banshee86vr
diff --git a/‎.env.example‎
Lines changed: 23 additions & 15 deletions b/‎.env.example‎
Lines changed: 23 additions & 15 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 8 additions & 3 deletions b/‎CHANGELOG.md‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎README.md‎
Lines changed: 25 additions & 15 deletions b/‎README.md‎
Lines changed: 25 additions & 15 deletions
diff --git a/‎backend/prisma/seed.ts‎
Lines changed: 4 additions & 1 deletion b/‎backend/prisma/seed.ts‎
Lines changed: 4 additions & 1 deletion
diff --git a/‎backend/src/config/env.ts‎
Lines changed: 85 additions & 23 deletions b/‎backend/src/config/env.ts‎
Lines changed: 85 additions & 23 deletions
diff --git a/‎backend/src/middleware/auth.ts‎
Lines changed: 7 additions & 1 deletion b/‎backend/src/middleware/auth.ts‎
Lines changed: 7 additions & 1 deletion
@@ -8,7 +8,7 @@ NODE_ENV=development
 # Backend server port
 PORT=3001
 
-# Frontend URL (for OAuth callback redirects)
+# Frontend URL (for OAuth callback redirects when AUTH_ENABLED=true)
 FRONTEND_URL=http://localhost:5173
 
 # ===================================
@@ -24,30 +24,41 @@ FRONTEND_URL=http://localhost:5173
 LOG_LEVEL=INFO
 
 # ===================================
-# GitHub Integration (Required)
+# GitHub scanner (machine identity)
 # ===================================
 
-# GitHub Personal Access Token for API access
-# Required scopes: repo, read:org, read:user
+# Personal access token for API scans (orgs and/or user-owned repos accessible to token)
+# Scopes vary; typically: repo, read:org, read:user
 # Create at: https://github.com/settings/tokens
 GITHUB_TOKEN=ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
-# GitHub organization to scan
-GITHUB_ORG=your-organization
+# Comma-separated GitHub login or organization slugs to scan (multi-owner)
+# Example (org + personal): GITHUB_TARGETS=my-org,myusername,other-org
+# Leave unset if you only use GITHUB_ORG below.
+GITHUB_TARGETS=
+
+# Legacy: single owner when GITHUB_TARGETS is unset (still supported)
+GITHUB_ORG=your-organization-or-username
 
 # ===================================
-# GitHub OAuth App (Required for Authentication)
+# GitHub OAuth App (human login — only when AUTH_ENABLED=true)
 # ===================================
 
-# GitHub OAuth App credentials for user authentication
+AUTH_ENABLED=true
+
 # Create a GitHub OAuth App at: https://github.com/settings/developers
 # Homepage URL: http://localhost:5173
 # Authorization callback URL: http://localhost:3001/api/auth/callback
+# When AUTH_ENABLED=false, leave client id/secret empty or omit.
 GITHUB_AUTH_CLIENT_ID=Ov23xxxxxxxxxxxxxxxxxxxxxxxxxxxx
 GITHUB_AUTH_CLIENT_SECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 
-# Session secret for cookie encryption (use a long random string)
-# Generate with: openssl rand -base64 32
+# Optional: GitHub team slug within each organization in GITHUB_TARGETS / GITHUB_ORG.
+# When set, login requires membership in that team for each org target.
+# When unset, any member of each organization target may sign in.
+GITHUB_AUTH_TEAM_SLUG=
+
+# Session secret for cookie encryption (always required — sessions still used when OAuth off)
 SESSION_SECRET=your-random-secret-key-min-32-chars-long
 
 # ===================================
@@ -72,11 +83,8 @@ SCAN_INTERVAL_MINUTES=60
 # Rate Limiting (Optional)
 # ===================================
 
-# Maximum number of repositories to scan per organization scan
-# Set to 0 for unlimited (default)
+# Maximum number of repositories per full scan (0 = unlimited)
 MAX_SCAN_LIMIT=0
 
-# Specific repositories to scan (comma-separated list)
-# Takes precedence over MAX_SCAN_LIMIT if set
-# Example: repo1,repo2,repo3
+# Optional: limit to repo short names ("a","b") or full names ("org/a","org/b") when set
 SCAN_REPOS=
@@ -4,6 +4,13 @@ All notable changes to the Renovate Bot Dashboard project.
 
 ## [Unreleased] - 2025-12-03
 
+### GitHub configuration and scanning
+
+- **Multi-owner scanning**: `GITHUB_TARGETS` accepts a comma-separated list of organization logins and/or GitHub user logins. `GITHUB_ORG` remains supported as a single-owner fallback when `GITHUB_TARGETS` is unset.
+- **Optional OAuth**: `AUTH_ENABLED=false` allows running without GitHub OAuth client credentials; `requireAuth` and `/api/auth/status` treat the instance as accessible without a GitHub login session.
+- **Authorization**: OAuth callback enforces the existing org team check for each configured **organization** target; **user** targets skip team membership.
+- **API / UI**: Settings responses include `github.targets` and `auth.enabled`. Helm and Docker Compose pass `GITHUB_TARGETS`, `AUTH_ENABLED`, and related variables.
+
 ### 🔐 Security Improvements
 
 #### Package Vulnerabilities Fixed
@@ -41,9 +48,7 @@ All notable changes to the Renovate Bot Dashboard project.
 
 #### Authentication System
 - **GitHub OAuth SSO** - Mandatory authentication for all users
-- **Team-Based Access Control** - Only authorized team members can access
-  - Default: `team_cloud_and_platforms` in `prom-candp` organization
-  - Configurable in `backend/src/routes/auth.routes.ts`
+- **Team-Based Access Control** - Only authorized GitHub users can access (team enforced when `GITHUB_AUTH_TEAM_SLUG` is set; otherwise organization membership)
 - **Login/Logout Flow** with proper session management
 - **Protected Routes** - All API endpoints require authentication
 - **User Profile** displayed in header with avatar
 
@@ -95,17 +95,22 @@ pnpm install
 
 ```bash
 # Copy example environment file
-cp backend/.env.example backend/.env
+cp .env.example .env
 ```
 
-Edit `backend/.env` with your credentials:
+Edit `.env` with your credentials:
 
 ```env
-# GitHub Configuration
+# GitHub Configuration (scanner PAT)
 GITHUB_TOKEN=ghp_your_personal_access_token_here
-GITHUB_ORG=your-organization-name
+# Owners to scan — comma-separated orgs and/or users, OR legacy single value:
+GITHUB_TARGETS=my-org,my-github-username
+# GITHUB_ORG=single-org-or-user
+
+# Optional: set to false for local/demo without OAuth app
+AUTH_ENABLED=true
 
-# GitHub OAuth (create at: https://github.com/settings/developers)
+# GitHub OAuth (when AUTH_ENABLED=true — create at: https://github.com/settings/developers)
 GITHUB_AUTH_CLIENT_ID=your_oauth_client_id
 GITHUB_AUTH_CLIENT_SECRET=your_oauth_client_secret
 
@@ -177,17 +182,17 @@ GRANT ALL PRIVILEGES ON DATABASE renovate_dashboard TO renovate;
 
 ```bash
 # Copy example environment file
-cp backend/.env.example backend/.env
+cp .env.example .env
 ```
 
-Edit `backend/.env`:
+Edit `.env`:
 
 ```env
 # GitHub Configuration
 GITHUB_TOKEN=ghp_your_personal_access_token_here
-GITHUB_ORG=your-organization-name
+GITHUB_TARGETS=my-org,my-github-username
 
-# GitHub OAuth
+AUTH_ENABLED=true
 GITHUB_AUTH_CLIENT_ID=your_oauth_client_id
 GITHUB_AUTH_CLIENT_SECRET=your_oauth_client_secret
 
@@ -366,10 +371,12 @@ pnpm run db:migrate:prod   # Deploy migrations (no prompts)
 
 | Variable                    | Description                               | How to get                                                 |
 | --------------------------- | ----------------------------------------- | ---------------------------------------------------------- |
-| `GITHUB_TOKEN`              | GitHub PAT with `repo`, `read:org` scopes | [Create token](https://github.com/settings/tokens)         |
-| `GITHUB_ORG`                | GitHub organization to monitor            | Your org name                                              |
-| `GITHUB_AUTH_CLIENT_ID`     | OAuth App Client ID                       | [Create OAuth App](https://github.com/settings/developers) |
-| `GITHUB_AUTH_CLIENT_SECRET` | OAuth App Client Secret                   | Same OAuth App                                             |
+| `GITHUB_TOKEN`              | GitHub PAT (`repo`, `read:org`, etc.)     | [Create token](https://github.com/settings/tokens)         |
+| `GITHUB_TARGETS` and/or `GITHUB_ORG` | Owners to scan (comma-separated org/user logins, or single `GITHUB_ORG`) | Your org or username on GitHub |
+| `AUTH_ENABLED`              | When `true`, GitHub OAuth is required for API access | Set `false` only for trusted local/demo use |
+| `GITHUB_AUTH_CLIENT_ID`     | OAuth App Client ID (if `AUTH_ENABLED=true`) | [Create OAuth App](https://github.com/settings/developers) |
+| `GITHUB_AUTH_CLIENT_SECRET` | OAuth App Client Secret (if `AUTH_ENABLED=true`) | Same OAuth App                                             |
+| `GITHUB_AUTH_TEAM_SLUG`     | Optional GitHub team slug for org targets; if unset, org members may sign in | —                                                          |
 | `SESSION_SECRET`            | Random string for session encryption      | Generate: `openssl rand -base64 32`                        |
 
 #### Storage Configuration
@@ -407,9 +414,12 @@ pnpm run db:migrate:prod   # Deploy migrations (no prompts)
 
 ### Team-Based Access Control
 
-By default, only users in the `team_cloud_and_platforms` team under the `prom-candp` organization can access the dashboard. To change this, modify:
+For each configured **organization** target, OAuth checks GitHub access before issuing a session:
+
+- If **`GITHUB_AUTH_TEAM_SLUG`** is set, the user must be in that team within the organization.
+- If it is unset, any **member of the organization** may sign in.
 
-- `backend/src/routes/auth.routes.ts` (lines 10-11)
+Personal (user) targets do not apply this check.
 
 ### Notification Triggers
 
 
@@ -11,7 +11,10 @@ async function main() {
     update: {},
     create: {
       id: 'app-settings',
-      githubOrg: process.env.GITHUB_ORG || 'your-organization',
+      githubOrg:
+        process.env.GITHUB_TARGETS?.trim()?.split(',').map((t) => t.trim()).filter(Boolean).join(',') ||
+        process.env.GITHUB_ORG?.trim() ||
+        'your-organization',
       scanIntervalMinutes: 60,
     },
   });
 
@@ -1,36 +1,61 @@
 import dotenv from 'dotenv';
-import { z } from 'zod';
 import path from 'path';
+import { z } from 'zod';
 
 // Load .env files - try multiple locations
 const envPaths = [
   path.resolve(process.cwd(), '../.env'), // From backend/ to root
-  path.resolve(process.cwd(), '.env'),    // From root
+  path.resolve(process.cwd(), '.env'), // From root
 ];
 
 for (const envPath of envPaths) {
   dotenv.config({ path: envPath });
 }
 
-const envSchema = z.object({
+/** Comma-separated org or user login slugs, or legacy single org via GITHUB_ORG only */
+export function parseGithubTargetLoginList(raw: {
+  GITHUB_TARGETS?: string;
+  GITHUB_ORG?: string;
+}): string[] {
+  const targets = raw.GITHUB_TARGETS?.trim();
+  if (targets) {
+    return targets.split(',').map((t) => t.trim()).filter((t) => t.length > 0);
+  }
+  const legacy = raw.GITHUB_ORG?.trim();
+  if (legacy) {
+    return [legacy];
+  }
+  return [];
+}
+
+const authEnabledSchema = z.enum(['true', 'false']).default('true');
+
+const envSchemaBase = z.object({
   NODE_ENV: z.enum(['development', 'production', 'test']).default('development'),
   PORT: z.string().default('3001'),
   DATABASE_URL: z.string().optional(),
-  
+
   // Logging configuration
   LOG_LEVEL: z.enum(['DEBUG', 'INFO', 'WARN', 'ERROR', 'NONE']).default('INFO'),
-  
-  // GitHub API access (for reading repositories and data)
-  GITHUB_TOKEN: z.string(),
-  GITHUB_ORG: z.string(),
-  
-  // GitHub OAuth App (for user authentication)
-  GITHUB_AUTH_CLIENT_ID: z.string(),
-  GITHUB_AUTH_CLIENT_SECRET: z.string(),
-  
-  // Session configuration
-  SESSION_SECRET: z.string(),
-  
+
+  // GitHub API token (scanner / server-to-server operations)
+  GITHUB_TOKEN: z.string().min(1),
+
+  /** Comma-separated logins or org names to scan */
+  GITHUB_TARGETS: z.string().optional(),
+  /** Legacy single org / user slug (fallback if GITHUB_TARGETS unset) */
+  GITHUB_ORG: z.string().optional(),
+
+  /** When false, OAuth is not used; API accepts requests without logged-in GitHub identity */
+  AUTH_ENABLED: authEnabledSchema,
+
+  GITHUB_AUTH_CLIENT_ID: z.string().optional(),
+  GITHUB_AUTH_CLIENT_SECRET: z.string().optional(),
+  /** GitHub team slug within each organization target; if unset, OAuth allows any member of the org */
+  GITHUB_AUTH_TEAM_SLUG: z.string().optional(),
+
+  SESSION_SECRET: z.string().min(1),
+
   FRONTEND_URL: z.string().default('http://localhost:5173'),
 
   // Storage mode: 'database' or 'memory' (default: memory for easy startup)
@@ -50,12 +75,41 @@ const envSchema = z.object({
   USE_REDIS: z.enum(['true', 'false']).default('false'),
 });
 
+const envSchema = envSchemaBase.superRefine((data, ctx) => {
+  const targets = parseGithubTargetLoginList(data);
+  if (targets.length === 0) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: 'Set GITHUB_TARGETS (comma-separated) and/or GITHUB_ORG to at least one owner',
+      path: ['GITHUB_TARGETS'],
+    });
+  }
+
+  if (data.AUTH_ENABLED === 'true') {
+    if (!data.GITHUB_AUTH_CLIENT_ID?.trim()) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'GITHUB_AUTH_CLIENT_ID is required when AUTH_ENABLED=true',
+        path: ['GITHUB_AUTH_CLIENT_ID'],
+      });
+    }
+    if (!data.GITHUB_AUTH_CLIENT_SECRET?.trim()) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: 'GITHUB_AUTH_CLIENT_SECRET is required when AUTH_ENABLED=true',
+        path: ['GITHUB_AUTH_CLIENT_SECRET'],
+      });
+    }
+  }
+});
+
 export const env = envSchema.parse(process.env);
 
 // Determine storage mode: use database only if explicitly set AND DATABASE_URL is provided
-const effectiveStorageMode = env.STORAGE_MODE === 'database' && env.DATABASE_URL
-  ? 'database'
-  : 'memory';
+const effectiveStorageMode =
+  env.STORAGE_MODE === 'database' && env.DATABASE_URL ? 'database' : 'memory';
+
+const githubTargets = parseGithubTargetLoginList(env);
 
 export const config = {
   nodeEnv: env.NODE_ENV,
@@ -67,11 +121,17 @@ export const config = {
   },
   github: {
     token: env.GITHUB_TOKEN,
-    org: env.GITHUB_ORG,
+    /** Normalized list of org and/or user slugs to scan */
+    targets: githubTargets,
+    /** @deprecated first target only — use `targets` */
+    org: githubTargets[0] ?? '',
   },
   auth: {
-    clientId: env.GITHUB_AUTH_CLIENT_ID,
-    clientSecret: env.GITHUB_AUTH_CLIENT_SECRET,
+    enabled: env.AUTH_ENABLED === 'true',
+    clientId: env.GITHUB_AUTH_CLIENT_ID?.trim() ?? '',
+    clientSecret: env.GITHUB_AUTH_CLIENT_SECRET?.trim() ?? '',
+    /** Trimmed team slug, or empty string to enforce org membership only */
+    teamSlug: env.GITHUB_AUTH_TEAM_SLUG?.trim() ?? '',
     sessionSecret: env.SESSION_SECRET,
   },
   frontendUrl: env.FRONTEND_URL,
@@ -83,7 +143,9 @@ export const config = {
   },
   scan: {
     specificRepos: env.SCAN_REPOS
-      ? env.SCAN_REPOS.split(',').map(r => r.trim()).filter(r => r.length > 0)
+      ? env.SCAN_REPOS.split(',')
+          .map((r) => r.trim())
+          .filter((r) => r.length > 0)
       : undefined,
   },
   redis: {
 
@@ -1,4 +1,6 @@
-import { Request, Response, NextFunction } from 'express';
+import { NextFunction, Request, Response } from 'express';
+
+import { config } from '../config/env.js';
 
 // Custom error class for auth errors
 export class AuthError extends Error {
@@ -13,6 +15,10 @@ export class AuthError extends Error {
 
 // Middleware to check if user is authenticated
 export function requireAuth(req: Request, res: Response, next: NextFunction): void {
+  if (!config.auth.enabled) {
+    next();
+    return;
+  }
   if (!req.session.user) {
     res.status(401).json({
       error: 'Unauthorized',