fix(auth): first direct signup is not provisioned as super_admin #21
Open
opened 2026-05-19 22:24:00 +00:00 by simon
·
0 comments
No Branch/Tag specified
main
codex/docs-menu-link
ci/forgejo-ansible-api-debian
ci/forgejo-nexus-docker-proxy-apk
ci/forgejo-nexus-docker-proxy
release-please--branches--main
chore/sync-shared-agent-instructions-25823681308
fix/agent-token-url-modal
chore/sync-shared-agent-instructions-25823634922
codex/fix-docker-inventory-conn-busy
codex/docker-host-retention-done
codex/docker-host-retention
codex/docker-global-retention
codex/fix-ansible-host-log-scope
codex/fix-people-direct-signups
codex/show-unscoped-pending-users
codex/fix-people-after-org-removal
codex/remove-org-task-11-run8
codex/fix-dashboard-instance-scope
codex/remove-org-task-11-run6
codex/remove-org-task-5-run3
codex/remove-org-task2-auth-onboarding
codex/remove-org-task1-reset-schema
fix/install-api-403
fix/bundle-agent-0343
fix/agent-self-update-release-probe
fix/web-release-self-update-cert
fix/agent-self-update-download-tls
fix/patch-age-calendar-days
codex/carrtech-ct-ops-brand
fix/auth-2fa-login-action
perf/password-manager-user-experience
codex/legal-notice-licence-tiers
codex/legal-risk-disclaimer
feat/password-manager-task15-e2e-v2
feat/password-manager-route-shell
codex/task7-password-manager-bundle-v2
fix/bug-scan-agent-org-token
fix/issue-908-ldap-2fa-run2
fix/issue-908-ldap-2fa
fix/issue-888-notification-access
copilot/fix-privileged-server-actions
copilot/fix-slack-webhook-credential-exposure
copilot/fix-cross-user-inbox-access
copilot/fix-drizzle-migration-metadata-drift
chore/sync-shared-agent-instructions-25329056889
chore/sync-shared-agent-instructions-25326253587
feat/password-vault-schema
docs/password-vault-architecture
chore/sync-shared-agent-instructions-25313095713
chore/sync-shared-agent-instructions-25312041197
docs/remove-ct-passwd-plan
docs/ct-passwd-dedicated-repo-note
automation/impliment-ct-passwd
feat/licence-verifier-key-rotation
docs/ct-passwd-implementation-plan
fix/seat-licence-activation-refresh
fix/upgrade-licence-key-perms
fix/upgrade-missing-backup
fix/force-web-licence-key-release
fix/release-fetch-licence-public-key
feat/licence-public-key-repo
fix/invite-membership
feat/ct-ops-seat-expiry-admission
fix/start-tls-dir-permissions
fix/web-entrypoint-postgres-env
codex/add-upgrade-helper
codex/fix-installer-web-release
fix/install-db-url-password
docs/plugin-auth-licensing
docs/ct-cve-final-residue-audit
fix/web-release-cve-cleanup
fix/ct-cve-release-guidance
feat/ct-cve-residue-audit
feat/remove-ct-cve-source-settings
feat/ct-cve-connector-setup-ui
feat/ct-cve-gui-logs
feat/ct-cve-next-task
codex/fix-auth-cookie-redirect-loop
fix/auth-redirect-loop
feat/ct-cve-connection-status
feat/ct-cve-inventory-export
feat/ct-cve-finding-ingest
feat/ct-ops-ct-cve-connector
feat/ct-cve-source-config-ui
feat/ct-cve-gui-phase8
docs/track-ct-cve-distro-sync
ct-cve-phase7-next
docs/track-ct-cve-feed-sync
ct-cve-next-slice
docs/track-ct-cve-release-publishing
docs/ct-cve-dependent-product-plan
feat/ct-cve-bootstrap
ct-cve-api-contract
docs/licensing-ui-seat-docs
docs/migration-coordination-refresh
feat/remove-pro-core-gates
feat/remove-pro-gates
feat/seat-capacity-model
docs/migration-plan-cleanup-rule
feat/seat-enforcement
docs/free-enterprise-seat-licensing
docs/ct-cve-migration-plan
automation/create-e2e-tests-for-ct-ops-20260429n
codex/tighten-rpm-version-compare
codex/redhat-csaf-package-ingest
automation/create-e2e-tests-for-ct-ops-20260429m
automation/create-e2e-tests-for-ct-ops-20260429k
fix/delete-host-patch-status
automation/create-e2e-tests-for-ct-ops-20260429j
fix/enrolment-token-command
automation/create-e2e-tests-for-ct-ops-20260429i
automation/create-e2e-tests-for-ct-ops-20260429T090218Z
automation/create-e2e-tests-for-ct-ops-20260429g
codex/rhel-compatible-rpm-hosts
codex/confirmed-linux-cve-matching
automation/create-e2e-tests-for-ct-ops-20260429f
fix/issue-760-tooling-role-gate
fix/agent-update-version-discovery
automation/create-e2e-tests-for-ct-ops-20260429e2
automation/create-e2e-tests-for-ct-ops-20260429e
codex/create-e2e-tests-for-ct-ops-20260429
fix/issue-743-install-token-leak
automation/create-e2e-tests-for-ct-ops-20260429d
automation/create-e2e-tests-for-ct-ops-20260429c
daily-bug-scan-20260429
automation/create-e2e-tests-for-ct-ops-20260429b
test/web-e2e-coverage-20260429
codex/create-e2e-tests-for-ct-ops-20260428run3
automation/create-e2e-tests-for-ct-ops-20260428run2
automation/create-e2e-tests-for-ct-ops-20260428z
codex/build-docs-rich-editor
automation/create-e2e-tests-for-ct-ops-20260428k
feat/vulnerability-detail-modal
fix/web-directory-lookup-e2e-release
automation/create-e2e-tests-for-ct-ops-20260428j
feat/vulnerability-management-interface
fix/web-certificate-checker-private-targets
feat/admin-ingest-status
automation/create-e2e-tests-for-ct-ops-20260428i
automation/create-e2e-tests-for-ct-ops-20260428h
codex/build-docs-capability
feat/linux-cve-checking
automation/create-e2e-tests-for-ct-ops-20260428g
fix/password-reset-smtp-relay
automation/create-e2e-tests-for-ct-ops-20260428f
feat/support-data-script
codex/create-e2e-tests-for-ct-ops
fix/agent-auto-update
feat/patch-status-report
codex/create-e2e-tests-for-ct-ops-20260428-100235
fix/move-network-tab
fix/web-admin-e2e-release
automation/create-e2e-tests-for-ct-ops-20260428090108
feat/admin-layout
automation/create-e2e-tests-for-ct-ops-20260428e
fix/e2e-auth-session-harness
feat/smtp-relay-test-recipient
codex/create-e2e-tests-for-ct-ops-20260428
automation/create-e2e-tests-for-ct-ops-20260428c
automation/create-e2e-tests-for-ct-ops-20260428b
automation/create-e2e-tests-for-ct-ops-20260428
feat/e2e-coverage-20260428
codex/create-e2e-tests-for-ct-ops-20260428-000235
fix/docs-pnpm-install-eagain
feat/central-smtp-settings
automation/create-e2e-tests-for-ct-ops-20260427
codex/email-verification-resend
docs/conventional-pr-titles
feat/notification-purge
docs/agents-worktree-instructions
codex/optional-email-verification
codex/add-test-completion-rule
codex/update-agent-security-rules
fix/issue-319-agent-config-perms
automation/create-e2e-tests-for-ct-ops
codex/fix-customer-bundle-image-ref-export
fix/web-docker-pnpm-retry
codex/fix-agent-heartbeat-jwt
codex/ssh-backed-terminal-access
automation/e2e-coverage-20260426
fix/bundle-transfer-mtls
fix/bundle-transfer-streaming
feat/bundle-transfer
fix/issue-274-session-auth
fix/bundle-transfer-route-types
feat/gitlab-latest-target
fix/pin-buildkit-image
feature/gitlab-bundler
fix/plugin-download-status
fix/web-installer-release-checks
fix/installer-release-bundle
claude/jenkins-plugin-dependency-test-GRblf
claude/jenkins-bundler-offline-script
claude/validate-jenkins-java-compatibility-5ee9d
claude/ingest-slowloris-fix
claude/jenkins-bundler-java-and-war-only
claude/release-event-trigger-recovery
claude/fix-release-docker-publish-dispatch
claude/debug-github-actions-HrpO8
claude/fix-duplicate-builds-0pL35
claude/jenkins-plugin-automation-pMCDp
claude/resolve-pr520-conflicts-LPXcm
claude/debug-github-actions-aH3Ce
claude/cleanup-github-actions-runners-wy27V
claude/fix-install-script-skip-verify
claude/fix-nginx-tls-init
claude/verify-secure-comms-MIPad
claude/debug-agent-install-3zc05
claude/add-mtls-security-PWQM7
feat/bake-agent-binaries-into-web-image
chore/rename-to-ct-ops
security/grpc-limits-jwt-symlink-perms
claude/fix-cloudflare-tunnel-terminal-ZVhJB
ci/self-hosted-runners
claude/pensive-dijkstra-6dd249
fix/ingest-dockerfile-harden
claude/github-issue-work-MkOq4
claude/fix-cloudflare-origin-error-IzjG1
claude/sweet-buck-4ebfe3
claude/add-support-uploads-qzgsl
claude/amazing-austin-35334d
claude/add-doc-reference-links-n6WPJ
feat/support-admin-health
feat/support-ticket-autorefresh
feat/support-markdown-rendering
fix/support-ai-trees-search
fix/support-worker-tool-logging
fix/support-worker-env
chore/support-env-example
claude/amazing-zhukovsky-65a873
claude/agent-windows-eventlog
claude/nervous-cannon-2c1634
claude/plan-ct-ops-features-SAqqo
fix/issue-357-agent-log-mode
fix/issue-352-timing-safe-comparisons
fix/issue-348-drop-sha1-fingerprint
fix/issue-350-env-example-comments
fix/issue-349-dev-tls-cert-expiry
fix/dependabot-broaden-major-ignores
fix/react-hooks-set-state-in-effect
fix/361-sast-scans
fix/363-secret-scanning
fix/364-sbom-per-release
fix/362-dependabot-config
fix/360-security-disclosure-policy
claude/thirsty-edison-812951
claude/condescending-gagarin-4aafe0
claude/romantic-volhard-f6eb45
claude/zealous-spence-f524ef
claude/cool-matsumoto-cf7094
claude/stripe-price-source-of-truth
claude/flat-pricing-no-seats
claude/mystifying-lichterman-e5b806
claude/distracted-ishizaka-91a269
claude/fix-deploy-docs-package-filter
claude/remove-licence-public-key-override
claude/recursing-yalow-0cd636
claude/amazing-kare-6c9f0d
claude/github-issues-Gxgxu
claude/improve-readme-Yb7v7
claude/github-issue-j7rds
fix/c09-delete-certificate-auth-check
fix/licence-purchase-contact-display
fix/licence-purchase-bootstrap-org
claude/recursing-driscoll-2d51a4
feat/notes-data-layer
claude/confident-heyrovsky-7750cb
feat/command-palette-scaffold
claude/competent-vaughan-38eeea
claude/keen-nobel-d2f362
claude/practical-ramanujan-275b00
revert/remove-podman-support
fix/rootless-podman-session-check
fix/podman-compose-compat
fix/podman-compose-missing-provider
claude/frosty-grothendieck-03ca48
claude/competent-roentgen-d7b502
claude/zen-wright-dfe08f
feat/podman-runtime-detection
claude/determined-rosalind-475a9a
claude/fix-ramp-sem-leak
claude/fix-connpool-negative-index
claude/fix-runid-test-flake
claude/loadtest-admin-key-forward
claude/cool-spence-511593
claude/nice-galileo-ea5007
claude/dreamy-knuth-258473
claude/fix-enrolment-url-env-JS3qR
claude/cert-checker-paste-and-key-input
claude/ssl-certificate-checker-kvI78
claude/update-start-sh-repo-CaoP7
claude/elated-taussig-d1af01
claude/work-github-issue-mi6fu
feat/directory-lookup-improvements
claude/funny-yalow-44f103
fix/directory-lookup-error-surfacing
feat/directory-lookup
docs/networks-graph-vuepress
feat/terminal-font-size
feat/terminal-tabs-and-splits
copilot/add-tty-terminal-capability
feat/network-graph-dashed-edges
feat/network-graph-animated-edges
feat/networks
copilot/fix-system-diagram-image-aspect-ratio
feat/migrate-docs-to-vuepress
fix/deploy-docs-pnpm-version
gh-pages
feat/docusaurus-docs-site
fix/export-rate-limit-and-error-modal
fix/software-report-chart-darkmode
feat/software-report-charts-firstseen
feat/software-report-unified-table
fix/delete-host-software-scans-fk
fix/delete-host-cascade
fix/delete-host-notifications-fk
fix/jwt-key-db-persistence
fix/inventory-failed-scan-visibility
fix/inventory-scan-polling
feat/software-report-improvements
fix/monitoring-cpu-spikes-and-alert-evaluation
fix/software-report-select-empty-value
fix/reports-fragment-keys
fix/windows-registry-import-conflict
feature/software-inventory
fix/agent-uninstall-cgroup-escape
feature/host-delete-uninstall-agent
feature/terminal-fixed-bottom
feature/host-notification-charts
feature/notification-trend-timerange
fix/notification-chart-axis-labels
feature/notification-improvements
feature/notification-channels
feature/terminal-ux-improvements
feature/terminal-persist-tabs
fix/terminal-panel-provider-scope
feature/terminal-panel-tabs
fix/terminal-login-auth
feature/terminal-per-user-auth
fix/terminal-shell-env-and-alma
fix/terminal-heartbeat-response-push
fix/terminal-agent-connection-diagnostics
fix/terminal-xterm-hidden-container
fix/terminal-heartbeat-and-ws-url
feat/chart-zoom-metrics-bucketing
docs/progress-update-sessions-21-27
feat/106-agent-task-framework
feat/105-host-groups
feat/101-token-list-copy-actions
fix/92-ldap-cert-preview-height
fix/92-ldap-cert-textarea-overflow
fix/heartbeat-liveness-check
fix/enrollment-token-usage-count
feat/agent-uninstall
feat/phase4-service-accounts
fix/agent-checks-reliability
fix/ci-agent-dist-missing
feat/phase2-complete-session15
claude/youthful-blackwell
fix/agent-heartbeat-backoff-reset
ci/inline-customer-bundle
fix/customer-bundle-dispatch
feat/customer-bundle
fix/ingest-bake-manifest-no-source-deps
fix/agent-self-update-restart
ci/docker-multi-arch
fix/start-pull-from-ghcr
copilot/explain-repository-structure
feat/agent-version-flag-and-ui-version
feat/alert-rules-and-notifications
release-please--branches--main--components--agent
feat/host-realtime-sse
bundle/v0.28.7
web/v0.160.0
bundle/v0.28.6
web/v0.159.5
bundle/v0.28.5
web/v0.159.4
bundle/v0.28.4
bundle/v0.28.3
web/v0.159.3
web/v0.159.2
bundle/v0.28.2
web/v0.159.1
bundle/v0.28.1
forgejo-ci-proof/v2026.05.17.2
ansible-api/v0.5.0
bundle/v0.28.0
web/v0.159.0
bundle/v0.27.3
web/v0.158.2
bundle/v0.27.2
ingest/v0.17.2
bundle/v0.27.1
ingest/v0.17.1
web/v0.158.1
bundle/v0.27.0
ingest/v0.17.0
web/v0.158.0
bundle/v0.26.0
bundle/v0.25.1
web/v0.157.1
bundle/v0.25.0
web/v0.157.0
bundle/v0.24.0
web/v0.156.0
bundle/v0.23.0
web/v0.155.0
ansible-api/v0.4.0
bundle/v0.22.0
web/v0.154.0
bundle/v0.21.0
web/v0.153.0
bundle/v0.20.3
web/v0.152.2
bundle/v0.20.2
bundle/v0.20.1
web/v0.152.1
bundle/v0.20.0
web/v0.152.0
bundle/v0.19.4
web/v0.151.4
bundle/v0.19.3
web/v0.151.3
bundle/v0.19.2
web/v0.151.2
bundle/v0.19.1
web/v0.151.1
bundle/v0.19.0
web/v0.151.0
bundle/v0.18.1
web/v0.150.1
bundle/v0.18.0
bundle/v0.17.0
ingest/v0.16.0
web/v0.150.0
bundle/v0.16.0
web/v0.149.0
bundle/v0.15.1
ingest/v0.15.1
bundle/v0.15.0
web/v0.148.0
agent/v0.38.1
bundle/v0.14.1
web/v0.147.1
bundle/v0.14.0
ingest/v0.15.0
web/v0.147.0
bundle/v0.13.0
ingest/v0.14.0
web/v0.146.0
bundle/v0.12.0
web/v0.145.0
bundle/v0.11.0
ingest/v0.13.0
bundle/v0.10.0
web/v0.144.0
bundle/v0.9.0
web/v0.143.0
bundle/v0.8.0
web/v0.142.0
agent/v0.38.0
bundle/v0.7.0
ingest/v0.12.0
web/v0.141.0
agent/v0.37.0
bundle/v0.6.0
web/v0.140.0
bundle/v0.5.0
ingest/v0.11.0
web/v0.139.0
agent/v0.36.0
bundle/v0.4.0
web/v0.138.0
bundle/v0.3.0
ingest/v0.10.0
web/v0.137.0
agent/v0.35.0
bundle/v0.2.0
ansible-api/v0.3.3
bundle/v0.1.7
bundle/v0.1.6
web/v0.136.2
bundle/v0.1.5
bundle/v0.1.4
web/v0.136.1
bundle/v0.1.3
bundle/v0.1.2
bundle/v0.1.1
ansible-api/v0.3.2
ansible-api/v0.3.1
ansible-api/v0.3.0
web/v0.136.0
web/v0.135.2
web/v0.135.1
web/v0.135.0
web/v0.134.0
web/v0.133.1
web/v0.133.0
web/v0.132.1
web/v0.132.0
web/v0.131.9
Labels
Clear labels
E2E Failure
Regression found by end-to-end automation
area:agent
Go agent
area:audit-log
Audit logging
area:auth
Authentication
area:authz
Authorisation / RBAC
area:ci
CI / tooling / scanning
area:crypto
Cryptography / secrets
area:db
Database / schema
area:docker
Docker / deployment
area:headers
HTTP headers / CSP
area:ingest
gRPC ingest service
area:ldap
LDAP integration
area:rate-limit
Rate limiting / abuse prevention
area:ssrf
Server-side request forgery
area:supply-chain
Supply chain / deploy
area:terminal
Terminal / PTY
autorelease: pending
autorelease: tagged
bug
Something isn't working
claude-working
documentation
Improvements or additions to documentation
duplicate
This issue or pull request already exists
enhancement
New feature or request
good first issue
Good for newcomers
help wanted
Extra attention is needed
invalid
This doesn't seem right
priority: critical
Critical - blocking or data loss
priority: high
High priority - should be addressed soon
priority: low
Low priority - nice to have
priority: medium
Medium priority - address after high priority items
question
Further information is requested
security
Security finding from pre-pentest audit
sev:critical
Severity: Critical
sev:high
Severity: High
sev:info
Severity: Informational / Hardening
sev:low
Severity: Low
sev:medium
Severity: Medium
tests-required
Needs tests or stronger coverage before fix is complete
wontfix
This will not be worked on
No labels
E2E Failure
area:agent
area:audit-log
area:auth
area:authz
area:ci
area:crypto
area:db
area:docker
area:headers
area:ingest
area:ldap
area:rate-limit
area:ssrf
area:supply-chain
area:terminal
autorelease: pending
autorelease: tagged
bug
claude-working
documentation
duplicate
enhancement
good first issue
help wanted
invalid
priority: critical
priority: high
priority: low
priority: medium
question
security
sev:critical
sev:high
sev:info
sev:low
sev:medium
tests-required
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".
No due date set.
Dependencies
No dependencies set.
Reference
carrtech/ct-ops#21
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
During a fresh CT-Ops install validation on 2026-05-19, I registered the first local user through the Better Auth sign-up endpoint after starting the stack from a clean database.
Expected: the first direct sign-up should be provisioned as
super_admin, matchingapps/web/lib/auth/signup-provisioning.tsand the getting-started flow.Actual: the created user had
role = engineer,roles = [],email_verified = false, andinstance_id = NULL. This blocks the documented first-run path because creating auto-approve enrolment tokens requiressuper_admin.Evidence from the clean VM database after sign-up:
Environment: Ubuntu 24.04 Vagrant VM, Docker 29.1.3, Compose 2.40.3, CT-Ops stack started with
./start.sh,REQUIRE_EMAIL_VERIFICATION=false,BETTER_AUTH_URL=https://192.168.8.237.Suggested fix: investigate whether the Better Auth user create hook return value is being ignored or overwritten, and add an integration/E2E assertion that the first direct local sign-up receives
super_admin,roles=["super_admin"], and the default instance id.