Add OpenSpec change proposal for provider-model cascade delete

Author: ruibaby

openspec/changes/provider-model-cascade-delete/.openspec.yaml

@@ -0,0 +1,2 @@
+schema: spec-driven
+created: 2026-05-15

openspec/changes/provider-model-cascade-delete/design.md

@@ -0,0 +1,42 @@
+## Context
+
+Currently, `ProviderConsoleEndpoint.deleteProvider()` blocks deletion if the provider has associated models. This guard only protects the console API path. When a provider is deleted via Halo Core API (e.g., by another plugin, admin CLI, or direct ExtensionClient call), the associated `AiModel` records become orphaned — their `spec.providerName` points to a provider that no longer exists.
+
+The project already uses Halo's `Watcher` pattern (`ProviderCacheInvalidationWatcher`) for reacting to Extension changes, but for this case we will use Halo's `Reconciler` framework because it provides built-in retry, rate limiting, and queue management for handling deletion events reliably.
+
+## Goals / Non-Goals
+
+**Goals:**
+- Automatically delete all `AiModel` extensions when their parent `AiProvider` is deleted
+- Remove the manual "has associated models" check from console API since cascade delete handles cleanup
+- Ensure the reconciler is registered on plugin startup
+
+**Non-Goals:**
+- UI changes (no frontend impact)
+- Cascading other relationships (e.g., if models had their own children)
+- Soft delete / trash bin behavior
+
+## Decisions
+
+**Decision: Use Reconciler over Watcher**
+- Rationale: The project already has a `Watcher` (`ProviderCacheInvalidationWatcher`), but `Reconciler` provides better reliability for destructive operations. It handles retries, exponential backoff, and worker queueing out of the box. Deleting orphaned models is exactly the kind of operation that benefits from these guarantees.
+- Alternative considered: Extending the existing `Watcher.onDelete()` to also delete models. Rejected because Watcher callbacks run synchronously inline with the delete event; if model deletion fails, there's no retry mechanism.
+
+**Decision: Use synchronous ExtensionClient in the Reconciler**
+- Rationale: Halo's `ControllerBuilder` accepts `ExtensionClient` (synchronous), not `ReactiveExtensionClient`. The reconciler runs in a background worker thread, so blocking IO is acceptable here.
+
+**Decision: Use Halo's Finalizer pattern for deletion detection**
+- Rationale: Halo Reconcilers detect deletion via `ExtensionUtil.isDeleted()` (checks `deletionTimestamp != null`), not by empty fetch. When a delete request is issued, Halo sets `deletionTimestamp` and invokes the reconciler. The reconciler then performs cleanup, removes the finalizer, and calls `client.update()`. Only after the finalizer is removed does Halo actually delete the Extension from storage. This ensures cleanup always completes before the object disappears.
+- Pattern observed in Halo core: `CategoryReconciler`, `AttachmentReconciler`, `TagReconciler`, etc. all use `addFinalizers` on normal reconcile and `removeFinalizers` + cleanup inside `if (isDeleted(...))`.
+
+## Risks / Trade-offs
+
+- [Risk] Race condition: A model is created for a provider that is being deleted at the same time → Mitigation: Finalizer pattern prevents this — the provider cannot be fully deleted until the finalizer is removed, which only happens after all associated models are deleted.
+- [Risk] Large number of models associated with a single provider causes slow deletion → Mitigation: The `listAll` query with field selector is efficient (uses Halo's indexed query engine). If a provider has thousands of models, deletion may take seconds but runs in a background thread.
+
+## Migration Plan
+
+1. Implement `AiProviderReconciler`
+2. Remove model guard from `ProviderConsoleEndpoint.deleteProvider()`
+3. Register reconciler in `AiFoundationPlugin` or as a `@Component`
+4. Deploy and test by creating a provider + models, then deleting the provider via Core API

openspec/changes/provider-model-cascade-delete/proposal.md

@@ -0,0 +1,24 @@
+## Why
+
+`ProviderConsoleEndpoint.deleteProvider()` checks for associated models and blocks deletion, but this protection only applies to the console API. When a provider is deleted directly through Halo's Core API (e.g., via `kubectl delete` or another plugin), orphaned `AiModel` records remain with `spec.providerName` pointing to a non-existent provider. This was identified as issue #17 in the code review.
+
+## What Changes
+
+- Add `AiProviderReconciler` using Halo's `Reconciler` framework to listen for `AiProvider` deletion events
+- On detecting an `AiProvider` deletion (fetch returns empty), query and delete all `AiModel` extensions whose `spec.providerName` matches the deleted provider
+- Remove the "has associated models" guard from `ProviderConsoleEndpoint.deleteProvider()` since cascade delete now handles cleanup automatically
+- Register the reconciler via `ControllerBuilder` on plugin startup
+
+## Capabilities
+
+### New Capabilities
+- `provider-model-cascade-delete`: Automatic deletion of associated AI models when their parent provider is removed
+
+### Modified Capabilities
+- `console-model-management`: Provider deletion no longer blocks when models exist; instead, cascade delete handles cleanup
+
+## Impact
+
+- `app/src/main/java/run/halo/aifoundation/provider/AiProviderReconciler.java` (new)
+- `app/src/main/java/run/halo/aifoundation/endpoint/ProviderConsoleEndpoint.java` (remove model guard)
+- `app/src/main/java/run/halo/aifoundation/AiFoundationPlugin.java` (register reconciler if needed)

openspec/changes/provider-model-cascade-delete/specs/console-model-management/spec.md

@@ -0,0 +1,21 @@
+## MODIFIED Requirements
+
+### Requirement: Delete provider
+
+The Console UI SHALL allow admins to delete an `AiProvider` Extension.
+
+#### Scenario: Delete provider
+- **WHEN** an admin clicks delete on a provider
+- **AND** confirms the deletion in a warning dialog
+- **THEN** the system SHALL call DELETE on the Console API (`/apis/console.api.aifoundation.halo.run/v1alpha1/providers/{name}`)
+- **AND** the backend SHALL allow deletion even if the provider has associated `AiModel` entries
+- **AND** the associated models SHALL be automatically deleted by the cascade delete reconciler
+- **AND** the provider SHALL disappear from the list
+
+## REMOVED Requirements
+
+### Requirement: Block deleting provider with models
+
+**Reason**: Cascade delete via `AiProviderReconciler` now automatically cleans up associated models. Blocking deletion at the console API layer is redundant and creates a poor user experience.
+
+**Migration**: Deleting a provider via console API will now succeed immediately; associated models will be cleaned up asynchronously by the reconciler.

openspec/changes/provider-model-cascade-delete/specs/provider-model-cascade-delete/spec.md

@@ -0,0 +1,29 @@
+## ADDED Requirements
+
+### Requirement: Reconciler detects deleted provider
+
+The system SHALL use a `Reconciler` to monitor `AiProvider` Extensions and detect when they are deleted.
+
+#### Scenario: Provider deletion triggers reconcile
+- **WHEN** an `AiProvider` Extension is deleted via any API path (console or core)
+- **THEN** the `AiProviderReconciler` SHALL receive a reconcile request for that provider name
+
+### Requirement: Cascade delete associated models
+
+When a provider deletion is detected, the system SHALL delete all `AiModel` Extensions whose `spec.providerName` matches the deleted provider.
+
+#### Scenario: Models are cleaned up after provider deletion
+- **WHEN** the reconciler detects that an `AiProvider` no longer exists
+- **THEN** it SHALL query all `AiModel` entries with `spec.providerName` equal to the deleted provider's name
+- **AND** it SHALL delete each associated `AiModel`
+- **AND** the deletion SHALL complete without manual intervention
+
+#### Scenario: No models exist for deleted provider
+- **WHEN** the reconciler detects a deleted provider
+- **AND** no `AiModel` entries reference that provider
+- **THEN** the reconciler SHALL complete successfully with no action taken
+
+#### Scenario: Model deletion failure triggers retry
+- **WHEN** the reconciler attempts to delete an associated model
+- **AND** the deletion fails (e.g., due to a transient database error)
+- **THEN** the reconciler SHALL requeue the request with a retry delay

openspec/changes/provider-model-cascade-delete/tasks.md

@@ -0,0 +1,24 @@
+## 1. Reconciler Implementation
+
+- [x] 1.1 Create `AiProviderReconciler` implementing `Reconciler<Reconciler.Request>`
+- [x] 1.2 Implement `reconcile()` using Finalizer pattern:
+  - On normal state: `addFinalizers()` to register the finalizer
+  - On `ExtensionUtil.isDeleted()`: query associated `AiModel`s, delete them, then `removeFinalizers()`
+- [x] 1.3 Implement `setupWith()` to register with `ControllerBuilder` for `AiProvider` extension
+- [x] 1.4 Add constructor injection for `ExtensionClient` (synchronous)
+
+## 2. Console API Update
+
+- [x] 2.1 Remove "has associated models" guard from `ProviderConsoleEndpoint.deleteProvider()`
+- [x] 2.2 Simplify `deleteProvider()` to directly delete the provider without pre-check
+
+## 3. Registration
+
+- [x] 3.1 Ensure `AiProviderReconciler` is registered as a `@Component` so Spring picks it up
+- [x] 3.2 Halo's `DefaultControllerManager` auto-discovers Reconciler beans and calls `setupWith()` — no manual registration needed
+
+## 4. Verification
+
+- [x] 4.1 Run `./gradlew compileJava` to verify backend compiles
+- [x] 4.2 Run `./gradlew build` to verify full build and tests pass
+- [x] 4.3 Add unit test for `AiProviderReconciler` covering: provider deletion triggers model cleanup, no models = no-op, fetch still exists = no action