A new system-token-authed admin RPC: resolves user ids to display names with NO
PII (email/phone), authorized by a shared system token alone (no actor). Lets
internal services label "who did this" (e.g. CMS content history) without the
end-user's credentials and without a vector to harvest contact info. Adds the
proto messages + the AdminClient::get_users_data wrapper.
The service-credential seam: VerifyApiKey returns the key's owning
service user + roles (same AuthenticationResponse shape), so consumers
build their Ctx identically to a session. Cached ~60s per key,
namespaced away from token cache entries. Rust additionally wraps
CreateApiKey/ListApiKeys/RevokeApiKey. Versioning note: client patch
releases may lead the server within a minor line when only exposing
existing server surface.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
- Vendor st-peter-admin.proto (sync-protos.sh now syncs both; health.proto
remains excluded). Stubs generated for Rust/Go/TS.
- Rust: AdminClient — actor-credentialed wrappers over the admin surface
(assign_role/unassign_role with target + expiry, get_assignable_roles/
targets, get_user_with_roles, search_users, get_users_by_role,
create/delete/restore_user, get/clear_user_sessions), Actor type,
Error::Rejected for success=false responses, raw() escape hatch.
- All languages: verify_token_scoped(token, scopes) — roles filtered by
role_scopes (e.g. ["cms"]); cache keyed per (token, scopes) so filtered
and unfiltered verifications never share an entry. verify_token now
delegates to the scoped variant with no filter.
- README: shared-vs-local role rule replaces 'authorization local';
admin surface documented; examples bumped.
Tagged v0.2.1 in lockstep with the st-peter server line.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
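
The cache isolation described in the commit messages above (API-key entries namespaced away from token entries, token entries keyed per (token, scopes), roughly 60 s lifetime), sketched as an added example that is not code from the st-peter client. `CacheKey`, `VerifyCache`, the convention that an empty scope list means "no filter", and all sample tokens and role names are assumptions made for illustration.

```rust
use std::collections::{BTreeSet, HashMap};
use std::time::{Duration, Instant};

/// Hypothetical cache key (not the client's real type). The variant namespaces
/// API keys away from tokens; the scope filter is part of a token's key.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
enum CacheKey {
    Token { token: String, scopes: BTreeSet<String> },
    ApiKey(String),
}

impl CacheKey {
    /// Assumption: an empty scope list means "no filter". The set is sorted and
    /// de-duplicated, so ["cms", "crm"] and ["crm", "cms"] share one entry.
    fn token(token: &str, scopes: &[&str]) -> Self {
        let scopes = scopes.iter().map(|s| s.to_string()).collect();
        CacheKey::Token { token: token.to_string(), scopes }
    }
    fn api_key(key: &str) -> Self {
        CacheKey::ApiKey(key.to_string())
    }
}

/// Maps a key to (expiry, roles); the caller supplies `now` so expiry is testable.
struct VerifyCache {
    ttl: Duration,
    entries: HashMap<CacheKey, (Instant, Vec<String>)>,
}

impl VerifyCache {
    fn new(ttl: Duration) -> Self {
        VerifyCache { ttl, entries: HashMap::new() }
    }
    fn put(&mut self, key: CacheKey, roles: &[&str], now: Instant) {
        let roles = roles.iter().map(|r| r.to_string()).collect();
        self.entries.insert(key, (now + self.ttl, roles));
    }
    /// Returns the cached roles, or None (evicting the entry) once the TTL has passed.
    fn get(&mut self, key: &CacheKey, now: Instant) -> Option<Vec<String>> {
        let hit = self.entries.get(key).filter(|(exp, _)| now < *exp).map(|(_, r)| r.clone());
        if hit.is_none() {
            self.entries.remove(key);
        }
        hit
    }
}

fn main() {
    let (t0, mut cache) = (Instant::now(), VerifyCache::new(Duration::from_secs(60)));
    cache.put(CacheKey::token("tok-1", &[]), &["admin", "cms:editor"], t0); // constructed values
    // A scoped lookup for the same token misses instead of seeing unfiltered roles.
    println!("{:?}", cache.get(&CacheKey::token("tok-1", &["cms"]), t0));
}
```

A cache keyed on the raw credential string alone would let a scoped verification return the unfiltered role list cached by an earlier call, which is the collision the composite key rules out.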
Polyglot client for st-peter (aura-users) — Rust / Go / TypeScript, one
vendored auth proto, versioned in lockstep with the st-peter server (v0.2.0).
Mirrors waymaker-client's layout: proto/ + scripts/ + per-language packages.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>