grant/keysat-root
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix scoped-API-key panel doc drift; add unlimited_merchant_profiles operator TODO

Browse Source
This commit is contained in:
Keysat
2026-06-16 13:05:28 -05:00
parent 532229d488
commit 5b3322413f
1 changed files with 11 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
AGENTS.md
+11 -4
View File
@@ -99,8 +99,14 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/
- Split `audit:read` out of the blanket `:read` scope into its own tier so a
Read-only scoped key can read dashboards/licenses but NOT the full audit log
(`api/api_keys.rs::Role::grants`). Deferred from the scoped-keys session.
- Build the admin SPA "API keys" management panel (create w/ role picker, list,
revoke) — backend is wired; UI deferred to a design-focused session.
- **Operator action (manual; needs the master admin key — a read-only key can't
write):** grant `unlimited_merchant_profiles` to the **Pro and Patron** tiers on
the live master. Confirmed 2026-06-16 against `licensing.keysat.xyz` that the slug
is absent from all three keysat policies (Creator/Pro/Patron), from the master's
own Patron self-license, and from the product `entitlements_catalog`. Steps: add
the slug to the keysat product `entitlements_catalog`, then to the Pro + Patron
policy entitlements (admin UI), then re-issue the master self-license so it takes
effect.
## Current state (2026-06-16)
@@ -125,11 +131,12 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/
- **Work queue (next, in order)**:
1. 3 remaining multi-profile UIs (rail picker, per-profile SMTP, rail-pref
editor); `unlimited_merchant_profiles` on master Pro/Patron policies.
editor). (`unlimited_merchant_profiles` for Pro/Patron is now an operator
TODO above.)
2. Cut `:56` to ship this session's write path to the registry (bump manifest →
`make universal``publish.sh`) — bundle with the UIs above if landing soon.
3. Deferred (now in Open TODOs): split `audit:read` out of the blanket `:read`
scope; build the admin "API keys" management SPA panel.
scope into its own tier.
- **Discovered this session (P2, unfixed)**: `set_product_entitlements_catalog`
has no `rows_affected` guard — a bad product-id silently 200s with stale data