feat(rbac/ui): gate Graph tab on any-KB-readable + add follow-up spec#1576
Closed
sriaradhyula wants to merge 1 commit into
Closed
Conversation
Contributor
🧪 CAIPE UI Test Results✅ All tests passed 🟠 Overall Coverage: 55%
📊 Detailed Coverage
✅ Test Suites
📈 Coverage Thresholds
|
Prebuild Artifacts for `d46da36` (archived)Prebuild Artifacts for
|
| Artifact | Image | Tag | Status | CI |
|---|---|---|---|---|
| caipe-ui | - | - | Failed | CI |
These prebuild artifacts will be automatically cleaned up when the PR is closed or merged.
PR 5 of the 2026-05-27 fine-grained KB ReBAC plan. Closes out the sidebar work and documents the remaining RAG-server effort needed for true per-KB ontology filtering. - `/knowledge-bases/graph` now consults `useKbTabGates` (the PR 2 hook). Non-admins with zero readable KBs see the `NoKbAccessEmpty` empty state instead of the global graph. - New `GraphInfoBanner` is rendered whenever the tab is visible, reminding users (and org admins under PR 1's super-grant) that the ontology graph is currently global. When `kb_count >= 0` the banner also surfaces "you have read access to N knowledge bases" so non- admins know exactly what their scope is. - `__tests__/page.test.tsx` covers: org-admin sees the banner; non-admin with reads sees the banner; non-admin with zero reads sees the empty state instead of the graph; banner stays hidden until the BFF responds (fails closed). - New spec `docs/docs/specs/2026-05-27-per-kb-ontology-graph-filtering/spec.md` tracks the RAG-server work needed for true per-KB filtering (a `kb_ids` filter on `/v1/graphrag/*` plus an OpenFGA-driven membership probe in the BFF). This intentionally lives outside the PR 5 code change because it is a multi-week server-side effort. - RBAC architecture / file-map updated to describe the gate, banner, and the follow-up spec. Assisted-by: Claude:claude-opus-4-7 Signed-off-by: Sri Aradhyula <sraradhy@cisco.com> Co-authored-by: Cursor <cursoragent@cursor.com>
sriaradhyula
force-pushed
the
prebuild/feat/rbac-graph-tab-gate
branch
from
d46da36 to
48c350d
Compare
Prebuild Artifacts for
|
| Artifact | Image | Tag | Status | CI |
|---|---|---|---|---|
| caipe-ui | ghcr.io/cnoe-io/prebuild/caipe-ui |
feat-rbac-graph-tab-gate-2 |
Published | CI |
Docker pull commands
docker pull ghcr.io/cnoe-io/prebuild/caipe-ui:feat-rbac-graph-tab-gate-2These prebuild artifacts will be automatically cleaned up when the PR is closed or merged.
7 tasks
Member
Author
|
Superseded by collapsed replacement PR #1584. |
github-project-automation
Bot
moved this to Done
in CAIPE (AI Platform Engineering) Project Backlog
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PR 5 of the 2026-05-27 fine-grained KB ReBAC plan (see
docs/docs/specs/2026-05-27-fine-grained-rbac-for-withauth-routes/plan.md).Closes out the Knowledge sidebar work and documents the remaining RAG-server effort needed for true per-KB ontology filtering.
Graph tab gate
/knowledge-bases/graphnow consultsuseKbTabGates(the PR 2 hook). Non-admins with zero readable KBs see theNoKbAccessEmptyempty state instead of the global graph. Behaviour mirrors Search / Data Sources / MCP Tools.Info banner
New
GraphInfoBanneris rendered whenever the tab is visible, reminding users (and org admins under PR 1's super-grant) that the ontology graph is currently global — it lives in Neo4j keyed only by_datasource_idtoday. Whenkb_count >= 0the banner also surfaces "you have read access to N knowledge bases" so non-admins know exactly what their scope is.Per-KB filtering follow-up spec
New spec
docs/docs/specs/2026-05-27-per-kb-ontology-graph-filtering/spec.mdtracks the RAG-server work needed for true per-KB ontology filtering: akb_idsquery filter on/v1/graphrag/*plus an OpenFGA-driven membership probe in the BFF. This intentionally lives outside the PR 5 code change because it's a multi-week server-side effort.Stacked on
This PR is the tip of the stack:
data_source+mcp_tooltypes + BFF list filterBase branch is
prebuild/feat/rbac-data-source-mcp-tool-types. Merge order: 1 → 2 → 3 → 4 → 5.Test plan
npx jest --testPathPatterns "knowledge-bases/graph"— 4 passed./knowledge-bases/graph, confirmNoKbAccessEmptyis rendered.(read access to N)suffix and the global graph renders.Assisted-by: Claude:claude-opus-4-7