admin: GetUsersData — system-token user lookup (id + name only)

A new system-token-authed admin RPC: resolves user ids to display names with NO
PII (email/phone), authorized by a shared system token alone (no actor). Lets
internal services label "who did this" (e.g. CMS content history) without the
end-user's credentials and without a vector to harvest contact info. Adds the
proto messages + the AdminClient::get_users_data wrapper.

VERSION

@@ -1 +1 @@
-0.2.2
+0.2.3

proto/st-peter-admin.proto

@@ -12,6 +12,10 @@ message Date {
 service AuthAdminService {
   rpc GetUser (GetUserRequest) returns (UserResponse);
   rpc GetUsers (GetUsersRequest) returns (UsersResponse);
+  // System-token-authed minimal lookup: id + display name ONLY (no PII).
+  // Auth is the shared system token alone (no actor) — internal services only,
+  // so viewing content (e.g. history) can't be used to harvest user info.
+  rpc GetUsersData (GetUsersDataRequest) returns (GetUsersDataResponse);
   rpc GetUsersByUsernames(GetUsersByUsernamesRequest) returns (UsersResponse);
   rpc DeleteUser (DeleteUserRequest) returns (OperationResponse);
   rpc RestoreUser (RestoreUserRequest) returns (OperationResponse);
@@ -306,6 +310,24 @@ message UsersResponse {
   repeated User users = 4;
 }
 
+// GetUsersData — system-token-only, returns the MINIMUM for display: id + a
+// resolved display name. Deliberately omits email/phone/PII so even a trusted
+// internal caller can't harvest contact info through it.
+message GetUsersDataRequest {
+  string system_token = 1;
+  repeated string user_ids = 2;
+}
+
+message UserData {
+  string id = 1;
+  string name = 2;
+}
+
+message GetUsersDataResponse {
+  bool success = 1;
+  repeated UserData users = 2;
+}
+
 message GetAssignableRolesRequest {
   string actor_id = 1;
   string actor_token = 2;

rust/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "st-peter-client"
-version = "0.2.2"
+version = "0.2.3"
 edition = "2021"
 description = "Official Rust client for st-peter (aura-users) — authentication over gRPC with a token-verify cache"
 repository = "https://git.awesomike.com/pub/st-peter-client"

rust/src/lib.rs

@@ -405,6 +405,28 @@ impl AdminClient {
         self.inner.clone()
     }
 
+    /// System-token user lookup — returns ONLY id + display name (no PII).
+    /// Authorizes on the shared `system_token` alone (no actor), so an internal
+    /// service can label "who did this" (e.g. content history) without the
+    /// end-user's credentials and without exposing contact info. The token must
+    /// be one registered in st-peter's `system-tokens`.
+    pub async fn get_users_data(
+        &self,
+        system_token: &str,
+        user_ids: Vec<String>,
+    ) -> Result<Vec<adminpb::UserData>> {
+        let resp = self
+            .inner
+            .clone()
+            .get_users_data(adminpb::GetUsersDataRequest {
+                system_token: system_token.to_string(),
+                user_ids,
+            })
+            .await?
+            .into_inner();
+        Ok(resp.users)
+    }
+
     /// Assign a role to a user — targeted when `target_id` is set (the
     /// multi-tenancy device: e.g. `cms-content-editor` for one organization),
     /// optionally time-bound via `expires_at`.