feat: role-based access via Zitadel project roles

Replace the ALLOWED_USER_IDS sub-allowlist with a Zitadel project role
check: tokens must carry the role from REQUIRED_ROLE (default "user")
in the urn:zitadel:iam:org:project[:id]:roles claim. Roles are granted
per account in Zitadel (project ClaudeDo), where access is now managed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-10 11:25:34 +00:00
parent 725f75fdd1
commit d4c734737b
6 changed files with 72 additions and 27 deletions


@@ -83,7 +83,7 @@ Server-only values are read from `process.env` at runtime (set them in Coolify):
| `DATABASE_URL` | `postgres://mika:…@l8kogcggsc80sgcgk8kswww4:5432/claudedo` (shared PG, internal host) |
| `ZITADEL_ISSUER` | `https://auth.kuns.dev` |
| `ZITADEL_AUDIENCE` | accepted audiences (CSV): web id, desktop id, project id |
| `ALLOWED_USER_IDS` | owner `sub` allowlist (CSV) |
| `REQUIRED_ROLE` | Zitadel project role required for API access (default `user`; grant it to accounts in Zitadel) |
| `WEB_ORIGIN` | CORS allowed origin (`https://claudedo.kuns.dev`) |
Public web-client config is **baked at build time** (non-secret) via Dockerfile build args
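Review bot: the new `REQUIRED_ROLE` row does not say where the role is looked for, while the commit message does (the `urn:zitadel:iam:org:project[:id]:roles` claim); state that in the row so an operator configuring Zitadel knows which claim the token must carry, for example `| `REQUIRED_ROLE` | Zitadel project role required for API access, read from the `urn:zitadel:iam:org:project[:id]:roles` claim (default `user`; grant it to accounts in Zitadel) |`. Two further points worth a line in the docs: with the `ALLOWED_USER_IDS` `sub` allowlist gone, the role grant in Zitadel is now the sole access boundary, so every account granted the role gets in, and the table should make that explicit; and since `ZITADEL_AUDIENCE` accepts several ids including the project id, it would help to note which audience the role claim is tied to. Also check that no other part of this documentation still refers to `ALLOWED_USER_IDS`, since the row is removed here but the hunk cannot show the rest of the file.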