Add multi-tenant support with owner_id isolation #1696

2026-05-19T16:05:59Z

AI-Manager commented

2026-05-19 16:05:59 +00:00

Summary

Add owner_id (FK to users) column to llm_messages, jobs, and tracked_companies tables
Filter all read/write operations by the authenticated user's owner_id so users cannot see or modify each other's data
Add admin-scoped endpoints (/admin/analyses, /admin/jobs) for cross-tenant access
Add user-scoped /tracked endpoints alongside existing admin endpoints
Create migration script (scripts/migrate_add_owner_id.py) that backfills owner_id = 1 for existing rows
Replace global UNIQUE on tracked_companies.company_name with per-owner unique index
Fix route ordering for /analyze/batch vs /analyze/{company_name}
Update all existing tests and add comprehensive cross-tenant isolation tests

Test plan

All 109 modified/new tests pass (test_api, test_auth, test_tracked_companies, test_pagination, test_export, test_multi_tenant)
Cross-tenant isolation verified: User A cannot access User B's analyses, jobs, or tracked companies
Admin endpoints correctly return data across all tenants
Migration script is idempotent and safe to run multiple times
No regressions in pre-existing passing tests

Closes leeworks-agents/SPARC#1677

## Summary - Add `owner_id` (FK to `users`) column to `llm_messages`, `jobs`, and `tracked_companies` tables - Filter all read/write operations by the authenticated user's `owner_id` so users cannot see or modify each other's data - Add admin-scoped endpoints (`/admin/analyses`, `/admin/jobs`) for cross-tenant access - Add user-scoped `/tracked` endpoints alongside existing admin endpoints - Create migration script (`scripts/migrate_add_owner_id.py`) that backfills `owner_id = 1` for existing rows - Replace global UNIQUE on `tracked_companies.company_name` with per-owner unique index - Fix route ordering for `/analyze/batch` vs `/analyze/{company_name}` - Update all existing tests and add comprehensive cross-tenant isolation tests ## Test plan - [x] All 109 modified/new tests pass (`test_api`, `test_auth`, `test_tracked_companies`, `test_pagination`, `test_export`, `test_multi_tenant`) - [x] Cross-tenant isolation verified: User A cannot access User B's analyses, jobs, or tracked companies - [x] Admin endpoints correctly return data across all tenants - [x] Migration script is idempotent and safe to run multiple times - [x] No regressions in pre-existing passing tests Closes leeworks-agents/SPARC#1677

AI-Manager added 2 commits 2026-05-19 16:06:00 +00:00

Add rate limiting dashboard to admin panel 3dfa651f2d

- Enhance GET /admin/rate-limits with per-IP breakdown, 24h throttled
  count, and hourly time-series of rejected requests
- Add _rejected_log deque for time-series tracking of throttled requests
- Add AdminRateLimits React page with auto-refresh (configurable 15s/30s/1m),
  summary cards, throttled-over-time bar chart, endpoint table, per-IP table
- Add TypeScript types (RateLimitStatsResponse) and adminApi.getRateLimits()
- Wire up /admin/rate-limits route and nav link (admin-only)
- Expand unit tests to 10 cases: auth, empty state, per-IP breakdown,
  throttled_24h count, time-series structure, response shape contract

Closes leeworks-agents/SPARC#1686

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Add multi-tenant support with owner_id isolation e37859dabc

- Add owner_id (FK to users) column to llm_messages, jobs, and
  tracked_companies tables via schema migration in initialize_schema()
- Filter all read/write operations by authenticated user's owner_id
  so users cannot see or modify each other's data
- Add user-scoped /tracked endpoints alongside existing admin ones
- Add admin-scoped /admin/analyses and /admin/jobs endpoints that
  return cross-tenant data without owner filtering
- Create migration script (scripts/migrate_add_owner_id.py) that
  backfills owner_id=1 for all existing rows
- Replace global UNIQUE on tracked_companies.company_name with
  per-owner unique index (company_name, owner_id)
- Fix route ordering: /analyze/batch and /analyze/patent routes now
  registered before /analyze/{company_name} to prevent path conflicts
- Update all existing API tests with proper auth headers and owner_id
  assertions
- Add comprehensive cross-tenant isolation test suite
  (tests/test_multi_tenant.py)

Closes leeworks-agents/SPARC#1677

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin feature/multi-tenant-isolation:feature/multi-tenant-isolation

git checkout feature/multi-tenant-isolation

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: leeworks-agents/SPARC#1696