feat: plugin market, user_groups, and unified admin/auth for feature toggles (#170)

Co-authored-by: nishenghao.nsh <nishenghao.nsh@oceanbase.com>

Author: niiish32x

packages/derisk-app/src/derisk_app/app.py

@@ -134,6 +134,10 @@ def mount_routers(app: FastAPI, param: Optional[ApplicationConfig] = None):
     app.include_router(streaming_config_router, tags=["Streaming Config"])
     logger.info("[Streaming] Config API routes registered at /api/v1/streaming-config")
 
+    from derisk_app.feature_plugins.bootstrap import register_enabled_feature_plugin_routers
+
+    register_enabled_feature_plugin_routers(app)
+
 
 def mount_static_files(app: FastAPI, param: ApplicationConfig):
     if param.service.web.new_web_ui:

packages/derisk-app/src/derisk_app/feature_plugins/__init__.py

@@ -0,0 +1,15 @@
+"""Builtin feature plugins (official catalog + optional routers)."""
+
+from derisk_app.feature_plugins.catalog import (
+    FeaturePluginManifest,
+    get_manifest,
+    list_manifests,
+    merge_catalog_with_state,
+)
+
+__all__ = [
+    "FeaturePluginManifest",
+    "get_manifest",
+    "list_manifests",
+    "merge_catalog_with_state",
+]

packages/derisk-app/src/derisk_app/feature_plugins/bootstrap.py

@@ -0,0 +1,36 @@
+"""Register routers for enabled builtin feature plugins at process startup."""
+
+import logging
+
+from fastapi import FastAPI
+
+logger = logging.getLogger(__name__)
+
+
+def register_enabled_feature_plugin_routers(app: FastAPI) -> None:
+    """Conditionally mount plugin HTTP routes (requires restart after toggling plugins)."""
+    try:
+        from derisk_core.config import ConfigManager, FeaturePluginEntry
+
+        cfg = ConfigManager.get()
+    except Exception as e:
+        logger.warning("Feature plugins: skip router registration (config unavailable): %s", e)
+        return
+
+    raw = getattr(cfg, "feature_plugins", None) or {}
+
+    def _enabled(plugin_id: str) -> bool:
+        entry = raw.get(plugin_id)
+        if entry is None:
+            return False
+        if isinstance(entry, FeaturePluginEntry):
+            return bool(entry.enabled)
+        if isinstance(entry, dict):
+            return bool(entry.get("enabled"))
+        return False
+
+    if _enabled("user_groups"):
+        from derisk_app.feature_plugins.user_groups.api import router as user_groups_router
+
+        app.include_router(user_groups_router, prefix="/api/v1")
+        logger.info("Feature plugin mounted: user_groups at /api/v1/user-groups")

packages/derisk-app/src/derisk_app/feature_plugins/catalog.py

@@ -0,0 +1,85 @@
+"""Code-defined catalog for builtin feature plugins (metadata + JSON Schema hints)."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from typing import Any, Dict, List, Optional, Union
+
+
+@dataclass(frozen=True)
+class FeaturePluginManifest:
+    """Static manifest shipped with the product; not stored in derisk.json."""
+
+    id: str
+    title: str
+    description: str
+    category: str
+    requires_restart: bool = True
+    # Optional JSON Schema object for plugin-specific settings (UI forms).
+    settings_schema: Optional[Dict[str, Any]] = None
+    # When True, recommend OAuth2 + admin_users for write operations (enforced in API when configured).
+    suggest_oauth2_admin: bool = True
+
+
+_MANIFESTS: Dict[str, FeaturePluginManifest] = {
+    "user_groups": FeaturePluginManifest(
+        id="user_groups",
+        title="用户权限组",
+        description=(
+            "面向登录用户的分组与成员管理（RBAC 数据面）；"
+            "后续可基于权限组对 Agent、工具等做访问控制。"
+        ),
+        category="access_control",
+        requires_restart=True,
+        settings_schema=None,
+        suggest_oauth2_admin=True,
+    ),
+}
+
+
+def list_manifests() -> List[FeaturePluginManifest]:
+    return list(_MANIFESTS.values())
+
+
+def get_manifest(plugin_id: str) -> Optional[FeaturePluginManifest]:
+    return _MANIFESTS.get(plugin_id)
+
+
+def is_known_plugin(plugin_id: str) -> bool:
+    return plugin_id in _MANIFESTS
+
+
+def _entry_enabled_and_settings(
+    entry: Optional[Union[Dict[str, Any], Any]],
+) -> tuple[bool, Dict[str, Any]]:
+    """Normalize FeaturePluginEntry, dict, or None."""
+    if entry is None:
+        return False, {}
+    if isinstance(entry, dict):
+        return bool(entry.get("enabled")), dict(entry.get("settings") or {})
+    enabled = bool(getattr(entry, "enabled", False))
+    raw = getattr(entry, "settings", None) or {}
+    return enabled, dict(raw) if isinstance(raw, dict) else {}
+
+
+def merge_catalog_with_state(
+    feature_plugins: Dict[str, Any],
+) -> List[Dict[str, Any]]:
+    """Merge manifests with persisted enabled/settings for API responses."""
+    out: List[Dict[str, Any]] = []
+    for m in list_manifests():
+        en, st = _entry_enabled_and_settings(feature_plugins.get(m.id))
+        out.append(
+            {
+                "id": m.id,
+                "title": m.title,
+                "description": m.description,
+                "category": m.category,
+                "requires_restart": m.requires_restart,
+                "settings_schema": m.settings_schema,
+                "suggest_oauth2_admin": m.suggest_oauth2_admin,
+                "enabled": en,
+                "settings": st,
+            }
+        )
+    return out

packages/derisk-app/src/derisk_app/feature_plugins/user_groups/__init__.py

@@ -0,0 +1,6 @@
+"""User groups plugin (RBAC-style grouping for logged-in users).
+
+Import ``derisk_app.feature_plugins.user_groups.api`` for the FastAPI router;
+this package ``__init__`` stays lightweight so ORM models can load without
+registering routes (e.g. during DB migrations).
+"""

packages/derisk-app/src/derisk_app/feature_plugins/user_groups/api.py

@@ -0,0 +1,121 @@
+"""HTTP API for user groups (only mounted when feature plugin user_groups is enabled)."""
+
+from typing import List, Optional
+
+from fastapi import APIRouter, Depends, HTTPException
+from pydantic import BaseModel, Field
+from sqlalchemy.exc import IntegrityError
+
+from derisk_serve.utils.auth import UserRequest, get_user_from_headers
+from derisk_app.feature_plugins.user_groups.service import UserGroupService
+
+router = APIRouter(prefix="/user-groups", tags=["UserGroups"])
+
+_svc = UserGroupService()
+
+
+class GroupCreateBody(BaseModel):
+    name: str = Field(..., min_length=1, max_length=128)
+    description: Optional[str] = Field(None, max_length=2000)
+
+
+class GroupUpdateBody(BaseModel):
+    name: Optional[str] = Field(None, min_length=1, max_length=128)
+    description: Optional[str] = Field(None, max_length=2000)
+
+
+class MembersAddBody(BaseModel):
+    user_ids: List[int] = Field(..., min_length=1)
+
+
+@router.get("/groups")
+async def list_groups(_user: UserRequest = Depends(get_user_from_headers)):
+    groups = _svc.list_groups()
+    for g in groups:
+        g["member_count"] = _svc.count_members(g["id"])
+    return {"success": True, "data": groups}
+
+
+@router.post("/groups")
+async def create_group(
+    body: GroupCreateBody,
+    _user: UserRequest = Depends(get_user_from_headers),
+):
+    try:
+        g = _svc.create_group(body.name, body.description)
+        return {"success": True, "data": g}
+    except IntegrityError:
+        raise HTTPException(status_code=409, detail="Group name already exists")
+
+
+@router.get("/groups/{group_id}")
+async def get_group(
+    group_id: int,
+    _user: UserRequest = Depends(get_user_from_headers),
+):
+    g = _svc.get_group(group_id)
+    if not g:
+        raise HTTPException(status_code=404, detail="Group not found")
+    g["member_count"] = _svc.count_members(group_id)
+    return {"success": True, "data": g}
+
+
+@router.put("/groups/{group_id}")
+async def update_group(
+    group_id: int,
+    body: GroupUpdateBody,
+    _user: UserRequest = Depends(get_user_from_headers),
+):
+    try:
+        g = _svc.update_group(group_id, name=body.name, description=body.description)
+        if not g:
+            raise HTTPException(status_code=404, detail="Group not found")
+        return {"success": True, "data": g}
+    except IntegrityError:
+        raise HTTPException(status_code=409, detail="Group name already exists")
+
+
+@router.delete("/groups/{group_id}")
+async def delete_group(
+    group_id: int,
+    _user: UserRequest = Depends(get_user_from_headers),
+):
+    ok = _svc.delete_group(group_id)
+    if not ok:
+        raise HTTPException(status_code=404, detail="Group not found")
+    return {"success": True, "data": None}
+
+
+@router.get("/groups/{group_id}/members")
+async def list_members(
+    group_id: int,
+    _user: UserRequest = Depends(get_user_from_headers),
+):
+    if not _svc.get_group(group_id):
+        raise HTTPException(status_code=404, detail="Group not found")
+    members = _svc.list_members(group_id)
+    return {"success": True, "data": members}
+
+
+@router.post("/groups/{group_id}/members")
+async def add_members(
+    group_id: int,
+    body: MembersAddBody,
+    _user: UserRequest = Depends(get_user_from_headers),
+):
+    if not _svc.get_group(group_id):
+        raise HTTPException(status_code=404, detail="Group not found")
+    added, _ = _svc.add_members(group_id, body.user_ids)
+    return {"success": True, "data": {"added": added}}
+
+
+@router.delete("/groups/{group_id}/members/{member_user_id}")
+async def remove_member(
+    group_id: int,
+    member_user_id: int,
+    _user: UserRequest = Depends(get_user_from_headers),
+):
+    ok = _svc.remove_member(group_id, member_user_id)
+    if not ok:
+        raise HTTPException(status_code=404, detail="Membership not found")
+    return {"success": True, "data": None}

packages/derisk-app/src/derisk_app/feature_plugins/user_groups/models.py

@@ -0,0 +1,40 @@
+"""ORM models for user_group / user_group_member tables."""
+
+from datetime import datetime
+
+from sqlalchemy import Column, DateTime, Integer, String, Text, UniqueConstraint
+
+from derisk.storage.metadata import Model
+
+
+class UserGroupEntity(Model):
+    __tablename__ = "user_group"
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    name = Column(String(128), nullable=False, unique=True, comment="Group name")
+    description = Column(Text, nullable=True, comment="Description")
+    gmt_create = Column(DateTime, default=datetime.utcnow, nullable=False)
+    gmt_modify = Column(
+        DateTime,
+        default=datetime.utcnow,
+        onupdate=datetime.utcnow,
+        nullable=False,
+    )
+
+
+class UserGroupMemberEntity(Model):
+    __tablename__ = "user_group_member"
+    __table_args__ = (
+        UniqueConstraint("group_id", "user_id", name="uk_user_group_member"),
+    )
+
+    id = Column(Integer, primary_key=True, autoincrement=True)
+    group_id = Column(Integer, nullable=False, index=True, comment="user_group.id")
+    user_id = Column(Integer, nullable=False, index=True, comment="user.id")
+    gmt_create = Column(DateTime, default=datetime.utcnow, nullable=False)
+    gmt_modify = Column(
+        DateTime,
+        default=datetime.utcnow,
+        onupdate=datetime.utcnow,
+        nullable=False,
+    )