@palettelab/cli 0.3.34 → 0.3.36

package/README.md

@@ -275,17 +275,28 @@ async def create_invoice(body: InvoiceIn, ctx: PluginContext = Depends(get_plugi
 
 Backend SDK features for app-owned data:
 
-- `PluginContext` exposes `user_id`, `organization_id`, `plugin_id`, `permissions`, `config`, `storage`, `ctx.db`, `ctx.redis`, and `ctx.vector`.
+- `PluginRouter`, `PluginContext`, and `get_plugin_context` provide the FastAPI route and request-context surface.
+- `PluginContext` exposes `user_id`, `organization_id`, `org_role`, `plugin_id`, `permissions`, `storage`, `ctx.db`, `ctx.data_rooms`, `ctx.members`, `ctx.redis`, `ctx.vector`, `ctx.config`, and `ctx.logger`.
 - `ctx.db` is the full scoped SQLAlchemy `AsyncSession` for app-owned database data.
 - `ctx.repo(Model)` gives org-safe CRUD helpers for app tables.
 - `ctx.data_rooms` gives backend access to Palette Data Rooms without importing platform internals.
+- `ctx.members` gives backend access to current organisation members; it exposes list/get/invite/update-role helpers, but no delete/remove helper.
 - `ctx.has_permission("...")`, `ctx.has_any_permission([...])`, and `ctx.has_all_permissions([...])` check declared permissions.
 - `ctx.config_value("key")` and `ctx.require_config("key")` read app install/config values.
 - `ctx.secret("KEY")` reads app secrets from config or environment variables.
+- `get_config(ctx, key)` and `require_config(ctx, key)` are functional config helper forms.
+- `require_permission(permission)`, `KNOWN_PERMISSIONS`, and `is_known_permission(permission)` support route and manifest permission checks.
 - `ctx.redis` gives a Redis-backed, plugin/org-scoped Redis API when `"redis"` is declared in `platform_services`.
 - `ctx.vector` gives a Qdrant-backed, plugin/org-scoped vector API when `"vector"` is declared in `platform_services`.
 - `LifecycleHooks` lets apps define install/update/enable/disable/uninstall hooks.
 - `OrgScopedTable` and `PluginBase` keep app data inside the plugin schema model set.
+- `plugin_safe_id(...)`, `plugin_schema(...)`, `plugin_table_prefix(...)`, and `ensure_org_rls(...)` keep database names and row-level security consistent.
+- `Event` and `subscribe_event(...)` register in-process platform event handlers.
+- `sign_webhook(...)` and `verify_webhook_signature(...)` handle HMAC-SHA256 webhook signing checks.
+- `ToolDefinition` is the base class for custom agent tools.
+- `PluginManifest` and `load_manifest(...)` parse and validate `palette-plugin.json`.
+- `SuccessResponse`, `ErrorResponse`, and `PaginatedResponse` are reusable response schemas.
+- `route_permission_issues(router, public_routes=None)` is the test helper for detecting ungated backend routes.
 
 Python backend Data Room example:
 
@@ -523,7 +534,7 @@ await ctx.redis.incr("counter")
 await ctx.redis.decr("counter")
 await ctx.redis.scan(prefix="cache:", limit=100)
 
-# Redis hashes, lists, sets, sorted sets, streams, locks
+# Redis hashes, lists, sets, sorted sets, queues, locks
 await ctx.redis.hset("hash", "field", {"value": 1})
 await ctx.redis.hgetall("hash")
 await ctx.redis.lpush("queue", {"job": 1})
@@ -532,8 +543,8 @@ await ctx.redis.sadd("tags", "red", "blue")
 await ctx.redis.smembers("tags")
 await ctx.redis.zadd("scores", {"alice": 10})
 await ctx.redis.zrange("scores", 0, -1, with_scores=True)
-await ctx.redis.xadd("events", {"type": "created"})
-await ctx.redis.xread({"events": "0-0"}, count=10)
+await ctx.redis.enqueue("jobs", {"task": "sync"})
+await ctx.redis.dequeue("jobs")
 await ctx.redis.lock("invoice:1", token, ttl=30)
 await ctx.redis.unlock("invoice:1", token)
 

package/backend-sdk/palette_sdk/__init__.py

@@ -3,6 +3,7 @@
 from palette_sdk.plugin_router import PluginRouter
 from palette_sdk.plugin_context import MissingSecretError, PluginContext, get_plugin_context
 from palette_sdk.data_rooms import DataRoomsClient
+from palette_sdk.members import OrganizationMembersClient
 from palette_sdk.platform_services import (
     LocalRedisService,
     LocalVectorService,
@@ -42,6 +43,7 @@ __all__ = [
     "MissingSecretError",
     "get_plugin_context",
     "DataRoomsClient",
+    "OrganizationMembersClient",
     "LocalRedisService",
     "LocalVectorService",
     "PlatformServiceUnavailable",

package/backend-sdk/palette_sdk/members.py

@@ -0,0 +1,45 @@
+"""Backend organization member helpers for plugin Python code."""
+
+from __future__ import annotations
+
+from typing import Any
+
+
+class OrganizationMembersClient:
+    """Thin wrapper around the platform-injected organization member service."""
+
+    def __init__(self, service: Any = None, permissions: list[str] | None = None):
+        self._service = service
+        self._permissions = permissions or []
+
+    def _require_service(self) -> Any:
+        if self._service is None:
+            raise RuntimeError(
+                "Organization member service is not available in this runtime. "
+                "Run inside Palette OS/hosted sandbox or inject a fake service in tests."
+            )
+        return self._service
+
+    def _require_permission(self, permission: str) -> None:
+        if permission not in self._permissions:
+            raise PermissionError(f"App does not declare required permission: {permission}")
+
+    async def list(self) -> list[dict[str, Any]]:
+        self._require_permission("members:read")
+        return await self._require_service().list_members()
+
+    async def get(self, user_id: str) -> dict[str, Any] | None:
+        self._require_permission("members:read")
+        return await self._require_service().get_member(user_id)
+
+    async def get_by_email(self, email: str) -> dict[str, Any] | None:
+        self._require_permission("members:read")
+        return await self._require_service().get_member_by_email(email)
+
+    async def invite(self, email: str, role: str = "member") -> dict[str, Any]:
+        self._require_permission("members:write")
+        return await self._require_service().invite_member(email, role)
+
+    async def update_role(self, user_id: str, role: str) -> dict[str, Any]:
+        self._require_permission("members:write")
+        return await self._require_service().update_member_role(user_id, role)

package/backend-sdk/palette_sdk/permissions.py

@@ -25,6 +25,7 @@ KNOWN_PERMISSIONS: frozenset[str] = frozenset(
         "routines:read",
         "routines:write",
         "members:read",
+        "members:write",
         "resources:read",
         "resources:write",
     }

package/backend-sdk/palette_sdk/plugin_context.py

@@ -11,6 +11,7 @@ from fastapi import Depends, Request
 from sqlalchemy.ext.asyncio import AsyncSession
 
 from palette_sdk.data_rooms import DataRoomsClient
+from palette_sdk.members import OrganizationMembersClient
 from palette_sdk.platform_services import UnavailablePlatformService
 
 
@@ -35,6 +36,7 @@ class PluginContext:
         plugin_id: The plugin's ID from its manifest
         permissions: List of permissions declared in the manifest
         storage: Storage service for file upload/download
+        members: Organization member helpers for the current org
     """
     db: AsyncSession
     user_id: str
@@ -44,6 +46,7 @@ class PluginContext:
     permissions: list[str] = field(default_factory=list)
     storage: Any = None  # Platform storage service injected at runtime
     data_rooms: DataRoomsClient = field(default_factory=DataRoomsClient)
+    members: OrganizationMembersClient = field(default_factory=OrganizationMembersClient)
     redis: Any = field(default_factory=lambda: UnavailablePlatformService("redis"))
     vector: Any = field(default_factory=lambda: UnavailablePlatformService("vector"))
     config: dict[str, Any] = field(default_factory=dict)
@@ -110,6 +113,10 @@ async def get_plugin_context(request: Request) -> PluginContext:
         permissions=getattr(state, "plugin_permissions", []),
         storage=getattr(state, "storage", None),
         data_rooms=DataRoomsClient(getattr(state, "data_rooms", None)),
+        members=OrganizationMembersClient(
+            getattr(state, "org_members", None),
+            getattr(state, "plugin_permissions", []),
+        ),
         redis=getattr(state, "redis", None) or UnavailablePlatformService("redis"),
         vector=getattr(state, "vector", None) or UnavailablePlatformService("vector"),
         config=getattr(state, "plugin_config", {}),

package/docs/python-backend-sdk.md

@@ -112,6 +112,7 @@ Available context values:
 | `ctx.permissions` | Permissions granted from `palette-plugin.json` |
 | `ctx.storage` | Runtime storage service, when available |
 | `ctx.data_rooms` | Backend Data Room client |
+| `ctx.members` | Current organisation member client |
 | `ctx.redis` | Plugin/org-scoped Redis-style service when `platform_services` includes `redis` |
 | `ctx.vector` | Plugin/org-scoped vector service when `platform_services` includes `vector` |
 | `ctx.config` | App install/config values |
@@ -124,6 +125,34 @@ Available context values:
 | `ctx.require_config(key)` | Read required config or raise |
 | `ctx.secret(key, default)` | Read a secret from app config or environment |
 
+## 4a. Backend Helper API Index
+
+These are the public Python helpers exported by `palette_sdk`.
+
+| Helper | Use it for |
+|---|---|
+| `PluginRouter` | FastAPI router mounted under `/api/v1/plugins/<plugin-id>` |
+| `PluginContext`, `get_plugin_context` | Authenticated request context dependency |
+| `MissingSecretError` | Handling missing required declared secrets from `ctx.secret(...)` |
+| `require_permission(permission)` | Route-level permission gate required for protected routes |
+| `KNOWN_PERMISSIONS`, `is_known_permission(...)` | Permission vocabulary checks for manifests/tools |
+| `DataRoomsClient`, `ctx.data_rooms` | Backend Data Room room/folder/file helpers |
+| `OrganizationMembersClient`, `ctx.members` | Current-organization member lookup, invite, and role helpers |
+| `OrgRepository`, `ctx.repo(Model)` | Org-safe convenience CRUD for app-owned models |
+| `PluginBase`, `OrgScopedTable` | SQLAlchemy declarative bases for plugin-owned tables |
+| `ensure_org_rls(op, table)` | Alembic helper that enables org row-level security |
+| `plugin_safe_id(...)`, `plugin_schema(...)`, `plugin_table_prefix(...)` | Manifest id to database-safe naming helpers |
+| `get_config(ctx, key)`, `require_config(ctx, key)` | Functional form of config reads when not using `ctx.config_value(...)` |
+| `LocalRedisService`, `LocalVectorService` | Local `pltt dev` service emulators and test fakes |
+| `PlatformServiceUnavailable`, `UnavailablePlatformService` | Clear errors when an undeclared platform service is used |
+| `LifecycleHooks` | Install/update/enable/disable/uninstall callbacks |
+| `Event`, `subscribe_event(...)` | In-process platform event subscriptions |
+| `sign_webhook(...)`, `verify_webhook_signature(...)` | HMAC-SHA256 webhook signing and verification |
+| `ToolDefinition` | Base class for custom agent tools |
+| `PluginManifest`, `load_manifest(...)` | Typed manifest parsing from `palette-plugin.json` |
+| `SuccessResponse`, `ErrorResponse`, `PaginatedResponse` | Common response schemas for plugin APIs |
+| `route_permission_issues(router, public_routes=None)` | Test helper that reports routes missing `require_permission(...)` |
+
 ## 5. Permissions
 
 Use route-level permission guards for normal APIs:
@@ -167,10 +196,26 @@ data_rooms:read, data_rooms:write
 agents:read, agents:write
 chat:read, chat:write
 routines:read, routines:write
-members:read
+members:read, members:write
 resources:read, resources:write
 ```
 
+Organisation member helpers:
+
+```python
+@router.get("/members", dependencies=[require_permission("members:read")])
+async def members(ctx: PluginContext = Depends(get_plugin_context)):
+    return await ctx.members.list()
+
+@router.post("/members/invite", dependencies=[require_permission("members:write")])
+async def invite_member(email: str, ctx: PluginContext = Depends(get_plugin_context)):
+    return await ctx.members.invite(email, role="member")
+```
+
+`ctx.members` exposes `list()`, `get(user_id)`, `get_by_email(email)`,
+`invite(email, role="member")`, and `update_role(user_id, role)`. Member
+deletion/removal is intentionally not exposed through the app SDK.
+
 ## 6. App-Owned Data
 
 Apps can ship their own tables and migrations. Use `OrgScopedTable` for data
@@ -649,8 +694,6 @@ await ctx.redis.zrem("scores", "bob")
 
 await ctx.redis.enqueue("jobs", {"task": "sync"})
 await ctx.redis.dequeue("jobs")
-await ctx.redis.xadd("events", {"type": "created"})
-await ctx.redis.xread({"events": "0-0"}, count=10)
 await ctx.redis.lock("invoice:1", token, ttl=30)
 await ctx.redis.unlock("invoice:1", token)
 ```
@@ -730,12 +773,10 @@ Frontend code should call backend routes through the platform API helper, not by
 hardcoding backend origins.
 
 ```tsx
-import { createPaletteClient } from "@palettelab/sdk"
-
-const palette = createPaletteClient()
+import { apiFetch } from "@palettelab/sdk"
 
 async function loadInvoices() {
-  const res = await palette.apiFetch("/api/v1/plugins/finance-tools/invoices")
+  const res = await apiFetch("/api/v1/plugins/finance-tools/invoices")
   return res.json()
 }
 ```

package/lib/manifest.js

@@ -18,6 +18,7 @@ const KNOWN_PERMISSIONS = new Set([
   "routines:read",
   "routines:write",
   "members:read",
+  "members:write",
   "resources:read",
   "resources:write",
 ])

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@palettelab/cli",
-  "version": "0.3.34",
+  "version": "0.3.36",
   "description": "Developer CLI for building Palette platform plugins — no platform source access required.",
   "bin": {
     "pltt": "bin/pltt.js"