fix: add ResolutionFlow service account to own default tree steps in library

Default/system trees had no author_id (NULL), causing a NOT NULL violation when syncing steps to step_library.created_by on publish. - Add is_service_account flag to users table (migration 4f4137ce) - Add service_account.py: idempotent ensure_service_account() creates noreply@resolutionflow.com with unusable password on startup - Cache service account ID on app.state at lifespan startup - Add get_service_account_id() FastAPI dep (returns None in tests) - sync_steps_from_tree: resolve author_id or service_account_id as created_by - create_tree: set author_id=service_account_id for is_default trees - Migration 1490781700bc: backfill author_id on 31 existing default trees Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-25 23:17:04 -05:00
parent 0002f75232
commit c2b3937e86
8 changed files with 221 additions and 6 deletions
--- a/backend/app/api/deps.py
+++ b/backend/app/api/deps.py
@@ -155,6 +155,14 @@ async def require_account_owner(
    )


+def get_service_account_id(request: Request) -> Optional[UUID]:
+    """Return the cached ResolutionFlow service account UUID from app.state.
+
+    Returns None in test environments where lifespan startup did not run.
+    """
+    return getattr(request.app.state, "service_account_id", None)
+
+
 async def get_plan_limits_for_user(
    current_user: Annotated[User, Depends(get_current_active_user)],
    db: Annotated[AsyncSession, Depends(get_db)],
--- a/backend/app/api/endpoints/trees.py
+++ b/backend/app/api/endpoints/trees.py
@@ -21,7 +21,7 @@ from app.schemas.tree import (
    PinnedFlowResponse, PinnedFlowsListResponse, PinnedFlowReorderRequest
 )
 from app.models.user_pinned_tree import UserPinnedTree
-from app.api.deps import get_current_active_user, require_engineer_or_admin, require_admin
+from app.api.deps import get_current_active_user, require_engineer_or_admin, require_admin, get_service_account_id
 from app.core.permissions import can_edit_tree, can_access_tree
 from app.core.filters import build_tree_access_filter
 from app.core.subscriptions import check_tree_limit
@@ -400,7 +400,8 @@ async def get_tree(
 async def create_tree(
    tree_data: TreeCreate,
    db: Annotated[AsyncSession, Depends(get_db)],
-    current_user: Annotated[User, Depends(require_engineer_or_admin)]
+    current_user: Annotated[User, Depends(require_engineer_or_admin)],
+    service_account_id: Annotated[Optional[UUID], Depends(get_service_account_id)],
 ):
    """Create a new tree (engineers and admins only).

@@ -465,7 +466,7 @@ async def create_tree(
        tree_type=tree_data.tree_type,
        tree_structure=tree_data.tree_structure,
        intake_form=intake_form_data,
-        author_id=None if is_default else current_user.id,  # Default trees have no author
+        author_id=service_account_id if is_default else current_user.id,
        account_id=None if is_default else current_user.account_id,
        is_public=True if is_default else tree_data.is_public,  # Default trees are always public
        is_default=is_default,
@@ -549,7 +550,8 @@ async def update_tree(
    tree_id: UUID,
    tree_data: TreeUpdate,
    db: Annotated[AsyncSession, Depends(get_db)],
-    current_user: Annotated[User, Depends(require_engineer_or_admin)]
+    current_user: Annotated[User, Depends(require_engineer_or_admin)],
+    service_account_id: Annotated[Optional[UUID], Depends(get_service_account_id)],
 ):
    """Update an existing tree (engineers and admins only).

@@ -654,6 +656,7 @@ async def update_tree(
            author_id=tree.author_id,
            account_id=tree.account_id,
            is_public=_is_public,
+            service_account_id=service_account_id,
        )

    # Handle tags replacement
--- a/backend/app/core/service_account.py
+++ b/backend/app/core/service_account.py
@@ -0,0 +1,60 @@
+"""ResolutionFlow system service account.
+
+This module manages the platform-level service account used as the author
+for system/default content (seeded trees, synced step library entries, etc.).
+
+The service account ID is resolved once at startup and cached on app.state
+so that sync operations can use it without a DB query per request.
+"""
+from __future__ import annotations
+
+import uuid
+import logging
+
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+logger = logging.getLogger(__name__)
+
+SERVICE_ACCOUNT_EMAIL = "noreply@resolutionflow.com"
+SERVICE_ACCOUNT_NAME = "ResolutionFlow"
+
+
+async def ensure_service_account(db: AsyncSession) -> uuid.UUID:
+    """Ensure the ResolutionFlow service account exists and return its ID.
+
+    Idempotent — safe to call on every startup. Creates the account if it
+    does not exist. The account has no usable password and is_service_account=True
+    so it can never log in via normal auth flows.
+    """
+    from app.models.user import User
+
+    result = await db.execute(
+        select(User).where(User.email == SERVICE_ACCOUNT_EMAIL)
+    )
+    user = result.scalar_one_or_none()
+
+    if user is not None:
+        if not user.is_service_account:
+            user.is_service_account = True
+            await db.commit()
+        return user.id
+
+    # Create the service account with a random, unusable password hash
+    new_user = User(
+        id=uuid.uuid4(),
+        email=SERVICE_ACCOUNT_EMAIL,
+        name=SERVICE_ACCOUNT_NAME,
+        password_hash="!service-account-no-login",  # bcrypt can't produce this prefix
+        role="engineer",
+        is_super_admin=False,
+        is_team_admin=False,
+        is_active=True,
+        is_service_account=True,
+        must_change_password=False,
+        account_role="engineer",
+    )
+    db.add(new_user)
+    await db.commit()
+    logger.info(f"[service_account] Created service account (id={new_user.id})")
+    return new_user.id
--- a/backend/app/core/step_sync.py
+++ b/backend/app/core/step_sync.py
@@ -109,14 +109,22 @@ async def sync_steps_from_tree(
    tree_id: UUID,
    tree_type: str,
    tree_structure: dict,
-    author_id: UUID,
+    author_id: Optional[UUID],
    account_id: Optional[UUID],
    is_public: bool,
+    service_account_id: Optional[UUID] = None,
 ) -> int:
    """Upsert step library entries from a published tree.

    Returns the number of steps synced.
+
+    For default/system trees that have no author_id, pass service_account_id
+    so that created_by is set to the ResolutionFlow service account.
    """
+    resolved_author_id = author_id or service_account_id
+    if not resolved_author_id:
+        return 0
+
    now = datetime.now(timezone.utc)
    extracted = list(extract_steps_for_sync(tree_structure, tree_type))

@@ -157,7 +165,7 @@ async def sync_steps_from_tree(
                "title": step_data["title"],
                "step_type": step_data["step_type"],
                "content": json.dumps(step_data["content"]),
-                "created_by": str(author_id) if author_id else None,
+                "created_by": str(resolved_author_id),
                "account_id": str(account_id) if account_id else None,
                "visibility": visibility,
                "source_tree_id": str(tree_id),
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -14,6 +14,7 @@ from app.core.middleware import RequestLoggingMiddleware, ErrorLoggingMiddleware
 from app.core.rate_limit import limiter
 from app.api.router import api_router
 from app.core.scheduler import scheduler, load_all_schedules, _cleanup_expired_ai_conversations
+from app.core.service_account import ensure_service_account

 # Initialize logging configuration
 setup_logging()
@@ -103,6 +104,12 @@ async def lifespan(app: FastAPI):
    # Note: In production, use Alembic migrations instead of init_db
    # await init_db()

+    # Ensure service account exists and cache its ID for sync operations
+    async with async_session_maker() as db:
+        service_account_id = await ensure_service_account(db)
+    app.state.service_account_id = service_account_id
+    logger.info(f"[service_account] Service account ready (id={service_account_id})")
+
    # Start maintenance schedule runner + AI conversation cleanup
    scheduler.start()
    async with async_session_maker() as db:
--- a/backend/app/models/user.py
+++ b/backend/app/models/user.py
@@ -39,6 +39,7 @@ class User(Base):
    is_super_admin: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
    is_team_admin: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False)
    is_active: Mapped[bool] = mapped_column(Boolean, nullable=False, default=True, server_default="true")
+    is_service_account: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False, server_default="false")
    must_change_password: Mapped[bool] = mapped_column(Boolean, nullable=False, default=False, server_default="false")

    # Account-based multi-tenancy (new)