forked from molecule-ai/molecule-core
f72fa4cd70
Adds user-facing API keys with full-org admin scope. Replaces the
single ADMIN_TOKEN env var with named, revocable, audited tokens
that users can mint/rotate from the canvas UI without ops
intervention.
Designed for the beta growth phase — one token tier (full admin).
Future work will split into scoped roles (admin / workspace-write
/ read-only) and per-workspace bindings. See docs/architecture/
org-api-keys.md for the design + follow-up roadmap.
## Surface
POST /org/tokens mint (plaintext returned once)
GET /org/tokens list live keys (prefix-only)
DELETE /org/tokens/:id revoke (idempotent)
All AdminAuth-gated. Bootstrap path: mint the first token via
ADMIN_TOKEN or canvas session; tokens can mint more tokens after.
## Validation as a new AdminAuth tier (2a)
AdminAuth evaluation order:
Tier 0 lazy-bootstrap fail-open (only when no live tokens AND
no ADMIN_TOKEN env)
Tier 1 verified WorkOS session via /cp/auth/tenant-member
Tier 2a org_api_tokens SELECT — NEW
Tier 2b ADMIN_TOKEN env (bootstrap / CLI break-glass)
Tier 3 any live workspace token (deprecated, only when ADMIN_TOKEN
unset)
Tier 2a runs ONE indexed lookup (partial index on
token_hash WHERE revoked_at IS NULL) + an async last_used_at
bump. No measurable latency cost on the hot path.
## UI
New "Org API Keys" tab in the settings panel. Label field for
human-readable naming. Plaintext shown once + clipboard copy.
Revoke with confirm dialog. Mirrors the existing workspace-
TokensTab flow so users who've used one get the other for free.
## Security properties
- Plaintext never stored. sha256 hash + 8-char display prefix.
- Revocation is immediate: partial index on revoked_at IS NULL
means the next request validates or fails in microseconds.
- created_by audit field captures provenance: "org-token:<short>"
when a token mints another, "session" for browser-UI mints,
"admin-token" for the ADMIN_TOKEN bootstrap path.
- Validate() collapses all failure shapes into ErrInvalidToken
so response-shape can't distinguish "never existed" from
"revoked".
## Tests
- internal/orgtoken: 9 unit tests (hash storage, empty field
null-ing, validation happy path, empty plaintext, unknown hash,
revoked filtering, list ordering, revoke idempotency, has-any-
live short-circuit).
- AdminAuth tier-2a integration covered by existing middleware
tests unchanged (fail-open + bearer paths).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .. | ||
| __tests__ | ||
| canvas | ||
| settings | ||
| tabs | ||
| ui | ||
| A2ATopologyOverlay.tsx | ||
| ApprovalBanner.tsx | ||
| AuditTrailPanel.tsx | ||
| AuthGate.tsx | ||
| BatchActionBar.tsx | ||
| BundleDropZone.tsx | ||
| Canvas.tsx | ||
| CommunicationOverlay.tsx | ||
| ConfirmDialog.tsx | ||
| ContextMenu.tsx | ||
| ConversationTraceModal.tsx | ||
| CookieConsent.tsx | ||
| CreateWorkspaceDialog.tsx | ||
| EmptyState.tsx | ||
| ErrorBoundary.tsx | ||
| Legend.tsx | ||
| MemoryInspectorPanel.tsx | ||
| MissingKeysModal.tsx | ||
| OnboardingWizard.tsx | ||
| PricingTable.tsx | ||
| ProvisioningTimeout.tsx | ||
| SearchDialog.tsx | ||
| SidePanel.tsx | ||
| Spinner.tsx | ||
| StatusDot.tsx | ||
| TemplatePalette.tsx | ||
| TermsGate.tsx | ||
| Toaster.tsx | ||
| Toolbar.tsx | ||
| Tooltip.tsx | ||
| WorkspaceNode.tsx | ||
| WorkspaceUsage.tsx | ||