Plugin-based datasource credentials (Notion, Jina, Firecrawl, etc.) were
implicitly shared with every workspace member. PR #35468 added the
visibility column, creator tracking and read-side filtering for datasource
providers, but left no way to actually set or change a credential's scope,
so every datasource credential stayed effectively all_team_members.

This completes the datasource side:

Backend:
- add_datasource_api_key_provider / add_datasource_oauth_provider accept
user_id and visibility; API keys default to all_team_members, OAuth
defaults to only_me (matching the plugin-credential philosophy)
- new update_datasource_credential_visibility (+ console endpoint) so the
creator can switch between only_me / all_team_members / partial_members;
only the creator (or legacy NULL-owner rows) may change the scope
- replace_partial_member_list / clear_partial_member_list helpers on
CredentialPermissionService (caller owns the transaction)
- list_datasource_credentials returns visibility, user_id, is_editable and
partial_member_list

Frontend:
- VisibilityModal reusing PermissionSelector, with an empty-partial-members
guard (the backend rejects an empty list)
- "Who can use" action in the credential operator, gated on is_editable
- scope badges (only me / partial team members) on the credential item

Existing credentials keep working: the visibility column defaults to
all_team_members and legacy rows with a NULL owner are always visible.
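
A minimal model of the scope rules described above, added here as an illustration; it is not the project's code. The names Credential, is_editable, can_use and change_visibility are hypothetical, and two behaviours are assumptions: the creator keeps access under every scope, and any member may edit a legacy NULL-owner row.

```python
from dataclasses import dataclass, field
from typing import Iterable, Optional, Set

# Scope values as named in the description above.
SCOPES = ("only_me", "all_team_members", "partial_members")

@dataclass
class Credential:  # hypothetical stand-in for a datasource credential row
    owner_id: Optional[str]               # None models a legacy NULL-owner row
    visibility: str = "all_team_members"  # column default per the description
    partial_members: Set[str] = field(default_factory=set)

def is_editable(cred: Credential, user_id: str) -> bool:
    # Creator only; legacy NULL-owner rows are assumed editable by any member.
    return cred.owner_id is None or cred.owner_id == user_id

def can_use(cred: Credential, user_id: str) -> bool:
    # Legacy rows are always visible; the creator is assumed to keep access.
    if cred.owner_id is None or cred.owner_id == user_id:
        return True
    if cred.visibility == "all_team_members":
        return True
    if cred.visibility == "partial_members":
        return user_id in cred.partial_members
    return False  # only_me, or an unknown value: fail closed

def change_visibility(cred: Credential, actor_id: str, visibility: str,
                      members: Iterable[str] = ()) -> None:
    if not is_editable(cred, actor_id):
        raise PermissionError("only the creator may change the scope")
    if visibility not in SCOPES:
        raise ValueError(f"unknown visibility: {visibility!r}")
    member_set = set(members)
    if visibility == "partial_members" and not member_set:
        raise ValueError("partial_members requires a non-empty member list")
    # Validate first, then mutate, so a rejected request changes nothing.
    cred.visibility = visibility
    cred.partial_members = member_set if visibility == "partial_members" else set()

if __name__ == "__main__":
    cred = Credential(owner_id="alice", visibility="only_me")  # constructed sample
    print(can_use(cred, "bob"))
    change_visibility(cred, "alice", "partial_members", ["bob"])
    print(can_use(cred, "bob"), can_use(cred, "carol"))
```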