release: v0.20.0 — workspace folder permissions + SendMessage cards

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: DavidsonGomes

CHANGELOG.md

@@ -5,6 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.20.0] - 2026-04-13
+
+### Added
+
+- **Workspace folder permissions** — roles can now restrict access to specific workspace folders (finance, marketing, personal, etc.). Three modes: All, Selected (checkbox grid), None. Admin always bypasses. Enforced on all workspace browser endpoints: tree, read, write, create, rename, delete, upload, download, recent, and file share creation
+- **Role editor UI for folder access** — Settings → Roles now has a "Pastas do Workspace" section with radio buttons for mode and a dynamic checkbox grid that scans existing folders from disk
+- **Dynamic folder scan endpoint** — `GET /api/roles/workspace-folders` lists all top-level directories under `workspace/` without hardcoding
+- **SendMessage tool card** — chat UI now renders `SendMessage` tool calls with subagent avatar and description, same as Agent tool cards
+
+### Fixed
+
+- **SQLite auto-migration** — added `ALTER TABLE roles ADD COLUMN workspace_folders_json` to `app.py` startup migration, preventing crash on existing databases
+- **Chat textarea height** — input area resets to single line after sending (carried over from v0.19.1)
+
 ## [0.19.1] - 2026-04-13
 
 ### Added

cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@evoapi/evo-nexus",
-  "version": "0.19.1",
+  "version": "0.20.0",
   "description": "Unofficial open source toolkit for Claude Code — AI-powered business operating system",
   "keywords": [
     "claude-code",

dashboard/backend/app.py

@@ -58,6 +58,9 @@
     if "agent_access_json" not in _existing_cols:
         _cur.execute("ALTER TABLE roles ADD COLUMN agent_access_json TEXT DEFAULT '{\"mode\": \"all\"}'")
         _conn.commit()
+    if "workspace_folders_json" not in _existing_cols:
+        _cur.execute("ALTER TABLE roles ADD COLUMN workspace_folders_json TEXT DEFAULT '{\"mode\": \"all\"}'")
+        _conn.commit()
 
     # Fix corrupted datetime columns (NULL or non-string values crash SQLAlchemy)
     for _tbl, _col in [("roles", "created_at"), ("users", "created_at"), ("users", "last_login")]:

dashboard/backend/models.py

@@ -142,10 +142,12 @@ def to_dict(self):
         "description": "Full access to all resources",
         "permissions": {r: actions[:] for r, actions in ALL_RESOURCES.items()},
         "agent_access": {"mode": "all"},
+        "workspace_folders": {"mode": "all"},
     },
     "operator": {
         "description": "Can view and execute, but not manage users or audit",
         "agent_access": {"mode": "all"},
+        "workspace_folders": {"mode": "all"},
         "permissions": {
             "chat": ["view", "execute"],
             "services": ["view", "execute"],
@@ -168,6 +170,7 @@ def to_dict(self):
     "viewer": {
         "description": "Read-only access to dashboards",
         "agent_access": {"mode": "none"},
+        "workspace_folders": {"mode": "all"},
         "permissions": {
             "workspace": ["view"],
             "agents": ["view"],
@@ -395,6 +398,7 @@ class Role(db.Model):
     description = db.Column(db.String(200))
     permissions_json = db.Column(db.Text, nullable=False, default="{}")
     agent_access_json = db.Column(db.Text, nullable=True, default='{"mode": "all"}')
+    workspace_folders_json = db.Column(db.Text, nullable=True, default='{"mode": "all"}')
     is_builtin = db.Column(db.Boolean, default=False)
     created_at = db.Column(db.DateTime, default=lambda: datetime.now(timezone.utc))
 
@@ -421,13 +425,26 @@ def agent_access(self) -> dict:
     def agent_access(self, value: dict):
         self.agent_access_json = json.dumps(value)
 
+    @property
+    def workspace_folders(self) -> dict:
+        try:
+            result = json.loads(self.workspace_folders_json) if self.workspace_folders_json else None
+            return result if result else {"mode": "all"}
+        except (json.JSONDecodeError, TypeError):
+            return {"mode": "all"}
+
+    @workspace_folders.setter
+    def workspace_folders(self, value: dict):
+        self.workspace_folders_json = json.dumps(value)
+
     def to_dict(self):
         return {
             "id": self.id,
             "name": self.name,
             "description": self.description,
             "permissions": self.permissions,
             "agent_access": self.agent_access,
+            "workspace_folders": self.workspace_folders,
             "is_builtin": self.is_builtin,
             "created_at": self.created_at.strftime("%Y-%m-%dT%H:%M:%S.%fZ") if self.created_at else None,
         }
@@ -460,6 +477,11 @@ def seed_roles():
             if existing.agent_access_json is None:
                 existing.agent_access = config.get("agent_access", {"mode": "all"})
             # --- fim migração ---
+
+            # --- Migração workspace_folders: set default for existing roles ---
+            if existing.workspace_folders_json is None:
+                existing.workspace_folders = config.get("workspace_folders", {"mode": "all"})
+            # --- fim migração ---
         else:
             role = Role(
                 name=name,
@@ -468,6 +490,7 @@ def seed_roles():
             )
             role.permissions = config["permissions"]
             role.agent_access = config.get("agent_access", {"mode": "all"})
+            role.workspace_folders = config.get("workspace_folders", {"mode": "all"})
             db.session.add(role)
     db.session.commit()
 
@@ -539,6 +562,65 @@ def has_agent_access(role_name: str, agent_name: str) -> bool:
     return True
 
 
+def get_role_workspace_folders(role_name: str) -> dict:
+    """Get workspace_folders config for a role from DB, fallback to builtin defaults."""
+    role = Role.query.filter_by(name=role_name).first()
+    if role:
+        return role.workspace_folders
+    builtin = BUILTIN_ROLES.get(role_name)
+    if builtin:
+        return builtin.get("workspace_folders", {"mode": "all"})
+    return {"mode": "all"}
+
+
+def has_workspace_folder_access(role_name: str, path: str) -> bool:
+    """Check if a role has access to a specific workspace folder.
+
+    Only enforces top-level folder access (e.g. workspace/finance/).
+    Subfolders inherit parent access.
+
+    NOTE: This check applies only to the Flask API workspace endpoints.
+    Terminal-server / agent sessions (Claude Code CLI) do NOT enforce folder
+    restrictions — they bypass the Flask API entirely. This is a known
+    limitation to be addressed in a future iteration.
+
+    Args:
+        role_name: The role name string.
+        path: A repo-relative path string (e.g. "workspace/finance/report.md").
+
+    Returns:
+        True if access is allowed, False otherwise.
+    """
+    if role_name == "admin":
+        return True
+
+    parts = path.strip("/").split("/")
+
+    # Root "workspace" listing — always allowed (filtering happens on children)
+    if len(parts) == 0 or parts[0] != "workspace":
+        return True  # Non-workspace paths are unaffected by folder permissions
+    if len(parts) < 2 or parts[1] == "":
+        return True  # Browsing workspace root is allowed; children are filtered
+
+    folder = parts[1]
+
+    config = get_role_workspace_folders(role_name)
+    mode = config.get("mode", "all")
+
+    if mode == "all":
+        return True
+    if mode == "none":
+        return False
+    if mode == "selected":
+        folders = config.get("folders", [])
+        # Empty selected list behaves as none
+        if not folders:
+            return False
+        return folder in [f.strip("/") for f in folders]
+    # Unknown mode — default to all
+    return True
+
+
 def audit(user, action: str, resource: str = None, detail: str = None):
     """Log an action to the audit trail."""
     from flask import request

dashboard/backend/routes/auth_routes.py

@@ -4,7 +4,7 @@
 from functools import wraps
 from flask import Blueprint, request, jsonify, abort
 from flask_login import login_user, logout_user, login_required, current_user
-from models import db, User, AuditLog, Role, has_permission, audit, needs_setup, get_role_permissions, get_role_agent_access, ALL_RESOURCES, AGENT_LAYERS
+from models import db, User, AuditLog, Role, has_permission, audit, needs_setup, get_role_permissions, get_role_agent_access, get_role_workspace_folders, ALL_RESOURCES, AGENT_LAYERS
 
 bp = Blueprint("auth", __name__)
 
@@ -189,10 +189,12 @@ def logout():
 def me():
     perms = get_role_permissions(current_user.role)
     agent_access = get_role_agent_access(current_user.role)
+    workspace_folders = get_role_workspace_folders(current_user.role)
     return jsonify({
         "user": current_user.to_dict(),
         "permissions": perms,
         "agent_access": agent_access,
+        "workspace_folders": workspace_folders,
     })
 
 
@@ -350,6 +352,28 @@ def list_agent_layers():
     return jsonify(AGENT_LAYERS)
 
 
+@bp.route("/api/roles/workspace-folders")
+@login_required
+@require_permission("users", "view")
+def list_workspace_folders():
+    """Return sorted list of top-level workspace folder names from disk."""
+    import os
+    from pathlib import Path
+    workspace_path = Path(__file__).resolve().parents[3] / "workspace"
+    folders = []
+    if workspace_path.is_dir():
+        blocklist = {
+            ".git", "node_modules", "dist", ".venv", "__pycache__",
+            "backups", ".mypy_cache", ".pytest_cache", "target", "build",
+            ".next", ".turbo", "coverage", ".trash",
+        }
+        for name in sorted(os.listdir(workspace_path)):
+            full = workspace_path / name
+            if full.is_dir() and not name.startswith('.') and name not in blocklist:
+                folders.append(name)
+    return jsonify({"folders": folders})
+
+
 @bp.route("/api/roles", methods=["POST"])
 @login_required
 @require_permission("users", "manage")
@@ -369,6 +393,7 @@ def create_role():
     role = Role(name=name, description=description)
     role.permissions = permissions
     role.agent_access = data.get("agent_access", {"mode": "all"})
+    role.workspace_folders = data.get("workspace_folders", {"mode": "all"})
     db.session.add(role)
     db.session.commit()
 
@@ -389,6 +414,8 @@ def update_role(role_id):
         role.permissions = data["permissions"]
     if "agent_access" in data:
         role.agent_access = data["agent_access"]
+    if "workspace_folders" in data:
+        role.workspace_folders = data["workspace_folders"]
     if "name" in data and not role.is_builtin:
         new_name = data["name"].strip().lower()
         if new_name != role.name and Role.query.filter_by(name=new_name).first():

dashboard/backend/routes/shares.py

@@ -8,7 +8,7 @@
 from flask import Blueprint, jsonify, request, Response
 from flask_login import login_required, current_user
 
-from models import db, FileShare, audit
+from models import db, FileShare, audit, has_workspace_folder_access
 from routes.auth_routes import require_permission
 
 bp = Blueprint("shares", __name__)
@@ -90,6 +90,10 @@ def create_share():
     if not full.exists() or not full.is_file():
         return jsonify({"error": "File not found", "code": "not_found"}), 404
 
+    # Enforce folder access before creating a share
+    if not has_workspace_folder_access(current_user.role, path):
+        return jsonify({"error": "Access to this workspace folder is restricted", "code": "forbidden"}), 403
+
     # Calculate expiry
     expires_at = None
     if expires_in and expires_in in _EXPIRY_MAP:

dashboard/backend/routes/workspace.py

@@ -11,7 +11,7 @@
 from flask import Blueprint, jsonify, request, abort, send_file, current_app
 from flask_login import login_required, current_user
 
-from models import has_permission
+from models import has_permission, has_workspace_folder_access
 from routes.auth_routes import require_permission
 
 bp = Blueprint("workspace", __name__)
@@ -186,6 +186,23 @@ def _is_blocklisted(name: str) -> bool:
     return False
 
 
+def _check_folder_access(path_str: str):
+    """Abort 403 if user's role cannot access this workspace folder.
+
+    Only enforced for paths inside WORKSPACE_DIR. Admin paths are skipped
+    (they are gated by config:manage permission already).
+    """
+    if not current_user.is_authenticated:
+        return
+    # Only enforce for workspace/ paths
+    parts = path_str.strip("/").split("/")
+    if not parts or parts[0] != "workspace":
+        return
+    if not has_workspace_folder_access(current_user.role, path_str):
+        _audit("denied", path_str, result="denied", reason="folder_restricted")
+        abort(403, description="Access to this workspace folder is restricted")
+
+
 # ── Endpoints ──────────────────────────────────────────────────────────────
 
 @bp.route("/api/workspace/tree")
@@ -236,6 +253,16 @@ def _build_entries(directory: Path, current_depth: int) -> list:
 
     entries = _build_entries(full, depth)
 
+    # Filter top-level workspace folders based on role access
+    rel_check = _repo_rel(full)
+    if rel_check == "workspace" and current_user.is_authenticated:
+        entries = [
+            e for e in entries
+            if not e.get("is_dir") or has_workspace_folder_access(
+                current_user.role, f"workspace/{e['name']}"
+            )
+        ]
+
     # Build breadcrumbs from repo-rel path
     rel = _repo_rel(full)
     parts = [p for p in rel.split("/") if p]
@@ -266,6 +293,7 @@ def workspace_file_read():
         (REPO_ROOT / path).resolve(), WORKSPACE_DIR.resolve()
     )
     full = _resolve_safe(path, require_admin=require_admin)
+    _check_folder_access(_repo_rel(full))
 
     if not full.exists():
         return jsonify({"error": "File not found", "code": "not_found"}), 404
@@ -314,6 +342,7 @@ def workspace_file_write():
         (REPO_ROOT / path).resolve(), WORKSPACE_DIR.resolve()
     )
     full = _resolve_safe(path, require_admin=require_admin)
+    _check_folder_access(_repo_rel(full))
 
     if full.is_dir():
         return jsonify({"error": "Path is a directory", "code": "bad_path"}), 409
@@ -351,6 +380,7 @@ def workspace_file_create():
         (REPO_ROOT / path).resolve(), WORKSPACE_DIR.resolve()
     )
     full = _resolve_safe(path, require_admin=require_admin)
+    _check_folder_access(_repo_rel(full))
 
     if full.exists():
         return jsonify({"error": "File already exists", "code": "conflict"}), 409
@@ -385,6 +415,7 @@ def workspace_folder_create():
         (REPO_ROOT / path).resolve(), WORKSPACE_DIR.resolve()
     )
     full = _resolve_safe(path, require_admin=require_admin)
+    _check_folder_access(_repo_rel(full))
 
     if full.exists():
         return jsonify({"error": "Directory already exists", "code": "conflict"}), 409
@@ -422,6 +453,8 @@ def workspace_rename():
     )
     full_from = _resolve_safe(from_path, require_admin=require_admin)
     full_to = _resolve_safe(to_path, require_admin=require_admin)
+    _check_folder_access(_repo_rel(full_from))
+    _check_folder_access(_repo_rel(full_to))
 
     if not full_from.exists():
         return jsonify({"error": "Source not found", "code": "not_found"}), 404
@@ -456,6 +489,7 @@ def workspace_file_delete():
         (REPO_ROOT / path).resolve(), WORKSPACE_DIR.resolve()
     )
     full = _resolve_safe(path, require_admin=require_admin)
+    _check_folder_access(_repo_rel(full))
 
     if not full.exists():
         return jsonify({"error": "File not found", "code": "not_found"}), 404
@@ -515,6 +549,7 @@ def workspace_upload():
         (REPO_ROOT / path).resolve(), WORKSPACE_DIR.resolve()
     )
     dir_full = _resolve_safe(path, require_admin=require_admin)
+    _check_folder_access(_repo_rel(dir_full))
 
     if not dir_full.is_dir():
         return jsonify({"error": "Target path is not a directory", "code": "bad_path"}), 400
@@ -549,6 +584,7 @@ def workspace_download():
         (REPO_ROOT / path).resolve(), WORKSPACE_DIR.resolve()
     )
     full = _resolve_safe(path, require_admin=require_admin)
+    _check_folder_access(_repo_rel(full))
 
     if not full.exists():
         return jsonify({"error": "File not found", "code": "not_found"}), 404
@@ -585,7 +621,11 @@ def workspace_recent():
             continue
         if _is_blocklisted(f.name):
             continue
-        if any(_is_blocklisted(part) for part in f.relative_to(WORKSPACE_DIR).parts):
+        rel_parts = f.relative_to(WORKSPACE_DIR).parts
+        if any(_is_blocklisted(part) for part in rel_parts):
+            continue
+        # Enforce folder access: check top-level folder
+        if rel_parts and not has_workspace_folder_access(current_user.role, f"workspace/{rel_parts[0]}"):
             continue
         try:
             stat = f.stat()