Auth: ownership + view-group access model & per-machine project identity #50
Merged
…ct identity
Introduce a per-user authorization model so a shared cix-server can serve
agents of many users safely, and fix local-project identity collisions across
machines.
Authorization (server + dashboard):
- Roles renamed viewer -> user; two-tier RBAC (admin, user).
- Projects/workspaces gain owner_user_id; external projects (git_repos peer)
are ownerless and admin-administered.
- New view_groups + membership + project/workspace share tables. Members of a
group get read/search on external projects and workspaces shared to it.
- Access enforced in handlers (requireProjectAccess/Ownership,
requireWorkspaceVisible/Ownership, mustBeAdmin): list filtering, owner-on
create, admin-only git-repos/github-tokens/groups, owner-or-admin mutations.
- New endpoints: groups CRUD + members, project/workspace shares,
PUT /projects/{hash}/owner; /auth/me returns the caller's groups.
- Dashboard: View Groups admin module, share-to-group cards, reassign-owner,
role-aware control hiding.
Per-machine project identity:
- Local project key is namespaced local:{machine_id}:{path}; path_hash derives
from it so the same path on different machines/users no longer collides.
display_path holds the real path; machine_id/machine_label added.
- CLI generates ~/.cix/machine_id, sends it on create, and computes the
matching hash (client.EncodeProjectPath); server is the formula authority.
Migrations #10 (auth) and #11 (machine identity): existing users -> admin,
local projects + workspaces -> first active admin, external stay ownerless;
display_path backfilled. Breaking — announce in release notes; re-init local
projects. Coordinated CLI<->server bump.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
- viewer→user. Projects/workspaces get owner_user_id; external projects (git_repos peer) are ownerless and admin-administered. View-group members get read/search on external projects + workspaces shared to the group. Enforced server-side (requireProjectAccess/Ownership, requireWorkspaceVisible/Ownership, mustBeAdmin) — list filtering, owner-on-create, admin-only git-repos/github-tokens/groups, owner-or-admin mutations.
- PUT /projects/{hash}/owner; /auth/me returns the caller's groups.
- local:{machine_id}:{path} so the same path on different machines/users no longer collides. display_path holds the real path; CLI generates ~/.cix/machine_id and computes the matching hash (server is the formula authority).
Migrations (breaking)
- admin; local projects + workspaces → first active admin; external stay ownerless.
- display_path/machine_id/machine_label; backfill display_path = host_path.
- cix init); external untouched. Coordinated CLI↔server bump (old CLI ↔ new server diverge on local hashes).
Test plan
- cd server && go test ./... — 34 pkgs green (migration backfill, group sharing, ownership mutations, admin-only gating, machine namespacing/collision tests)
- cd cli && go test ./... — green (hash mirrors delegate to client.EncodeProjectPath)
- cd server/dashboard && npm run build + tsc --noEmit — green
- make openapi-gen regenerated; codegen stable
- user vs admin, share an external project/workspace to a group, confirm a member's agent (API key) can search it but not see others' personal projects
🤖 Generated with Claude Code
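The access decision the description lays out, sketched as an added example that is not code from this PR. The names User, Project, CanRead and CanMutate are hypothetical, and it assumes a group share only opens external (ownerless) projects, as the summary words it.

```go
package main

import "fmt"

// Hypothetical types for illustration; the PR's real schema and handler
// signatures are not shown on this page.
type User struct {
	ID     int
	Admin  bool         // two-tier RBAC: admin or user
	Groups map[int]bool // view-group memberships, keyed by group ID
}

type Project struct {
	OwnerID      int   // 0 = ownerless (external, admin-administered)
	SharedGroups []int // view groups this project is shared to
}

// CanRead allows admins, the owner, and members of a view group that an
// external project is shared to.
func CanRead(u User, p Project) bool {
	if u.Admin || (p.OwnerID != 0 && p.OwnerID == u.ID) {
		return true
	}
	if p.OwnerID != 0 {
		return false // assumption: personal projects are not reachable via groups
	}
	for _, g := range p.SharedGroups {
		if u.Groups[g] {
			return true
		}
	}
	return false
}

// CanMutate is owner-or-admin only; group membership never grants writes,
// and an ownerless project can be changed by admins alone.
func CanMutate(u User, p Project) bool {
	return u.Admin || (p.OwnerID != 0 && p.OwnerID == u.ID)
}

func main() {
	alice := User{ID: 1, Groups: map[int]bool{7: true}} // constructed sample data
	external := Project{SharedGroups: []int{7}}
	bobs := Project{OwnerID: 2, SharedGroups: []int{7}}
	fmt.Println(CanRead(alice, external), CanMutate(alice, external)) // true false
	fmt.Println(CanRead(alice, bobs))                                 // false
}
```

The `OwnerID != 0` guard matters: without it, any caller whose ID happened to equal the ownerless sentinel would pass the ownership check on every external project.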