From 62db8c81f3204087adb83b48791583ae0b64fd23 Mon Sep 17 00:00:00 2001 From: Keysat Date: Tue, 16 Jun 2026 18:56:09 -0500 Subject: [PATCH] Record merchant-onboard scoped-key role in Current state --- AGENTS.md | 25 +++++++++++++++++++++---- 1 file changed, 21 insertions(+), 4 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 565d0ab..1575501 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -131,6 +131,22 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/ end-to-end** (resolver was already complete; only the write path was missing). See `docs/guides/payments.md`. +- **Committed this session (`d5885d1`, pushed origin+gitea; NOT yet + version-bumped/released)** — **new `merchant-onboard` scoped-key role** for + least-privilege self-serve onboarding: read + `products:write` + + `policies:write` + `licenses:write` (create product → define policies/tiers → + issue licenses) without the master key. The catalog write scopes already + existed and were enforced; only the `Role::grants` expansion was missing, so + this is a new `Role` variant, not a scope-model change. `grants()` matches + scope strings **explicitly** (never by `:write` suffix) so it can't widen into + settings/payment/merchant-profile/webhook writes; every master-only op stays + behind `require_admin` and is unreachable; tier caps still bound it. Migration + 0023 rebuilds `scoped_api_keys` to widen the role CHECK (no FKs → plain + copy/drop/rename). **Caveat for the doc-onboarding harness/marketing**: this + credential covers catalog + manual license issuance fully, but **cannot connect + a payment provider** (master-only by design), so the buyer-paid purchase flow + still needs a one-time operator step. See `src/api/api_keys.rs`. + - **Work queue (next, in order)**: 1. 3 remaining multi-profile UIs (rail picker, per-profile SMTP, rail-pref editor). 
@@ -163,7 +179,8 @@ Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/ optional fmt/prettier standalone commit. - **Tests/build**: `cargo check` clean (1 intentional deprecation warning); full - suite green at `:56` — unit 10, api **56** (incl. the product→merchant-profile - write-path tests), subscriptions 7, upgrades 9, worker 3, crosscheck 4, - migrations 9. No new clippy warnings. FK enforcement **confirmed** — sqlx pool - sets `foreign_keys(true)` per connection (`db/mod.rs`). CI/fmt status is in Known debt. + suite green with the merchant-onboard role — unit 10, api **57** (incl. the + merchant-onboard onboard-chain + master-only-denial test), subscriptions 7, + upgrades 9, worker 3, crosscheck 4, migrations 9 (now through 0023). No new + clippy warnings. FK enforcement **confirmed** — sqlx pool sets + `foreign_keys(true)` per connection (`db/mod.rs`). CI/fmt status is in Known debt.
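Review bot: In the `@@ -131,6 +131,22 @@` hunk, the new `merchant-onboard` bullet lists the grant as "read + `products:write` + `policies:write` + `licenses:write`", but "read" is not a scope string, and the same bullet stresses that `grants()` matches scope strings explicitly. Name the exact read scopes (or the existing role whose read set is reused) so the entry can be checked line by line against `Role::grants` in `src/api/api_keys.rs`. The bullet also justifies the migration 0023 rebuild of `scoped_api_keys` only by "no FKs"; it would help to add whether the copy step carries existing key rows over unchanged and whether any indexes on the table are recreated after the rename. Finally, "Committed this session" and "NOT yet version-bumped/released" will go stale in a Current state section, so a date or a pointer to the release that eventually ships `d5885d1` would keep it accurate.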
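Review bot: In the `@@ -163,7 +179,8 @@` hunk, the api count goes from 56 to 57 for a single "merchant-onboard onboard-chain + master-only-denial test", while the role bullet claims the key cannot reach settings, payment, merchant-profile or webhook writes and that every master-only op is unreachable. One added test covering both the positive chain and the denial makes it unclear which of those denied surfaces are actually asserted; list the master-only endpoints the test exercises, or split the denial into per-surface cases so the count reflects the coverage. The rewritten parenthetical also drops the earlier mention of the product→merchant-profile write-path tests even though the total only grew by one, so keep both items in the "incl." list. The `:56` marker after "suite green" was removed without a replacement; if it recorded when the suite was last run, carry an equivalent forward.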