Record merchant-onboard scoped-key role in Current state

Keysat
2026-06-16 18:56:09 -05:00
parent a257394c01
commit 62db8c81f3
+21 -4
@@ -131,6 +131,22 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/
end-to-end** (resolver was already complete; only the write path was missing).
See `docs/guides/payments.md`.
- **Committed this session (`d5885d1`, pushed origin+gitea; NOT yet
version-bumped/released)** — **new `merchant-onboard` scoped-key role** for
least-privilege self-serve onboarding: read + `products:write` +
`policies:write` + `licenses:write` (create product → define policies/tiers →
issue licenses) without the master key. The catalog write scopes already
existed and were enforced; only the `Role::grants` expansion was missing, so
this is a new `Role` variant, not a scope-model change. `grants()` matches
scope strings **explicitly** (never by `:write` suffix) so it can't widen into
settings/payment/merchant-profile/webhook writes; every master-only op stays
behind `require_admin` and is unreachable; tier caps still bound it. Migration
0023 rebuilds `scoped_api_keys` to widen the role CHECK (no FKs → plain
copy/drop/rename). **Caveat for the doc-onboarding harness/marketing**: this
credential covers catalog + manual license issuance fully, but **cannot connect
a payment provider** (master-only by design), so the buyer-paid purchase flow
still needs a one-time operator step. See `src/api/api_keys.rs`.
- **Work queue (next, in order)**:
1. 3 remaining multi-profile UIs (rail picker, per-profile SMTP, rail-pref
editor).
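Review bot: in the added `merchant-onboard` entry, "read" is the only grant not written as a scope string, even though the same entry says `grants()` matches scope strings explicitly. List the exact read scopes the role receives so the entry can be checked against `src/api/api_keys.rs`. The migration 0023 sentence justifies the copy/drop/rename only by the absence of FKs; it should also say whether any indexes on `scoped_api_keys` are recreated by the rebuild. "Committed this session" will go stale in a Current state section, so a date next to `d5885d1` would hold up better.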
@@ -163,7 +179,8 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/
optional fmt/prettier standalone commit.
- **Tests/build**: `cargo check` clean (1 intentional deprecation warning); full
suite green at `:56` — unit 10, api **56** (incl. the product→merchant-profile
write-path tests), subscriptions 7, upgrades 9, worker 3, crosscheck 4,
migrations 9. No new clippy warnings. FK enforcement **confirmed** — sqlx pool
sets `foreign_keys(true)` per connection (`db/mod.rs`). CI/fmt status is in Known debt.
suite green with the merchant-onboard role — unit 10, api **57** (incl. the
merchant-onboard onboard-chain + master-only-denial test), subscriptions 7,
upgrades 9, worker 3, crosscheck 4, migrations 9 (now through 0023). No new
clippy warnings. FK enforcement **confirmed** — sqlx pool sets
`foreign_keys(true)` per connection (`db/mod.rs`). CI/fmt status is in Known debt.
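Review bot: the updated Tests/build text counts the onboard chain and the master-only denial as a single api test (56 to 57) without saying which master-only operations are asserted as denied. Name them, or state that one representative op is checked, since the role entry claims every `require_admin` op is unreachable for this credential. The new parenthetical also drops the mention of the product→merchant-profile write-path tests; keep it if those tests are still part of the suite.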