ZdenekSrotyr e0ce91ddb9 feat: add dataset permissions, script execution, Kamal config, CI/CD

- SyncSettingsRepository + DatasetPermissionRepository with RBAC
- Script deploy/run/undeploy API with import sandboxing
- User sync settings API with permission checks
- 4 CLI skills (connectors, security, notifications, corporate-memory)
- Kamal production + staging configs
- GitHub Actions CI + deploy workflows
- 91 total tests passing

2026-03-27 15:40:11 +01:00

1.1 KiB

Raw Blame History

Security — RBAC, permissions, and audit

Roles

Role	Permissions
`viewer`	Read catalog, view profiles, browse corporate memory
`analyst`	+ sync data, run queries, vote, run/deploy scripts
`admin`	+ manage users, approve knowledge, trigger sync
`km_admin`	+ corporate memory governance

Managing Users

da admin add-user user@company.com --role analyst
da admin list-users
da admin remove-user <user-id>

Dataset Permissions

Admins grant dataset access per user. Users can only sync datasets they have access to.

Audit Trail

Every API call is logged. Query with:

da query "SELECT * FROM system.audit_log ORDER BY timestamp DESC LIMIT 20" --remote

Script Sandboxing

User scripts run in isolated subprocess with:

Limited environment (no access to secrets)
Timeout (default 5 min)
Blocked imports (subprocess, shutil, ctypes)
Stdout/stderr size cap (64KB)

JWT Tokens

Issued on login, valid 30 days
Contains: user_id, email, role
Set JWT_SECRET_KEY in .env (min 32 chars)

1.1 KiB Raw Blame History

Security — RBAC, permissions, and audit

Roles

Managing Users

Dataset Permissions

Audit Trail

Script Sandboxing

JWT Tokens

1.1 KiB

Raw Blame History