prepping for release

Author: AlexMercedCoder

README.md

@@ -58,18 +58,22 @@ See [Quick Start Guide](docs/getting-started/getting_started.md) for detailed se
 ### 🏁 1. Getting Started
 - **[Installation & Setup](docs/getting-started/getting_started.md)** - Get running in 5 minutes.
 - **[Auth Modes](docs/authentication.md)** - Understanding Auth vs No-Auth and OAuth.
+- **[Service Users](docs/features/service_users.md)** - API keys for programmatic access.
+- **[Multi-Tenancy](docs/features/multi_tenancy.md)** - Understanding isolation.
 - **[User Scopes](docs/getting-started/getting_started.md#user-scopes)** - Roles: Root, Tenant Admin, and Tenant User.
 - **[Configuration](docs/getting-started/configuration.md)** - Server configuration options.
 - **[Environment Variables](docs/getting-started/env_vars.md)** - Complete metadata and storage reference.
 
 ### 🏗️ 2. Core Infrastructure
 - **[Warehouses](docs/warehouse/README.md)** - Managing S3, Azure, and GCS storage.
+- **[Credential Vending](docs/features/security_vending.md)** - Secure direct-to-storage access.
 - **[Catalogs](docs/features/asset_management.md)** - Creating Local and Federated catalogs.
 - **[Backend Storage](docs/backend_storage/README.md)** - Metadata persistence with Postgres, Mongo, or SQLite.
 
 ### 🧪 3. Data Management (API, CLI, UI)
 - **[Branching & Versioning](docs/features/branch_management.md)** - Git-style workflows and auto-add nuances.
 - **[Permissions & RBAC](docs/permissions.md)** - Asset-level access and cascading grants.
+- **[IAM Roles](docs/features/iam_roles.md)** - Cloud provider integration.
 - **[Business Metadata](docs/features/business_catalog.md)** - Tags, search, and data discovery.
 - **[Audit Logging](docs/features/audit_logs.md)** - Security tracking across all tools.
 - **[Maintenance](docs/features/maintenance.md)** - Snapshots, orphan files, and storage optimization.

admin_token.json

@@ -0,0 +1,71 @@
+version: '3.8'
+
+services:
+  minio:
+    image: minio/minio
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    environment:
+      MINIO_ROOT_USER: minioadmin
+      MINIO_ROOT_PASSWORD: minioadmin
+    command: server /data --console-address ":9001"
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      interval: 30s
+      timeout: 20s
+      retries: 3
+    volumes:
+      - minio_data_release:/data
+
+  createbuckets:
+    image: minio/mc
+    depends_on:
+      minio:
+        condition: service_healthy
+    entrypoint: >
+      /bin/sh -c "
+      /usr/bin/mc alias set myminio http://minio:9000 minioadmin minioadmin;
+      /usr/bin/mc mb myminio/warehouse;
+      /usr/bin/mc anonymous set public myminio/warehouse;
+      /usr/bin/mc mb myminio/warehouse-acme;
+      /usr/bin/mc anonymous set public myminio/warehouse-acme;
+      exit 0;
+      "
+
+  pangolin-api:
+    image: alexmerced/pangolin-api:0.2.0
+    ports:
+      - "8080:8080"
+    environment:
+      - RUST_LOG=info
+      - PANGOLIN_STORE_TYPE=memory
+      - AWS_ACCESS_KEY_ID=minioadmin
+      - AWS_SECRET_ACCESS_KEY=minioadmin
+      - AWS_REGION=us-east-1
+      - AWS_ENDPOINT_URL=http://minio:9000
+      - AWS_ALLOW_HTTP=true
+      - PANGOLIN_NO_AUTH=${PANGOLIN_NO_AUTH:-false}
+    depends_on:
+      minio:
+        condition: service_healthy
+
+  tests:
+    image: python:3.11-slim
+    volumes:
+      - ./scripts:/app/scripts
+    working_dir: /app
+    environment:
+      - PANGOLIN_API_URL=http://pangolin-api:8080
+      - MINIO_URL=http://minio:9000
+      - AWS_ENDPOINT_URL=http://minio:9000
+      - AWS_ACCESS_KEY_ID=minioadmin
+      - AWS_SECRET_ACCESS_KEY=minioadmin
+      - AWS_REGION=us-east-1
+      - TEST_MODE=${TEST_MODE:-no-auth}
+    depends_on:
+      - pangolin-api
+    command: sh -c "pip install requests pyiceberg pyarrow && python scripts/test_release_v0.2.0.py"
+
+volumes:
+  minio_data_release:

docker-compose.release.yml

@@ -13,6 +13,7 @@ Instead of sharing long-term cloud credentials with clients (e.g., Spark jobs, D
 - ✅ Centralized audit trail of data access
 - ✅ Support for cross-account/cross-cloud access
 - ✅ **Multi-cloud support:** S3, Azure ADLS Gen2, Google Cloud Storage
+- ⚠️ **Local Filesystem:** Supported for dev/test (no credential vending involved)
 
 ---
 

docs/features/security_vending.md

@@ -0,0 +1,132 @@
+
+# Pangolin Authentication Guide
+
+This guide details how authentication works in Pangolin when the system is running in standard production mode (Auth Mode).
+
+## 1. The Root User
+
+The **Root User** is the super-administrator of the entire Pangolin system. This user exists outside of any specific tenant.
+
+- **Scope**: System-wide. No specific `tenant_id`.
+- **Capabilities**:
+  - Create and delete Tenants.
+  - Create the initial Tenant Admin for a Tenant.
+  - View global system statistics (e.g., total tenants, total tables).
+- **Limitations**:
+  - Cannot query data within a Tenant's catalogs unless explicitly granted permission (conceptually separate).
+  - Cannot be assigned to a specific Tenant.
+
+**Configuration**:
+You can define the initial credentials for the Root User using environment variables. This is critical for securing your production deployment.
+
+```bash
+# Default values if not specified: admin / password
+export PANGOLIN_ROOT_USER="super_admin"
+export PANGOLIN_ROOT_PASSWORD="complex_secure_password"
+```
+
+**Login Behavior**:
+- **API**: Login with `username` and `password`, leaving `tenant_id` null.
+- **UI**: Use the dedicated Root Login toggle or route (e.g., `/login` with "Root" checked).
+
+## 2. Authentication Flows
+
+### Generating Tokens (API/CLI)
+
+Authentication tokens (JWTs) act as your digital keys.
+
+**For Tenant Admins & Users**:
+You must provide the `tenant_id` along with credentials.
+
+```bash
+# Example Request
+POST /api/v1/users/login
+{
+  "username": "data_analyst",
+  "password": "secure_password",
+  "tenant_id": "123e4567-e89b-12d3..."
+}
+
+# Response
+{
+  "token": "eyJhbGciOiJIUz...",
+  "expires_in": 86400
+}
+```
+
+**For Root**:
+Omit the `tenant_id`.
+
+### Logging into the UI
+
+The UI login page adapts based on the user type:
+
+1.  **Tenant Login**:
+    - **Username**: Your username.
+    - **Password**: Your password.
+    - **Tenant ID**: The UUID of your organization/tenant.
+2.  **Root Login**:
+    - Click "Login as System Root".
+    - Enter only Username and Password.
+
+## 3. Testing with PyIceberg
+
+When running in Auth Mode, PyIceberg requires a valid token and the tenant context.
+
+```python
+from pyiceberg.catalog import load_catalog
+
+# 1. Obtain a token (e.g., via script or manually from UI)
+token = "YOUR_GENERATED_JWT_TOKEN"
+tenant_id = "YOUR_TENANT_UUID"
+
+# 2. Configure PyIceberg
+catalog = load_catalog(
+    "production",
+    **{
+        "type": "rest",
+        "uri": "http://localhost:8080/api/v1/catalogs/sales/iceberg",
+        "token": token,
+        # Required for Multi-tenancy routing
+        "header.X-Pangolin-Tenant": tenant_id
+    }
+)
+```
+
+## 4. Permissions Matrix
+
+Pangolin uses a hierarchical RBAC system.
+
+### Roles
+
+| Role | Scope | Description |
+| :--- | :--- | :--- |
+| **Root** | System | Manages Tenants. Cannot manage data inside a tenant directly without assuming a tenant context (if allowed). |
+| **Tenant Admin** | Tenant | Full control over a specific Tenant's resources (Users, Catalogs, Roles). |
+| **Tenant User** | Tenant | Zero access by default. Must be granted specific permissions. |
+
+### Permissions Granting
+
+Permissions are additive. A user can be granted specific Actions on specific Scopes.
+
+| Scope | Description | Implied Children |
+| :--- | :--- | :--- |
+| **Tenant** | Entire Tenant | All Catalogs, Namespaces, Tables |
+| **Catalog** | Specific Catalog | All Namespaces, Tables within |
+| **Namespace** | Specific Namespace | All Tables within |
+| **Table/Asset** | Specific Table | None |
+
+| Action | Description |
+| :--- | :--- |
+| **Read** | Read metadata and data. |
+| **Write** | Insert, update, delete data. |
+| **Create** | Create new resources (Tables, Namespaces). |
+| **Delete** | Drop resources. |
+| **List** | See that the resource exists (Discovery). |
+| **ManageDiscovery** | Mark assets as strictly discoverable (metadata visible, data locked). |
+
+### Common Scenarios
+
+- **Data Analyst**: Grant `Read` on specific `Namespace`.
+- **Data Engineer**: Grant `Read`, `Write`, `Create` on specific `Catalog`.
+- **Auditor**: Grant `List` (Discovery) on `Tenant` + `Read` on `audit_logs` (conceptually).

docs/getting-started/auth-mode.md

@@ -0,0 +1,100 @@
+
+# No Auth Mode
+
+Pangolin supports a specialized "No Auth" mode designed for local development, testing, and evaluation where setting up a full authentication provider (like OAuth/OIDC) is not feasible or desired.
+
+## Triggering No Auth Mode
+
+To enable No Auth mode, set the following environment variable before starting the `pangolin_api` server:
+
+```bash
+export PANGOLIN_NO_AUTH=true
+```
+
+## Behavior & Features
+
+### 1. Automatic Tenant Admin Access
+When accessing the API without any credentials, the system automatically treats the request as coming from the default **Tenant Admin** of the default tenant.
+
+- **Username**: `tenant_admin`
+- **Role**: `TenantAdmin`
+- **Tenant ID**: `00000000-0000-0000-0000-000000000000`
+
+This allows you to perform administrative tasks (create users, manage catalogs, etc.) immediately without logging in.
+
+### 2. "Easy Auth" (Selective Authentication)
+While No Auth mode defaults to Admin for unauthenticated requests, it **respects the `Authorization` header** if provided. This is crucial for verifying permissions:
+
+- **If you provide a token**: The system processes the request as that specific user.
+- **If you provide NO token**: The system processes the request as the default Tenant Admin.
+
+### 3. Password Bypass
+To facilitate logging in as specific users (e.g., `TenantUser` for testing access restrictions) without setting up true hashes:
+
+- The `.login()` endpoint bypasses password verification in this mode.
+- You can log in as *any* existing user with *any* password.
+
+## Usage Guide
+
+### Using the CLI
+Since the CLI handles authentication tokens automatically, you can mix modes:
+
+1. **Admin Mode (Default)**: Just run commands.
+   ```bash
+   pangolin-admin catalog list  # Works immediately
+   ```
+
+2. **User Mode**: Login as a specific user to switch context.
+   ```bash
+   pangolin-user login --username data_analyst --password any
+   # Now subsequent commands run as data_analyst
+   ```
+
+### Using the UI
+The UI will automatically detect No Auth mode and may auto-login as `tenant_admin`.
+
+To test different roles:
+1. **Logout** via the profile menu.
+2. **Login** with the username you created (e.g., `data_analyst`) and any password.
+3. You are now exploring the UI restricted by that user's permissions.
+
+### Using the API (cURL / Python)
+- **Admin Request**:
+  ```bash
+  curl http://localhost:8080/api/v1/catalogs
+  ```
+- **User Request** (after getting token via `/login`):
+  ```bash
+  curl -H "Authorization: Bearer <token>" http://localhost:8080/api/v1/catalogs
+  ```
+
+## Testing with PyIceberg
+
+The server prints a convenient configuration snippet on startup when in No Auth mode. This snippet works immediately because the token vended is for the default `tenant_admin`.
+
+### Configuration
+Use this snippet in your Python scripts to connect PyIceberg to your local Pangolin instance:
+
+```python
+from pyiceberg.catalog import load_catalog
+
+catalog = load_catalog(
+    "local",
+    **{
+        "type": "rest",
+        "uri": "http://127.0.0.1:8080/api/v1/catalogs/sales/iceberg",
+        # Default Admin Token (valid for 24h/until restart)
+        "token": "YOUR_TOKEN_FROM_SERVER_LOGS",
+        # Critical for No Auth mode routing
+        "header.X-Pangolin-Tenant": "00000000-0000-0000-0000-000000000000"
+    }
+)
+
+# Verify connection
+print(catalog.list_namespaces())
+```
+
+### Key Notes for PyIceberg
+1.  **Tenant Header**: You **MUST** include `"header.X-Pangolin-Tenant"` in the config properties. Without it, the server won't know which tenant context to use for the Iceberg REST endpoints, even with a valid token.
+2.  **Token**: The token printed in the logs is a valid JWT for the `tenant_admin` role. You can use it as-is.
+3.  **URI**: Point to the specific catalog's Iceberg endpoint (e.g., `.../catalogs/sales/iceberg`). Ensure the catalog exists first (e.g., via the seeding script).

docs/getting-started/no-auth-mode.md

@@ -30,4 +30,4 @@ Detailed configuration for different storage backends.
 To enable **Credential Vending**, PyIceberg must send the `X-Iceberg-Access-Delegation` header with the value `vended-credentials`. This tells Pangolin that the client expects temporary storage keys for its operations.
 
 ### Tenant Context
-Pangolin uses either a standard `token` or the custom `X-Pangolin-Tenant` header to determine the tenant context. For PyIceberg, use the `token` property for the best experience.
+While Pangolin extracts tenant context from the authentication token, we **strongly recommend** explicitly setting the `header.X-Pangolin-Tenant` property in your PyIceberg configuration. This ensures reliable routing for all operations, especially during initial connection.

docs/pyiceberg/README.md

@@ -228,6 +228,7 @@ The `use_sts` boolean field is deprecated. Use `vending_strategy` instead.
 | [AWS S3](s3.md) | ✅ Production | Most common, excellent performance |
 | [Azure Blob](azure.md) | ✅ Production | Azure-native deployments |
 | [Google Cloud Storage](gcs.md) | ✅ Production | GCP-native deployments |
+| [Local Filesystem](local.md) | ⚠️ Dev/Test | Local development & testing |
 
 ## Quick Start