release: v0.1.25.7 — PATCH api-keys, Permission enum, spec polish, release prep#68
Merged
…TCH api-keys
Review feedback fixes:
1. Add 401 to all 36 auth-gated endpoints missing it (now 45/45)
2. Document webhook/event permissions as opt-in (not in defaults)
3. Clarify createApiKey is tenant-key only (admin key is server config)
4. Centralize FROZEN semantics: now includes funding block
5. Add PATCH /v1/admin/api-keys/{key_id} for updating permissions,
scope_filter, name, description, metadata without secret rotation
…ey guidance
Review feedback (4 items):
1. Extract reusable Permission enum schema — ApiKey, ApiKeyCreateRequest, and PATCH api-keys all use $ref. Add 400 to key update for invalid permission names.
2. Wildcard semantics (admin:read/admin:write) now documented in Permission schema description (normative, not just changelog).
3. Admin permissions on tenant keys: explicitly accepted for backward compat but SHOULD NOT be assigned to new keys.
4. 401 descriptions precise: 23 admin-only, 10 dual-auth, 12 tenant-only.
Schema header comment v0.1.25.6 → v0.1.25.7.
New endpoint allows updating permissions, scope_filter, name, description, metadata on existing API keys without rotating the secret. Immutable: tenant_id, key_id, key_prefix, expires_at, status.
- ApiKeyUpdateRequest DTO with @JsonIgnoreProperties(ignoreUnknown=false)
- ApiKeyRepository.update() with atomic Lua script (validates ACTIVE status)
- 404 not found, 409 on revoked/expired keys
- Emits api_key.permissions_changed only when permissions or scope_filter actually change (change detection via old vs new comparison)
- Audit logging with tenantId and keyId
- Spec: Permission enum extracted, 401 precision, wildcard docs normative
Tests: 405 → 412 (7 controller + 5 repository)
… $ref cleanup
Review feedback (4 items):
1. Fix parse-breaking orphan 401 between audit logs and dashboard section — moved into audit endpoint responses block
2. Full 401 wording sweep: all admin-only say "admin API key", tenant-only say "API key", dual-auth say "API key / admin key"
3. Replace admin:*:* (not a real enum value) with "granular admin permissions like admin:tenants:read"
4. Permission $ref now used in all schemas: ApiKeyCreateResponse, ApiKeyValidationResponse, EventDataApiKey (was plain string)
- Fix 3 duplicate "API key / admin key / admin key" descriptions (regression from previous script run)
- Fix introspectAuth 401: "API key / admin key" → "admin API key" (admin-only endpoint)
- Document AuthIntrospectResponse.permissions as plain string (not Permission ref) because admin returns ["*"] which is not an enum value
- Admin permissions on tenant keys: kept as SHOULD NOT (permissive, for backward compatibility) per reviewer acknowledgment
- listEvents 401: "API key / admin key" → "admin API key" (admin-only)
- replayEvents 401: same fix
- Permission schema: replace wildcard shorthand (reservations:*, budgets:*) with concrete permission names (reservations:create/commit/..., budgets:read/write)
- Also fixed orphan blank line before listEvents 401 block
- AUDIT.md: added final spec polish table (Permission enum, 401 precision, wildcard prose, introspect docs, PATCH 400)
- README: updated v0.1.25.7 changelog, added PATCH api-keys to endpoint table (3 → 4 API key operations)
- Docker tags: 0.1.25.6 → 0.1.25.7 in both prod compose files
Summary
Completes v0.1.25.7: PATCH api-keys implementation, reusable Permission enum, full spec polish pass, and release prep.
Changes
- New endpoint: PATCH /v1/admin/api-keys/{key_id}
  - api_key.permissions_changed only when permissions or scope_filter actually change
  - ApiKeyUpdateRequest DTO with @JsonIgnoreProperties(ignoreUnknown = false)
- Spec polish (review feedback)
  - $ref in all 6 permission array fields
  - reservations:* etc. with concrete permission names
  - admin:*:*
  - string[] (not Permission ref) — documented why
- Release prep
  - 0.1.25.6 → 0.1.25.7 (both prod compose files)
Test plan
- mvn verify — 412 tests, 0 failures, 95%+ coverage
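The update rules this PR describes for PATCH api-keys (strict request body that rejects unknown and immutable fields, permission names validated against the enum, 404 for a missing key, 409 for a revoked or expired one, and api_key.permissions_changed emitted only when permissions or scope_filter actually differ) are small enough to model end to end. The block below is an added illustration written for this page, not the project's Java code: it is a stand-alone Python model, and `ApiKeyStore`, `patch_status`, the field sets and the subset of Permission values are assumptions, while the status codes, the immutable field list and the change-detection rule follow the PR text.

```python
"""Model of the PATCH /v1/admin/api-keys/{key_id} update rules described in the PR.

Added illustration, not the project's code. ApiKeyStore, patch_status, the
field sets and the Permission values are assumptions; the 400/404/409
outcomes, the immutable fields and the change-detection rule follow the PR.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Any


class Permission(str, Enum):
    # Constructed subset of the enum: the PR names the reservations:* and
    # budgets:* families, the admin:read/admin:write wildcards and granular
    # admin permissions such as admin:tenants:read.
    RESERVATIONS_CREATE = "reservations:create"
    RESERVATIONS_COMMIT = "reservations:commit"
    BUDGETS_READ = "budgets:read"
    BUDGETS_WRITE = "budgets:write"
    ADMIN_READ = "admin:read"
    ADMIN_WRITE = "admin:write"
    ADMIN_TENANTS_READ = "admin:tenants:read"


# Fields PATCH may change. tenant_id, key_id, key_prefix, expires_at, status
# (and the secret itself) are immutable and rejected before any lookup.
PATCHABLE_FIELDS = {"permissions", "scope_filter", "name", "description", "metadata"}


class ApiError(Exception):
    def __init__(self, status: int, message: str) -> None:
        super().__init__(message)
        self.status = status


@dataclass
class ApiKey:
    key_id: str
    tenant_id: str
    status: str                       # "ACTIVE", "REVOKED" or "EXPIRED"
    permissions: list[str]
    scope_filter: dict[str, Any] | None = None
    name: str = ""
    description: str = ""
    metadata: dict[str, Any] = field(default_factory=dict)


@dataclass
class AuditEvent:
    event_type: str
    tenant_id: str
    key_id: str


class ApiKeyStore:
    """In-memory stand-in for the repository. A real store must perform the
    status check and the write atomically (the PR uses a Lua script for that)."""

    def __init__(self, keys: list[ApiKey]) -> None:
        self._keys = {k.key_id: k for k in keys}
        self.events: list[AuditEvent] = []

    def patch(self, key_id: str, body: dict[str, Any]) -> ApiKey:
        # 1. Strict body, mirroring @JsonIgnoreProperties(ignoreUnknown = false):
        #    an unknown or immutable field fails the whole request with 400
        #    instead of being silently dropped.
        unknown = set(body) - PATCHABLE_FIELDS
        if unknown:
            raise ApiError(400, f"unknown or immutable fields: {sorted(unknown)}")
        # 2. Every permission name must be a Permission enum value (400).
        if "permissions" in body:
            bad = sorted(set(body["permissions"]) - {p.value for p in Permission})
            if bad:
                raise ApiError(400, f"invalid permission names: {bad}")
        # 3. Target lookup: 404 if missing, 409 unless the key is ACTIVE.
        key = self._keys.get(key_id)
        if key is None:
            raise ApiError(404, f"api key {key_id} not found")
        if key.status != "ACTIVE":
            raise ApiError(409, f"api key {key_id} is {key.status}")
        # 4. Change detection on old vs new, before writing. Permissions are
        #    compared as sets so reordering the same grants is not a change.
        changed = (
            "permissions" in body and set(body["permissions"]) != set(key.permissions)
        ) or ("scope_filter" in body and body["scope_filter"] != key.scope_filter)
        for name, value in body.items():
            setattr(key, name, value)
        # 5. api_key.permissions_changed only when authorization changed; a
        #    rename or metadata edit stays out of the permission audit trail.
        if changed:
            self.events.append(AuditEvent("api_key.permissions_changed", key.tenant_id, key_id))
        return key


def patch_status(store: ApiKeyStore, key_id: str, body: dict[str, Any]) -> int:
    """Return the HTTP status the PATCH would produce (200 on success)."""
    try:
        store.patch(key_id, body)
        return 200
    except ApiError as exc:
        return exc.status


if __name__ == "__main__":
    # Constructed sample keys.
    store = ApiKeyStore([
        ApiKey("key_active", "tenant_a", "ACTIVE", ["budgets:read"]),
        ApiKey("key_revoked", "tenant_a", "REVOKED", ["budgets:read"]),
    ])
    print(patch_status(store, "key_active", {"name": "reporting"}))        # 200, no event
    print(patch_status(store, "key_active", {"permissions": ["budgets:write"]}))  # 200, event
    print(patch_status(store, "key_active", {"status": "ACTIVE"}))         # 400
    print(patch_status(store, "key_revoked", {"name": "x"}))               # 409
    print(len(store.events))                                               # 1
```

The ordering matters for what a caller can learn: body validation (steps 1 and 2) runs before the lookup, so a malformed request gets 400 whether or not the key exists, and only a well-formed request reveals 404 versus 409. The set comparison in step 4 is what keeps a no-op PATCH (same permissions, different order) from producing a misleading audit event.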