Merge remote-tracking branch 'origin/dev' into test-main-dev-merge-20260615

# Conflicts: # src/tool_implementations.py # static/js/research/panel.js
2026-06-30 00:22:10 -04:00 · 2026-06-15 21:20:15 +09:00
parent 2cbd55b8bd cd02ac7ef6
commit 6d507f8128
312 changed files with 20047 additions and 2952 deletions
@@ -68,6 +68,7 @@ def _normalize_scopes(scopes: str | list[str] | None = None, profile: str | None
    ensure_before("calendar:write", "calendar:read")
    ensure_before("memory:write", "memory:read")
    ensure_before("email:draft", "email:read")
+    ensure_before("cookbook:launch", "cookbook:read")

    return normalized or [DEFAULT_SCOPES]

@@ -154,6 +155,7 @@ def setup_api_token_routes() -> APIRouter:
    @router.patch("/tokens/{token_id}")
    async def update_token(request: Request, token_id: str):
        require_admin(request)
+        current_user = get_current_user(request)
        try:
            payload = await request.json()
        except Exception:
@@ -162,6 +164,8 @@ def setup_api_token_routes() -> APIRouter:
            token = db.query(ApiToken).filter(ApiToken.id == token_id).first()
            if not token:
                raise HTTPException(404, "Token not found")
+            if current_user and token.owner != current_user:
+                raise HTTPException(403, "Not your token")
            if isinstance(payload.get("name"), str) and payload["name"].strip():
                token.name = payload["name"].strip()[:MAX_NAME_LEN]
            # Only touch scopes when the caller actually sent them. A partial
@@ -189,10 +193,14 @@ def setup_api_token_routes() -> APIRouter:
    @router.delete("/tokens/{token_id}")
    def delete_token(request: Request, token_id: str):
        require_admin(request)
+        current_user = get_current_user(request)
        with get_db_session() as db:
-            deleted = db.query(ApiToken).filter(ApiToken.id == token_id).delete()
-            if not deleted:
+            token = db.query(ApiToken).filter(ApiToken.id == token_id).first()
+            if not token:
                raise HTTPException(404, "Token not found")
+            if current_user and token.owner != current_user:
+                raise HTTPException(403, "Not your token")
+            db.delete(token)
        _invalidate_cache(request)
        return {"status": "deleted"}