Archive/screentinker

Fork 0

mirror of https://github.com/screentinker/screentinker.git synced 2026-06-17 03:32:32 -06:00

Commit graph

Author	SHA1	Message	Date
ScreenTinker	40102b2b41	feat(api): agency portal endpoints + router.param target seam (#73 ) The agency capability behind the proven off-ladder/agencyGate primitive: - agencyGate is now SCOPE-only at the mount; the per-target check is router.param ('playlistId') in routes/agency.js - it fires WITH the param before the handler, so no :playlistId route can skip it (drift-proof). A mount-level target check was silently bypassed (Express populates req.params only at route match); the integration bite-suite caught it - this is the fix. - routes/agency.js: POST /content (shared ingest) + POST /playlists/:id/items (date-bounded #74/#75 item; lands as draft so the admin's re-publish is the approval gate). - tokens.js: issue scope='agency' tokens bound to a non-empty in-workspace playlist allowlist (atomic); PUT /:id/targets re-designates (JWT-only -> can't self-widen). - server.js: AGENCY_ROUTERS mounted bearerAuth + resolveTenancy + agencyGate. Full bite-suite (test/agency.test.js) GREEN and re-proven to bite on the SHIPPING path: neutralizing the router.param check makes non-designated->403 go red. Four assertions at three seams: target (router.param), off-ladder (tokenScopeGate), can't-widen (tokens JWT-only), issuance cross-workspace (create validation). 139 suite green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 22:48:42 -05:00
ScreenTinker	c8a24d2243	feat(api): agency-token security primitive - off-ladder scope + agencyGate (#73 ) The capability/target-restricted token model for the agency portal (#73 option B), proven before any endpoint sits on it: - 'agency' scope value is OFF the read/write/full ladder, so the existing tokenScopeGate rejects it on every public router by construction (auto-confinement, no new code). - api_token_targets join table: which playlists an agency token may act on. - agencyGate: THE single seam - agency-scope-only + (playlist in this token's allowlist AND in the bound workspace), one query enforcing target + cross-workspace isolation. - AGENCY_ROUTERS category in config/api-surface.js (mounted with agencyGate, not tokenScopeGate) - declared; router/mount land with the endpoints. Both bite-tested: spine (agency 403s on tokenScopeGate; read/write still pass) and the gate (non-designated/cross-workspace/non-agency/JWT -> 403; neutralizing the target check goes red). NARROW - not the general capability-scope system. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-13 21:30:38 -05:00

Author

SHA1

Message

Date

ScreenTinker

40102b2b41

feat(api): agency portal endpoints + router.param target seam (#73 )

The agency capability behind the proven off-ladder/agencyGate primitive:
- agencyGate is now SCOPE-only at the mount; the per-target check is router.param
  ('playlistId') in routes/agency.js - it fires WITH the param before the handler, so no
  :playlistId route can skip it (drift-proof). A mount-level target check was silently
  bypassed (Express populates req.params only at route match); the integration bite-suite
  caught it - this is the fix.
- routes/agency.js: POST /content (shared ingest) + POST /playlists/:id/items (date-bounded
  #74/#75 item; lands as draft so the admin's re-publish is the approval gate).
- tokens.js: issue scope='agency' tokens bound to a non-empty in-workspace playlist
  allowlist (atomic); PUT /:id/targets re-designates (JWT-only -> can't self-widen).
- server.js: AGENCY_ROUTERS mounted bearerAuth + resolveTenancy + agencyGate.

Full bite-suite (test/agency.test.js) GREEN and re-proven to bite on the SHIPPING path:
neutralizing the router.param check makes non-designated->403 go red. Four assertions at
three seams: target (router.param), off-ladder (tokenScopeGate), can't-widen (tokens
JWT-only), issuance cross-workspace (create validation). 139 suite green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-13 22:48:42 -05:00

ScreenTinker

c8a24d2243

feat(api): agency-token security primitive - off-ladder scope + agencyGate (#73 )

The capability/target-restricted token model for the agency portal (#73 option B),
proven before any endpoint sits on it:
- 'agency' scope value is OFF the read/write/full ladder, so the existing tokenScopeGate
  rejects it on every public router by construction (auto-confinement, no new code).
- api_token_targets join table: which playlists an agency token may act on.
- agencyGate: THE single seam - agency-scope-only + (playlist in this token's allowlist
  AND in the bound workspace), one query enforcing target + cross-workspace isolation.
- AGENCY_ROUTERS category in config/api-surface.js (mounted with agencyGate, not
  tokenScopeGate) - declared; router/mount land with the endpoints.

Both bite-tested: spine (agency 403s on tokenScopeGate; read/write still pass) and the
gate (non-designated/cross-workspace/non-agency/JWT -> 403; neutralizing the target check
goes red). NARROW - not the general capability-scope system.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-13 21:30:38 -05:00

2 commits