cameleer-saas

cameleer/cameleer-saas

Fork 0

Commit Graph

Author	SHA1	Message	Date
hsiegeln	051f7fdae9	feat: auth hardening — scope enforcement, tenant isolation, and docs All checks were successful CI / build (push) Successful in 38s Details CI / docker (push) Successful in 39s Details Add @PreAuthorize annotations to all API controllers (14 endpoints across 6 controllers) enforcing OAuth2 scopes: apps:manage, apps:deploy, billing:manage, observe:read, platform:admin. Enforce tenant isolation: TenantResolutionFilter now rejects cross-tenant access on /api/tenants/{id}/* paths. New TenantOwnershipValidator checks environment/app ownership for paths without tenantId. Platform admins bypass both layers. Fix frontend: OrgResolver split into two useEffect hooks so scopes refresh on org switch. Scopes now served from /api/config (single source of truth). Bootstrap cleaned — standalone org permissions removed. Update docs/architecture.md, docs/user-manual.md, and CLAUDE.md to reflect all auth hardening changes. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-05 15:32:53 +02:00
hsiegeln	c5596d8ea4	docs: add user manual Task-oriented guide for SaaS customers and self-hosted operators covering login, environments, applications, deployments, observability, licenses, platform admin, roles, self-hosted setup, and troubleshooting. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-05 14:15:40 +02:00

Author

SHA1

Message

Date

hsiegeln

051f7fdae9

feat: auth hardening — scope enforcement, tenant isolation, and docs

CI / build (push) Successful in 38s

Details

CI / docker (push) Successful in 39s

Details

Add @PreAuthorize annotations to all API controllers (14 endpoints
across 6 controllers) enforcing OAuth2 scopes: apps:manage, apps:deploy,
billing:manage, observe:read, platform:admin.

Enforce tenant isolation: TenantResolutionFilter now rejects cross-tenant
access on /api/tenants/{id}/* paths. New TenantOwnershipValidator checks
environment/app ownership for paths without tenantId. Platform admins
bypass both layers.

Fix frontend: OrgResolver split into two useEffect hooks so scopes
refresh on org switch. Scopes now served from /api/config (single source
of truth). Bootstrap cleaned — standalone org permissions removed.

Update docs/architecture.md, docs/user-manual.md, and CLAUDE.md to
reflect all auth hardening changes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-05 15:32:53 +02:00

hsiegeln

c5596d8ea4

docs: add user manual

Task-oriented guide for SaaS customers and self-hosted operators
covering login, environments, applications, deployments, observability,
licenses, platform admin, roles, self-hosted setup, and troubleshooting.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-05 14:15:40 +02:00

2 Commits