feat: require Manager membership for Admin auth #919

Open
lumberman wants to merge 1 commit into stage from feat/manager-admin-auth-membership

@lumberman
Collaborator

Summary

  • add Admin ManagerMembership/ManagerRole.OPERATOR and retarget access:manager away from Admin editorial roles
  • update Manager Admin-backed login/session guards to trust only Admin-verified managerRole and reject legacy strapi-jwt panel access
  • split service bearer permissions for Manager read models/jobs, regenerate Admin GraphQL contracts, and add stage operator assignment docs/script

Validation

  • pnpm --filter @forge/admin test -- src/auth/permissions.test.ts src/graphql/types/managerSession.test.ts src/graphql/types/managerJob.test.ts src/graphql/schema.test.ts
  • pnpm --filter @forge/manager test -- src/backend/admin-client.test.ts src/lib/auth.test.ts src/lib/require-auth.test.ts src/lib/agentic-studio-proxy.test.ts src/app/api/auth/login/route.test.ts src/app/api/auth/logout/route.test.ts src/cms/gateway.test.ts 'src/app/api/automations/runs/[id]/enqueue/route.test.ts' 'src/app/api/jobs/[id]/embedding-sync/override/route.test.ts'
  • pnpm --filter @forge/admin lint && pnpm --filter @forge/manager lint
  • pnpm --filter @forge/admin typecheck && pnpm --filter @forge/manager typecheck
  • MANAGER_BACKEND_MODE=mock MANAGER_MOCK_SESSION_SECRET=local-smoke-secret MUX_TOKEN_ID=mock MUX_TOKEN_SECRET=mock OPENROUTER_API_KEY=mock pnpm --filter @forge/manager build
  • Production-mode local smoke: login returned 200 with manager-session; /dashboard followed to 200; legacy strapi-jwt redirected to /login

Rollout

Deploy Admin first: migration -> Admin schema/session contracts -> grant ManagerRole.OPERATOR -> Admin GraphQL smoke -> Manager in MANAGER_BACKEND_MODE=admin.

@railway-app

railway-app Bot commented May 9, 2026

🚅 Deployed to the forge-pr-919 environment in forge

| Service | Status | Web | Updated (UTC) |
| --- | --- | --- | --- |
| @forge/admin | ✅ Success | Web | May 9, 2026 at 2:16 am |
| @forge/roadmap | ✅ Success | | May 9, 2026 at 2:15 am |
| @forge/web | ⏭️ Skipped | | May 9, 2026 at 2:14 am |
| @forge/manager | ⏭️ Skipped | | May 9, 2026 at 2:14 am |
| @forge/cms | ⏭️ Skipped | | May 9, 2026 at 2:14 am |

2 services not affected by this PR
  • @forge/agentic-studio
  • @forge/agentic
