submit+app: gate Submit on HF OAuth; populate hf_username from profile

Bundle 1+2 C10. Login-required submit shaped per the bundle spec.

submit.py:
- `handle_submit` grows a `profile: gr.OAuthProfile | None` arg.
Gradio dependency-injects the visitor's profile based on the
signature. None -> immediate `gr.Error("Please log in via the
HF button before submitting.")` so a UI mishap can't write an
anonymous row.
- `_build_pending_row` grows an `hf_username=None` kwarg.
`handle_submit` passes `profile.username` through so the row
carries the canonical HF identity (not a free-text claim in
meta.json's submitter_name).

app.py:
- New `gr.LoginButton()` in the Submit tab above the zip dropzone.
- Submit button starts `interactive=False`; new
`_enable_submit_when_logged_in(profile)` reads the visitor's
OAuth profile via `blocks.load` and flips the button on / off
per page load. Server-side gate in `handle_submit` mirrors this
so a logged-out user who somehow bypasses the disabled-button
UI still gets rejected.

requirements.txt:
- `gradio==5.50.0` -> `gradio[oauth]==5.50.0`. The `[oauth]` extra
pulls in `authlib` + `itsdangerous` + `cryptography`, which
gr.LoginButton + gr.OAuthProfile depend on. Without them
importing app.py fails with `ImportError: Cannot initialize OAuth`
(caught both locally and at Space build time).

README.md: untouched. Bundle 3 already landed `hf_oauth: true` on
line 10 of the front-matter, so the defensive add C10 was
prepared to do is a no-op.

tests/test_submit.py:
- New `test_pending_row_populates_hf_username_when_provided`
covers the kwarg path the OAuth flow takes.
- New `test_pending_row_hf_username_defaults_to_none` confirms
pre-OAuth callers (tests + pre-C10 row writers) stay clean.
- Existing tests untouched (still call _build_pending_row without
the hf_username kwarg, exercising the default).

Verification (autonomous):

- 24/24 unit tests green (2 new + 22 existing).
- Local boot: Gradio config carries the LoginButton (`"Sign in"` /
`"Logout"` label strings present), Submit button starts
non-interactive (`"interactive":false`), accordions / Download
CSV / report viewer all intact. handle_submit signature exposes
`profile`.

Manual OAuth check (per bundle spec C10) requires a real browser
login and is up to the human reviewer; can't simulate the HF
OAuth handshake from a sandboxed shell.

app.py

@@ -158,6 +158,21 @@ def _refresh_leaderboard_with_toast():
     return load_leaderboard_split()
 
 
+def _enable_submit_when_logged_in(
+    profile: gr.OAuthProfile | None,
+) -> gr.Button:
+    """Flip the Submit button's interactivity based on login state.
+
+    Runs once per page load via ``blocks.load``. Gradio injects
+    ``gr.OAuthProfile`` automatically (``None`` if the visitor isn't
+    logged in via the LoginButton). The visible-disable mirrors the
+    server-side gate in :func:`submit.handle_submit`; the handler
+    still raises ``gr.Error`` defensively if it ever gets called
+    without a profile.
+    """
+    return gr.Button(interactive=profile is not None)
+
+
 def _format_detail_and_report(
     df: pd.DataFrame | None, evt: gr.SelectData,
 ) -> tuple[str, str]:
@@ -359,10 +374,21 @@ not in the main leaderboard table.
 to publish the resulting row on the public leaderboard.
 """
         )
+        # OAuth gate. The user must log in via the HF button before
+        # the Submit button becomes interactive; the row gets the
+        # canonical `hf_username` from `gr.OAuthProfile.username`
+        # (not a free-text claim in meta.json). README front-matter
+        # already carries `hf_oauth: true` so HF's OAuth integration
+        # is wired up at the Space level.
+        login_btn = gr.LoginButton()
         zip_in = gr.File(label="Submission ZIP", file_types=[".zip"])
-        submit_btn = gr.Button("Submit", variant="primary")
+        # Starts disabled; the `blocks.load` handler below flips it
+        # to interactive when an OAuthProfile is present.
+        submit_btn = gr.Button("Submit", variant="primary", interactive=False)
         # No static markdown output: handle_submit surfaces every
-        # status update via gr.Info / gr.Error toasts.
+        # status update via gr.Info / gr.Error toasts. The handler
+        # also reads `gr.OAuthProfile` implicitly via its parameter
+        # type annotation (Gradio's dependency-injection convention).
         submit_btn.click(fn=handle_submit, inputs=[zip_in])
 
     with gr.Tab("About"):
@@ -378,6 +404,12 @@ to publish the resulting row on the public leaderboard.
         outputs=[validated_view, unvalidated_view],
     )
 
+    # On page load, read the visitor's OAuth profile (None if not
+    # logged in) and flip the Submit button's interactivity. Runs once
+    # per page load; LoginButton clicks also re-trigger this through
+    # Gradio's auth-event plumbing.
+    blocks.load(fn=_enable_submit_when_logged_in, outputs=submit_btn)
+
 
 # Mount Gradio under a FastAPI parent so the custom proxy route
 # above lives at the same origin as the UI. Direct routes on `app`

requirements.txt

@@ -7,7 +7,9 @@
 # DABstep, bigcodebench) all run on this stack. Revisit once a
 # Gradio 6-compatible gradio_leaderboard ships AND the underlying
 # Dataframe-update bug is fixed upstream.
-gradio==5.50.0
+# OAuth extras (authlib + itsdangerous) are required by gr.LoginButton
+# + gr.OAuthProfile, which gate the Submit tab on HF login.
+gradio[oauth]==5.50.0
 gradio-leaderboard==0.0.14
 pandas>=2.0
 huggingface_hub>=0.27.0

submit.py

@@ -131,9 +131,18 @@ class _HubWriteError(Exception):
     """Raised when a Hub upload fails after validation succeeded."""
 
 
-def handle_submit(zip_file) -> None:
+def handle_submit(
+    zip_file, profile: gr.OAuthProfile | None,
+) -> None:
     """Validate a submission upload; surface progress + outcome via toasts.
 
+    Requires the user to be logged in via ``gr.LoginButton`` so the
+    row's ``hf_username`` is the canonical HF identity (not a
+    free-text claim). The submit button in :mod:`app` is disabled
+    until login completes; this function also raises ``gr.Error``
+    defensively if it's called without a profile so a UI mishap
+    can't write an anonymous row.
+
     Side-effect-only (returns ``None``): every status update lands in
     a ``gr.Info`` / ``gr.Error`` toast instead of a static markdown
     output below the button. Rejection paths raise ``gr.Error``,
@@ -147,9 +156,12 @@ def handle_submit(zip_file) -> None:
          the pending row + zip are on the Hub and the worker has
          been spawned.
 
-    On rejection (form-level, validation gate, dedup, or Hub write),
-    a single ``gr.Error`` toast carries the message; no second toast.
+    On rejection (login-missing, form-level, validation gate, dedup,
+    or Hub write), a single ``gr.Error`` toast carries the message;
+    no second toast.
     """
+    if profile is None:
+        raise gr.Error("Please log in via the HF button before submitting.")
     form_err = _validate_form(zip_file)
     if form_err is not None:
         raise gr.Error(form_err)
@@ -191,7 +203,8 @@ def handle_submit(zip_file) -> None:
         try:
             blob_url = _upload_submission_zip(submission_id, zip_path)
             row = _build_pending_row(
-                submission_id, meta, blob_url, zip_sha256
+                submission_id, meta, blob_url, zip_sha256,
+                hf_username=profile.username,
             )
             _append_pending_row(row)
         except _HubWriteError as e:
@@ -406,6 +419,7 @@ def _build_pending_row(
     meta: dict[str, Any],
     blob_url: str,
     submission_sha256: str,
+    hf_username: str | None = None,
 ) -> dict[str, Any]:
     """Construct the JSON row written for a freshly-queued submission.
 
@@ -416,9 +430,11 @@ def _build_pending_row(
 
     Validation-tier fields default per the validation-policy decision
     doc: ``validation_status: "unvalidated"`` (maintainers promote
-    post-eval), ``validation_method: None``. ``hf_username`` is also
-    ``None`` here; C10 wires it through from ``gr.OAuthProfile`` once
-    the LoginButton lands.
+    post-eval), ``validation_method: None``. ``hf_username`` defaults
+    to ``None``; callers post-OAuth pass ``profile.username`` so the
+    row carries the canonical HF identity. Pre-OAuth-era rows
+    (anything written before C10 landed) and any test paths that
+    don't supply the kwarg keep ``null``.
     """
     return {
         "submission_id": submission_id,
@@ -441,7 +457,7 @@ def _build_pending_row(
         "submission_sha256": submission_sha256,
         "validation_status": "unvalidated",
         "validation_method": None,
-        "hf_username": None,
+        "hf_username": hf_username,
     }
 
 

tests/test_submit.py

@@ -52,6 +52,42 @@ def test_pending_row_preserves_sha256(monkeypatch):
     assert row["submission_sha256"] == expected_hash
 
 
+def test_pending_row_populates_hf_username_when_provided(monkeypatch):
+    """C10 OAuth path: profile.username flows into the row's hf_username.
+
+    The submit handler reads ``gr.OAuthProfile`` (injected by Gradio)
+    and passes ``profile.username`` through as a kwarg. This test
+    exercises just the row builder's side of that handoff so a
+    refactor that drops the kwarg gets caught.
+    """
+    monkeypatch.setattr(submit, "_resolve_data_revision", lambda: "test-rev")
+    row = submit._build_pending_row(
+        submission_id="sub-test-x",
+        meta=_stub_meta(),
+        blob_url="https://huggingface.co/datasets/example/sub-test-x.zip",
+        submission_sha256="a" * 64,
+        hf_username="alice",
+    )
+    assert row["hf_username"] == "alice"
+
+
+def test_pending_row_hf_username_defaults_to_none(monkeypatch):
+    """Omitting the kwarg keeps `hf_username` null.
+
+    Covers the pre-OAuth callers (test fixtures, scripts) that don't
+    have a profile in scope. Pre-C10 row writers and any future
+    non-OAuth caller default cleanly.
+    """
+    monkeypatch.setattr(submit, "_resolve_data_revision", lambda: "test-rev")
+    row = submit._build_pending_row(
+        submission_id="sub-test-x",
+        meta=_stub_meta(),
+        blob_url="https://huggingface.co/datasets/example/sub-test-x.zip",
+        submission_sha256="a" * 64,
+    )
+    assert row["hf_username"] is None
+
+
 def test_pending_row_preserves_existing_metadata(monkeypatch):
     """Pre-Bundle-1+2 fields keep their values from meta + args.