HarborForge.Backend

zhi/HarborForge.Backend

Fork 0

Commit Graph

Author	SHA1	Message	Date
hzhang	01f6b562e1	fix(bootstrap): seed 3 perms used in code but missing from catalog Audit cross-referenced every check_permission / _has_permission / _has_global_permission / _require_calendar_permission call against init_bootstrap.DEFAULT_PERMISSIONS. Three were enforced in code but never seeded, so the Role Editor couldn't expose them: - member.remove (projects.py:357 — remove project member) - schedule_type.read (schedule_type.py + schedule_type_special_slot.py) - schedule_type.manage (schedule_type.py + schedule_type_special_slot.py) Seed only — default roles are NOT modified (admin still gets everything via the "None = all perms" rule). Operators can grant via Role Editor. Other audit notes (not fixed in this commit, separate decisions): - GET /projects + GET /projects/{id}/members are completely unauthed (no Depends(get_current_user_or_apikey)). Anonymous can list all projects. Investigate whether this is deliberate (e.g. for monitor external scrape) or an oversight. - create_project hardcodes `if not current_user.is_admin: 403 "Only admins can create projects"` — doesn't consult permissions at all. Means manager-role users can't create projects even if they have project.write or hypothetical project.create. Consider switching to a perm-based gate. - Several catalog perms (project., task.create/read/write/delete, milestone.) are seeded but never checked in code; basic CRUD on task/project/milestone/comment is gated via the parallel check_project_role (viewer/member/dev/mgr ladder) instead. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 21:18:30 +01:00
hzhang	595391b41b	feat(users): auto-default agent accounts to general-agent role Previously every account created via POST /users without an explicit role_id fell through to the `guest` role. Recruitment workflow creates HF accounts for newly-onboarded agents with --agent-id/--claw-identifier set, so we can detect "this is an agent" at the backend boundary and pick a more appropriate default: payload.agent_id set → general-agent (guest reads + reset-self-apikey) payload.agent_id unset → guest (human users keep current behavior) Also adds `general-agent` to init_bootstrap.py's _DEFAULT_ROLES so fresh deployments seed it on first boot — the role already existed on prod (created via UI earlier); this is for re-seedability / new envs. No ClawSkills script changes required: the onboard script already calls `hf user create --agent-id <id> --claw-identifier <claw>`. The recruitment workflow.md is updated to note the new default. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 19:38:06 +01:00
hzhang	5ea2cdfc9e	feat(backend)!: kill AbstractWizard, env-driven config + hf-cli Drops the AbstractWizard config-volume bootstrap entirely. All deploy-time config now comes from docker env vars (.env). First-deploy admin user + OIDC provider config are operator-driven via `docker exec hf_backend hf-cli ...`. Backend changes: - entrypoint.sh: drop config-wait loop, just exec uvicorn - app/core/config.py: drop _resolve_db_url + OIDC_* env vars (DB only now); keep HARBORFORGE_OIDC_ONLY (deploy-time policy) - app/init_wizard.py → app/init_bootstrap.py: drop load_config / admin / OIDC / default-project bootstrap; keep idempotent startup seed (permissions, default roles, acc-mgr + deleted-user builtins) - app/main.py: /config/status now returns {initialized: <admin exists>}; startup() imports init_bootstrap.run_bootstrap - app/api/routers/oidc.py: get_effective_oidc reads DB only (no env fallback) - app/services/harborforge_config.py: removed (replaced by direct env reads) - app/services/discord_wakeup.py: HF_DISCORD_GUILD_ID / HF_DISCORD_BOT_TOKEN env - app/api/routers/users.py + tests/conftest.py: rename init_wizard refs New hf-cli surface (app/cli/, invoked via /usr/local/bin/hf-cli shim): hf-cli admin create-user --email <e> [--username <u>] [--password <p>] [--oidc-issuer <url> --oidc-subject <sub>] hf-cli admin list hf-cli admin set-role --username <u> --role <admin\|mgr\|dev\|guest\|account-manager> hf-cli admin reset-password --username <u> --password <p> hf-cli admin bind-oidc --username <u> --oidc-issuer <url> --oidc-subject <sub> hf-cli config oidc [--issuer/...] [--client-id/...] [--client-secret/...] [--redirect-uri/...] [--enabled true\|false] [--show-secret] Bootstrap migration on existing deployments: existing admin / OIDC settings in the DB are preserved across the cutover; only the wizard config-volume + wizard sidecar services need to be removed from compose. Restart picks up the new entrypoint + skips the config wait. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 19:01:37 +01:00

Author

SHA1

Message

Date

hzhang

01f6b562e1

fix(bootstrap): seed 3 perms used in code but missing from catalog

Audit cross-referenced every check_permission / _has_permission /
_has_global_permission / _require_calendar_permission call against
init_bootstrap.DEFAULT_PERMISSIONS. Three were enforced in code but
never seeded, so the Role Editor couldn't expose them:

  - member.remove        (projects.py:357 — remove project member)
  - schedule_type.read   (schedule_type.py + schedule_type_special_slot.py)
  - schedule_type.manage (schedule_type.py + schedule_type_special_slot.py)

Seed only — default roles are NOT modified (admin still gets everything
via the "None = all perms" rule). Operators can grant via Role Editor.

Other audit notes (not fixed in this commit, separate decisions):
- GET /projects + GET /projects/{id}/members are completely unauthed
  (no Depends(get_current_user_or_apikey)). Anonymous can list all
  projects. Investigate whether this is deliberate (e.g. for monitor
  external scrape) or an oversight.
- create_project hardcodes `if not current_user.is_admin: 403 "Only
  admins can create projects"` — doesn't consult permissions at all.
  Means manager-role users can't create projects even if they have
  project.write or hypothetical project.create. Consider switching
  to a perm-based gate.
- Several catalog perms (project.*, task.create/read/write/delete,
  milestone.*) are seeded but never checked in code; basic CRUD on
  task/project/milestone/comment is gated via the parallel
  check_project_role (viewer/member/dev/mgr ladder) instead.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-24 21:18:30 +01:00

hzhang

595391b41b

feat(users): auto-default agent accounts to general-agent role

Previously every account created via POST /users without an explicit
role_id fell through to the `guest` role. Recruitment workflow creates
HF accounts for newly-onboarded agents with --agent-id/--claw-identifier
set, so we can detect "this is an agent" at the backend boundary and pick
a more appropriate default:

  payload.agent_id  set  → general-agent (guest reads + reset-self-apikey)
  payload.agent_id  unset → guest        (human users keep current behavior)

Also adds `general-agent` to init_bootstrap.py's _DEFAULT_ROLES so fresh
deployments seed it on first boot — the role already existed on prod
(created via UI earlier); this is for re-seedability / new envs.

No ClawSkills script changes required: the onboard script already calls
`hf user create --agent-id <id> --claw-identifier <claw>`. The recruitment
workflow.md is updated to note the new default.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-24 19:38:06 +01:00

hzhang

5ea2cdfc9e

feat(backend)!: kill AbstractWizard, env-driven config + hf-cli

Drops the AbstractWizard config-volume bootstrap entirely. All deploy-time
config now comes from docker env vars (.env). First-deploy admin user + OIDC
provider config are operator-driven via `docker exec hf_backend hf-cli ...`.

Backend changes:
- entrypoint.sh: drop config-wait loop, just exec uvicorn
- app/core/config.py: drop _resolve_db_url + OIDC_* env vars (DB only now);
  keep HARBORFORGE_OIDC_ONLY (deploy-time policy)
- app/init_wizard.py → app/init_bootstrap.py: drop load_config / admin / OIDC /
  default-project bootstrap; keep idempotent startup seed (permissions,
  default roles, acc-mgr + deleted-user builtins)
- app/main.py: /config/status now returns {initialized: <admin exists>};
  startup() imports init_bootstrap.run_bootstrap
- app/api/routers/oidc.py: get_effective_oidc reads DB only (no env fallback)
- app/services/harborforge_config.py: removed (replaced by direct env reads)
- app/services/discord_wakeup.py: HF_DISCORD_GUILD_ID / HF_DISCORD_BOT_TOKEN env
- app/api/routers/users.py + tests/conftest.py: rename init_wizard refs

New hf-cli surface (app/cli/, invoked via /usr/local/bin/hf-cli shim):
  hf-cli admin create-user --email <e> [--username <u>] [--password <p>]
                            [--oidc-issuer <url> --oidc-subject <sub>]
  hf-cli admin list
  hf-cli admin set-role --username <u> --role <admin|mgr|dev|guest|account-manager>
  hf-cli admin reset-password --username <u> --password <p>
  hf-cli admin bind-oidc --username <u> --oidc-issuer <url> --oidc-subject <sub>
  hf-cli config oidc [--issuer/...] [--client-id/...] [--client-secret/...]
                     [--redirect-uri/...] [--enabled true|false] [--show-secret]

Bootstrap migration on existing deployments: existing admin / OIDC settings
in the DB are preserved across the cutover; only the wizard config-volume
+ wizard sidecar services need to be removed from compose. Restart picks
up the new entrypoint + skips the config wait.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-24 19:01:37 +01:00

3 Commits