resolutionflow

chihlasm/resolutionflow

Fork 0

Commit Graph

Author	SHA1	Message	Date
Michael Chihlas	50cb0fc7f0	feat: admin invite codes with plan assignment + user detail page - Migration 030: add email, assigned_plan, trial_duration_days, email_sent_at to invite_codes with CHECK constraints - Resend email integration (graceful degradation when API key not set) - Invite codes now support plan assignment (free/pro/team) and trial duration (1-90 days) - Registration applies invite code plan/trial to new subscription - Auto-downgrade expired trials on authenticated access - Enriched GET /admin/users/{id} with account, subscription, sessions, audit logs - New endpoints: PUT /admin/users/{id}/subscription/plan and extend-trial - Frontend: enhanced invite codes page with email, plan, trial fields - Frontend: new user detail page at /admin/users/:userId - Fixed API path drift: /invite-codes -> /invites - 11 new backend tests, 416 total passing Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-11 21:42:58 -05:00
chihlasm	71ba0b95a5	fix: high-severity security hardening (Phase B permissions audit) Phase B addresses 7 high-severity gaps from the permissions audit: - B1: Enforce tree access check on session start via can_access_tree - B2: Replace all inline permission helpers with centralized permissions.py - B3: Fix require_engineer_or_admin to check is_team_admin before role - B4: Add is_active field on User with enforcement in get_current_active_user - B5: Add admin user management endpoints (list, get, role, team-admin, deactivate, activate) - B6: Add rate limiting on auth/invite endpoints via slowapi (disabled in DEBUG) - B7: Implement refresh token rotation with JTI-based revocation and meaningful logout Also reduces access token TTL from 15 to 5 minutes and updates CLAUDE.md with SaaS/MSP context for future planning sessions. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-02-05 22:44:05 -05:00
Michael Chihlas	20c4c40a1f	Add invite code registration system for beta Backend: - Add InviteCode model with single-use codes - Add invite API endpoints (create, list, revoke, validate) - Modify registration to require invite code when enabled - Add REQUIRE_INVITE_CODE config toggle (default: true) - Add Alembic migration for invite_codes table Frontend: - Add invite code field to registration page - Validate invite code on blur with visual feedback - Pass invite code to registration API Admins can generate invite codes via /api/docs (Swagger UI). Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>	2026-02-01 00:08:06 -05:00

Author

SHA1

Message

Date

Michael Chihlas

50cb0fc7f0

feat: admin invite codes with plan assignment + user detail page

- Migration 030: add email, assigned_plan, trial_duration_days, email_sent_at
  to invite_codes with CHECK constraints
- Resend email integration (graceful degradation when API key not set)
- Invite codes now support plan assignment (free/pro/team) and trial duration (1-90 days)
- Registration applies invite code plan/trial to new subscription
- Auto-downgrade expired trials on authenticated access
- Enriched GET /admin/users/{id} with account, subscription, sessions, audit logs
- New endpoints: PUT /admin/users/{id}/subscription/plan and extend-trial
- Frontend: enhanced invite codes page with email, plan, trial fields
- Frontend: new user detail page at /admin/users/:userId
- Fixed API path drift: /invite-codes -> /invites
- 11 new backend tests, 416 total passing

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-11 21:42:58 -05:00

chihlasm

71ba0b95a5

fix: high-severity security hardening (Phase B permissions audit)

Phase B addresses 7 high-severity gaps from the permissions audit:

- B1: Enforce tree access check on session start via can_access_tree
- B2: Replace all inline permission helpers with centralized permissions.py
- B3: Fix require_engineer_or_admin to check is_team_admin before role
- B4: Add is_active field on User with enforcement in get_current_active_user
- B5: Add admin user management endpoints (list, get, role, team-admin, deactivate, activate)
- B6: Add rate limiting on auth/invite endpoints via slowapi (disabled in DEBUG)
- B7: Implement refresh token rotation with JTI-based revocation and meaningful logout

Also reduces access token TTL from 15 to 5 minutes and updates CLAUDE.md
with SaaS/MSP context for future planning sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

2026-02-05 22:44:05 -05:00

Michael Chihlas

20c4c40a1f

Add invite code registration system for beta

Backend:
- Add InviteCode model with single-use codes
- Add invite API endpoints (create, list, revoke, validate)
- Modify registration to require invite code when enabled
- Add REQUIRE_INVITE_CODE config toggle (default: true)
- Add Alembic migration for invite_codes table

Frontend:
- Add invite code field to registration page
- Validate invite code on blur with visual feedback
- Pass invite code to registration API

Admins can generate invite codes via /api/docs (Swagger UI).

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2026-02-01 00:08:06 -05:00

3 Commits