Slices 3-4 of agent-payment-connect: a scoped key carrying the a-la-carte
payment_providers:write scope may connect a BTCPay provider, but only on a
sandbox daemon (KEYSAT_SANDBOX_MODE) and only for a non-mainnet
(regtest/testnet/signet) store. Master may connect any network; disconnect and
production/mainnet reconnect stay master-only. A credential that can repoint
settlement is a fund-redirection key, so the gate is deliberately narrow and
fails closed.
- require_provider_connect: outer gate (sandbox flag) at start_connect
- btcpay/network.rs classify_address_network + client::fetch_onchain_network:
resolve the store network at finish_connect, fail-closed to mainnet on any
ambiguity (no on-chain method, non-2xx, non-JSON, unknown prefix), before any
webhook/persist side effect
- initiator carried across the OAuth round-trip via btcpay_authorize_state
(migration 0025: scoped_initiator + initiator_actor_hash); scoped connects
are audited
- the GET callback now returns the error's HTTP status (was a misleading 200 on
a denied connect)
- openapi.rs documents the BTCPay connect/callback/status/disconnect paths and
the key-creation scopes field
Validated end-to-end against a live regtest BTCPay. Full suite green; adds gate
+ network unit/integration tests.
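The two-layer gate described above, as an added illustration that is not the project's code: a prefix-only `classify_address_network` that reports every unknown or malformed prefix as mainnet, a `resolve_store_network` that maps each ambiguous lookup outcome (no on-chain method, non-2xx, non-JSON) to mainnet, and a `connect_gate` that applies the sandbox flag first and the network check second, with master exempt from both. `Network`, `Initiator`, `OnchainLookup` and `connect_gate` are names and shapes assumed for this example; signet and testnet share address prefixes, so they collapse into one variant, which is all the gate needs.

```rust
/// Bitcoin network as the connect gate sees it. Signet shares testnet's
/// address prefixes, so the two collapse into one variant; the gate only
/// needs to know "mainnet or not". (Assumed type, not the project's.)
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Network {
    Mainnet,
    TestnetOrSignet,
    Regtest,
}

impl Network {
    /// A scoped key may only connect a non-mainnet store.
    pub fn scoped_connect_allowed(self) -> bool {
        self != Network::Mainnet
    }
}

/// Who started the OAuth round-trip (carried in btcpay_authorize_state on the
/// real daemon; modelled as a plain enum here).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Initiator {
    Master,
    Scoped,
}

/// Outcome of the on-chain payment-method lookup against BTCPay. Constructed
/// shape standing in for the project's client result, so every fail-closed
/// branch can be exercised without an HTTP client.
#[derive(Debug)]
pub enum OnchainLookup<'a> {
    NoOnchainMethod,
    HttpError(u16),
    NotJson,
    Address(&'a str),
}

/// Classify an address by prefix only (no checksum validation). Unrecognised
/// prefixes, mixed-case bech32 and the empty string all report Mainnet so the
/// scoped gate denies them.
pub fn classify_address_network(addr: &str) -> Network {
    let addr = addr.trim();
    let lower = addr.to_ascii_lowercase();
    // bech32/bech32m: the HRP is case-insensitive but must not be mixed case.
    let single_case = addr == lower || addr == addr.to_ascii_uppercase();
    if single_case {
        if lower.starts_with("bcrt1") {
            return Network::Regtest;
        }
        if lower.starts_with("tb1") {
            return Network::TestnetOrSignet;
        }
        if lower.starts_with("bc1") {
            return Network::Mainnet;
        }
    }
    // base58check: the version byte fixes the leading character, case-sensitive.
    match addr.chars().next() {
        Some('m') | Some('n') | Some('2') => Network::TestnetOrSignet,
        Some('1') | Some('3') => Network::Mainnet,
        _ => Network::Mainnet, // unknown prefix or empty string: fail closed
    }
}

/// Resolve the store's network, treating every ambiguity as mainnet.
pub fn resolve_store_network<'a>(lookup: &OnchainLookup<'a>) -> Network {
    match lookup {
        OnchainLookup::Address(a) => classify_address_network(a),
        OnchainLookup::NoOnchainMethod
        | OnchainLookup::HttpError(_)
        | OnchainLookup::NotJson => Network::Mainnet,
    }
}

/// Sandbox flag at start_connect, network check at finish_connect; master is
/// subject to neither. Ok carries the resolved network for the caller to
/// persist; on Err nothing is persisted and no webhook is registered.
pub fn connect_gate<'a>(
    initiator: Initiator,
    sandbox_mode: bool,
    lookup: &OnchainLookup<'a>,
) -> Result<Network, &'static str> {
    if initiator == Initiator::Scoped && !sandbox_mode {
        return Err("scoped connect requires the sandbox daemon flag");
    }
    let network = resolve_store_network(lookup);
    if initiator == Initiator::Scoped && !network.scoped_connect_allowed() {
        return Err("scoped connect is limited to non-mainnet stores");
    }
    Ok(network)
}

fn main() {
    // Constructed inputs, not captured from a real store.
    let cases = [
        (Initiator::Scoped, true, OnchainLookup::Address("bcrt1qconstructedregtestaddr")),
        (Initiator::Scoped, false, OnchainLookup::Address("bcrt1qconstructedregtestaddr")),
        (Initiator::Scoped, true, OnchainLookup::NoOnchainMethod),
        (Initiator::Scoped, true, OnchainLookup::HttpError(503)),
        (Initiator::Scoped, true, OnchainLookup::Address("bc1qconstructedmainnetaddr")),
        (Initiator::Master, false, OnchainLookup::Address("bc1qconstructedmainnetaddr")),
    ];
    for (who, sandbox, lookup) in &cases {
        println!("{:?} sandbox={} {:?} -> {:?}", who, sandbox, lookup, connect_gate(*who, *sandbox, lookup));
    }
}
```

The ordering matters: the sandbox check runs before the network lookup, so a scoped key on a production daemon never triggers a call to the store at all, and the network result is only consulted after that outer gate has passed.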
- GET /v1/admin/licenses requires product_id (uuid), not a slug
- add the /v1/admin/licenses/search path (was referenced, never defined)
- drop the phantom GET /v1/admin/products (only POST exists; list is
the public GET /v1/products)
- clarify product price_value (write field) vs legacy price_sats

New scoped API-key role granting read + products:write + policies:write +
licenses:write — the least-privilege credential for end-to-end catalog
setup and license issuance (create product, define policies/tiers, issue
licenses against them) without holding the master key.
The catalog write scopes already existed and were enforced on the
endpoints; only the role->scope expansion was missing. So this is a new
Role variant, not a scope-model change. grants() matches scope strings
explicitly (never by :write suffix) so the role can't widen into
settings / payment / merchant-profile / webhook writes, and every
master-only operation stays behind require_admin and so is structurally
unreachable. Existing tier caps still bound it (Creator: 5 products /
5 policies per product).
Migration 0023 rebuilds scoped_api_keys to widen the role CHECK (SQLite
can't alter a CHECK in place); the table has no FKs, so it's a plain
copy/drop/rename. Test covers the full onboard chain under the key's own
credential plus denial of master-only gates and support-only writes.
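The role-to-scope expansion and the master-only gate described above, as an added example rather than the project's code. `grants()` matches the three write scopes by exact string, and `grants_by_suffix()` is the `:write`-suffix expansion the commit avoids, kept only to show what it would leak. `Credential`, the role name `CatalogIssuer`, the read-scope names, the `settings:write` / `payment_providers:write` / `merchant_profile:write` / `webhooks:write` strings and the endpoint list in `onboard_chain` are all assumed for the example; master is modelled as holding every scope.

```rust
/// Credential on a request: the master key, or a scoped key carrying a Role.
/// Master is treated as holding every scope (assumption for this example).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Credential {
    Master,
    Scoped(Role),
}

/// Scoped-key roles. `CatalogIssuer` is a hypothetical name for the new
/// read + products:write + policies:write + licenses:write role; `Support`
/// is modelled as read-only because its write scopes are not listed here.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Role {
    Support,
    CatalogIssuer,
}

/// Read scopes; names assumed for the example.
const READ_SCOPES: &[&str] = &["products:read", "policies:read", "licenses:read"];

impl Role {
    /// Role -> scope expansion. Write scopes are matched by exact string,
    /// never by a ":write" suffix, so a write scope added elsewhere in the
    /// system cannot silently widen this role.
    pub fn grants(self, scope: &str) -> bool {
        let read = READ_SCOPES.contains(&scope);
        match self {
            Role::Support => read,
            Role::CatalogIssuer => {
                read || matches!(scope, "products:write" | "policies:write" | "licenses:write")
            }
        }
    }

    /// The suffix expansion the commit rejects, kept for contrast: any
    /// ":write" scope, including settings and payment-provider writes, would
    /// be granted to the catalog role.
    pub fn grants_by_suffix(self, scope: &str) -> bool {
        let read = READ_SCOPES.contains(&scope);
        match self {
            Role::Support => read,
            Role::CatalogIssuer => read || scope.ends_with(":write"),
        }
    }
}

/// Scope check as a scoped endpoint would call it.
pub fn require_scope(cred: Credential, scope: &str) -> Result<(), String> {
    match cred {
        Credential::Master => Ok(()),
        Credential::Scoped(role) if role.grants(scope) => Ok(()),
        Credential::Scoped(role) => Err(format!("{:?} lacks scope {}", role, scope)),
    }
}

/// Master-only gate: no Role can satisfy it, so whatever sits behind it is
/// structurally unreachable with a scoped key however grants() evolves.
pub fn require_admin(cred: Credential) -> Result<(), &'static str> {
    match cred {
        Credential::Master => Ok(()),
        Credential::Scoped(_) => Err("master key required"),
    }
}

/// The onboarding chain the role exists for, run under one credential; Err
/// names the first endpoint that refused. Endpoint paths are illustrative.
pub fn onboard_chain(cred: Credential) -> Result<(), String> {
    let steps = [
        ("POST /v1/admin/products", "products:write"),
        ("POST /v1/admin/policies", "policies:write"),
        ("POST /v1/admin/licenses", "licenses:write"),
        ("GET /v1/admin/licenses", "licenses:read"),
    ];
    for (endpoint, scope) in steps.iter() {
        require_scope(cred, scope).map_err(|e| format!("{}: {}", endpoint, e))?;
    }
    Ok(())
}

fn main() {
    let key = Credential::Scoped(Role::CatalogIssuer);
    println!("onboard under catalog key: {:?}", onboard_chain(key));
    println!("payment_providers:write under catalog key: {:?}", require_scope(key, "payment_providers:write"));
    println!("require_admin under catalog key: {:?}", require_admin(key));
    println!("suffix expansion would grant payment_providers:write: {}", Role::CatalogIssuer.grants_by_suffix("payment_providers:write"));
}
```

A test in the shape the commit describes asserts both halves: the chain succeeds under the key's own credential, and the same credential is refused by `require_admin` and by every write scope outside the explicit three.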