Gateway: allow operator admin scope for pairing and approvals

2026-05-12 14:01:12 +00:00 · 2026-02-21 19:37:04 -08:00
parent 68cb4fc8a1
commit 55d492b4cd
3 changed files with 34 additions and 6 deletions
--- a/src/shared/operator-scope-compat.test.ts
+++ b/src/shared/operator-scope-compat.test.ts
@@ -43,6 +43,33 @@ describe("roleScopesAllow", () => {
    ).toBe(true);
  });

+  it("treats operator.approvals/operator.pairing as satisfied by operator.admin", () => {
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: ["operator.approvals"],
+        allowedScopes: ["operator.admin"],
+      }),
+    ).toBe(true);
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: ["operator.pairing"],
+        allowedScopes: ["operator.admin"],
+      }),
+    ).toBe(true);
+  });
+
+  it("does not treat operator.admin as satisfying non-operator scopes", () => {
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: ["system.run"],
+        allowedScopes: ["operator.admin"],
+      }),
+    ).toBe(false);
+  });
+
  it("uses strict matching for non-operator roles", () => {
    expect(
      roleScopesAllow({