Layer gated admin writes onto the read-only GPS-audit skill, driven through occ over SSH (same paramiko/vault/filecache plumbing): - user lifecycle (add/delete/enable/disable/reset-password/modify), quota get/set/reset, groups (create/delete/members), read-only share listing (from oc_share; occ has no share create/list), apps, system config, maintenance mode, files scan, ownership transfer, trashbin/versions cleanup. - All writes gated behind --confirm (refuse -> rc 3); hard-fail guards (rc 2) for invalid uid, missing password, and all-users cleanup with no target. - --all-users trashbin/versions purge now ALSO requires --force-all-users in addition to --confirm, so a single stray --confirm cannot trigger an irreversible fleet-wide purge. Built against the verified live occ surface (occ list / occ help), not guessed flags. Fixes from code-review + security-review: Python-side share filtering (no MySQL SQL-injection via '' -doubling), occ reads no longer mask a failed read as healthy (maintenance/quota/config), guarded json.loads, clean --json output, and '--' end-of-options guards so dash-leading uids can't be parsed as occ flags. dry_test.sh added as a non-destructive regression harness (43 checks). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
28 KiB
28 KiB