Update default access for new accounts to read-only

Modify the default access level for newly created accounts from "none" to "read" and clarify access semantics in relay-accounts.ts. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 418bf6f8-212b-4bb0-a7a5-8231a061da4e Replit-Commit-Checkpoint-Type: full_checkpoint Replit-Commit-Event-Id: 0a15bba0-45a8-4d39-960b-683e2568bd77 Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/9f85e954-647c-46a5-90a7-396e495a805a/418bf6f8-212b-4bb0-a7a5-8231a061da4e/Q83Uqvu Replit-Helium-Checkpoint-Created: true
2026-03-19 20:29:02 +00:00
parent 31a843a829
commit 01374375fb
1 changed files with 14 additions and 9 deletions
--- a/artifacts/api-server/src/lib/relay-accounts.ts
+++ b/artifacts/api-server/src/lib/relay-accounts.ts
@@ -2,19 +2,24 @@
 * relay-accounts.ts — Relay account whitelist + access management.
 *
 * Trust tier → access level defaults (env-overridable):
- *   new         → none  (RELAY_ACCESS_NEW,         default "none")
+ *   new         → read  (RELAY_ACCESS_NEW,         default "read")
 *   established → write (RELAY_ACCESS_ESTABLISHED,  default "write")
 *   trusted     → write (RELAY_ACCESS_TRUSTED,      default "write")
 *   elite       → write (RELAY_ACCESS_ELITE,        default "write")
 *
- * Only "write" access generates an "accept" from the relay policy.
- * "read" is reserved for future read-gated relays.
- * "none" = default deny.
+ * Access semantics:
+ *   "write" → relay policy returns "accept" (active write access)
+ *   "read"  → relay policy returns "reject" (read-only; no write permitted)
+ *   "none"  → relay policy returns "reject" (default deny; no access)
 *
- * Revocation:
- *   revoke() sets grantedBy = "manual-revoked". syncFromTrustTier() respects
- *   this marker and will never auto-reinstate a manually revoked account.
- *   Only an explicit admin grant() call can restore access after revocation.
+ * Revocation — grantedBy sentinel "manual-revoked":
+ *   The base contract for grantedBy is "manual" | "auto-tier".
+ *   revoke() additionally writes "manual-revoked" as a sentinel to prevent
+ *   syncFromTrustTier() from auto-reinstating the account on the next trust
+ *   update. This is intentional: admin revocation must be permanent until
+ *   an explicit grant() call restores access. The sentinel is an internal
+ *   implementation detail; callers should treat "manual-revoked" rows as
+ *   revoked and must not try to grant access by reusing the sentinel value.
 */

 import { db, nostrIdentities, relayAccounts } from "@workspace/db";
@@ -33,7 +38,7 @@ function envAccess(name: string, fallback: RelayAccessLevel): RelayAccessLevel {
 }

 const TIER_ACCESS: Record<TrustTier, RelayAccessLevel> = {
-  new:         envAccess("RELAY_ACCESS_NEW",         "none"),
+  new:         envAccess("RELAY_ACCESS_NEW",         "read"),
  established: envAccess("RELAY_ACCESS_ESTABLISHED",  "write"),
  trusted:     envAccess("RELAY_ACCESS_TRUSTED",      "write"),
  elite:       envAccess("RELAY_ACCESS_ELITE",        "write"),