From 5b3322413ffe54e09fb0084e3c010afe25cb7a85 Mon Sep 17 00:00:00 2001 From: Keysat Date: Tue, 16 Jun 2026 13:05:28 -0500 Subject: [PATCH] Fix scoped-API-key panel doc drift; add unlimited_merchant_profiles operator TODO --- AGENTS.md | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 20f3b74..fe5c221 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -99,8 +99,14 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/ - Split `audit:read` out of the blanket `:read` scope into its own tier so a Read-only scoped key can read dashboards/licenses but NOT the full audit log (`api/api_keys.rs::Role::grants`). Deferred from the scoped-keys session. -- Build the admin SPA "API keys" management panel (create w/ role picker, list, - revoke) — backend is wired; UI deferred to a design-focused session. +- **Operator action (manual; needs the master admin key — a read-only key can't + write):** grant `unlimited_merchant_profiles` to the **Pro and Patron** tiers on + the live master. Confirmed 2026-06-16 against `licensing.keysat.xyz` that the slug + is absent from all three keysat policies (Creator/Pro/Patron), from the master's + own Patron self-license, and from the product `entitlements_catalog`. Steps: add + the slug to the keysat product `entitlements_catalog`, then to the Pro + Patron + policy entitlements (admin UI), then re-issue the master self-license so it takes + effect. ## Current state (2026-06-16) 
@@ -125,11 +131,12 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/ - **Work queue (next, in order)**: 1. 3 remaining multi-profile UIs (rail picker, per-profile SMTP, rail-pref - editor); `unlimited_merchant_profiles` on master Pro/Patron policies. + editor). (`unlimited_merchant_profiles` for Pro/Patron is now an operator + TODO above.) 2. Cut `:56` to ship this session's write path to the registry (bump manifest → `make universal` → `publish.sh`) — bundle with the UIs above if landing soon. 3. Deferred (now in Open TODOs): split `audit:read` out of the blanket `:read` - scope; build the admin "API keys" management SPA panel. + scope into its own tier. - **Discovered this session (P2, unfixed)**: `set_product_entitlements_catalog` has no `rows_affected` guard — a bad product-id silently 200s with stale data
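Review bot: In the first hunk (`@@ -99,8 +99,14`), the new operator-action bullet ends its steps at "re-issue the master self-license so it takes effect" with no verification step, yet its first step writes the product `entitlements_catalog`, and the "Discovered this session" entry in this same file records that `set_product_entitlements_catalog` has no `rows_affected` guard and returns 200 on a bad product-id. Suggest adding a final step that reads back the catalog, the Pro and Patron policies and the re-issued self-license to confirm `unlimited_merchant_profiles` is present, which is the same check the bullet says was run on 2026-06-16 to find it absent. Splitting the three steps into a numbered sub-list would also make the ordering harder to misread, since they are carried out with the master admin key.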
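Review bot: In the second hunk (`@@ -125,11 +131,12`), work-queue item 3 drops "build the admin "API keys" management SPA panel" and the first hunk removes the matching Open TODOs bullet, but neither hunk says what state the panel is in. The subject line calls this doc drift, so if the panel already exists, say so in this section so the item does not read as silently abandoned. Separately, the parenthetical added to item 1 points to "an operator TODO above" while item 3 says "now in Open TODOs"; use the section name in both places so the reference survives reordering.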