feat(phase4+5): role hierarchy, tenant config, fallback material, dead code removal

Phase 4.1 — Role Hierarchy: - UserRole enum: add global_admin (platform operator) + tenant_admin (per-tenant admin); keep legacy 'admin' for backward compat - Role sets: ADMIN_ROLES, TENANT_ADMIN_ROLES, PM_ROLES, RLS_BYPASS_ROLES - New auth guards: require_global_admin(), require_tenant_admin_or_above(), require_pm_or_above(), is_admin(), is_privileged() - Legacy require_admin / require_admin_or_pm now check both old+new roles - Migration 049: ADD VALUE global_admin + tenant_admin with AUTOCOMMIT workaround; backfills admin → global_admin - Seed: new admin users created with global_admin role Phase 4.3 — RLS bypass updated for global_admin in get_db + set_tenant_context Phase 4.4 — Tenant Feature Flags: - Migration 050: tenant_config JSONB on tenants table - Tenant model: tenant_config field + get_config() accessor - Defaults: max_concurrent_renders=3, fallback_material, invoice_prefix etc. Phase 5.1 — Fallback Material: - blender_render.py: replace PALETTE_LINEAR/PALETTE_HEX/_assign_palette_material with _assign_failed_material() → SCHAEFFLER_059999_FailedMaterial (magenta) - Unmatched parts now logged explicitly before rendering Phase 5.2 — Remove EEVEE fallback: - render_blender.py: EEVEE→Cycles silent retry removed; hard failure on EEVEE error Phase 5.3 — Remove Blender version check: - render_blender.py: deleted MIN_BLENDER_VERSION = (5, 0, 1) constant Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-08 19:42:10 +01:00
parent 121fbdafd3
commit 9f54bc3ab1
10 changed files with 225 additions and 64 deletions
@@ -0,0 +1,44 @@
 """Extend UserRole enum: add global_admin and tenant_admin.
 Existing 'admin' users are backfilled to 'global_admin'.
 The legacy 'admin' value is kept in the enum so existing tokens/sessions
 remain valid during the transition period. It will be removed in a later
 cleanup migration once all call sites are updated.
 Revision ID: 049
 Revises: 048
 """
 from alembic import op
 import sqlalchemy as sa
 revision = "049"
 down_revision = "048"
 branch_labels = None
 depends_on = None
 def upgrade() -> None:
    # PostgreSQL requires ALTER TYPE ADD VALUE to be committed in its own transaction
    # before the new value can be used.  Execute each ADD VALUE with AUTOCOMMIT.
    conn = op.get_bind()
    with conn.execution_options(isolation_level="AUTOCOMMIT"):
        conn.execute(sa.text("ALTER TYPE userrole ADD VALUE IF NOT EXISTS 'global_admin'"))
        conn.execute(sa.text("ALTER TYPE userrole ADD VALUE IF NOT EXISTS 'tenant_admin'"))
    # Now in a normal transaction: backfill existing 'admin' → 'global_admin'
    conn.execute(
        sa.text("UPDATE users SET role = 'global_admin'::userrole WHERE role = 'admin'::userrole")
    )
 def downgrade() -> None:
    # Restore global_admin/tenant_admin back to admin (for rollback)
    op.execute(
        "UPDATE users SET role = 'admin'::userrole WHERE role = 'global_admin'::userrole"
    )
    op.execute(
        "UPDATE users SET role = 'client'::userrole WHERE role = 'tenant_admin'::userrole"
    )
    # Note: cannot DROP enum values in PostgreSQL without recreating the type
    # The values will remain in the enum but unused after downgrade
@@ -0,0 +1,46 @@
 """Add tenant_config JSONB column to tenants table.
 Stores per-tenant feature flags and limits:
  max_concurrent_renders, render_engines_allowed, fallback_material,
  max_order_size, notifications_enabled, invoice_prefix.
 Revision ID: 050
 Revises: 049
 """
 from alembic import op
 import sqlalchemy as sa
 from sqlalchemy.dialects.postgresql import JSONB
 revision = "050"
 down_revision = "049"
 branch_labels = None
 depends_on = None
 _DEFAULT_CONFIG = """{
    "max_concurrent_renders": 3,
    "render_engines_allowed": ["cycles", "eevee"],
    "max_order_size": 500,
    "fallback_material": "SCHAEFFLER_059999_FailedMaterial",
    "notifications_enabled": true,
    "invoice_prefix": "INV"
 }"""
 def upgrade() -> None:
    op.add_column(
        "tenants",
        sa.Column(
            "tenant_config",
            JSONB,
            nullable=True,
            server_default=_DEFAULT_CONFIG,
        ),
    )
    # Backfill existing rows with defaults
    op.execute(
        f"UPDATE tenants SET tenant_config = '{_DEFAULT_CONFIG}'::jsonb WHERE tenant_config IS NULL"
    )
 def downgrade() -> None:
    op.drop_column("tenants", "tenant_config")
@@ -44,6 +44,6 @@ class TenantContextMiddleware(BaseHTTPMiddleware):
                pass  # invalid/expired tokens are handled per-endpoint
        request.state.tenant_id = tenant_id
-        request.state.role = role
+        request.state.role = role  # "global_admin"|"tenant_admin"|"project_manager"|"client"|"admin"
        return await call_next(request)
@@ -34,7 +34,9 @@ async def get_db(request: "Request | None" = None) -> AsyncGenerator[AsyncSessio
            tenant_id = getattr(request.state, "tenant_id", None)
            role = getattr(request.state, "role", None)
            if tenant_id:
-                if role == "admin":
+                # global_admin and legacy admin bypass RLS to see all tenants
                _bypass_roles = {"global_admin", "admin"}
                if role in _bypass_roles:
                    await session.execute(text("SET LOCAL app.current_tenant_id = 'bypass'"))
                else:
                    await session.execute(
@@ -69,7 +71,8 @@ async def get_db_for_tenant(
    if user and hasattr(user, "tenant_id") and user.tenant_id:
        role = getattr(user, "role", None)
        role_value = role.value if hasattr(role, "value") else str(role) if role else ""
-        if role_value == "admin":
+        _bypass = {"global_admin", "admin"}
        if role_value in _bypass:
            await db.execute(text("SET LOCAL app.current_tenant_id = 'bypass'"))
        else:
            await db.execute(
@@ -120,7 +123,8 @@ async def set_tenant_context(db: AsyncSession, user: Optional[object]) -> None:
    if user and hasattr(user, "tenant_id") and user.tenant_id:
        role = getattr(user, "role", None)
        role_value = role.value if hasattr(role, "value") else str(role) if role else ""
-        if role_value == "admin":
+        _bypass = {"global_admin", "admin"}
        if role_value in _bypass:
            await db.execute(text("SET LOCAL app.current_tenant_id = 'bypass'"))
        else:
            await db.execute(
@@ -8,9 +8,27 @@ import enum
 class UserRole(str, enum.Enum):
    # New role hierarchy (Phase 4)
    global_admin = "global_admin"    # platform operator — bypasses RLS, all tenants
    tenant_admin = "tenant_admin"    # per-tenant admin — full control within own tenant
    project_manager = "project_manager"  # order/render management within tenant
    client = "client"               # read own orders, create draft orders
    # Legacy alias — kept for backward compat during migration; use global_admin for new code
    admin = "admin"
-    project_manager = "project_manager"
+
-    client = "client"
+
 # Roles that have administrative privileges (global_admin + legacy admin)
 ADMIN_ROLES = {"global_admin", "admin"}
 # Roles with tenant-level admin access
 TENANT_ADMIN_ROLES = {"global_admin", "tenant_admin", "admin"}
 # Roles with project management or above
 PM_ROLES = {"global_admin", "tenant_admin", "project_manager", "admin"}
 # Roles that bypass RLS (see TenantContextMiddleware + get_db)
 RLS_BYPASS_ROLES = {"global_admin", "admin"}
 class User(Base):
@@ -2,9 +2,18 @@ import uuid
 from datetime import datetime
 from sqlalchemy import String, DateTime, Boolean
 from sqlalchemy.orm import Mapped, mapped_column, relationship
-from sqlalchemy.dialects.postgresql import UUID
+from sqlalchemy.dialects.postgresql import UUID, JSONB
 from app.database import Base
 _DEFAULT_TENANT_CONFIG = {
    "max_concurrent_renders": 3,
    "render_engines_allowed": ["cycles", "eevee"],
    "max_order_size": 500,
    "fallback_material": "SCHAEFFLER_059999_FailedMaterial",
    "notifications_enabled": True,
    "invoice_prefix": "INV",
 }
 class Tenant(Base):
    __tablename__ = "tenants"
@@ -14,6 +23,14 @@ class Tenant(Base):
    slug: Mapped[str] = mapped_column(String(100), nullable=False, unique=True)
    is_active: Mapped[bool] = mapped_column(Boolean, nullable=False, default=True)
    created_at: Mapped[datetime] = mapped_column(DateTime, default=datetime.utcnow, nullable=False)
    tenant_config: Mapped[dict | None] = mapped_column(
        JSONB, nullable=True, default=_DEFAULT_TENANT_CONFIG
    )
    def get_config(self, key: str, default=None):
        """Safe accessor for tenant_config fields."""
        cfg = self.tenant_config or {}
        return cfg.get(key, default)
    # Relationships (lazy=noload — loaded explicitly when needed)
    users: Mapped[list] = relationship("User", back_populates="tenant", lazy="noload")
@@ -14,8 +14,6 @@ from pathlib import Path
 logger = logging.getLogger(__name__)
 MIN_BLENDER_VERSION = (5, 0, 1)
 def _glb_from_step(step_path: Path, glb_path: Path, quality: str = "low") -> None:
    """Convert STEP → GLB via OCC (export_step_to_gltf.py, no Blender needed).
@@ -226,12 +224,8 @@ def render_still(
    log_lines = [l for l in stdout_lines if "[blender_render]" in l]
-    # EEVEE fallback to Cycles on non-signal error
+    # EEVEE fallback removed (Phase 5.2): EEVEE Next in Blender 5.0+ is stable.
-    if returncode > 0 and engine == "eevee":
+    # If EEVEE fails, it is a hard failure — no silent retry.
        logger.warning("EEVEE failed (exit %d) — retrying with Cycles", returncode)
        returncode, stdout_lines2, stderr_lines2 = _run("cycles")
        engine_used = "cycles (eevee fallback)"
        log_lines.extend(l for l in stdout_lines2 if "[blender_render]" in l)
    if returncode != 0:
        stdout_tail = "\n".join(stdout_lines[-50:]) if stdout_lines else ""
@@ -59,14 +59,68 @@ async def get_current_user(
    return user
 def _role_value(user: User) -> str:
    """Return the string value of a user's role (works for both enum and plain str)."""
    role = user.role
    return role.value if hasattr(role, "value") else str(role)
 # ── New role-hierarchy guards ─────────────────────────────────────────────────
 async def require_global_admin(user: User = Depends(get_current_user)) -> User:
    """GlobalAdmin only (platform operator). Replaces require_admin() for new code."""
    from app.domains.auth.models import ADMIN_ROLES
    if _role_value(user) not in ADMIN_ROLES:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Global admin access required")
    return user
 async def require_tenant_admin_or_above(user: User = Depends(get_current_user)) -> User:
    """TenantAdmin, GlobalAdmin, or legacy admin."""
    from app.domains.auth.models import TENANT_ADMIN_ROLES
    if _role_value(user) not in TENANT_ADMIN_ROLES:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Tenant admin access required")
    return user
 async def require_pm_or_above(user: User = Depends(get_current_user)) -> User:
    """ProjectManager, TenantAdmin, GlobalAdmin, or legacy admin."""
    from app.domains.auth.models import PM_ROLES
    if _role_value(user) not in PM_ROLES:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Project manager or above access required",
        )
    return user
 def is_admin(user: User) -> bool:
    """Helper: True if user has any admin-level role."""
    from app.domains.auth.models import ADMIN_ROLES
    return _role_value(user) in ADMIN_ROLES
 def is_privileged(user: User) -> bool:
    """Helper: True if user can manage orders/renders (PM or above)."""
    from app.domains.auth.models import PM_ROLES
    return _role_value(user) in PM_ROLES
 # ── Legacy guards (kept for backward compatibility) ───────────────────────────
 # These now accept both old ("admin") and new ("global_admin") roles.
 async def require_admin(user: User = Depends(get_current_user)) -> User:
-    if user.role.value != "admin":
+    """Backward-compat alias for require_global_admin(). Prefer require_global_admin() in new code."""
    from app.domains.auth.models import ADMIN_ROLES
    if _role_value(user) not in ADMIN_ROLES:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin access required")
    return user
 async def require_admin_or_pm(user: User = Depends(get_current_user)) -> User:
-    if user.role.value not in ("admin", "project_manager"):
+    """Backward-compat alias for require_pm_or_above(). Prefer require_pm_or_above() in new code."""
    from app.domains.auth.models import PM_ROLES
    if _role_value(user) not in PM_ROLES:
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN,
            detail="Admin or Project Manager access required",
@@ -161,8 +161,8 @@ async def seed(db_url: str, admin_email: str = "admin@schaeffler.com", admin_pas
            admin = User(
                email=admin_email,
                password_hash=hash_password(admin_password),
                role=UserRole.global_admin,
                full_name="Schaeffler Admin",
                role=UserRole.admin,
            )
            session.add(admin)
            print(f"  + Admin user: {admin_email}")
@@ -27,29 +27,8 @@ if hasattr(sys.stdout, "reconfigure"):
 import bpy
 from mathutils import Vector, Matrix
-# ── Colour palette (matches Three.js renderer) ───────────────────────────────
+# Fallback material name — magenta, immediately visible when material assignment fails
-
+FAILED_MATERIAL_NAME = "SCHAEFFLER_059999_FailedMaterial"
 PALETTE_HEX = [
    "#4C9BE8", "#E85B4C", "#4CBE72", "#E8A84C", "#A04CE8",
    "#4CD4E8", "#E84CA8", "#7EC850", "#E86B30", "#5088C8",
 ]
 def _srgb_to_linear(c: int) -> float:
    """Convert 0-255 sRGB integer to linear float."""
    v = c / 255.0
    return v / 12.92 if v <= 0.04045 else ((v + 0.055) / 1.055) ** 2.4
 def _hex_to_linear(hex_color: str) -> tuple:
    """Return (r, g, b, 1.0) in Blender linear colour space."""
    h = hex_color.lstrip('#')
    return (
        _srgb_to_linear(int(h[0:2], 16)),
        _srgb_to_linear(int(h[2:4], 16)),
        _srgb_to_linear(int(h[4:6], 16)),
        1.0,
    )
 PALETTE_LINEAR = [_hex_to_linear(h) for h in PALETTE_HEX]
 # ── Parse arguments ───────────────────────────────────────────────────────────
@@ -156,20 +135,20 @@ def _apply_smooth(part_obj, angle_deg):
        bpy.ops.object.shade_flat()
-def _assign_palette_material(part_obj, index):
+def _assign_failed_material(part_obj):
-    """Assign a palette colour material to a mesh part."""
+    """Assign the standard fallback material (magenta) when no library material matches.
-    color = PALETTE_LINEAR[index % len(PALETTE_LINEAR)]
+
-    mat = bpy.data.materials.new(name=f"Part_{index}")
+    Tries to reuse SCHAEFFLER_059999_FailedMaterial from the library first.
-    mat.use_nodes = True
+    Creates a simple magenta Principled BSDF if the library material is not loaded.
-    bsdf = mat.node_tree.nodes.get("Principled BSDF")
+    """
-    if bsdf:
+    mat = bpy.data.materials.get(FAILED_MATERIAL_NAME)
-        bsdf.inputs["Base Color"].default_value = color
+    if mat is None:
-        bsdf.inputs["Metallic"].default_value   = 0.35
+        mat = bpy.data.materials.new(name=FAILED_MATERIAL_NAME)
-        bsdf.inputs["Roughness"].default_value  = 0.40
+        mat.use_nodes = True
-        try:
+        bsdf = mat.node_tree.nodes.get("Principled BSDF")
-            bsdf.inputs["Specular IOR Level"].default_value = 0.5
+        if bsdf:
-        except KeyError:
+            bsdf.inputs["Base Color"].default_value = (1.0, 0.0, 1.0, 1.0)  # magenta
-            pass
+            bsdf.inputs["Roughness"].default_value  = 0.6
    part_obj.data.materials.clear()
    part_obj.data.materials.append(mat)
@@ -490,13 +469,18 @@ if use_template:
            if _stripped != kl:
                mat_map_lower.setdefault(_stripped, v)
        _apply_material_library(parts, material_library_path, mat_map_lower)
-        # Parts not matched by library get palette fallback
+        # Parts not matched by library get the failed-material fallback (magenta)
-        for i, part in enumerate(parts):
+        unmatched = []
        for part in parts:
            if not part.data.materials or len(part.data.materials) == 0:
-                _assign_palette_material(part, i)
+                _assign_failed_material(part)
                unmatched.append(part.name)
        if unmatched:
            print(f"[blender_render] WARNING: {len(unmatched)} parts unmatched, assigned {FAILED_MATERIAL_NAME}: {unmatched[:5]}", flush=True)
    else:
-        for i, part in enumerate(parts):
+        # No material library — assign fallback to all parts
-            _assign_palette_material(part, i)
+        for part in parts:
            _assign_failed_material(part)
    # ── Shadow catcher (Cycles only, template mode only) ─────────────────────
    if shadow_catcher:
@@ -555,10 +539,10 @@ else:
    import time as _time
    _t_smooth_a = _time.time()
-    for i, part in enumerate(parts):
+    for part in parts:
        _apply_smooth(part, smooth_angle)
-        _assign_palette_material(part, i)
+        _assign_failed_material(part)
-    print(f"[blender_render] smooth+palette: {len(parts)} parts ({_time.time()-_t_smooth_a:.1f}s)", flush=True)
+    print(f"[blender_render] smooth+fallback-material: {len(parts)} parts ({_time.time()-_t_smooth_a:.1f}s)", flush=True)
    # Apply material library on top of palette colours (same logic as Mode B).
    # material_library_path / material_map are parsed from argv even in Mode A
@@ -576,7 +560,7 @@ else:
            if _stripped != kl:
                mat_map_lower.setdefault(_stripped, v)
        _apply_material_library(parts, material_library_path, mat_map_lower)
-        # Parts not matched by the library keep their palette material (already set above)
+        # Parts not matched by the library keep their fallback material (already set above)
 if needs_auto_camera:
    # ── Combined bounding box / bounding sphere ──────────────────────────────