feat(gastown): Admin impersonation — allow Kilo admins to view and interact with any town #1467
Description
Summary
Kilo admins need the ability to view and interact with any user's town for support, debugging, and monitoring purposes. An admin should be able to navigate directly to any town URL and interact with it as if they were the town owner — chatting with the mayor, viewing beads, inspecting agent sessions, and reading settings.
Requirements
Auth / Access Control
- Kilo admins (identified by a role flag on the user record or a list of admin user IDs) can access any town's routes without being the town creator or org member
- The existing auth middleware (
authMiddlewareingastown.worker.ts) needs to accept admin tokens in addition to town-owner tokens - Admin access should be logged (audit trail) — record which admin accessed which town and when
- Admins get full read access and the ability to chat with the mayor, but should NOT be able to delete towns or modify billing-sensitive settings
Admin Panel Integration
- Add a "Towns" section to the Kilo admin panel that lists all towns across all users
- Each town row shows: town name, owner, created date, last activity, active agents, container status
- "View Town" button navigates the admin to the town's full UI (same routes the owner sees)
- Visual indicator when an admin is viewing a town they don't own (e.g., a banner: "Viewing as admin — this town belongs to user@example.com")
Town-Level Experience
- Admin sees the same UI as the owner: beads, agents, convoys, terminal, settings, mayor chat
- Settings page shows as read-only for admins (they can view but not modify, except for specific support actions)
- Admin can chat with the mayor (useful for debugging stuck convoys, inspecting agent state)
- Admin can view agent PTY sessions (read-only terminal view)
- Admin can trigger manual actions: force-close a bead, restart the container, refresh tokens
API / Middleware Changes
The gastown worker's auth flow currently validates that the requesting user owns the town (or is a member of the org that owns the town). Add an admin bypass:
// Pseudocode for auth middleware
if (isKiloAdmin(user)) {
// Allow access to any town
// Log the access for audit
logAdminAccess(user.id, townId, action);
return next();
}
// ... existing owner/org-member checkThe admin check should use a secure mechanism — either:
- A
role: "admin"field on the user JWT (set during login for admin accounts) - A server-side lookup against an admin users table/list
- A Cloudflare Access group that maps to admin privileges
Non-Goals
- Admins should NOT be able to impersonate users for billing purposes
- Admins should NOT be able to create beads or convoys on behalf of users (they can ask the mayor, which logs the interaction)
- This is not a multi-tenant "support agent" system — it is a simple admin override for debugging
Files
src/gastown.worker.ts— auth middlewaresrc/handlers/*.handler.ts— any handler that checks ownership- Admin panel pages (likely in the main Next.js app under
/admin/)
Acceptance Criteria
- Kilo admins can navigate to any town URL and see the full town UI
- Admin access is logged with user ID, town ID, and timestamp
- Admin banner visible when viewing another user's town
- Admins can chat with the mayor and view agent terminals
- Admins cannot delete towns or modify billing settings
- Non-admins cannot access towns they do not own (no regression)