mirror of
https://github.com/KohakuBlueleaf/KohakuHub.git
synced 2026-07-16 10:42:49 -05:00
The dev seed (``make reset-and-seed``) and the test baseline now plant a known set of API tokens and SSH keys per-user. Three real ed25519 keypairs ship in source, private half included, so local SSH smoke tests against a freshly seeded backend can sign with the matching key without generating one. Dev seed (``scripts/dev/seed_demo_data.py``) - 6 named tokens spread across mai_lin / leo_park / sara_chen / ivy_ops, with last_used set to a mix of "recent", "180+ days stale" and "never used" so admin Credentials filters have something to bite on. - 3 SSH keys: mai_lin holds two distinct keypairs (Workstation + Archived MBP), leo_park holds the secondary keypair. The schema's global UNIQUE on ``fingerprint`` is what forces three keypairs for two users, hence the third generated keypair. - Helpers are idempotent: re-running the seed without a reset is a no-op for already-planted tokens / keys. - ``SEED_VERSION`` bumped from ``v4`` → ``v5`` so existing dev databases are flagged as ``incomplete`` and the operator is told to run ``make reset-local-data``. - Manifest at ``hub-meta/dev/demo-seed-manifest.json`` now lists every planted token plaintext and SSH private key — those are explicitly test fixtures, never production credentials. Test baseline (``test/kohakuhub/support/seed.py``) - Mirrors the same plants for the test users (owner, member, outsider) via the same keypair PEMs, so anything written against ``SEED_TOKENS`` / ``SEED_SSH_KEYS`` carries over to dev manually. - Tokens go in via direct DB insert (the public API never re-emits a fixed plaintext); SSH keys go through ``POST /api/user/keys`` so the fingerprint computed by the production code is the canonical one. Tests (``test/kohakuhub/api/admin/routers/test_credentials.py``) - 8 new cases assert against the seeded baseline: - every seed plant surfaces in the admin list, - planted plaintexts authenticate as real Bearer tokens, - SSH fingerprints match the constants in ``seed_credentials``, - per-user isolation holds, - ``unused_for_days`` filters actually pick stale rows, - revoking a seeded token immediately kills its Bearer auth. - ``test_ssh_keys.py``'s "no keys yet" assumption is replaced with a baseline-aware count check so it coexists with the planted keys. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>