Skip to content

feat(admin): add superadmin and session viewer permissions#4564

Merged
pandemicsyn merged 7 commits into
mainfrom
feat/admin-superadmin-session-viewer
Jul 16, 2026
Merged

feat(admin): add superadmin and session viewer permissions#4564
pandemicsyn merged 7 commits into
mainfrom
feat/admin-superadmin-session-viewer

Conversation

@pandemicsyn

@pandemicsyn pandemicsyn commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Summary

Adds explicit Superadmin and Session viewer capabilities beneath the existing platform-admin role.

The database migration adds is_super_admin and can_view_sessions and enforces that subordinate permissions require platform-admin access. The superadmin backfill preserves the previous grant-authority boundary: it promotes only existing admins whose hosted domain is exactly kilocode.ai and whose email ends exactly in @kilocode.ai. Other existing admins and all non-admins remain non-superadmins, and can_view_sessions remains false for every existing user.

Architecturally, sensitive authorization now uses primary-database permission revalidation instead of cached session claims. Superadmins can manage platform-admin membership, Session viewer, Superadmin, and Credit manager permissions from /admin/admins. Permission changes are atomic, rotate active credentials, record attributed admin notes, and serialize only operations that reduce superadmin membership. All Session Traces procedures and in-product links now fail closed without Session viewer access. Successful permission data remains visible during background refetches so admin controls and loaded Session Traces do not reset on window focus.

Verification

  • Manually opened /admin/admins and verified the admin roster displays permission badges and the Manage dialog exposes Superadmin, Session viewer, and Credit manager controls plus the separate revoke-admin action.
  • Manually verified an admin without Session viewer permission does not see Session Traces in the admin sidebar.

Visual Changes

SCR-20260715-lyng-2

Reviewer Notes

The migration backfill mirrors the former isEligibleForPlatformAdmin predicate: is_admin = true, hosted_domain = 'kilocode.ai', and a case-sensitive @kilocode.ai email suffix. Existing admins outside that boundary are not promoted. No existing user receives Session viewer access.

Review the last-unblocked-superadmin safeguard and its narrowly scoped transaction advisory lock. Platform-admin revocation and soft deletion clear every subordinate capability. Changing permissions rotates both web and API credential peppers, so affected users must sign in again.

@pandemicsyn pandemicsyn force-pushed the feat/admin-superadmin-session-viewer branch from 75ab77b to b4ca7f6 Compare July 15, 2026 19:26
@pandemicsyn pandemicsyn marked this pull request as ready for review July 15, 2026 20:22
Comment thread apps/web/src/app/admin/components/PlatformAdminsContent.tsx
@kilo-code-bot

kilo-code-bot Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Code Review Summary

Status: 2 Issues Found | Recommendation: Address before merge

Executive Summary

A malformed statement-breakpoint marker in the new migration and a stale-cache inconsistency in listPlatformAdmins are the only new findings; both prior findings (loading copy, last-unblocked-superadmin design note) remain accurately tracked and unaffected.

Overview

Severity Count
CRITICAL 0
WARNING 1
SUGGESTION 1
Issue Details (click to expand)

WARNING

File Line Issue
packages/db/src/migrations/0187_modern_colonel_america.sql 4 Double-space --> statement-breakpoint marker deviates from the single-space convention and may fail to split as a separate migration statement

SUGGESTION

File Line Issue
apps/web/src/routers/admin-router.ts 1577 listPlatformAdmins derives canManageAdmins from cached ctx.user instead of the fresh-DB revalidation pattern used by the new getPermissions procedure
Files Reviewed (27 files)
  • apps/web/src/app/(app)/cloud/webhooks/[triggerId]/requests/WebhookRequestsContent.tsx
  • apps/web/src/app/admin/api/session-traces/hooks.ts
  • apps/web/src/app/admin/components/AppBuilder/AppBuilderProjectDetail.tsx
  • apps/web/src/app/admin/components/AppSidebar.tsx
  • apps/web/src/app/admin/components/PlatformAdminsContent.tsx - 1 prior issue (resolved)
  • apps/web/src/app/admin/components/SessionTraceViewer.tsx
  • apps/web/src/app/admin/useAdminCreditManagementPermission.ts
  • apps/web/src/app/admin/useAdminPermissions.test.ts
  • apps/web/src/app/admin/useAdminPermissions.ts
  • apps/web/src/app/admin/webhooks/AdminWebhookTriggerDetails.tsx
  • apps/web/src/lib/admin/admin-permissions-migration.test.ts
  • apps/web/src/lib/admin/admin-permissions.test.ts
  • apps/web/src/lib/admin/admin-permissions.ts
  • apps/web/src/lib/token.test.ts
  • apps/web/src/lib/trpc/init.ts
  • apps/web/src/lib/user/index.test.ts
  • apps/web/src/lib/user/index.ts
  • apps/web/src/lib/user/server.test.ts
  • apps/web/src/routers/admin-platform-admins.test.ts
  • apps/web/src/routers/admin-router.ts - 1 new issue, 1 prior issue (unresolved design note)
  • apps/web/src/routers/admin-session-traces.test.ts
  • apps/web/src/routers/root-router.test.ts
  • apps/web/src/tests/helpers/user.helper.ts
  • packages/db/src/migrations/0187_modern_colonel_america.sql - 1 new issue, 1 prior issue (unresolved deploy-window note)
  • packages/db/src/migrations/meta/0187_snapshot.json
  • packages/db/src/migrations/meta/_journal.json
  • packages/db/src/schema.ts

Fix these issues in Kilo Cloud

Previous Review Summaries (2 snapshots, latest commit 79a79d2)

Current summary above is authoritative. Previous snapshots are kept for context only.

Previous review (commit 79a79d2)

Status: No Issues Found | Recommendation: Merge

Executive Summary

The follow-up commit fixes the previously flagged transient-copy issue by gating the neutral "Checking your permissions…" message on permissions.isPermissionResolved, so no code-review findings remain in the incremental diff.

Files Reviewed (1 file)
  • apps/web/src/app/admin/components/PlatformAdminsContent.tsx

Previous review (commit 4dc9a81)

Status: 1 Issue Found | Recommendation: Address before merge

Executive Summary

A transient UI-copy issue in PlatformAdminsContent.tsx can briefly show superadmins a "Superadmin access is required" message before the permissions query resolves; the underlying admin/superadmin/session-viewer authorization logic (DB check constraints, migration backfill, tRPC procedures, permission-revalidation-from-primary, and fail-closed Session Traces gating) all checked out correctly.

Overview

Severity Count
CRITICAL 0
WARNING 0
SUGGESTION 1
Issue Details (click to expand)

SUGGESTION

File Line Issue
apps/web/src/app/admin/components/PlatformAdminsContent.tsx 334 "Superadmin access is required..." copy can flash for an actual superadmin during the window before the getPermissions query resolves, even though the grant/manage UI itself is correctly hidden during that window.
Files Reviewed (25 files)
  • apps/web/src/app/(app)/cloud/webhooks/[triggerId]/requests/WebhookRequestsContent.tsx
  • apps/web/src/app/admin/api/session-traces/hooks.ts
  • apps/web/src/app/admin/components/AppBuilder/AppBuilderProjectDetail.tsx
  • apps/web/src/app/admin/components/AppSidebar.tsx
  • apps/web/src/app/admin/components/PlatformAdminsContent.tsx - 1 issue
  • apps/web/src/app/admin/components/SessionTraceViewer.tsx
  • apps/web/src/app/admin/useAdminCreditManagementPermission.ts
  • apps/web/src/app/admin/useAdminPermissions.test.ts
  • apps/web/src/app/admin/useAdminPermissions.ts
  • apps/web/src/app/admin/webhooks/AdminWebhookTriggerDetails.tsx
  • apps/web/src/lib/admin/admin-permissions-migration.test.ts
  • apps/web/src/lib/admin/admin-permissions.test.ts
  • apps/web/src/lib/admin/admin-permissions.ts
  • apps/web/src/lib/token.test.ts
  • apps/web/src/lib/trpc/init.ts
  • apps/web/src/lib/user/index.test.ts
  • apps/web/src/lib/user/index.ts
  • apps/web/src/lib/user/server.test.ts
  • apps/web/src/routers/admin-platform-admins.test.ts
  • apps/web/src/routers/admin-router.ts
  • apps/web/src/routers/admin-session-traces.test.ts
  • apps/web/src/routers/root-router.test.ts
  • apps/web/src/tests/helpers/user.helper.ts
  • packages/db/src/migrations/0186_concerned_spot.sql
  • packages/db/src/schema.ts

(Generated migration metadata files packages/db/src/migrations/meta/0186_snapshot.json and _journal.json were excluded per review policy.)

Fix these issues in Kilo Cloud


Reviewed by claude-sonnet-5 · Input: 66 · Output: 28.8K · Cached: 2.4M

Review guidance: REVIEW.md from base branch main

Comment thread packages/db/src/migrations/0187_modern_colonel_america.sql
);
}

async function assertNotLastUnblockedSuperadmin(

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Low, Design: assertNotLastUnblockedSuperadmin protects the revoke and setAdminPermissions paths, but two other paths can drive the unblocked-superadmin count to zero without hitting this guard: blocking the last superadmin (sets blocked_reason, which the count filters on via isNull(blocked_reason)), and soft-deleting the last superadmin (clears is_super_admin). If the count reaches zero, no one can grant superadmin through /admin/admins, since every management procedure requires an unblocked superadmin, and recovery requires direct database access.

Likelihood is low given multiple staff were backfilled, and it is recoverable, so this is not a blocker. Consider extending the same guard to the block-user and soft-delete flows, or accepting it as a known operational edge case.

@pandemicsyn pandemicsyn force-pushed the feat/admin-superadmin-session-viewer branch from 79a79d2 to 403187a Compare July 16, 2026 14:21
Comment thread packages/db/src/migrations/0187_modern_colonel_america.sql
Comment thread apps/web/src/routers/admin-router.ts
@pandemicsyn pandemicsyn merged commit b4aec33 into main Jul 16, 2026
63 checks passed
@pandemicsyn pandemicsyn deleted the feat/admin-superadmin-session-viewer branch July 16, 2026 14:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants