When backend SSO_ENABLED=false, regular API endpoints skip auth, but the
admin panel still needs to identify the caller. Now Bearer token is always
validated first; mock dev@localhost fallback only kicks in when no token is
present AND SSO is disabled (local dev).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

- Add runtime_config.php: credential store backed by runtime_config.json
  (gitignored). Falls back to .env values so existing envs need no migration.
- Add admin_api.php: status / test_kling / update_kling endpoints gated
  behind ADMIN_EMAILS allowlist. Accepts Bearer idToken when SSO enabled;
  uses mock dev@localhost when SSO disabled.
- config.php: replace KLING_ACCESS_KEY/SECRET_KEY defines with ADMIN_EMAILS
- kling_api.php: read credentials via getKlingCredentials() on every request
  so rotations take effect immediately without a server restart
- All .env templates: add ADMIN_EMAILS= (dev@localhost populated in .env.local)
- AdminSettings.jsx: modal with masked status, Test Connection, Save Credentials
- AppContent.jsx: admin status check on mount; Settings gear shown to admins
- Fix production URL in .env.production/.env.example (optical-prod.oliver.solutions)
- .gitignore: exclude backend/runtime_config.json

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
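
The caller-resolution order described in the two commit messages above, as an added example that is not the project's admin_api.php. The names resolveAdminCaller and $verifyIdToken, the 401/403 status codes, and the sample tokens and emails are assumptions made for illustration.

```php
<?php
// Hypothetical helper, not the project's code. $verifyIdToken stands in for
// real idToken validation: it returns the caller's email for a valid token
// and null for anything else.
function resolveAdminCaller(array $headers, bool $ssoEnabled,
                            callable $verifyIdToken, array $adminEmails): array
{
    $auth = '';
    foreach ($headers as $name => $value) {   // header names are case-insensitive
        if (strcasecmp((string)$name, 'Authorization') === 0) {
            $auth = trim((string)$value);
        }
    }

    if (preg_match('/^Bearer\s+(\S+)$/i', $auth, $m) === 1) {
        // A presented token is always validated, whatever SSO_ENABLED says.
        $email = $verifyIdToken($m[1]);
        if ($email === null) {
            return ['status' => 401, 'email' => null];  // bad token: no mock fallback
        }
    } elseif ($auth === '' && !$ssoEnabled) {
        $email = 'dev@localhost';                       // local-dev mock caller
    } else {
        return ['status' => 401, 'email' => null];      // missing or malformed credentials
    }

    // The mock caller goes through the same ADMIN_EMAILS allowlist check.
    $allow = array_map('strtolower', array_map('trim', $adminEmails));
    $ok = in_array(strtolower($email), $allow, true);
    return ['status' => $ok ? 200 : 403, 'email' => $email];
}

// Constructed sample data: a fake verifier and a fake allowlist.
$verify = fn(string $t): ?string => ['tok-alice' => 'alice@example.com',
                                     'tok-bob'   => 'bob@example.com'][$t] ?? null;
$admins = ['alice@example.com', 'dev@localhost'];

$cases = [
    ['valid admin token, SSO off',  ['Authorization' => 'Bearer tok-alice'], false],
    ['valid non-admin token',       ['authorization' => 'Bearer tok-bob'],   true],
    ['forged token, SSO off',       ['Authorization' => 'Bearer forged'],    false],
    ['no token, SSO off (dev)',     [],                                      false],
    ['no token, SSO on',            [],                                      true],
];
foreach ($cases as [$label, $headers, $sso]) {
    $r = resolveAdminCaller($headers, $sso, $verify, $admins);
    printf("%-28s => %d %s\n", $label, $r['status'], $r['email'] ?? '-');
}
```

The third case is the one the fix targets: with SSO disabled, a token that fails validation is rejected instead of being treated as the dev@localhost caller.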