Add BYOC page, admin section, and is_byoc team visibility gating

- Frontend: BYOC hosts page (/dashboard/byoc) with register/delete flows, shimmer loading, pulsing online status, animated token reveal checkmark - Frontend: Admin section (/admin/hosts) with platform + BYOC tabs, stat pills, skeleton loading, slide-in animations for new rows - Frontend: AdminSidebar component with accent top bar and admin pill badge - Frontend: BYOC nav item shown only when team.is_byoc is true (derived from teams store, not JWT); disabled for members - Frontend: Admin shield button in Sidebar, visible only to platform admins - Backend: is_admin in JWT claims + requireAdmin middleware (DB-validated) - Backend: is_byoc added to teamResponse so frontend derives visibility from fresh team data rather than stale JWT fields - Backend: SetBYOC admin endpoint (PUT /v1/admin/teams/{id}/byoc) - Backend: Admin hosts list enriches BYOC entries with team_name - Host agent: load .env file via godotenv on startup
2026-03-25 03:10:41 +06:00
parent 9bf67aa7f7
commit e069b3e679
36 changed files with 2200 additions and 163 deletions
--- a/internal/auth/context.go
+++ b/internal/auth/context.go
@ -8,11 +8,12 @@ const authCtxKey contextKey = 0

 // AuthContext is stamped into request context by auth middleware.
 type AuthContext struct {
-	TeamID string
-	UserID string // empty when authenticated via API key
-	Email  string // empty when authenticated via API key
-	Name   string // empty when authenticated via API key
-	Role   string // owner, admin, or member; empty when authenticated via API key
+	TeamID  string
+	UserID  string // empty when authenticated via API key
+	Email   string // empty when authenticated via API key
+	Name    string // empty when authenticated via API key
+	Role    string // owner, admin, or member; empty when authenticated via API key
+	IsAdmin bool   // platform-level admin; always false when authenticated via API key
 }

 // WithAuthContext returns a new context with the given AuthContext.
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@ -13,22 +13,24 @@ const HostRefreshTokenExpiry = 60 * 24 * time.Hour // 60 days; exported for serv

 // Claims are the JWT payload for user tokens.
 type Claims struct {
-	Type   string `json:"typ,omitempty"` // empty for user tokens; used to reject host tokens
-	TeamID string `json:"team_id"`
-	Role   string `json:"role"` // owner, admin, or member within TeamID
-	Email  string `json:"email"`
-	Name   string `json:"name"`
+	Type    string `json:"typ,omitempty"` // empty for user tokens; used to reject host tokens
+	TeamID  string `json:"team_id"`
+	Role    string `json:"role"`    // owner, admin, or member within TeamID
+	Email   string `json:"email"`
+	Name    string `json:"name"`
+	IsAdmin bool   `json:"is_admin,omitempty"` // platform-level admin flag
 	jwt.RegisteredClaims
 }

 // SignJWT signs a new 6-hour JWT for the given user.
-func SignJWT(secret []byte, userID, teamID, email, name, role string) (string, error) {
+func SignJWT(secret []byte, userID, teamID, email, name, role string, isAdmin bool) (string, error) {
 	now := time.Now()
 	claims := Claims{
-		TeamID: teamID,
-		Role:   role,
-		Email:  email,
-		Name:   name,
+		TeamID:  teamID,
+		Role:    role,
+		Email:   email,
+		Name:    name,
+		IsAdmin: isAdmin,
 		RegisteredClaims: jwt.RegisteredClaims{
 			Subject:   userID,
 			IssuedAt:  jwt.NewNumericDate(now),