Invite links gql

[GregorShear]

• Add internal.invite_links table to replace the directives-based invite flow with a simplified model
• Implement GraphQL query and mutations (inviteLinks, createInviteLink, redeemInviteLink, deleteInviteLink)
• Single-use links are deleted upon redemption; multi-use links persist
• Include transitional dual-write triggers that sync between public.directives and internal.invite_links, plus a backfill of existing unredeemed grant directives — to be removed after the UI adopts the new GraphQL API

mutation Create {
  createInviteLink(
    catalogPrefix: "acmeCo/"
    capability: admin
    singleUse: true
  ) {
    token
    catalogPrefix
    capability
    singleUse
    detail
    createdAt
  }
}

mutation Redeem {
  redeemInviteLink(token: "a1b2c3d4-e5f6-7890-abcd-ef1234567890") {
    catalogPrefix
    capability
  }
}

mutation Delete {
  deleteInviteLink(token: "a1b2c3d4-e5f6-7890-abcd-ef1234567890")
}

query {
  inviteLinks(
    catalogPrefix: "acmeCo/"
    filter: { singleUse: { eq: false } }
  ) {
    edges {
      cursor
      node {
        token
        capability
        singleUse
      }
    }
  }
}

Test plan

• Snapshot tests for create, redeem, unauthorized create, bad token, and exhausted single-use redemption
• Manual test of transitional triggers: create a directive via PostgREST and confirm it appears in internal.invite_links
• Verify backfill picks up existing unredeemed grant directives

[GregorShear]

Wanting to start a parallel discussion here about standardizing optional filters that could eventually be exposed in the UI. Bool is the simplest example, here are a couple others that would follow the pattern:

#[derive(Debug, Clone, Default, async_graphql::InputObject)]
pub struct StringFilter {
    pub eq: Option<String>,
    pub ne: Option<String>,
    pub starts_with: Option<String>,
    pub contains: Option<String>,
}

#[derive(Debug, Clone, Default, async_graphql::InputObject)]
pub struct IntFilter {
    pub eq: Option<i64>,
    pub ne: Option<i64>,
    pub gt: Option<i64>,
    pub gte: Option<i64>,
    pub lt: Option<i64>,
    pub lte: Option<i64>,
}

[jshearer]

Like I was talking about below, unless we're applying these filters over a homogenous-enough surface area (i.e, it's not actually clear to me that the UI should be the same datagrid/table sort of thing for captures, collections, materializations, storage mappings, data planes, tenant members, etc), then I'd actually vote for keeping it specific to each resolver. Thoughts?

Or maybe keep these StringFilter/IntFilter reusable chunks, but only implement them as needed in the resolvers where they make sense?

[GregorShear]

i think this is the right compromise - having a standardized pattern can only help, and how far we take the implementation depends on what's needed vs how painful it gets as it grows

[psFried]

I can definitely see the benefit of having consistent terminology for different predicates. Though a problem I foresee with the approach is that not all resolvers will be able to support all predicates. For example, for some we might only support eq, and others maybe only startsWith. I mostly just wouldn't want to have our graphql schema suggest that you could use a contains filter on liveSpecs names, for example, when we don't want to support such queries in the database.

I'm a little on the fence about liveSpecs(by: { prefix: "acmeCo/" }) vs liveSpecs(by: { catalogName: { startsWith: "acmeCo/" } }). I do kinda like the latter, though IDK whether I'd like it better enough to justify migrating existing resolvers or living with two different conventions. Maybe it'd help to understand what the migration process would look like? If we wanted to have some limited backward compatibility during a transition period, would that be pretty easy?

[GregorShear]

migration would be easy - we can deprecate the current param and add it to the filter section ... decide later when we think it's safe to remove the deprecated one.

[GregorShear]

this replaces the directives.uses_remaining field
(and we'll delete consumed invites, instead of setting uses_remaining = 0)

[jshearer]

test comment please ignore

[GregorShear]

related to the optional filters, i'd like these resolvers to do their own check of which prefixes the user can see, and then this catalog_prefix can be an optional filter to narrow the results further.

would love to talk this through w/ phil & joseph

[GregorShear]

The other thing i like about this is that we can define the operators and standardize the prefix filters that phil and i were chatting about a few weeks ago (prefix vs prefixedBy vs exactPrefixes` etc...)

#[derive(Debug, Clone, Default, async_graphql::InputObject)]
pub struct PrefixFilter {
    pub eq: Option<models::Prefix>,
    pub starts_with: Option<models::Prefix>,
}

so an example gql query might look like

query links {
  inviteLinks(filter:  {
     singleUse:  {
        eq: true
     }
     catalogPrefix: {
        startsWith: "gregCo"
     }
  }) {
    ...
  }
}

[jshearer]

Yeah... I both do and don't like this. Back when I wrote a very similar generalized graphql resolver filter for Narwhal's GraphQL API, the reason it was tractable at all was that the entities we were querying over were homogenous enough that there was one centralized place (the "query builder") where we could turn these filters (startsWith, lt, eq, and, or, etc) into a big WHERE clause which could then be applied to any query we wanted.

If we can't do that, then it becomes a combinatorial nightmare of having to support every type of filter on every graphql resolver's individual query/queries.

[jshearer]

I will also note, I spent a lot of time in there optimizing the monstrous queries it would generate. So we should probably not follow that same exact pattern here :P

[GregorShear]

optional filters will make these queries fairly long...

[GregorShear]

just calling out new behavior - delete single-use invites when they're redeemed

[GregorShear]

@jshearer i suppose this could be the record of who invited the user...

[jshearer]

We don't keep logs indefinitely. If it's not required for compliance then I'm 100% whatevs about tracking who invited whom, I was just spitballing features that the existing directive's implementation could offer that we might care about

[psFried]

I found a few things that are probably worth changing. I'm still interested in resolving the conversation on BoolFilter, but just wanted to get you the feedback that I have now.

[psFried]

I actually like this _Filter naming better, though the inconsistency with _By seems unfortunate. IMO if we're going to switch the convention, then it's probably worth trying to switch everything else over, too. I'm kinda on the fence as to whether it's worth while, though. What do you think?

[psFried]

I can definitely see the benefit of having consistent terminology for different predicates. Though a problem I foresee with the approach is that not all resolvers will be able to support all predicates. For example, for some we might only support eq, and others maybe only startsWith. I mostly just wouldn't want to have our graphql schema suggest that you could use a contains filter on liveSpecs names, for example, when we don't want to support such queries in the database.

I'm a little on the fence about liveSpecs(by: { prefix: "acmeCo/" }) vs liveSpecs(by: { catalogName: { startsWith: "acmeCo/" } }). I do kinda like the latter, though IDK whether I'd like it better enough to justify migrating existing resolvers or living with two different conventions. Maybe it'd help to understand what the migration process would look like? If we wanted to have some limited backward compatibility during a transition period, would that be pretty easy?