feat: improve system status graph and add developer role (#1664)

Author: yottahmd

api/v1/api.gen.go

@@ -659,7 +659,7 @@ paths:
   /workers:
     get:
       summary: "List distributed workers"
-      description: "Retrieves information about distributed workers connected to the coordinator"
+      description: "Retrieves information about distributed workers connected to the coordinator. Developer, manager, or admin only."
       operationId: "getWorkers"
       tags:
         - "system"
@@ -2807,7 +2807,7 @@ paths:
   /services/resources/history:
     get:
       summary: "Get resource usage history"
-      description: "Returns historical data for system resources"
+      description: "Returns historical data for system resources. Developer, manager, or admin only."
       operationId: "getResourceHistory"
       tags:
         - "system"
@@ -2837,7 +2837,7 @@ paths:
   /services/scheduler:
     get:
       summary: "Get scheduler service status"
-      description: "Returns status information about all registered scheduler instances"
+      description: "Returns status information about all registered scheduler instances. Developer, manager, or admin only."
       operationId: "getSchedulerStatus"
       tags:
         - "system"
@@ -2860,7 +2860,7 @@ paths:
   /services/coordinator:
     get:
       summary: "Get coordinator service status"
-      description: "Returns status information about all registered coordinator instances"
+      description: "Returns status information about all registered coordinator instances. Developer, manager, or admin only."
       operationId: "getCoordinatorStatus"
       tags:
         - "system"
@@ -2883,7 +2883,7 @@ paths:
   /services/tunnel:
     get:
       summary: "Get tunnel service status"
-      description: "Returns status information about the tunnel service (Tailscale)"
+      description: "Returns status information about the tunnel service (Tailscale). Developer, manager, or admin only."
       operationId: "getTunnelStatus"
       tags:
         - "system"
@@ -3031,7 +3031,7 @@ paths:
   /webhooks:
     get:
       summary: "List all webhooks"
-      description: "Returns a list of all webhooks across all DAGs. Admin only."
+      description: "Returns a list of all webhooks across all DAGs. Developer, manager, or admin only."
       operationId: "listWebhooks"
       tags:
         - "webhooks"
@@ -3086,6 +3086,7 @@ paths:
       description: |
         Creates a new webhook for the specified DAG. Returns the full webhook token,
         which is only shown once. Store it securely.
+        Developer, manager, or admin only.
       operationId: "createDAGWebhook"
       tags:
         - "webhooks"
@@ -3114,7 +3115,7 @@ paths:
 
     delete:
       summary: "Delete webhook for DAG"
-      description: "Removes the webhook configuration for the specified DAG."
+      description: "Removes the webhook configuration for the specified DAG. Developer, manager, or admin only."
       operationId: "deleteDAGWebhook"
       tags:
         - "webhooks"
@@ -3143,6 +3144,7 @@ paths:
       description: |
         Generates a new token for the existing webhook. The old token becomes
         invalid immediately. Returns the new token, which is only shown once.
+        Developer, manager, or admin only.
       operationId: "regenerateDAGWebhookToken"
       tags:
         - "webhooks"
@@ -3172,7 +3174,7 @@ paths:
   /dags/{fileName}/webhook/toggle:
     post:
       summary: "Toggle webhook enabled state"
-      description: "Enables or disables the webhook without changing the token."
+      description: "Enables or disables the webhook without changing the token. Developer, manager, or admin only."
       operationId: "toggleDAGWebhook"
       tags:
         - "webhooks"
@@ -3208,7 +3210,7 @@ paths:
   /audit:
     get:
       summary: "List audit log entries"
-      description: "Returns audit log entries matching the filter criteria. Admin only."
+      description: "Returns audit log entries matching the filter criteria. Manager or admin only."
       operationId: "listAuditLogs"
       tags:
         - "audit"
@@ -3271,7 +3273,7 @@ paths:
               schema:
                 $ref: "#/components/schemas/Error"
         "403":
-          description: "Forbidden - requires admin role"
+          description: "Forbidden - requires manager or admin role"
           content:
             application/json:
               schema:
@@ -5893,6 +5895,22 @@ components:
           type: array
           items:
             $ref: "#/components/schemas/MetricPoint"
+        memoryTotalBytes:
+          type: integer
+          format: int64
+          description: Total physical memory in bytes
+        memoryUsedBytes:
+          type: integer
+          format: int64
+          description: Used physical memory in bytes
+        diskTotalBytes:
+          type: integer
+          format: int64
+          description: Total disk space in bytes
+        diskUsedBytes:
+          type: integer
+          format: int64
+          description: Used disk space in bytes
 
     MetricPoint:
       type: object
@@ -5910,10 +5928,11 @@ components:
 
     UserRole:
       type: string
-      description: "User role determining access permissions. admin: full access including user management, manager: DAG CRUD and execution, operator: DAG execution only, viewer: read-only"
+      description: "User role determining access permissions. admin: full access including user management, manager: DAG CRUD and execution with audit log access, developer: DAG CRUD and execution, operator: DAG execution only, viewer: read-only"
       enum:
         - admin
         - manager
+        - developer
         - operator
         - viewer
 

api/v1/api.yaml

@@ -38,6 +38,7 @@ const maxRequestBodySize = 1 << 20
 // defaultUserID is used when no user is authenticated (e.g., auth disabled).
 // This value should match the system's expected default user identifier.
 const defaultUserID = "admin"
+const defaultUserRole = auth.RoleAdmin
 
 // getUserIDFromContext extracts the user ID from the request context.
 // Returns "admin" if no user is authenticated (e.g., auth mode is "none").
@@ -49,11 +50,13 @@ func getUserIDFromContext(ctx context.Context) string {
 }
 
 // getUserContextFromRequest extracts user identity and IP from the request context.
-func getUserContextFromRequest(r *http.Request) (userID, username, ipAddress string) {
+func getUserContextFromRequest(r *http.Request) (userID, username string, role auth.Role, ipAddress string) {
 	userID, username = defaultUserID, defaultUserID
+	role = defaultUserRole
 	if user, ok := auth.UserFromContext(r.Context()); ok && user != nil {
 		userID = user.ID
 		username = user.Username
+		role = user.Role
 	}
 	ipAddress, _ = auth.ClientIPFromContext(r.Context())
 	return
@@ -331,7 +334,7 @@ func (a *API) handleNewSession(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	userID, username, ipAddress := getUserContextFromRequest(r)
+	userID, username, role, ipAddress := getUserContextFromRequest(r)
 	model := selectModel(req.Model, "", a.getDefaultModelID(r.Context()))
 
 	provider, modelCfg, err := a.resolveProvider(r.Context(), model)
@@ -362,6 +365,7 @@ func (a *API) handleNewSession(w http.ResponseWriter, r *http.Request) {
 		Hooks:           a.hooks,
 		Username:        username,
 		IPAddress:       ipAddress,
+		Role:            role,
 		InputCostPer1M:  modelCfg.InputCostPer1M,
 		OutputCostPer1M: modelCfg.OutputCostPer1M,
 		MemoryStore:     a.memoryStore,
@@ -534,13 +538,14 @@ func (a *API) getStoredSession(ctx context.Context, id, userID string) (*Session
 // POST /api/v1/agent/sessions/{id}/chat
 func (a *API) handleChat(w http.ResponseWriter, r *http.Request) {
 	id := chi.URLParam(r, "id")
-	userID, username, ipAddress := getUserContextFromRequest(r)
+	userID, username, role, ipAddress := getUserContextFromRequest(r)
 
-	mgr, ok := a.getOrReactivateSession(r.Context(), id, userID, username, ipAddress)
+	mgr, ok := a.getOrReactivateSession(r.Context(), id, userID, username, role, ipAddress)
 	if !ok {
 		a.respondError(w, http.StatusNotFound, api.ErrorCodeNotFound, "Session not found")
 		return
 	}
+	mgr.UpdateUserContext(username, ipAddress, role)
 
 	var req ChatRequest
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestBodySize)
@@ -577,18 +582,18 @@ func (a *API) handleChat(w http.ResponseWriter, r *http.Request) {
 }
 
 // getOrReactivateSession retrieves an active session or reactivates it from storage.
-func (a *API) getOrReactivateSession(ctx context.Context, id, userID, username, ipAddress string) (*SessionManager, bool) {
+func (a *API) getOrReactivateSession(ctx context.Context, id, userID, username string, role auth.Role, ipAddress string) (*SessionManager, bool) {
 	// Check active sessions first
 	if mgr, ok := a.getActiveSession(id, userID); ok {
 		return mgr, true
 	}
 
 	// Try to reactivate from store
-	return a.reactivateSession(ctx, id, userID, username, ipAddress)
+	return a.reactivateSession(ctx, id, userID, username, role, ipAddress)
 }
 
 // reactivateSession restores a session from storage and makes it active.
-func (a *API) reactivateSession(ctx context.Context, id, userID, username, ipAddress string) (*SessionManager, bool) {
+func (a *API) reactivateSession(ctx context.Context, id, userID, username string, role auth.Role, ipAddress string) (*SessionManager, bool) {
 	if a.store == nil {
 		return nil, false
 	}
@@ -624,6 +629,7 @@ func (a *API) reactivateSession(ctx context.Context, id, userID, username, ipAdd
 		IPAddress:   ipAddress,
 		MemoryStore: a.memoryStore,
 		DAGName:     sess.DAGName,
+		Role:        role,
 	})
 	a.sessions.Store(id, mgr)
 

internal/agent/api.go

@@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/dagu-org/dagu/internal/auth"
 	"github.com/dagu-org/dagu/internal/llm"
 	"github.com/google/uuid"
 )
@@ -141,6 +142,9 @@ func bashRun(toolCtx ToolContext, input json.RawMessage) ToolOut {
 	if args.Command == "" {
 		return toolError("Command is required")
 	}
+	if toolCtx.Role != auth.Role("") && !toolCtx.Role.CanExecute() {
+		return toolError("Permission denied: bash requires execute permission")
+	}
 
 	if toolCtx.SafeMode && commandRequiresApproval(args.Command) {
 		approved, err := requestApproval(toolCtx, args.Command)

internal/agent/bash.go

@@ -7,6 +7,7 @@ import (
 	"testing"
 	"time"
 
+	"github.com/dagu-org/dagu/internal/auth"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -120,6 +121,21 @@ func TestBashTool_Run(t *testing.T) {
 		assert.False(t, result.IsError)
 		assert.Contains(t, result.Content, "test")
 	})
+
+	t.Run("rejects role without execute permission", func(t *testing.T) {
+		t.Parallel()
+
+		tool := NewBashTool()
+		input := json.RawMessage(`{"command": "echo test"}`)
+
+		result := tool.Run(ToolContext{
+			Context: context.Background(),
+			Role:    auth.RoleViewer,
+		}, input)
+
+		assert.True(t, result.IsError)
+		assert.Contains(t, result.Content, "requires execute permission")
+	})
 }
 
 func TestBashTool_Timeout(t *testing.T) {

internal/agent/bash_test.go

@@ -3,6 +3,8 @@ package agent
 import (
 	"context"
 	"encoding/json"
+
+	"github.com/dagu-org/dagu/internal/auth"
 )
 
 // ToolExecInfo provides context about a tool execution for hooks.
@@ -13,6 +15,7 @@ type ToolExecInfo struct {
 	UserID    string
 	Username  string
 	IPAddress string
+	Role      auth.Role
 	Audit     *AuditInfo // from AgentTool.Audit; nil = not audited
 }
 

internal/agent/hooks.go

@@ -7,6 +7,7 @@ import (
 	"sync"
 	"testing"
 
+	"github.com/dagu-org/dagu/internal/auth"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
@@ -33,6 +34,7 @@ func TestHooks_AfterToolExec(t *testing.T) {
 		UserID:    "user-1",
 		Username:  "alice",
 		IPAddress: "10.0.0.1",
+		Role:      auth.RoleDeveloper,
 	}
 	result := ToolOut{Content: "file.txt", IsError: false}
 
@@ -43,6 +45,7 @@ func TestHooks_AfterToolExec(t *testing.T) {
 	assert.Equal(t, "user-1", captured.info.UserID)
 	assert.Equal(t, "alice", captured.info.Username)
 	assert.Equal(t, "10.0.0.1", captured.info.IPAddress)
+	assert.Equal(t, auth.RoleDeveloper, captured.info.Role)
 	assert.Equal(t, "file.txt", captured.result.Content)
 	assert.False(t, captured.result.IsError)
 }