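// AccountService: account and role CRUD. All RPCs require admin role.
// CredentialService: Postgres credential management.

syntax = "proto3";

package mcias.v1;

import "mcias/v1/common.proto";

option go_package = "git.wntrmute.dev/mc/mcias/gen/mcias/v1;mciasv1";

// --- Account CRUD ---

// ListAccountsRequest carries no parameters.
message ListAccountsRequest {}

// ListAccountsResponse returns all accounts. Credential fields are absent.
message ListAccountsResponse {
  // Every account known to the service. There is no page token, so the
  // whole set is returned in one message.
  repeated Account accounts = 1;
}

// CreateAccountRequest specifies a new account to create.
message CreateAccountRequest {
  // Login name of the new account.
  string username = 1;
  // Required for human accounts. Security: never logged.
  string password = 2;
  // Closed vocabulary carried as a string: "human" or "system".
  // NOTE(review): under proto3 implicit presence "" is indistinguishable from
  // unset; the server should reject anything other than the two accepted
  // values. An enum would make the set explicit, but switching the wire type
  // of field 3 now would be a breaking change, so this stays a string.
  string account_type = 3;
}

// CreateAccountResponse returns the created account record.
message CreateAccountResponse {
  // The account as stored after creation.
  Account account = 1;
}

// GetAccountRequest identifies an account by UUID.
message GetAccountRequest {
  // Account UUID.
  string id = 1;
}

// GetAccountResponse returns the account record.
message GetAccountResponse {
  // The requested account.
  Account account = 1;
}

// UpdateAccountRequest updates mutable fields. Only non-empty fields are
// applied, so a field cannot be cleared through this message; an empty
// value always means "leave unchanged".
message UpdateAccountRequest {
  // Account UUID.
  string id = 1;
  // "active" or "inactive"; omit (empty) to leave unchanged.
  // NOTE(review): closed vocabulary as a string; the server should reject any
  // other value rather than store it.
  string status = 2;
}

// UpdateAccountResponse confirms the update.
message UpdateAccountResponse {}

// DeleteAccountRequest soft-deletes an account and revokes its tokens.
message DeleteAccountRequest {
  // Account UUID.
  string id = 1;
}

// DeleteAccountResponse confirms deletion.
message DeleteAccountResponse {}

// --- Role management ---

// GetRolesRequest identifies an account by UUID.
message GetRolesRequest {
  // Account UUID.
  string id = 1;
}

// GetRolesResponse lists the current roles.
message GetRolesResponse {
  // Role names currently assigned to the account.
  repeated string roles = 1;
}

// SetRolesRequest replaces the role set for an account.
message SetRolesRequest {
  // Account UUID.
  string id = 1;
  // The complete new role set.
  // NOTE(review): a repeated field has no presence, so an empty list is
  // indistinguishable from an omitted one; confirm whether the server treats
  // it as "clear all roles" or rejects it.
  repeated string roles = 2;
}

// SetRolesResponse confirms the update.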
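message SetRolesResponse {}

// GrantRoleRequest adds a single role to an account.
message GrantRoleRequest {
  // Account UUID.
  string id = 1;
  // Role name to add.
  string role = 2;
}

// GrantRoleResponse confirms the grant.
message GrantRoleResponse {}

// RevokeRoleRequest removes a single role from an account.
message RevokeRoleRequest {
  // Account UUID.
  string id = 1;
  // Role name to remove.
  string role = 2;
}

// RevokeRoleResponse confirms the revocation.
message RevokeRoleResponse {}

// AccountService manages accounts and roles. All RPCs require admin role.
service AccountService {
  // Returns every account; credential fields are absent from the result.
  rpc ListAccounts(ListAccountsRequest) returns (ListAccountsResponse);
  // Creates an account and returns the stored record.
  rpc CreateAccount(CreateAccountRequest) returns (CreateAccountResponse);
  // Fetches one account by UUID.
  rpc GetAccount(GetAccountRequest) returns (GetAccountResponse);
  // Applies the non-empty fields of the request to an existing account.
  rpc UpdateAccount(UpdateAccountRequest) returns (UpdateAccountResponse);
  // Soft-deletes an account and revokes its tokens.
  rpc DeleteAccount(DeleteAccountRequest) returns (DeleteAccountResponse);
  // Lists the roles currently assigned to an account.
  rpc GetRoles(GetRolesRequest) returns (GetRolesResponse);
  // Replaces an account's role set wholesale.
  rpc SetRoles(SetRolesRequest) returns (SetRolesResponse);
  // Adds a single role to an account.
  rpc GrantRole(GrantRoleRequest) returns (GrantRoleResponse);
  // Removes a single role from an account.
  rpc RevokeRole(RevokeRoleRequest) returns (RevokeRoleResponse);
}

// --- PG credentials ---

// GetPGCredsRequest identifies an account by UUID.
message GetPGCredsRequest {
  // Account UUID.
  string id = 1;
}

// GetPGCredsResponse returns decrypted Postgres credentials.
// Security: password is present only in this response; never in list output.
// Callers should treat the whole message as secret material and avoid
// logging or persisting it.
message GetPGCredsResponse {
  // Decrypted credentials for the account.
  PGCreds creds = 1;
}

// SetPGCredsRequest stores Postgres credentials for an account.
message SetPGCredsRequest {
  // Account UUID.
  string id = 1;
  // Credentials to store. Security: contains a password; never logged.
  PGCreds creds = 2;
}

// SetPGCredsResponse confirms the update.
message SetPGCredsResponse {}

// CredentialService manages Postgres credentials for system accounts.
// All RPCs require admin role.
service CredentialService {
  // Returns the decrypted credentials for an account.
  rpc GetPGCreds(GetPGCredsRequest) returns (GetPGCredsResponse);
  // Stores (replaces) the credentials for an account.
  rpc SetPGCreds(SetPGCredsRequest) returns (SetPGCredsResponse);
}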