Part of #441. Highest near-term value — the public (closed-mode) deploy needs this so each repo has its own revocable upload token instead of a shared/hand-minted one.
Goal
Let a project owner mint scoped, revocable INGEST tokens from the UI.
Approach
- Add token scopes (
INGEST / QUERY / ADMIN) to api_token (Flyway migration, next Vxx) and an optional project-scoped token.
- Owner UI to create / list / revoke / rotate tokens with expiry + last-used (reuse the
TokenExpiryReminder machinery).
- Enforce scope in
ApiTokenAuthFilter + the ingest path (IngestController): a QUERY token can't ingest; a project-scoped token can only touch its project.
Acceptance
- An owner mints a project-scoped
INGEST token and uploads with it in closed-mode.
- A
QUERY token is rejected (403) on ingest; a revoked token stops working immediately.
Depends on
None (independent of OAuth). Unblocks per-user MCP auth + token UX.
Part of #441. Highest near-term value — the public (closed-mode) deploy needs this so each repo has its own revocable upload token instead of a shared/hand-minted one.
Goal
Let a project owner mint scoped, revocable INGEST tokens from the UI.
Approach
INGEST/QUERY/ADMIN) toapi_token(Flyway migration, nextVxx) and an optional project-scoped token.TokenExpiryRemindermachinery).ApiTokenAuthFilter+ the ingest path (IngestController): aQUERYtoken can't ingest; a project-scoped token can only touch its project.Acceptance
INGESTtoken and uploads with it in closed-mode.QUERYtoken is rejected (403) on ingest; a revoked token stops working immediately.Depends on
None (independent of OAuth). Unblocks per-user MCP auth + token UX.