feat: The Other Dude v9.0.1 — full-featured email system

ci: add GitHub Pages deployment workflow for docs site Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-08 17:46:37 -05:00
commit b840047e19
511 changed files with 106948 additions and 0 deletions
--- a/backend/alembic/versions/009_api_keys.py
+++ b/backend/alembic/versions/009_api_keys.py
@@ -0,0 +1,93 @@
+"""Add api_keys table with RLS for tenant-scoped API key management.
+
+Revision ID: 009
+Revises: 008
+Create Date: 2026-03-02
+
+This migration:
+1. Creates api_keys table (UUID PK, tenant_id FK, user_id FK, key_hash, scopes JSONB).
+2. Adds unique index on key_hash for O(1) validation lookups.
+3. Adds composite index on (tenant_id, revoked_at) for listing active keys.
+4. Applies RLS policy on tenant_id.
+5. Grants SELECT, INSERT, UPDATE to app_user.
+"""
+
+from typing import Sequence, Union
+
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision: str = "009"
+down_revision: Union[str, None] = "008"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    conn = op.get_bind()
+
+    # 1. Create api_keys table
+    conn.execute(
+        sa.text("""
+            CREATE TABLE IF NOT EXISTS api_keys (
+                id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+                tenant_id UUID NOT NULL REFERENCES tenants(id) ON DELETE CASCADE,
+                user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+                name VARCHAR(200) NOT NULL,
+                key_prefix VARCHAR(12) NOT NULL,
+                key_hash VARCHAR(64) NOT NULL,
+                scopes JSONB NOT NULL DEFAULT '[]'::jsonb,
+                expires_at TIMESTAMPTZ,
+                last_used_at TIMESTAMPTZ,
+                created_at TIMESTAMPTZ NOT NULL DEFAULT now(),
+                revoked_at TIMESTAMPTZ
+            );
+        """)
+    )
+
+    # 2. Unique index on key_hash for fast validation lookups
+    conn.execute(
+        sa.text("""
+            CREATE UNIQUE INDEX IF NOT EXISTS ix_api_keys_key_hash
+            ON api_keys (key_hash);
+        """)
+    )
+
+    # 3. Composite index for listing active keys per tenant
+    conn.execute(
+        sa.text("""
+            CREATE INDEX IF NOT EXISTS ix_api_keys_tenant_revoked
+            ON api_keys (tenant_id, revoked_at);
+        """)
+    )
+
+    # 4. Enable RLS and create tenant isolation policy
+    conn.execute(sa.text("ALTER TABLE api_keys ENABLE ROW LEVEL SECURITY;"))
+    conn.execute(sa.text("ALTER TABLE api_keys FORCE ROW LEVEL SECURITY;"))
+
+    conn.execute(
+        sa.text("""
+            DO $$
+            BEGIN
+                IF NOT EXISTS (
+                    SELECT 1 FROM pg_policies
+                    WHERE tablename = 'api_keys' AND policyname = 'tenant_isolation'
+                ) THEN
+                    CREATE POLICY tenant_isolation ON api_keys
+                    USING (
+                        tenant_id::text = current_setting('app.current_tenant', true)
+                        OR current_setting('app.current_tenant', true) = 'super_admin'
+                    );
+                END IF;
+            END $$;
+        """)
+    )
+
+    # 5. Grant permissions to app_user role
+    conn.execute(sa.text("GRANT SELECT, INSERT, UPDATE ON api_keys TO app_user;"))
+
+
+def downgrade() -> None:
+    conn = op.get_bind()
+    conn.execute(sa.text("DROP TABLE IF EXISTS api_keys CASCADE;"))