
Document the app config hive #272

Merged: maximelb merged 2 commits into master from docs-app-hive on Jun 14, 2026


maximelb (Contributor) commented Jun 14, 2026

Summary

Documents the new app config hive introduced in legion_config_hive (Add `app` hive for AI-generated iframe web apps and follow-ups). The app hive stores user-authored, AI-generated mini web applications — each record is a single self-contained HTML document rendered in a sandboxed `<iframe>` in the LimaCharlie web UI.

What's added

  • New page docs/7-administration/config-hive/apps.md covering:
    • What the hive is and the single-document rationale (schema_version forward-compat).
    • The security model: the per-viewer scoped iframe JWT (granted = required_permissions ∩ viewer_permissions) and the three write-time invariants that defeat the confused-deputy escalation (perm must be real/JWT-issuable, non-root, and already held by the author).
    • CSP egress allowlisting via allowed_origins (third-party https) and required_services (first-party search/replay/cases/ai).
    • Full record format table for every field, with size/count bounds and the 10 MB record cap.
    • The dedicated app.* permissions that gate app-record management (distinct from the app's own required_permissions).
    • REST / Python / Go / CLI management examples (list, get, create/update, delete, enable/disable).
  • Added an Apps section to the Permissions Reference for the new app.get/set/del/get.mtd/set.mtd permissions (added in go-essentials).
  • Linked the page from the Config Hive index and the mkdocs nav.

🤖 Generated with Claude Code
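
A small model of the security rule summarized in the description above, added here as an illustration; it is not part of the PR or of LimaCharlie's code. The permission names, the `ISSUABLE` and `ROOT` sets, and the function names are constructed assumptions. It shows why the "already held by the author" invariant bounds what the per-viewer iframe JWT can hand to the author's code.

```python
# Added illustration, not LimaCharlie code. All permission names are constructed.
ISSUABLE = frozenset({"example.read", "example.write", "example.task"})  # assumed catalogue
ROOT = frozenset({"example.root"})  # assumed set of root-level permissions


def write_violations(required, author_perms):
    """Return write-time invariant violations for a record's required_permissions."""
    problems = []
    for perm in sorted(required):
        if perm in ROOT:
            problems.append((perm, "root permission"))
        elif perm not in ISSUABLE:
            problems.append((perm, "not a real, JWT-issuable permission"))
        elif perm not in author_perms:
            problems.append((perm, "not held by the author"))
    return problems


def iframe_grant(required, viewer_perms):
    """Scope of the per-viewer iframe JWT: required_permissions ∩ viewer_permissions."""
    return set(required) & set(viewer_perms)


def author_gain(required, author_perms, viewer_perms):
    """Permissions the app would exercise through a viewer that its author lacks."""
    return iframe_grant(required, viewer_perms) - set(author_perms)


if __name__ == "__main__":
    author = {"example.read"}
    admin_viewer = {"example.read", "example.write", "example.task"}
    # First record asks only for what the author holds; the second asks for more.
    for required in ({"example.read"}, {"example.read", "example.task"}):
        print(sorted(required),
              "violations:", write_violations(required, author),
              "author gain via admin viewer:",
              sorted(author_gain(required, author, admin_viewer)))
```

Any record that passes `write_violations` has `required_permissions` contained in the author's own permissions, so `author_gain` is empty for every viewer.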

maximelb and others added 2 commits June 14, 2026 08:14
Add documentation for the new `app` hive (AI-generated, single-document
iframe web apps): record format, the per-viewer scoped-JWT security model
and write-time permission invariants, CSP egress allowlisting via
allowed_origins/required_services, the playbook.* management permissions,
and REST/Python/Go/CLI management examples.

Wire the new page into the Config Hive index and the mkdocs nav.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

The app hive now has its own app.* permission set (added in go-essentials)
rather than reusing playbook.*. Update the apps page and the permissions
reference accordingly.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
maximelb requested a review from lcbill June 14, 2026 21:03
maximelb added the to-code-review label (Used to tag PRs that are force-pushed and will need to be reviewed after the fact.) Jun 14, 2026
maximelb merged commit 32cdede into master Jun 14, 2026
2 checks passed
maximelb deleted the docs-app-hive branch June 14, 2026 21:03