refactor(gateway): extract connect and role policy logic

src/gateway/role-policy.ts

@@ -0,0 +1,23 @@
+import { isNodeRoleMethod } from "./method-scopes.js";
+
+export const GATEWAY_ROLES = ["operator", "node"] as const;
+
+export type GatewayRole = (typeof GATEWAY_ROLES)[number];
+
+export function parseGatewayRole(roleRaw: unknown): GatewayRole | null {
+  if (roleRaw === "operator" || roleRaw === "node") {
+    return roleRaw;
+  }
+  return null;
+}
+
+export function roleCanSkipDeviceIdentity(role: GatewayRole, sharedAuthOk: boolean): boolean {
+  return role === "operator" && sharedAuthOk;
+}
+
+export function isRoleAuthorizedForMethod(role: GatewayRole, method: string): boolean {
+  if (isNodeRoleMethod(method)) {
+    return role === "node";
+  }
+  return role === "operator";
+}