Adds declarative owner provisioning from the operator CLI and clarifies the
product as owner-role-only with per-account isolation, enabling household
self-hosting. No database migrations; no breaking API changes.
Added
- `ovumcy users create <email>` operator CLI command. Provisions an owner account declaratively — for example from a YunoHost install script — without the open-register-then-close workaround. The password is read from stdin (for automation) or an interactive no-echo prompt, never from argv or the environment; `--show-recovery-code` prints the one-time recovery code on demand; `--skip-if-exists` makes re-runs idempotent.
- Household self-hosting. A single instance may host several independent owner accounts, each the sole owner of its own data and isolated from the others. The privacy model is documented as owner-role-only in `SECURITY.md` and `docs/SECURITY_INVARIANTS.md`, with cross-owner isolation pinned by regression tests.
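
An added example, not part of the project's own scripts, of how an install script could call `ovumcy users create` so the password stays out of argv and the environment and re-runs stay idempotent. The helper names, the secret-file path, placing the flag after the email, and the CLI reading the password as a single line are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not Ovumcy's code). From the release notes: the
# `ovumcy users create <email>` command, --skip-if-exists, password on stdin.
# Assumed: helper names, file paths, flag placement after the email, and
# that the CLI reads the password as one line.

# Create a private secret file holding a random password, unless it exists.
# The password travels through a pipe into the file, never via argv or env.
make_secret_file() {
    local path="$1"
    [ -e "$path" ] && return 0          # keep the original secret on re-runs
    (
        umask 077                       # file is created with mode 0600
        head -c 24 /dev/urandom | base64 > "$path"
    )
}

# Accept only a regular, non-symlink file with no group/other permissions.
secret_file_is_private() {
    local path="$1" mode
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    mode=$(ls -ld "$path" | cut -c5-10)  # group and other permission bits
    [ "$mode" = "------" ]
}

# Provision one owner account; safe to call on every install or upgrade run.
provision_owner() {
    local email="$1" secret="$2"
    make_secret_file "$secret" || return 1
    if ! secret_file_is_private "$secret"; then
        echo "refusing to use $secret: not a private regular file" >&2
        return 1
    fi
    # Password arrives on stdin; argv carries only the email and the flag.
    ovumcy users create "$email" --skip-if-exists < "$secret"
}

# Hypothetical usage from an install script:
#   provision_owner owner@example.test /etc/ovumcy/owner.pw
```

Because the secret file is only generated when missing, a re-run with `--skip-if-exists` leaves both the account and the stored password unchanged.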
Internal
- Removed the never-shipped non-owner "viewer" sanitization path; the day-read service now returns owner data directly. The role-integrity guard (`ValidateSupportedWebUser`) is retained.