This commit is contained in:
Dobromir Popov
2026-07-04 23:02:54 +02:00
parent de52ad7aa0
commit 69b0e726b8
13 changed files with 66 additions and 39 deletions

View File

@@ -4,7 +4,7 @@ Status: ready-for-agent
## What to build
Define and implement a **validator service token** distinct from client API keys and admin sessions. The validator process must authenticate when calling `POST /v1/billing/forfeit`; arbitrary Bearer strings and client API keys must be rejected.
Define and implement a **validator service token** distinct from client API keys and admin sessions. The validator process must authenticate when calling `POST /v1/billing/forfeit`; arbitrary Bearer strings and client API keys must be rejected. This is a checklist subtask for issue 02 and should normally land in the same PR as the unified auth middleware.
Per [ADR-0017 §4](../../docs/adr/0017-tracker-authentication-and-authorization.md): forfeit accepts **validator service identity or admin session** only.