feat: add global viewer role and global token support

.gitignore

@@ -45,3 +45,5 @@ src/services/gcp/tmp/_output/
 src/services/namespace/vendor
 src/services/namespace/namespace
 src/services/namespace/tmp/_output/
+infrabox/local-dev/.env
+infrabox/test/api/test.json

infrabox/local-dev/.env.example

@@ -0,0 +1 @@
+INFRABOX_DB_PASSWORD=changeme

infrabox/local-dev/Makefile

@@ -0,0 +1,20 @@
+COMPOSE = DOCKER_BUILDKIT=0 COMPOSE_DOCKER_CLI_BUILD=0 \
+  docker compose -f $(CURDIR)/docker-compose.yml
+ROOT = $(CURDIR)/../..
+
+.PHONY: start stop logs frontend
+
+start:
+	@if [ ! -f .env ]; then cp .env.example .env; echo "Created .env from .env.example — edit the password before retrying."; exit 1; fi
+	$(COMPOSE) up -d
+
+stop:
+	$(COMPOSE) down
+
+logs:
+	$(COMPOSE) logs -f api
+
+frontend:
+	cd $(ROOT)/src/dashboard-client && \
+	  npm install --legacy-peer-deps --ignore-scripts && \
+	  npm run dev

infrabox/local-dev/README.md

@@ -0,0 +1,61 @@
+# InfraBox Local Dev Stack
+
+A Docker Compose environment for running the full backend stack locally,
+including PostgreSQL, MinIO, OPA, and the API server.
+
+## Quick Start
+
+```bash
+cd infrabox/local-dev
+
+# 1. Create your local config (only needed once)
+cp .env.example .env
+#    Edit .env and set INFRABOX_DB_PASSWORD to any value you like.
+
+# 2. Start the backend stack
+make start
+
+# 3. Start the frontend dev server (separate terminal)
+make frontend
+```
+
+Open http://localhost:8081 (increments automatically if 8080 is taken).
+
+**Default credentials** (created by `seed.sql` on first run):
+
+| Email | Password | Role | Project access |
+|-------|----------|------|----------------|
+| admin@local.dev | admin123 | admin | — |
+| alice@local.dev | password123 | user | Owner: project-alpha, Developer: project-beta |
+| bob@local.dev | password123 | user | none |
+
+Log in with the **email** address, not the username.
+
+## Other Commands
+
+```bash
+make logs    # tail API logs
+make stop    # tear down all containers
+```
+
+## How It Works
+
+- `seed.sql` is mounted into the postgres container and runs on first startup.
+  It inserts the required `cluster` row and the default admin user.
+- The API is exposed on host port `8090` (container port `8080`).
+- API requests from the frontend dev server are proxied to `http://localhost:8090`
+  via the webpack `proxyTable` — no manual CORS configuration needed.
+- RSA keys are reused from `infrabox/test/utils/id_rsa[.pub]` — local dev only.
+- OPA and API are built from source to pick up the latest policies and handlers.
+
+## Adding More Users
+
+```bash
+# Generate a bcrypt hash for any password
+python3 -c "import bcrypt; print(bcrypt.hashpw(b'yourpassword', bcrypt.gensalt()).decode())"
+
+docker exec local-dev-postgres-1 psql -U postgres -c "
+  INSERT INTO \"user\" (username, email, password, role)
+  VALUES ('alice', 'alice@example.com', '<bcrypt-hash>', 'user');
+"
+```

infrabox/local-dev/docker-compose.yml

@@ -0,0 +1,87 @@
+version: "3.2"
+
+services:
+    postgres:
+        build:
+            context: ../../
+            dockerfile: ./src/postgres/Dockerfile
+        environment:
+            - POSTGRES_USER=postgres
+            - POSTGRES_PASSWORD=${INFRABOX_DB_PASSWORD}
+            - POSTGRES_DB=postgres
+            - POSTGRES_HOST_AUTH_METHOD=trust
+        volumes:
+            - ./seed.sql:/docker-entrypoint-initdb.d/99_seed.sql
+        ports:
+            - "5432:5432"
+
+    minio:
+        image: minio/minio
+        command: server /data
+        environment:
+            - MINIO_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
+            - MINIO_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+        ports:
+            - "9000:9000"
+
+    opa:
+        build:
+            context: ../../
+            dockerfile: ./src/openpolicyagent/Dockerfile
+        ports:
+            - "8181:8181"
+
+    api:
+        build:
+            context: ../../
+            dockerfile: ./src/api/Dockerfile
+            args:
+                INFRABOX_BUILD_NUMBER: "3091"
+        environment:
+            - INFRABOX_VERSION=local-dev
+            - INFRABOX_DATABASE_HOST=postgres
+            - INFRABOX_DATABASE_USER=postgres
+            - INFRABOX_DATABASE_PASSWORD=${INFRABOX_DB_PASSWORD}
+            - INFRABOX_DATABASE_PORT=5432
+            - INFRABOX_DATABASE_DB=postgres
+            - INFRABOX_GENERAL_REPORT_ISSUE_URL=https://github.com/SAP/InfraBox/issues
+            - INFRABOX_STORAGE_GCS_ENABLED=false
+            - INFRABOX_STORAGE_AZURE_ENABLED=false
+            - INFRABOX_STORAGE_SWIFT_ENABLED=false
+            - INFRABOX_STORAGE_S3_ENABLED=true
+            - INFRABOX_STORAGE_S3_BUCKET=infrabox
+            - INFRABOX_STORAGE_S3_REGION=us-east-1
+            - INFRABOX_STORAGE_S3_SECURE=false
+            - INFRABOX_STORAGE_S3_ACCESS_KEY=AKIAIOSFODNN7EXAMPLE
+            - INFRABOX_STORAGE_S3_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+            - INFRABOX_STORAGE_S3_ENDPOINT=minio
+            - INFRABOX_STORAGE_S3_PORT=9000
+            - GOOGLE_APPLICATION_CREDENTIALS=
+            - INFRABOX_ROOT_URL=http://localhost:8090
+            - INFRABOX_CLUSTER_NAME=master
+            - INFRABOX_HA_ENABLED=false
+            - INFRABOX_OPA_HOST=opa
+            - INFRABOX_OPA_PORT=8181
+            - INFRABOX_OPA_PUSH_INTERVAL=30
+            - INFRABOX_ACCOUNT_SIGNUP_ENABLED=true
+            - INFRABOX_ACCOUNT_LDAP_ENABLED=false
+            - INFRABOX_ACCOUNT_SAML_ENABLED=false
+            - INFRABOX_LEGAL_PRIVACY_URL=
+            - INFRABOX_LEGAL_TERMS_OF_USE_URL=
+            - INFRABOX_GITHUB_ENABLED=false
+            - INFRABOX_GITHUB_LOGIN_ENABLED=false
+            - INFRABOX_GERRIT_ENABLED=false
+            - INFRABOX_LOG_LEVEL=debug
+        volumes:
+            - ../test/utils/id_rsa:/var/run/secrets/infrabox.net/rsa/id_rsa:ro
+            - ../test/utils/id_rsa.pub:/var/run/secrets/infrabox.net/rsa/id_rsa.pub:ro
+        ports:
+            - "8090:8080"
+        links:
+            - postgres
+            - minio
+            - opa
+        depends_on:
+            - postgres
+            - minio
+            - opa

infrabox/local-dev/seed.sql

@@ -0,0 +1,22 @@
+INSERT INTO cluster (name, active, labels, root_url, nodes, cpu_capacity, memory_capacity)
+VALUES ('master', true, '{master,default}', 'http://localhost:8090', 1, 10, 10000);
+
+-- Default admin user: admin@local.dev / admin123
+INSERT INTO "user" (username, email, password, role)
+VALUES ('admin', 'admin@local.dev', '$2b$12$QxG47fCe3dqJQCjx6Z5vy./jM7/o8cZFeudhTTfcoII0IE0PmY10m', 'admin');
+
+-- Regular users: password123
+INSERT INTO "user" (id, username, email, password, role) VALUES
+  ('aaaaaaaa-0001-0001-0001-aaaaaaaaaaaa', 'alice', 'alice@local.dev', '$2b$12$oi46ZRkcmGP4A8klhxe0reHN0FBn8.N7dupNhcjP.2S6nZjlpauzq', 'user'),
+  ('aaaaaaaa-0002-0002-0002-aaaaaaaaaaaa', 'bob',   'bob@local.dev',   '$2b$12$oi46ZRkcmGP4A8klhxe0reHN0FBn8.N7dupNhcjP.2S6nZjlpauzq', 'user');
+
+-- Sample projects
+INSERT INTO project (id, name, type) VALUES
+  ('bbbbbbbb-0001-0001-0001-bbbbbbbbbbbb', 'project-alpha', 'upload'),
+  ('bbbbbbbb-0002-0002-0002-bbbbbbbbbbbb', 'project-beta',  'upload'),
+  ('bbbbbbbb-0003-0003-0003-bbbbbbbbbbbb', 'project-gamma', 'upload');
+
+-- alice: Owner on alpha, Developer on beta; no access to gamma
+INSERT INTO collaborator (user_id, project_id, role) VALUES
+  ('aaaaaaaa-0001-0001-0001-aaaaaaaaaaaa', 'bbbbbbbb-0001-0001-0001-bbbbbbbbbbbb', 'Owner'),
+  ('aaaaaaaa-0001-0001-0001-aaaaaaaaaaaa', 'bbbbbbbb-0002-0002-0002-bbbbbbbbbbbb', 'Developer');

infrabox/test/api/docker-compose.override.yml

@@ -0,0 +1,16 @@
+version: "3.2"
+
+services:
+    postgres:
+        environment:
+            - POSTGRES_USER=postgres
+            - POSTGRES_PASSWORD=postgres
+            - POSTGRES_DB=postgres
+            - POSTGRES_HOST_AUTH_METHOD=trust
+
+    test:
+        build:
+            args:
+                INFRABOX_BUILD_NUMBER: "3091"
+        volumes:
+            - ../../../:/infrabox/context