app: admin tab as a multi-select table with delete

replaces the single-row dropdown with an editable table: one row per
submission, a leading select checkbox the only editable column, the
rest read-only context. promote, demote and delete now act on every
ticked row at once. promote applies the chosen validation_method to the
whole selection. delete sits in a danger-zone accordion behind a
confirm checkbox that arms the button, and clears companion artifacts
plus the row. a live count line reports how many rows are selected.

app.py

@@ -25,6 +25,8 @@ from gradio_leaderboard import Leaderboard
 from huggingface_hub import hf_hub_download
 
 from leaderboard import (
+    ADMIN_COLUMNS,
+    ADMIN_SELECT_COL,
     HF_DATA_REPO,
     HF_SUBMISSIONS_REPO,
     LEADERBOARD_DATATYPES,
@@ -32,9 +34,16 @@ from leaderboard import (
     VALIDATED_LEADERBOARD_DATATYPES,
     _fmt_timestamp,
     build_combined_csv,
+    load_admin_table,
     load_leaderboard_split,
 )
-from admin import VALID_METHODS, demote_row, is_admin, promote_row
+from admin import (
+    VALID_METHODS,
+    delete_rows,
+    demote_rows,
+    is_admin,
+    promote_rows,
+)
 from submit import handle_submit
 
 logger = logging.getLogger(__name__)
@@ -156,111 +165,138 @@ def _enable_submit_when_logged_in(
     return gr.Button(interactive=profile is not None)
 
 
-def _choices_from_split(
-    validated: pd.DataFrame | None,
-    unvalidated: pd.DataFrame | None,
-) -> list[tuple[str, str]]:
-    """Build the admin dropdown's ``(label, submission_id)`` choice list.
-
-    Lists unvalidated rows first (the common promote target), then
-    validated rows. Each label is tagged with its current tier so the
-    admin can tell which direction a button press moves the row.
-    """
-    choices: list[tuple[str, str]] = []
-    for df, tier in ((unvalidated, "unvalidated"), (validated, "validated")):
-        if df is None or "submission_id" not in df.columns:
-            continue
-        for sid in df["submission_id"].tolist():
-            if sid:
-                choices.append((f"{sid}  ({tier})", str(sid)))
-    return choices
+def _selected_ids(table_df: pd.DataFrame | None) -> list[str]:
+    """Submission ids of the rows whose ``select`` checkbox is ticked."""
+    if (
+        table_df is None
+        or len(table_df) == 0
+        or ADMIN_SELECT_COL not in table_df.columns
+        or "submission_id" not in table_df.columns
+    ):
+        return []
+    mask = table_df[ADMIN_SELECT_COL].apply(bool)
+    return [str(s) for s in table_df.loc[mask, "submission_id"].tolist() if s]
 
 
-def _admin_row_choices() -> list[tuple[str, str]]:
-    """Fresh choice list pulled from the current results split."""
-    return _choices_from_split(*load_leaderboard_split())
+def _admin_selection_status(table_df: pd.DataFrame | None) -> str:
+    """Live count line under the admin table, updated as boxes are ticked."""
+    n = len(_selected_ids(table_df))
+    return f"**{n}** row(s) selected." if n else "_No rows selected._"
 
 
 def _gate_admin_controls(
     profile: gr.OAuthProfile | None,
-) -> tuple[gr.Dropdown, gr.Radio, gr.Button, gr.Button, str]:
+) -> tuple[gr.Dataframe, gr.Radio, gr.Button, gr.Button, gr.Checkbox, gr.Button, str]:
     """Enable the admin controls only for a logged-in user in the admin set.
 
     Runs on every page load and re-runs on LoginButton auth events.
-    Logged-out visitors and non-admins see the tab but every control
-    stays disabled, mirroring the server-side gate in the promote /
-    demote handlers (which raise ``gr.Error`` if invoked without admin
-    rights).
+    Non-admins and logged-out visitors get the tab with the table
+    read-only and every control disabled, mirroring the server-side
+    re-check in each handler. The delete button always loads disarmed:
+    it only enables once the confirm checkbox is ticked.
     """
     admin = is_admin(profile)
     if profile is None:
         status = "Log in with an admin account to enable the controls below."
     elif admin:
-        status = f"Signed in as `{profile.username}`. Promotion controls enabled."
+        status = f"Signed in as `{profile.username}`. Admin controls enabled."
     else:
         status = (
             f"Signed in as `{profile.username}`, which is not in the admin "
             "set. Controls are disabled."
         )
     return (
-        gr.Dropdown(interactive=admin),
+        gr.Dataframe(interactive=admin),
         gr.Radio(interactive=admin),
         gr.Button(interactive=admin),
         gr.Button(interactive=admin),
+        gr.Checkbox(interactive=admin, value=False),
+        gr.Button(interactive=False),
         status,
     )
 
 
+def _arm_delete(
+    confirm: bool, profile: gr.OAuthProfile | None,
+) -> gr.Button:
+    """Enable the delete button only when an admin has ticked the confirm box."""
+    return gr.Button(interactive=bool(confirm) and is_admin(profile))
+
+
 def _admin_promote(
-    submission_id: str | None,
+    table_df: pd.DataFrame | None,
     method: str | None,
     profile: gr.OAuthProfile | None,
-) -> tuple[gr.Dropdown, pd.DataFrame, pd.DataFrame]:
-    """Promote the selected row, then refresh the dropdown + both tables.
+) -> tuple[pd.DataFrame, pd.DataFrame, pd.DataFrame]:
+    """Promote every ticked row, then refresh the admin table + both tiers.
 
     Re-checks :func:`admin.is_admin` server-side so a tampered client
-    that re-enables the button still can't write. Surfaces the outcome
-    via a toast; maps the helper's ``LookupError`` / ``ValueError`` to
-    a clean ``gr.Error``.
+    that re-enables the button still can't write.
     """
     if not is_admin(profile):
         raise gr.Error("You are not in the admin set.")
-    if not submission_id:
-        raise gr.Error("Select a submission first.")
+    ids = _selected_ids(table_df)
+    if not ids:
+        raise gr.Error("Tick at least one row first.")
     if not method:
-        raise gr.Error("Select a validation method first.")
+        raise gr.Error("Pick a validation_method first.")
     try:
-        promote_row(submission_id, method)
+        promote_rows(ids, method)
     except (LookupError, ValueError) as e:
         raise gr.Error(str(e))
-    gr.Info(f"Promoted {submission_id} to validated ({method}).")
+    gr.Info(f"Promoted {len(ids)} row(s) to validated ({method}).")
     validated, unvalidated = load_leaderboard_split()
-    return (
-        gr.Dropdown(choices=_choices_from_split(validated, unvalidated)),
-        validated,
-        unvalidated,
-    )
+    return load_admin_table(), validated, unvalidated
 
 
 def _admin_demote(
-    submission_id: str | None,
+    table_df: pd.DataFrame | None,
+    profile: gr.OAuthProfile | None,
+) -> tuple[pd.DataFrame, pd.DataFrame, pd.DataFrame]:
+    """Demote every ticked row, then refresh the admin table + both tiers."""
+    if not is_admin(profile):
+        raise gr.Error("You are not in the admin set.")
+    ids = _selected_ids(table_df)
+    if not ids:
+        raise gr.Error("Tick at least one row first.")
+    try:
+        demote_rows(ids)
+    except (LookupError, ValueError) as e:
+        raise gr.Error(str(e))
+    gr.Info(f"Demoted {len(ids)} row(s) to unvalidated.")
+    validated, unvalidated = load_leaderboard_split()
+    return load_admin_table(), validated, unvalidated
+
+
+def _admin_delete(
+    table_df: pd.DataFrame | None,
+    confirm: bool,
     profile: gr.OAuthProfile | None,
-) -> tuple[gr.Dropdown, pd.DataFrame, pd.DataFrame]:
-    """Demote the selected row, then refresh the dropdown + both tables."""
+) -> tuple[pd.DataFrame, pd.DataFrame, pd.DataFrame, gr.Checkbox, gr.Button]:
+    """Delete every ticked row (artifacts + row), then refresh and disarm.
+
+    Resets the confirm checkbox and re-disables the delete button on
+    the way out so the next deletion needs a fresh, deliberate confirm.
+    """
     if not is_admin(profile):
         raise gr.Error("You are not in the admin set.")
-    if not submission_id:
-        raise gr.Error("Select a submission first.")
+    if not confirm:
+        raise gr.Error("Tick the confirmation box to enable delete.")
+    ids = _selected_ids(table_df)
+    if not ids:
+        raise gr.Error("Tick at least one row first.")
     try:
-        demote_row(submission_id)
-    except LookupError as e:
+        delete_rows(ids)
+    except ValueError as e:
         raise gr.Error(str(e))
-    gr.Info(f"Demoted {submission_id} to unvalidated.")
+    gr.Info(f"Deleted {len(ids)} submission(s).")
     validated, unvalidated = load_leaderboard_split()
     return (
-        gr.Dropdown(choices=_choices_from_split(validated, unvalidated)),
+        load_admin_table(),
         validated,
         unvalidated,
+        gr.Checkbox(value=False),
+        gr.Button(interactive=False),
     )
 
 
@@ -488,30 +524,40 @@ to publish the resulting row on the public leaderboard.
         gr.Markdown(ABOUT_MD)
 
     with gr.Tab("Admin"):
-        # Maintainer-only promotion controls. The tab is visible to
-        # everyone (a hint that the path exists); the controls are
-        # gated to OAuth users in the CADGENBENCH_ADMINS set via the
-        # `blocks.load` handler below + a server-side re-check in the
-        # promote / demote handlers. See decisions/validation-policy.md.
+        # Maintainer-only controls. The tab is visible to everyone (a
+        # hint the path exists); the table + buttons are gated to OAuth
+        # users in the CADGENBENCH_ADMINS set via the `blocks.load`
+        # handler below + a server-side re-check in every handler. See
+        # decisions/validation-policy.md.
         gr.Markdown(
             "## Admin\n"
-            "Promote a submission into the **Validated** table (recording the "
-            "evidence type) or demote it back to **Unvalidated**. Limited to "
-            "maintainers in the admin set; everyone else sees the tab with the "
-            "controls disabled."
+            "Tick rows in the **select** column, then promote them into the "
+            "**Validated** tier (recording an evidence type), demote them back "
+            "to **Unvalidated**, or delete them. Actions apply to every ticked "
+            "row at once. Limited to maintainers in the admin set; everyone "
+            "else sees the tab with the controls disabled."
         )
         admin_login_btn = gr.LoginButton()
         admin_status = gr.Markdown(
             "Log in with an admin account to enable the controls below."
         )
-        admin_submission_dd = gr.Dropdown(
-            choices=_choices_from_split(initial_validated, initial_unvalidated),
-            label="Submission",
+        # Only the leading `select` column is editable; the rest is
+        # read-only context. Click-to-tick drives every action below.
+        admin_table = gr.Dataframe(
+            value=load_admin_table(),
+            datatype=[
+                "bool", "str", "str", "str", "str", "str", "str", "number",
+                "str",
+            ],
+            static_columns=list(range(1, len(ADMIN_COLUMNS))),
             interactive=False,
+            label="Submissions (tick select to choose rows)",
+            wrap=True,
         )
+        admin_selection_md = gr.Markdown("_No rows selected._")
         admin_method_radio = gr.Radio(
             choices=list(VALID_METHODS),
-            label="validation_method (required to promote)",
+            label="validation_method (applied to all rows on promote)",
             interactive=False,
         )
         with gr.Row():
@@ -519,22 +565,52 @@ to publish the resulting row on the public leaderboard.
                 "Mark validated", variant="primary", interactive=False,
             )
             demote_btn = gr.Button("Mark unvalidated", interactive=False)
-        admin_refresh_btn = gr.Button("Refresh list", size="sm")
+        with gr.Accordion("Danger zone: delete", open=False):
+            gr.Markdown(
+                "Permanently deletes the ticked rows **and** their uploaded "
+                "zip + report files from the submissions dataset. This cannot "
+                "be undone (only a manual revert of the dataset commit)."
+            )
+            delete_confirm = gr.Checkbox(
+                label=(
+                    "I understand this permanently deletes the selected "
+                    "submissions and their files."
+                ),
+                value=False,
+                interactive=False,
+            )
+            delete_btn = gr.Button(
+                "Delete selected", variant="stop", interactive=False,
+            )
+        admin_refresh_btn = gr.Button("Refresh", size="sm")
 
+        admin_table.change(
+            fn=_admin_selection_status,
+            inputs=admin_table,
+            outputs=admin_selection_md,
+        )
         promote_btn.click(
             fn=_admin_promote,
-            inputs=[admin_submission_dd, admin_method_radio],
-            outputs=[admin_submission_dd, validated_view, unvalidated_view],
+            inputs=[admin_table, admin_method_radio],
+            outputs=[admin_table, validated_view, unvalidated_view],
         )
         demote_btn.click(
             fn=_admin_demote,
-            inputs=[admin_submission_dd],
-            outputs=[admin_submission_dd, validated_view, unvalidated_view],
+            inputs=[admin_table],
+            outputs=[admin_table, validated_view, unvalidated_view],
+        )
+        delete_confirm.change(
+            fn=_arm_delete, inputs=[delete_confirm], outputs=delete_btn,
         )
-        admin_refresh_btn.click(
-            fn=lambda: gr.Dropdown(choices=_admin_row_choices()),
-            outputs=admin_submission_dd,
+        delete_btn.click(
+            fn=_admin_delete,
+            inputs=[admin_table, delete_confirm],
+            outputs=[
+                admin_table, validated_view, unvalidated_view,
+                delete_confirm, delete_btn,
+            ],
         )
+        admin_refresh_btn.click(fn=load_admin_table, outputs=admin_table)
 
     # gradio_leaderboard.Leaderboard handles its own update path
     # cleanly; bind a Timer to push fresh dataframes every 10 seconds.
@@ -558,10 +634,12 @@ to publish the resulting row on the public leaderboard.
     blocks.load(
         fn=_gate_admin_controls,
         outputs=[
-            admin_submission_dd,
+            admin_table,
             admin_method_radio,
             promote_btn,
             demote_btn,
+            delete_confirm,
+            delete_btn,
             admin_status,
         ],
     )