refactor(gateway): extract connect and role policy logic

2026-05-08 14:38:25 +00:00 · 2026-02-21 19:47:17 +01:00
parent f97c45c5b5
commit 51149fcaf1
7 changed files with 342 additions and 157 deletions
--- a/src/gateway/server-methods.ts
+++ b/src/gateway/server-methods.ts
@@ -1,11 +1,8 @@
 import { formatControlPlaneActor, resolveControlPlaneActor } from "./control-plane-audit.js";
 import { consumeControlPlaneWriteBudget } from "./control-plane-rate-limit.js";
-import {
-  ADMIN_SCOPE,
-  authorizeOperatorScopesForMethod,
-  isNodeRoleMethod,
-} from "./method-scopes.js";
+import { ADMIN_SCOPE, authorizeOperatorScopesForMethod } from "./method-scopes.js";
 import { ErrorCodes, errorShape } from "./protocol/index.js";
+import { isRoleAuthorizedForMethod, parseGatewayRole } from "./role-policy.js";
 import { agentHandlers } from "./server-methods/agent.js";
 import { agentsHandlers } from "./server-methods/agents.js";
 import { browserHandlers } from "./server-methods/browser.js";
@@ -42,19 +39,17 @@ function authorizeGatewayMethod(method: string, client: GatewayRequestOptions["c
  if (method === "health") {
    return null;
  }
-  const role = client.connect.role ?? "operator";
+  const roleRaw = client.connect.role ?? "operator";
+  const role = parseGatewayRole(roleRaw);
+  if (!role) {
+    return errorShape(ErrorCodes.INVALID_REQUEST, `unauthorized role: ${roleRaw}`);
+  }
  const scopes = client.connect.scopes ?? [];
-  if (isNodeRoleMethod(method)) {
-    if (role === "node") {
-      return null;
-    }
+  if (!isRoleAuthorizedForMethod(role, method)) {
    return errorShape(ErrorCodes.INVALID_REQUEST, `unauthorized role: ${role}`);
  }
  if (role === "node") {
-    return errorShape(ErrorCodes.INVALID_REQUEST, `unauthorized role: ${role}`);
-  }
-  if (role !== "operator") {
-    return errorShape(ErrorCodes.INVALID_REQUEST, `unauthorized role: ${role}`);
+    return null;
  }
  if (scopes.includes(ADMIN_SCOPE)) {
    return null;