fix: report shared auth scopes in hello-ok (#67810) thanks @BunsDev

Co-authored-by: Val Alexander <bunsthedev@gmail.com>
2026-05-06 16:01:01 +00:00 · 2026-04-17 02:48:30 -05:00
parent 3ea1bf4232
commit 0b6c39be18
7 changed files with 80 additions and 14 deletions
--- a/docs/gateway/protocol.md
+++ b/docs/gateway/protocol.md
@@ -89,7 +89,21 @@ Gateway → Client:
 ```

 `server`, `features`, `snapshot`, and `policy` are all required by the schema
-(`src/gateway/protocol/schema/frames.ts`). `auth` and `canvasHostUrl` are optional.
+(`src/gateway/protocol/schema/frames.ts`). `canvasHostUrl` is optional. `auth`
+reports the negotiated role/scopes when available, and includes `deviceToken`
+when the gateway issues one.
+
+When no device token is issued, `hello-ok.auth` can still report the negotiated
+permissions:
+
+```json
+{
+  "auth": {
+    "role": "operator",
+    "scopes": ["operator.read", "operator.write"]
+  }
+}
+```

 When a device token is issued, `hello-ok` also includes: