fix: per-persona session/file isolation + onboarding route order

- session_store: store sessions under home/{user}/persona/{name}/session_data/ instead of the shared cortex/data/sessions/ bucket - chat endpoints: add user/persona query params to /sessions, /history/*, /sessions/*, /note so they resolve the correct persona context - files router: add user/persona query params to /files and /files/{name} so the file browser loads the right persona's files - app.js: pass user/persona on all session, history, and file fetches; move _fileParams to top-level scope so it is available everywhere - onboarding: fix FastAPI route ordering — register /persona before /{token} so the literal path wins and does not get captured as a token value - ui.py: read Emoji field from IDENTITY.md and inject into CORTEX_CONFIG so the header icon reflects each persona's chosen emoji - .gitignore: exclude home/**/session_data/ (runtime state) - migrate scott/inara sessions from cortex/data/sessions/ to session_data/ Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 00:01:07 -04:00
parent 99f8961bec
commit c01ef663f5
8 changed files with 197 additions and 187 deletions
--- a/cortex/routers/onboarding.py
+++ b/cortex/routers/onboarding.py
@@ -41,79 +41,9 @@ def _setup_page(error: str = "", step: int = 1) -> str:
    return html


-# ---------------------------------------------------------------------------
-# Step 1 — invite token → set password
-# ---------------------------------------------------------------------------
-
-@router.get("/{token}", include_in_schema=False)
-async def setup_page(token: str, request: Request):
-    """Show the password setup page for a valid invite token."""
-    username = validate_invite(token)
-    if not username:
-        return HTMLResponse(
-            "<h1 style='font-family:sans-serif;padding:2rem'>This link is invalid or has expired.</h1>",
-            status_code=400,
-        )
-    return HTMLResponse(_setup_page())
-
-
-@router.post("/{token}", include_in_schema=False)
-async def setup_submit(
-    token: str,
-    step: str = Form(...),
-    password: str = Form(default=""),
-    confirm: str = Form(default=""),
-    persona_name: str = Form(default=""),
-    display_name: str = Form(default=""),
-    user_real_name: str = Form(default=""),
-    emoji: str = Form(default="✨"),
-    description: str = Form(default=""),
-):
-    username = validate_invite(token)
-    if not username:
-        return HTMLResponse(
-            "<h1 style='font-family:sans-serif;padding:2rem'>This link is invalid or has expired.</h1>",
-            status_code=400,
-        )
-
-    if step == "password":
-        if len(password) < 8:
-            return HTMLResponse(_setup_page("Password must be at least 8 characters."))
-        if password != confirm:
-            return HTMLResponse(_setup_page("Passwords do not match."))
-
-        set_password(username, password)
-        consume_invite(username)
-        logger.info("setup complete (password): %s", username)
-
-        # Log them in and move to persona step
-        resp = RedirectResponse(f"/setup/{token}/persona", status_code=302)
-        resp.set_cookie(
-            COOKIE_NAME,
-            create_token(username),
-            max_age=30 * 86400,
-            httponly=True,
-            samesite="lax",
-            secure=False,
-        )
-        return resp
-
-    return HTMLResponse(_setup_page("Unknown step."), status_code=400)
-
-
-# ---------------------------------------------------------------------------
-# Intermediate redirect so the token doesn't need to live in the persona URL
-# ---------------------------------------------------------------------------
-
-@router.get("/{token}/persona", include_in_schema=False)
-async def setup_persona_via_token(token: str, request: Request):
-    """After password setup, redirect to the generic /setup/persona page."""
-    # Cookie is already set — just redirect. Token is consumed so this is safe.
-    return RedirectResponse("/setup/persona", status_code=302)
-
-
 # ---------------------------------------------------------------------------
 # Step 2 — persona creation (requires active session)
+# IMPORTANT: must be registered before /{token} so "/persona" literal wins
 # ---------------------------------------------------------------------------

@router.get("/persona", include_in_schema=False)
@@ -185,3 +115,66 @@ async def persona_submit(
    )
    logger.info("persona created: %s/%s", username, persona_name)
    return RedirectResponse(f"/{username}/{persona_name}", status_code=302)
+
+
+# ---------------------------------------------------------------------------
+# Step 1 — invite token → set password
+# IMPORTANT: registered after /persona so the literal path wins above
+# ---------------------------------------------------------------------------
+
+@router.get("/{token}", include_in_schema=False)
+async def setup_page(token: str, request: Request):
+    """Show the password setup page for a valid invite token."""
+    username = validate_invite(token)
+    if not username:
+        return HTMLResponse(
+            "<h1 style='font-family:sans-serif;padding:2rem'>This link is invalid or has expired.</h1>",
+            status_code=400,
+        )
+    return HTMLResponse(_setup_page())
+
+
+@router.get("/{token}/persona", include_in_schema=False)
+async def setup_persona_via_token(token: str, request: Request):
+    """After password setup, redirect to the generic /setup/persona page."""
+    # Cookie is already set — just redirect. Token is consumed so this is safe.
+    return RedirectResponse("/setup/persona", status_code=302)
+
+
+@router.post("/{token}", include_in_schema=False)
+async def setup_submit(
+    token: str,
+    step: str = Form(...),
+    password: str = Form(default=""),
+    confirm: str = Form(default=""),
+):
+    username = validate_invite(token)
+    if not username:
+        return HTMLResponse(
+            "<h1 style='font-family:sans-serif;padding:2rem'>This link is invalid or has expired.</h1>",
+            status_code=400,
+        )
+
+    if step == "password":
+        if len(password) < 8:
+            return HTMLResponse(_setup_page("Password must be at least 8 characters."))
+        if password != confirm:
+            return HTMLResponse(_setup_page("Passwords do not match."))
+
+        set_password(username, password)
+        consume_invite(username)
+        logger.info("setup complete (password): %s", username)
+
+        # Log them in and move to persona step
+        resp = RedirectResponse(f"/setup/{token}/persona", status_code=302)
+        resp.set_cookie(
+            COOKIE_NAME,
+            create_token(username),
+            max_age=30 * 86400,
+            httponly=True,
+            samesite="lax",
+            secure=False,
+        )
+        return resp
+
+    return HTMLResponse(_setup_page("Unknown step."), status_code=400)