Skip to content

Add Pandora Operator Action Center#134

Merged
besfeng23 merged 1 commit into
mainfrom
codex/create-production-safe-pandora-operator-action-center
Jul 3, 2026
Merged

Add Pandora Operator Action Center#134
besfeng23 merged 1 commit into
mainfrom
codex/create-production-safe-pandora-operator-action-center

Conversation

@besfeng23

Copy link
Copy Markdown
Owner

Motivation

  • Add a production-safe Operator Action Center to let authenticated operators propose, audit, and dry-run controlled operator workflows without permitting any destructive or autonomous memory mutations.
  • Provide deterministic idempotency, per-operator scoping, and visible audit/event bookkeeping to form the safe foundation for future operator-approved live actions.

Description

  • Schema: added additive Supabase migration supabase/migrations/20260703000000_pandora_operator_action_center.sql creating pandora_operator_actions and pandora_operator_action_events with constraints, indexes, RLS policies, and unique(user_id, idempotency_key).
  • Service: new server-side service lib/services/pandora-operator-action-service.ts exposing listOperatorActions, proposeOperatorAction, dryRunOperatorAction, cancelOperatorAction, and createActionEvent; enforces server-derived userId, deterministic idempotency key, allowed action/mode lists, and never mutates core memory tables.
  • Routes: added authenticated internal API routes app/api/pandora/operator-actions/route.ts, app/api/pandora/operator-actions/[id]/dry-run/route.ts, and app/api/pandora/operator-actions/[id]/cancel/route.ts that reject client-supplied user_id and call the service functions.
  • UI & types: introduced components OperatorActionCenterCard, OperatorActionComposer, OperatorActionList, and OperatorActionEnvelope, extended components/pandora/types.ts and wired an operatorActions summary into the live /pandora dashboard loader (lib/services/pandora-dashboard-service.ts) while preserving existing dashboard/verification behavior and visual style.
  • Safety guarantees: dry-run results include no_mutation_performed: true; allowed action types are constrained to verification/dashboard-related work only; no model calls, embeddings, destructive operations, or service-role/admin client usage were added.

Testing

  • Ran typecheck (npm run typecheck) which passed, and lint (npm run lint) which passed with pre-existing non-blocking warnings.
  • Ran unit tests (npm run test) and full test suite; all tests passed (96 test files, 612 tests passed in CI run shown locally).
  • Built the app (npm run build) which completed successfully with Next.js/Edge-runtime informational warnings only.
  • Env policy (npm run env:policy) passed for discovered env keys.
  • New automated tests added: tests/unit/pandora-operator-action-service.test.ts, tests/unit/pandora-operator-action-ui.test.tsx, and tests/unit/pandora-operator-action-guards.test.ts, and they passed as part of the test run.

Codex Task

@vercel

vercel Bot commented Jul 3, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
memory Ready Ready Preview, Comment Jul 3, 2026 8:19pm

@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@besfeng23, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 23 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0c4cda03-2440-4d86-8716-d12bfc68e5ee

📥 Commits

Reviewing files that changed from the base of the PR and between a8731de and 96e4ed9.

📒 Files selected for processing (18)
  • app/api/pandora/operator-actions/[id]/cancel/route.ts
  • app/api/pandora/operator-actions/[id]/dry-run/route.ts
  • app/api/pandora/operator-actions/route.ts
  • components/pandora/OperatorActionCenterCard.tsx
  • components/pandora/OperatorActionComposer.tsx
  • components/pandora/OperatorActionEnvelope.tsx
  • components/pandora/OperatorActionList.tsx
  • components/pandora/PandoraDashboard.tsx
  • components/pandora/mock-data.ts
  • components/pandora/types.ts
  • docs/pandora-operator-action-center.md
  • lib/services/pandora-dashboard-service.ts
  • lib/services/pandora-operator-action-service.ts
  • supabase/migrations/20260703000000_pandora_operator_action_center.sql
  • tests/unit/pandora-dashboard-ui.test.tsx
  • tests/unit/pandora-operator-action-guards.test.ts
  • tests/unit/pandora-operator-action-service.test.ts
  • tests/unit/pandora-operator-action-ui.test.tsx
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/create-production-safe-pandora-operator-action-center

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@besfeng23 besfeng23 merged commit d5482a1 into main Jul 3, 2026
5 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 96e4ed9d90

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

create policy "pandora_operator_actions_update_own_bookkeeping" on public.pandora_operator_actions for update to authenticated using (user_id = auth.uid()) with check (user_id = auth.uid());

revoke update on public.pandora_operator_actions from authenticated;
grant update (status, result, warnings, updated_at, approved_at, completed_at, failed_at) on public.pandora_operator_actions to authenticated;

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Keep action status/result writes out of the client role

Because Supabase browser clients use the same authenticated role, this grant lets any logged-in user update their own action rows directly through PostgREST, including setting status to dry_ran/completed, fabricating result/warnings, and filling approval/completion timestamps without going through the dry-run or cancel routes. The dashboard reads these fields from pandora_operator_actions, so the current audit/dry-run history can be forged even though live actions are described as gated; these bookkeeping transitions need to be enforced behind a trusted server/RPC path rather than granted broadly to authenticated.

Useful? React with 👍 / 👎.

create policy "pandora_operator_action_events_select_own" on public.pandora_operator_action_events for select to authenticated using (user_id = auth.uid());

drop policy if exists "pandora_operator_action_events_insert_own" on public.pandora_operator_action_events;
create policy "pandora_operator_action_events_insert_own" on public.pandora_operator_action_events for insert to authenticated with check (user_id = auth.uid());

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Require event action ownership in the insert policy

With this policy, an authenticated client only has to set user_id = auth.uid(); action_id can reference any existing pandora_operator_actions.id, including another user's action if the UUID is known or leaked. That permits cross-user audit rows attached to someone else's action, and future reads by action_id would mix another user's event into the action history. Add a with check that verifies the referenced action exists and has user_id = auth.uid().

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant