Protected Registry Customer Management And Login
Protected Registry Customer Management And Login
Section titled “Protected Registry Customer Management And Login”This note captures the customer management and non-OIDC customer login layer for Protected Registry.
Current State
Section titled “Current State”Internal FractalOps users use OIDC.
FractalOps employee -> OIDC login -> package policy -> install | publish | build | deliverCustomers do not use FractalOps OIDC.
Customer -> customer_slug + package_name + version + grant_token -> POST /v1/packages/registry/customer-tokens/npm -> install-only short-lived npm token -> npm install <package>@<version>Implemented customer install and activation proof:
protected_registry_customersprotected_registry_customer_contactsprotected_registry_customer_entitlementsprotected_registry_customer_activation_codesprotected_registry_customer_sessionsprotected_registry_customer_devicesprotected_registry_customer_grantsPOST/GET/PUT /v1/packages/customers...POST /v1/packages/registry/customer-activationsGET /v1/packages/registry/customer-sessionPOST /v1/packages/registry/customer-tokens/npmPOST /v1/packages/registry/customer-logoutprotected-registry customer-activateprotected-registry customer-sessionprotected-registry customer-logoutprotected-registry customer-install <package>Desktop customer install formDesktop customer activation formNexus package/version claim enforcementGrant token install remains as a backward-compatible bridge. The preferred customer flow is activation code plus device/session, then package/version entitlement checks for each short-lived npm token.
Required Target
Section titled “Required Target”Company staff must be able to register customers and configure package entitlements for them.
Customers need a login or activation flow that does not require FractalOps OIDC.
Recommended target:
Company staff -> FractalOps OIDC -> create customer -> add customer contact/user -> configure package/version entitlements -> issue activation code
Customer -> Protected Registry Desktop -> enter activation code once -> device/session registered -> install entitled package versionsStaff Management Model
Section titled “Staff Management Model”Staff authentication remains FractalOps OIDC.
Staff authorization should use a dedicated customer administration action, not only broad project ownership.
Minimum roles:
customer_admincustomer_supportpackage_delivery_operatorRecommended permission split:
customer_admin -> create/update customers, contacts, entitlements, activationscustomer_support -> view customer state, reissue activation, revoke sessionspackage_delivery_operator -> create delivery bundles/grants for package versionsCustomer Records
Section titled “Customer Records”Required tables:
protected_registry_customersprotected_registry_customer_contactsprotected_registry_customer_entitlementsprotected_registry_customer_activation_codesprotected_registry_customer_sessionsprotected_registry_customer_devicesExisting table:
protected_registry_customer_grantsUse protected_registry_customer_grants as the current install-only bridge.
Longer term, split long-lived entitlement from one-time activation/session.
Customer Entitlement Shape
Section titled “Customer Entitlement Shape”Customer entitlement is version-level, not just package-level.
tenant_idcustomer_slugproject_slugpackage_namepackage_scopeallowed_versions[]allowed_dist_tags[]statusstarts_atexpires_atmax_downloadsmetadata_jsoncreated_byupdated_byRules:
customer can install only allowed package versionscustomer cannot publishcustomer cannot buildcustomer cannot create delivery bundles/grantsdisabled customer denies all customer sessions and token mintingexpired entitlement denies new npm tokensActivation Login
Section titled “Activation Login”Recommended customer login is activation code plus device/session.
First run:
1. Customer opens Protected Registry Desktop.2. Customer enters activation code.3. Desktop computes device_id.4. POST /v1/packages/registry/customer-activations5. Server validates activation code and entitlement.6. Server registers device/session.7. Server returns customer_session_token.8. Desktop stores customer_session_token in secure store.Subsequent install:
1. Desktop loads customer_session_token.2. Customer selects package/version.3. POST /v1/packages/registry/customer-tokens/npm4. Server checks customer session and package/version entitlement.5. Server returns short-lived npm token.6. Desktop writes temp .npmrc and runs package manager.7. Desktop deletes temp .npmrc.API Plan
Section titled “API Plan”Staff APIs:
POST /v1/packages/customersGET /v1/packages/customersGET /v1/packages/customers/{customer_slug}PUT /v1/packages/customers/{customer_slug}
POST /v1/packages/customers/{customer_slug}/contactsPUT /v1/packages/customers/{customer_slug}/entitlementsPOST /v1/packages/customers/{customer_slug}/activation-codesPOST /v1/packages/customers/{customer_slug}/revokeCustomer APIs:
POST /v1/packages/registry/customer-activationsGET /v1/packages/registry/customer-sessionPOST /v1/packages/registry/customer-tokens/npmPOST /v1/packages/registry/customer-logoutExisting customer token route should evolve:
current: customer_slug + package_name + version + grant_token
target: customer_session_token + package_name + versionDesktop Plan
Section titled “Desktop Plan”First screen should support two modes:
FractalOps staff loginCustomer activationStaff mode:
Login with FractalOpsPackagesBuildsDeliverySessionCustomer adminCustomer mode:
ActivateInstalled packagesInstall entitled packageRepair installSessionAfter customer install, Desktop must show usage guidance:
installed package/versionreinstall commandproject .npmrc routingdo not commit auth tokensrun Desktop again to refresh short-lived npm tokenProject .npmrc Policy
Section titled “Project .npmrc Policy”Persist registry routing in the customer project.
@yamon:registry=https://r.yamon.io/always-auth=truereplace-registry-host=alwaysDo not persist npm auth tokens in the project.
//r.yamon.io/:_authToken=<token>That token belongs only in a temp .npmrc or secure user-level flow.
Package Install Behavior
Section titled “Package Install Behavior”Customer install should run a package manager command:
npm install @yamon/example@1.4.2 --userconfig <temp .npmrc>pnpm add @yamon/example@1.4.2 --config.userconfig=<temp .npmrc>yarn add @yamon/example@1.4.2Default package manager behavior updates package.json.
Expected:
{ "dependencies": { "@yamon/example": "^1.4.2" }}If the customer deletes node_modules, project .npmrc keeps scoped packages
pointed at the protected registry. A fresh customer session/token is still
needed for install.
Security Boundaries
Section titled “Security Boundaries”Do:
hash activation codes and grant tokens at restuse short-lived npm tokensbind customer sessions to customer_slug and device_idrecord audit/evidence for activation and token mintingenforce package_name and package_version in JWT and Nexussupport session revokeDo not:
store raw grant_tokencommit npm auth token to project .npmrclet customer tokens publish/build/deliveruse URL hiding as securitylet package-level entitlement imply all versionsGrill Decisions
Section titled “Grill Decisions”Question 1: Should customers use FractalOps OIDC?
Recommended answer: No. Use activation code plus customer session. OIDC for customers creates account lifecycle and IdP support burden.
Question 2: Should activation code be reusable?
Recommended answer: Default one-time. Allow limited reuse only when
max_activations is explicitly set for a customer rollout.
Question 3: Should entitlement be package-level or version-level?
Recommended answer: Version-level. Package-level is too broad for customer delivery.
Question 4: Should project .npmrc contain auth tokens?
Recommended answer: No. Project .npmrc should contain registry routing only.
Auth tokens stay short-lived.
Question 5: Should customer session mint npm tokens directly?
Recommended answer: Yes, but only install tokens, only for entitled package versions, and only with short TTL.
Question 6: Should delivery mean customer install permission?
Recommended answer: No. delivery is internal permission to prepare customer
delivery artifacts and grants. Customer install is customer entitlement.
Implementation Status
Section titled “Implementation Status”Done:
customer/contact/entitlement/activation/session/device models and migrationstaff customer management APIs behind FractalOps OIDC/customer_admin guardcustomer activation/session/logout APIscustomer session token mint path for install-only npm tokensDesktop customer activation command and formDesktop customer install uses stored customer session before grant fallbackinstall guidance shows package/version, reinstall command, and .npmrc routingaudit events for customer upsert/contact/entitlement/activation/revoke/session logoutNexus tarball enforcement for package_version and allowed_versions claimsStill recommended:
dedicated Customer Admin UI for staff-side customer/contact/entitlement managementproject .npmrc writer/repair action instead of only showing guidanceNexus metadata filtering if version list leakage becomes a product concernAcceptance Criteria
Section titled “Acceptance Criteria”- Staff can create a customer.
- Staff can assign package/version entitlement to that customer.
- Staff can issue and revoke activation codes.
- Customer can activate without FractalOps OIDC.
- Customer session is stored in OS secure store.
- Customer can install only entitled package versions.
- Customer cannot publish/build/deliver.
node_modulesdelete plus reinstall still routes@yamon/*to protected registry.- Project
.npmrccontains no auth token. - Nexus denies tarball downloads outside
allowed_versions. - Customer logout/revoke blocks future npm token minting.