# Quickstart: Desk Auth & RBAC (003)

## Prerequisites

- VM122 API up: `curl http://10.10.10.122:8080/health`
- Feature 003 implemented and deployed
- `.env` with `JWT_SECRET` set

---

## 1. Login (each role)

```bash
API="http://10.10.10.122:8080"

# login USER PASSWORD -> pretty-prints the login response (includes access_token)
login() {
  local user=$1 pass=$2
  curl -sf -X POST "$API/api/v1/auth/login" \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"$user\",\"password\":\"$pass\"}" | python3 -m json.tool
}

# 805353 is the bootstrap password; rotate it after the first deploy (section 8)
login root 805353    # super_admin
login admin 805353   # ops_lead
login mini 805353    # technician
login noc 805353     # noc
```

---

## 2. Protected API

```bash
# Extract only the access_token from the login response
TOKEN=$(curl -sf -X POST "$API/api/v1/auth/login" \
  -H "Content-Type: application/json" \
  -d '{"username":"root","password":"805353"}' \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['access_token'])")

curl -sf -H "Authorization: Bearer $TOKEN" "$API/api/v1/desk/tickets" | python3 -m json.tool | head
```

---

## 3. Verify the public block

```bash
# Must be rejected with 401 when no token is sent.
# Compare the status explicitly: `curl -f` alone also fails on 500, which would
# report a broken API as "blocked".
code=$(curl -s -o /dev/null -w '%{http_code}' "https://api.ops.ligbox.com.br/api/v1/desk/tickets")
[ "$code" = 401 ] && echo "401 OK" || echo "FAIL (got $code)"

# Health stays public
curl -sf "https://api.ops.ligbox.com.br/health"
```

---

## 4. Webhook unchanged

The webhook keeps its own shared-secret header and does not use a JWT:

```bash
curl -sf -X POST "$API/api/v1/webhooks/onboard" \
  -H "Content-Type: application/json" \
  -H "X-Webhook-Secret: ligbox-ops-dev-secret" \
  -d '{"event":"account.created","domain":"auth-test.ligbox","session_id":"auth-spec-003"}'
```

---

## 5. RBAC tests per role

| Test | root | admin | mini | noc |
|------|------|-------|------|-----|
| GET tickets | ✅ | ✅ | ✅ | ✅ (masked) |
| PATCH ticket | ✅ | ✅ | ✅* | ❌ 403 |
| POST audit/run | ✅ | ✅ | ❌ 403 | ❌ 403 |
| GET audit/overview | ✅ | ✅ | ❌ 403 | ✅ (masked) |
| GET auth/users | ✅ | ❌ 403 | ❌ 403 | ❌ 403 |

\* mini: only if `assigned_to` is null or `mini`

Automated script:

```bash
bash /opt/ligbox-ops-platform/scripts/verify-auth.sh
```

---

## 6. UI

1. Open `https://desk.ligbox.com.br` → login
2. `root` / password → dashboard
3. Check the sidebar: `Roger (super_admin)` + Sign out
4. Login as `noc` → no close-ticket button; company data masked

---

## 7. Deploy

```bash
cd /opt/ligbox-ops-platform

# Generate secrets. Run once: `>>` appends, so if .env already has these keys,
# edit them in place instead. A new JWT_SECRET invalidates every token signed
# with the previous one.
echo "JWT_SECRET=$(openssl rand -hex 32)" >> .env
echo "OPS_INTERNAL_TOKEN=$(openssl rand -hex 32)" >> .env
echo "DESK_AUTH_ENABLED=true" >> .env

docker-compose -f docker-compose.mvp.yml up -d --build api frontend
bash scripts/verify-auth.sh
```

---

## 8. Rotate the bootstrap password

After the first deploy:

1. Log in as `root` on the Desk
2. `PATCH /api/v1/auth/users/root` with the new password (once the endpoint is available)
3. Or via SQL: `UPDATE desk_users SET password_hash=...` with a bcrypt hash
4. Change the VM122 SSH passwords independently (`passwd root`); they are not tied to Desk users

**Never** keep `805353` in public production.

---

## 9. Emergency rollback

```bash
# .env
DESK_AUTH_ENABLED=false

docker-compose -f docker-compose.mvp.yml up -d --build api
```

The API returns to open mode (Desk endpoints answer without a token) and the public block from section 3 no longer applies. Use only in an emergency.
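The section 5 matrix as a runnable checker, plus a helper for reading the claims of the token obtained in section 2. This is an added example, not the project's `scripts/verify-auth.sh`. It assumes the endpoints and roles listed above; the PATCH path `/api/v1/desk/tickets/<id>`, `TICKET_ID=1` as a ticket that is unassigned or assigned to `mini`, and `{}` as a placeholder body for POST/PATCH are assumptions, not from the page.

```bash
#!/usr/bin/env bash
# Added example (not the project's scripts/verify-auth.sh): drives the
# section 5 RBAC matrix against the API and exits non-zero on any mismatch.
# Assumptions: PATCH path /api/v1/desk/tickets/<id>, TICKET_ID=1 unassigned or
# assigned to mini, and "{}" as a placeholder body for POST/PATCH.
set -e

API="${API:-http://10.10.10.122:8080}"
PASS="${DESK_PASS:-805353}"     # bootstrap password from the page; rotate it (section 8)
TICKET_ID="${TICKET_ID:-1}"     # assumption: an existing ticket id

# login ROLE -> prints the access_token, or nothing on failure
login() {
  curl -sf --max-time 10 -X POST "$API/api/v1/auth/login" \
    -H "Content-Type: application/json" \
    -d "{\"username\":\"$1\",\"password\":\"$PASS\"}" \
  | python3 -c 'import sys,json; print(json.load(sys.stdin).get("access_token",""))'
}

# jwt_claims TOKEN -> prints the payload JSON. Decodes only; it does NOT verify
# the signature, so use it to read role/exp claims, never to trust a token.
jwt_claims() {
  python3 -c 'import sys,base64,json
p=sys.argv[1].split(".")[1]; p+="="*(-len(p)%4)
print(json.dumps(json.loads(base64.urlsafe_b64decode(p)),sort_keys=True))' "$1"
}

# http_status TOKEN METHOD PATH -> prints the HTTP status (000 if unreachable).
# An empty TOKEN sends no Authorization header at all (the section 3 check).
http_status() {
  local token=$1 method=$2 path=$3 body=''
  case $method in POST|PATCH|PUT) body='{}' ;; esac
  curl -s --max-time 10 -o /dev/null -w '%{http_code}' -X "$method" \
    ${token:+-H "Authorization: Bearer $token"} \
    -H "Content-Type: application/json" ${body:+-d "$body"} "$API$path"
}

# check_status EXPECT STATUS -> 0 when STATUS matches the expectation
#   allow: the auth layer let the call through (anything but 401/403)
#   deny : 403 Forbidden (authenticated but not permitted)
#   anon : 401 Unauthorized (no token)
check_status() {
  case "$1" in
    allow) [ "$2" != 401 ] && [ "$2" != 403 ] ;;
    deny)  [ "$2" = 403 ] ;;
    anon)  [ "$2" = 401 ] ;;
    *)     return 2 ;;
  esac
}

# Section 5 matrix: "role method path expectation" ("-" = no token)
MATRIX="
-     GET   /api/v1/desk/tickets              anon
root  GET   /api/v1/desk/tickets              allow
admin GET   /api/v1/desk/tickets              allow
mini  GET   /api/v1/desk/tickets              allow
noc   GET   /api/v1/desk/tickets              allow
root  PATCH /api/v1/desk/tickets/$TICKET_ID   allow
admin PATCH /api/v1/desk/tickets/$TICKET_ID   allow
mini  PATCH /api/v1/desk/tickets/$TICKET_ID   allow
noc   PATCH /api/v1/desk/tickets/$TICKET_ID   deny
root  POST  /api/v1/audit/run                 allow
admin POST  /api/v1/audit/run                 allow
mini  POST  /api/v1/audit/run                 deny
noc   POST  /api/v1/audit/run                 deny
root  GET   /api/v1/audit/overview            allow
admin GET   /api/v1/audit/overview            allow
mini  GET   /api/v1/audit/overview            deny
noc   GET   /api/v1/audit/overview            allow
root  GET   /api/v1/auth/users                allow
admin GET   /api/v1/auth/users                deny
mini  GET   /api/v1/auth/users                deny
noc   GET   /api/v1/auth/users                deny
"

# run_matrix -> one PASS/FAIL line per row; returns the number of failures.
# Status codes cannot show masking; inspect the noc response bodies separately.
run_matrix() {
  local fails=0 role method path expect token status
  while read -r role method path expect; do
    [ -n "$role" ] || continue
    token=''
    if [ "$role" != "-" ]; then token=$(login "$role") || token=''; fi
    status=$(http_status "$token" "$method" "$path") || true
    if check_status "$expect" "$status"; then
      printf 'PASS %-5s %-5s %-36s %s\n' "$role" "$method" "$path" "$status"
    else
      printf 'FAIL %-5s %-5s %-36s got %s, expected %s\n' "$role" "$method" "$path" "$status" "$expect"
      fails=$((fails + 1))
    fi
  done <<EOF
$MATRIX
EOF
  return "$fails"
}

# Only hit the network when invoked as: bash rbac-check.sh --run
if [ "${1:-}" = "--run" ]; then run_matrix; fi
```

Run it with `API=https://api.ops.ligbox.com.br bash rbac-check.sh --run` to exercise the public hostname from section 3. "allow" deliberately accepts 400/422 for the placeholder body: the question each row answers is whether the authorization layer blocked the call, not whether the payload was valid, so a server that validates the body before checking the role still passes the RBAC row and fails only if it returns 401/403.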