F151: Lens mint-endpoint + read-only write-guard#4
Merged
…ard (F151) Fleet mintEndpoint standard (cardmem F098.1 / F074.13): Lens mints a short-lived, read-only session on demand to capture authed surfaces — no long-lived prod cookie rotting on disk. cms uses custom JWT (jose/HS256), cookie cms-session, so the mint signs the same cookie shape cms's own getSession validates.

- src/app/api/lens-session/route.ts: POST mints a ~10-min cms-session JWT for lens@webhouse.app (role admin, claim lens:true) when Bearer == LENS_MINT_SECRET (else 401); returns a Playwright storageState. Cookie domain from Host header (never 0.0.0.0). GET → 405.
- proxy.ts: /api/lens-session is public (it mints the session); write-guard rejects any mutating method (POST/PUT/PATCH/DELETE) from a lens:true session with 403 — the read-only boundary (no-op for all real users).
- require-role.ts: getSiteRole returns the JWT role for sub "lens" (like dev/service tokens) so the lens principal renders every surface.

Plan-doc: docs/features/F151-lens-mint-endpoint.md (on main via cardmem).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
What
Implements the fleet mintEndpoint standard (cardmem F098.1 / F074.13) for cms (epic cms-F151, story cms-F151.1). Lens mints a short-lived, read-only session on demand to capture authed surfaces — no long-lived prod cookie rotting on disk.
How (cms = custom JWT / jose HS256)
- POST /api/lens-session — Authorization: Bearer <LENS_MINT_SECRET> → 401 on missing/wrong. On valid bearer, signs a ~10-min cms-session JWT for lens@webhouse.app (role admin, claim lens:true) with CMS_JWT_SECRET — the same cookie shape cms's own getSession validates (avoids the upmetrics false-green). Returns a Playwright storageState. Cookie domain from the Host header (never 0.0.0.0). GET → 405.
- proxy.ts — /api/lens-session is public (it mints the session, so it predates the cookie); write-guard rejects any mutating method (POST/PUT/PATCH/DELETE) from a lens:true session with 403. This is the read-only boundary — a no-op for every real user.
- require-role.ts — getSiteRole returns the JWT role for sub "lens" (like dev/service tokens) so the lens principal renders every surface (it has no team membership).

Rollout (after merge)

- openssl rand -hex 32 → LENS_MINT_SECRET: Fly secret on webhouse-app + gitignored .lens/mint-secret (same value).
- lens:true + ~10-min exp; write attempt with the minted cookie → 403.
- mintEndpoint is deferred for cms's localhost Lens (needs the secret in the dev server's env + a PM2 restart — not done unprompted; won't regress the current green storageState run).

Verification

tsc --noEmit: no new errors (my files clean; only the 12 pre-existing mcp/webhook-dispatch errors remain).

Plan-doc: docs/features/F151-lens-mint-endpoint.md (on main via cardmem). Contract: broberg-ai/cardmem/docs/LENS-MINT-ENDPOINT.md.

🤖 Generated with Claude Code