* Enterprise BYOK key management for the current workspace's mothership. * * Unlike the cross-environment admin inspector (`/api/admin/mothership`), this * talks to the SAME copilot the workspace's mothership actually runs on — * `SIM_AGENT_API_URL` (local in dev, prod copilot in prod) — and aut
()
| 28 | * request and is resolved by the caller from the route. |
| 29 | */ |
| 30 | async function getAuthorizedSuperUserId(): Promise<string | null> { |
| 31 | const session = await getSession() |
| 32 | if (!session?.user?.id) return null |
| 33 | |
| 34 | const [currentUser] = await db |
| 35 | .select({ role: user.role, superUserModeEnabled: settings.superUserModeEnabled }) |
| 36 | .from(user) |
| 37 | .leftJoin(settings, eq(settings.userId, user.id)) |
| 38 | .where(eq(user.id, session.user.id)) |
| 39 | .limit(1) |
| 40 | |
| 41 | const authorized = currentUser?.role === 'admin' && (currentUser.superUserModeEnabled ?? false) |
| 42 | return authorized ? session.user.id : null |
| 43 | } |
| 44 | |
| 45 | async function forwardToCopilot( |
| 46 | method: 'GET' | 'POST' | 'DELETE', |