Gateway: align pairing scope checks for read access

2026-05-11 15:23:43 +00:00 · 2026-02-20 04:51:36 +00:00
parent 86f207adb0
commit 525d6e0671
8 changed files with 256 additions and 16 deletions
--- a/src/shared/operator-scope-compat.test.ts
+++ b/src/shared/operator-scope-compat.test.ts
@@ -0,0 +1,55 @@
+import { describe, expect, it } from "vitest";
+import { roleScopesAllow } from "./operator-scope-compat.js";
+
+describe("roleScopesAllow", () => {
+  it("treats operator.read as satisfied by read/write/admin scopes", () => {
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: ["operator.read"],
+        allowedScopes: ["operator.read"],
+      }),
+    ).toBe(true);
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: ["operator.read"],
+        allowedScopes: ["operator.write"],
+      }),
+    ).toBe(true);
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: ["operator.read"],
+        allowedScopes: ["operator.admin"],
+      }),
+    ).toBe(true);
+  });
+
+  it("keeps non-read operator scopes explicit", () => {
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: ["operator.write"],
+        allowedScopes: ["operator.admin"],
+      }),
+    ).toBe(false);
+  });
+
+  it("uses strict matching for non-operator roles", () => {
+    expect(
+      roleScopesAllow({
+        role: "node",
+        requestedScopes: ["system.run"],
+        allowedScopes: ["operator.admin", "system.run"],
+      }),
+    ).toBe(true);
+    expect(
+      roleScopesAllow({
+        role: "node",
+        requestedScopes: ["system.run"],
+        allowedScopes: ["operator.admin"],
+      }),
+    ).toBe(false);
+  });
+});