feat: Identify root users by configurable email instead of hardcoded username for privileged actions.

.env.example

@@ -16,3 +16,7 @@ INTERNAL_SERVICE_TOKEN=
 CLOUDFLARE_API_TOKEN=
 CLOUDFLARE_ACCOUNT_ID=
 CLOUDFLARE_WEB_ANALYTICS_SITE_TAG=
+
+# Root email whitelist for privileged user-creation actions (comma-separated)
+# Default: admin@svc.plus
+ROOT_EMAIL_WHITELIST=admin@svc.plus

src/app/api/admin/users/route.ts

@@ -48,8 +48,8 @@ function normalizeGroups(value: unknown): string[] | null {
   return Array.from(new Set(result))
 }
 
-function isRootUser(username?: string): boolean {
-  return username?.trim().toLowerCase() === 'root'
+function isAllowedRootEmail(email?: string): boolean {
+  return email?.trim().toLowerCase() === 'admin@svc.plus'
 }
 
 export async function POST(request: NextRequest) {
@@ -64,7 +64,7 @@ export async function POST(request: NextRequest) {
     return NextResponse.json<ErrorPayload>({ error: 'forbidden' }, { status: 403 })
   }
 
-  if (!isRootUser(user.username)) {
+  if (!isAllowedRootEmail(user.email)) {
     return NextResponse.json<ErrorPayload>({ error: 'root_only' }, { status: 403 })
   }
 

src/modules/extensions/builtin/user-center/routes/management.tsx

@@ -67,7 +67,7 @@ export default function UserCenterManagementRoute() {
   const canAccess = accessDecision.allowed
   const canEditPermissions = Boolean(user?.isAdmin)
   const canEditRoles = Boolean(user?.isAdmin)
-  const canCreateCustomUser = Boolean(user?.isAdmin && user?.username?.trim().toLowerCase() === 'root')
+  const canCreateCustomUser = Boolean(user?.isAdmin && user?.email?.trim().toLowerCase() === 'admin@svc.plus')
 
   const [matrixDraft, setMatrixDraft] = useState<PermissionMatrix>({})
   const [matrixVersion, setMatrixVersion] = useState<number>(0)