@lovelybunch/api 1.0.78-alpha.3 → 1.0.78-alpha.4

package/dist/lib/auth/auth-manager.d.ts

@@ -98,7 +98,7 @@ export declare class AuthManager {
     /**
      * Create API key
      */
-    createApiKey(name: string, createdBy: string, scopes: string[], expiresIn?: string): Promise<{
+    createApiKey(name: string, createdBy: string, scopes: string[], expiresIn?: string, createdByRole?: UserRole): Promise<{
         apiKey: ApiKey;
         rawKey: string;
     }>;

package/dist/lib/auth/auth-manager.js

@@ -340,7 +340,7 @@ export class AuthManager {
     /**
      * Create API key
      */
-    async createApiKey(name, createdBy, scopes, expiresIn) {
+    async createApiKey(name, createdBy, scopes, expiresIn, createdByRole) {
         const config = await this.loadAuthConfig();
         const rawKey = this.generateApiKey();
         const hashedKey = await bcrypt.hash(rawKey, SALT_ROUNDS);
@@ -350,6 +350,7 @@ export class AuthManager {
             key: hashedKey,
             keyPreview: rawKey.slice(-4),
             createdBy,
+            createdByRole,
             createdAt: new Date(),
             expiresAt: expiresIn ? this.calculateExpiry(expiresIn) : undefined,
             scopes,

package/dist/lib/symlinks/symlink-manager.d.ts

@@ -5,6 +5,7 @@ import { SymlinkConfig, SymlinkOperationResult } from './types.js';
 export declare class SymlinkManager {
     private configPath;
     private projectRoot;
+    private resolvedProjectRoot;
     private state;
     constructor(projectRoot: string);
     /**
@@ -39,10 +40,8 @@ export declare class SymlinkManager {
      * Toggle a symlink on/off
      */
     toggleSymlink(id: string): Promise<SymlinkOperationResult>;
-    /**
-     * Expand tilde in path to actual home directory
-     */
-    private expandTilde;
+    private validateConfiguredPaths;
+    private resolveProjectPath;
     /**
      * Create a symlink on the filesystem
      */

package/dist/lib/symlinks/symlink-manager.js

@@ -1,16 +1,17 @@
 import { promises as fs } from 'fs';
 import path from 'path';
-import os from 'os';
 /**
  * SymlinkManager handles all symlink operations and persists state
  */
 export class SymlinkManager {
     configPath;
     projectRoot;
+    resolvedProjectRoot;
     state;
     constructor(projectRoot) {
         this.projectRoot = projectRoot;
-        this.configPath = path.join(projectRoot, '.nut', 'symlinks.json');
+        this.resolvedProjectRoot = path.resolve(projectRoot);
+        this.configPath = path.join(this.resolvedProjectRoot, '.nut', 'symlinks.json');
         this.state = {
             version: '1.0.0',
             symlinks: []
@@ -24,7 +25,7 @@ export class SymlinkManager {
             console.log(`[SymlinkManager] Initializing with project root: ${this.projectRoot}`);
             console.log(`[SymlinkManager] Config path: ${this.configPath}`);
             // Ensure .nut directory exists
-            const nutDir = path.join(this.projectRoot, '.nut');
+            const nutDir = path.join(this.resolvedProjectRoot, '.nut');
             await fs.mkdir(nutDir, { recursive: true });
             // Try to load existing configuration
             try {
@@ -83,11 +84,17 @@ export class SymlinkManager {
      */
     async validateSymlinks() {
         for (const symlink of this.state.symlinks) {
-            // Expand tilde and resolve path
-            const expandedLinkPath = this.expandTilde(symlink.linkPath);
-            const fullLinkPath = path.isAbsolute(expandedLinkPath)
-                ? expandedLinkPath
-                : path.join(this.projectRoot, expandedLinkPath);
+            let fullLinkPath;
+            try {
+                fullLinkPath = this.resolveProjectPath(symlink.linkPath);
+            }
+            catch {
+                if (symlink.isActive) {
+                    symlink.isActive = false;
+                    symlink.updatedAt = new Date().toISOString();
+                }
+                continue;
+            }
             try {
                 const stats = await fs.lstat(fullLinkPath);
                 const actuallyActive = stats.isSymbolicLink();
@@ -146,6 +153,7 @@ export class SymlinkManager {
      */
     async addSymlink(config) {
         try {
+            this.validateConfiguredPaths(config.linkPath, config.targetPath);
             // Check if link path already exists
             if (this.state.symlinks.some(s => s.linkPath === config.linkPath)) {
                 return {
@@ -201,14 +209,26 @@ export class SymlinkManager {
             return await this.createSymlink(id);
         }
     }
-    /**
-     * Expand tilde in path to actual home directory
-     */
-    expandTilde(filepath) {
-        if (filepath.startsWith('~/')) {
-            return path.join(os.homedir(), filepath.slice(2));
+    validateConfiguredPaths(linkPath, targetPath) {
+        this.resolveProjectPath(linkPath);
+        this.resolveProjectPath(targetPath);
+    }
+    resolveProjectPath(configuredPath) {
+        if (!configuredPath || typeof configuredPath !== 'string') {
+            throw new Error('Path is required');
+        }
+        if (configuredPath.includes('\0')) {
+            throw new Error('Path contains invalid characters');
         }
-        return filepath;
+        if (path.isAbsolute(configuredPath) || configuredPath === '~' || configuredPath.startsWith('~/')) {
+            throw new Error('Symlink paths must be relative to the project root');
+        }
+        const resolved = path.resolve(this.resolvedProjectRoot, configuredPath);
+        const relative = path.relative(this.resolvedProjectRoot, resolved);
+        if (relative === '' || relative.startsWith('..') || path.isAbsolute(relative)) {
+            throw new Error('Symlink paths must stay inside the project root');
+        }
+        return resolved;
     }
     /**
      * Create a symlink on the filesystem
@@ -222,16 +242,8 @@ export class SymlinkManager {
             };
         }
         try {
-            // Expand tilde in paths and resolve them
-            const expandedLinkPath = this.expandTilde(symlink.linkPath);
-            const expandedTargetPath = this.expandTilde(symlink.targetPath);
-            // If paths are relative (not starting with / or ~), make them relative to project root
-            const fullLinkPath = path.isAbsolute(expandedLinkPath)
-                ? expandedLinkPath
-                : path.join(this.projectRoot, expandedLinkPath);
-            const fullTargetPath = path.isAbsolute(expandedTargetPath)
-                ? expandedTargetPath
-                : path.join(this.projectRoot, expandedTargetPath);
+            const fullLinkPath = this.resolveProjectPath(symlink.linkPath);
+            const fullTargetPath = this.resolveProjectPath(symlink.targetPath);
             // Ensure target exists
             try {
                 await fs.access(fullTargetPath);
@@ -249,6 +261,13 @@ Created: ${new Date().toISOString()}
             }
             // Remove existing file/symlink if it exists
             try {
+                const existingStats = await fs.lstat(fullLinkPath);
+                if (!existingStats.isSymbolicLink()) {
+                    return {
+                        success: false,
+                        message: `Cannot replace non-symlink path ${symlink.linkPath}`,
+                    };
+                }
                 await fs.unlink(fullLinkPath);
             }
             catch (error) {
@@ -256,6 +275,7 @@ Created: ${new Date().toISOString()}
                     throw error;
             }
             // Create the symlink (use relative path for portability)
+            await fs.mkdir(path.dirname(fullLinkPath), { recursive: true });
             const relativePath = path.relative(path.dirname(fullLinkPath), fullTargetPath);
             await fs.symlink(relativePath, fullLinkPath);
             symlink.isActive = true;
@@ -287,11 +307,7 @@ Created: ${new Date().toISOString()}
             };
         }
         try {
-            // Expand tilde and resolve path
-            const expandedLinkPath = this.expandTilde(symlink.linkPath);
-            const fullLinkPath = path.isAbsolute(expandedLinkPath)
-                ? expandedLinkPath
-                : path.join(this.projectRoot, expandedLinkPath);
+            const fullLinkPath = this.resolveProjectPath(symlink.linkPath);
             try {
                 const stats = await fs.lstat(fullLinkPath);
                 if (stats.isSymbolicLink()) {
@@ -354,6 +370,9 @@ Created: ${new Date().toISOString()}
             };
         }
         try {
+            const nextLinkPath = updates.linkPath ?? symlink.linkPath;
+            const nextTargetPath = updates.targetPath ?? symlink.targetPath;
+            this.validateConfiguredPaths(nextLinkPath, nextTargetPath);
             // If changing paths and symlink is active, need to recreate
             if (symlink.isActive && (updates.linkPath || updates.targetPath)) {
                 await this.removeSymlink(id);

package/dist/lib/terminal/terminal-manager.d.ts

@@ -3,6 +3,7 @@ import { ShellType } from './shell-utils.js';
 export interface TerminalSession {
     id: string;
     taskId: string;
+    ownerId?: string;
     pty: any;
     websocket?: WebSocket;
     createdAt: Date;
@@ -19,15 +20,17 @@ export declare class TerminalManager {
     private cleanupInterval;
     private static readonly MAX_BACKLOG_BYTES;
     constructor();
-    createSession(taskId: string, shellPreference?: ShellType, startupCommand?: string): Promise<TerminalSession>;
+    createSession(taskId: string, shellPreference?: ShellType, startupCommand?: string, ownerId?: string): Promise<TerminalSession>;
     getSession(sessionId: string): TerminalSession | undefined;
     getSessionsByTask(taskId: string): TerminalSession[];
-    attachWebSocket(sessionId: string, ws: WebSocket): boolean;
-    destroySession(sessionId: string): boolean;
-    resizeSession(sessionId: string, cols: number, rows: number): boolean;
+    getSessionsForOwner(ownerId: string): TerminalSession[];
+    canAccessSession(session: TerminalSession | undefined, ownerId: string): boolean;
+    attachWebSocket(sessionId: string, ws: WebSocket, ownerId: string): boolean;
+    destroySession(sessionId: string, ownerId?: string): boolean;
+    resizeSession(sessionId: string, cols: number, rows: number, ownerId?: string): boolean;
     private cleanupInactiveSessions;
     getAllSessions(): TerminalSession[];
     destroy(): void;
     private enqueuePreviewBroadcast;
-    attachPreviewWebSocket(sessionId: string, ws: WebSocket): boolean;
+    attachPreviewWebSocket(sessionId: string, ws: WebSocket, ownerId: string): boolean;
 }

package/dist/lib/terminal/terminal-manager.js

@@ -44,7 +44,7 @@ export class TerminalManager {
             this.cleanupInactiveSessions();
         }, 5 * 60 * 1000);
     }
-    async createSession(taskId, shellPreference = 'bash', startupCommand) {
+    async createSession(taskId, shellPreference = 'bash', startupCommand, ownerId) {
         if (!spawnHelperFixed) {
             ensureSpawnHelperPermissions();
             spawnHelperFixed = true;
@@ -133,6 +133,7 @@ export class TerminalManager {
         const session = {
             id: sessionId,
             taskId,
+            ownerId,
             pty: ptyProcess,
             createdAt: new Date(),
             lastActivity: new Date(),
@@ -244,8 +245,23 @@ export class TerminalManager {
     getSessionsByTask(taskId) {
         return Array.from(this.sessions.values()).filter(session => session.taskId === taskId);
     }
-    attachWebSocket(sessionId, ws) {
+    getSessionsForOwner(ownerId) {
+        return Array.from(this.sessions.values()).filter(session => this.canAccessSession(session, ownerId));
+    }
+    canAccessSession(session, ownerId) {
+        if (!session) {
+            return false;
+        }
+        if (ownerId === 'localhost:localhost' || ownerId === 'anonymous:anonymous') {
+            return true;
+        }
+        return session.ownerId === ownerId;
+    }
+    attachWebSocket(sessionId, ws, ownerId) {
         const session = this.sessions.get(sessionId);
+        if (!this.canAccessSession(session, ownerId)) {
+            return false;
+        }
         if (!session) {
             return false;
         }
@@ -318,11 +334,14 @@ export class TerminalManager {
         });
         return true;
     }
-    destroySession(sessionId) {
+    destroySession(sessionId, ownerId) {
         const session = this.sessions.get(sessionId);
         if (!session) {
             return false;
         }
+        if (ownerId && !this.canAccessSession(session, ownerId)) {
+            return false;
+        }
         // Clear main WebSocket ping interval
         if (session.pingInterval) {
             clearInterval(session.pingInterval);
@@ -360,11 +379,14 @@ export class TerminalManager {
         this.sessions.delete(sessionId);
         return true;
     }
-    resizeSession(sessionId, cols, rows) {
+    resizeSession(sessionId, cols, rows, ownerId) {
         const session = this.sessions.get(sessionId);
         if (!session) {
             return false;
         }
+        if (ownerId && !this.canAccessSession(session, ownerId)) {
+            return false;
+        }
         try {
             session.pty.resize(cols, rows);
             session.lastActivity = new Date();
@@ -441,8 +463,10 @@ export class TerminalManager {
         }
         catch { }
     }
-    attachPreviewWebSocket(sessionId, ws) {
+    attachPreviewWebSocket(sessionId, ws, ownerId) {
         const session = this.sessions.get(sessionId);
+        if (!this.canAccessSession(session, ownerId))
+            return false;
         if (!session)
             return false;
         if (!session.previewSockets)

package/dist/middleware/auth.d.ts

@@ -1,5 +1,24 @@
 import { Context, Next } from 'hono';
 import { AuthSession } from '@lovelybunch/types';
+import type { ApiKey } from '@lovelybunch/types';
+export type AuthPrincipal = {
+    type: 'session';
+    id: string;
+    role: AuthSession['role'];
+    session: AuthSession;
+} | {
+    type: 'apiKey';
+    id: string;
+    role?: AuthSession['role'];
+    apiKey: ApiKey;
+} | {
+    type: 'localhost';
+    id: 'localhost';
+    role: 'admin';
+} | {
+    type: 'anonymous';
+    id: 'anonymous';
+};
 /**
  * Authentication middleware
  * Checks for valid JWT token in cookie or Authorization header
@@ -7,10 +26,10 @@ import { AuthSession } from '@lovelybunch/types';
 export declare function authMiddleware(c: Context, next: Next): Promise<void | (Response & import("hono").TypedResponse<{
     error: string;
     message: string;
-}, 401, "json">) | (Response & import("hono").TypedResponse<{
+}, 403, "json">) | (Response & import("hono").TypedResponse<{
     error: string;
     message: string;
-}, 403, "json">)>;
+}, 401, "json">)>;
 /**
  * Helper to get current session from context
  */
@@ -25,6 +44,8 @@ export declare function isAdmin(c: Context): boolean;
  * Also accepts API key authentication
  */
 export declare function requireAuth(c: Context): AuthSession | null;
+export declare function getAuthPrincipal(c: Context): AuthPrincipal;
+export declare function getAuthPrincipalKey(c: Context): string;
 /**
  * Helper to require admin access (throws if not admin)
  * Returns null if auth is disabled

package/dist/middleware/auth.js

@@ -54,6 +54,9 @@ function isPublicRoute(path) {
 function isAdminRoute(path) {
     return ADMIN_ROUTES.some((route) => path.startsWith(route));
 }
+function apiKeyHasAdminAccess(apiKey) {
+    return apiKey.createdByRole === 'admin' && apiKey.scopes.some((scope) => (scope === 'admin' || scope === 'admin:all' || scope.startsWith('admin:')));
+}
 /**
  * Authentication middleware
  * Checks for valid JWT token in cookie or Authorization header
@@ -103,6 +106,9 @@ export async function authMiddleware(c, next) {
         if (apiKey) {
             const validApiKey = await authManager.verifyApiKey(apiKey);
             if (validApiKey) {
+                if (isAdminRoute(path) && !apiKeyHasAdminAccess(validApiKey)) {
+                    return c.json({ error: 'Forbidden', message: 'Admin access required' }, 403);
+                }
                 // Store API key info in context
                 c.set('apiKey', validApiKey);
                 c.set('authType', 'apikey');
@@ -197,6 +203,34 @@ export function requireAuth(c) {
     }
     throw new Error('Authentication required');
 }
+export function getAuthPrincipal(c) {
+    const authEnabled = c.get('authEnabled');
+    if (authEnabled === false) {
+        return { type: 'anonymous', id: 'anonymous' };
+    }
+    const session = getSession(c);
+    if (session) {
+        return { type: 'session', id: session.userId, role: session.role, session };
+    }
+    const authType = c.get('authType');
+    if (authType === 'apikey') {
+        const apiKey = c.get('apiKey');
+        if (apiKey) {
+            return { type: 'apiKey', id: apiKey.createdBy || apiKey.id, role: apiKey.createdByRole, apiKey };
+        }
+    }
+    if (authType === 'localhost') {
+        return { type: 'localhost', id: 'localhost', role: 'admin' };
+    }
+    return { type: 'anonymous', id: 'anonymous' };
+}
+export function getAuthPrincipalKey(c) {
+    const principal = getAuthPrincipal(c);
+    if (principal.type === 'session' || principal.type === 'apiKey') {
+        return `user:${principal.id}`;
+    }
+    return `${principal.type}:${principal.id}`;
+}
 /**
  * Helper to require admin access (throws if not admin)
  * Returns null if auth is disabled
@@ -207,13 +241,19 @@ export function requireAdmin(c) {
     if (authEnabled === false) {
         return null;
     }
-    // Trusted non-session authenticators (direct localhost connection, valid API
-    // key) are authoritative: they've already passed auth at the middleware
-    // layer, so admin-gated routes accept them without a session.role check.
+    // Direct localhost connections are trusted because the middleware only marks
+    // raw, unproxied loopback sockets this way.
     const authType = c.get('authType');
-    if (authType === 'localhost' || authType === 'apikey') {
+    if (authType === 'localhost') {
         return null;
     }
+    const apiKey = c.get('apiKey');
+    if (authType === 'apikey' && apiKey && apiKeyHasAdminAccess(apiKey)) {
+        return null;
+    }
+    if (authType === 'apikey') {
+        throw new Error('Admin access required');
+    }
     const session = requireAuth(c);
     if (!session) {
         throw new Error('Authentication required');

package/dist/routes/api/v1/ai/route.js

@@ -1,4 +1,6 @@
 import { createHash } from 'node:crypto';
+import { lookup } from 'node:dns/promises';
+import { isIP } from 'node:net';
 import { homedir } from 'os';
 import { join, resolve as pathResolve, basename } from 'path';
 import { existsSync, readFileSync, promises as fs, createReadStream } from 'fs';
@@ -780,6 +782,118 @@ function getInternalApiBase() {
     const port = process.env.PORT ? parseInt(process.env.PORT) : 3001;
     return `http://127.0.0.1:${port}`;
 }
+const MAX_EXTERNAL_RESOURCE_BYTES = 20 * 1024 * 1024;
+const EXTERNAL_FETCH_TIMEOUT_MS = 10_000;
+const MAX_EXTERNAL_REDIRECTS = 3;
+function isPrivateIpAddress(address) {
+    const normalized = address.toLowerCase().split('%')[0];
+    const ipv4Mapped = normalized.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/);
+    const ip = ipv4Mapped ? ipv4Mapped[1] : normalized;
+    const version = isIP(ip);
+    if (version === 4) {
+        const octets = ip.split('.').map(Number);
+        const [a, b] = octets;
+        return (a === 0 ||
+            a === 10 ||
+            a === 127 ||
+            (a === 100 && b >= 64 && b <= 127) ||
+            (a === 169 && b === 254) ||
+            (a === 172 && b >= 16 && b <= 31) ||
+            (a === 192 && b === 168) ||
+            (a === 198 && (b === 18 || b === 19)) ||
+            a >= 224);
+    }
+    if (version === 6) {
+        return (ip === '::' ||
+            ip === '::1' ||
+            ip.startsWith('fc') ||
+            ip.startsWith('fd') ||
+            ip.startsWith('fe80') ||
+            ip.startsWith('ff'));
+    }
+    return true;
+}
+function parseExternalUrl(rawUrl) {
+    const parsed = new URL(rawUrl);
+    if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
+        throw new Error('Only http and https URLs are allowed');
+    }
+    if (parsed.username || parsed.password) {
+        throw new Error('URLs with embedded credentials are not allowed');
+    }
+    if (!parsed.hostname) {
+        throw new Error('URL host is required');
+    }
+    return parsed;
+}
+async function assertPublicUrlHost(parsed) {
+    const host = parsed.hostname.replace(/^\[|\]$/g, '');
+    if (isIP(host)) {
+        if (isPrivateIpAddress(host)) {
+            throw new Error('URL host resolves to a blocked network address');
+        }
+        return;
+    }
+    const records = await lookup(host, { all: true, verbatim: false });
+    if (records.length === 0 || records.some(record => isPrivateIpAddress(record.address))) {
+        throw new Error('URL host resolves to a blocked network address');
+    }
+}
+async function readResponseWithLimit(response) {
+    const contentLength = response.headers.get('content-length');
+    if (contentLength && Number(contentLength) > MAX_EXTERNAL_RESOURCE_BYTES) {
+        throw new Error('Downloaded resource is too large');
+    }
+    if (!response.body) {
+        const fallback = Buffer.from(await response.arrayBuffer());
+        if (fallback.length > MAX_EXTERNAL_RESOURCE_BYTES) {
+            throw new Error('Downloaded resource is too large');
+        }
+        return fallback;
+    }
+    const reader = response.body.getReader();
+    const chunks = [];
+    let total = 0;
+    while (true) {
+        const { done, value } = await reader.read();
+        if (done)
+            break;
+        const chunk = Buffer.from(value);
+        total += chunk.length;
+        if (total > MAX_EXTERNAL_RESOURCE_BYTES) {
+            try {
+                await reader.cancel();
+            }
+            catch {
+                // Ignore cancel errors.
+            }
+            throw new Error('Downloaded resource is too large');
+        }
+        chunks.push(chunk);
+    }
+    return Buffer.concat(chunks, total);
+}
+async function fetchExternalResource(rawUrl) {
+    let currentUrl = parseExternalUrl(rawUrl);
+    for (let redirects = 0; redirects <= MAX_EXTERNAL_REDIRECTS; redirects += 1) {
+        await assertPublicUrlHost(currentUrl);
+        const response = await fetch(currentUrl, {
+            redirect: 'manual',
+            signal: AbortSignal.timeout(EXTERNAL_FETCH_TIMEOUT_MS),
+        });
+        if (response.status >= 300 && response.status < 400) {
+            const location = response.headers.get('location');
+            if (!location) {
+                throw new Error('Redirect response did not include a location');
+            }
+            currentUrl = parseExternalUrl(new URL(location, currentUrl).toString());
+            continue;
+        }
+        const buffer = await readResponseWithLimit(response);
+        return { response, buffer, finalUrl: currentUrl.toString() };
+    }
+    throw new Error('Too many redirects while downloading URL');
+}
 async function executeResourcesToolDirect(args) {
     const { operation, query, type_filter, resource_id, prompt, model, aspect_ratio, text, voice, duration, resolution, url, tags, description } = args;
     const apiBase = getInternalApiBase();
@@ -939,17 +1053,16 @@ async function executeResourcesToolDirect(args) {
                 if (!url) {
                     return { success: false, error: 'url is required for add_from_url operation' };
                 }
-                // Download the URL
-                const dlResponse = await fetch(url);
+                // Download the URL after validating the host and redirect chain.
+                const { response: dlResponse, buffer, finalUrl } = await fetchExternalResource(url);
                 if (!dlResponse.ok) {
                     return { success: false, error: `Failed to download URL: ${dlResponse.statusText}` };
                 }
-                const buffer = Buffer.from(await dlResponse.arrayBuffer());
                 const contentType = dlResponse.headers.get('content-type') || 'application/octet-stream';
                 // Derive filename from URL path
                 let fileName;
                 try {
-                    const urlPath = new URL(url).pathname;
+                    const urlPath = new URL(finalUrl).pathname;
                     fileName = basename(urlPath);
                     if (!fileName || fileName === '/') {
                         fileName = `downloaded-${Date.now()}`;

package/dist/routes/api/v1/api-keys/route.js

@@ -29,6 +29,7 @@ apiKeys.get('/', async (c) => {
                     name: k.name,
                     keyPreview: k.keyPreview,
                     createdBy: k.createdBy,
+                    createdByRole: k.createdByRole,
                     createdAt: k.createdAt,
                     expiresAt: k.expiresAt,
                     lastUsedAt: k.lastUsedAt,
@@ -61,8 +62,12 @@ apiKeys.post('/', async (c) => {
         if (!scopes || scopes.length === 0) {
             return c.json({ success: false, error: 'At least one scope is required' }, 400);
         }
+        const requestsAdminScope = scopes.some((scope) => (scope === 'admin' || scope === 'admin:all' || scope.startsWith('admin:')));
+        if (requestsAdminScope && session.role !== 'admin') {
+            return c.json({ success: false, error: 'Admin access is required to create admin-scoped API keys' }, 403);
+        }
         // Create API key
-        const { apiKey, rawKey } = await authManager.createApiKey(name, session.userId, scopes, expiresIn);
+        const { apiKey, rawKey } = await authManager.createApiKey(name, session.userId, scopes, expiresIn, session.role);
         return c.json({
             success: true,
             data: {
@@ -71,6 +76,7 @@ apiKeys.post('/', async (c) => {
                     name: apiKey.name,
                     keyPreview: apiKey.keyPreview,
                     createdBy: apiKey.createdBy,
+                    createdByRole: apiKey.createdByRole,
                     createdAt: apiKey.createdAt,
                     expiresAt: apiKey.expiresAt,
                     scopes: apiKey.scopes,