From 01374375fb5617024ef4407ba33c9b204bf9439d Mon Sep 17 00:00:00 2001
From: alexpaynex <55271826-alexpaynex@users.noreply.replit.com>
Date: Thu, 19 Mar 2026 20:29:02 +0000
Subject: [PATCH] Update default access for new accounts to read-only

Modify the default access level for newly created accounts from "none" to "read" and clarify access semantics in relay-accounts.ts.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 418bf6f8-212b-4bb0-a7a5-8231a061da4e
Replit-Commit-Checkpoint-Type: full_checkpoint
Replit-Commit-Event-Id: 0a15bba0-45a8-4d39-960b-683e2568bd77
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/9f85e954-647c-46a5-90a7-396e495a805a/418bf6f8-212b-4bb0-a7a5-8231a061da4e/Q83Uqvu
Replit-Helium-Checkpoint-Created: true
---
 .../api-server/src/lib/relay-accounts.ts | 23 +++++++++++--------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/artifacts/api-server/src/lib/relay-accounts.ts b/artifacts/api-server/src/lib/relay-accounts.ts
index aac1c7a..88e0a96 100644
--- a/artifacts/api-server/src/lib/relay-accounts.ts
+++ b/artifacts/api-server/src/lib/relay-accounts.ts
@@ -2,19 +2,24 @@
  * relay-accounts.ts — Relay account whitelist + access management.
  *
  * Trust tier → access level defaults (env-overridable):
- * new → none (RELAY_ACCESS_NEW, default "none")
+ * new → read (RELAY_ACCESS_NEW, default "read")
  * established → write (RELAY_ACCESS_ESTABLISHED, default "write")
  * trusted → write (RELAY_ACCESS_TRUSTED, default "write")
  * elite → write (RELAY_ACCESS_ELITE, default "write")
  *
- * Only "write" access generates an "accept" from the relay policy.
- * "read" is reserved for future read-gated relays.
- * "none" = default deny.
+ * Access semantics:
+ * "write" → relay policy returns "accept" (active write access)
+ * "read" → relay policy returns "reject" (read-only; no write permitted)
+ * "none" → relay policy returns "reject" (default deny; no access)
  *
- * Revocation:
- * revoke() sets grantedBy = "manual-revoked". syncFromTrustTier() respects
- * this marker and will never auto-reinstate a manually revoked account.
- * Only an explicit admin grant() call can restore access after revocation.
+ * Revocation — grantedBy sentinel "manual-revoked":
+ * The base contract for grantedBy is "manual" | "auto-tier".
+ * revoke() additionally writes "manual-revoked" as a sentinel to prevent
+ * syncFromTrustTier() from auto-reinstating the account on the next trust
+ * update. This is intentional: admin revocation must be permanent until
+ * an explicit grant() call restores access. The sentinel is an internal
+ * implementation detail; callers should treat "manual-revoked" rows as
+ * revoked and must not try to grant access by reusing the sentinel value.
  */
 
 import { db, nostrIdentities, relayAccounts } from "@workspace/db";
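Review bot: The new "Access semantics" lines make "read" and "none" indistinguishable at the enforcement point (both return "reject"), so the header should say plainly that "read" grants no relay access today, otherwise the tier table two paragraphs up reads as if new accounts gained something; I would change the read line to `* "read" → relay policy returns "reject" (no read-gated relays exist yet; enforced identically to "none" today)`. The revocation paragraph also documents that revoke() writes a value ("manual-revoked") outside the declared grantedBy contract of "manual" | "auto-tier", which presumably compiles only through a cast or a wider DB column type — I cannot see the type from this hunk. Either widen the declared union to include the sentinel so every switch on grantedBy is checked exhaustively, or add one sentence here that consumers must fail closed: treat any grantedBy value other than "manual" or "auto-tier" as revoked/deny rather than as a live grant.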
@@ -33,7 +38,7 @@ function envAccess(name: string, fallback: RelayAccessLevel): RelayAccessLevel {
 }
 
 const TIER_ACCESS: Record = {
-  new: envAccess("RELAY_ACCESS_NEW", "none"),
+  new: envAccess("RELAY_ACCESS_NEW", "read"),
   established: envAccess("RELAY_ACCESS_ESTABLISHED", "write"),
   trusted: envAccess("RELAY_ACCESS_TRUSTED", "write"),
   elite: envAccess("RELAY_ACCESS_ELITE", "write"),
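Review bot: Changing the "new" tier default to "read" changes the stored access level for every newly synced account without changing enforcement, because the header comment in this same commit says "read" is rejected by the relay policy exactly like "none"; the effect is a pre-positioned grant that would switch on for the least-trusted tier automatically the day "read" starts producing an accept. Unless that is the intent, keep the untrusted tier at "none" and let operators opt in through RELAY_ACCESS_NEW, or at minimum pin the current behaviour next to the line: `new: envAccess("RELAY_ACCESS_NEW", "read"), // NOTE: "read" is still rejected by relay policy; re-review this default before enabling read-gated relays`. envAccess's body lies outside the hunk (only its signature is in the header), so I cannot confirm that an unrecognised or overly permissive override such as RELAY_ACCESS_NEW=write is validated or logged; if it is accepted silently, a startup warning when any tier default is raised above its built-in value would make that misconfiguration visible.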