Add record-level authorization for system accounts

Record mutations (create, update, delete) no longer require admin role. Authorization rules: - admin: full access (unchanged) - system mcp-agent: create/delete any record - system account α: create/delete records named α only - human users: read-only (unchanged) Zone mutations remain admin-only. Both REST and gRPC paths enforce the same rules. Update checks authorization against both old and new names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-28 15:52:43 -07:00
parent baa058d4a4
commit 871b1fb8f4
7 changed files with 120 additions and 21 deletions
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -44,14 +44,14 @@ func NewRouter(deps Deps) *chi.Mux {
 		r.With(requireAdmin).Put("/v1/zones/{zone}", updateZoneHandler(deps.DB))
 		r.With(requireAdmin).Delete("/v1/zones/{zone}", deleteZoneHandler(deps.DB))

-		// Record endpoints — reads for all authenticated users, writes for admin.
+		// Record endpoints — reads for all authenticated users.
 		r.Get("/v1/zones/{zone}/records", listRecordsHandler(deps.DB))
 		r.Get("/v1/zones/{zone}/records/{id}", getRecordHandler(deps.DB))

-		// Admin-only record mutations.
-		r.With(requireAdmin).Post("/v1/zones/{zone}/records", createRecordHandler(deps.DB))
-		r.With(requireAdmin).Put("/v1/zones/{zone}/records/{id}", updateRecordHandler(deps.DB))
-		r.With(requireAdmin).Delete("/v1/zones/{zone}/records/{id}", deleteRecordHandler(deps.DB))
+		// Record mutations — admin, mcp-agent (any name), or system account (own name).
+		r.Post("/v1/zones/{zone}/records", createRecordHandler(deps.DB))
+		r.Put("/v1/zones/{zone}/records/{id}", updateRecordHandler(deps.DB))
+		r.Delete("/v1/zones/{zone}/records/{id}", deleteRecordHandler(deps.DB))
 	})

 	return r