fix: tenant membership on ledger invite + service auth#1680
Merged
popmechanic merged 4 commits intoselem/docker-for-allfrom Mar 10, 2026
Merged
fix: tenant membership on ledger invite + service auth#1680popmechanic merged 4 commits intoselem/docker-for-allfrom
popmechanic merged 4 commits intoselem/docker-for-allfrom
Conversation
redeemInvite adds users to LedgerUsers but not TenantUsers for ledger invites. This test verifies that after redemption, the user has tenant membership and ensureCloudToken produces a valid token.
redeemInvite called addUserToLedger but not addUserToTenant for ledger invites. The cloud backend's ensureTenantLedger validation requires selected.tenant to be in the token's tenants array, which only includes tenants with a TenantUsers row.
Promotes svc to describe scope and adds SERVICE_API_KEY to test env. Adds two tests: valid service auth (fails - type not recognized) and wrong key rejection (passes with existing error behavior).
Adds ServiceApiToken with compound token format (key|providerUserId|email). Opt-in via SERVICE_API_KEY env var. Enables external services like the Deploy API to call inviteUser without an OIDC token. - ServiceApiToken class in core/protocols/dashboard/token.ts - "service" type added to DashAuthType union - "service" case in coercedVerifiedAuthUser - Tests: valid service auth + wrong key rejection
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
redeemInvite tenant fix: When redeeming a ledger invite, also add the user to the ledger's parent tenant via
addUserToTenant. Without this,ensureCloudTokenproduces a cloud token whereselected.tenantisn't intenants[], and the Cloud Backend rejects all data operations.Service auth: Add
ServiceApiTokenclass for machine-to-machine API calls. Uses compound token format (key|providerUserId|email). Opt-in viaSERVICE_API_KEYenv var. Needed by the VibesOS Deploy API to create Connect invites for public link sharing.Test plan
Note: Pre-existing failure in "email-invite auto-redeemed on ensureUser" is unrelated (MAX_MEMBER_USERS limit hit from other tests in the suite).