feat: wire role-scoped device creds

2026-05-08 10:31:24 +00:00 · 2026-01-20 11:35:08 +00:00
parent dfbf6ac263
commit d8cc7db5e6
17 changed files with 633 additions and 26 deletions
--- a/src/gateway/server-methods/devices.ts
+++ b/src/gateway/server-methods/devices.ts
@@ -19,7 +19,9 @@ import {
 } from "../protocol/index.js";
 import type { GatewayRequestHandlers } from "./types.js";

-function redactPairedDevice(device: { tokens?: Record<string, DeviceAuthToken> } & Record<string, unknown>) {
+function redactPairedDevice(
+  device: { tokens?: Record<string, DeviceAuthToken> } & Record<string, unknown>,
+) {
  const { tokens, ...rest } = device;
  return {
    ...rest,
@@ -72,6 +74,9 @@ export const deviceHandlers: GatewayRequestHandlers = {
      respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "unknown requestId"));
      return;
    }
+    context.logGateway.info(
+      `device pairing approved device=${approved.device.deviceId} role=${approved.device.role ?? "unknown"}`,
+    );
    context.broadcast(
      "device.pair.resolved",
      {
@@ -79,7 +84,7 @@ export const deviceHandlers: GatewayRequestHandlers = {
        deviceId: approved.device.deviceId,
        decision: "approved",
        ts: Date.now(),
-        },
+      },
      { dropIfSlow: true },
    );
    respond(true, { requestId, device: redactPairedDevice(approved.device) }, undefined);
@@ -116,7 +121,7 @@ export const deviceHandlers: GatewayRequestHandlers = {
    );
    respond(true, rejected, undefined);
  },
-  "device.token.rotate": async ({ params, respond }) => {
+  "device.token.rotate": async ({ params, respond, context }) => {
    if (!validateDeviceTokenRotateParams(params)) {
      respond(
        false,
@@ -140,6 +145,9 @@ export const deviceHandlers: GatewayRequestHandlers = {
      respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "unknown deviceId/role"));
      return;
    }
+    context.logGateway.info(
+      `device token rotated device=${deviceId} role=${entry.role} scopes=${entry.scopes.join(",")}`,
+    );
    respond(
      true,
      {
@@ -152,7 +160,7 @@ export const deviceHandlers: GatewayRequestHandlers = {
      undefined,
    );
  },
-  "device.token.revoke": async ({ params, respond }) => {
+  "device.token.revoke": async ({ params, respond, context }) => {
    if (!validateDeviceTokenRevokeParams(params)) {
      respond(
        false,
@@ -172,6 +180,7 @@ export const deviceHandlers: GatewayRequestHandlers = {
      respond(false, undefined, errorShape(ErrorCodes.INVALID_REQUEST, "unknown deviceId/role"));
      return;
    }
+    context.logGateway.info(`device token revoked device=${deviceId} role=${entry.role}`);
    respond(
      true,
      { deviceId, role: entry.role, revokedAtMs: entry.revokedAtMs ?? Date.now() },
--- a/src/gateway/server-methods/types.ts
+++ b/src/gateway/server-methods/types.ts
@@ -8,6 +8,9 @@ import type { NodeRegistry } from "../node-registry.js";
 import type { ConnectParams, ErrorShape, RequestFrame } from "../protocol/index.js";
 import type { ChannelRuntimeSnapshot } from "../server-channels.js";
 import type { DedupeEntry } from "../server-shared.js";
+import type { createSubsystemLogger } from "../../logging/subsystem.js";
+
+type SubsystemLogger = ReturnType<typeof createSubsystemLogger>;

 export type GatewayClient = {
  connect: ConnectParams;
@@ -28,7 +31,7 @@ export type GatewayRequestContext = {
  getHealthCache: () => HealthSummary | null;
  refreshHealthSnapshot: (opts?: { probe?: boolean }) => Promise<HealthSummary>;
  logHealth: { error: (message: string) => void };
-  logGateway: { warn: (message: string) => void };
+  logGateway: SubsystemLogger;
  incrementPresenceVersion: () => number;
  getHealthVersion: () => number;
  broadcast: (