PiCloud

fabi/PiCloud

Fork 0

Commit Graph

Author	SHA1	Message	Date
MechaCat02	2aab92af31	style: cargo fmt across Phase 3.5 changes Pure formatting pass — no behavior changes. Catches the line-wrapping drift across the new authz / api_keys / middleware / handler edits that piled up during the implementation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-26 22:21:37 +02:00
MechaCat02	8659a58eb2	feat(manager-core,picloud): api_keys_api + deactivation cascade * auth: generate_api_key() mints pic_<base32(32 bytes)>, splits the indexed 8-char prefix, and Argon2-hashes the body. Adds the data-encoding workspace dep for unpadded base32. * api_keys_api: POST /api/v1/admin/api-keys (mint, returns raw_token exactly once), GET (caller's own, no raw), DELETE {id} (caller's own; 404 deliberately covers both 'missing' and 'not yours'). Mint validation rejects bound keys carrying instance:* scopes (422). * AdminsState gains the api keys repo; PATCH set_active(false) now expires every active key for that user alongside session wipe — Phase 3.5 deactivation symmetry. * picloud lib wires PostgresApiKeyRepository through AuthDeps into AdminsState + ApiKeysState; api_keys_router merges into the guarded_admin layer. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-26 22:00:33 +02:00
MechaCat02	6891496589	feat(manager-core): admin auth gate (Phase 3a) Closes the regression risk of the admin API and dashboard being open to anyone reaching the bound port. Required foundation before v1.1 data-plane services land. Per-user accounts (admin_users), Argon2id passwords, env-var bootstrap of the first admin that becomes inert once any admin exists, opaque 32-byte session token doubling as bearer credential, 24h sliding TTL configurable via PICLOUD_SESSION_TTL_HOURS. is_active column lets admins be deactivated without losing audit history; last-active-admin guard on DELETE and on PATCH that flips is_active to false (sessions also wiped on deactivation). require_admin middleware fronts every /api/v1/admin/* route. The data plane (/api/v1/execute/{id}), /healthz, /version, and user routes stay open. picloud admin reset-password <username> subcommand handles recovery without going through HTTP. Dashboard gains /admin/login and /admin/admins surfaces, a top-bar user menu, and a token store with a localStorage echo so refreshes don't sign you out. Cookie-based auth works in parallel for non-SPA clients. Forward compatibility: future RBAC tables (admin_roles, admin_user_roles) join on admin_users.id; the auth middleware is the seam where role checks slot in. Email, 2FA, passkeys, and personal API tokens are all additive without touching admin_users. Blueprint §11.4 updated to reflect what actually shipped. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-25 19:30:25 +02:00

Author

SHA1

Message

Date

MechaCat02

2aab92af31

style: cargo fmt across Phase 3.5 changes

Pure formatting pass — no behavior changes. Catches the line-wrapping
drift across the new authz / api_keys / middleware / handler edits
that piled up during the implementation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-26 22:21:37 +02:00

MechaCat02

8659a58eb2

feat(manager-core,picloud): api_keys_api + deactivation cascade

* auth: generate_api_key() mints pic_<base32(32 bytes)>, splits the
  indexed 8-char prefix, and Argon2-hashes the body. Adds the
  data-encoding workspace dep for unpadded base32.
* api_keys_api: POST /api/v1/admin/api-keys (mint, returns raw_token
  exactly once), GET (caller's own, no raw), DELETE {id} (caller's
  own; 404 deliberately covers both 'missing' and 'not yours').
  Mint validation rejects bound keys carrying instance:* scopes (422).
* AdminsState gains the api keys repo; PATCH set_active(false) now
  expires every active key for that user alongside session wipe —
  Phase 3.5 deactivation symmetry.
* picloud lib wires PostgresApiKeyRepository through AuthDeps into
  AdminsState + ApiKeysState; api_keys_router merges into the
  guarded_admin layer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-26 22:00:33 +02:00

MechaCat02

6891496589

feat(manager-core): admin auth gate (Phase 3a)

Closes the regression risk of the admin API and dashboard being open
to anyone reaching the bound port. Required foundation before v1.1
data-plane services land.

Per-user accounts (admin_users), Argon2id passwords, env-var bootstrap
of the first admin that becomes inert once any admin exists, opaque
32-byte session token doubling as bearer credential, 24h sliding TTL
configurable via PICLOUD_SESSION_TTL_HOURS. is_active column lets
admins be deactivated without losing audit history; last-active-admin
guard on DELETE and on PATCH that flips is_active to false (sessions
also wiped on deactivation).

require_admin middleware fronts every /api/v1/admin/* route. The data
plane (/api/v1/execute/{id}), /healthz, /version, and user routes
stay open. picloud admin reset-password <username> subcommand handles
recovery without going through HTTP.

Dashboard gains /admin/login and /admin/admins surfaces, a top-bar
user menu, and a token store with a localStorage echo so refreshes
don't sign you out. Cookie-based auth works in parallel for non-SPA
clients.

Forward compatibility: future RBAC tables (admin_roles,
admin_user_roles) join on admin_users.id; the auth middleware is the
seam where role checks slot in. Email, 2FA, passkeys, and personal
API tokens are all additive without touching admin_users.

Blueprint §11.4 updated to reflect what actually shipped.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-25 19:30:25 +02:00

3 Commits