@shamsharoondraftchecks…feat/route-level-key-permissions → master101 files · +1582 −444updated 1d agoReplaces the central scoped-key permission catalog with per-route declarations (PLEN-2649). Every createAuthRoute call whose authModes includes PROJECT_API_KEY must now declare projectKeyPermission: { preset, access } or 'scoped_keys_denied' — enforced at compile time (type union) and at module load (throw). Forgetting to catalog a route (the PLEN-2623 failure mode) becomes impossible by construction.
registry.ts — declarations registered at route creation, derived from config.path; match.ts reads the registry instead of the static catalogcatalog.ts shrinks to preset metadata only (dashboard surface unchanged)'scoped_keys_denied'app_router_route_permissions.ts, imported by their auth middlewaresfiles/upload/response.ts registers explicitly (dual-auth route: getAuthRouter accepts project keys but authModes documents ADMIN)createRPCToolRoute plumbs the option throughscripts/check-project-key-permissions.ts (pnpm check:key-permissions) auto-discovers all v3/v3.1 route modules and asserts registered grants exactly match the frozen route_permission_snapshot.jsonPOST /tools/scopes/required + POST /tools/get_scopes_required (v3 + v3.1): old catalog listed these as GET, but the routes are POST — the entries were dead and scoped keys were silently denied. Now granted tools:read as originally intended. Everything else is grant-for-grant identical (108 grants).pnpm check:key-permissions — 108 registered grants match the frozen snapshotpnpm check-types clean; oxlint/oxfmt clean on all changed filesgetAvailableToolkits.unit.test.ts otel mock drift, unrelated)🤖 Generated with Claude Code