feat(server): integrate Better Auth, access control, and deployment mode startup

Wire up Better Auth for session-based authentication. Add actor middleware
that resolves local_trusted mode to an implicit board actor and authenticated
mode to Better Auth sessions. Add access service with membership, permission,
invite, and join-request management. Register access routes for member/invite/
join-request CRUD. Update health endpoint to report deployment mode and
bootstrap status. Enforce tasks:assign and agents:create permissions in issue
and agent routes. Add deployment mode validation at startup with guardrails
(loopback-only for local_trusted, auth config required for authenticated).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Forgotten
2026-02-23 14:40:32 -06:00
parent 60d6122271
commit e1f2be7ecf
24 changed files with 1530 additions and 49 deletions


@@ -3,11 +3,13 @@ import express from "express";
import request from "supertest";
import { boardMutationGuard } from "../middleware/board-mutation-guard.js";
function createApp(actorType: "board" | "agent") {
function createApp(actorType: "board" | "agent", boardSource: "session" | "local_implicit" = "session") {
const app = express();
app.use(express.json());
app.use((req, _res, next) => {
req.actor = actorType === "board" ? { type: "board", userId: "board" } : { type: "agent", agentId: "agent-1" };
req.actor = actorType === "board"
? { type: "board", userId: "board", source: boardSource }
: { type: "agent", agentId: "agent-1" };
next();
});
app.use(boardMutationGuard());
@@ -34,6 +36,12 @@ describe("boardMutationGuard", () => {
expect(res.body).toEqual({ error: "Board mutation requires trusted browser origin" });
});
it("allows local implicit board mutations without origin", async () => {
const app = createApp("board", "local_implicit");
const res = await request(app).post("/mutate").send({ ok: true });
expect(res.status).toBe(204);
});
it("allows board mutations from trusted origin", async () => {
const app = createApp("board");
const res = await request(app)
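Review bot: The new case `allows local implicit board mutations without origin` only sends a request with no Origin header, so nothing pins what the guard does when a `local_implicit` board request arrives with an untrusted Origin. A loopback-only server can still receive requests from pages open in a browser on the same machine, so that case deserves an explicit test. Add a sibling case built with `request(app).post("/mutate").set("Origin", "https://untrusted.example").send({ ok: true })` (the origin is a constructed placeholder) and assert the status the guard is meant to return. The guard implementation is not visible in this section, so whether it currently rejects or allows that request cannot be told from here. The `describe` block and the trusted-origin test continue past the last visible line.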