keysat-root/AGENTS.md

# AGENTS.md — Keysat workspace

Self-hosted, Bitcoin-native software licensing service running as a StartOS 0.4.x
package, with four wire-compatible SDKs and a public landing/docs site.

This file holds whole-repo, every-session facts. Subsystem detail lives in scoped
guides under `docs/guides/` (symlinked to `.claude/rules/` so Claude Code
auto-loads each when you edit matching files). **Before editing a subsystem, read
its guide** — see the index below.

## Stack

- **Daemon**: Rust 1.88, `axum`, `sqlx` + SQLite, Ed25519 signing.
- **Wrapper**: TypeScript, `@start9labs/start-sdk ^1.3.2`, `@vercel/ncc` bundle, Node 22.
- **SDKs**: TS (npm), Rust (crates.io), Python (PyPI), Go (proxy.golang.org).
- **Platform**: StartOS 0.4.0.x (LXC under the hood — commands/paths reflect that, not Docker).
- **Payment providers**: BTCPay Server (required dep); Zaprite (optional, gated by `zaprite_payments`).

## Subsystem guides (read before editing the area)

- Before editing the daemon source, read `docs/guides/daemon-architecture.md`.
- Before editing payment / provider / merchant-profile code, the scoped-connect gate, or migrations 0020–0022 + 0024–0025, read `docs/guides/payments.md`.
- Before touching self-license or tier-gating code, read `docs/guides/licensing-tiers.md`.
- Before changing the LIC1 wire format, crypto, or crosscheck fixtures, read `docs/guides/crypto-wire-format.md`.
- Before building, bumping the version, or editing the StartOS wrapper, read `docs/guides/startos-packaging.md`.
- Before editing the admin SPA (`web/index.html`), read `docs/guides/admin-ui.md`.
- Before editing public site/docs copy, read `docs/guides/website-copy.md`.
- **Before building or changing any user-facing UI (landing, docs, admin SPA), read `design/DESIGN.md` and `design/tokens.tokens.json` and conform to them** — the brand contract; pull colors/type/space/radii/shadows from the tokens, never hardcode off-scale values.
- Before adding/altering tests or relying on lint/CI, read `docs/guides/testing.md`.

## Build / test / run (quick ref)

From `licensing-service-startos/`: `make x86` | `make arm` | `make universal` |
`make install` | `make clean` | `npm run check`. From
`licensing-service-startos/licensing-service/`: `cargo check` | `cargo build
--release` | `cargo test` | `cargo test --test <suite>` | `cargo test <name>`.
Details, the version-bump-before-build rule, and release scripts:
`docs/guides/startos-packaging.md`. Test suites, the no-CI / formatting-not-enforced
status, and known-failing tests: `docs/guides/testing.md`.

## Directory layout

```
licensing-service-startos/        daemon + StartOS wrapper (s9pk package source)
  licensing-service/src/          Rust daemon            → guides/daemon-architecture.md
  licensing-service/migrations/   SQLite migrations (numbered, additive)
  licensing-service/web/index.html  embedded admin SPA   → guides/admin-ui.md
  licensing-service/tests/        integration suites     → guides/testing.md
  startos/                        wrapper TS             → guides/startos-packaging.md
  onboarding-harness/             docs-onboarding test rig → onboarding-harness/README.md
  Dockerfile  Makefile  s9pk.mk   build pipeline
keysat-xyz-landing/ keysat-docs/ keysat-registry-landing/   public sites → guides/website-copy.md
licensing-client-{rust,ts,python,go}/  the four SDK source repos
activate-license-template/        Tauri desktop template for license activation
design/                           design contract (DESIGN.md + tokens.tokens.json) + brand/ assets; original Claude Design system archived in design/_imports/
plans/                            design specs (multi-provider-payment-model.md, keysat-smtp-emails.md)
tests/crosscheck/                 cross-language LIC1 verifier → guides/crypto-wire-format.md
```

Note: the daemon (`licensing-service-startos`, repo `keysat`), each SDK, and
`plans/` are **separate git repos** — commit code/plan changes in their own repo.
The root `Licensing` repo (`keysat-root`) tracks only `AGENTS.md` + `docs/guides/`
+ `.claude/rules/` + `EVALUATION.md` (the latest full-eval report; overwritten
each run, history in git log). **Remotes differ per repo**: the daemon's `main` tracks
**GitHub** (`origin`, the public upstream) with a `gitea` backup — plain `git push`
goes to GitHub, so also `git push gitea main`; root + plans are **Gitea-only**.
Run `git remote -v` (full) and check what the branch tracks before pushing.

## Conventions (whole-repo)

- Daemon licensed `LicenseRef-Keysat-1.0` (custom, source-available); SDKs MIT.
- Commits in imperative mood, body only when the "why" isn't obvious. **Sign as
  Keysat (Grant), not Claude** — git user is `Keysat`.
- Direct push to `main` + run `~/.keysat/publish.sh` is the authorized release flow
  until launch.
- Never rewrite user-facing copy outside the explicit scope of a request.

## Never

- **No AI co-authorship** on commits or PRs (no "Co-Authored-By", no "Generated with…").
- **Don't push `--no-verify`** or bypass hooks unless explicitly authorized.
- **Don't commit built artifacts** (`*.s9pk`, `keysat-*.s9pk`, `javascript/`) or
  **secrets** — reference env-var names; real values live in `~/.keysat/filebrowser.env`
  and `/data/keysat-license.txt` outside the repo.

## Memory references

Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-keysat/memory/`
(scan before a major change): `keysat_release_workflow.md`,
`no_unauthorized_copy_changes.md`, `keysat_admin_ui_pill_convention.md`,
`startos_lxc.md`, `startos_registry_icon_unrenderable.md`, `keysat_open_threads.md`.

## Open TODOs

- `riscv` build target is unverified and not declared in the manifest (so
  `make universal` excludes it); revisit only if a riscv StartOS target appears.
- StartOS Community Registry submission criteria — Start9 hasn't published the
  checklist; reach out directly when ready.
- Registry icon doesn't render in the StartOS marketplace (see `guides/startos-packaging.md`).
- Split `audit:read` out of the blanket `:read` scope into its own tier so a
  Read-only scoped key can read dashboards/licenses but NOT the full audit log
  (`api/api_keys.rs::Role::grants`). Deferred from the scoped-keys session.
- **Operator action (manual; needs the master admin key — a read-only key can't
  write):** grant `unlimited_merchant_profiles` to the **Pro and Patron** tiers on
  the live master. Confirmed 2026-06-16 against `licensing.keysat.xyz` that the slug
  is absent from all three keysat policies (Creator/Pro/Patron), from the master's
  own Patron self-license, and from the product `entitlements_catalog`. Steps: add
  the slug to the keysat product `entitlements_catalog`, then to the Pro + Patron
  policy entitlements (admin UI), then re-issue the master self-license so it takes
  effect.

## Current state (2026-06-17)

- **Live / canonical**: **`0.2.0:58`** published — registry + `files.keysat.xyz/keysat.s9pk`,
  GitHub `v0.2.0-58`, universal multi-arch (x86_64 + aarch64). Live box
  `immense-voyage.local` **confirmed on `:58`** (operator-verified in the StartOS UI). All
  three public sites deployed (`keysat.xyz`, `docs.keysat.xyz`, `registry.keysat.xyz`).
  Migrations through 0025; four SDKs published.

- **Shipped in `:58` — agent-payment-connect complete (slices 1–5).** A scoped key with the
  à-la-carte `payment_providers:write` scope connects a BTCPay provider over the API, but
  ONLY on a sandbox daemon (`KEYSAT_SANDBOX_MODE`) for a non-mainnet store;
  master/mainnet/production + disconnect stay master-only. The gate fails closed: the store's
  network is resolved from its on-chain receive address at callback, anything not provably
  non-mainnet is denied. Migrations 0024–0025. Three reviewer passes; live gate
  `validate-gate.sh` 10/10. Detail: `docs/guides/payments.md`, `plans/agent-payment-connect-scope.md`.

- **Onboarding doc-harness — BOTH stages `completed-clean`, AND validated as ONE combined run.**
  Stage 1 (SDK integration) + Stage 2 (regtest buyer-pays) prior sessions; **the combined
  operator-order journey (gate a paid product, then a buyer pays to unlock the gated feature)
  ran `completed-clean` on the first pass this session** and was independently re-verified end to
  end (gate shut 401/403 → BTCPay regtest connected by scoped key → 50k-sat regtest payment
  settled → purchased license opened the gate live, 200 + CSV). Rig: `onboarding-harness/stage2/`
  (`run-stage2.sh` now carries the four-step combined brief; `probe.sh` now actually mints
  `.live-env`). Walkthrough: `onboarding-harness/stage2/STAGE2-RESULT.md`. Doc fixes live on
  `keysat-docs` (agent.html/install.html); the served `openapi.rs` BTCPay paths reached the live
  spec as of `:58`.

- **Public sites refreshed this session** (via `~/.keysat/deploy-sites.sh`): `agent.html#connect-btcpay`
  gained the buyer-pays money path (`POST /v1/purchase` → poll → `license_key`, tied to the
  worked-example gate); `keysat-xyz-landing` agent section gained an "Example prompt" card (the
  one-liner an operator hands an agent). Note: `publish.sh` ships the **s9pk only** and is gated on
  a version bump — it does NOT touch the HTML sites; `deploy-sites.sh` is the tool for those.

- **Next (priority order)**:
  1. Operator data action (needs the master key): grant `unlimited_merchant_profiles` to
     Pro/Patron on the live master (confirmed-absent details in Open TODOs).
  2. 3 multi-profile UIs + split `audit:read` (ROADMAP / Open TODOs).

- **P2/P3 debt (unchanged, see ROADMAP)**: `set_product_entitlements_catalog` missing
  `rows_affected` guard; no rate-limit on purchase/redeem (spoofable XFF); `422`/`415`
  plain-text not JSON; `slug` unvalidated; dep advisories (`sqlx`→≥0.8.1,
  `rustls-webpki`→≥0.103.12); no CI / fmt-clippy unenforced; outbound webhook SSRF;
  design-contract conformance.

- **Tests/build**: full suite green — lib **18**, api **65**, subscriptions 7, upgrades 9,
  worker 3, crosscheck 4, migrations 9 (through **0025**); `cargo check` + `npm run check`
  clean (1 intentional deprecation warning); new code clippy-clean.