@exulu/backend 1.9.0 → 1.11.0

package/dist/index.cjs

@@ -308,46 +308,55 @@ var mapType = (t, type, name, defaultValue, unique) => {
   if (type === "text") {
     t.text(name);
     if (unique) t.unique(name);
+    if (defaultValue) t.defaultTo(defaultValue);
     return;
   }
   if (type === "longText") {
     t.text(name);
     if (unique) t.unique(name);
+    if (defaultValue) t.defaultTo(defaultValue);
     return;
   }
   if (type === "shortText") {
     t.string(name, 100);
     if (unique) t.unique(name);
+    if (defaultValue) t.defaultTo(defaultValue);
     return;
   }
   if (type === "number") {
     t.float(name);
     if (unique) t.unique(name);
+    if (defaultValue) t.defaultTo(defaultValue);
     return;
   }
   if (type === "boolean") {
     t.boolean(name).defaultTo(defaultValue || false);
     if (unique) t.unique(name);
+    if (defaultValue) t.defaultTo(defaultValue);
     return;
   }
   if (type === "code") {
     t.text(name);
     if (unique) t.unique(name);
+    if (defaultValue) t.defaultTo(defaultValue);
     return;
   }
   if (type === "json") {
     t.jsonb(name);
     if (unique) t.unique(name);
+    if (defaultValue) t.defaultTo(defaultValue);
     return;
   }
   if (type === "date") {
     t.timestamp(name);
     if (unique) t.unique(name);
+    if (defaultValue) t.defaultTo(defaultValue);
     return;
   }
   if (type === "uuid") {
     t.uuid(name);
     if (unique) t.unique(name);
+    if (defaultValue) t.defaultTo(defaultValue);
     return;
   }
   throw new Error("Invalid type: " + type);
@@ -576,6 +585,12 @@ var ExuluAgent = class {
     this.slug = `/agents/${generateSlug(this.name)}/run`;
     this.model = this.config?.model;
   }
+  get providerName() {
+    return this.config?.model?.create({ apiKey: "" })?.provider || "";
+  }
+  get modelName() {
+    return this.config?.model?.create({ apiKey: "" })?.modelId || "";
+  }
   // Exports the agent as a tool that can be used by another agent
   // todo test this
   tool = () => {
@@ -1938,6 +1953,7 @@ var import_schema = require("@graphql-tools/schema");
 var import_graphql_type_json = __toESM(require("graphql-type-json"), 1);
 var import_graphql = require("graphql");
 var import_crypto_js2 = __toESM(require("crypto-js"), 1);
+var import_bcryptjs2 = __toESM(require("bcryptjs"), 1);
 var GraphQLDate = new import_graphql.GraphQLScalarType({
   name: "Date",
   description: "Date custom scalar type",
@@ -2005,17 +2021,21 @@ function createTypeDefs(table) {
     const required = field.required ? "!" : "";
     return `  ${field.name}: ${type}${required}`;
   });
+  const rbacField = table.RBAC ? "  RBAC: RBACData" : "";
   const typeDef = `
   type ${table.name.singular} {
   ${fields.join("\n")}
-    id: ID!
+    ${table.fields.find((field) => field.name === "id") ? "" : "id: ID!"}
     createdAt: Date!
     updatedAt: Date!
+${rbacField}
   }
   `;
+  const rbacInputField = table.RBAC ? "  RBAC: RBACInput" : "";
   const inputDef = `
 input ${table.name.singular}Input {
 ${table.fields.map((f) => `  ${f.name}: ${map(f)}`).join("\n")}
+${rbacInputField}
 }
 `;
   return typeDef + inputDef;
@@ -2084,33 +2104,184 @@ var getRequestedFields = (info) => {
     acc[field.name.value] = true;
     return acc;
   }, {}));
-  return fields.filter((field) => field !== "pageInfo" && field !== "items");
+  return fields.filter((field) => field !== "pageInfo" && field !== "items" && field !== "RBAC");
+};
+var handleRBACUpdate = async (db3, entityName, resourceId, rbacData, existingRbacRecords) => {
+  const { users = [], roles = [] } = rbacData;
+  if (!existingRbacRecords) {
+    existingRbacRecords = await db3.from("rbac").where({
+      entity: entityName,
+      target_resource_id: resourceId
+    }).select("*");
+  }
+  const newUserRecords = new Set(users.map((u) => `${u.id}:${u.rights}`));
+  const newRoleRecords = new Set(roles.map((r) => `${r.id}:${r.rights}`));
+  const existingUserRecords = new Set(existingRbacRecords.filter((r) => r.access_type === "User").map((r) => `${r.user_id}:${r.rights}`));
+  const existingRoleRecords = new Set(existingRbacRecords.filter((r) => r.access_type === "Role").map((r) => `${r.role_id}:${r.rights}`));
+  const usersToCreate = users.filter((u) => !existingUserRecords.has(`${u.id}:${u.rights}`));
+  const rolesToCreate = roles.filter((r) => !existingRoleRecords.has(`${r.id}:${r.rights}`));
+  const usersToRemove = existingRbacRecords.filter((r) => r.access_type === "User" && !newUserRecords.has(`${r.user_id}:${r.rights}`));
+  const rolesToRemove = existingRbacRecords.filter((r) => r.access_type === "Role" && !newRoleRecords.has(`${r.role_id}:${r.rights}`));
+  if (usersToRemove.length > 0) {
+    await db3.from("rbac").whereIn("id", usersToRemove.map((r) => r.id)).del();
+  }
+  if (rolesToRemove.length > 0) {
+    await db3.from("rbac").whereIn("id", rolesToRemove.map((r) => r.id)).del();
+  }
+  const recordsToInsert = [];
+  usersToCreate.forEach((user) => {
+    recordsToInsert.push({
+      entity: entityName,
+      access_type: "User",
+      target_resource_id: resourceId,
+      user_id: user.id,
+      rights: user.rights,
+      createdAt: /* @__PURE__ */ new Date(),
+      updatedAt: /* @__PURE__ */ new Date()
+    });
+  });
+  rolesToCreate.forEach((role) => {
+    recordsToInsert.push({
+      entity: entityName,
+      access_type: "Role",
+      target_resource_id: resourceId,
+      role_id: role.id,
+      rights: role.rights,
+      createdAt: /* @__PURE__ */ new Date(),
+      updatedAt: /* @__PURE__ */ new Date()
+    });
+  });
+  if (recordsToInsert.length > 0) {
+    await db3.from("rbac").insert(recordsToInsert);
+  }
 };
 function createMutations(table) {
   const tableNamePlural = table.name.plural.toLowerCase();
-  const tableNameSingular = table.name.singular.toLowerCase();
+  const validateWriteAccess = async (id, context) => {
+    const { db: db3, req, user } = context;
+    const hasRBAC = table.RBAC === true;
+    if (!hasRBAC) {
+      return true;
+    }
+    if (user.type === "api" || user.super_admin === true) {
+      return true;
+    }
+    try {
+      const authResult = await requestValidators.authenticate(req);
+      if (authResult.error || !authResult.user) {
+        throw new Error("Authentication required");
+      }
+      const user2 = authResult.user;
+      const record = await db3.from(tableNamePlural).select(["rights_mode", "created_by"]).where({ id }).first();
+      if (!record) {
+        throw new Error("Record not found");
+      }
+      if (record.rights_mode === "public") {
+        return true;
+      }
+      if (record.rights_mode === "private") {
+        if (record.created_by === user2.id) {
+          return true;
+        }
+        throw new Error("Only the creator can edit this private record");
+      }
+      if (record.rights_mode === "users") {
+        const rbacRecord = await db3.from("rbac").where({
+          entity: table.name.singular,
+          target_resource_id: id,
+          access_type: "User",
+          user_id: user2.id,
+          rights: "write"
+        }).first();
+        if (rbacRecord) {
+          return true;
+        }
+        throw new Error("Insufficient user permissions to edit this record");
+      }
+      if (record.rights_mode === "roles" && user2.role) {
+        const rbacRecord = await db3.from("rbac").where({
+          entity: table.name.singular,
+          target_resource_id: id,
+          access_type: "Role",
+          role_id: user2.role,
+          rights: "write"
+        }).first();
+        if (rbacRecord) {
+          return true;
+        }
+        throw new Error("Insufficient role permissions to edit this record");
+      }
+      throw new Error("Insufficient permissions to edit this record");
+    } catch (error) {
+      console.error("Write access validation error:", error);
+      throw error;
+    }
+  };
   return {
     [`${tableNamePlural}CreateOne`]: async (_, args, context, info) => {
       const { db: db3 } = context;
       const requestedFields = getRequestedFields(info);
       let { input } = args;
+      const rbacData = input.RBAC;
+      delete input.RBAC;
+      delete input.created_by;
       input = encryptSensitiveFields(input);
+      if (table.RBAC) {
+        input.created_by = context.user.id;
+      }
+      if (table.name.singular === "user" && context.user?.super_admin !== true) {
+        throw new Error("You are not authorized to create users");
+      }
+      if (table.name.singular === "user" && input.password) {
+        input.password = await import_bcryptjs2.default.hash(input.password, 10);
+      }
+      Object.keys(input).forEach((key) => {
+        if (table.fields.find((field) => field.name === key)?.type === "json") {
+          if (typeof input[key] === "object" || Array.isArray(input[key])) {
+            input[key] = JSON.stringify(input[key]);
+          }
+        }
+      });
       const results = await db3(tableNamePlural).insert({
         ...input,
+        ...table.RBAC ? { rights_mode: "private" } : {},
         createdAt: /* @__PURE__ */ new Date(),
         updatedAt: /* @__PURE__ */ new Date()
       }).returning(requestedFields);
+      if (table.RBAC && rbacData && results[0]) {
+        await handleRBACUpdate(db3, table.name.singular, results[0].id, rbacData, []);
+      }
       return results[0];
     },
     [`${tableNamePlural}UpdateOne`]: async (_, args, context, info) => {
       const { db: db3, req } = context;
       let { where, input } = args;
-      await validateSuperAdminPermission(tableNamePlural, input, req);
+      await validateCreateOrRemoveSuperAdminPermission(tableNamePlural, input, req);
+      if (where.id) {
+        await validateWriteAccess(where.id, context);
+      }
+      const rbacData = input.RBAC;
+      delete input.RBAC;
+      delete input.created_by;
       input = encryptSensitiveFields(input);
+      Object.keys(input).forEach((key) => {
+        if (table.fields.find((field) => field.name === key)?.type === "json") {
+          if (typeof input[key] === "object" || Array.isArray(input[key])) {
+            input[key] = JSON.stringify(input[key]);
+          }
+        }
+      });
       await db3(tableNamePlural).where(where).update({
         ...input,
         updatedAt: /* @__PURE__ */ new Date()
       });
+      if (table.RBAC && rbacData && where.id) {
+        const existingRbacRecords = await db3.from("rbac").where({
+          entity: table.name.singular,
+          target_resource_id: where.id
+        }).select("*");
+        await handleRBACUpdate(db3, table.name.singular, where.id, rbacData, existingRbacRecords);
+      }
       const requestedFields = getRequestedFields(info);
       const result = await db3.from(tableNamePlural).select(requestedFields).where(where).first();
       return result;
@@ -2118,12 +2289,30 @@ function createMutations(table) {
     [`${tableNamePlural}UpdateOneById`]: async (_, args, context, info) => {
       const { db: db3, req } = context;
       let { id, input } = args;
-      await validateSuperAdminPermission(tableNamePlural, input, req);
+      await validateCreateOrRemoveSuperAdminPermission(tableNamePlural, input, req);
+      await validateWriteAccess(id, context);
+      const rbacData = input.RBAC;
+      delete input.RBAC;
+      delete input.created_by;
       input = encryptSensitiveFields(input);
+      Object.keys(input).forEach((key) => {
+        if (table.fields.find((field) => field.name === key)?.type === "json") {
+          if (typeof input[key] === "object" || Array.isArray(input[key])) {
+            input[key] = JSON.stringify(input[key]);
+          }
+        }
+      });
       await db3(tableNamePlural).where({ id }).update({
         ...input,
         updatedAt: /* @__PURE__ */ new Date()
       });
+      if (table.RBAC && rbacData) {
+        const existingRbacRecords = await db3.from("rbac").where({
+          entity: table.name.singular,
+          target_resource_id: id
+        }).select("*");
+        await handleRBACUpdate(db3, table.name.singular, id, rbacData, existingRbacRecords);
+      }
       const requestedFields = getRequestedFields(info);
       const result = await db3.from(tableNamePlural).select(requestedFields).where({ id }).first();
       return result;
@@ -2133,7 +2322,16 @@ function createMutations(table) {
       const { where } = args;
       const requestedFields = getRequestedFields(info);
       const result = await db3.from(tableNamePlural).select(requestedFields).where(where).first();
+      if (!result) {
+        throw new Error("Record not found");
+      }
       await db3(tableNamePlural).where(where).del();
+      if (table.RBAC) {
+        await db3.from("rbac").where({
+          entity: table.name.singular,
+          target_resource_id: result.id
+        }).del();
+      }
       return result;
     },
     [`${tableNamePlural}RemoveOneById`]: async (_, args, context, info) => {
@@ -2141,11 +2339,54 @@ function createMutations(table) {
       const { db: db3 } = context;
       const requestedFields = getRequestedFields(info);
       const result = await db3.from(tableNamePlural).select(requestedFields).where({ id }).first();
+      if (!result) {
+        throw new Error("Record not found");
+      }
       await db3(tableNamePlural).where({ id }).del();
+      if (table.RBAC) {
+        await db3.from("rbac").where({
+          entity: table.name.singular,
+          target_resource_id: id
+        }).del();
+      }
       return result;
     }
   };
 }
+var applyAccessControl = (table, user, query) => {
+  console.log("table", table);
+  const tableNamePlural = table.name.plural.toLowerCase();
+  const hasRBAC = table.RBAC === true;
+  if (!hasRBAC) {
+    return query;
+  }
+  if (user.type === "api" || user.super_admin === true) {
+    return query;
+  }
+  try {
+    query = query.where(function() {
+      this.where("rights_mode", "public");
+      this.orWhere("created_by", user.id);
+      this.orWhere(function() {
+        this.where("rights_mode", "users").whereExists(function() {
+          this.select("*").from("rbac").whereRaw("rbac.target_resource_id = " + tableNamePlural + ".id").where("rbac.entity", table.name.singular).where("rbac.access_type", "User").where("rbac.user_id", user.id);
+        });
+      });
+      if (user.role) {
+        console.log("user.role", user.role);
+        this.orWhere(function() {
+          this.where("rights_mode", "roles").whereExists(function() {
+            this.select("*").from("rbac").whereRaw("rbac.target_resource_id = " + tableNamePlural + ".id").where("rbac.entity", table.name.singular).where("rbac.access_type", "Role").where("rbac.role_id", user.role);
+          });
+        });
+      }
+    });
+  } catch (error) {
+    console.error("Access control error:", error);
+    return query.where("1", "=", "0");
+  }
+  return query;
+};
 function createQueries(table) {
   const tableNamePlural = table.name.plural.toLowerCase();
   const tableNameSingular = table.name.singular.toLowerCase();
@@ -2180,7 +2421,9 @@ function createQueries(table) {
     [`${tableNameSingular}ById`]: async (_, args, context, info) => {
       const { db: db3 } = context;
       const requestedFields = getRequestedFields(info);
-      const result = await db3.from(tableNamePlural).select(requestedFields).where({ id: args.id }).first();
+      let query = db3.from(tableNamePlural).select(requestedFields).where({ id: args.id });
+      query = applyAccessControl(table, context.user, query);
+      const result = await query.first();
       return result;
     },
     [`${tableNameSingular}One`]: async (_, args, context, info) => {
@@ -2189,6 +2432,7 @@ function createQueries(table) {
       const requestedFields = getRequestedFields(info);
       let query = db3.from(tableNamePlural).select(requestedFields);
       query = applyFilters(query, filters);
+      query = applyAccessControl(table, context.user, query);
       query = applySorting(query, sort);
       const result = await query.first();
       return result;
@@ -2196,15 +2440,19 @@ function createQueries(table) {
     [`${tableNamePlural}Pagination`]: async (_, args, context, info) => {
       const { limit = 10, page = 0, filters = [], sort } = args;
       const { db: db3 } = context;
-      let baseQuery = db3(tableNamePlural);
-      baseQuery = applyFilters(baseQuery, filters);
-      const [{ count }] = await baseQuery.clone().count("* as count");
-      const itemCount = Number(count);
+      let countQuery = db3(tableNamePlural);
+      countQuery = applyFilters(countQuery, filters);
+      countQuery = applyAccessControl(table, context.user, countQuery);
+      console.log("countQuery", countQuery);
+      const countResult = await countQuery.count("* as count");
+      const itemCount = Number(countResult[0]?.count || 0);
       const pageCount = Math.ceil(itemCount / limit);
       const currentPage = page;
       const hasPreviousPage = currentPage > 1;
       const hasNextPage = currentPage < pageCount - 1;
-      let dataQuery = baseQuery.clone();
+      let dataQuery = db3(tableNamePlural);
+      dataQuery = applyFilters(dataQuery, filters);
+      dataQuery = applyAccessControl(table, context.user, dataQuery);
       const requestedFields = getRequestedFields(info);
       dataQuery = applySorting(dataQuery, sort);
       if (page > 1) {
@@ -2222,7 +2470,28 @@ function createQueries(table) {
         items
       };
     },
-    // Add jobStatistics query for jobs table
+    // Add generic statistics query for all tables
+    [`${tableNamePlural}Statistics`]: async (_, args, context, info) => {
+      const { filters = [], groupBy } = args;
+      const { db: db3 } = context;
+      let query = db3(tableNamePlural);
+      query = applyFilters(query, filters);
+      query = applyAccessControl(table, context.user, query);
+      if (groupBy) {
+        const results = await query.select(groupBy).count("* as count").groupBy(groupBy);
+        return results.map((r) => ({
+          group: r[groupBy],
+          count: Number(r.count)
+        }));
+      } else {
+        const [{ count }] = await query.count("* as count");
+        return [{
+          group: "total",
+          count: Number(count)
+        }];
+      }
+    },
+    // Add jobStatistics query for jobs table (backward compatibility)
     ...tableNamePlural === "jobs" ? {
       jobStatistics: async (_, args, context, info) => {
         const { user, agent, from, to } = args;
@@ -2240,6 +2509,11 @@ function createQueries(table) {
         if (to) {
           query = query.where("createdAt", "<=", to);
         }
+        query = applyAccessControl(table, context.user, query);
+        const runningQuery = query.clone().whereIn("status", ["active", "waiting", "delayed", "paused"]);
+        const [{ runningCount }] = await runningQuery.count("* as runningCount");
+        const erroredQuery = query.clone().whereIn("status", ["failed", "stuck"]);
+        const [{ erroredCount }] = await erroredQuery.count("* as erroredCount");
         const completedQuery = query.clone().where("status", "completed");
         const [{ completedCount }] = await completedQuery.count("* as completedCount");
         const failedQuery = query.clone().where("status", "failed");
@@ -2247,6 +2521,8 @@ function createQueries(table) {
         const durationQuery = query.clone().where("status", "completed").whereNotNull("duration").select(db3.raw('AVG("duration") as averageDuration'));
         const [{ averageDuration }] = await durationQuery;
         return {
+          runningCount: Number(runningCount),
+          erroredCount: Number(erroredCount),
           completedCount: Number(completedCount),
           failedCount: Number(failedCount),
           averageDuration: averageDuration ? Number(averageDuration) : 0
@@ -2255,12 +2531,59 @@ function createQueries(table) {
     } : {}
   };
 }
+var RBACResolver = async (db3, table, entityName, resourceId, rights_mode) => {
+  const rbacRecords = await db3.from("rbac").where({
+    entity: entityName,
+    target_resource_id: resourceId
+  }).select("*");
+  const users = rbacRecords.filter((r) => r.access_type === "User").map((r) => ({ id: r.user_id, rights: r.rights }));
+  const roles = rbacRecords.filter((r) => r.access_type === "Role").map((r) => ({ id: r.role_id, rights: r.rights }));
+  let type = rights_mode || "private";
+  if (type === "users" && users.length === 0) type = "private";
+  if (type === "roles" && roles.length === 0) type = "private";
+  return {
+    type,
+    users,
+    roles
+  };
+};
 function createSDL(tables) {
   console.log("[EXULU] Creating SDL");
   let typeDefs = `
     scalar JSON
     scalar Date
     
+    type RBACData {
+      type: String!
+      users: [RBACUser!]
+      roles: [RBACRole!]
+    }
+    
+    type RBACUser {
+      id: ID!
+      rights: String!
+    }
+    
+    type RBACRole {
+      id: ID!
+      rights: String!
+    }
+    
+    input RBACInput {
+      users: [RBACUserInput!]
+      roles: [RBACRoleInput!]
+    }
+    
+    input RBACUserInput {
+      id: ID!
+      rights: String!
+    }
+    
+    input RBACRoleInput {
+      id: ID!
+      rights: String!
+    }
+    
     type Query {
     `;
   let mutationDefs = `
@@ -2269,6 +2592,9 @@ function createSDL(tables) {
   let modelDefs = "";
   const resolvers = { JSON: import_graphql_type_json.default, Date: GraphQLDate, Query: {}, Mutation: {} };
   for (const table of tables) {
+    if (table.graphql === false) {
+      continue;
+    }
     const tableNamePlural = table.name.plural.toLowerCase();
     const tableNameSingular = table.name.singular.toLowerCase();
     const tableNameSingularUpperCaseFirst = table.name.singular.charAt(0).toUpperCase() + table.name.singular.slice(1);
@@ -2277,6 +2603,7 @@ function createSDL(tables) {
       ${tableNameSingular}ById(id: ID!): ${tableNameSingular}
       ${tableNamePlural}Pagination(limit: Int, page: Int, filters: [Filter${tableNameSingularUpperCaseFirst}], sort: SortBy): ${tableNameSingularUpperCaseFirst}PaginationResult
       ${tableNameSingular}One(filters: [Filter${tableNameSingularUpperCaseFirst}], sort: SortBy): ${tableNameSingular}
+      ${tableNamePlural}Statistics(filters: [Filter${tableNameSingularUpperCaseFirst}], groupBy: String): [StatisticsResult]!
       ${tableNamePlural === "jobs" ? `jobStatistics(user: ID, agent: String, from: String, to: String): JobStatistics` : ""}
     `;
     mutationDefs += `
@@ -2305,6 +2632,8 @@ type PageInfo {
     if (tableNamePlural === "jobs") {
       modelDefs += `
 type JobStatistics {
+  runningCount: Int!
+  erroredCount: Int!
   completedCount: Int!
   failedCount: Int!
   averageDuration: Float!
@@ -2313,10 +2642,29 @@ type JobStatistics {
     }
     Object.assign(resolvers.Query, createQueries(table));
     Object.assign(resolvers.Mutation, createMutations(table));
+    if (table.RBAC) {
+      const rbacResolverName = table.name.singular;
+      if (!resolvers[rbacResolverName]) {
+        resolvers[rbacResolverName] = {};
+      }
+      resolvers[rbacResolverName].RBAC = async (parent, args, context) => {
+        const { db: db3 } = context;
+        const resourceId = parent.id;
+        const entityName = table.name.singular;
+        const rights_mode = parent.rights_mode;
+        return RBACResolver(db3, table, entityName, resourceId, rights_mode);
+      };
+    }
   }
   typeDefs += "}\n";
   mutationDefs += "}\n";
-  const fullSDL = typeDefs + mutationDefs + modelDefs;
+  const genericTypes = `
+type StatisticsResult {
+  group: String!
+  count: Int!
+}
+`;
+  const fullSDL = typeDefs + mutationDefs + modelDefs + genericTypes;
   const schema = (0, import_schema.makeExecutableSchema)({
     typeDefs: fullSDL,
     resolvers
@@ -2353,7 +2701,7 @@ var encryptSensitiveFields = (input) => {
   }
   return input;
 };
-var validateSuperAdminPermission = async (tableNamePlural, input, req) => {
+var validateCreateOrRemoveSuperAdminPermission = async (tableNamePlural, input, req) => {
   if (tableNamePlural === "users" && input.super_admin !== void 0) {
     const authResult = await requestValidators.authenticate(req);
     if (authResult.error || !authResult.user) {
@@ -2404,6 +2752,10 @@ var agentSessionsSchema = {
       // next auth stores users with id type SERIAL, so we need to use number
       type: "number"
     },
+    {
+      name: "role",
+      type: "uuid"
+    },
     {
       name: "title",
       type: "text"
@@ -2416,6 +2768,11 @@ var usersSchema = {
     singular: "user"
   },
   fields: [
+    {
+      name: "id",
+      type: "number",
+      index: true
+    },
     {
       name: "firstname",
       type: "text"
@@ -2467,6 +2824,10 @@ var usersSchema = {
       name: "last_used",
       type: "date"
     },
+    {
+      name: "password",
+      type: "text"
+    },
     {
       name: "anthropic_token",
       type: "text"
@@ -2498,7 +2859,7 @@ var rolesSchema = {
     }
   ]
 };
-var statisticsSchema = {
+var statisticsSchema2 = {
   name: {
     plural: "statistics",
     singular: "statistic"
@@ -2664,6 +3025,7 @@ var agentsSchema = {
     plural: "agents",
     singular: "agent"
   },
+  RBAC: true,
   fields: [
     {
       name: "name",
@@ -2694,11 +3056,6 @@ var agentsSchema = {
       type: "boolean",
       default: false
     },
-    {
-      name: "public",
-      type: "boolean",
-      default: false
-    },
     {
       name: "tools",
       type: "json"
@@ -2728,6 +3085,128 @@ var variablesSchema = {
     }
   ]
 };
+var rbacSchema = {
+  name: {
+    plural: "rbac",
+    singular: "rbac"
+  },
+  graphql: false,
+  fields: [
+    {
+      name: "entity",
+      type: "text",
+      required: true
+    },
+    {
+      name: "access_type",
+      type: "text",
+      required: true
+    },
+    {
+      name: "target_resource_id",
+      type: "uuid",
+      required: true
+    },
+    {
+      name: "role_id",
+      type: "uuid"
+    },
+    {
+      name: "user_id",
+      type: "number"
+    },
+    {
+      name: "rights",
+      type: "text",
+      required: true
+    }
+  ]
+};
+var workflowTemplatesSchema = {
+  name: {
+    plural: "workflow_templates",
+    singular: "workflow_template"
+  },
+  RBAC: true,
+  fields: [
+    {
+      name: "name",
+      type: "text",
+      required: true
+    },
+    {
+      name: "description",
+      type: "text"
+    },
+    {
+      name: "owner",
+      type: "number",
+      required: true
+    },
+    {
+      name: "visibility",
+      type: "text",
+      required: true
+    },
+    {
+      name: "shared_user_ids",
+      type: "json"
+    },
+    {
+      name: "shared_role_ids",
+      type: "json"
+    },
+    {
+      name: "variables",
+      type: "json"
+    },
+    {
+      name: "steps_json",
+      type: "json",
+      required: true
+    },
+    {
+      name: "example_metadata_json",
+      type: "json"
+    }
+  ]
+};
+var addRBACfields = (schema) => {
+  if (schema.RBAC) {
+    console.log(`[EXULU] Adding rights_mode field to ${schema.name.plural} table.`);
+    schema.fields.push({
+      name: "rights_mode",
+      type: "text",
+      required: false,
+      default: "private"
+    });
+    schema.fields.push({
+      name: "created_by",
+      type: "number",
+      required: true,
+      default: 0
+    });
+  }
+  return schema;
+};
+var coreSchemas = {
+  get: () => {
+    return {
+      agentsSchema: () => addRBACfields(agentsSchema),
+      agentMessagesSchema: () => addRBACfields(agentMessagesSchema),
+      agentSessionsSchema: () => addRBACfields(agentSessionsSchema),
+      usersSchema: () => addRBACfields(usersSchema),
+      rolesSchema: () => addRBACfields(rolesSchema),
+      statisticsSchema: () => addRBACfields(statisticsSchema2),
+      workflowSchema: () => addRBACfields(workflowSchema),
+      evalResultsSchema: () => addRBACfields(evalResultsSchema),
+      jobsSchema: () => addRBACfields(jobsSchema),
+      variablesSchema: () => addRBACfields(variablesSchema),
+      rbacSchema: () => addRBACfields(rbacSchema),
+      workflowTemplatesSchema: () => addRBACfields(workflowTemplatesSchema)
+    };
+  }
+};
 
 // src/registry/uppy.ts
 var import_express = require("express");
@@ -3161,6 +3640,7 @@ var REQUEST_SIZE_LIMIT = "50mb";
 var global_queues = {
   logs_cleaner: "logs-cleaner"
 };
+var { agentsSchema: agentsSchema2, evalResultsSchema: evalResultsSchema2, jobsSchema: jobsSchema2, agentSessionsSchema: agentSessionsSchema2, agentMessagesSchema: agentMessagesSchema2, rolesSchema: rolesSchema2, usersSchema: usersSchema2, workflowSchema: workflowSchema2, variablesSchema: variablesSchema2, workflowTemplatesSchema: workflowTemplatesSchema2, rbacSchema: rbacSchema2 } = coreSchemas.get();
 var createRecurringJobs = async () => {
   console.log("[EXULU] creating recurring jobs.");
   const recurringJobSchedulersLogs = [];
@@ -3263,7 +3743,22 @@ var createExpressRoutes = async (app, agents, tools, workflows, contexts) => {
   } else {
     console.log("===========================", "[EXULU] no redis server configured, not setting up recurring jobs.", "===========================");
   }
-  const schema = createSDL([usersSchema, rolesSchema, agentsSchema, jobsSchema, workflowSchema, evalResultsSchema, agentSessionsSchema, agentMessagesSchema, variablesSchema]);
+  const schema = createSDL(
+    [
+      usersSchema2(),
+      rolesSchema2(),
+      agentsSchema2(),
+      jobsSchema2(),
+      workflowSchema2(),
+      evalResultsSchema2(),
+      agentSessionsSchema2(),
+      agentMessagesSchema2(),
+      variablesSchema2(),
+      workflowTemplatesSchema2(),
+      statisticsSchema(),
+      rbacSchema2()
+    ]
+  );
   console.log("[EXULU] graphql server");
   const server = new import_server3.ApolloServer({
     cache: new import_utils2.InMemoryLRUCache(),
@@ -3286,7 +3781,8 @@ var createExpressRoutes = async (app, agents, tools, workflows, contexts) => {
         const { db: db3 } = await postgresClient();
         return {
           req,
-          db: db3
+          db: db3,
+          user: authenticationResult.user
         };
       }
     })
@@ -3306,7 +3802,10 @@ var createExpressRoutes = async (app, agents, tools, workflows, contexts) => {
       return;
     }
     const { db: db3 } = await postgresClient();
-    const agentsFromDb = await db3.from("agents").select("*");
+    let query = db3("agents");
+    query.select("*");
+    query = applyAccessControl(agentsSchema2(), authenticationResult.user, query);
+    const agentsFromDb = await query;
     res.status(200).json(agentsFromDb.map((agent) => {
       const backend = agents.find((a) => a.id === agent.backend);
       if (!backend) {
@@ -3316,15 +3815,16 @@ var createExpressRoutes = async (app, agents, tools, workflows, contexts) => {
         name: agent.name,
         id: agent.id,
         description: agent.description,
-        provider: backend?.model?.provider,
-        model: backend?.model?.modelId,
+        provider: backend.providerName,
+        model: backend.modelName,
         active: agent.active,
-        public: agent.public,
         type: agent.type,
+        rights_mode: agent.rights_mode,
         slug: backend?.slug,
         rateLimit: backend?.rateLimit,
         streaming: backend?.streaming,
         capabilities: backend?.capabilities,
+        RBAC: agent.RBAC,
         // todo add contexts
         availableTools: tools,
         enabledTools: agent.tools
@@ -3345,7 +3845,11 @@ var createExpressRoutes = async (app, agents, tools, workflows, contexts) => {
       });
       return;
     }
-    const agent = await db3.from("agents").where({ id }).first();
+    let query = db3("agents");
+    query.select("*");
+    query = applyAccessControl(agentsSchema2(), authenticationResult.user, query);
+    query.where({ id });
+    const agent = await query.first();
     if (!agent) {
       res.status(400).json({
         message: "Agent not found in database."
@@ -3354,6 +3858,8 @@ var createExpressRoutes = async (app, agents, tools, workflows, contexts) => {
     }
     console.log("[EXULU] agent", agent);
     const backend = agents.find((a) => a.id === agent.backend);
+    console.log("[EXULU] agent", agent);
+    const RBAC = await RBACResolver(db3, agentsSchema2(), agentsSchema2().name.singular, agent.id, agent.rights_mode);
     res.status(200).json({
       ...{
         name: agent.name,
@@ -3364,9 +3870,11 @@ var createExpressRoutes = async (app, agents, tools, workflows, contexts) => {
         active: agent.active,
         public: agent.public,
         type: agent.type,
+        rights_mode: agent.rights_mode,
         slug: backend?.slug,
         rateLimit: backend?.rateLimit,
         streaming: backend?.streaming,
+        RBAC,
         capabilities: backend?.capabilities,
         providerApiKey: agent.providerApiKey,
         // todo add contexts
@@ -4225,9 +4733,11 @@ var createExpressRoutes = async (app, agents, tools, workflows, contexts) => {
         return;
       }
       const { db: db3 } = await postgresClient();
-      const agent = await db3.from("agents").where({
-        id: req.params.id
-      }).first();
+      let query = db3("agents");
+      query.select("*");
+      query = applyAccessControl(agentsSchema2(), authenticationResult.user, query);
+      query.where({ id: req.params.id });
+      const agent = await query.first();
       if (!agent) {
         const arrayBuffer = createCustomAnthropicStreamingMessage(`
 \x1B[41m -- Agent ${req.params.id} not found or you do not have access to it. --
@@ -6093,10 +6603,10 @@ var SentenceChunker = class _SentenceChunker extends BaseChunker {
 };
 
 // src/auth/generate-key.ts
-var import_bcryptjs2 = __toESM(require("bcryptjs"), 1);
+var import_bcryptjs3 = __toESM(require("bcryptjs"), 1);
 var SALT_ROUNDS = 12;
 async function encryptString(string) {
-  const hash = await import_bcryptjs2.default.hash(string, SALT_ROUNDS);
+  const hash = await import_bcryptjs3.default.hash(string, SALT_ROUNDS);
   return hash;
 }
 var generateApiKey = async (name, email) => {
@@ -6144,127 +6654,63 @@ var generateApiKey = async (name, email) => {
 };
 
 // src/postgres/init-db.ts
+var { agentsSchema: agentsSchema3, evalResultsSchema: evalResultsSchema3, jobsSchema: jobsSchema3, agentSessionsSchema: agentSessionsSchema3, agentMessagesSchema: agentMessagesSchema3, rolesSchema: rolesSchema3, usersSchema: usersSchema3, statisticsSchema: statisticsSchema3, variablesSchema: variablesSchema3, workflowTemplatesSchema: workflowTemplatesSchema3, rbacSchema: rbacSchema3 } = coreSchemas.get();
+var addMissingFields = async (knex, tableName, fields, skipFields = []) => {
+  for (const field of fields) {
+    const { type, name, default: defaultValue, unique } = field;
+    if (!type || !name) {
+      continue;
+    }
+    const sanitizedName = sanitizeName(name);
+    if (skipFields.includes(name)) {
+      continue;
+    }
+    const hasColumn = await knex.schema.hasColumn(tableName, sanitizedName);
+    if (!hasColumn) {
+      console.log(`[EXULU] Adding missing field '${sanitizedName}' to ${tableName} table.`);
+      await knex.schema.alterTable(tableName, (table) => {
+        mapType(table, type, sanitizedName, defaultValue, unique);
+      });
+    }
+    console.log(`[EXULU] Field '${sanitizedName}' already exists in ${tableName} table.`);
+  }
+};
 var up = async function(knex) {
   console.log("[EXULU] Database up.");
-  if (!await knex.schema.hasTable("agent_sessions")) {
-    console.log("[EXULU] Creating agent_sessions table.");
-    await knex.schema.createTable("agent_sessions", (table) => {
-      table.uuid("id").primary().defaultTo(knex.fn.uuid());
-      table.timestamp("createdAt").defaultTo(knex.fn.now());
-      table.timestamp("updatedAt").defaultTo(knex.fn.now());
-      for (const field of agentSessionsSchema.fields) {
-        const { type, name, default: defaultValue, unique } = field;
-        if (!type || !name) {
-          continue;
-        }
-        mapType(table, type, sanitizeName(name), defaultValue, unique);
-      }
-    });
-  }
-  if (!await knex.schema.hasTable("agent_messages")) {
-    console.log("[EXULU] Creating agent_messages table.");
-    await knex.schema.createTable("agent_messages", (table) => {
-      table.uuid("id").primary().defaultTo(knex.fn.uuid());
-      table.timestamp("createdAt").defaultTo(knex.fn.now());
-      table.timestamp("updatedAt").defaultTo(knex.fn.now());
-      for (const field of agentMessagesSchema.fields) {
-        const { type, name, default: defaultValue, unique } = field;
-        if (!type || !name) {
-          continue;
-        }
-        mapType(table, type, sanitizeName(name), defaultValue, unique);
-      }
-    });
-  }
-  if (!await knex.schema.hasTable("roles")) {
-    console.log("[EXULU] Creating roles table.");
-    await knex.schema.createTable("roles", (table) => {
-      table.uuid("id").primary().defaultTo(knex.fn.uuid());
-      table.timestamp("createdAt").defaultTo(knex.fn.now());
-      table.timestamp("updatedAt").defaultTo(knex.fn.now());
-      for (const field of rolesSchema.fields) {
-        const { type, name, default: defaultValue, unique } = field;
-        if (!type || !name) {
-          continue;
-        }
-        mapType(table, type, sanitizeName(name), defaultValue, unique);
-      }
-    });
-  }
-  if (!await knex.schema.hasTable("eval_results")) {
-    console.log("[EXULU] Creating eval_results table.");
-    await knex.schema.createTable("eval_results", (table) => {
-      table.uuid("id").primary().defaultTo(knex.fn.uuid());
-      table.timestamp("createdAt").defaultTo(knex.fn.now());
-      table.timestamp("updatedAt").defaultTo(knex.fn.now());
-      for (const field of evalResultsSchema.fields) {
-        const { type, name, default: defaultValue, unique } = field;
-        if (!type || !name) {
-          continue;
-        }
-        mapType(table, type, sanitizeName(name), defaultValue, unique);
-      }
-    });
-  }
-  if (!await knex.schema.hasTable("statistics")) {
-    console.log("[EXULU] Creating statistics table.");
-    await knex.schema.createTable("statistics", (table) => {
-      table.uuid("id").primary().defaultTo(knex.fn.uuid());
-      table.timestamp("createdAt").defaultTo(knex.fn.now());
-      table.timestamp("updatedAt").defaultTo(knex.fn.now());
-      for (const field of statisticsSchema.fields) {
-        const { type, name, default: defaultValue, unique } = field;
-        if (!type || !name) {
-          continue;
-        }
-        mapType(table, type, sanitizeName(name), defaultValue, unique);
-      }
-    });
-  }
-  if (!await knex.schema.hasTable("jobs")) {
-    console.log("[EXULU] Creating jobs table.");
-    await knex.schema.createTable("jobs", (table) => {
-      table.uuid("id").primary().defaultTo(knex.fn.uuid());
-      table.timestamp("createdAt").defaultTo(knex.fn.now());
-      table.timestamp("updatedAt").defaultTo(knex.fn.now());
-      for (const field of jobsSchema.fields) {
-        const { type, name, default: defaultValue, unique } = field;
-        if (!type || !name) {
-          continue;
-        }
-        mapType(table, type, sanitizeName(name), defaultValue, unique);
-      }
-    });
-  }
-  if (!await knex.schema.hasTable("agents")) {
-    console.log("[EXULU] Creating agents table.");
-    await knex.schema.createTable("agents", (table) => {
-      table.uuid("id").primary().defaultTo(knex.fn.uuid());
-      table.timestamp("createdAt").defaultTo(knex.fn.now());
-      table.timestamp("updatedAt").defaultTo(knex.fn.now());
-      for (const field of agentsSchema.fields) {
-        const { type, name, default: defaultValue, unique } = field;
-        if (!type || !name) {
-          continue;
-        }
-        mapType(table, type, sanitizeName(name), defaultValue, unique);
-      }
-    });
-  }
-  if (!await knex.schema.hasTable("variables")) {
-    console.log("[EXULU] Creating variables table.");
-    await knex.schema.createTable("variables", (table) => {
-      table.uuid("id").primary().defaultTo(knex.fn.uuid());
-      table.timestamp("createdAt").defaultTo(knex.fn.now());
-      table.timestamp("updatedAt").defaultTo(knex.fn.now());
-      for (const field of variablesSchema.fields) {
-        const { type, name, default: defaultValue, unique } = field;
-        if (!type || !name) {
-          continue;
+  const schemas = [
+    agentSessionsSchema3(),
+    agentMessagesSchema3(),
+    rolesSchema3(),
+    evalResultsSchema3(),
+    statisticsSchema3(),
+    jobsSchema3(),
+    rbacSchema3(),
+    agentsSchema3(),
+    variablesSchema3(),
+    workflowTemplatesSchema3()
+  ];
+  const createTable = async (schema) => {
+    if (!await knex.schema.hasTable(schema.name.plural)) {
+      console.log(`[EXULU] Creating ${schema.name.plural} table.`);
+      await knex.schema.createTable(schema.name.plural, (table) => {
+        table.uuid("id").primary().defaultTo(knex.fn.uuid());
+        table.timestamp("createdAt").defaultTo(knex.fn.now());
+        table.timestamp("updatedAt").defaultTo(knex.fn.now());
+        for (const field of schema.fields) {
+          const { type, name, default: defaultValue, unique } = field;
+          if (!type || !name) {
+            continue;
+          }
+          mapType(table, type, sanitizeName(name), defaultValue, unique);
         }
-        mapType(table, type, sanitizeName(name), defaultValue, unique);
-      }
-    });
+      });
+    } else {
+      console.log(`[EXULU] Checking missing fields to ${schema.name.plural} table.`);
+      await addMissingFields(knex, schema.name.plural, schema.fields);
+    }
+  };
+  for (const schema of schemas) {
+    await createTable(schema);
   }
   if (!await knex.schema.hasTable("verification_token")) {
     console.log("[EXULU] Creating verification_token table.");
@@ -6286,10 +6732,10 @@ var up = async function(knex) {
       table.string("email", 255);
       table.timestamp("emailVerified", { useTz: true });
       table.text("image");
-      for (const field of usersSchema.fields) {
+      for (const field of usersSchema3().fields) {
         console.log("[EXULU] field", field);
         const { type, name, default: defaultValue, unique } = field;
-        if (name === "id" || name === "name" || name === "email" || name === "emailVerified" || name === "image") {
+        if (name === "id" || name === "name" || name === "email" || name === "emailVerified" || name === "image" || name === "password") {
           continue;
         }
         if (!type || !name) {
@@ -6298,6 +6744,8 @@ var up = async function(knex) {
         mapType(table, type, sanitizeName(name), defaultValue, unique);
       }
     });
+  } else {
+    await addMissingFields(knex, "users", usersSchema3().fields, ["id", "name", "email", "emailVerified", "image"]);
   }
   if (!await knex.schema.hasTable("accounts")) {
     console.log("[EXULU] Creating accounts table.");