add a claude code command to analyze a jira issue and create a plan from
it. This should be used in plan mode!
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Converted all remaining prop-types usage to TypeScript interfaces:
- SystemStatusBanner: Added BannerContentProps interface
- DateTimePicker: Added DateTimePickerProps interface
prop-types remains as transitive dependency but is no longer directly
imported or used in the codebase.
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
pullstats: updated bulk upsert function to track correct pull count and timestamp in case of race condition
Co-authored-by: shudeshp <shudeshp@redhat.com>
fix(api): implement proper superuser permission model and fix access controls
Fixes multiple issues with superuser functionality and implements a comprehensive
permission model for FEATURE_SUPERUSERS_FULL_ACCESS:
**Permission Model:**
- Global Readonly Superusers (auditors): Always have read access to all content,
  independent of FEATURE_SUPERUSERS_FULL_ACCESS setting
- Regular Superusers: Can access /v1/superuser endpoints and their own content.
  Require FEATURE_SUPERUSERS_FULL_ACCESS=true for cross-namespace read access
- Full Access Superusers: Regular superusers with FULL_ACCESS enabled, can
  perform CRUD on content they don't own
- Write operations: Only allowed for full access superusers (global readonly
  superusers never get write access)
**Key Fixes:**
1. Fixed superuser panel endpoints returning 403 when FULL_ACCESS was disabled.
   Basic panel operations (user list, logs, org list, messages) now work with
   just FEATURE_SUPER_USERS enabled.
2. Updated decorators to properly differentiate between basic superuser
   operations and permission bypass operations.
3. Implemented license bypass: Superusers with FULL_ACCESS now bypass
   license/quota limits when creating or modifying private repositories.
4. Fixed 18 permission checks across 7 files to properly implement cross-namespace
   access controls for different superuser types.
**Changes:**
- endpoints/api/__init__.py: Fixed allow_if_superuser(), require_repo_permission, and decorators
- endpoints/api/superuser.py: Updated SuperUserAppTokens permission check
- endpoints/api/organization.py: Updated 4 GET endpoints to require FULL_ACCESS
- endpoints/api/namespacequota.py: Updated 2 GET endpoints to require FULL_ACCESS
- endpoints/api/team.py: Updated 2 GET endpoints to require FULL_ACCESS
- endpoints/api/prototype.py: Updated 1 GET endpoint to require FULL_ACCESS
- endpoints/api/policy.py: Updated auto-prune policy endpoints
- endpoints/api/robot.py: Updated robot endpoints
- endpoints/api/build.py: Updated repository build logs
- endpoints/api/repository.py: Added license bypass for superusers with FULL_ACCESS
- endpoints/api/repository_models_pre_oci.py: Updated repository visibility query
- endpoints/api/logs.py: Fixed log access to require FULL_ACCESS for permission bypass
- endpoints/api/test/test_superuser_full_access.py: Added comprehensive test suite
- endpoints/api/test/test_appspecifictoken.py: Updated test mocking and added 403 test
- test/test_api_usage.py: Updated test expectations for license bypass behavior
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
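The permission model described in the commit message above, written out as a single decision function. This is an added illustration, not Quay's own code: `Action`, `User`, `Config`, `is_allowed` and the "username equals namespace" ownership check are assumptions of this sketch.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    READ = "read"
    WRITE = "write"
    SUPERUSER_PANEL = "panel"  # stands in for the /v1/superuser endpoints


@dataclass(frozen=True)
class User:
    username: str
    is_superuser: bool = False
    is_global_readonly_superuser: bool = False  # "auditor"


@dataclass(frozen=True)
class Config:
    feature_super_users: bool = True
    feature_superusers_full_access: bool = False


def is_allowed(user: User, action: Action, namespace: str, cfg: Config) -> bool:
    """Return True if `user` may perform `action` on content in `namespace`."""
    if action is Action.SUPERUSER_PANEL:
        # Basic panel operations need only FEATURE_SUPER_USERS, not FULL_ACCESS.
        # Assumption: the page does not say whether auditors reach the panel,
        # so this sketch grants it to regular superusers only.
        return cfg.feature_super_users and user.is_superuser

    # Assumption: ownership is modelled as username == namespace; ordinary
    # owner permissions are unaffected by any superuser setting.
    if user.username == namespace:
        return True

    # Auditors: cross-namespace read regardless of FULL_ACCESS, never write,
    # even if the same account is also a full access superuser.
    if user.is_global_readonly_superuser:
        return action is Action.READ

    # Everything else across namespaces is a permission bypass and requires a
    # regular superuser with FEATURE_SUPERUSERS_FULL_ACCESS enabled.
    return (
        cfg.feature_super_users
        and user.is_superuser
        and cfg.feature_superusers_full_access
    )


# Constructed sample principals and configurations.
AUDITOR = User("auditor", is_global_readonly_superuser=True)
ADMIN = User("admin", is_superuser=True)
PLAIN = User("alice")
FULL_OFF = Config(feature_superusers_full_access=False)
FULL_ON = Config(feature_superusers_full_access=True)
```

A table-driven test over every (user type, action, flag) combination is the natural regression check for this kind of change, since each of the 18 fixed checks is one cell of that matrix.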
* fix(web): hide Create User button for external authentication in superuser panel (PROJQUAY-9736)
When Quay is configured with external authentication (LDAP, OIDC, etc.),
the Create User button is now hidden in the superuser Organizations page
and replaced with an informational alert explaining that users can only
be created in the external authentication system. This matches the
behavior of the old AngularJS UI and prevents the confusing error that
occurred when users clicked the button.
Changes:
- Conditionally render Create User button only for Database auth
- Add PatternFly Alert for external auth with user-friendly message
- Add Cypress tests covering Database, LDAP, OIDC, and AppToken auth types
Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Brady Pratt <bpratt@redhat.com>
* chore: drop proptypes use in orgs list
Signed-off-by: Brady Pratt <bpratt@redhat.com>
---------
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
When AUTHENTICATION_TYPE is LDAP or other external auth (not Database),
the superuser user management panel now correctly hides "Change E-mail Address"
and "Change Password" options from the user actions menu. These options are only
shown for Database authentication since external auth users are managed in the
external system.
Also hides "Send Recovery E-mail" option for external auth as it only works
with Database authentication.
Adds Cypress tests to verify correct behavior for LDAP, OIDC, and Database
authentication types.
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
Superusers could not add/update/delete quota limits for user namespaces
because the React UI was calling non-existent /api/v1/superuser/users/
endpoints instead of the correct /api/v1/organization/ endpoints.
The backend only provides /api/v1/organization/{namespace}/quota/*
endpoints which work for both organizations AND user namespaces. The
Angular UI correctly used these endpoints for all cases, but the React
UI incorrectly tried to use separate /api/v1/superuser/users/ endpoints
for user namespaces, resulting in HTTP 405 Method Not Allowed errors.
Changes:
- QuotaResource.ts: Removed isUser conditional logic from createQuotaLimit,
  updateQuotaLimit, and deleteQuotaLimit functions - now always use
  /api/v1/organization/ endpoints
- UseQuotaManagement.ts: Updated hooks to remove isUser parameter from
  quota limit function calls
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
When logging in with LDAP authentication, the new React UI was skipping the
username confirmation page and going directly to the Organizations page. This
fix ensures that users with the confirm_username prompt are redirected to the
/updateuser page after successful login.
Changes:
- Modified Signin.tsx to check for user prompts after successful login
- Added redirect to /updateuser if prompts exist
- Enhanced UpdateUser.tsx to honor quay.redirectAfterLoad for external logins
- Added Cypress e2e tests for username confirmation flow
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
when user with unverified email attempts login, display "You must verify
your email address before you can sign in" instead of misleading "CSRF
token expired - please refresh" error
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* chore: set up CTRF cypress reporting
generate and upload cypress test results to PRs using CTRF (common test
report format)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
* chore: set up multi workflow ctrf pr reporting
and simplify the uploading into 2 stages
Signed-off-by: Brady Pratt <bpratt@redhat.com>
---------
Signed-off-by: Brady Pratt <bpratt@redhat.com>
When INVITE_ONLY_USER_CREATION is enabled and a valid LDAP user attempts
to login without an existing Quay account, the frontend now displays the
proper error message from the backend: "User creation is disabled. Please
contact your administrator to gain access."
Previously, the frontend hardcoded "Invalid login credentials" regardless
of the actual error message returned by the backend, which was misleading.
Changes:
- Use backend error message instead of hardcoded string in Signin.tsx
- Add Cypress test for INVITE_ONLY_USER_CREATION error scenario
- Fix existing test to align with new behavior
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
Migrates UI state management from Recoil atoms to a centralized
UIContext using pure React Context API. This is part of the broader
effort to simplify state management and reduce dependencies.
Changes:
- Create UIContext with sidebar and alert state management
- Migrate SidebarState: isSidebarOpen with localStorage persistence
- Migrate AlertState: alerts array with add/remove/clear operations
- Move AlertVariant enum and AlertDetails interface to UIContext
- Remove UseAlerts hook (now redundant - consumers use useUI directly)
- Update Alerts component to use removeAlert from context
- Update QuayHeader and QuaySidebar to use useUI hook
- Update 128 files to import types/hooks from UIContext
- Delete AlertState.ts, SidebarState.ts, and UseAlerts.ts
Benefits:
- Zero runtime logic changes for consumers
- Centralized UI state in single context
- Reduced Recoil surface area (2 fewer atoms)
- Simpler architecture (removed unnecessary hook wrapper)
- Future-proof for additional UI state (theme, plugin mode)
- Pure React with no external dependencies for UI state
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
to help guide dev and coderabbit reviews. Claude users can symlink the
file or mention the file to have it loaded
Signed-off-by: Brady Pratt <bpratt@redhat.com>
- Rename ApplicationTokenCredentials to CredentialsModal for reusability
- Add support for both application tokens and encrypted passwords
- Fix memory leak by moving state cleanup to useEffect
- Fix error handling to clear errors on successful responses
- Add null checks for user loading state
- Update data-testid naming for better specificity
- Mock encrypted password API in Cypress tests
- Simplify Cypress selectors for better reliability
Co-authored-by: Claude <noreply@anthropic.com>
Users can now navigate directly to organizations and repositories using
shorthand URLs, matching the Angular UI behavior:
- /myorg → /organization/myorg
- /openshift/release → /repository/openshift/release
Implementation improvements:
- Dynamically derives reserved route prefixes from NavigationPath enum
- TypeScript interface for type-safe route parameters
- Comprehensive JSDoc documentation with examples
- Preserves query parameters and hash fragments during redirects
- Factory function for test mock data reusability
Test coverage:
- 11 comprehensive Cypress e2e tests (up from 6)
- Tests for organization and repository redirects
- Query parameter and hash fragment preservation
- Reserved route prefix handling
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* fix(ui): superuser usage logs filter searches across all fields (PROJQUAY-9622)
The filter in the superuser usage logs page was only searching the log.kind
field, causing it to return no results when users searched for namespaces,
usernames, or other visible data.
Changes:
- Enhanced filter to search across namespace, repository, performer, IP address,
  log kind, and description fields
- Removed duplicate filtering logic (filterLogs function and select option)
- Now follows codebase standard pattern used by other tables
- Filter applied once in usePaginatedSortableTable hook instead of twice
- Added comprehensive Cypress tests for filter functionality
The filter now performs case-insensitive substring matching across all
displayed fields, matching the behavior of the Angular UI.
Co-authored-by: Claude <noreply@anthropic.com>
* fix(ui): extract text from JSX for usage logs filter search
The filter was converting React elements to "[object Object]" instead of
searchable text. Added extractTextFromReactNode() utility to recursively
extract plain text from JSX while maintaining rich formatting for display
---------
Co-authored-by: Claude <noreply@anthropic.com>
* fix(ui): fallback to user orgs when superuser API fails (PROJQUAY-9650)
Always show user's own organizations from /api/v1/user/ and
combine with superuser orgs when available. Prevents empty org
list when FEATURE_SUPER_USERS is enabled but superuser API
returns 403.
Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: harishsurf <hgovinda@redhat.com>
* fix(ui): resolve React hooks violations in OrganizationsList
Optimize UseOrganizations with useMemo to prevent unnecessary
re-renders. Move all useState hooks before early returns in Organizations
kebab menu. Also fix PropTypes warning by ensuring showRegistrySize
is always boolean. Add cypress tests for regression
---------
Signed-off-by: harishsurf <hgovinda@redhat.com>
Application token table now shows relative time ("5 minutes ago") for Last Accessed,
Expiration, and Created columns, with full timestamp displayed in tooltip on hover.
This matches the behavior of the current Angular UI.
Uses existing formatRelativeTime and formatDate utilities from libs/utils with
PatternFly Tooltip component.
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* proxy: Drop error 403 token requests for anonymous pulls (PROJQUAY-9012)
ghcr.io returns 403 when attempting an anonymous pull, which causes the
proxy to attempt authentication even when authentication is disabled.
This change ignores 403 status codes when requesting anonymous pulls,
similar to the existing behavior for 401 responses.
* fix formatting
Application token and robot token credentials modals were using double
quotes in podman/docker login commands, causing authentication failures.
Changed to single quotes to match current UI behavior and ensure CLI
compatibility.
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
adds the missing "Send Recovery E-mail" option to the new React UI's
superuser user management panel
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
add React.lazy() and Suspense boundaries to all route components in both
StandaloneMain and PluginMain to reduce initial bundle size by 40-60%
and improve time-to-interactive performance
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* Add missing nginx routes for assign user oauth flow for react
* Add OAuth flow for assigned user token generation
* Add cypress test for assigned user oauth flow
* Show Authorized app section even when external login isn't available
* fix(ui): add contact link to login page footer (PROJQUAY-9660)
the login page footer was missing the contact link when CONTACT_INFO
was configured in config.yaml. this adds the same logic used in the
main app footer to display the contact link on the login page
Co-authored-by: Claude <noreply@anthropic.com>
* fix(ui): display Quay version in login page footer (PROJQUAY-9651)
The new React UI login page was missing the version number display
that appears in the Angular UI. Added version_number to login footer
items so it displays alongside Documentation and Contact links.
Co-authored-by: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
Mirror configuration should only allow robot accounts, not teams. This
removes the "Create team" option and "Teams" group from the robot user
dropdown in the mirroring configuration form. Also updates placeholder
text to clarify robot-only selection.
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
superusers can now see quota consumed data in the organizations list for
both organizations and user namespaces. the fix preserves quota_report data
from the /api/v1/superuser/organizations/ endpoint instead of discarding it.
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
* feat(ui): add repository activity heatmap (PROJQUAY-9353)
Implements an activity heatmap showing last 90 days of repository
pull/push activity to match feature available in Angular UI.
Features:
- Continuous week-by-week calendar grid layout
- Smart month labels (Aug, Sep, Oct) with spacing optimization
- Day labels (Mon, Wed, Fri) positioned clearly
- 5-level color scaling from gray (no activity) to dark blue (high activity)
- Interactive tooltips with date and action counts
- Full-width responsive design
- PatternFly design system integration
- ARIA labels for accessibility
Technical implementation:
- Custom React component using SVG rendering
- API integration with includeStats=true endpoint
- Color-coded cells based on activity intensity
- Tooltip with high contrast for dark/light mode support
Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Brady Pratt <bpratt@redhat.com>
* fix(test): resolve builds.cy.ts failures from includeStats param change (PROJQUAY-9353)
Fixed 21 failing Cypress tests in builds.cy.ts caused by two issues:
1. Updated all repository detail API intercepts to use includeStats=true
   instead of includeStats=false to match the actual API call changed
   in the heatmap feature implementation
2. Added optional chaining to error.response?.status in ErrorHandling.ts
   to prevent null reference errors when error.response is undefined
All 27 tests now pass (previously 6 passing, 21 failing).
Co-authored-by: Claude <noreply@anthropic.com>
Signed-off-by: Brady Pratt <bpratt@redhat.com>
---------
Signed-off-by: Brady Pratt <bpratt@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
this adds the GlobalMessages component to LoginPageLayout so that
superuser-configured global messages display on the login page,
matching the behavior of the Angular UI
Co-authored-by: Claude <noreply@anthropic.com>
* chore: remove unused QuayConfigState Recoil atoms
Removed dead code from state management migration. The QuayConfigState
and IsPluginState Recoil atoms were never read - only written to. All
config state is now properly managed via React Query using the
useQuayConfig hook.
Co-authored-by: Claude <noreply@anthropic.com>
* chore: remove unused CurrentUsernameState Recoil atom
The CurrentUsernameState atom was dead code - never imported or used
anywhere in the codebase. User data is now managed via React Query's
useCurrentUser hook, which is already in use across 24 files.
Co-authored-by: Claude <noreply@anthropic.com>
* chore: migrate SecurityDetailsState from Recoil to React Query
Replaced Recoil atoms (SecurityDetailsState, SecurityDetailsErrorState)
with useSecurityDetails React Query hook. This eliminates manual cache
management and simplifies component logic.
Changes:
- Created useSecurityDetails hook with automatic caching by org/repo/digest
- Updated 7 components to use the new hook
- Removed manual fetch logic, local state, and Recoil reset calls
- Removed cacheResults prop (React Query caches automatically)
- Simplified SecurityDetails.tsx from ~100 lines to ~60 lines
Benefits:
- Automatic cache invalidation when parameters change
- Better loading/error state handling
- No manual cache management needed
- Reduced code complexity (~50 lines removed)
Co-authored-by: Claude <noreply@anthropic.com>
---------
Co-authored-by: Claude <noreply@anthropic.com>
* notifications: Support slash in repository names (PROJQUAY-7538)
Fix for PROJQUAY-7538 discussed in #3069 by only considering the first slash when separating namespace and repository.
* Test and devcontainer
* Remove devcontainer.json
* Revert irrelevant test change.
* ui: removing default ui check
* ui: add option to disable angular UI
* Creating explicit angular and react cookies with config default
* Fixing "current ui" display text to respond to light theme
* initial superuser framework
* all service key functionality except create key
* add create preshareable key
* add change logs panel and fresh login component
* messages ui and config without display
* add global display of messages
* CSRF token changes required for fresh login
* usage logs functionality first pass
* fix fetch user logs, colors, legend, chart and default route
* usage logs prevent greater than 30 days
* usage logs functionality complete
* superuser organization action menu commands
* add framework and service keys tests, fix service key date mismatch
* add all remaining superuser tests
* Re-design sidenav for superuser component
* Add missing columns and access control for organization list
Signed-off-by: harishsurf <hgovinda@redhat.com>
Adds Size and Admin columns and superuser checks + readonly support
for superuser capabilities
* Add build logs functionality for superusers
* Add missing functionality for user and org management for superuser
Adds create user modal, and other missing modals for superuser related
actions for both user and organization
* Redesign quota functionality for superuser
Only superuser should be allowed to configure quota. Adds new modal
to configure quota. Removes modifying quota from org settings tab
* Fix cypress tests + formatting + undo X-Next-CSRF-Token token change
---------
Signed-off-by: harishsurf <hgovinda@redhat.com>
Co-authored-by: harishsurf <hgovinda@redhat.com>