vultr/openclaw
1
0
Fork 0
mirror of https://github.com/openclaw/openclaw.git synced 2026-05-04 21:00:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: bound bootstrap handoff token scopes

Browse Source
This commit is contained in:
Peter Steinberger
2026-04-04 22:28:49 +09:00
parent 7c0752f834
commit 7d22a16adb
9 changed files with 127 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/shared/device-bootstrap-profile.ts
View File

@@ -10,11 +10,32 @@ export type DeviceBootstrapProfileInput = {
scopes?: readonly string[];
};
export const BOOTSTRAP_HANDOFF_OPERATOR_SCOPES = [
"operator.approvals",
"operator.read",
"operator.talk.secrets",
"operator.write",
] as const;
const BOOTSTRAP_HANDOFF_OPERATOR_SCOPE_SET = new Set<string>(BOOTSTRAP_HANDOFF_OPERATOR_SCOPES);
export const PAIRING_SETUP_BOOTSTRAP_PROFILE: DeviceBootstrapProfile = {
roles: ["node", "operator"],
scopes: ["operator.approvals", "operator.read", "operator.talk.secrets", "operator.write"],
scopes: [...BOOTSTRAP_HANDOFF_OPERATOR_SCOPES],
};
export function resolveBootstrapProfileScopesForRole(
role: string,
scopes: readonly string[],
): string[] {
const normalizedRole = normalizeDeviceAuthRole(role);
const normalizedScopes = normalizeDeviceAuthScopes(Array.from(scopes));
if (normalizedRole === "operator") {
return normalizedScopes.filter((scope) => BOOTSTRAP_HANDOFF_OPERATOR_SCOPE_SET.has(scope));
}
return [];
}
function normalizeBootstrapRoles(roles: readonly string[] | undefined): string[] {
if (!Array.isArray(roles)) {
return [];