From 7dcf97a2966c6bb43f23def3339dab3d2df93548 Mon Sep 17 00:00:00 2001
From: Padreug <padreug@aiolabs.dev>
Date: Fri, 19 Jun 2026 16:02:13 +0200
Subject: [PATCH] refactor(acl)(#27 review): remove dead reject-all sentinel
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

PR #27 review finding #3: step 3a queried SigningCondition method='*'
and the docstring attributed it to rejectAllRequestsFromKey — but that
function writes method=null (never '*') and has zero callers, so the
'reject all' branch could never match. Subject-level reject is already
KeyUser.revokedAt (step 2, via the revoke_user admin command).

Drop the dead step-3a branch and the orphaned rejectAllRequestsFromKey
so the code matches reality. Per-(method,kind) denies (step 3, written
by add_signing_condition) are unaffected.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 src/daemon/lib/acl/index.ts | 32 ++++----------------------------
 1 file changed, 4 insertions(+), 28 deletions(-)

diff --git a/src/daemon/lib/acl/index.ts b/src/daemon/lib/acl/index.ts
index d693e72..1c7912d 100644
--- a/src/daemon/lib/acl/index.ts
+++ b/src/daemon/lib/acl/index.ts
@@ -13,7 +13,6 @@ export { grantIsLive } from './lifecycle.js';
  *   1. fetch KeyUser; if missing → undefined (no binding exists)
  *   2. KeyUser.revokedAt set → false (subject-level ban beats everything)
  *   3. manual-override layer (LIVE SigningConditions only):
- *        - live explicit reject (method='*', allowed=false) → false
  *        - live matching per-(method,kind) deny → false
  *        - live matching per-(method,kind) grant → true
  *   4. live token grant: a redeemed Token bound to this KeyUser that is
@@ -56,16 +55,10 @@ export async function checkIfPubkeyAllowed(
 
     const live = liveWhere(now);
 
-    // Step 3a: live explicit reject.
-    const explicitReject = await prisma.signingCondition.findFirst({
-        where: { keyUserId: keyUser.id, method: '*', allowed: false, ...live },
-    });
-
-    if (explicitReject) {
-        return false;
-    }
-
-    // Step 3b: live matching per-(method, kind) override — deny beats grant.
+    // Step 3: live matching per-(method, kind) override — deny beats grant.
+    // (Subject-level "reject all from this user" is KeyUser.revokedAt, applied
+    // at step 2 via the revoke_user admin command. There is no method='*'
+    // SigningCondition sentinel — nothing writes one.)
     const signingConditionQuery = requestToSigningConditionQuery(method, payload);
 
     const liveDeny = await prisma.signingCondition.findFirst({
@@ -223,20 +216,3 @@ export async function allowAllRequestsFromKey(
         console.log('allowAllRequestsFromKey', e);
     }
 }
-
-export async function rejectAllRequestsFromKey(remotePubkey: string, keyName: string): Promise<void> {
-    // Upsert the KeyUser with the given remotePubkey
-    const upsertedUser = await prisma.keyUser.upsert({
-        where: { unique_key_user: { keyName, userPubkey: remotePubkey } },
-        update: { },
-        create: { keyName, userPubkey: remotePubkey },
-    });
-
-    // Create a new SigningCondition for the given KeyUser and set allowed to false
-    await prisma.signingCondition.create({
-        data: {
-            allowed: false,
-            keyUserId: upsertedUser.id,
-        },
-    });
-}