Backend User Entity & Secrets Ownership Model (#608 Phase 1-2)
✅ File: autobot-user-backend/knowledge/pipeline/models/entity.py
- Added
"USER"toEntityTypeliteral type - Enables user entities in knowledge graph
✅ File: autobot-user-backend/models/secret.py (NEW)
-
Complete SQLAlchemy model for secrets with ownership
-
Fields:
owner_id: User who owns the secret (UUID, indexed)scope: Visibility level (user/session/shared)session_id: For session-scoped secrets (indexed)shared_with: JSONB array of user IDs for shared secretsencrypted_value: Fernet-encrypted secret valuetype,name,description,tags,expires_atis_active: Soft activation/deactivationmetadata: JSONB for additional data- Timestamps:
created_at,updated_at
-
Methods:
is_accessible_by(user_id, session_id): Access control logicshare_with(user_id): Add user to shared access listunshare_with(user_id): Remove user from shared accessactivate()/deactivate(): Manage active statusis_expired: Property for expiration checking
✅ File: autobot-user-backend/database/migrations/002_create_secrets_table.py (NEW)
- Alembic migration for secrets table
- Indices:
ix_secrets_owner_idix_secrets_nameix_secrets_typeix_secrets_scopeix_secrets_session_id- Composite:
ix_secrets_owner_scopefor common queries
- Full upgrade/downgrade support
✅ File: autobot-user-backend/models/secret_test.py (NEW)
- 15 test functions covering:
- Secret creation and properties
- Expiration logic
- Access control for all scope types (user/session/shared)
- Share/unshare operations
- Database persistence (structure ready, needs DB fixture)
autobot_memory_graph.core module is missing
- Current code references
.coreimport but file doesn't exist - Need to either:
- Create core.py with ENTITY_TYPES, AutoBotMemoryGraphCore
- OR refactor imports to use existing structure
Affected Files:
autobot-user-backend/autobot_memory_graph/__init__.py(line 33)- All memory graph mixins (entities.py, secrets.py, etc.)
📋 Not Started - Blocked by #1
- Create
create_user_entity()in memory graph - User entity with user_id, username, metadata
- Relationships: user -> session, user -> secret
📋 Not Started
- Update
autobot-user-backend/api/secrets.py:- Extract user_id from JWT token
- Pass owner_id to secret creation
- Filter secrets by ownership in list/get endpoints
- Implement share/unshare endpoints
📋 Not Started
- Integrate with existing
encryption_service.py - OR implement Fernet encryption in secrets API
- Key management and rotation
📋 Not Started
- Connect to existing user_management database
- OR set up separate secrets database
- Implement async session management
📋 Not Started
- Secret creation with user ownership
- Access control enforcement
- Session-scoped secret lifecycle
- Share/unshare workflows
User (from user_management.models.user)
└─> owns Secret (models.secret)
├─> scope: "user" (accessible across all sessions)
├─> scope: "session" (only in specific session_id)
└─> scope: "shared" (accessible to users in shared_with list)
- Owner: Always has access (any session)
- Session-scoped: Requires matching session_id
- Shared: User ID must be in shared_with array
- User-scoped: Only owner can access
CREATE TABLE secrets (
id UUID PRIMARY KEY,
owner_id UUID NOT NULL, -- FK to users.id
name VARCHAR(256) NOT NULL,
type VARCHAR(50) NOT NULL,
scope VARCHAR(20) NOT NULL DEFAULT 'user',
session_id VARCHAR(128),
shared_with JSONB NOT NULL DEFAULT '[]',
encrypted_value TEXT NOT NULL,
description VARCHAR(1024),
tags JSONB NOT NULL DEFAULT '[]',
expires_at TIMESTAMPTZ,
is_active BOOLEAN NOT NULL DEFAULT TRUE,
metadata JSONB NOT NULL DEFAULT '{}',
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
);
CREATE INDEX ix_secrets_owner_id ON secrets(owner_id);
CREATE INDEX ix_secrets_scope ON secrets(scope);
CREATE INDEX ix_secrets_session_id ON secrets(session_id);
CREATE INDEX ix_secrets_owner_scope ON secrets(owner_id, scope);-
Fix Memory Graph Core (Blocker)
- Investigate missing core.py module
- Either restore or refactor imports
-
Complete User Entity Operations
- Add create_user_entity() to memory graph
- Test user entity CRUD
-
Integrate Database
- Run migration 002
- Connect to PostgreSQL
- Verify table creation
-
Update Secrets API
- Extract user_id from JWT
- Use Secret model instead of file storage
- Implement ownership filtering
-
Add Encryption
- Integrate Fernet encryption
- Secure key management
-
Integration Tests
- End-to-end secret lifecycle
- Access control validation
autobot-user-backend/models/secret.py(280 lines)autobot-user-backend/models/secret_test.py(370 lines)autobot-user-backend/database/migrations/002_create_secrets_table.py(110 lines)IMPLEMENTATION_STATUS.md(this file)
autobot-user-backend/knowledge/pipeline/models/entity.py(+1 line)- Added "USER" to EntityType
- User entity operations in memory graph
- Secret-to-user relationships
- Existing user_management system (users table)
- PostgreSQL with JSONB support
- SQLAlchemy async
- Fernet encryption (cryptography package)
- FastAPI JWT authentication
- Secret model properties
- Access control logic
- Share/unshare operations
- Scope validation
- Database persistence
- Encryption/decryption
- API endpoints with authentication
- Memory graph integration
- Full secret lifecycle
- Multi-user sharing
- Session-scoped cleanup
- Expiration handling