fix(cli): #15 part 3 (fix-15b) — agentkeys scope command (#29)

* fix(cli): #15 part 3 (fix-15b) — agentkeys scope command

Closes part 3 of #15.

Adds `agentkeys scope <AGENT>` subcommand with `--add`/`--remove`/`--set`/`--list`
for editing a child agent's scope. Under the hood: new trait methods
`CredentialBackend::get_scope` + `update_scope` backed by a new mock-server
`PUT /session/scope` endpoint (owner-checked, updates all active sessions
for the target wallet).

Tests: 5 new CLI integration tests (list/add/remove/set/conflict). 62 total
tests across cli/core/mock-server, all green under --test-threads=1.

Minor: CommandContext::load_session made pub so integration tests can
access the current session token.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(cli/mock-server): #15b v2 — address codex P1+P2

Codex P1: update_scope handler allowed a master session to target its
own wallet, silently writing a restrictive scope_json onto the master's
session row. Subsequent credential/read calls would start failing for
services outside the accidental scope. Now rejects self-targeting with
a clear bad_request.

Codex P2 (URL encoding): cmd_scope's identity resolution built the
/identity/resolve query string via raw interpolation, breaking
aliases/emails with reserved characters ('+', '&', '=', '%', spaces).
Switched to reqwest's .query() builder which percent-encodes per RFC.

Codex P3 (--list exclusivity): --list now rejects combination with
--add/--remove/--set up front instead of silently dropping the mutation.

Deferred (tracked as follow-up): CBOR vs JSON parsing of ScopeChange
request_details in mint_scope_change_session — the scope CLI uses the
direct /session/scope endpoint, not the auth-request flow, so this
finding doesn't affect the CLI path. Will be addressed when
AuthRequest::ScopeChange approval is wired end-to-end.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(cli/mock-server): #29 v3 — claude P1+P2 review fixes after rebase

Post-rebase review (claude code-reviewer) flagged 3 P1 issues that map
directly to patterns in `.github/REVIEW_GUIDELINES.md`. All fixed in
this commit plus one P2 nit that was cheap.

**P1 — URL encoding via reqwest `.query()` on scope + list_credentials**
`get_scope` and `list_credentials` in `mock_client.rs` built queries with
raw `format!()` interpolation. Wallet strings with reserved characters
(`&`, `#`, `%`, `+`, spaces) would break the request or smuggle extra
params server-side. Switched both to `.get(self.url("/path")).query(&[...])`
so reqwest percent-encodes per RFC 3986. Same pattern as the fix on PR
#20 `aa0cc95` / PR #22 `ffdc908` / PR #29 `7aa9e70`.

**P1 — Case-insensitive self-target check in `update_scope`**
The self-target reject `session.wallet_address == target_wallet` was
string-equal, but the backend stores wallets in lowercase while EIP-55
checksummed input preserves case. A master passing its own wallet in
mixed-case form would bypass the self-target guard and silently
restrict its own scope (the exact failure the guard was designed to
prevent). Switched to `eq_ignore_ascii_case` matching the pattern
established in PR #18's self-revoke detection.

**P1 — Missing DENIED audit rows on scope endpoints**
`update_scope` and `get_session_scope` returned 403 on ownership
failure without inserting an audit row, breaking the
cross-agent-probing-visibility invariant established for
`list_credentials` / `read_credential` in PR #19. Added `'scope_update'
'DENIED'` and `'scope_read' 'DENIED'` inserts before the 403 return
in both handlers.

**P2 — `--add foo --remove foo` would no-op silently**
`cmd_scope` accepted combinations like `--add X --remove X`. The add
loop would push, then `retain(!remove.contains)` would cancel, and the
backend PUT would still fire with the original scope + misleading
"Scope updated" output. Added an up-front `add ∩ remove` check that
lists overlapping services and rejects.

**P2 — Narrow UPDATE to most-recent active session**
Write-side `update_scope` UPDATEd ALL active sessions for the target
wallet; read-side `get_session_scope` always returned the scope from
the most-recent session via `ORDER BY created_at DESC LIMIT 1`.
Read/write contract mismatched on wallets with multiple active
sessions (paired + recovered). Narrowed the UPDATE to use the same
ORDER/LIMIT subquery.

Test: cargo test -p agentkeys-core -p agentkeys-cli -p agentkeys-mock-server -- --test-threads=1
core: 22 passed; cli: 35 passed; mock-server: 56 passed

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix(cli/mock-server): #29 v4 — claude re-review nits (dead sort, pct_encode consistency, test coverage)

Follow-up on the claude-code-action re-review posted against commit
57dc9fb. All 3 substantive findings addressed; the 4th (malformed `/`
doc-comments) was a false positive from pre-rebase state — grep for
`^\s*/ ` returns nothing in the current tree.

**Low — Redundant `sort_by` after `update_scope`**
`lib.rs:769` was re-sorting `new_scope.services` after the backend
call returned, but both the `--set` branch (line 749) and the
`--add`/`--remove` branch (line 760) sort before the `update_scope`
call. Dead op; removed. Added a comment so a future reader doesn't
re-add it.

**Low — `InProcessBackend::get_scope` raw URL concat**
`test_client.rs:725` built the query string via `format!()` while the
`resolve_identity` method right above uses `pct_encode`. Wallet
strings are hex so this was safe in practice, but the inconsistency
violates the URL-encoding invariant documented in
`.github/REVIEW_GUIDELINES.md` pattern #3. Swapped to `pct_encode`.

**Low — Missing test for `--list + --add` conflict**
Added `cmd_scope_list_and_add_conflict_errors`. Also added
`cmd_scope_add_remove_overlap_errors` (covering the P2 overlap guard
from v3) that wasn't yet under test.

Test: cargo test -p agentkeys-core -p agentkeys-cli -p agentkeys-mock-server -- --test-threads=1
core: 22 passed; cli: 37 passed (+2 new); mock-server: 56 passed

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hanwencheng

crates/agentkeys-cli/src/lib.rs

@@ -3,7 +3,9 @@ use std::sync::Arc;
 use agentkeys_core::backend::{BackendError, CredentialBackend};
 use agentkeys_core::mock_client::MockHttpClient;
 pub use agentkeys_core::session_store;
-use agentkeys_types::{AuditEvent, AuditFilter, AuthToken, ServiceName, Session, WalletAddress};
+use agentkeys_types::{
+    AuditEvent, AuditFilter, AuthToken, Scope, ServiceName, Session, WalletAddress,
+};
 use anyhow::{anyhow, Context, Result};
 use serde_json::json;
 
@@ -68,7 +70,7 @@ impl CommandContext {
         self
     }
 
-    fn load_session(&self) -> Result<Session> {
+    pub fn load_session(&self) -> Result<Session> {
         if let Some(ref s) = self.session_override {
             return Ok(s.clone());
         }
@@ -629,6 +631,152 @@ pub async fn cmd_approve(ctx: &CommandContext, pair_code: &str, auto_yes: bool)
     Ok("Approved. Agent paired successfully.".to_string())
 }
 
+async fn resolve_agent_to_wallet(
+    ctx: &CommandContext,
+    session: &Session,
+    agent: &str,
+) -> Result<String> {
+    if agent.starts_with("0x") {
+        return Ok(agent.to_string());
+    }
+    // Resolve alias or email via /identity/resolve
+    let (identity_type, identity_value) = if agent.contains('@') {
+        ("email", agent)
+    } else {
+        ("alias", agent)
+    };
+    // reqwest's .query() builder percent-encodes per RFC 3986 so identities
+    // containing '+', '&', '=', '%', spaces (e.g. plus-addressed emails like
+    // "bot+prod@example.com") are sent intact to the server.
+    let http_client = reqwest::Client::new();
+    let resp = http_client
+        .get(format!("{}/identity/resolve", ctx.backend_url))
+        .query(&[("identity_type", identity_type), ("identity_value", identity_value)])
+        .header("authorization", format!("Bearer {}", session.token))
+        .send()
+        .await
+        .context("GET /identity/resolve")?;
+    if !resp.status().is_success() {
+        let status = resp.status();
+        let body: serde_json::Value = resp.json().await.unwrap_or(serde_json::Value::Null);
+        let msg = body["message"].as_str().unwrap_or("not found");
+        return Err(anyhow!("Error: HTTP {}: {}", status, msg));
+    }
+    let body: serde_json::Value = resp.json().await.context("parse identity/resolve response")?;
+    let wallet = body["wallet_address"]
+        .as_str()
+        .ok_or_else(|| anyhow!("identity/resolve returned no wallet_address"))?
+        .to_string();
+    Ok(wallet)
+}
+
+pub async fn cmd_scope(
+    ctx: &CommandContext,
+    agent: &str,
+    add: &[String],
+    remove: &[String],
+    set: Option<&str>,
+    list: bool,
+) -> Result<String> {
+    if set.is_some() && (!add.is_empty() || !remove.is_empty()) {
+        return Err(anyhow!(
+            "Error: --set is mutually exclusive with --add and --remove. Use one or the other."
+        ));
+    }
+
+    // --list is read-only. Combining it with mutating flags would silently
+    // drop the mutation (the --list early-return happens before the update
+    // path), so reject the combo up front with a clear error.
+    if list && (set.is_some() || !add.is_empty() || !remove.is_empty()) {
+        return Err(anyhow!(
+            "Error: --list is mutually exclusive with --add, --remove, and --set. Use --list alone to read the current scope."
+        ));
+    }
+
+    // `--add foo --remove foo` would silently no-op after mutation
+    // (retain after push cancels) yet still issue a backend write with a
+    // misleading "Scope updated" message. Reject up front (codex PR #29
+    // v2 P2).
+    if !add.is_empty() && !remove.is_empty() {
+        let add_set: std::collections::HashSet<&str> = add.iter().map(|s| s.as_str()).collect();
+        let overlap: Vec<&str> = remove
+            .iter()
+            .map(|s| s.as_str())
+            .filter(|s| add_set.contains(s))
+            .collect();
+        if !overlap.is_empty() {
+            return Err(anyhow!(
+                "Error: the following services appear in both --add and --remove: {}. Pass each service to only one flag.",
+                overlap.join(", ")
+            ));
+        }
+    }
+
+    if !list && set.is_none() && add.is_empty() && remove.is_empty() {
+        return Err(anyhow!(
+            "No action specified. Use --add, --remove, --set, or --list.\nRun `agentkeys scope --help` for usage."
+        ));
+    }
+
+    let session = ctx.load_session().context("load session (run `agentkeys init` first)")?;
+    let target_wallet = WalletAddress(resolve_agent_to_wallet(ctx, &session, agent).await?);
+    let backend = ctx.backend();
+
+    let current_scope = backend
+        .get_scope(&session, &target_wallet)
+        .await
+        .map_err(wrap_backend_error)?
+        .unwrap_or(Scope { services: vec![], read_only: false });
+
+    if list {
+        let service_names: Vec<&str> =
+            current_scope.services.iter().map(|s| s.0.as_str()).collect();
+        return Ok(format!(
+            "Scope for agent {}:\n  services: [{}]\n  read_only: {}",
+            target_wallet.0,
+            service_names.join(", "),
+            current_scope.read_only
+        ));
+    }
+
+    let mut new_scope = if let Some(set_val) = set {
+        let mut services: Vec<ServiceName> = set_val
+            .split(',')
+            .map(|s| s.trim())
+            .filter(|s| !s.is_empty())
+            .map(|s| ServiceName(s.to_string()))
+            .collect();
+        services.sort_by(|a, b| a.0.cmp(&b.0));
+        Scope { services, read_only: current_scope.read_only }
+    } else {
+        let mut services: Vec<ServiceName> = current_scope.services.clone();
+        for svc in add {
+            let name = ServiceName(svc.clone());
+            if !services.contains(&name) {
+                services.push(name);
+            }
+        }
+        services.retain(|s| !remove.contains(&s.0));
+        services.sort_by(|a, b| a.0.cmp(&b.0));
+        Scope { services, read_only: current_scope.read_only }
+    };
+
+    backend
+        .update_scope(&session, &target_wallet, &new_scope)
+        .await
+        .map_err(wrap_backend_error)?;
+
+    // `new_scope.services` is already sorted — both the --set branch
+    // (line 749) and the --add/--remove branch (line 760) sort before
+    // the update_scope call.
+    let service_names: Vec<&str> = new_scope.services.iter().map(|s| s.0.as_str()).collect();
+    Ok(format!(
+        "Scope updated for agent {}. New services: [{}]",
+        target_wallet.0,
+        service_names.join(", ")
+    ))
+}
+
 pub fn cmd_feedback() -> String {
     let url = "https://github.com/agentkeys/agentkeys/discussions";
     let opened = std::process::Command::new("open").arg(url).status().is_ok()

crates/agentkeys-cli/src/main.rs

@@ -1,6 +1,6 @@
 use agentkeys_cli::{
     cmd_approve, cmd_feedback, cmd_init, cmd_link, cmd_read, cmd_recover, cmd_revoke, cmd_run,
-    cmd_store, cmd_teardown, cmd_usage, CommandContext,
+    cmd_scope, cmd_store, cmd_teardown, cmd_usage, CommandContext,
 };
 
 
@@ -139,6 +139,23 @@ enum Commands {
         yes: bool,
     },
 
+    #[command(
+        about = "Edit or list the scope of a child agent",
+        long_about = "Add, remove, replace, or list the services in a child agent's scope.\n\nExamples:\n  agentkeys scope 0xAGENT --add openrouter\n  agentkeys scope 0xAGENT --remove anthropic\n  agentkeys scope 0xAGENT --set openrouter,anthropic\n  agentkeys scope 0xAGENT --list"
+    )]
+    Scope {
+        #[arg(help = "Agent wallet address, alias, or email")]
+        agent: String,
+        #[arg(long, help = "Add a service to the scope (repeatable)")]
+        add: Vec<String>,
+        #[arg(long, help = "Remove a service from the scope (repeatable)")]
+        remove: Vec<String>,
+        #[arg(long, help = "Replace the entire scope with a comma-separated list of services")]
+        set: Option<String>,
+        #[arg(long, help = "List the current scope without making changes")]
+        list: bool,
+    },
+
     #[command(
         about = "Open the feedback forum in your browser",
         long_about = "Open https://github.com/agentkeys/agentkeys/discussions in the default browser.\n\nExamples:\n  agentkeys feedback"
@@ -168,6 +185,9 @@ async fn main() {
         }
         Commands::Recover { identity, method } => cmd_recover(&ctx, identity, method).await,
         Commands::Approve { pair_code, yes } => cmd_approve(&ctx, pair_code, *yes).await,
+        Commands::Scope { agent, add, remove, set, list } => {
+            cmd_scope(&ctx, agent, add, remove, set.as_deref(), *list).await
+        }
         Commands::Feedback => Ok(cmd_feedback()),
     };