Copilot AI commented Feb 8, 2026

The _system user is a read-only account that owns global LLM Service Definitions but should not actively send requests. Previously, no explicit validation prevented this.

Changes

Validation Layer

  • Added ValidateNotSystemUser() in internal/handlers/validation.go returning 403 Forbidden for _system user
  • Applied validation to all write/delete handlers:
    • Similarity requests (GET/POST similars)
    • Embeddings (POST/DELETE embeddings)
    • Projects (PUT/POST/DELETE projects)
    • Users (PUT/POST/DELETE users)
    • LLM Service Definitions (PUT/POST/DELETE definitions)
    • LLM Service Instances (PUT/POST/DELETE instances)

Tests

  • Unit tests for validation function (3 cases)
  • Integration tests covering all 13 protected endpoints

Example

func putProjectFunc(ctx context.Context, input *models.PutProjectRequest) (*models.UploadProjectResponse, error) {
    // Validate that _system user cannot send requests
    if err := ValidateNotSystemUser(input.UserHandle); err != nil {
        return nil, err
    }
    // ... rest of handler
}

Requests from _system now return:

HTTP 403 Forbidden
{"detail": "_system user cannot send requests - this is a read-only account"}

Read operations and admin-managed resources for _system remain unchanged.

Original prompt

I want you to please make it so that requests cannot be sent from the "_system" user. This user account is read-only for normal use (populated during db migration or via requests sent by the admin user).


Copilot AI and others added 3 commits February 8, 2026 16:49
Co-authored-by: awagner-mainz <2088443+awagner-mainz@users.noreply.github.com>
Co-authored-by: awagner-mainz <2088443+awagner-mainz@users.noreply.github.com>
Co-authored-by: awagner-mainz <2088443+awagner-mainz@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Restrict requests from the _system user account" to "Prevent _system user from sending requests" Feb 8, 2026
Copilot AI requested a review from awagner-mainz February 8, 2026 16:57
@awagner-mainz awagner-mainz left a comment

@copilot please use the huma.Error* wrapper in all the error messages. Or can we rely on the err in the various

	if err := ValidateNotSystemUser(input.UserHandle); err != nil {
		return nil, err
	}

checks to be originating from the return huma.Error403Forbidden("_system user cannot send requests - this is a read-only account") in the internal/handlers/validation.go/ValidateNotSystemUser() function?

Copilot AI commented Feb 8, 2026

@copilot please use the huma.Error* wrapper in all the error messages. Or can we rely on the err in the various

Yes, we can rely on the error originating from huma.Error403Forbidden() in ValidateNotSystemUser(). The error is already properly wrapped and will be returned with the correct HTTP 403 status code and format.

This is intentional and consistent with how Huma handles errors:

  • ValidateNotSystemUser() returns huma.Error403Forbidden() directly (line 106 in validation.go)
  • When handlers return this error via return nil, err, Huma automatically formats it correctly
  • No additional wrapping is needed in the calling code

This differs from other validation functions like ValidateEmbeddingDimensions() which return plain fmt.Errorf() errors that handlers wrap with huma.Error400BadRequest(). The difference is intentional: ValidateNotSystemUser() is about authorization (403), not data validation (400).
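
The error flow discussed in this thread, as an added example that is not code from the pull request or from Huma: statusError and StatusOf are stand-ins (assumptions) for a framework error that carries its HTTP status and for the responder that reads it, and validateDimensions, postEmbedding and the handle "alice" used to exercise them are hypothetical.

```go
package main

import "errors"
import "fmt"

// statusError is a stand-in (assumption) for an error that carries its own HTTP status.
type statusError struct{ status int; detail string }

func (e *statusError) Error() string { return e.detail }

// ValidateNotSystemUser is the authorization guard: it returns a ready-made 403.
func ValidateNotSystemUser(userHandle string) error {
	if userHandle == "_system" {
		return &statusError{403, "_system user cannot send requests - this is a read-only account"}
	}
	return nil
}

// validateDimensions (hypothetical) is a data validator returning a plain error.
func validateDimensions(got, want int) error {
	if got != want {
		return fmt.Errorf("got %d dimensions, want %d", got, want)
	}
	return nil
}

// postEmbedding (hypothetical handler) runs the guard before any data validation.
func postEmbedding(userHandle string, got, want int) error {
	if err := ValidateNotSystemUser(userHandle); err != nil {
		return err // already carries 403, no wrapping needed
	}
	if err := validateDimensions(got, want); err != nil {
		return &statusError{400, err.Error()} // plain error wrapped as 400
	}
	return nil
}

// StatusOf models the responder: the status the error carries, else 500.
func StatusOf(err error) int {
	var se *statusError
	switch {
	case errors.As(err, &se):
		return se.status
	case err != nil:
		return 500 // a plain error that no handler wrapped
	}
	return 200
}

func main() { fmt.Println(StatusOf(postEmbedding("_system", 2, 3))) }
```

Because the guard runs first, a _system request with invalid data still gets 403 rather than a 400 that would reveal validation details; a plain error returned without wrapping surfaces as 500.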

Copilot AI requested a review from awagner-mainz February 8, 2026 17:05
@awagner-mainz awagner-mainz marked this pull request as ready for review February 8, 2026 17:08
@awagner-mainz awagner-mainz merged commit 9ba1ffe into main Feb 8, 2026
1 of 2 checks passed
@awagner-mainz awagner-mainz deleted the copilot/prevent-system-user-requests branch February 8, 2026 17:09