feat(broker+cli): apikey create/list/revoke verbs (v0.2.0 #71)

Issuance flow over WS for now (REST endpoints come next slice).
Plaintext secret returned ONCE on create — never recoverable.

- broker: 3 WS handlers (apikey_create/list/revoke), wire types in
  union, audit log on issuance + revoke
- ws-client: apiKeyCreate/List/Revoke with resolver maps, response
  dispatch
- CLI: claudemesh apikey create <label> [--cap a,b] [--topic c,d]
  [--expires ISO]; list shows status, scope, last-used; revoke by id
- policy: apikey create + revoke prompt by default (issuing or
  disabling a credential is meaningful)

Default capability set is "send,read" — least privilege for unscoped
keys (admin must explicitly opt-in).

Spec: .artifacts/specs/2026-05-02-v0.2.0-scope.md

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Alejandro Gutiérrez
2026-05-02 02:13:12 +01:00
parent f45380d231
commit 13d691980a
7 changed files with 350 additions and 0 deletions


@@ -77,6 +77,8 @@ export const DEFAULT_POLICY: Policy = {
{ resource: "sql", verb: "execute", decision: "prompt", reason: "raw SQL write to mesh DB" },
{ resource: "graph", verb: "execute", decision: "prompt", reason: "graph mutation" },
{ resource: "mesh", verb: "delete", decision: "prompt", reason: "deletes the mesh for everyone" },
{ resource: "apikey", verb: "create", decision: "prompt", reason: "issues a long-lived credential" },
{ resource: "apikey", verb: "revoke", decision: "prompt", reason: "irreversibly disables a credential" },
],
};
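Review bot: only `create` and `revoke` get an explicit `apikey` row here; `apikey` / `list` is not covered by this hunk, so its decision falls to whatever DEFAULT_POLICY does for an unmatched resource/verb pair, which is not visible in this diff. Since the commit message says `list` returns each key's status, scope and last-used time, the reviewer would want either an explicit row such as `{ resource: "apikey", verb: "list", decision: "allow", reason: "read-only enumeration of issued credentials" }` with the intended decision, or a comment stating that the fallback is deliberate, so the policy for the new resource is complete and readable in one place. A smaller point: the two new `reason` strings read well, but "issues a long-lived credential" is only accurate when no `--expires` is passed (the message adds that flag), so "issues a credential (long-lived unless --expires is set)" would match the CLI more closely.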