LocalUser
SQL-backed user for Indie mode (Mode A).
Stores credentials and profile information locally.Default implementation for rapid development.
Attributes: email: Unique email address (login identifier) password_hash: Argon2 hash of password (excluded from serialization) full_name: Optional display name is_active: Whether user can log in (default True) roles: List of assigned roles used for RBAC checks
Security: - password_hash is excluded from model_dump() and model_dump_json() - Never store plaintext passwords - Use argon2 for hashing (see LocalIdentityAdapter)
Example: user = LocalUser( email="john@example.com", password_hash="$argon2id$v=19$...", full_name="John Doe", )Source: user.py
Fields
Section titled “Fields”| Field | Type | Required | Description | Validators |
|---|---|---|---|---|
| str | Unique email address | - | ||
| password_hash | str | password hash | - | |
| full_name | None | User’s display name | - | |
| is_active | bool | Whether user can log in | - | |
| roles | list[str] | Assigned RBAC roles | - | |
| tenants | list[str] | ( |
"Tenant binds this user may access. Empty means unscoped: combined with " "the 'System' role it yields a trustee/back-office view across every " "registered tenant; without 'System' an empty list grants no tenant data.") | - |Configuration
Section titled “Configuration”| Setting | Value |
|---|---|
| Submittable | False |
| Track Changes | True |
Controller
Section titled “Controller”Controller hooks are implemented in *_controller.py files.
Available lifecycle hooks:
validate()- Called before save, raise exceptions for validation errorsbefore_insert()- Called before inserting a new documentafter_insert()- Called after successfully insertingbefore_save()- Called before saving (insert or update)after_save()- Called after savingbefore_delete()- Called before deletingafter_delete()- Called after deleting