Slices 3-4 of agent-payment-connect: a scoped key carrying the a-la-carte
payment_providers:write scope may connect a BTCPay provider, but only on a
sandbox daemon (KEYSAT_SANDBOX_MODE) and only for a non-mainnet
(regtest/testnet/signet) store. Master may connect any network; disconnect and
production/mainnet reconnect stay master-only. A credential that can repoint
settlement is a fund-redirection key, so the gate is deliberately narrow and
fails closed.
- require_provider_connect: outer gate (sandbox flag) at start_connect
- btcpay/network.rs classify_address_network + client::fetch_onchain_network:
resolve the store network at finish_connect, fail-closed to mainnet on any
ambiguity (no on-chain method, non-2xx, non-JSON, unknown prefix), before any
webhook/persist side effect
- initiator carried across the OAuth round-trip via btcpay_authorize_state
(migration 0025: scoped_initiator + initiator_actor_hash); scoped connects
are audited
- the GET callback now returns the error's HTTP status (was a misleading 200 on
a denied connect)
- openapi.rs documents the BTCPay connect/callback/status/disconnect paths and
the key-creation scopes field
Validated end-to-end against a live regtest BTCPay. Full suite green; adds gate
+ network unit/integration tests.
Grant
8eb4a97c6f