# AGENTS.md — Keysat workspace

Self-hosted, Bitcoin-native software licensing service running as a StartOS 0.4.x
package, with four wire-compatible SDKs and a public landing/docs site.

This file holds whole-repo, every-session facts. Subsystem detail lives in scoped
guides under `docs/guides/` (symlinked to `.claude/rules/` so Claude Code
auto-loads each when you edit matching files). **Before editing a subsystem, read
its guide** — see the index below.

## Stack

- **Daemon**: Rust 1.88, `axum`, `sqlx` + SQLite, Ed25519 signing.
- **Wrapper**: TypeScript, `@start9labs/start-sdk ^1.3.2`, `@vercel/ncc` bundle, Node 22.
- **SDKs**: TS (npm), Rust (crates.io), Python (PyPI), Go (proxy.golang.org).
- **Platform**: StartOS 0.4.0.x (LXC under the hood — commands/paths reflect that, not Docker).
- **Payment providers**: BTCPay Server (required dep); Zaprite (optional, gated by `zaprite_payments`).

## Subsystem guides (read before editing the area)

- Before editing the daemon source, read `docs/guides/daemon-architecture.md`.
- Before editing payment / provider / merchant-profile code or migrations 0020–0022, read `docs/guides/payments.md`.
- Before touching self-license or tier-gating code, read `docs/guides/licensing-tiers.md`.
- Before changing the LIC1 wire format, crypto, or crosscheck fixtures, read `docs/guides/crypto-wire-format.md`.
- Before building, bumping the version, or editing the StartOS wrapper, read `docs/guides/startos-packaging.md`.
- Before editing the admin SPA (`web/index.html`), read `docs/guides/admin-ui.md`.
- Before editing public site/docs copy, read `docs/guides/website-copy.md`.
- Before adding/altering tests or relying on lint/CI, read `docs/guides/testing.md`.

## Build / test / run (quick ref)

From `licensing-service-startos/`: `make x86` | `make arm` | `make universal` |
`make install` | `make clean` | `npm run check`. From
`licensing-service-startos/licensing-service/`: `cargo check` | `cargo build
--release` | `cargo test` | `cargo test --test <suite>` | `cargo test <name>`.
Details, the version-bump-before-build rule, and release scripts:
`docs/guides/startos-packaging.md`. Test suites, the no-CI / formatting-not-enforced
status, and known-failing tests: `docs/guides/testing.md`.

## Directory layout

```
licensing-service-startos/        daemon + StartOS wrapper (s9pk package source)
  licensing-service/src/          Rust daemon            → guides/daemon-architecture.md
  licensing-service/migrations/   SQLite migrations (numbered, additive)
  licensing-service/web/index.html  embedded admin SPA   → guides/admin-ui.md
  licensing-service/tests/        integration suites     → guides/testing.md
  startos/                        wrapper TS             → guides/startos-packaging.md
  Dockerfile  Makefile  s9pk.mk   build pipeline
keysat-xyz-landing/ keysat-docs/ keysat-registry-landing/   public sites → guides/website-copy.md
licensing-client-{rust,ts,python,go}/  the four SDK source repos
activate-license-template/        Tauri desktop template for license activation
keysat-design-system/             design tokens / brand assets
plans/                            design specs (multi-provider-payment-model.md, keysat-smtp-emails.md)
tests/crosscheck/                 cross-language LIC1 verifier → guides/crypto-wire-format.md
```

Note: the daemon (`licensing-service-startos`, repo `keysat`), each SDK, and
`plans/` are **separate git repos** — commit code/plan changes in their own repo.
The root `Licensing` repo (`keysat-root`) tracks only `AGENTS.md` + `docs/guides/`
+ `.claude/rules/` + `EVALUATION.md` (the latest full-eval report; overwritten
each run, history in git log). **Remotes differ per repo**: the daemon's `main` tracks
**GitHub** (`origin`, the public upstream) with a `gitea` backup — plain `git push`
goes to GitHub, so also `git push gitea main`; root + plans are **Gitea-only**.
Run `git remote -v` (full) and check what the branch tracks before pushing.

## Conventions (whole-repo)

- Daemon licensed `LicenseRef-Keysat-1.0` (custom, source-available); SDKs MIT.
- Commits in imperative mood, body only when the "why" isn't obvious. **Sign as
  Keysat (Grant), not Claude** — git user is `Keysat`.
- Direct push to `main` + run `~/.keysat/publish.sh` is the authorized release flow
  until launch.
- Never rewrite user-facing copy outside the explicit scope of a request.

## Never

- **No AI co-authorship** on commits or PRs (no "Co-Authored-By", no "Generated with…").
- **Don't push `--no-verify`** or bypass hooks unless explicitly authorized.
- **Don't commit built artifacts** (`*.s9pk`, `keysat-*.s9pk`, `javascript/`) or
  **secrets** — reference env-var names; real values live in `~/.keysat/filebrowser.env`
  and `/data/keysat-license.txt` outside the repo.

## Memory references

Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/memory/`
(scan before a major change): `keysat_release_workflow.md`,
`no_unauthorized_copy_changes.md`, `keysat_admin_ui_pill_convention.md`,
`startos_lxc.md`, `startos_registry_icon_unrenderable.md`, `keysat_open_threads.md`.

## Open TODOs

- `riscv` build target is unverified and not declared in the manifest (so
  `make universal` excludes it); revisit only if a riscv StartOS target appears.
- StartOS Community Registry submission criteria — Start9 hasn't published the
  checklist; reach out directly when ready.
- Registry icon doesn't render in the StartOS marketplace (see `guides/startos-packaging.md`).
- Split `audit:read` out of the blanket `:read` scope into its own tier so a
  Read-only scoped key can read dashboards/licenses but NOT the full audit log
  (`api/api_keys.rs::Role::grants`). Deferred from the scoped-keys session.
- Build the admin SPA "API keys" management panel (create w/ role picker, list,
  revoke) — backend is wired; UI deferred to a design-focused session.

## Current state (2026-06-13)

- **Live**: registry `registry.keysat.xyz` now publishes **`0.2.0:55`** — universal
  multi-arch (x86_64 + aarch64, verified via the registry index + s9pk header),
  GitHub release `v0.2.0-55`, canonical s9pk at `files.keysat.xyz/keysat.s9pk`.
  Migrations 0020–0022; four SDKs published; `keysat.xyz` + `docs.keysat.xyz`
  deployed (docs redeployed this session). **The live server `immense-voyage.local`
  still runs `:54` until updated from the registry.** `:55` ships the two
  prior-session P1s (scoped keys, settle-amount tripwire) + this session's packaging
  work.
- **Shipped this session (`:55` published; all committed + pushed)** — doc-auditor +
  start9-spec-checker + reviewer passes, all approved/no blockers; `tsc`/`bash -n`
  clean. Landed: **all 4 StartOS submission blockers** (new `instructions.md`;
  manifest `packageRepo`/`docsUrls` dead-link fixes; **universal multi-arch publish**
  — `publish.sh` → `make universal`, registry entry carries both arches with no arch
  restriction); enforce-mode drift cleaned from `activateLicense.ts`/`showCredentials.ts`
  (enforce retired, `self_license.rs:15`); 5 doc-drift fixes (api 47→54; FK confirmed
  `db/mod.rs:29`; `integrate.html` phantom `GET /v1/licenses/{id}/status` → `POST
  /v1/validate`; `v0.2.0.ts` stale header; go README v0.2); **refunds scrubbed from
  public docs** (Keysat has no refund feature — out-of-band only, v0.3 revoke-on-refund
  hook is a no-op; admin-UI "handle out of band" disclaimers kept). Remotes: keysat-root
  → gitea-only; keysat-docs, daemon, go SDK → GitHub `origin` + gitea backup.
- **`:52`/`:53` = multi-provider/merchant-profile model**: data model + backend
  resolution shipped and audited sound; resolution/CRUD query surface has tests.
  Both `:54` P0s (provider-injection test seam; Zaprite webhook-forgery re-confirm)
  remain fixed; live purchase + settle paths sound.

- **Shipped in `:55` (was the prior session's unshipped P1s)**:
  1. **Settle-amount tripwire.** `get_invoice_status` now returns
     `ProviderInvoiceSnapshot { status, amount }`; `audit_settle_amount` (shared by
     webhook + reconcile issue paths) WARNs + writes an `invoice.amount_mismatch`
     audit row on drift, then **issues anyway** (advisory, not a gate — a hard gate
     would fight BTCPay payment tolerance). SAT-only: skips non-SAT (fiat sub
     renewals) and `None`. Reviewed (caught + fixed a fiat-renewal false-positive).
     See `docs/guides/payments.md`.
  2. **Scoped API keys wired.** 58 admin endpoints migrated `require_admin`→
     `require_scope`; 12 sensitive ones stay master-only (issuer key, provider
     connect/disconnect, set-password, api-key CRUD, db-info, operator-name,
     per-license tier change). `require_scope` re-exported from `api::admin`. Role
     boundary tests added. Boundary documented in `api/api_keys.rs` module doc.

- **GAP — multi-profile still non-functional end-to-end**: nothing writes
  `products.merchant_profile_id` (INSERT in `create_product_with_currency` omits
  it; `update_product_with_currency` has no field; `Product` in `models.rs` lacks
  it). Resolver fully supports it; only the product→profile **write path** is
  missing. **Gating piece for multi-profile.**

- **Work queue (next, in order)**:
  1. **product→merchant-profile picker** (the GAP — add `merchant_profile_id` to
     `Product` + `repo.rs` SELECT; `set_product_merchant_profile` writer mirroring
     `set_product_entitlements_catalog`; field on `CreateProductReq`/
     `UpdateProductReq` applied post-write; profile `<select>` from
     `GET /v1/admin/merchant-profiles`, shown only when >1 profile; no migration).
  2. 3 other deferred UIs (rail picker, per-profile SMTP, rail-pref editor);
     `unlimited_merchant_profiles` on master Pro/Patron policies.
  3. Deferred this session (now in Open TODOs): split `audit:read` out of the
     blanket `:read` scope; build the admin "API keys" management SPA panel.

- **Known debt (P2 — schedule, not urgent)**: no rate-limit on `/v1/purchase` +
  `/v1/redeem`; rate-limit bucket keys on spoofable `X-Forwarded-For` (bypass
  conditional on whether the StartOS proxy rewrites XFF — unverified); `422`/`415`
  errors return plain-text not JSON (breaks SDK `JSON.parse`); product `slug` has
  no validation (empty/300-char/meta chars stored); `GET /v1/admin/products`
  returns 405 though OpenAPI documents it; dep advisories (`sqlx`→≥0.8.1
  RUSTSEC-2024-0363, `rustls-webpki`→≥0.103.12); no CI + fmt/clippy/prettier
  unenforced. (The 4 StartOS submission blockers are resolved and shipped in `:55`.)

- **Deferred (P3+ — bulk or later decision)**: `/v1/purchase` 400 vs
  `/v1/btcpay/webhook` 503 for the same no-provider cause; undocumented required
  `kind` on discount-codes; field-naming drift (`license_id`/`id`, machines `key`
  vs `license_key`, `redeem`/`purchase` `product` vs `validate` `product_slug`);
  migration self-heal `_sqlx_migrations` allowlist foot-gun; 2 KB unauth Zaprite
  payload WARN-log; outbound-webhook SSRF (operator-only); re-register the master
  Zaprite webhook at the path-keyed URL; registry icon non-render (known platform limit);
  optional fmt/prettier standalone commit.

- **Tests/build**: `cargo check` clean (1 intentional deprecation warning); full
  suite green — api **54** (incl. new settle-tripwire + scoped-key role-boundary
  tests), subscriptions 7, upgrades 9, worker 3, crosscheck 4, migrations 9. No new
  clippy warnings. FK enforcement **confirmed** — sqlx pool sets `foreign_keys(true)`
  per connection (`db/mod.rs`). CI/fmt status is in Known debt.