# WBS Public API

Minimal authenticated proxy serving the WBS dashboard and forwarding DML SQL to Turso.

## Architecture
- Cloudflare Tunnel → 127.0.0.1:7003 → FastAPI → Turso HTTP API
- Cloudflare Access enforces email/OAuth auth at the edge
- JWT verified again in app.py (defense in depth)
- SQL allowlist: only SELECT/INSERT/UPDATE/DELETE permitted

## Files
- `app.py` — FastAPI service
- `static/index.html` — WBS dashboard (copy of /home/ubuntu/second-brain/wbs_dashboard.html)
- `.env` — secrets (not committed)
- `requirements.txt` — pinned deps

## Run
Managed by systemd: `sudo systemctl {start|stop|restart|status} wbs-public`
Logs: `journalctl -u wbs-public -f`

## Update dashboard
```bash
cp ../wbs_dashboard.html static/index.html
sudo systemctl restart wbs-public
```

## Stakeholder sign-off log
- 2026-05-10: Initial deploy. DivaDumbDumb approved Option A (pass-through /turso with DDL allowlist), FastAPI, systemd, read-write Turso token + JWT verification.
