[codex] Use admin role for platform admin access #1453
Merged
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 2785777.
jonastemplestein added a commit that referenced this pull request Jun 10, 2026
mmkal added a commit that referenced this pull request Jun 10, 2026
Conflict resolutions:
- packages/iterate/src/cli.ts: took this branch's version wholesale. Main's only change was the superadmin->admin rename (#1453), and every renamed region (auth strategies, impersonation dance, device flow, --superadmin login flag) was already deleted here in the OAuth PKCE rewrite — there is nothing to port.
- apps/os/e2e/vitest/e2e-test-map.e2e.test.ts: accepted main's deletion (codemode rip #1447); this branch had only touched a doc comment.
- event-stream-terminal.tsx (auto-merged, needed follow-up): main's new listChildren itx walk gets the authedFetch arg, matching the getState adaptation from the previous merge.
- apps/iterate-com skills-registry.ts: took main's regenerated copy; this branch carried a stale-formatted version of the generated file.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Summary

Replaces the custom superadmin OAuth scope model with the Better Auth admin-plugin role as the platform-admin source of truth. Auth access tokens now carry the existing role/is_admin claims, and OS derives global itx access from those claims or from the admin API secret.

Also renames the auth admin oRPC/router/UI namespace from superadmin to admin, updates the CLI admin impersonation strategy, renames the bootstrap admin seed path/account, and refreshes docs around the access model.

Impact

- user.role === "admin" are clearly identifiable as admin in OS principals.
- Principal.type === "admin"/authType: "admin_api_secret".
- superadmin OAuth scope is removed from shared auth claims and auth-provider advertised scopes.
- ADMIN_ALLOWLIST; no legacy SUPERADMIN_* compatibility path is retained.

Validation

- pnpm exec oxlint . --threads 1 --deny-warnings
- pnpm --dir apps/auth typecheck
- pnpm --dir apps/os typecheck
- pnpm --dir apps/auth-contract typecheck
- pnpm --dir packages/iterate typecheck
- pnpm --dir apps/os exec vitest run src/auth/principal.test.ts src/domains/inbound-mcp-server/mcp-handler.test.ts
- pnpm --dir apps/os test
- pnpm exec oxfmt --check apps/auth-contract/src/index.ts apps/auth/src apps/auth/scripts apps/auth/alchemy.run.ts apps/os/src apps/os/docs packages/iterate/src/cli.ts packages/iterate/README.md packages/shared/src/auth-claims.ts apps/auth-example/.env.example docs/plan-replace-clerk-with-auth-worker.md

Note

High Risk

Changes how platform-wide authorization is derived (tokens, MCP, itx global access) and renames admin API routes/env; misconfiguration could block operators or widen access until tokens refresh.

Overview

Replaces the custom superadmin OAuth scope with Better Auth’s platform admin role (user.role === "admin") as the source of truth for deployment-wide access. Auth no longer advertises or server-grants that scope; access tokens carry is_admin/role claims instead, and project scoping stays on project:<id> entries.

Auth renames the operator surface from superadmin to admin: oRPC contract paths (/admin/oauth/*), TanStack routes (/admin/clients), env (ADMIN_ALLOWLIST, admin seed SQL), bootstrap user (admin@nustom.com), and helpers (isPlatformAdminUser, platformAdminOnlyMiddleware). Deploy-time allowlist backfill now uses a platformAdminBackfill marker table (replacing superadminBackfill naming in seed generation).

OS threads admin through principals: UserPrincipal.isAdmin, principalIsAdmin, and accessForPrincipal treat admin API secret or admin-role users as "all" project access. Inbound MCP skips the project-scope gate when principal.isAdmin instead of checking a superadmin scope. Consent UI and shared ITERATE_SUPERADMIN_SCOPE/hasSuperadminScope are removed.

CLI/docs rename the CI impersonation strategy from superadmin to admin and update smoke/bootstrap references to the new bootstrap admin email.

Reviewed by Cursor Bugbot for commit 2785777. Bugbot is set up for automated code reviews on this repo.
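The access derivation described in the PR description above, as an added TypeScript sketch (not code from this PR or the iterate repository). The names principalIsAdmin and accessForPrincipal mirror the description; the claim and principal shapes, the space-delimited scope string, the either-claim admin rule, and the helpers userPrincipalFromClaims and canAccessProject are assumptions made for illustration.

```typescript
// Added example, not the project's code. All shapes below are assumptions.
type TokenClaims = { sub: string; role?: unknown; is_admin?: unknown; scope?: unknown };

type Principal =
  | { type: "admin"; authType: "admin_api_secret" }
  | { type: "user"; userId: string; isAdmin: boolean; projectIds: string[] };

type Access = "all" | { projectIds: string[] };

const PROJECT_PREFIX = "project:";

// Build a user principal from decoded claims. The token's signature, issuer
// and expiry are assumed to have been verified before this point.
function userPrincipalFromClaims(claims: TokenClaims): Principal {
  // Strict comparisons: "Admin", "true" or 1 must never grant platform admin.
  const isAdmin = claims.role === "admin" || claims.is_admin === true;
  const entries = typeof claims.scope === "string" ? claims.scope.split(/\s+/) : [];
  // Only project:<id> entries contribute access. Any other entry, including
  // the removed "superadmin" scope, is ignored rather than honoured.
  const projectIds = entries
    .filter((e) => e.startsWith(PROJECT_PREFIX) && e.length > PROJECT_PREFIX.length)
    .map((e) => e.slice(PROJECT_PREFIX.length));
  return { type: "user", userId: claims.sub, isAdmin, projectIds };
}

// Admin API secret callers and admin-role users are both platform admins.
function principalIsAdmin(p: Principal): boolean {
  return p.type === "admin" || p.isAdmin;
}

// Platform admins get "all"; everyone else gets only their listed projects.
function accessForPrincipal(p: Principal): Access {
  if (p.type === "admin" || p.isAdmin) return "all";
  return { projectIds: p.projectIds };
}

// Project gate: skipped for admins, enforced per project id otherwise.
function canAccessProject(p: Principal, projectId: string): boolean {
  const access = accessForPrincipal(p);
  return access === "all" || access.projectIds.includes(projectId);
}
```

A token minted before the role change keeps its old claims until it is refreshed, which is the window the risk note refers to.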
Environment Config Lease
No active environment config lease.
OS
Status: released
Commit: 2785777
Preview: https://os.iterate-preview-1.com
Summary: Preview app released.
Workflow run
Updated: 2026-06-10T14:47:57.444Z
Semaphore
Status: released
Commit: 2785777
Preview: https://semaphore.iterate-preview-1.com
Summary: Preview app released.
Workflow run
Updated: 2026-06-10T14:47:44.656Z