refactor: apply minor improvements

Author: yottahmd

internal/agent/bash.go

@@ -11,7 +11,6 @@ import (
 	"strings"
 	"time"
 
-	"github.com/dagu-org/dagu/internal/auth"
 	"github.com/dagu-org/dagu/internal/llm"
 	"github.com/google/uuid"
 )
@@ -142,7 +141,7 @@ func bashRun(toolCtx ToolContext, input json.RawMessage) ToolOut {
 	if args.Command == "" {
 		return toolError("Command is required")
 	}
-	if toolCtx.Role != auth.Role("") && !toolCtx.Role.CanExecute() {
+	if toolCtx.Role.IsSet() && !toolCtx.Role.CanExecute() {
 		return toolError("Permission denied: bash requires execute permission")
 	}
 

internal/agent/navigate.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/dagu-org/dagu/internal/auth"
 	"github.com/dagu-org/dagu/internal/llm"
 )
 
@@ -63,7 +62,7 @@ func navigateRun(ctx ToolContext, input json.RawMessage) ToolOut {
 	if args.Path == "" {
 		return toolError("Path is required")
 	}
-	if isAdminOnlyPath(args.Path) && ctx.Role != auth.Role("") && !ctx.Role.IsAdmin() {
+	if isAdminOnlyPath(args.Path) && ctx.Role.IsSet() && !ctx.Role.IsAdmin() {
 		return toolError("Permission denied: navigation to %s requires admin role", args.Path)
 	}
 

internal/agent/patch.go

@@ -9,7 +9,6 @@ import (
 	"path/filepath"
 	"strings"
 
-	"github.com/dagu-org/dagu/internal/auth"
 	"github.com/dagu-org/dagu/internal/core"
 	"github.com/dagu-org/dagu/internal/core/spec"
 	"github.com/dagu-org/dagu/internal/llm"
@@ -87,7 +86,7 @@ func NewPatchTool(dagsDir string) *AgentTool {
 }
 
 func patchRun(ctx ToolContext, input json.RawMessage, dagsDir string) ToolOut {
-	if ctx.Role != auth.Role("") && !ctx.Role.CanWrite() {
+	if ctx.Role.IsSet() && !ctx.Role.CanWrite() {
 		return toolError("Permission denied: patch requires write permission")
 	}
 

internal/agent/system_prompt_test.go

@@ -39,6 +39,7 @@ func TestGenerateSystemPrompt(t *testing.T) {
 
 		assert.NotEmpty(t, result)
 		assert.Contains(t, result, "test-dag")
+		assert.Contains(t, result, "Authenticated role: admin")
 	})
 
 	t.Run("works with empty environment", func(t *testing.T) {
@@ -47,6 +48,7 @@ func TestGenerateSystemPrompt(t *testing.T) {
 		result := GenerateSystemPrompt(EnvironmentInfo{}, nil, MemoryContent{}, auth.RoleViewer)
 
 		assert.NotEmpty(t, result)
+		assert.Contains(t, result, "Authenticated role: viewer")
 	})
 
 	t.Run("no memory omits memory section", func(t *testing.T) {

internal/auth/role.go

@@ -24,6 +24,8 @@ const (
 	RoleOperator Role = "operator"
 	// RoleViewer can only view DAGs and execution history (read-only).
 	RoleViewer Role = "viewer"
+	// RoleNone represents an unset or unauthenticated role.
+	RoleNone Role = ""
 )
 
 // allRoles contains all valid roles for iteration and validation.
@@ -41,6 +43,8 @@ func (r Role) Valid() bool {
 	switch r {
 	case RoleAdmin, RoleManager, RoleDeveloper, RoleOperator, RoleViewer:
 		return true
+	case RoleNone:
+		return false
 	}
 	return false
 }
@@ -50,6 +54,11 @@ func (r Role) String() string {
 	return string(r)
 }
 
+// IsSet returns true if the role has been assigned (is not empty).
+func (r Role) IsSet() bool {
+	return r != RoleNone
+}
+
 // CanWrite returns true if the role can create, edit, or delete DAGs.
 func (r Role) CanWrite() bool {
 	return r == RoleAdmin || r == RoleManager || r == RoleDeveloper
@@ -71,7 +80,6 @@ func (r Role) IsAdmin() bool {
 }
 
 // ParseRole converts a string to a Role.
-// ParseRole converts the input string to a Role and verifies it is one of the known roles.
 // If the input is not "admin", "manager", "developer", "operator", or "viewer", it returns an error describing the valid options.
 func ParseRole(s string) (Role, error) {
 	role := Role(s)

internal/service/frontend/api/v1/audit_permissions_test.go

@@ -3,7 +3,6 @@ package api_test
 import (
 	"net/http"
 	"testing"
-	"time"
 
 	"github.com/dagu-org/dagu/api/v1"
 	"github.com/dagu-org/dagu/internal/cmn/config"
@@ -12,54 +11,64 @@ import (
 
 func setupAuditTestServer(t *testing.T) test.Server {
 	t.Helper()
-	return test.SetupServer(t, test.WithConfigMutator(func(cfg *config.Config) {
-		cfg.Server.Auth.Mode = config.AuthModeBuiltin
-		cfg.Server.Auth.Builtin.Admin.Username = "admin"
-		cfg.Server.Auth.Builtin.Admin.Password = "adminpass"
-		cfg.Server.Auth.Builtin.Token.Secret = "jwt-secret-key"
-		cfg.Server.Auth.Builtin.Token.TTL = 24 * time.Hour
+	return setupWebhookTestServer(t, func(cfg *config.Config) {
 		cfg.Server.Audit.Enabled = true
-	}))
+	})
 }
 
 func TestAudit_RequiresManagerOrAbove(t *testing.T) {
 	t.Parallel()
 	server := setupAuditTestServer(t)
 	adminToken := getWebhookAdminToken(t, server)
 
-	server.Client().Post("/api/v1/users", api.CreateUserRequest{
-		Username: "manager-user",
-		Password: "manager1",
-		Role:     api.UserRoleManager,
-	}).WithBearerToken(adminToken).ExpectStatus(http.StatusCreated).Send(t)
+	// Create users for each role below manager.
+	for _, u := range []struct {
+		username string
+		password string
+		role     api.UserRole
+	}{
+		{"manager-user", "manager1", api.UserRoleManager},
+		{"developer-user", "developer1", api.UserRoleDeveloper},
+		{"operator-user", "operator1", api.UserRoleOperator},
+		{"viewer-user", "viewerpass1", api.UserRoleViewer},
+	} {
+		server.Client().Post("/api/v1/users", api.CreateUserRequest{
+			Username: u.username,
+			Password: u.password,
+			Role:     u.role,
+		}).WithBearerToken(adminToken).ExpectStatus(http.StatusCreated).Send(t)
+	}
 
-	server.Client().Post("/api/v1/users", api.CreateUserRequest{
-		Username: "developer-user",
-		Password: "developer1",
-		Role:     api.UserRoleDeveloper,
-	}).WithBearerToken(adminToken).ExpectStatus(http.StatusCreated).Send(t)
+	login := func(username, password string) string {
+		resp := server.Client().Post("/api/v1/auth/login", api.LoginRequest{
+			Username: username,
+			Password: password,
+		}).ExpectStatus(http.StatusOK).Send(t)
+		var result api.LoginResponse
+		resp.Unmarshal(t, &result)
+		return result.Token
+	}
 
-	managerResp := server.Client().Post("/api/v1/auth/login", api.LoginRequest{
-		Username: "manager-user",
-		Password: "manager1",
-	}).ExpectStatus(http.StatusOK).Send(t)
+	managerToken := login("manager-user", "manager1")
+	developerToken := login("developer-user", "developer1")
+	operatorToken := login("operator-user", "operator1")
+	viewerToken := login("viewer-user", "viewerpass1")
 
-	var managerLogin api.LoginResponse
-	managerResp.Unmarshal(t, &managerLogin)
-
-	developerResp := server.Client().Post("/api/v1/auth/login", api.LoginRequest{
-		Username: "developer-user",
-		Password: "developer1",
-	}).ExpectStatus(http.StatusOK).Send(t)
+	// Manager can access audit endpoint.
+	server.Client().Get("/api/v1/audit").
+		WithBearerToken(managerToken).
+		ExpectStatus(http.StatusOK).Send(t)
 
-	var developerLogin api.LoginResponse
-	developerResp.Unmarshal(t, &developerLogin)
+	// Developer, operator, and viewer are forbidden.
+	server.Client().Get("/api/v1/audit").
+		WithBearerToken(developerToken).
+		ExpectStatus(http.StatusForbidden).Send(t)
 
 	server.Client().Get("/api/v1/audit").
-		WithBearerToken(managerLogin.Token).
-		ExpectStatus(http.StatusOK).Send(t)
+		WithBearerToken(operatorToken).
+		ExpectStatus(http.StatusForbidden).Send(t)
 
 	server.Client().Get("/api/v1/audit").
-		WithBearerToken(developerLogin.Token).
+		WithBearerToken(viewerToken).
 		ExpectStatus(http.StatusForbidden).Send(t)
 }

internal/service/frontend/api/v1/webhooks.go

@@ -27,7 +27,7 @@ const (
 )
 
 // ListWebhooks returns all webhooks across all DAGs.
-// Requires admin role.
+// Requires developer role or above.
 func (a *API) ListWebhooks(ctx context.Context, _ api.ListWebhooksRequestObject) (api.ListWebhooksResponseObject, error) {
 	if err := a.requireWebhookManagement(ctx); err != nil {
 		return nil, err
@@ -52,7 +52,7 @@ func (a *API) ListWebhooks(ctx context.Context, _ api.ListWebhooksRequestObject)
 }
 
 // GetDAGWebhook returns the webhook configuration for a specific DAG.
-// Requires admin role.
+// Requires developer role or above.
 func (a *API) GetDAGWebhook(ctx context.Context, request api.GetDAGWebhookRequestObject) (api.GetDAGWebhookResponseObject, error) {
 	if err := a.requireWebhookManagement(ctx); err != nil {
 		return nil, err
@@ -79,7 +79,7 @@ func (a *API) GetDAGWebhook(ctx context.Context, request api.GetDAGWebhookReques
 }
 
 // CreateDAGWebhook creates a new webhook for a DAG.
-// Requires admin role.
+// Requires developer role or above.
 func (a *API) CreateDAGWebhook(ctx context.Context, request api.CreateDAGWebhookRequestObject) (api.CreateDAGWebhookResponseObject, error) {
 	if err := a.requireWebhookManagement(ctx); err != nil {
 		return nil, err
@@ -130,7 +130,7 @@ func (a *API) CreateDAGWebhook(ctx context.Context, request api.CreateDAGWebhook
 }
 
 // DeleteDAGWebhook removes the webhook for a DAG.
-// Requires admin role.
+// Requires developer role or above.
 func (a *API) DeleteDAGWebhook(ctx context.Context, request api.DeleteDAGWebhookRequestObject) (api.DeleteDAGWebhookResponseObject, error) {
 	if err := a.requireWebhookManagement(ctx); err != nil {
 		return nil, err
@@ -167,7 +167,7 @@ func (a *API) DeleteDAGWebhook(ctx context.Context, request api.DeleteDAGWebhook
 }
 
 // RegenerateDAGWebhookToken generates a new token for an existing webhook.
-// Requires admin role.
+// Requires developer role or above.
 func (a *API) RegenerateDAGWebhookToken(ctx context.Context, request api.RegenerateDAGWebhookTokenRequestObject) (api.RegenerateDAGWebhookTokenResponseObject, error) {
 	if err := a.requireWebhookManagement(ctx); err != nil {
 		return nil, err
@@ -203,7 +203,7 @@ func (a *API) RegenerateDAGWebhookToken(ctx context.Context, request api.Regener
 }
 
 // ToggleDAGWebhook enables or disables a webhook.
-// Requires admin role.
+// Requires developer role or above.
 func (a *API) ToggleDAGWebhook(ctx context.Context, request api.ToggleDAGWebhookRequestObject) (api.ToggleDAGWebhookResponseObject, error) {
 	if err := a.requireWebhookManagement(ctx); err != nil {
 		return nil, err

internal/service/frontend/api/v1/webhooks_test.go

@@ -63,14 +63,17 @@ func TestExtractWebhookToken(t *testing.T) {
 }
 
 // setupWebhookTestServer creates a test server with builtin auth enabled
-func setupWebhookTestServer(t *testing.T) test.Server {
+func setupWebhookTestServer(t *testing.T, extraMutators ...func(*config.Config)) test.Server {
 	t.Helper()
 	return test.SetupServer(t, test.WithConfigMutator(func(cfg *config.Config) {
 		cfg.Server.Auth.Mode = config.AuthModeBuiltin
 		cfg.Server.Auth.Builtin.Admin.Username = "admin"
 		cfg.Server.Auth.Builtin.Admin.Password = "adminpass"
 		cfg.Server.Auth.Builtin.Token.Secret = "jwt-secret-key"
 		cfg.Server.Auth.Builtin.Token.TTL = 24 * time.Hour
+		for _, m := range extraMutators {
+			m(cfg)
+		}
 	}))
 }
 
@@ -204,6 +207,13 @@ func TestWebhooks_RequiresDeveloperOrAbove(t *testing.T) {
 	server.Client().Get("/api/v1/webhooks").
 		WithBearerToken(developerLogin.Token).
 		ExpectStatus(http.StatusOK).Send(t)
+
+	// Developer can also create webhooks.
+	dagName := "webhook_dev_access_test"
+	createTestDAG(t, server, adminToken, dagName)
+	server.Client().Post("/api/v1/dags/"+dagName+"/webhook", nil).
+		WithBearerToken(developerLogin.Token).
+		ExpectStatus(http.StatusCreated).Send(t)
 }
 
 // TestWebhooks_CRUD tests the full CRUD lifecycle of webhooks

internal/service/frontend/api/v1/workers.go

@@ -13,10 +13,10 @@ import (
 
 // GetWorkers implements the getWorkers operation
 func (a *API) GetWorkers(ctx context.Context, _ api.GetWorkersRequestObject) (api.GetWorkersResponseObject, error) {
-	logger.Info(ctx, "GetWorkers called")
 	if err := a.requireDeveloperOrAbove(ctx); err != nil {
 		return nil, err
 	}
+	logger.Info(ctx, "GetWorkers called")
 
 	errors := []string{}
 	workers := []api.Worker{}

ui/src/features/dashboard/components/MiniResourceChart.tsx

@@ -89,7 +89,7 @@ function MiniResourceChart({
               }}
               itemStyle={{ color: 'var(--foreground)' }}
               labelStyle={{ color: 'var(--muted-foreground)' }}
-              formatter={(value: number) => [`${value.toFixed(1)}${unit}`, title]}
+              formatter={(value: number | string) => [`${Number(value).toFixed(1)}${unit}`, title]}
             />
             <Area
               type="monotone"