Merge security/critical-auth-fixes into main

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Dockerfile

@@ -1,25 +1,46 @@
-FROM python:3.11-slim
+# Stage 1: build dependencies
+FROM python:3.11-slim AS builder
 
 WORKDIR /app
 
-# Install system dependencies
+# Install build dependencies
 RUN apt-get update && apt-get install -y \
     build-essential \
-    curl \
     default-libmysqlclient-dev \
     pkg-config \
     && rm -rf /var/lib/apt/lists/*
 
+# Pre-download wheels to avoid recompiling bcrypt from source
+RUN pip install --no-cache-dir --prefix=/install \
+    'bcrypt==4.0.1' \
+    'cffi>=2.0' \
+    'pycparser>=2.0'
+
 # Install Python dependencies
 COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
+RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
+
+# Stage 2: slim runtime
+FROM python:3.11-slim
+
+WORKDIR /app
+
+# Install runtime dependencies only (no build tools)
+RUN apt-get update && apt-get install -y \
+    default-libmysqlclient-dev \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Copy installed packages from builder
+COPY --from=builder /install /usr/local
 
 # Copy application code
-COPY . .
+COPY app/ ./app/
+COPY requirements.txt ./
+
+# Make entrypoint
+COPY entrypoint.sh .
 RUN chmod +x entrypoint.sh
 
-# Expose port
 EXPOSE 8000
-
-# Wait for wizard config, then start uvicorn
 ENTRYPOINT ["./entrypoint.sh"]

README.md

@@ -1,100 +1,163 @@
 # HarborForge Backend
 
-Agent/人类协同任务管理平台 - FastAPI 后端
+The core REST API for HarborForge — an Agent/人类协同任务管理平台 (Agent/Human collaborative task-management platform).
 
-## API Endpoints (38)
+Part of the [HarborForge](../README.md) platform.
 
-### Auth
-- `POST /auth/token` - 登录获取 JWT token
-- `GET /auth/me` - 获取当前用户信息
+- **Role:** core REST API — users, projects, tasks, milestones, proposals, RBAC, webhooks, worklogs, notifications, monitor telemetry.
+- **Stack:** Python 3.11 · FastAPI · SQLAlchemy · MySQL
+- **Port:** `8000`
 
-### Issues
+The service reads its database configuration from the AbstractWizard config volume (falling back to env/defaults) and authenticates requests with JWT (HS256) signed by `SECRET_KEY`.
 
-> Issues 和 Search 列表接口返回分页格式：`{items, total, page, page_size, total_pages}`
-> Issues 支持排序参数：`sort_by` (created_at/priority/title/due_date/status), `sort_order` (asc/desc)
-> Issues 支持额外过滤：`assignee_id`, `tag`
+## Run / Build
 
+### Docker
 
-> Issues 和 Search 列表接口返回分页格式：
-> Issues 支持排序参数： (created_at/priority/title/due_date/status),  (asc/desc)
-> Issues 支持额外过滤：, 
-- `POST /issues` - 创建 issue（支持 resolution 决议案类型）
-- `GET /issues` - 列表（分页、排序、按 assignee/tag 过滤）（支持按 project/status/type 过滤）
-- `GET /issues/{id}` - 详情
-- `PATCH /issues/{id}` - 更新
-- `DELETE /issues/{id}` - 删除
-- `POST /issues/{id}/transition` - 状态变更（触发 webhook）
-- `GET /search/issues?q=keyword` - 搜索
+```bash
+docker build -t harborforge-backend .
+docker run -p 8000:8000 \
+  -e SECRET_KEY="$(openssl rand -hex 32)" \
+  -v /path/to/config:/config \
+  harborforge-backend
+```
 
-### Comments
-- `POST /comments` - 创建评论
-- `GET /issues/{id}/comments` - 列表
-- `PATCH /comments/{id}` - 更新
-- `DELETE /comments/{id}` - 删除
+### Local (uvicorn)
 
-### Projects
-- `POST /projects` - 创建
-- `GET /projects` - 列表
-- `GET /projects/{id}` - 详情
-- `PATCH /projects/{id}` - 更新
-- `DELETE /projects/{id}` - 删除
+```bash
+pip install -r requirements.txt
+export SECRET_KEY="$(openssl rand -hex 32)"
+uvicorn app.main:app --host 0.0.0.0 --port 8000
+```
 
-### Project Members
-- `POST /projects/{id}/members` - 添加成员
-- `GET /projects/{id}/members` - 列表
-- `DELETE /projects/{id}/members/{user_id}` - 移除
+On startup the app creates/migrates the schema, runs AbstractWizard
+initialization (admin user, default project, default roles), and starts a
+background monitor-polling thread.
 
-### Users
-- `POST /users` - 注册
-- `GET /users` - 列表
-- `GET /users/{id}` - 详情
-- `PATCH /users/{id}` - 更新
+## Configuration
 
-### Webhooks
-- `POST /webhooks` - 创建
-- `GET /webhooks` - 列表
-- `GET /webhooks/{id}` - 详情
-- `PATCH /webhooks/{id}` - 更新
-- `DELETE /webhooks/{id}` - 删除
-- `GET /webhooks/{id}/logs` - 投递日志
+Environment variables (also loadable from a `.env` file):
 
-### System
-- `GET /health` - 健康检查
-- `GET /version` - 版本信息
-- `GET /dashboard/stats` - 统计面板
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `SECRET_KEY` | *(none — must be set)* | JWT signing key (HS256). The server **refuses to start** with a weak/default/short value. |
+| `DATABASE_URL` | `mysql+pymysql://harborforge:harborforge_pass@mysql:3306/harborforge` | Fallback DB URL when the wizard config volume is absent. |
+| `ALGORITHM` | `HS256` | JWT algorithm. |
+| `ACCESS_TOKEN_EXPIRE_MINUTES` | `30` | Access-token lifetime. |
+| `LOG_LEVEL` | `INFO` | Log level. |
+| `CONFIG_DIR` | `/config` | AbstractWizard config volume directory. |
+| `CONFIG_FILE` | `harborforge.json` | Config file name within `CONFIG_DIR`. |
 
-### Milestones
-- `POST /milestones` - 创建里程碑
-- `GET /milestones` - 列表（支持按 project/status 过滤）
-- `GET /milestones/{id}` - 详情
-- `PATCH /milestones/{id}` - 更新
-- `DELETE /milestones/{id}` - 删除
-- `GET /milestones/{id}/issues` - 里程碑下的 issue 列表
-- `GET /milestones/{id}/progress` - 里程碑完成进度
+Database resolution order: **wizard config volume** (`$CONFIG_DIR/$CONFIG_FILE` → `database` block) → `DATABASE_URL` env → built-in default.
 
-### Notifications
-- `GET /notifications` - 列表（支持 user_id, unread_only 过滤）
-- `GET /notifications/count` - 未读通知计数
-- `POST /notifications/{id}/read` - 标记已读
-- `POST /notifications/read-all` - 全部标记已读
+## Security
 
-### Issue Assignment
-- `POST /issues/{id}/assign` - 指派 issue（自动发送通知）
+The current code enforces the following security posture. These are
+operational requirements, not optional hardening.
 
-### Webhook Retry
-- `POST /webhooks/{id}/retry/{log_id}` - 重试失败的 webhook 投递
+### Mandatory strong `SECRET_KEY`
 
-### Time Tracking (Work Logs)
-- `POST /worklogs` - 记录工时
-- `GET /issues/{id}/worklogs` - 某 issue 的工时记录
-- `GET /issues/{id}/worklogs/summary` - 某 issue 工时汇总
-- `GET /users/{id}/worklogs` - 某用户的工时记录
-- `DELETE /worklogs/{id}` - 删除工时记录
-- `GET /projects/{id}/worklogs/summary` - 项目工时汇总（按用户分组）
+`app/core/config.py` validates `SECRET_KEY` at import time and **raises and
+refuses to start** if the value is empty, shorter than 32 characters, or a
+known default/placeholder (e.g. `change-me-in-production`, `secret`,
+`changeme`). Operators **must** provide a strong random key:
 
-### Export
-- `GET /export/issues` - 导出 issues CSV
-- `GET /issues/overdue` - 逾期未完成的 issue
+```bash
+openssl rand -hex 32
+```
+
+A weak signing key allows JWT forgery and full authentication bypass, so this
+check is intentionally fatal.
+
+### API-key management is admin-only and masked
+
+The `/api-keys` endpoints (`POST`, `GET`, `DELETE /api-keys/{id}`) all require
+a global admin (`require_admin`). Listing **never returns the full secret** —
+keys are masked to a short prefix/suffix (e.g. `abc123…9f`). The full key is
+only returned once, on creation.
+
+### Webhooks router is admin-only with SSRF protection
+
+The entire `/webhooks` router is mounted with `dependencies=[Depends(require_admin)]`,
+so every webhook endpoint (create/list/get/update/delete/logs/retry) requires a
+global admin. Webhook delivery (`app/services/webhook.py`) validates the target
+URL before sending:
+
+- Only `http`/`https` schemes are allowed.
+- The host is DNS-resolved and **every** resolved address is rejected if it is
+  private, loopback, link-local, multicast, reserved, or unspecified
+  (SSRF protection).
+- HTTP redirects are disabled (`follow_redirects=False`).
+
+### Project role hierarchy enforcement
+
+`check_project_role` in `app/api/rbac.py` enforces a real, ordered role
+hierarchy rather than a flat membership check:
+
+```
+guest(0) < viewer(1) < member(2) < dev(3) < mgr(4) < admin(5)
+```
+
+A caller below the required rank is denied with `403`, and any unknown role on
+either side is denied by default. Global admins bypass project-level checks.
+
+### Authentication on previously open endpoints
+
+The following endpoints now require an authenticated caller
+(JWT bearer token **or** `X-API-Key`) and enforce ownership/permission:
+
+- `DELETE /milestones/{id}` — requires milestone-edit permission.
+- `POST /worklogs` — worklogs are always attributed to the caller; only admins
+  may log time for another user.
+- `DELETE /worklogs/{id}` — caller-scoped; non-admins cannot delete another
+  user's worklog.
+- `POST /tasks/{task_code}/assign` and `POST /tasks/batch/assign`.
+- `GET /activity`.
+- `GET /export/tasks`.
+
+## Authentication
+
+- `POST /auth/token` — OAuth2 password grant; returns a JWT bearer token.
+- Authenticated requests send `Authorization: Bearer <token>` **or**
+  `X-API-Key: <key>` (API keys map to a user and are created by admins).
+- `GET /auth/me` — current user.
+- `GET /auth/me/permissions`, `GET /auth/me/apikey-permissions` — permission introspection.
+
+## Key API Areas
+
+| Area | Prefix / Routes | Notes |
+|------|-----------------|-------|
+| Auth | `/auth/*` | token, current user, permission introspection |
+| Users | `/users` | registration, list/detail/update (list & mutate are admin-only) |
+| Projects | `/projects` | CRUD, members (`/projects/{id}/members`), worklog summary |
+| Project members | `/projects/{id}/members` | add/list/remove with role |
+| Milestones | `/projects/{id}/milestones`, `/milestones/{id}` | CRUD, items, progress |
+| Milestone actions | preflight / freeze / start / close | lifecycle transitions |
+| Tasks | `/tasks` | CRUD, transition, take, assign, batch transition/assign, tags, search |
+| Comments | `/comments`, `/tasks/{id}/comments` | CRUD |
+| Proposals | `/projects/{code}/proposals` | propose / accept / reject / reopen (legacy `/proposes`) |
+| Essentials | proposal essentials | feature/improvement/refactor items |
+| Meetings | `/meetings` | create/list/detail/update/delete/attend |
+| Roles & RBAC | `/roles` | roles, permissions, role-permission assignment |
+| Webhooks | `/webhooks` | **admin-only**; CRUD, logs, retry (SSRF-guarded delivery) |
+| API keys | `/api-keys` | **admin-only**; create/list (masked)/revoke |
+| Worklogs | `/worklogs`, `/tasks/{id}/worklogs`, `/users/{id}/worklogs` | time tracking & summaries |
+| Notifications | `/notifications` | list, unread count, mark read / read-all |
+| Activity | `/activity` | activity log (authenticated) |
+| Export | `/export/tasks` | CSV export (authenticated) |
+| Calendar | `/calendar` | scheduling / time slots |
+| Monitor | `/monitor` | public overview, admin providers/servers, heartbeat telemetry |
+| Dashboard | `/dashboard/stats` | aggregate statistics |
+| System | `/health`, `/version`, `/config/status` | health, version, init status |
+
+## Task Types
+
+| Type | 用途 |
+|------|------|
+| issue | 普通任务 |
+| story | 用户故事 |
+| test | 测试用例 |
+| resolution | 决议案（Agent 僵局提交）|
 
 ## CLI
 
@@ -102,18 +165,9 @@ The legacy Python CLI (`cli.py`) has been retired. Use the Go-based `hf` CLI ins
 
 See [HarborForge.Cli](../HarborForge.Cli/README.md) for installation and usage.
 
-## 技术栈
+## Tech Stack
 
 - Python 3.11 + FastAPI
-- SQLAlchemy + MySQL
-- JWT (python-jose)
+- SQLAlchemy + MySQL (auto schema create/migrate on startup)
+- JWT (python-jose, HS256) + bcrypt password hashing
 - Docker
-
-## Issue Types
-
-| Type | 用途 |
-|------|------|
-| task | 普通任务 |
-| story | 用户故事 |
-| test | 测试用例 |
-| resolution | 决议案（Agent 僵局提交）|

app/api/deps.py

@@ -76,3 +76,10 @@ async def get_current_user_or_apikey(
     if token:
         return await get_current_user(token=token, db=db)
     raise HTTPException(status_code=401, detail="Not authenticated")
+
+
+def require_admin(current_user: models.User = Depends(get_current_user_or_apikey)) -> models.User:
+    """Dependency: caller must be a global admin (JWT or API key)."""
+    if not getattr(current_user, "is_admin", False):
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin privileges required")
+    return current_user

app/api/rbac.py

@@ -81,12 +81,28 @@ def check_project_role(db: Session, user_id: int, project_id: int, min_role: str
             detail="Role not found"
         )
 
-    # Legacy compatibility: most current routes use non-hierarchical names like dev/mgr.
-    # For now, any valid membership passes those broad checks; strict edit rules are handled
-    # by the explicit can_edit_* helpers below.
-    if min_role in {"dev", "mgr", "viewer", "member", "guest", "admin"}:
-        return True
-
+    # Enforce a real role hierarchy. Higher rank == more privilege.
+    _RANK = {
+        "guest": 0,
+        "viewer": 1,
+        "member": 2,
+        "dev": 3,
+        "mgr": 4,
+        "admin": 5,
+    }
+    role_rank = _RANK.get((role.name or "").lower())
+    required_rank = _RANK.get((min_role or "member").lower())
+    if role_rank is None or required_rank is None:
+        # Unknown role on either side -> deny by default.
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"Insufficient project role (have '{role.name}', need '{min_role}')",
+        )
+    if role_rank < required_rank:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=f"Insufficient project role (have '{role.name}', need '{min_role}')",
+        )
     return True
 
 

app/api/routers/calendar.py

@@ -361,6 +361,62 @@ def agent_heartbeat(
     )
 
 
+@router.get(
+    "/sync",
+    summary="Sync today's schedules for all agents on a claw instance",
+)
+def sync_schedules(
+    x_claw_identifier: str = Header(..., alias="X-Claw-Identifier"),
+    db: Session = Depends(get_db),
+):
+    """Return today's slots for all agents belonging to the given claw instance.
+
+    Used by the HF OpenClaw plugin to maintain a local schedule cache.
+    Returns a dict of { agent_id: [slots] } for all agents with matching
+    claw_identifier.
+    """
+    today = date_type.today()
+
+    # Find all agents on this claw instance
+    agents = (
+        db.query(Agent)
+        .filter(Agent.claw_identifier == x_claw_identifier)
+        .all()
+    )
+
+    schedules: dict[str, list[dict]] = {}
+    for agent in agents:
+        # Get real slots for today
+        real_slots = (
+            db.query(TimeSlot)
+            .filter(
+                TimeSlot.user_id == agent.user_id,
+                TimeSlot.date == today,
+                TimeSlot.status.notin_(list(_INACTIVE_STATUSES)),
+            )
+            .all()
+        )
+        items = [_real_slot_to_item(s).model_dump(mode="json") for s in real_slots]
+
+        # Get virtual plan slots
+        virtual_slots = get_virtual_slots_for_date(db, agent.user_id, today)
+        for vs in virtual_slots:
+            items.append(_virtual_slot_to_item(vs).model_dump(mode="json"))
+
+        schedules[agent.agent_id] = items
+
+    # Record heartbeat for liveness
+    for agent in agents:
+        record_heartbeat(db, agent)
+    db.commit()
+
+    return {
+        "schedules": schedules,
+        "date": today.isoformat(),
+        "agent_count": len(agents),
+    }
+
+
 @router.patch(
     "/slots/{slot_id}/agent-update",
     response_model=TimeSlotEditResponse,

app/api/routers/misc.py

@@ -12,7 +12,7 @@ from sqlalchemy import func as sqlfunc
 from pydantic import BaseModel
 
 from app.core.config import get_db
-from app.api.deps import get_current_user_or_apikey
+from app.api.deps import get_current_user_or_apikey, require_admin
 from app.api.rbac import check_project_role, ensure_can_edit_milestone
 from app.models import models
 from app.models.apikey import APIKey
@@ -60,7 +60,8 @@ class APIKeyResponse(BaseModel):
 
 
 @router.post("/api-keys", response_model=APIKeyResponse, status_code=status.HTTP_201_CREATED, tags=["API Keys"])
-def create_api_key(data: APIKeyCreate, db: Session = Depends(get_db)):
+def create_api_key(data: APIKeyCreate, db: Session = Depends(get_db),
+                   _: models.User = Depends(require_admin)):
     user = db.query(models.User).filter(models.User.id == data.user_id).first()
     if not user:
         raise HTTPException(status_code=404, detail="User not found")
@@ -73,15 +74,22 @@ def create_api_key(data: APIKeyCreate, db: Session = Depends(get_db)):
 
 
 @router.get("/api-keys", response_model=List[APIKeyResponse], tags=["API Keys"])
-def list_api_keys(user_id: int = None, db: Session = Depends(get_db)):
+def list_api_keys(user_id: int = None, db: Session = Depends(get_db),
+                 _: models.User = Depends(require_admin)):
     query = db.query(APIKey)
     if user_id:
         query = query.filter(APIKey.user_id == user_id)
-    return query.all()
+    keys = query.all()
+    # Never expose the full secret on listing; show only a masked prefix.
+    for k in keys:
+        if k.key and len(k.key) > 8:
+            k.key = k.key[:6] + "…" + k.key[-2:]
+    return keys
 
 
 @router.delete("/api-keys/{key_id}", status_code=status.HTTP_204_NO_CONTENT, tags=["API Keys"])
-def revoke_api_key(key_id: int, db: Session = Depends(get_db)):
+def revoke_api_key(key_id: int, db: Session = Depends(get_db),
+                  _: models.User = Depends(require_admin)):
     key_obj = db.query(APIKey).filter(APIKey.id == key_id).first()
     if not key_obj:
         raise HTTPException(status_code=404, detail="API key not found")
@@ -106,7 +114,8 @@ class ActivityLogResponse(BaseModel):
 
 @router.get("/activity", response_model=List[ActivityLogResponse], tags=["Activity"])
 def list_activity(entity_type: str = None, entity_id: int = None, user_id: int = None,
-                  limit: int = 50, db: Session = Depends(get_db)):
+                  limit: int = 50, db: Session = Depends(get_db),
+                  _: models.User = Depends(get_current_user_or_apikey)):
     query = db.query(ActivityLog)
     if entity_type:
         query = query.filter(ActivityLog.entity_type == entity_type)
@@ -199,8 +208,10 @@ def update_milestone(milestone_id: str, ms_update: schemas.MilestoneUpdate, db:
 
 
 @router.delete("/milestones/{milestone_id}", status_code=status.HTTP_204_NO_CONTENT, tags=["Milestones"])
-def delete_milestone(milestone_id: str, db: Session = Depends(get_db)):
+def delete_milestone(milestone_id: str, db: Session = Depends(get_db),
+                     current_user: models.User = Depends(get_current_user_or_apikey)):
     ms = _resolve_milestone(db, milestone_id)
+    ensure_can_edit_milestone(db, current_user.id, ms)
     db.delete(ms)
     db.commit()
     return None
@@ -322,16 +333,18 @@ class WorkLogResponse(BaseModel):
 
 
 @router.post("/worklogs", response_model=WorkLogResponse, status_code=status.HTTP_201_CREATED, tags=["Time Tracking"])
-def create_worklog(wl: WorkLogCreate, db: Session = Depends(get_db)):
+def create_worklog(wl: WorkLogCreate, db: Session = Depends(get_db),
+                   current_user: models.User = Depends(get_current_user_or_apikey)):
     task = db.query(Task).filter(Task.id == wl.task_id).first()
     if not task:
         raise HTTPException(status_code=404, detail="Task not found")
-    user = db.query(models.User).filter(models.User.id == wl.user_id).first()
-    if not user:
-        raise HTTPException(status_code=404, detail="User not found")
     if wl.hours <= 0:
         raise HTTPException(status_code=400, detail="Hours must be positive")
-    db_wl = WorkLog(**wl.model_dump())
+    data = wl.model_dump()
+    # Worklogs are always attributed to the caller (non-admins cannot log time for others).
+    if not current_user.is_admin or not data.get("user_id"):
+        data["user_id"] = current_user.id
+    db_wl = WorkLog(**data)
     db.add(db_wl)
     db.commit()
     db.refresh(db_wl)
@@ -370,10 +383,13 @@ def task_worklog_summary(task_id: str, db: Session = Depends(get_db)):
 
 
 @router.delete("/worklogs/{worklog_id}", status_code=status.HTTP_204_NO_CONTENT, tags=["Time Tracking"])
-def delete_worklog(worklog_id: int, db: Session = Depends(get_db)):
+def delete_worklog(worklog_id: int, db: Session = Depends(get_db),
+                   current_user: models.User = Depends(get_current_user_or_apikey)):
     wl = db.query(WorkLog).filter(WorkLog.id == worklog_id).first()
     if not wl:
         raise HTTPException(status_code=404, detail="Work log not found")
+    if not current_user.is_admin and wl.user_id != current_user.id:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Cannot delete another user's worklog")
     db.delete(wl)
     db.commit()
     return None
@@ -382,7 +398,8 @@ def delete_worklog(worklog_id: int, db: Session = Depends(get_db)):
 # ============ Export ============
 
 @router.get("/export/tasks", tags=["Export"])
-def export_tasks_csv(project_id: int = None, db: Session = Depends(get_db)):
+def export_tasks_csv(project_id: int = None, db: Session = Depends(get_db),
+                     _: models.User = Depends(get_current_user_or_apikey)):
     query = db.query(Task)
     if project_id:
         query = query.filter(Task.project_id == project_id)

app/api/routers/schedule_type.py

@@ -0,0 +1,209 @@
+"""ScheduleType API router.
+
+CRUD for schedule types (work/entertainment time periods)
+and agent schedule type assignment.
+"""
+
+from fastapi import APIRouter, Depends, HTTPException, Header
+from sqlalchemy.orm import Session
+from typing import List
+
+from app.core.config import get_db
+from app.api.deps import get_current_user
+from app.models.models import User
+from app.models.agent import Agent
+from app.models.schedule_type import ScheduleType
+from app.models.role_permission import Permission, RolePermission
+from app.schemas.schedule_type import (
+    ScheduleTypeCreate,
+    ScheduleTypeUpdate,
+    ScheduleTypeResponse,
+    AgentScheduleTypeAssign,
+)
+
+router = APIRouter(prefix="/schedule-types", tags=["ScheduleTypes"])
+
+
+# ---------------------------------------------------------------------------
+# Permission helpers
+# ---------------------------------------------------------------------------
+
+def _has_permission(db: Session, user: User, permission_name: str) -> bool:
+    if user.is_admin:
+        return True
+    if not user.role_id:
+        return False
+    return (
+        db.query(RolePermission)
+        .join(Permission)
+        .filter(
+            RolePermission.role_id == user.role_id,
+            Permission.name == permission_name,
+        )
+        .first()
+        is not None
+    )
+
+
+def _require_schedule_read(db: Session, user: User) -> User:
+    if not _has_permission(db, user, "schedule_type.read"):
+        raise HTTPException(403, "Permission denied: schedule_type.read")
+    return user
+
+
+def _require_schedule_manage(db: Session, user: User) -> User:
+    if not _has_permission(db, user, "schedule_type.manage"):
+        raise HTTPException(403, "Permission denied: schedule_type.manage")
+    return user
+
+
+# ---------------------------------------------------------------------------
+# Schedule Type CRUD
+# ---------------------------------------------------------------------------
+
+@router.get(
+    "/",
+    response_model=List[ScheduleTypeResponse],
+    summary="List all schedule types",
+)
+def list_schedule_types(
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    _require_schedule_read(db, current_user)
+    return db.query(ScheduleType).all()
+
+
+@router.post(
+    "/",
+    response_model=ScheduleTypeResponse,
+    summary="Create a schedule type",
+)
+def create_schedule_type(
+    payload: ScheduleTypeCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    _require_schedule_manage(db, current_user)
+
+    existing = db.query(ScheduleType).filter(ScheduleType.name == payload.name).first()
+    if existing:
+        raise HTTPException(409, f"Schedule type '{payload.name}' already exists")
+
+    st = ScheduleType(
+        name=payload.name,
+        work_from=payload.work_from,
+        work_to=payload.work_to,
+        entertainment_from=payload.entertainment_from,
+        entertainment_to=payload.entertainment_to,
+    )
+    db.add(st)
+    db.commit()
+    db.refresh(st)
+    return st
+
+
+@router.patch(
+    "/{schedule_type_id}",
+    response_model=ScheduleTypeResponse,
+    summary="Update a schedule type",
+)
+def update_schedule_type(
+    schedule_type_id: int,
+    payload: ScheduleTypeUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    _require_schedule_manage(db, current_user)
+
+    st = db.query(ScheduleType).filter(ScheduleType.id == schedule_type_id).first()
+    if not st:
+        raise HTTPException(404, "Schedule type not found")
+
+    for field, value in payload.model_dump(exclude_unset=True).items():
+        setattr(st, field, value)
+
+    db.commit()
+    db.refresh(st)
+    return st
+
+
+@router.delete(
+    "/{schedule_type_id}",
+    summary="Delete a schedule type",
+)
+def delete_schedule_type(
+    schedule_type_id: int,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    _require_schedule_manage(db, current_user)
+
+    st = db.query(ScheduleType).filter(ScheduleType.id == schedule_type_id).first()
+    if not st:
+        raise HTTPException(404, "Schedule type not found")
+
+    # Check if any agents are using this schedule type
+    agents_using = db.query(Agent).filter(Agent.schedule_type_id == schedule_type_id).count()
+    if agents_using > 0:
+        raise HTTPException(
+            409,
+            f"Cannot delete: {agents_using} agent(s) are assigned to this schedule type",
+        )
+
+    db.delete(st)
+    db.commit()
+    return {"ok": True, "deleted": schedule_type_id}
+
+
+# ---------------------------------------------------------------------------
+# Agent schedule type assignment (agent-facing, uses X-Agent-ID header)
+# ---------------------------------------------------------------------------
+
+@router.get(
+    "/agent/me",
+    response_model=ScheduleTypeResponse | None,
+    summary="Get my schedule type",
+)
+def get_my_schedule_type(
+    x_agent_id: str = Header(..., alias="X-Agent-ID"),
+    x_claw_identifier: str = Header(..., alias="X-Claw-Identifier"),
+    db: Session = Depends(get_db),
+):
+    agent = (
+        db.query(Agent)
+        .filter(Agent.agent_id == x_agent_id, Agent.claw_identifier == x_claw_identifier)
+        .first()
+    )
+    if not agent:
+        raise HTTPException(404, "Agent not found")
+
+    if not agent.schedule_type_id:
+        return None
+
+    return db.query(ScheduleType).filter(ScheduleType.id == agent.schedule_type_id).first()
+
+
+@router.put(
+    "/agent/{agent_id}/assign",
+    summary="Assign a schedule type to an agent",
+)
+def assign_schedule_type(
+    agent_id: str,
+    payload: AgentScheduleTypeAssign,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    _require_schedule_manage(db, current_user)
+
+    agent = db.query(Agent).filter(Agent.agent_id == agent_id).first()
+    if not agent:
+        raise HTTPException(404, f"Agent '{agent_id}' not found")
+
+    st = db.query(ScheduleType).filter(ScheduleType.name == payload.schedule_type_name).first()
+    if not st:
+        raise HTTPException(404, f"Schedule type '{payload.schedule_type_name}' not found")
+
+    agent.schedule_type_id = st.id
+    db.commit()
+    return {"ok": True, "agent_id": agent_id, "schedule_type": st.name}

app/api/routers/tasks.py

@@ -576,8 +576,10 @@ def take_task(
 # ---- Assignment ----
 
 @router.post("/tasks/{task_code}/assign")
-def assign_task(task_code: str, assignee_id: int, db: Session = Depends(get_db)):
+def assign_task(task_code: str, assignee_id: int, db: Session = Depends(get_db),
+                current_user: models.User = Depends(get_current_user_or_apikey)):
     task = _resolve_task(db, task_code)
+    ensure_can_edit_task(db, current_user.id, task)
     user = db.query(models.User).filter(models.User.id == assignee_id).first()
     if not user:
         raise HTTPException(status_code=404, detail="User not found")
@@ -765,7 +767,8 @@ def batch_transition(
 
 
 @router.post("/tasks/batch/assign")
-def batch_assign(data: BatchAssign, db: Session = Depends(get_db)):
+def batch_assign(data: BatchAssign, db: Session = Depends(get_db),
+                 current_user: models.User = Depends(get_current_user_or_apikey)):
     user = db.query(models.User).filter(models.User.id == data.assignee_id).first()
     if not user:
         raise HTTPException(status_code=404, detail="Assignee not found")
@@ -773,6 +776,7 @@ def batch_assign(data: BatchAssign, db: Session = Depends(get_db)):
     for task_code in data.task_codes:
         task = db.query(Task).filter(Task.task_code == task_code).first()
         if task:
+            ensure_can_edit_task(db, current_user.id, task)
             task.assignee_id = data.assignee_id
             updated.append(task.task_code)
     db.commit()

app/api/routers/users.py

@@ -9,6 +9,7 @@ from sqlalchemy.orm import Session
 
 from app.api.deps import get_current_user, get_current_user_or_apikey, get_password_hash
 from app.core.config import get_db
+from app.init_wizard import DELETED_USER_USERNAME
 from app.models import models
 from app.models.agent import Agent
 from app.models.role_permission import Permission, Role, RolePermission
@@ -212,6 +213,86 @@ def update_user(
     return _user_response(user)
 
 
+_BUILTIN_USERNAMES = {"acc-mgr", DELETED_USER_USERNAME}
+
+
+def _reassign_user_references(db: Session, old_id: int, new_id: int) -> None:
+    """Reassign all foreign key references from old_id to new_id, then delete
+    records that would be meaningless under deleted-user (api_keys, notifications,
+    project memberships)."""
+    from app.models.apikey import APIKey
+    from app.models.notification import Notification
+    from app.models.activity import ActivityLog as Activity
+    from app.models.worklog import WorkLog as WorkLogModel
+    from app.models.meeting import Meeting, MeetingParticipant
+    from app.models.task import Task
+    from app.models.support import Support
+    from app.models.proposal import Proposal
+    from app.models.milestone import Milestone
+    from app.models.calendar import TimeSlot, SchedulePlan
+    from app.models.minimum_workload import MinimumWorkload
+    from app.models.essential import Essential
+
+    # Delete records that are meaningless without the real user
+    db.query(APIKey).filter(APIKey.user_id == old_id).delete()
+    db.query(Notification).filter(Notification.user_id == old_id).delete()
+    db.query(models.ProjectMember).filter(models.ProjectMember.user_id == old_id).delete()
+
+    # Reassign ownership/authorship references
+    db.query(models.Project).filter(models.Project.owner_id == old_id).update(
+        {"owner_id": new_id})
+    db.query(models.Comment).filter(models.Comment.author_id == old_id).update(
+        {"author_id": new_id})
+    db.query(Activity).filter(Activity.user_id == old_id).update(
+        {"user_id": new_id})
+    db.query(WorkLogModel).filter(WorkLogModel.user_id == old_id).update(
+        {"user_id": new_id})
+
+    # Tasks
+    db.query(Task).filter(Task.reporter_id == old_id).update(
+        {"reporter_id": new_id})
+    db.query(Task).filter(Task.assignee_id == old_id).update(
+        {"assignee_id": new_id})
+    db.query(Task).filter(Task.created_by_id == old_id).update(
+        {"created_by_id": new_id})
+
+    # Meetings
+    db.query(Meeting).filter(Meeting.reporter_id == old_id).update(
+        {"reporter_id": new_id})
+    db.query(MeetingParticipant).filter(MeetingParticipant.user_id == old_id).update(
+        {"user_id": new_id})
+
+    # Support
+    db.query(Support).filter(Support.reporter_id == old_id).update(
+        {"reporter_id": new_id})
+    db.query(Support).filter(Support.assignee_id == old_id).update(
+        {"assignee_id": new_id})
+
+    # Proposals
+    db.query(Proposal).filter(Proposal.created_by_id == old_id).update(
+        {"created_by_id": new_id})
+
+    # Milestones
+    db.query(Milestone).filter(Milestone.created_by_id == old_id).update(
+        {"created_by_id": new_id})
+
+    # Calendar
+    db.query(TimeSlot).filter(TimeSlot.user_id == old_id).update(
+        {"user_id": new_id})
+    db.query(SchedulePlan).filter(SchedulePlan.user_id == old_id).update(
+        {"user_id": new_id})
+
+    # Minimum workload / Essential
+    db.query(MinimumWorkload).filter(MinimumWorkload.user_id == old_id).update(
+        {"user_id": new_id})
+    db.query(Essential).filter(Essential.created_by_id == old_id).update(
+        {"created_by_id": new_id})
+
+    # Agent profile
+    db.query(Agent).filter(Agent.user_id == old_id).update(
+        {"user_id": new_id})
+
+
 @router.delete("/{identifier}", status_code=status.HTTP_204_NO_CONTENT)
 def delete_user(
     identifier: str,
@@ -223,17 +304,26 @@ def delete_user(
         raise HTTPException(status_code=404, detail="User not found")
     if current_user.id == user.id:
         raise HTTPException(status_code=400, detail="You cannot delete your own account")
-    # Protect built-in accounts from deletion
     if user.is_admin:
         raise HTTPException(status_code=400, detail="Admin accounts cannot be deleted")
-    if user.username == "acc-mgr":
-        raise HTTPException(status_code=400, detail="The acc-mgr account is a built-in account and cannot be deleted")
-    try:
+    if user.username in _BUILTIN_USERNAMES:
+        raise HTTPException(
+            status_code=400,
+            detail=f"The {user.username} account is a built-in account and cannot be deleted",
+        )
+
+    deleted_user = db.query(models.User).filter(
+        models.User.username == DELETED_USER_USERNAME
+    ).first()
+    if not deleted_user:
+        raise HTTPException(
+            status_code=500,
+            detail="Built-in deleted-user account not found. Run init_wizard first.",
+        )
+
+    _reassign_user_references(db, user.id, deleted_user.id)
     db.delete(user)
     db.commit()
-    except IntegrityError:
-        db.rollback()
-        raise HTTPException(status_code=400, detail="User has related records. Deactivate the account instead.")
     return None
 
 
@@ -241,7 +331,7 @@ def delete_user(
 def reset_user_apikey(
     identifier: str,
     db: Session = Depends(get_db),
-    current_user: models.User = Depends(get_current_user),
+    current_user: models.User = Depends(get_current_user_or_apikey),
 ):
     """Reset (regenerate) a user's API key.
 
@@ -249,6 +339,8 @@ def reset_user_apikey(
     - user.reset-apikey: can reset any user's API key
     - user.reset-self-apikey: can reset only own API key
     - admin: can reset any user's API key
+
+    Accepts both OAuth2 Bearer token and X-API-Key authentication.
     """
     import secrets
     from app.models.apikey import APIKey

app/api/routers/webhooks.py

@@ -5,11 +5,13 @@ from fastapi import APIRouter, Depends, HTTPException, status, BackgroundTasks
 from sqlalchemy.orm import Session
 
 from app.core.config import get_db
+from app.api.deps import require_admin
 from app.models.webhook import Webhook, WebhookLog
 from app.schemas.webhook import WebhookCreate, WebhookUpdate, WebhookResponse, WebhookLogResponse
 from app.services.webhook import fire_webhooks_sync
 
-router = APIRouter(prefix="/webhooks", tags=["Webhooks"])
+# Webhook management is admin-only (registration, inspection, retry, logs).
+router = APIRouter(prefix="/webhooks", tags=["Webhooks"], dependencies=[Depends(require_admin)])
 
 
 @router.post("", response_model=WebhookResponse, status_code=status.HTTP_201_CREATED)

app/core/config.py

@@ -44,6 +44,22 @@ class Settings(BaseSettings):
 
 settings = Settings()
 
+# Fail fast on a weak/default JWT signing key (prevents token forgery).
+_WEAK_SECRETS = {
+    "change-me-in-production",
+    "change_me_in_production",
+    "change-me-use-openssl-rand-hex-32",
+    "secret",
+    "changeme",
+    "",
+}
+if settings.SECRET_KEY in _WEAK_SECRETS or len(settings.SECRET_KEY) < 32:
+    raise RuntimeError(
+        "Insecure SECRET_KEY: set a strong random value "
+        "(e.g. `openssl rand -hex 32`) via the SECRET_KEY env var. "
+        "Refusing to start with a default/short key."
+    )
+
 # Resolve DB URL: wizard config volume > env > default
 _db_url = _resolve_db_url(settings.DATABASE_URL)
 engine = create_engine(_db_url, pool_pre_ping=True)

app/init_wizard.py

@@ -189,6 +189,7 @@ _DEV_PERMISSIONS = {
 
 _ACCOUNT_MANAGER_PERMISSIONS = {
     "account.create",
+    "user.reset-apikey",
 }
 
 # Role definitions: (name, description, permission_set)
@@ -294,6 +295,39 @@ def init_acc_mgr_user(db: Session) -> models.User | None:
     return user
 
 
+DELETED_USER_USERNAME = "deleted-user"
+
+
+def init_deleted_user(db: Session) -> models.User | None:
+    """Create the built-in deleted-user if not exists.
+
+    This user serves as a foreign key sink: when a real user is deleted,
+    all references are reassigned here instead of cascading deletes.
+    It has no role (no permissions) and cannot log in.
+    """
+    existing = db.query(models.User).filter(
+        models.User.username == DELETED_USER_USERNAME
+    ).first()
+    if existing:
+        logger.info("deleted-user already exists (id=%d), skipping", existing.id)
+        return existing
+
+    user = models.User(
+        username=DELETED_USER_USERNAME,
+        email="deleted-user@harborforge.internal",
+        full_name="Deleted User",
+        hashed_password=None,
+        is_admin=False,
+        is_active=False,
+        role_id=None,
+    )
+    db.add(user)
+    db.commit()
+    db.refresh(user)
+    logger.info("Created deleted-user (id=%d)", user.id)
+    return user
+
+
 def run_init(db: Session) -> None:
     """Main initialization entry point. Reads config from shared volume."""
     config = load_config()
@@ -318,6 +352,9 @@ def run_init(db: Session) -> None:
     # Built-in acc-mgr user (after roles are created)
     init_acc_mgr_user(db)
 
+    # Built-in deleted-user (foreign key sink for deleted accounts)
+    init_deleted_user(db)
+
     # Default project
     project_cfg = config.get("default_project")
     if project_cfg and admin_user:

app/main.py

@@ -63,6 +63,7 @@ from app.api.routers.proposes import router as proposes_router  # legacy compat
 from app.api.routers.milestone_actions import router as milestone_actions_router
 from app.api.routers.meetings import router as meetings_router
 from app.api.routers.essentials import router as essentials_router
+from app.api.routers.schedule_type import router as schedule_type_router
 from app.api.routers.calendar import router as calendar_router
 
 app.include_router(auth_router)
@@ -80,6 +81,7 @@ app.include_router(proposes_router)  # legacy compat
 app.include_router(milestone_actions_router)
 app.include_router(meetings_router)
 app.include_router(essentials_router)
+app.include_router(schedule_type_router)
 app.include_router(calendar_router)
 
 
@@ -363,6 +365,10 @@ def _migrate_schema():
         if _has_table(db, "time_slots") and not _has_column(db, "time_slots", "wakeup_sent_at"):
             db.execute(text("ALTER TABLE time_slots ADD COLUMN wakeup_sent_at DATETIME NULL"))
 
+        # --- agents: add schedule_type_id FK ---
+        if _has_table(db, "agents") and not _has_column(db, "agents", "schedule_type_id"):
+            db.execute(text("ALTER TABLE agents ADD COLUMN schedule_type_id INTEGER NULL"))
+
         db.commit()
     except Exception as e:
         db.rollback()
@@ -397,7 +403,7 @@ def _sync_default_user_roles(db):
 @app.on_event("startup")
 def startup():
     from app.core.config import Base, engine, SessionLocal
-    from app.models import models, webhook, apikey, activity, milestone, notification, worklog, monitor, role_permission, task, support, meeting, proposal, propose, essential, agent, calendar, minimum_workload
+    from app.models import models, webhook, apikey, activity, milestone, notification, worklog, monitor, role_permission, task, support, meeting, proposal, propose, essential, agent, calendar, minimum_workload, schedule_type
     Base.metadata.create_all(bind=engine)
     _migrate_schema()
 

app/models/agent.py

@@ -131,6 +131,15 @@ class Agent(Base):
         comment="rate_limit | billing — why the agent is exhausted",
     )
 
+    # -- schedule type ------------------------------------------------------
+
+    schedule_type_id = Column(
+        Integer,
+        ForeignKey("schedule_types.id"),
+        nullable=True,
+        comment="FK to schedule_types — defines work/entertainment periods",
+    )
+
     # -- timestamps ---------------------------------------------------------
 
     created_at = Column(DateTime(timezone=True), server_default=func.now())
@@ -138,3 +147,4 @@ class Agent(Base):
     # -- relationships ------------------------------------------------------
 
     user = relationship("User", back_populates="agent", uselist=False)
+    schedule_type = relationship("ScheduleType", lazy="joined")

app/models/schedule_type.py

@@ -0,0 +1,52 @@
+"""ScheduleType model — defines work/entertainment time periods.
+
+Each ScheduleType defines the daily work and entertainment windows.
+Agents reference a schedule_type to know when they should be working
+vs when they can engage in entertainment activities.
+"""
+
+from sqlalchemy import Column, Integer, String, DateTime
+from sqlalchemy.sql import func
+from app.core.config import Base
+
+
+class ScheduleType(Base):
+    """Work/entertainment period definition."""
+
+    __tablename__ = "schedule_types"
+
+    id = Column(Integer, primary_key=True, index=True)
+
+    name = Column(
+        String(64),
+        nullable=False,
+        unique=True,
+        comment="Human-readable schedule type name (e.g., 'standard', 'night-shift')",
+    )
+
+    work_from = Column(
+        Integer,
+        nullable=False,
+        comment="Work period start hour (0-23, UTC)",
+    )
+
+    work_to = Column(
+        Integer,
+        nullable=False,
+        comment="Work period end hour (0-23, UTC)",
+    )
+
+    entertainment_from = Column(
+        Integer,
+        nullable=False,
+        comment="Entertainment period start hour (0-23, UTC)",
+    )
+
+    entertainment_to = Column(
+        Integer,
+        nullable=False,
+        comment="Entertainment period end hour (0-23, UTC)",
+    )
+
+    created_at = Column(DateTime(timezone=True), server_default=func.now())
+    updated_at = Column(DateTime(timezone=True), onupdate=func.now())

app/schemas/schedule_type.py

@@ -0,0 +1,36 @@
+"""Schemas for ScheduleType CRUD."""
+
+from pydantic import BaseModel, Field
+from typing import Optional
+
+
+class ScheduleTypeCreate(BaseModel):
+    name: str = Field(..., min_length=1, max_length=64)
+    work_from: int = Field(..., ge=0, le=23)
+    work_to: int = Field(..., ge=0, le=23)
+    entertainment_from: int = Field(..., ge=0, le=23)
+    entertainment_to: int = Field(..., ge=0, le=23)
+
+
+class ScheduleTypeUpdate(BaseModel):
+    name: Optional[str] = Field(None, min_length=1, max_length=64)
+    work_from: Optional[int] = Field(None, ge=0, le=23)
+    work_to: Optional[int] = Field(None, ge=0, le=23)
+    entertainment_from: Optional[int] = Field(None, ge=0, le=23)
+    entertainment_to: Optional[int] = Field(None, ge=0, le=23)
+
+
+class ScheduleTypeResponse(BaseModel):
+    id: int
+    name: str
+    work_from: int
+    work_to: int
+    entertainment_from: int
+    entertainment_to: int
+
+    class Config:
+        from_attributes = True
+
+
+class AgentScheduleTypeAssign(BaseModel):
+    schedule_type_name: str = Field(..., description="Name of the schedule type to assign")

app/services/webhook.py

@@ -2,12 +2,41 @@ import json
 import hmac
 import hashlib
 import logging
+import socket
+import ipaddress
+from urllib.parse import urlparse
 from sqlalchemy.orm import Session
 from app.models.webhook import Webhook, WebhookLog
 
 logger = logging.getLogger(__name__)
 
 
+def _validate_webhook_url(url: str) -> None:
+    """Raise ValueError if the URL would target a non-public address (SSRF guard)."""
+    parsed = urlparse(url)
+    if parsed.scheme not in ("http", "https"):
+        raise ValueError(f"unsupported scheme: {parsed.scheme!r}")
+    host = parsed.hostname
+    if not host:
+        raise ValueError("missing host")
+    # Resolve every address the host maps to and reject non-global ranges.
+    try:
+        infos = socket.getaddrinfo(host, parsed.port or (443 if parsed.scheme == "https" else 80))
+    except socket.gaierror as e:
+        raise ValueError(f"DNS resolution failed: {e}")
+    for info in infos:
+        ip = ipaddress.ip_address(info[4][0])
+        if (
+            ip.is_private
+            or ip.is_loopback
+            or ip.is_link_local
+            or ip.is_multicast
+            or ip.is_reserved
+            or ip.is_unspecified
+        ):
+            raise ValueError(f"host resolves to non-public address {ip}")
+
+
 def fire_webhooks_sync(event: str, payload: dict, project_id: int, db: Session):
     """Find matching webhooks and send payloads (sync version)."""
     import httpx
@@ -35,6 +64,8 @@ def fire_webhooks_sync(event: str, payload: dict, project_id: int, db: Session):
             payload=payload_json,
         )
         try:
+            _validate_webhook_url(wh.url)
+
             headers = {"Content-Type": "application/json"}
             if wh.secret:
                 sig = hmac.new(
@@ -42,7 +73,7 @@ def fire_webhooks_sync(event: str, payload: dict, project_id: int, db: Session):
                 ).hexdigest()
                 headers["X-Webhook-Signature"] = sig
 
-            with httpx.Client(timeout=10.0) as client:
+            with httpx.Client(timeout=10.0, follow_redirects=False) as client:
                 resp = client.post(wh.url, content=payload_json, headers=headers)
                 log.response_status = resp.status_code
                 log.response_body = resp.text[:1000]