Skip to content

feat: GitOps platform-user management (bootstrap superuser SA + reconcile CLI)#1720

Merged
rohilsurana merged 11 commits into
feat/platform-user-correctnessfrom
feat/gitops-platform-users
Jul 1, 2026
Merged

feat: GitOps platform-user management (bootstrap superuser SA + reconcile CLI)#1720
rohilsurana merged 11 commits into
feat/platform-user-correctnessfrom
feat/gitops-platform-users

Conversation

@rohilsurana

@rohilsurana rohilsurana commented Jun 30, 2026

Copy link
Copy Markdown
Member

What

This PR moves platform-superuser management to a file-based (GitOps) flow. Config seeds one protected bootstrap service account instead of a list of human superusers. From then on, you manage access by editing a file and running the new frontier reconcile command. This is the second of a 2-PR split of #1709, and it builds on #1719.

⚠️ Breaking change — this removes app.admin.users. Only merge it once the new flow is ready: the bootstrap service account is configured and pixxelhq/IAM#139 is in place. Otherwise human superadmins lose access until the first reconcile runs.

Changes

  • Bootstrap superuser service account (app.admin.bootstrap.{client_id, client_secret}) — created and promoted to superuser at boot, with a fixed id. You rotate the secret by changing the config. client_id must be a UUID.
  • Locked down — this service account cannot be changed through the API. It can't be removed, deleted, or have new credentials, tokens, or keys created, not even by a superuser. The reconcile flow skips it too. Rotating the secret at boot still works.
  • frontier reconcile command — reads a file that lists who should have access and makes the platform match it. Anyone listed is added; anyone not listed is removed. It lives in internal/reconcile and can support more kinds later; PlatformUser is the first.
  • Removes app.admin.users and MakeSuperUsers.
  • Supporting changeorg_name can now be null, so the platform service account (which has no org) can be stored.

Testing

Unit tests pass (-race -count 2). Vet, lint, and format are clean. Full e2e tests pass (the test bench seeds data using the bootstrap service account). I also ran a live security check: no one can remove or delete the service account, or create credentials for it, even when the per-object permission check is made to pass.

Related

@vercel

vercel Bot commented Jun 30, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
frontier Ready Ready Preview, Comment Jul 1, 2026 12:36pm

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 869c56dd-be0b-43d0-ac02-ca666255788c

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coveralls

coveralls commented Jun 30, 2026

Copy link
Copy Markdown

Coverage Report for CI Build 28517939074

Warning

No base build found for commit f31dda9 on feat/platform-user-correctness.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 44.629%

Details

  • Patch coverage: 95 uncovered changes across 8 files (299 of 394 lines covered, 75.89%).

Uncovered Changes

File Changed Covered %
cmd/reconcile.go 60 31 51.67%
internal/bootstrap/bootstrapuser.go 89 66 74.16%
internal/reconcile/platformuser_reconciler.go 97 74 76.29%
internal/reconcile/reconcile.go 30 21 70.0%
cmd/serve.go 4 0 0.0%
internal/bootstrap/service.go 3 0 0.0%
internal/reconcile/platformuser.go 67 65 97.01%
internal/store/postgres/serviceuser_repository.go 2 0 0.0%
Total (12 files) 394 299 75.89%

Coverage Regressions

Requires a base build to compare against. How to fix this →


Coverage Stats

Coverage Status
Relevant Lines: 37574
Covered Lines: 16769
Line Coverage: 44.63%
Coverage Strength: 12.44 hits per line

💛 - Coveralls

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 7


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ff2769d7-96b1-4439-9af0-8d1c887c9807

📥 Commits

Reviewing files that changed from the base of the PR and between c556cbd and 54ccfaa.

📒 Files selected for processing (20)
  • cmd/reconcile.go
  • cmd/root.go
  • cmd/serve.go
  • config/sample.config.yaml
  • internal/api/v1beta1connect/platform.go
  • internal/api/v1beta1connect/platform_test.go
  • internal/api/v1beta1connect/serviceuser.go
  • internal/api/v1beta1connect/serviceuser_test.go
  • internal/bootstrap/bootstrapuser.go
  • internal/bootstrap/bootstrapuser_test.go
  • internal/bootstrap/schema/schema.go
  • internal/bootstrap/service.go
  • internal/reconcile/platformuser.go
  • internal/reconcile/platformuser_reconciler.go
  • internal/reconcile/platformuser_reconciler_test.go
  • internal/reconcile/platformuser_test.go
  • internal/reconcile/reconcile.go
  • internal/store/postgres/serviceuser_repository.go
  • test/e2e/testbench/helper.go
  • test/e2e/testbench/testbench.go

Comment thread internal/bootstrap/bootstrapuser.go Outdated
Comment thread internal/bootstrap/bootstrapuser.go
Comment thread internal/reconcile/platformuser_reconciler.go
Comment thread internal/reconcile/platformuser.go Outdated
Comment thread internal/reconcile/platformuser.go Outdated
Comment thread internal/reconcile/reconcile.go
Comment thread test/e2e/testbench/testbench.go Outdated
…eject partial config, guard sentinel ref, add-before-remove, testbench cleanup)

@whoAbhishekSah whoAbhishekSah left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Three small notes, none blocking.

Comment thread internal/api/v1beta1connect/serviceuser.go
Comment thread cmd/reconcile.go Outdated
Comment thread internal/reconcile/platformuser.go
Comment thread internal/api/v1beta1connect/platform.go Outdated
Comment thread config/sample.config.yaml

@whoAbhishekSah whoAbhishekSah left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added some comments. Approving.

…econcile applied count, tidy config + comment
@rohilsurana rohilsurana merged commit 3334397 into feat/platform-user-correctness Jul 1, 2026
8 checks passed
@rohilsurana rohilsurana deleted the feat/gitops-platform-users branch July 1, 2026 16:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants