Add support for read-write API keys and MCP tools for finalizing reviews

Author: kraih

assets/vue/ApiKeys.vue

@@ -48,7 +48,7 @@
                     <span class="real">{{ key.apiKey }}</span>
                   </span>
                 </td>
-                <td>read-only</td>
+                <td>{{ key.type }}</td>
                 <td>{{ key.description }}</td>
                 <td>{{ key.expires }}</td>
                 <td class="text-center">
@@ -80,6 +80,13 @@
                 <label for="api-key-description" class="col-form-label">Description</label>
                 <input v-model="apiKeyDescription" class="form-control" id="api-key-description" />
               </div>
+              <div class="mb-3">
+                <label for="api-key-type" class="col-form-label">Type</label>
+                <select v-model="apiKeyType" class="form-select" id="api-key-type">
+                  <option value="read-only">Read-Only</option>
+                  <option value="read-write">Read-Write</option>
+                </select>
+              </div>
               <div class="mb-3">
                 <label for="api-key-expires" class="col-form-label">Expires</label>
                 <input v-model="apiKeyExpires" type="datetime-local" class="form-control" id="api-key-expires" />
@@ -117,6 +124,7 @@ export default {
       addApiKeyUrl: '/api_keys',
       apiKeys: null,
       apiKeyDescription: 'User API Key',
+      apiKeyType: 'read-only',
       apiKeyExpires: new moment().add(365, 'days').format('YYYY-MM-DDTHH:mm'),
       lastCopied: null,
       refreshUrl: '/api_keys/meta'
@@ -132,7 +140,8 @@ export default {
     },
     async addApiKey() {
       const ua = new UserAgent({baseURL: window.location.href});
-      await ua.post(this.addApiKeyUrl, {form: {description: this.apiKeyDescription, expires: this.apiKeyExpires}});
+      const form = {description: this.apiKeyDescription, type: this.apiKeyType, expires: this.apiKeyExpires};
+      await ua.post(this.addApiKeyUrl, {form});
       this.doApiRefresh();
     },
     async deleteApiKey(key) {
@@ -147,6 +156,7 @@ export default {
           id: key.id,
           apiKey: key.api_key,
           description: key.description,
+          type: key.write_access ? 'read-write' : 'read-only',
           expires: moment(key.expires_epoch * 1000).fromNow(),
           removeUrl: `/api_keys/${key.id}`
         });

assets/vue/ReportMetadata.vue

@@ -188,7 +188,10 @@
             <i class="fas fa-user"></i>
           </th>
           <th class="fit text-start noleftpad" scope="row">Reviewing User:</th>
-          <td>{{ reviewingUser }}</td>
+          <td>
+            {{ reviewingUser }}
+            <span v-if="pkgAiAssisted" class="ai-assisted-badge">(with AI Assistant <i class="fas fa-robot"></i>)</span>
+          </td>
         </tr>
       </tbody>
     </table>
@@ -367,6 +370,7 @@ export default {
       hasSpdxReport: false,
       history: [],
       notice: null,
+      pkgAiAssisted: false,
       pkgChecksum: null,
       pkgEmbargoed: false,
       pkgFiles: [],
@@ -439,6 +443,7 @@ export default {
       this.pkgUrl = data.package_url;
       this.pkgVersion = data.package_version;
       this.pkgEmbargoed = data.embargoed;
+      this.pkgAiAssisted = data.ai_assisted;
 
       this.pkgChecksum = data.package_checksum;
       this.checkoutUrl = `/reviews/file_view/${this.pkgId}`;

cpanfile

@@ -18,4 +18,4 @@ requires 'Try::Tiny';
 requires 'YAML::XS';
 requires 'JSON::Validator';
 requires 'Digest::SHA1';
-requires 'MCP', '>= 0.06';
+requires 'MCP', '>= 0.07';

lib/Cavil/Controller/API.pm

@@ -16,6 +16,8 @@
 package Cavil::Controller::API;
 use Mojo::Base 'Mojolicious::Controller', -signatures;
 
+use Mojo::JSON qw(true false);
+
 sub identify ($self) {
   my $name     = $self->stash('name');
   my $checksum = $self->stash('checksum');
@@ -64,7 +66,14 @@ sub status ($self) {
 sub whoami ($self) {
   my $user = $self->current_user;
   my $id   = $self->users->id_for_login($user);
-  $self->render(json => {id => $id, user => $user});
+  $self->render(
+    json => {
+      id           => $id,
+      user         => $user,
+      roles        => $self->current_user_roles,
+      write_access => $self->current_user_has_write_access ? true : false
+    }
+  );
 }
 
 1;

lib/Cavil/Controller/APIKeys.pm

@@ -19,13 +19,15 @@ use Mojo::Base 'Mojolicious::Controller', -signatures;
 sub create ($self) {
   my $validation = $self->validation;
   $validation->optional('description');
+  $validation->required('type')->in(qw(read-only read-write));
   $validation->required('expires')->like(qr/^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}$/);
   return $self->reply->json_validation_error if $validation->has_error;
 
   my $owner   = $self->users->id_for_login($self->current_user);
   my $api_key = $self->api_keys->create(
     owner       => $owner,
     description => $validation->param('description'),
+    type        => $validation->param('type'),
     expires     => $validation->param('expires')
   );
 

lib/Cavil/Controller/Auth/APIKey.pm

@@ -22,7 +22,7 @@ sub check ($self) {
   my $token = $1;
 
   $self->_denied and return undef unless defined(my $user = $self->api_keys->find_by_key($token));
-  $self->stash('api.user' => $user);
+  $self->stash('cavil.api.user' => $user->{login}, 'cavil.api.write_access' => $user->{write_access});
 
   return 1;
 }

lib/Cavil/Controller/Reviewer.pm

@@ -151,6 +151,7 @@ sub review_package ($self) {
     die "Unknown state";
   }
   $pkg->{review_timestamp} = 1;
+  $pkg->{ai_assisted}      = 0;
 
   $self->packages->update($pkg);
 

lib/Cavil/Model/APIKeys.pm

@@ -4,7 +4,12 @@ use Mojo::Base -base, -signatures;
 has 'pg';
 
 sub create ($self, %args) {
-  my %data = (owner => $args{owner}, description => $args{description} // '', expires => $args{expires});
+  my %data = (
+    owner        => $args{owner},
+    description  => $args{description} // '',
+    write_access => $args{type} eq 'read-write' ? 1 : 0,
+    expires      => $args{expires}
+  );
   return $self->pg->db->insert('api_keys', \%data, {returning => '*'})->hash;
 }
 
@@ -13,7 +18,7 @@ sub find_by_key ($self, $key) {
     'SELECT * FROM api_keys ak JOIN bot_users bu ON ak.owner = bu.id
      WHERE ak.api_key = ? AND expires > NOW()', $key
   )->hash;
-  return $user->{login};
+  return {login => $user->{login}, write_access => $user->{write_access}};
 }
 
 sub list ($self, $owner) {

lib/Cavil/Model/Packages.pm

@@ -582,8 +582,10 @@ sub unpacked ($self, $id) {
 }
 
 sub update ($self, $pkg) {
-  my %updates = map { exists $pkg->{$_} ? ($_ => $pkg->{$_}) : () }
-    (qw(created checksum priority state obsolete result notice reviewed reviewing_user external_link embargoed));
+  my %updates = map { exists $pkg->{$_} ? ($_ => $pkg->{$_}) : () } (
+    qw(created checksum priority state obsolete result notice reviewed reviewing_user external_link),
+    qw(embargoed ai_assisted)
+  );
   $updates{reviewed} = \'now()' if $pkg->{review_timestamp};
   return $self->pg->db->update('bot_packages', \%updates, {id => $pkg->{id}});
 }

lib/Cavil/Model/Users.pm

@@ -57,7 +57,7 @@ sub remove_role ($self, $id, $role) {
 }
 
 sub roles ($self, $user) {
-  return $self->pg->db->query('select roles from bot_users where login = ?', $user)->arrays->flatten->to_array;
+  return $self->pg->db->query('select roles from bot_users where login = ?', $user)->arrays->flatten->sort->to_array;
 }
 
 1;