syntaxmatrix 1.4.6__py3-none-any.whl → 2.5.5.4__py3-none-any.whl

syntaxmatrix/auth.py

@@ -1,3 +1,4 @@
+from __future__ import annotations
 import os
 import sqlite3
 from werkzeug.security import generate_password_hash, check_password_hash
@@ -24,8 +25,10 @@ def _get_conn():
     conn.execute("PRAGMA foreign_keys = ON;")
     return conn
 
+
 def init_auth_db():
     """Create users table and seed the superadmin from env vars."""
+    # --- Users table ---
     conn = _get_conn()
     conn.execute("""
     CREATE TABLE IF NOT EXISTS users (
@@ -38,6 +41,33 @@ def init_auth_db():
     );
     """)
 
+    # --- Roles table ---
+    conn.execute("""
+    CREATE TABLE IF NOT EXISTS roles (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        name TEXT UNIQUE NOT NULL,
+        description TEXT DEFAULT '',
+        is_employee INTEGER NOT NULL DEFAULT 0,
+        is_admin INTEGER NOT NULL DEFAULT 0,
+        is_superadmin INTEGER NOT NULL DEFAULT 0,
+        created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+    );
+    """)
+
+    # --- Role change audit table ---
+    conn.execute("""
+    CREATE TABLE IF NOT EXISTS role_audit (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        actor_id INTEGER,
+        actor_label TEXT,
+        target_id INTEGER NOT NULL,
+        target_label TEXT,
+        from_role TEXT NOT NULL,
+        to_role TEXT NOT NULL,
+        created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
+    );
+    """)
+
     row = conn.execute(
         "SELECT 1 FROM users WHERE username = 'ceo' AND role='superadmin'"
     ).fetchone()
@@ -45,9 +75,9 @@ def init_auth_db():
     if not row:
         # (a) generate or read the one-off password file
         fw_data_dir = _CLIENT_DIR  # returns Path to <project>/.syntaxmatrix
-        cred_file = fw_data_dir / "superadmin_creds.txt"
+        cred_file = fw_data_dir / "superadmin_credentials.txt"
 
-        superadmin_email = "ceo@syntaxmatrix.com"
+        superadmin_email = "ceo@syntaxmatrix.ceo"
         superadmin_username = "ceo"
 
         if cred_file.exists():
@@ -69,10 +99,193 @@ def init_auth_db():
             "VALUES (?, ?, ?, ?)",
             (superadmin_email, superadmin_username, pw_hash, "superadmin")
         )
+
+    # --- Roles table + seed ---
+    # canonical roles
+    seed_roles = [
+        ("user", "Default registration", 0, 0, 0),
+        ("employee", "Employee", 1, 0, 0),
+        ("admin", "Administrator", 1, 1, 0),
+        ("superadmin", "Super administrator", 1, 1, 1),
+    ]
+    for r in seed_roles:
+        conn.execute("""
+            INSERT OR IGNORE INTO roles (name, description, is_employee, is_admin, is_superadmin)
+            VALUES (?, ?, ?, ?, ?)
+        """, r)
+    
     conn.commit()
     conn.close()
 
 
+def list_roles():
+    conn = _get_conn()
+    rows = conn.execute("""
+        SELECT id, name, description, is_employee, is_admin, is_superadmin, created_at
+        FROM roles
+        ORDER BY
+          CASE name
+            WHEN 'superadmin' THEN 0
+            WHEN 'admin' THEN 1
+            WHEN 'employee' THEN 2
+            WHEN 'user' THEN 3
+            ELSE 4
+          END, name
+    """).fetchall()
+    conn.close()
+    return [
+        {
+            "id": r[0], "name": r[1], "description": r[2],
+            "is_employee": bool(r[3]), "is_admin": bool(r[4]),
+            "is_superadmin": bool(r[5]), "created_at": r[6]
+        } for r in rows
+    ]
+
+
+RESERVED_ROLES = {"user", "employee", "admin", "superadmin"}
+
+def create_role(name: str, description: str = "", *, is_employee: bool = False, is_admin: bool = False) -> bool:
+    name = (name or "").strip().lower()
+    if not name or name in RESERVED_ROLES:
+        return False
+    if is_employee and is_admin:
+        # keep the hierarchy simple: a role can't be both employee and admin
+        return False
+    conn = _get_conn()
+    try:
+        conn.execute(
+            "INSERT INTO roles (name, description, is_employee, is_admin, is_superadmin) VALUES (?, ?, ?, ?, 0)",
+            (name, description or "", 1 if is_employee else 0, 1 if is_admin else 0)
+        )
+        conn.commit()
+        return True
+    except sqlite3.IntegrityError:
+        return False
+    finally:
+        conn.close()
+
+def delete_role(role_name: str):
+    """
+    Delete a custom role if:
+      - it is not reserved (superadmin, admin, employee, user)
+      - no users are currently assigned to it
+    Returns (ok, error_message_or_None)
+    """
+    import sqlite3
+    from . import db as _db
+
+    if not role_name:
+        return (False, "missing role_name")
+
+    name_l = role_name.strip().lower()
+    if name_l in {"superadmin", "admin", "employee", "user"}:
+        return (False, "reserved role")
+
+    conn = _get_conn()
+    conn.row_factory = sqlite3.Row
+    cur = conn.cursor()
+
+    # ensure role exists
+    cur.execute("SELECT id FROM roles WHERE lower(name)=?", (name_l,))
+    row = cur.fetchone()
+    if not row:
+        conn.close()
+        return (False, "not found")
+
+    # block if any user has this role
+    cur.execute("SELECT COUNT(*) AS c FROM users WHERE lower(role)=?", (name_l,))
+    in_use = (cur.fetchone() or {"c": 0})["c"]
+    if in_use:
+        conn.close()
+        return (False, "role in use by users")
+
+    cur.execute("DELETE FROM roles WHERE lower(name)=?", (name_l,))
+    conn.commit()
+    conn.close()
+    return (True, None)
+
+#############################################################
+# --- Minimal helpers for the Admin Users card ---
+def list_users():
+    """Return users for admin listing."""
+    conn = _get_conn()
+    rows = conn.execute("""
+        SELECT id, email, username, role, created_at
+        FROM users
+        ORDER BY created_at DESC
+    """).fetchall()
+    conn.close()
+    out = []
+    for r in rows:
+        out.append({
+            "id": r[0],
+            "email": r[1],
+            "username": r[2],
+            "role": (r[3] or "user"),
+            "created_at": r[4],
+        })
+    return out
+
+
+def _can_assign_role(actor_role: str, from_role: str, to_role: str) -> bool:
+    """Business rules:
+       - Admin can only do user -> employee
+       - Only superadmin can promote employee -> admin (or user -> admin)
+       - Never demote a superadmin
+    """
+    actor_role = (actor_role or "").lower()
+    from_role  = (from_role or "").lower()
+    to_role    = (to_role   or "").lower()
+
+    if actor_role == "superadmin":
+        if from_role == "superadmin" and to_role != "superadmin":
+            return False
+        return True
+
+    if actor_role == "admin":
+        # admins can: user -> employee  OR  employee -> user
+        return (from_role == "user" and to_role == "employee") or \
+               (from_role == "employee" and to_role == "user")
+
+    return False
+
+
+def set_user_role(actor_role: str, user_id: int, role_name: str) -> bool:
+    """Assign a role to a user, enforcing the rules above."""
+    role_name = (role_name or "").strip().lower()
+    if not role_name:
+        return False
+
+    conn = _get_conn()
+    try:
+        # ensure target role exists
+        exists = conn.execute(
+            "SELECT 1 FROM roles WHERE name = ?", (role_name,)
+        ).fetchone()
+        if not exists:
+            return False
+
+        # current role of target user
+        row = conn.execute(
+            "SELECT role FROM users WHERE id = ?", (user_id,)
+        ).fetchone()
+        if not row:
+            return False
+        from_role = (row[0] or "user")
+
+        if not _can_assign_role(actor_role, from_role, role_name):
+            return False
+
+        conn.execute(
+            "UPDATE users SET role = ? WHERE id = ?",
+            (role_name, user_id)
+        )
+        conn.commit()
+        return True
+    finally:
+        conn.close()
+
+
 def register_user(email:str, username:str, password:str, role:str = "user") -> bool:
     """Return True if registration succeeded, False if username taken."""
     hashed = generate_password_hash(password)
@@ -111,17 +324,17 @@ def login_required(f):
         return f(*args, **kwargs)
     return decorated
 
-def admin_required(f):
-    @wraps(f)
-    def decorated(*args, **kwargs):
-        if not session.get("user_id"):
-            flash("Please log in to access this page.")
-            return redirect(url_for("login", next=request.path))
-        if session.get("role") not in ("admin", "superadmin"):
-            flash("You do not have permission to access this page.")
-            return redirect(url_for("dashboard"))
-        return f(*args, **kwargs)
-    return decorated
+
+def admin_required(view):
+    @wraps(view)
+    def wrapper(*args, **kwargs):
+        role = (session.get("role") or "").lower()
+        if not has_admin_privileges(role):
+            flash("You do not have permission to access that page.", "error")
+            return redirect(url_for("login"))
+        return view(*args, **kwargs)
+    return wrapper
+
 
 def superadmin_required(f):
     @wraps(f)
@@ -134,4 +347,85 @@ def superadmin_required(f):
             return redirect(url_for("dashboard"))
         return f(*args, **kwargs)
     return decorated
-    
+
+
+def has_admin_privileges(role_name: str) -> bool:
+    role = (role_name or "").strip().lower()
+    if role == "superadmin":
+        return True
+    conn = _get_conn()
+    row = conn.execute("SELECT is_admin FROM roles WHERE name = ?", (role,)).fetchone()
+    conn.close()
+    return bool(row and row[0])
+
+
+def get_user_basic(user_id: int):
+    if not user_id:
+        return None
+    conn = _get_conn()
+    row = conn.execute(
+        "SELECT id, email, username, role FROM users WHERE id = ?",
+        (user_id,)
+    ).fetchone()
+    conn.close()
+    if not row:
+        return None
+    return {"id": row[0], "email": row[1], "username": row[2], "role": (row[3] or "user")}
+
+def add_role_audit(actor_id: int, actor_label: str, target_id: int, target_label: str, from_role: str, to_role: str):
+    conn = _get_conn()
+    conn.execute(
+        "INSERT INTO role_audit (actor_id, actor_label, target_id, target_label, from_role, to_role) VALUES (?,?,?,?,?,?)",
+        (actor_id, actor_label or "", target_id, target_label or "", (from_role or "user"), (to_role or "user"))
+    )
+    conn.commit()
+    conn.close()
+
+def list_role_audit(limit: int = 50):
+    conn = _get_conn()
+    rows = conn.execute(
+        "SELECT actor_label, target_label, from_role, to_role, created_at FROM role_audit ORDER BY id DESC LIMIT ?",
+        (int(limit),)
+    ).fetchall()
+    conn.close()
+    return [
+        {"actor_label": r[0], "target_label": r[1], "from_role": r[2], "to_role": r[3], "created_at": r[4]}
+        for r in rows
+    ]
+
+
+def delete_user(actor_id: int, target_id: int) -> bool:
+    """Delete a user account. Blocks deleting superadmin and self."""
+    if not target_id or (actor_id and actor_id == target_id):
+        return False
+    conn = _get_conn()
+    try:
+        row = conn.execute("SELECT role FROM users WHERE id = ?", (target_id,)).fetchone()
+        if not row:
+            return False
+        if (row[0] or "user").lower() == "superadmin":
+            return False
+        conn.execute("DELETE FROM users WHERE id = ?", (target_id,))
+        conn.commit()
+        return True
+    finally:
+        conn.close()
+
+def clear_role_audit(before_iso: Optional[str] = None) -> int:
+    """
+    Delete audit rows. If before_iso is provided (ISO timestamp or 'YYYY-MM-DD'),
+    delete only rows older than that. Returns number of rows removed.
+    """
+    conn = _get_conn() 
+
+    if before_iso:
+        conn.execute(
+            "DELETE FROM role_audit WHERE datetime(created_at) < datetime(?)",
+            (before_iso,)
+        )
+    else:
+        conn.execute("DELETE FROM role_audit")
+    deleted = conn.rowcount if hasattr(conn, "rowcount") else 0
+    conn.commit()
+    return int(deleted)
+

syntaxmatrix/commentary.py

@@ -0,0 +1,328 @@
+from __future__ import annotations
+
+import os, io, re, json, base64
+from typing import Any, Dict, List, Optional
+
+from syntaxmatrix import profiles as _prof
+from syntaxmatrix.settings.model_map import GPT_MODELS_LATEST 
+from syntaxmatrix.gpt_models_latest import extract_output_text as _out, set_args
+from google.genai import types
+
+
+# Axes/labels/legend (read-only; no plotting changes)
+MPL_PROBE_SNIPPET = r"""
+    import json
+    import matplotlib.pyplot as plt
+
+    out=[]
+    for num in plt.get_fignums():
+        fig = plt.figure(num)
+        for ax in fig.get_axes():
+            info = {
+                "title": (ax.get_title() or "").strip(),
+                "x_label": (ax.get_xlabel() or "").strip(),
+                "y_label": (ax.get_ylabel() or "").strip(),
+                "legend": []
+            }
+            try:
+                leg = ax.get_legend()
+                if leg:
+                    info["legend"] = [t.get_text().strip() for t in leg.get_texts() if t.get_text().strip()]
+            except Exception:
+                pass
+            out.append(info)
+    print("SMX_VIS_SUMMARY::" + json.dumps(out))
+"""
+
+# 2) Figure images to base64 (tight bbox, high DPI)
+MPL_IMAGE_PROBE_SNIPPET = r"""
+    import json, io, base64
+    import matplotlib.pyplot as plt
+
+    payload=[]
+    for num in plt.get_fignums():
+        fig = plt.figure(num)
+        axes=[]
+        for ax in fig.get_axes():
+            info={"title": (ax.get_title() or "").strip(),
+                "x_label": (ax.get_xlabel() or "").strip(),
+                "y_label": (ax.get_ylabel() or "").strip(),
+                "legend": []}
+            try:
+                leg = ax.get_legend()
+                if leg:
+                    info["legend"] = [t.get_text().strip() for t in leg.get_texts() if t.get_text().strip()]
+            except Exception:
+                pass
+            axes.append(info)
+
+        b64 = ""
+        try:
+            buf = io.BytesIO()
+            fig.savefig(buf, format="png", dpi=192, bbox_inches="tight", facecolor="white")
+            buf.seek(0)
+            b64 = base64.b64encode(buf.read()).decode("ascii")
+        except Exception:
+            b64 = ""
+        payload.append({"png_b64": b64, "axes": axes})
+    print("SMX_FIGS_B64::" + json.dumps(payload))
+"""
+
+
+def _json(obj: Any) -> str:
+    return json.dumps(obj, ensure_ascii=False, separators=(",", ":"), indent=2)
+
+
+def parse_mpl_probe_output(text_blocks: List[str]) -> List[Dict[str, Any]]:
+    joined = "\n".join(text_blocks)
+    m = re.search(r"SMX_VIS_SUMMARY::(\[.*\]|\{.*\})", joined, re.DOTALL)
+    if not m:
+        return []
+    try:
+        data = json.loads(m.group(1))
+        return data if isinstance(data, list) else []
+    except Exception:
+        return []
+    
+def parse_image_probe_output(text_blocks: List[str]) -> List[Dict[str, Any]]:
+    joined = "\n".join(text_blocks)
+    m = re.search(r"SMX_FIGS_B64::(\[.*\])", joined, re.DOTALL)
+    if not m:
+        return []
+    try:
+        data = json.loads(m.group(1))
+        return data if isinstance(data, list) else []
+    except Exception:
+        return []
+
+# 3) Table headers (from already-rendered HTML) — optional but helps context
+def _strip_tags(s: str) -> str:
+    return re.sub(r"<[^>]+>", " ", s).strip()
+
+def sniff_tables_from_html(html: str) -> List[Dict[str, Any]]:
+    tables=[]
+    for tbl in re.findall(r"<table[^>]*class=[\"'][^\"']*smx-table[^\"']*[\"'][^>]*>(.*?)</table>",
+                          html, re.DOTALL|re.IGNORECASE):
+        ths = re.findall(r"<th[^>]*>(.*?)</th>", tbl, re.DOTALL|re.IGNORECASE)
+        headers = [_strip_tags(h) for h in ths][:50]
+        trs = re.findall(r"<tr[^>]*>", tbl, re.IGNORECASE)
+        tables.append({
+            "columns": headers,
+            "columns_count": len(headers),
+            "rows_approx": max(0, len(trs)-1)
+        })
+    return tables
+
+
+def build_display_summary(question: str,
+                          mpl_axes: List[Dict[str, Any]],
+                          html_blocks: List[str]) -> Dict[str, Any]:
+    html_joined = "\n".join(str(b) for b in html_blocks)
+    tables = sniff_tables_from_html(html_joined)
+
+    axes_clean=[]
+    for ax in mpl_axes:
+        axes_clean.append({
+            "title": ax.get("title",""),
+            "x_label": ax.get("x_label",""),
+            "y_label": ax.get("y_label",""),
+            "legend": ax.get("legend", []),
+        })
+
+    return {
+        "question": (question or "").strip(),
+        "axes": axes_clean,
+        "tables": tables
+    }
+
+def _context_strings(context: Dict[str, Any]) -> List[str]:
+    s = [context.get("question","")]
+    for ax in context.get("axes", []) or []:
+        s += [ax.get("title",""), ax.get("x_label",""), ax.get("y_label","")]
+        s += (ax.get("legend", []) or [])
+    for t in context.get("tables", []) or []:
+        s += (t.get("columns", []) or [])
+    # de-dup
+    seen=set(); out=[]
+    for it in s:
+        it=(it or "").strip()
+        if not it: continue
+        k=it.lower()
+        if k in seen: continue
+        seen.add(k); out.append(it)
+    return out
+
+
+def phrase_commentary_vision(context: Dict[str, Any], images_b64: List[str]) -> str:
+    """
+    Use the project's 'vision2text' profile (profiles.py). If the provider supports images,
+    send figures + text; otherwise fall back to a text-only prompt grounded by labels.
+    """
+    
+    _SYSTEM_VISION = (
+        "You are a data analyst. Write a detailed analysis that explains what the "
+        "already-rendered visuals mean for the user's question. "
+        "You use information visible in the attached figures and the provided context strings (texs, field names, labels). "
+        "You interprete the output without preamble."
+    )
+
+    _USER_TMPL_VISION = """
+    question:
+    {q}
+
+    Visible context strings (titles, axes, legends, headers):
+    {ctx}
+
+    Write a comprehensive conclusion (~250-350 words) as follows:
+    - <b>Headline</b> 
+      2-3 sentence answering the question from an overview of all the output.
+    - <b>Evidence</b> 
+      8-10 bullets referencing the (output-texts/tables/panels/axes/legend groups) seen in the output. 
+      As you reference the visuals, you should interprete them in a way to show how they answer the question.
+    - <b>Limitations</b> 
+      1 bullet; avoid quoting numbers unless present in context.
+    - <b>Next step</b> 
+      1 bullet.
+    """
+
+    visible = _context_strings(context)
+    user = _USER_TMPL_VISION.format(
+        q=context.get("question",""),
+        ctx=json.dumps(visible, ensure_ascii=False, indent=2)
+    )
+     
+    prof = _prof.get_profile("vision2text") or _prof.get_profile("admin")
+    if not prof:    
+        return (
+            "<div class='smx-alert smx-alert-warn'>"
+                "No LLM profile is configured for Image2Text. Please, do that in the Admin panel or contact your Administrator."
+            "</div>"
+        )
+    
+    prof['client'] = _prof.get_client(prof)
+    _client = prof["client"]
+    _provider = prof["provider"].lower()
+    _model = prof["model"]
+
+    try:
+        #1 Google
+        if _provider == "google":
+            try:
+                input_contents = []
+                
+                # Add text part first
+                text_part = {"text": user}
+                input_contents.append(text_part)
+                
+                # Add image parts
+                for b64 in images_b64:
+                    if b64:
+                        image_part = {
+                            "inline_data": {
+                                "mime_type": "image/png",
+                                "data": b64
+                            }
+                        }
+                        input_contents.append(image_part)
+                
+                response = _client.models.generate_content(
+                    model=_model,
+                    contents=input_contents,
+                    config=types.GenerateContentConfig(
+                        system_instruction=_SYSTEM_VISION,
+                        temperature=0.7,
+                        max_output_tokens=1024,
+                    ),
+                )
+                txt = response.text.strip()
+                return txt.strip()
+            except Exception:
+                pass
+            
+        #2 Openai
+        elif _provider == "openai" and _model in GPT_MODELS_LATEST:
+            try:
+                input_contents = []
+
+                text_part = {"type": "input_text", "text": user}
+                input_contents.append(text_part)
+                for b64 in images_b64:
+                    if b64:
+                        image_part = {
+                            "type": "input_image", 
+                            "image_url": f"data:image/png;base64,{b64}"
+                        }
+                        input_contents.append(image_part)
+
+                args = set_args(
+                    model=_model,
+                    instructions=_SYSTEM_VISION,
+                    input=[{"role": "user", "content": input_contents}],
+                    previous_id=None,
+                    store=False,
+                    reasoning_effort="low",
+                    verbosity="medium",
+                )
+                resp = _client.responses.create(**args)
+                txt = _out(resp) or ""
+                if txt.strip():
+                    return txt.strip()
+            except Exception:
+                pass 
+                    
+        # Anthropic
+        elif _provider == "anthropic":
+            try:
+                input_contents = []
+
+                text_part = {"type":"text","text": user}
+                input_contents.append(text_part)
+
+                for b64 in images_b64:
+                    if b64:
+                        image_part = {
+                            "type":"image_url",
+                            "image_url":{"url": f"data:image/png;base64,{b64}"}
+                        }
+                        input_contents.append(image_part)       
+
+                response = _client.messages.create(
+                    model=_model,
+                    max_tokens=1024,
+                    system=_SYSTEM_VISION,
+                    messages=[{"role": "user", "content":input_contents}],
+                    stream=False,
+                )
+                return response.content[0].text.strip()   
+            except Exception:
+                pass 
+        
+        # OpenAI SDK
+        else: 
+            try:
+                input_contents = [{"type":"text","text": user}]
+                for b64 in images_b64:
+                    if b64:
+                        input_contents.append({"type":"image_url","image_url":{"url": f"data:image/png;base64,{b64}"}})
+                resp = _client.chat.completions.create(
+                    model=_model,
+                    temperature=1,
+                    messages=[
+                        {"role":"system","content":_SYSTEM_VISION},
+                        {"role":"user","content":input_contents},
+                    ],
+                    max_tokens=1024,
+                )
+                return (resp.choices[0].message.content or "").strip()
+            except Exception:
+                pass
+    except Exception:
+        return "Insufficient context to comment usefully."
+
+def wrap_html(card_text: str) -> str:
+    return f"""
+        <div class="smx-commentary-card" style="margin-top:1rem;padding:1rem;border:1px solid #e5e7eb;border-radius:0.75rem;background:#fafafa">
+        <div style="font-weight:600;margin-bottom:0.5rem;">smxAI Feedback</div>
+        <div class="prose" style="white-space:pre-wrap;line-height:1.45">{card_text}</div>
+        </div>
+    """.strip()