grant/keysat-root
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fc37b2d46bf8c835eeb03a7ef7daeaba605ba2d6
keysat-root/AGENTS.md
T
Keysat fc37b2d46b Mark 0.2.0:55 shipped; record refund scrub; clear resolved StartOS-blocker debt 
Registry now publishes :55 (universal multi-arch, verified). Public docs
scrubbed of refund copy (Keysat has no refund feature). All 4 StartOS
submission blockers resolved and shipped.
2026-06-13 07:00:08 -05:00

185 lines
11 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# AGENTS.md — Keysat workspace
Self-hosted, Bitcoin-native software licensing service running as a StartOS 0.4.x
package, with four wire-compatible SDKs and a public landing/docs site.
This file holds whole-repo, every-session facts. Subsystem detail lives in scoped
guides under `docs/guides/` (symlinked to `.claude/rules/` so Claude Code
auto-loads each when you edit matching files). **Before editing a subsystem, read
its guide** — see the index below.
## Stack
- **Daemon**: Rust 1.88, `axum`, `sqlx` + SQLite, Ed25519 signing.
- **Wrapper**: TypeScript, `@start9labs/start-sdk ^1.3.2`, `@vercel/ncc` bundle, Node 22.
- **SDKs**: TS (npm), Rust (crates.io), Python (PyPI), Go (proxy.golang.org).
- **Platform**: StartOS 0.4.0.x (LXC under the hood — commands/paths reflect that, not Docker).
- **Payment providers**: BTCPay Server (required dep); Zaprite (optional, gated by `zaprite_payments`).
## Subsystem guides (read before editing the area)
- Before editing the daemon source, read `docs/guides/daemon-architecture.md`.
- Before editing payment / provider / merchant-profile code or migrations 00200022, read `docs/guides/payments.md`.
- Before touching self-license or tier-gating code, read `docs/guides/licensing-tiers.md`.
- Before changing the LIC1 wire format, crypto, or crosscheck fixtures, read `docs/guides/crypto-wire-format.md`.
- Before building, bumping the version, or editing the StartOS wrapper, read `docs/guides/startos-packaging.md`.
- Before editing the admin SPA (`web/index.html`), read `docs/guides/admin-ui.md`.
- Before editing public site/docs copy, read `docs/guides/website-copy.md`.
- Before adding/altering tests or relying on lint/CI, read `docs/guides/testing.md`.
## Build / test / run (quick ref)
From `licensing-service-startos/`: `make x86` | `make arm` | `make universal` |
`make install` | `make clean` | `npm run check`. From
`licensing-service-startos/licensing-service/`: `cargo check` | `cargo build
--release` | `cargo test` | `cargo test --test <suite>` | `cargo test <name>`.
Details, the version-bump-before-build rule, and release scripts:
`docs/guides/startos-packaging.md`. Test suites, the no-CI / formatting-not-enforced
status, and known-failing tests: `docs/guides/testing.md`.
## Directory layout
```
licensing-service-startos/ daemon + StartOS wrapper (s9pk package source)
licensing-service/src/ Rust daemon → guides/daemon-architecture.md
licensing-service/migrations/ SQLite migrations (numbered, additive)
licensing-service/web/index.html embedded admin SPA → guides/admin-ui.md
licensing-service/tests/ integration suites → guides/testing.md
startos/ wrapper TS → guides/startos-packaging.md
Dockerfile Makefile s9pk.mk build pipeline
keysat-xyz-landing/ keysat-docs/ keysat-registry-landing/ public sites → guides/website-copy.md
licensing-client-{rust,ts,python,go}/ the four SDK source repos
activate-license-template/ Tauri desktop template for license activation
keysat-design-system/ design tokens / brand assets
plans/ design specs (multi-provider-payment-model.md, keysat-smtp-emails.md)
tests/crosscheck/ cross-language LIC1 verifier → guides/crypto-wire-format.md
```
Note: the daemon (`licensing-service-startos`, repo `keysat`), each SDK, and
`plans/` are **separate git repos** — commit code/plan changes in their own repo.
The root `Licensing` repo (`keysat-root`) tracks only `AGENTS.md` + `docs/guides/`
+ `.claude/rules/` + `EVALUATION.md` (the latest full-eval report; overwritten
each run, history in git log). **Remotes differ per repo**: the daemon's `main` tracks
**GitHub** (`origin`, the public upstream) with a `gitea` backup — plain `git push`
goes to GitHub, so also `git push gitea main`; root + plans are **Gitea-only**.
Run `git remote -v` (full) and check what the branch tracks before pushing.
## Conventions (whole-repo)
- Daemon licensed `LicenseRef-Keysat-1.0` (custom, source-available); SDKs MIT.
- Commits in imperative mood, body only when the "why" isn't obvious. **Sign as
Keysat (Grant), not Claude** — git user is `Keysat`.
- Direct push to `main` + run `~/.keysat/publish.sh` is the authorized release flow
until launch.
- Never rewrite user-facing copy outside the explicit scope of a request.
## Never
- **No AI co-authorship** on commits or PRs (no "Co-Authored-By", no "Generated with…").
- **Don't push `--no-verify`** or bypass hooks unless explicitly authorized.
- **Don't commit built artifacts** (`*.s9pk`, `keysat-*.s9pk`, `javascript/`) or
**secrets** — reference env-var names; real values live in `~/.keysat/filebrowser.env`
and `/data/keysat-license.txt` outside the repo.
## Memory references
Operator-specific memories at `~/.claude/projects/-Users-macpro-Projects-licensing-Licensing/memory/`
(scan before a major change): `keysat_release_workflow.md`,
`no_unauthorized_copy_changes.md`, `keysat_admin_ui_pill_convention.md`,
`startos_lxc.md`, `startos_registry_icon_unrenderable.md`, `keysat_open_threads.md`.
## Open TODOs
- `riscv` build target is unverified and not declared in the manifest (so
`make universal` excludes it); revisit only if a riscv StartOS target appears.
- StartOS Community Registry submission criteria — Start9 hasn't published the
checklist; reach out directly when ready.
- Registry icon doesn't render in the StartOS marketplace (see `guides/startos-packaging.md`).
- Split `audit:read` out of the blanket `:read` scope into its own tier so a
Read-only scoped key can read dashboards/licenses but NOT the full audit log
(`api/api_keys.rs::Role::grants`). Deferred from the scoped-keys session.
- Build the admin SPA "API keys" management panel (create w/ role picker, list,
revoke) — backend is wired; UI deferred to a design-focused session.
## Current state (2026-06-13)
- **Live**: registry `registry.keysat.xyz` now publishes **`0.2.0:55`** — universal
multi-arch (x86_64 + aarch64, verified via the registry index + s9pk header),
GitHub release `v0.2.0-55`, canonical s9pk at `files.keysat.xyz/keysat.s9pk`.
Migrations 00200022; four SDKs published; `keysat.xyz` + `docs.keysat.xyz`
deployed (docs redeployed this session). **The live server `immense-voyage.local`
still runs `:54` until updated from the registry.** `:55` ships the two
prior-session P1s (scoped keys, settle-amount tripwire) + this session's packaging
work.
- **Shipped this session (`:55` published; all committed + pushed)** — doc-auditor +
start9-spec-checker + reviewer passes, all approved/no blockers; `tsc`/`bash -n`
clean. Landed: **all 4 StartOS submission blockers** (new `instructions.md`;
manifest `packageRepo`/`docsUrls` dead-link fixes; **universal multi-arch publish**
`publish.sh``make universal`, registry entry carries both arches with no arch
restriction); enforce-mode drift cleaned from `activateLicense.ts`/`showCredentials.ts`
(enforce retired, `self_license.rs:15`); 5 doc-drift fixes (api 47→54; FK confirmed
`db/mod.rs:29`; `integrate.html` phantom `GET /v1/licenses/{id}/status``POST
/v1/validate`; `v0.2.0.ts` stale header; go README v0.2); **refunds scrubbed from
public docs** (Keysat has no refund feature — out-of-band only, v0.3 revoke-on-refund
hook is a no-op; admin-UI "handle out of band" disclaimers kept). Remotes: keysat-root
→ gitea-only; keysat-docs, daemon, go SDK → GitHub `origin` + gitea backup.
- **`:52`/`:53` = multi-provider/merchant-profile model**: data model + backend
resolution shipped and audited sound; resolution/CRUD query surface has tests.
Both `:54` P0s (provider-injection test seam; Zaprite webhook-forgery re-confirm)
remain fixed; live purchase + settle paths sound.
- **Shipped in `:55` (was the prior session's unshipped P1s)**:
1. **Settle-amount tripwire.** `get_invoice_status` now returns
`ProviderInvoiceSnapshot { status, amount }`; `audit_settle_amount` (shared by
webhook + reconcile issue paths) WARNs + writes an `invoice.amount_mismatch`
audit row on drift, then **issues anyway** (advisory, not a gate — a hard gate
would fight BTCPay payment tolerance). SAT-only: skips non-SAT (fiat sub
renewals) and `None`. Reviewed (caught + fixed a fiat-renewal false-positive).
See `docs/guides/payments.md`.
2. **Scoped API keys wired.** 58 admin endpoints migrated `require_admin`
`require_scope`; 12 sensitive ones stay master-only (issuer key, provider
connect/disconnect, set-password, api-key CRUD, db-info, operator-name,
per-license tier change). `require_scope` re-exported from `api::admin`. Role
boundary tests added. Boundary documented in `api/api_keys.rs` module doc.
- **GAP — multi-profile still non-functional end-to-end**: nothing writes
`products.merchant_profile_id` (INSERT in `create_product_with_currency` omits
it; `update_product_with_currency` has no field; `Product` in `models.rs` lacks
it). Resolver fully supports it; only the product→profile **write path** is
missing. **Gating piece for multi-profile.**
- **Work queue (next, in order)**:
1. **product→merchant-profile picker** (the GAP — add `merchant_profile_id` to
`Product` + `repo.rs` SELECT; `set_product_merchant_profile` writer mirroring
`set_product_entitlements_catalog`; field on `CreateProductReq`/
`UpdateProductReq` applied post-write; profile `<select>` from
`GET /v1/admin/merchant-profiles`, shown only when >1 profile; no migration).
2. 3 other deferred UIs (rail picker, per-profile SMTP, rail-pref editor);
`unlimited_merchant_profiles` on master Pro/Patron policies.
3. Deferred this session (now in Open TODOs): split `audit:read` out of the
blanket `:read` scope; build the admin "API keys" management SPA panel.
- **Known debt (P2 — schedule, not urgent)**: no rate-limit on `/v1/purchase` +
`/v1/redeem`; rate-limit bucket keys on spoofable `X-Forwarded-For` (bypass
conditional on whether the StartOS proxy rewrites XFF — unverified); `422`/`415`
errors return plain-text not JSON (breaks SDK `JSON.parse`); product `slug` has
no validation (empty/300-char/meta chars stored); `GET /v1/admin/products`
returns 405 though OpenAPI documents it; dep advisories (`sqlx`→≥0.8.1
RUSTSEC-2024-0363, `rustls-webpki`→≥0.103.12); no CI + fmt/clippy/prettier
unenforced. (The 4 StartOS submission blockers are resolved and shipped in `:55`.)
- **Deferred (P3+ — bulk or later decision)**: `/v1/purchase` 400 vs
`/v1/btcpay/webhook` 503 for the same no-provider cause; undocumented required
`kind` on discount-codes; field-naming drift (`license_id`/`id`, machines `key`
vs `license_key`, `redeem`/`purchase` `product` vs `validate` `product_slug`);
migration self-heal `_sqlx_migrations` allowlist foot-gun; 2 KB unauth Zaprite
payload WARN-log; outbound-webhook SSRF (operator-only); re-register the master
Zaprite webhook at the path-keyed URL; registry icon non-render (known platform limit);
optional fmt/prettier standalone commit.
- **Tests/build**: `cargo check` clean (1 intentional deprecation warning); full
suite green — api **54** (incl. new settle-tripwire + scoped-key role-boundary
tests), subscriptions 7, upgrades 9, worker 3, crosscheck 4, migrations 9. No new
clippy warnings. FK enforcement **confirmed** — sqlx pool sets `foreign_keys(true)`
per connection (`db/mod.rs`). CI/fmt status is in Known debt.
Reference in New Issue View Git Blame Copy Permalink