unibus

dataforge/unibus

Fork 0

Commit Graph

Author	SHA1	Message	Date
egutierrez	d64b0c052d	feat(membership): single-use invites + hard-delete in the Store (SQLite + KV) Add the data layer for WhatsApp-style accounts on the wallet model: the admin mints a single-use invitation link, the new user redeems it by publishing only its public keys, and the admin can hard-delete a user. - Invite type and lifecycle (invites.go): 32-byte crypto/rand hex token, 7-day default TTL, fail-closed expiry parsing. Methods CreateInvite/GetInvite/ ListInvites/ConsumeInvite/CancelInvite on both backends. ConsumeInvite is atomic and single-use: SQLite uses a transaction guarded by `used = 0`, the KV store uses a compare-and-swap on the entry revision (mark-first). Both burn the token on claim, so an already-registered key surfaces ErrUserExists with the invite spent — identical semantics across backends. - DeleteUser (users.go + jetstream_store.go): hard-delete of the allowlist row, distinct from RevokeUser's status flip. Room memberships of the ex-user are intentionally left inert (they can no longer authenticate); no partial cleanup. - Migration 003_invites.sql (root + embedded copy, byte-identical): additive `invites` table with audit columns, per db_migrations rules. - Store interface gains DeleteUser, CreateInvite, GetInvite, ListInvites, ConsumeInvite, CancelInvite. New UNIBUS_invites KV bucket. - Consistency fix: SQLite GetUser now maps sql.ErrNoRows to ErrNotFound, matching the KV backend and the storage-agnostic contract documented in store.go. - ValidateKexPubHex added alongside ValidateSignPubHex for /register key checks. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 22:14:25 +02:00
egutierrez	c5387028e0	feat(membership): add 002_users.sql migration and user CRUD store Bus-level user allowlist (issue 0001a): the authoritative directory of Ed25519 signing identities permitted to use the bus, independent of room membership. Migration is additive and mirrored byte-for-byte between the module-root migrations/ and the embedded pkg/membership/migrations/. Store adds AddUser/GetUser/ListUsers/RevokeUser/IsAuthorized/HasAdmin. IsAuthorized is the single fail-closed predicate both the control plane and the NATS data plane will consult, so revocation is a status flip that denies access on both without a restart. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-07 12:23:11 +02:00
agent	cd02a52191	feat: initial scaffold of unibus message bus (membership service + client lib + demo peers)	2026-06-03 19:47:32 +02:00

Author

SHA1

Message

Date

egutierrez

d64b0c052d

feat(membership): single-use invites + hard-delete in the Store (SQLite + KV)

Add the data layer for WhatsApp-style accounts on the wallet model: the admin
mints a single-use invitation link, the new user redeems it by publishing only
its public keys, and the admin can hard-delete a user.

- Invite type and lifecycle (invites.go): 32-byte crypto/rand hex token, 7-day
  default TTL, fail-closed expiry parsing. Methods CreateInvite/GetInvite/
  ListInvites/ConsumeInvite/CancelInvite on both backends. ConsumeInvite is
  atomic and single-use: SQLite uses a transaction guarded by `used = 0`, the KV
  store uses a compare-and-swap on the entry revision (mark-first). Both burn the
  token on claim, so an already-registered key surfaces ErrUserExists with the
  invite spent — identical semantics across backends.
- DeleteUser (users.go + jetstream_store.go): hard-delete of the allowlist row,
  distinct from RevokeUser's status flip. Room memberships of the ex-user are
  intentionally left inert (they can no longer authenticate); no partial cleanup.
- Migration 003_invites.sql (root + embedded copy, byte-identical): additive
  `invites` table with audit columns, per db_migrations rules.
- Store interface gains DeleteUser, CreateInvite, GetInvite, ListInvites,
  ConsumeInvite, CancelInvite. New UNIBUS_invites KV bucket.
- Consistency fix: SQLite GetUser now maps sql.ErrNoRows to ErrNotFound, matching
  the KV backend and the storage-agnostic contract documented in store.go.
- ValidateKexPubHex added alongside ValidateSignPubHex for /register key checks.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-07 22:14:25 +02:00

egutierrez

c5387028e0

feat(membership): add 002_users.sql migration and user CRUD store

Bus-level user allowlist (issue 0001a): the authoritative directory of
Ed25519 signing identities permitted to use the bus, independent of room
membership. Migration is additive and mirrored byte-for-byte between the
module-root migrations/ and the embedded pkg/membership/migrations/.

Store adds AddUser/GetUser/ListUsers/RevokeUser/IsAuthorized/HasAdmin.
IsAuthorized is the single fail-closed predicate both the control plane and
the NATS data plane will consult, so revocation is a status flip that denies
access on both without a restart.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

2026-06-07 12:23:11 +02:00

agent

cd02a52191

feat: initial scaffold of unibus message bus (membership service + client lib + demo peers)

2026-06-03 19:47:32 +02:00

3 Commits