@palettelab/cli 0.3.34 → 0.3.35

package/README.md

@@ -275,10 +275,11 @@ async def create_invoice(body: InvoiceIn, ctx: PluginContext = Depends(get_plugi
 
 Backend SDK features for app-owned data:
 
-- `PluginContext` exposes `user_id`, `organization_id`, `plugin_id`, `permissions`, `config`, `storage`, `ctx.db`, `ctx.redis`, and `ctx.vector`.
+- `PluginContext` exposes `user_id`, `organization_id`, `plugin_id`, `permissions`, `config`, `storage`, `ctx.db`, `ctx.members`, `ctx.redis`, and `ctx.vector`.
 - `ctx.db` is the full scoped SQLAlchemy `AsyncSession` for app-owned database data.
 - `ctx.repo(Model)` gives org-safe CRUD helpers for app tables.
 - `ctx.data_rooms` gives backend access to Palette Data Rooms without importing platform internals.
+- `ctx.members` gives backend access to current organisation members; it exposes list/get/invite/update-role helpers, but no delete/remove helper.
 - `ctx.has_permission("...")`, `ctx.has_any_permission([...])`, and `ctx.has_all_permissions([...])` check declared permissions.
 - `ctx.config_value("key")` and `ctx.require_config("key")` read app install/config values.
 - `ctx.secret("KEY")` reads app secrets from config or environment variables.

package/backend-sdk/palette_sdk/__init__.py

@@ -3,6 +3,7 @@
 from palette_sdk.plugin_router import PluginRouter
 from palette_sdk.plugin_context import MissingSecretError, PluginContext, get_plugin_context
 from palette_sdk.data_rooms import DataRoomsClient
+from palette_sdk.members import OrganizationMembersClient
 from palette_sdk.platform_services import (
     LocalRedisService,
     LocalVectorService,
@@ -42,6 +43,7 @@ __all__ = [
     "MissingSecretError",
     "get_plugin_context",
     "DataRoomsClient",
+    "OrganizationMembersClient",
     "LocalRedisService",
     "LocalVectorService",
     "PlatformServiceUnavailable",

package/backend-sdk/palette_sdk/members.py

@@ -0,0 +1,45 @@
+"""Backend organization member helpers for plugin Python code."""
+
+from __future__ import annotations
+
+from typing import Any
+
+
+class OrganizationMembersClient:
+    """Thin wrapper around the platform-injected organization member service."""
+
+    def __init__(self, service: Any = None, permissions: list[str] | None = None):
+        self._service = service
+        self._permissions = permissions or []
+
+    def _require_service(self) -> Any:
+        if self._service is None:
+            raise RuntimeError(
+                "Organization member service is not available in this runtime. "
+                "Run inside Palette OS/hosted sandbox or inject a fake service in tests."
+            )
+        return self._service
+
+    def _require_permission(self, permission: str) -> None:
+        if permission not in self._permissions:
+            raise PermissionError(f"App does not declare required permission: {permission}")
+
+    async def list(self) -> list[dict[str, Any]]:
+        self._require_permission("members:read")
+        return await self._require_service().list_members()
+
+    async def get(self, user_id: str) -> dict[str, Any] | None:
+        self._require_permission("members:read")
+        return await self._require_service().get_member(user_id)
+
+    async def get_by_email(self, email: str) -> dict[str, Any] | None:
+        self._require_permission("members:read")
+        return await self._require_service().get_member_by_email(email)
+
+    async def invite(self, email: str, role: str = "member") -> dict[str, Any]:
+        self._require_permission("members:write")
+        return await self._require_service().invite_member(email, role)
+
+    async def update_role(self, user_id: str, role: str) -> dict[str, Any]:
+        self._require_permission("members:write")
+        return await self._require_service().update_member_role(user_id, role)

package/backend-sdk/palette_sdk/permissions.py

@@ -25,6 +25,7 @@ KNOWN_PERMISSIONS: frozenset[str] = frozenset(
         "routines:read",
         "routines:write",
         "members:read",
+        "members:write",
         "resources:read",
         "resources:write",
     }

package/backend-sdk/palette_sdk/plugin_context.py

@@ -11,6 +11,7 @@ from fastapi import Depends, Request
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from palette_sdk.data_rooms import DataRoomsClient
+from palette_sdk.members import OrganizationMembersClient
 from palette_sdk.platform_services import UnavailablePlatformService
 
 
@@ -35,6 +36,7 @@ class PluginContext:
         plugin_id: The plugin's ID from its manifest
         permissions: List of permissions declared in the manifest
         storage: Storage service for file upload/download
+        members: Organization member helpers for the current org
     """
     db: AsyncSession
     user_id: str
@@ -44,6 +46,7 @@ class PluginContext:
     permissions: list[str] = field(default_factory=list)
     storage: Any = None  # Platform storage service injected at runtime
     data_rooms: DataRoomsClient = field(default_factory=DataRoomsClient)
+    members: OrganizationMembersClient = field(default_factory=OrganizationMembersClient)
     redis: Any = field(default_factory=lambda: UnavailablePlatformService("redis"))
     vector: Any = field(default_factory=lambda: UnavailablePlatformService("vector"))
     config: dict[str, Any] = field(default_factory=dict)
@@ -110,6 +113,10 @@ async def get_plugin_context(request: Request) -> PluginContext:
         permissions=getattr(state, "plugin_permissions", []),
         storage=getattr(state, "storage", None),
         data_rooms=DataRoomsClient(getattr(state, "data_rooms", None)),
+        members=OrganizationMembersClient(
+            getattr(state, "org_members", None),
+            getattr(state, "plugin_permissions", []),
+        ),
         redis=getattr(state, "redis", None) or UnavailablePlatformService("redis"),
         vector=getattr(state, "vector", None) or UnavailablePlatformService("vector"),
         config=getattr(state, "plugin_config", {}),

package/docs/python-backend-sdk.md

@@ -112,6 +112,7 @@ Available context values:
 | `ctx.permissions` | Permissions granted from `palette-plugin.json` |
 | `ctx.storage` | Runtime storage service, when available |
 | `ctx.data_rooms` | Backend Data Room client |
+| `ctx.members` | Current organisation member client |
 | `ctx.redis` | Plugin/org-scoped Redis-style service when `platform_services` includes `redis` |
 | `ctx.vector` | Plugin/org-scoped vector service when `platform_services` includes `vector` |
 | `ctx.config` | App install/config values |
@@ -167,10 +168,26 @@ data_rooms:read, data_rooms:write
 agents:read, agents:write
 chat:read, chat:write
 routines:read, routines:write
-members:read
+members:read, members:write
 resources:read, resources:write
 ```
 
+Organisation member helpers:
+
+```python
+@router.get("/members", dependencies=[require_permission("members:read")])
+async def members(ctx: PluginContext = Depends(get_plugin_context)):
+    return await ctx.members.list()
+
+@router.post("/members/invite", dependencies=[require_permission("members:write")])
+async def invite_member(email: str, ctx: PluginContext = Depends(get_plugin_context)):
+    return await ctx.members.invite(email, role="member")
+```
+
+`ctx.members` exposes `list()`, `get(user_id)`, `get_by_email(email)`,
+`invite(email, role="member")`, and `update_role(user_id, role)`. Member
+deletion/removal is intentionally not exposed through the app SDK.
+
 ## 6. App-Owned Data
 
 Apps can ship their own tables and migrations. Use `OrgScopedTable` for data

package/lib/manifest.js

@@ -18,6 +18,7 @@ const KNOWN_PERMISSIONS = new Set([
   "routines:read",
   "routines:write",
   "members:read",
+  "members:write",
   "resources:read",
   "resources:write",
 ])

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@palettelab/cli",
-  "version": "0.3.34",
+  "version": "0.3.35",
   "description": "Developer CLI for building Palette platform plugins — no platform source access required.",
   "bin": {
     "pltt": "bin/pltt.js"