feat: add permission control to PicaClientOptions

paulkr · paulkr · commit c4672c7b103c · 2025-06-16T16:24:50.000-04:00
diff --git a/README.md b/README.md
@@ -23,6 +23,7 @@ The `PicaClientOptions` class allows you to configure the Pica client with the f
 | server_url | str | No | https://api.picaos.com | URL for self-hosted Pica server. |
 | connectors | List[str] | No | [] | List of connector keys to filter by. Pass ["*"] to initialize all available connectors, or specific connector keys to filter. If empty, no connections will be initialized. |
 | actions | List[str] | No | None | List of action ids to filter by. Default is all actions. |
+| permissions | Literal["read", "write", "admin"] | No | None | Permission level to filter actions by. 'read' allows GET only, 'write' allows POST/PUT/PATCH, 'admin' allows all methods (default: 'admin') |
 | authkit | bool | No | False | If True, the SDK will use Authkit to connect to prompt the user to connect to a platform that they do not currently have access to |
 | identity | str | No | None | Filter connections by specific identity ID. |
 | identity_type | "user", "team", "organization", or "project" | No | None | Filter connections by identity type. |
@@ -54,7 +55,8 @@ pica_client = PicaClient(
         # identity="user-id",
         # authkit=True,
         # actions=[""], # Initialize specific action ids (e.g. ["conn_mod_def::F_JeJ_A_TKg::cc2kvVQQTiiIiLEDauy6zQ"])
-
+        # permissions="read", # Filter actions by permission level
+        
         connectors=["*"] # Initialize all available connections for this example
     )
 )
diff --git a/pica_langchain/client.py b/pica_langchain/client.py
@@ -39,6 +39,7 @@ def __init__(self, secret: str, options: Optional[PicaClientOptions] = None):
                 - server_url: Custom server URL to use instead of the default.
                 - connectors: List of connector keys to filter by.
                 - actions: List of action IDs to filter by. Default is all actions.
+                - permissions: Permission level to filter actions by. 'read' allows GET only, 'write' allows POST/PUT/PATCH, 'admin' allows all methods.
                 - identity: Filter connections by specific identity ID.
                 - identity_type: Filter connections by identity type (user, team, organization, or project).
                 - authkit: Whether to use the AuthKit integration which enables the promptToConnectPlatform tool.
@@ -82,6 +83,10 @@ def __init__(self, secret: str, options: Optional[PicaClientOptions] = None):
         self._actions_filter = options.actions
         if self._actions_filter:
             logger.debug(f"Filtering actions by IDs: {self._actions_filter}")
+        
+        self._permissions_filter = options.permissions
+        if self._permissions_filter:
+            logger.debug(f"Filtering actions by permissions: {self._permissions_filter}")
 
         self.mcp_client = None
         self.mcp_tools = []
@@ -476,7 +481,29 @@ def get_available_actions(self, platform: str) -> ActionsResponse:
                         filtered_actions.append(action)
                 
                 all_actions = filtered_actions
-                logger.info(f"After filtering, {len(all_actions)} actions remain")
+                logger.info(f"After filtering by IDs, {len(all_actions)} actions remain")
+            
+            # Filter actions by permissions if permissions filter is provided
+            if self._permissions_filter:
+                logger.debug(f"Filtering actions by permissions: {self._permissions_filter}")
+                filtered_by_permissions = []
+                
+                if self._permissions_filter == "read":
+                    for action in all_actions:
+                        method = action.method
+                        if method and method.upper() == "GET":
+                            filtered_by_permissions.append(action)
+                elif self._permissions_filter == "write":
+                    for action in all_actions:
+                        method = action.method
+                        if method and method.upper() in ["POST", "PUT", "PATCH"]:
+                            filtered_by_permissions.append(action)
+                # For "admin" or no permissions set, return all actions (no filtering)
+                else:
+                    filtered_by_permissions = all_actions
+                
+                all_actions = filtered_by_permissions
+                logger.info(f"After filtering by permissions ({self._permissions_filter}), {len(all_actions)} actions remain")
             
             # Create simplified action representations
             simplified_actions = []
diff --git a/pica_langchain/models.py b/pica_langchain/models.py
@@ -57,6 +57,7 @@ class AvailableAction(BaseModel):
     path: Optional[str] = None
     base_url: Optional[str] = Field(None, alias="baseUrl")
     tags: Optional[List[str]] = Field(default_factory=list)
+    method: Optional[str] = None
     
     model_config = ConfigDict(
         populate_by_name=True,
@@ -261,6 +262,10 @@ class PicaClientOptions(BaseModel):
         default=None,
         description="List of action ids to filter by. Default is all actions."
     )
+    permissions: Optional[Literal["read", "write", "admin"]] = Field(
+        default=None,
+        description="Permission level to filter actions by. 'read' allows GET only, 'write' allows POST/PUT/PATCH, 'admin' allows all methods (default: 'admin')"
+    )
     identity: Optional[str] = Field(
         default=None,
         description="Filter connections by specific identity ID"
diff --git a/setup.py b/setup.py
@@ -2,7 +2,7 @@
 
 setup(
     name="pica-langchain",
-    version="1.3.0",
+    version="1.4.0",
     packages=find_packages(),
     install_requires=[
         "langchain==0.3.20",
