@abraca/dabra 2.5.0 → 2.6.0

package/dist/index.d.ts

@@ -821,6 +821,62 @@ declare class AbracadabraClient {
       role: string | null;
     }>;
   }>;
+  /**
+   * List `service`-role users (runners, demo seeders, automation
+   * identities). Requires Service role. Admins can see service users via
+   * `/admin/users` too but cannot mint or rotate them.
+   */
+  adminListServiceAccounts(): Promise<{
+    items: Array<{
+      id: string;
+      username: string;
+      public_key: string | null;
+      revoked: boolean;
+      display_name: string | null;
+    }>;
+  }>;
+  /**
+   * Create a new `service`-role user. When `public_key` is omitted the
+   * server generates a keypair and returns the private half in the
+   * response — show it to the operator **once** and discard; the server
+   * never persists it. Requires Service role.
+   */
+  adminCreateServiceAccount(body: {
+    username: string;
+    public_key?: string;
+  }): Promise<{
+    id: string;
+    username: string;
+    public_key: string;
+    role: string;
+    private_key?: string;
+  }>;
+  /**
+   * Rotate the active keypair on a service account. Old JWTs are
+   * invalidated; old device keys are marked revoked; the canonical
+   * `users.public_key` swaps to the new value. `users.id` stays put so
+   * existing permission rows keep matching. Returns the new pubkey (and
+   * private half when the server generated it). Requires Service role.
+   */
+  adminRotateServiceAccountKey(userId: string, body?: {
+    public_key?: string;
+  }): Promise<{
+    id: string;
+    public_key: string;
+    private_key?: string;
+  }>;
+  /**
+   * Lock a service account and revoke all of its device keys. Idempotent.
+   * Refuses targets whose `users.role` isn't `"service"`. Requires
+   * Service role.
+   */
+  adminRevokeServiceAccount(userId: string): Promise<void>;
+  /**
+   * Revoke a single device key on a user (any role). Bumps
+   * `tokens_invalid_before` so open WS sessions tied to the key must
+   * re-auth. Requires elevated role (Service or Admin@root).
+   */
+  adminRevokeDeviceKey(userId: string, keyId: string): Promise<void>;
   /**
    * Page through the audit log. Filters AND-combine; `limit` defaults to
    * 100 server-side. Requires elevated role.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@abraca/dabra",
-  "version": "2.5.0",
+  "version": "2.6.0",
   "description": "abracadabra provider",
   "keywords": [
     "abracadabra",
@@ -41,7 +41,7 @@
     "yjs": "^13.6.8"
   },
   "devDependencies": {
-    "@abraca/schema": "2.5.0"
+    "@abraca/schema": "2.6.0"
   },
   "scripts": {
     "test": "node --no-warnings --conditions=source --experimental-transform-types --test 'tests/*.test.ts'"

package/src/AbracadabraClient.ts

@@ -1194,6 +1194,84 @@ export class AbracadabraClient {
 		);
 	}
 
+	/**
+	 * List `service`-role users (runners, demo seeders, automation
+	 * identities). Requires Service role. Admins can see service users via
+	 * `/admin/users` too but cannot mint or rotate them.
+	 */
+	async adminListServiceAccounts(): Promise<{
+		items: Array<{
+			id: string;
+			username: string;
+			public_key: string | null;
+			revoked: boolean;
+			display_name: string | null;
+		}>;
+	}> {
+		return this.request("GET", "/admin/service-accounts");
+	}
+
+	/**
+	 * Create a new `service`-role user. When `public_key` is omitted the
+	 * server generates a keypair and returns the private half in the
+	 * response — show it to the operator **once** and discard; the server
+	 * never persists it. Requires Service role.
+	 */
+	async adminCreateServiceAccount(body: {
+		username: string;
+		public_key?: string;
+	}): Promise<{
+		id: string;
+		username: string;
+		public_key: string;
+		role: string;
+		private_key?: string;
+	}> {
+		return this.request("POST", "/admin/service-accounts", { body });
+	}
+
+	/**
+	 * Rotate the active keypair on a service account. Old JWTs are
+	 * invalidated; old device keys are marked revoked; the canonical
+	 * `users.public_key` swaps to the new value. `users.id` stays put so
+	 * existing permission rows keep matching. Returns the new pubkey (and
+	 * private half when the server generated it). Requires Service role.
+	 */
+	async adminRotateServiceAccountKey(
+		userId: string,
+		body: { public_key?: string } = {},
+	): Promise<{ id: string; public_key: string; private_key?: string }> {
+		return this.request(
+			"POST",
+			`/admin/service-accounts/${encodeURIComponent(userId)}/rotate-key`,
+			{ body },
+		);
+	}
+
+	/**
+	 * Lock a service account and revoke all of its device keys. Idempotent.
+	 * Refuses targets whose `users.role` isn't `"service"`. Requires
+	 * Service role.
+	 */
+	async adminRevokeServiceAccount(userId: string): Promise<void> {
+		await this.request(
+			"DELETE",
+			`/admin/service-accounts/${encodeURIComponent(userId)}`,
+		);
+	}
+
+	/**
+	 * Revoke a single device key on a user (any role). Bumps
+	 * `tokens_invalid_before` so open WS sessions tied to the key must
+	 * re-auth. Requires elevated role (Service or Admin@root).
+	 */
+	async adminRevokeDeviceKey(userId: string, keyId: string): Promise<void> {
+		await this.request(
+			"POST",
+			`/admin/users/${encodeURIComponent(userId)}/device-keys/${encodeURIComponent(keyId)}/revoke`,
+		);
+	}
+
 	/**
 	 * Page through the audit log. Filters AND-combine; `limit` defaults to
 	 * 100 server-side. Requires elevated role.