RBAC - 5

[lbedner]

No description provided.

[Copilot]

Pull request overview

This PR extends the auth/RBAC + org feature set by splitting RBAC-related schema changes into a separate migration, adding a “schema mismatch” detection + fix workflow, and updating generated backend/frontend templates to support org management and an auth-disable dev mode.

Changes:

• Add auth_rbac as an ALTER-only migration spec and update migration generation/tests accordingly.
• Add “schema mismatch” detection on backend startup plus a make migrate-fix workflow that generates an additive Alembic migration.
• Introduce AUTH_ENABLED toggle and update auth/org API + frontend auth modal to support orgs tab and optional auth bypass.

Reviewed changes

Copilot reviewed 18 out of 18 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
aegis/core/migration_generator.py	Adds alter-table migration support and introduces auth_rbac migration spec + migration template changes.
tests/core/test_migration_generator.py	Adds/updates tests for auth_rbac service detection and generated migration contents.
aegis/templates/copier-aegis-project/{{ project_slug }}/Makefile.jinja	Adds migrate-fix target to generate/apply additive fix migrations.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/cli/migrate_fix.py.jinja	New CLI module that diffs models vs DB and generates additive Alembic migrations.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/startup/database_init.py.jinja	Adds schema mismatch detection and refactors signature stamping for migrations.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/core/config.py.jinja	Adds AUTH_ENABLED setting.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/auth/auth_service.py.jinja	Adds auth bypass behavior (synthetic dev user) and adjusts token handling for optional bearer tokens.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/auth/router.py.jinja	Makes bearer token optional at the dependency level (auto_error=False) and passes through to auth service.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/backend/api/orgs/router.py.jinja	Makes bearer token optional and adds dev-mode bypass for org membership checks.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/services/auth/health.py.jinja	Adds org-count metrics to auth health metadata when org auth is enabled.
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/frontend/dashboard/modals/auth_orgs_tab.py.jinja	New Organizations tab for the auth modal (org list + expandable members + delete).
aegis/templates/copier-aegis-project/{{ project_slug }}/app/components/frontend/dashboard/modals/auth_modal.py.jinja	Conditionally adds the Organizations tab into the auth modal UI.
aegis/templates/copier-aegis-project/{{ project_slug }}/.env.example.jinja	Adds AUTH_ENABLED=false example env var.
aegis/core/auth_service_parser.py	Extends auth bracket syntax to support auth[level,engine].
aegis/core/service_resolver.py	Applies auth engine override by swapping in database[engine] component dependency.
aegis/cli/callbacks.py	Wires auth bracket syntax parsing into interactive selections (including DB engine selection).
aegis/i18n/locales/en.py / aegis/i18n/locales/zh.py	Marks RBAC/org auth levels as “experimental” in prompts.