feat: wire role-scoped device creds

2026-01-20 11:35:08 +00:00
parent dfbf6ac263
commit d8cc7db5e6
17 changed files with 633 additions and 26 deletions
--- a/docs/refactor/clawnet.md
+++ b/docs/refactor/clawnet.md
@@ -290,7 +290,7 @@ Same `deviceId` across roles → single “Instance” row:

 # Execution checklist (ship order)
 - [x] **Device‑bound auth (PoP):** nonce challenge + signature verify on connect; remove bearer‑only for non‑local.
- [ ] **Role‑scoped creds:** issue per‑role tokens, rotate, revoke, list; UI/CLI surfaced; audit log entries.
+- [x] **Role‑scoped creds:** issue per‑role tokens, rotate, revoke, list; UI/CLI surfaced; audit log entries.
 - [ ] **Scope enforcement:** keep paired scopes in sync on rotation; reject/upgrade flows explicit; tests.
 - [ ] **Approvals routing:** gateway‑hosted approvals; operator UI prompt/resolve; node stops prompting.
 - [ ] **TLS pinning for WS:** reuse bridge TLS runtime; discovery advertises fingerprint; client validation.