c5631d3eab
Provenance had no system-level owner: ownership was only per-tree (TreeMembership), so a self-hosted instance had no operator account and no instance-admin surface. This adds one, declared by environment per the project's twelve-factor rule.

- OWNER_EMAIL (comma-separated): the account(s) named here are instance owners. Derived at request time — no DB column, no migration, can't drift from the env, survives DB resets. is_instance_owner()/InstanceOwner dependency in api/deps.py.
- Ownership requires a VERIFIED email (independent of REQUIRE_EMAIL_VERIFICATION). Registration is open, so without this an attacker could seize the role by registering the owner address first; verification ties it to inbox control.
- GET /api/v1/admin/instance (owner-only): operational status — version, env, user/tree counts, configured AI providers. Deliberately exposes no tree data or PII: instance ownership is an operator role, NOT a privacy-engine bypass.
- /users/me reports is_instance_owner; frontend gains an owner-only /admin page and a conditional sidebar link (server-enforced, not just client-hidden).

Found-and-fixed by an adversarial security review before merge: the verified-email land-grab (above) and a frontend null-deref where the admin page crashed on 401/5xx instead of failing closed.

Docs: .env.example + ARCHITECTURE (notes the not-a-privacy-bypass boundary and the verified-email requirement).

Tests: owner matching, the land-grab guard, /users/me, and owner-only /admin. Suite 96 passing.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Justin Paul <justin@jpaul.me>
39 lines
1.5 KiB
Python
"""Instance-admin surface — owner-only (OWNER_EMAIL). Operational status and
|
|
instance-wide configuration. Deliberately exposes no tree contents or PII:
|
|
instance ownership is an operator role, not a privacy bypass."""
|
|
|
|
from sqlalchemy import func, select
|
|
|
|
from fastapi import APIRouter
|
|
|
|
from app.api.deps import InstanceOwner, SessionDep, configured_llm_providers
|
|
from app.core.config import get_settings
|
|
from app.models.tree import Tree
|
|
from app.models.user import User
|
|
from app.schemas.admin import InstanceStatus
|
|
from app.schemas.ai_policy import ConfiguredProvider
|
|
|
|
router = APIRouter(prefix="/admin", tags=["admin"])
|
|
|
|
|
|
@router.get("/instance", response_model=InstanceStatus)
|
|
async def instance_status(owner: InstanceOwner, session: SessionDep) -> InstanceStatus:
|
|
"""Operator dashboard data. Requires the caller to be an instance owner."""
|
|
s = get_settings()
|
|
user_count = await session.scalar(
|
|
select(func.count()).select_from(User).where(User.deleted_at.is_(None))
|
|
)
|
|
tree_count = await session.scalar(
|
|
select(func.count()).select_from(Tree).where(Tree.deleted_at.is_(None))
|
|
)
|
|
return InstanceStatus(
|
|
version=s.version,
|
|
env=s.app_env,
|
|
owner_emails=sorted(s.owner_emails()),
|
|
require_email_verification=s.require_email_verification,
|
|
user_count=user_count or 0,
|
|
tree_count=tree_count or 0,
|
|
default_llm_provider=s.default_llm_provider,
|
|
ai_providers=[ConfiguredProvider(**p) for p in configured_llm_providers()],
|
|
)
|
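Review bot: the module docstring says the endpoint exposes no PII, yet the response carries `owner_emails=sorted(s.owner_emails())`, the full OWNER_EMAIL list. Because the route is gated on InstanceOwner the caller is already one of those addresses, so the exposure is acceptable, but the docstring (or the InstanceStatus schema field) should state that owner addresses are returned to owners so the "no PII" claim is not read as absolute. Two smaller points on the same function: `owner` is unused in the body, which linters will flag; a one-line comment noting that it exists only as the authorization gate (or renaming it `_owner`) makes the intent clear. And since `ai_providers=[ConfiguredProvider(**p) for p in configured_llm_providers()]` serializes whatever dict `configured_llm_providers()` returns, it is worth confirming in review that those dicts carry only provider names and flags and never API keys, because the response_model is the only filter between them and the client.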