mirror of
https://github.com/openclaw/openclaw.git
synced 2026-07-13 05:26:06 +00:00
* docs: document markdown marker renderer * docs: document rendered markdown chunking * docs: document markdown text chunking * docs: document shared text chunking * docs: document plugin text chunking exports * docs: document avatar policy constants * docs: document node match candidates * docs: document scoped expiring id cache * docs: document runtime import normalization * docs: document string sample summaries * docs: document session usage timeseries types * docs: document session usage response types * docs: document manifest frontmatter shapes * docs: document channel route input metadata * docs: document pair loop guard settings * docs: document migration config patch helpers * docs: document api provider registry * docs: document tool call repair payloads * docs: document plugin tool payload helpers * docs: document lazy promise loader * docs: document store writer queue state * docs: document thread binding lifecycle * docs: document concurrency helper contract * docs: document gateway client info contract * docs: document delivery context contracts * docs: document secret ref defaults contract * docs: document command gating contract * docs: document avatar policy contract * docs: document node match policy * docs: document message channel normalization * docs: document boolean parsing contract * docs: document zod parse helpers * docs: document direct dm guard policy * docs: document fixed window limiter contract * docs: document node presence event contract * docs: document secret normalization contract * docs: document progress draft line removal * docs: document usage formatting contracts * docs: document agent run status contract * docs: document runtime import helpers * docs: document provider utility ownership * docs: document invalid config helpers * docs: document json compat parser * docs: document channel config metadata ownership * docs: document channel logging helpers * docs: document sender identity validation ownership * docs: document string sampling helper * docs: document global singleton helpers * docs: document transcript tool helpers * docs: document exec safe-bin normalization * docs: document reaction level resolver * docs: document account snapshot redaction boundary * docs: document messaging target helpers * docs: document thread binding messages * docs: document conversation binding context * docs: document conversation resolution helper * docs: document owner display secret retention * docs: document provider request config types * docs: document skills config types * docs: document memory config types * docs: document imessage config types * docs: document crestodian config types * docs: document tools config policies * docs: document shared config base types * docs: document channel config contracts * docs: document openclaw config state types * docs: document model config contracts * docs: document shared agent config types * docs: document agent defaults config types * docs: document secret input contracts * docs: document auth config contracts * docs: document gateway config contracts * docs: document tool call stream repair contracts * docs: document memory host facades * docs: document llm core contracts * docs: document markdown core contracts * docs: document gateway connect error contracts * docs: document gateway protocol primitives * docs: document gateway frame schemas * docs: document gateway device schemas * docs: document gateway environment schemas * docs: document gateway push schemas * docs: document gateway plugin schemas * docs: document gateway artifact schemas * docs: document gateway command schemas * docs: document gateway task schemas * docs: document gateway exec approval schemas * docs: document gateway secret schemas * docs: document gateway config schemas * docs: document gateway snapshot schemas * docs: document gateway chat schemas * docs: document gateway wizard schemas * docs: document gateway node schemas * docs: document gateway plugin approval schemas * docs: document gateway talk schemas * docs: document gateway agent schemas * docs: document gateway session schemas * docs: document gateway cron schemas * docs: document gateway agent model skill schemas * docs: document gateway skill proposal tool schemas * docs: document gateway protocol registry * docs: document gateway channel status schemas * docs: document gateway schema regression tests * docs: document gateway schema barrel * docs: document gateway validator tests * docs: document gateway primitive push tests * docs: document gateway contract tests * docs: document native protocol guard * docs: document channel schema tests * docs: document gateway protocol smoke tests * docs: document gateway protocol entrypoint * docs: document gateway protocol type exports * docs: document gateway error codes * docs: document protocol schema registry * docs: document talk audio codec * docs: document talk activation names * docs: document talk consult questions * docs: document talk consult tool * docs: document talk run control contracts * docs: document talk run control adapter * docs: document talkback consult queue * docs: document talk consult transcript guard * docs: document talk fast context runtime * docs: document forced talk consult coordinator * docs: document talk output activity tracker * docs: document talk event metrics * docs: document talk diagnostics * docs: document talk observability hook * docs: document talk provider resolver * docs: document talk provider registry * docs: document talk runtime primitives * docs: document talk consult controller logs * docs: document channel identity helpers * docs: document channel account allowlist helpers * docs: document channel metadata draft controls * docs: document channel ingress policy * docs: document channel sender access gates * docs: document channel catalog message contracts * docs: document channel account plugin helpers * docs: document configured binding helpers * docs: document channel acp approval config helpers * docs: document channel bundled config write helpers * docs: document channel plugin utility contracts * docs: document channel config access helpers * docs: document channel message action helpers * docs: document channel outbound runtime helpers * docs: document channel pairing promotion helpers * docs: document channel registry helpers * docs: document channel setup wizard helpers * docs: document channel lifecycle status helpers * docs: document channel target thread helpers * docs: document channel session binding helpers * docs: document channel package module probes * docs: document channel setup wizard contracts * docs: document channel plugin API barrels * docs: document channel contract test helpers * docs: document channel core helpers * docs: document small core facades * docs: document provider runtime helpers * docs: document persistence and realtime helpers * docs: document mcp and state helpers * docs: document tool planner contracts * docs: document music generation runtime * docs: document crestodian command flow * docs: document utility helpers * docs: document node host helpers * docs: document transcript contracts * docs: document trajectory export contracts * docs: document image generation contracts * docs: document routing helper contracts * docs: document session helper contracts * docs: document video generation contracts * docs: document model catalog contracts * docs: document proxy capture contracts * docs: document status rendering contracts * docs: document test helper contracts * docs: document wizard setup contracts * docs: document process contracts * docs: document memory host sdk contracts * docs: document tts contracts * docs: document secrets runtime contracts * docs: document shared helper contracts * docs: document hook runtime contracts * docs: document security audit contracts * docs: document flow contracts * docs: document media understanding contracts * docs: document tui contracts * docs: document logging contracts * docs: document llm contracts * docs: document cron contracts * docs: document daemon contracts * docs: document task contracts * docs: document acp contracts * docs: document test utility contracts * docs: document skill contracts * docs: document config contracts * docs: document outbound infra contracts * docs: document command analysis contracts * docs: document provider usage infra contracts * docs: document file safety infra contracts * docs: document exec approval infra contracts * docs: document gateway runtime infra contracts * docs: document infra utility contracts * docs: document infra queue storage contracts * docs: document heartbeat infra contracts * docs: document remaining infra contracts * docs: document gateway auth contracts * docs: document gateway display helpers * docs: document gateway http helpers * docs: document gateway node helpers * docs: document gateway mcp helpers * docs: document gateway support helpers * docs: document gateway server runtime helpers * docs: document gateway runtime bootstrap helpers * docs: document gateway session events * docs: document gateway utility helpers * docs: document gateway talk helpers * docs: document gateway helper contracts * docs: document gateway server method helpers * docs: document gateway server auth helpers * docs: document gateway server tests * docs: document gateway test helpers * docs: document gateway node tests * docs: document gateway channel tests * docs: document gateway session tests * docs: document gateway server startup tests * docs: document gateway tool test helpers * docs: document gateway server test helpers * docs: document gateway server method tests * docs: document remaining gateway tests * docs: document plugin sdk public subpaths * docs: document plugin sdk runtime helpers * docs: document plugin sdk memory provider helpers * docs: document plugin sdk runtime facades * docs: document plugin sdk command approval helpers * docs: document plugin sdk runtime types * docs: document plugin sdk browser account helpers * docs: document plugin sdk media memory helpers * docs: document plugin sdk core tests * docs: document plugin sdk contract helpers * docs: document plugin sdk test helpers * docs: document remaining plugin sdk tests * docs: document cli utility helpers * docs: document cli runtime helpers * docs: document cli command registration helpers * docs: document node cli helpers * docs: document cli program registration * docs: document message cli registration * docs: document daemon cli helpers * docs: document cli route parsers
434 lines
15 KiB
TypeScript
434 lines
15 KiB
TypeScript
/**
|
|
* Gateway method-scope policy tests.
|
|
*/
|
|
import { afterEach, describe, expect, it } from "vitest";
|
|
import { createEmptyPluginRegistry } from "../plugins/registry-empty.js";
|
|
import { setActivePluginRegistry } from "../plugins/runtime.js";
|
|
import {
|
|
authorizeOperatorScopesForMethod,
|
|
isGatewayMethodClassified,
|
|
resolveLeastPrivilegeOperatorScopesForMethod,
|
|
} from "./method-scopes.js";
|
|
import { createPluginGatewayMethodDescriptor } from "./methods/registry.js";
|
|
import { listGatewayMethods } from "./server-methods-list.js";
|
|
import { coreGatewayHandlers } from "./server-methods.js";
|
|
import type { GatewayRequestHandler } from "./server-methods/types.js";
|
|
|
|
const RESERVED_ADMIN_PLUGIN_METHOD = "config.plugin.inspect";
|
|
const pluginHandler: GatewayRequestHandler = ({ respond }) => respond(true, {});
|
|
|
|
function setPluginGatewayMethodScope(
|
|
method: string,
|
|
scope: "operator.read" | "operator.write" | "operator.admin",
|
|
) {
|
|
const registry = createEmptyPluginRegistry();
|
|
registry.gatewayHandlers[method] = pluginHandler;
|
|
registry.gatewayMethodDescriptors.push(
|
|
createPluginGatewayMethodDescriptor({
|
|
pluginId: "test",
|
|
name: method,
|
|
handler: pluginHandler,
|
|
scope,
|
|
}),
|
|
);
|
|
setActivePluginRegistry(registry);
|
|
}
|
|
|
|
afterEach(() => {
|
|
setActivePluginRegistry(createEmptyPluginRegistry());
|
|
});
|
|
|
|
describe("method scope resolution", () => {
|
|
it.each([
|
|
["sessions.resolve", ["operator.read"]],
|
|
["tasks.list", ["operator.read"]],
|
|
["tasks.get", ["operator.read"]],
|
|
["config.schema.lookup", ["operator.read"]],
|
|
["sessions.create", ["operator.write"]],
|
|
["sessions.send", ["operator.write"]],
|
|
["sessions.abort", ["operator.write"]],
|
|
["tasks.cancel", ["operator.write"]],
|
|
["tools.invoke", ["operator.write"]],
|
|
["sessions.messages.subscribe", ["operator.read"]],
|
|
["sessions.messages.unsubscribe", ["operator.read"]],
|
|
["environments.list", ["operator.read"]],
|
|
["environments.status", ["operator.read"]],
|
|
["diagnostics.stability", ["operator.read"]],
|
|
["node.pair.approve", ["operator.pairing"]],
|
|
["poll", ["operator.write"]],
|
|
["talk.client.create", ["operator.write"]],
|
|
["talk.client.toolCall", ["operator.write"]],
|
|
["talk.client.steer", ["operator.write"]],
|
|
["talk.session.create", ["operator.write"]],
|
|
["talk.session.join", ["operator.write"]],
|
|
["talk.session.appendAudio", ["operator.write"]],
|
|
["talk.session.startTurn", ["operator.write"]],
|
|
["talk.session.endTurn", ["operator.write"]],
|
|
["talk.session.cancelTurn", ["operator.write"]],
|
|
["talk.session.cancelOutput", ["operator.write"]],
|
|
["talk.session.submitToolResult", ["operator.write"]],
|
|
["talk.session.steer", ["operator.write"]],
|
|
["talk.session.close", ["operator.write"]],
|
|
["update.status", ["operator.admin"]],
|
|
["config.schema", ["operator.admin"]],
|
|
["config.patch", ["operator.admin"]],
|
|
["nativeHook.invoke", ["operator.admin"]],
|
|
["wizard.start", ["operator.admin"]],
|
|
["update.run", ["operator.admin"]],
|
|
["exec.approvals.get", ["operator.admin"]],
|
|
["exec.approvals.set", ["operator.admin"]],
|
|
["exec.approvals.node.get", ["operator.admin"]],
|
|
["exec.approvals.node.set", ["operator.admin"]],
|
|
])("resolves least-privilege scopes for %s", (method, expected) => {
|
|
expect(resolveLeastPrivilegeOperatorScopesForMethod(method)).toEqual(expected);
|
|
});
|
|
|
|
it("leaves node-only pending drain outside operator scopes", () => {
|
|
expect(resolveLeastPrivilegeOperatorScopesForMethod("node.pending.drain")).toStrictEqual([]);
|
|
});
|
|
|
|
it("classifies plugin session actions with a CLI-safe default operator scope", () => {
|
|
expect(resolveLeastPrivilegeOperatorScopesForMethod("plugins.sessionAction")).toEqual([
|
|
"operator.write",
|
|
]);
|
|
expect(isGatewayMethodClassified("plugins.sessionAction")).toBe(true);
|
|
expect(authorizeOperatorScopesForMethod("plugins.sessionAction", ["operator.read"])).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.write",
|
|
});
|
|
});
|
|
|
|
it("derives least-privilege scopes from registered plugin session action params", () => {
|
|
const registry = createEmptyPluginRegistry();
|
|
registry.sessionActions = [
|
|
{
|
|
pluginId: "scope-plugin",
|
|
pluginName: "Scope Plugin",
|
|
source: "test",
|
|
action: {
|
|
id: "approve",
|
|
requiredScopes: ["operator.approvals"],
|
|
handler: () => ({ result: { ok: true } }),
|
|
},
|
|
},
|
|
{
|
|
pluginId: "scope-plugin",
|
|
pluginName: "Scope Plugin",
|
|
source: "test",
|
|
action: {
|
|
id: "view",
|
|
requiredScopes: ["operator.read"],
|
|
handler: () => ({ result: { ok: true } }),
|
|
},
|
|
},
|
|
{
|
|
pluginId: "scope-plugin",
|
|
pluginName: "Scope Plugin",
|
|
source: "test",
|
|
action: {
|
|
id: "default-write",
|
|
handler: () => ({ result: { ok: true } }),
|
|
},
|
|
},
|
|
];
|
|
setActivePluginRegistry(registry);
|
|
|
|
expect(
|
|
resolveLeastPrivilegeOperatorScopesForMethod("plugins.sessionAction", {
|
|
pluginId: "scope-plugin",
|
|
actionId: "approve",
|
|
}),
|
|
).toEqual(["operator.approvals"]);
|
|
expect(
|
|
resolveLeastPrivilegeOperatorScopesForMethod("plugins.sessionAction", {
|
|
pluginId: " scope-plugin ",
|
|
actionId: " view ",
|
|
}),
|
|
).toEqual(["operator.read"]);
|
|
expect(
|
|
resolveLeastPrivilegeOperatorScopesForMethod("plugins.sessionAction", {
|
|
pluginId: "scope-plugin",
|
|
actionId: "default-write",
|
|
}),
|
|
).toEqual(["operator.write"]);
|
|
expect(
|
|
resolveLeastPrivilegeOperatorScopesForMethod("plugins.sessionAction", {
|
|
pluginId: "scope-plugin",
|
|
actionId: "missing",
|
|
}),
|
|
).toEqual([
|
|
"operator.admin",
|
|
"operator.read",
|
|
"operator.write",
|
|
"operator.approvals",
|
|
"operator.pairing",
|
|
"operator.talk.secrets",
|
|
]);
|
|
expect(
|
|
authorizeOperatorScopesForMethod("plugins.sessionAction", ["operator.approvals"], {
|
|
pluginId: "scope-plugin",
|
|
actionId: "approve",
|
|
}),
|
|
).toEqual({ allowed: true });
|
|
expect(
|
|
authorizeOperatorScopesForMethod("plugins.sessionAction", ["operator.write"], {
|
|
pluginId: "scope-plugin",
|
|
actionId: "approve",
|
|
}),
|
|
).toEqual({ allowed: false, missingScope: "operator.approvals" });
|
|
});
|
|
|
|
it("falls back to broad operator scopes when a dynamic session action is not locally registered", () => {
|
|
expect(
|
|
resolveLeastPrivilegeOperatorScopesForMethod("plugins.sessionAction", {
|
|
pluginId: "remote-plugin",
|
|
actionId: "approve",
|
|
}),
|
|
).toEqual([
|
|
"operator.admin",
|
|
"operator.read",
|
|
"operator.write",
|
|
"operator.approvals",
|
|
"operator.pairing",
|
|
"operator.talk.secrets",
|
|
]);
|
|
});
|
|
|
|
it("returns empty scopes for unknown methods", () => {
|
|
expect(resolveLeastPrivilegeOperatorScopesForMethod("totally.unknown.method")).toStrictEqual(
|
|
[],
|
|
);
|
|
});
|
|
|
|
it("reads plugin-registered gateway method scopes from the active plugin registry", () => {
|
|
const registry = createEmptyPluginRegistry();
|
|
registry.gatewayHandlers["browser.request"] = pluginHandler;
|
|
registry.gatewayMethodDescriptors.push(
|
|
createPluginGatewayMethodDescriptor({
|
|
pluginId: "browser",
|
|
name: "browser.request",
|
|
handler: pluginHandler,
|
|
scope: "operator.admin",
|
|
}),
|
|
);
|
|
setActivePluginRegistry(registry);
|
|
|
|
expect(resolveLeastPrivilegeOperatorScopesForMethod("browser.request")).toEqual([
|
|
"operator.admin",
|
|
]);
|
|
});
|
|
|
|
it("keeps reserved admin namespaces admin-only even if a plugin scope is narrower", () => {
|
|
setPluginGatewayMethodScope(RESERVED_ADMIN_PLUGIN_METHOD, "operator.read");
|
|
|
|
expect(resolveLeastPrivilegeOperatorScopesForMethod(RESERVED_ADMIN_PLUGIN_METHOD)).toEqual([
|
|
"operator.admin",
|
|
]);
|
|
});
|
|
});
|
|
|
|
describe("operator scope authorization", () => {
|
|
it.each([
|
|
["health", ["operator.read"], { allowed: true }],
|
|
["health", ["operator.write"], { allowed: true }],
|
|
["config.schema.lookup", ["operator.read"], { allowed: true }],
|
|
["config.schema", ["operator.read"], { allowed: false, missingScope: "operator.admin" }],
|
|
["config.patch", ["operator.admin"], { allowed: true }],
|
|
])("authorizes %s for scopes %j", (method, scopes, expected) => {
|
|
expect(authorizeOperatorScopesForMethod(method, scopes)).toEqual(expected);
|
|
});
|
|
|
|
it("requires operator.write for write methods", () => {
|
|
expect(authorizeOperatorScopesForMethod("send", ["operator.read"])).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.write",
|
|
});
|
|
});
|
|
|
|
it("allows operator.write clients to use unified Talk sessions", () => {
|
|
for (const method of [
|
|
"talk.client.create",
|
|
"talk.client.toolCall",
|
|
"talk.client.steer",
|
|
"talk.session.create",
|
|
"talk.session.join",
|
|
"talk.session.appendAudio",
|
|
"talk.session.startTurn",
|
|
"talk.session.endTurn",
|
|
"talk.session.cancelTurn",
|
|
"talk.session.cancelOutput",
|
|
"talk.session.submitToolResult",
|
|
"talk.session.steer",
|
|
"talk.session.close",
|
|
]) {
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.write"])).toEqual({
|
|
allowed: true,
|
|
});
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.read"])).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.write",
|
|
});
|
|
}
|
|
});
|
|
|
|
it("requires admin for browser.request", () => {
|
|
setPluginGatewayMethodScope("browser.request", "operator.admin");
|
|
|
|
expect(authorizeOperatorScopesForMethod("browser.request", ["operator.write"])).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.admin",
|
|
});
|
|
expect(authorizeOperatorScopesForMethod("browser.request", ["operator.admin"])).toEqual({
|
|
allowed: true,
|
|
});
|
|
});
|
|
|
|
it("requires pairing scope for node pairing approvals", () => {
|
|
expect(authorizeOperatorScopesForMethod("node.pair.approve", ["operator.pairing"])).toEqual({
|
|
allowed: true,
|
|
});
|
|
expect(authorizeOperatorScopesForMethod("node.pair.approve", ["operator.write"])).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.pairing",
|
|
});
|
|
});
|
|
|
|
it.each(["exec.approval.get", "exec.approval.list", "exec.approval.resolve"])(
|
|
"requires approvals scope for %s",
|
|
(method) => {
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.write"])).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.approvals",
|
|
});
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.approvals"])).toEqual({
|
|
allowed: true,
|
|
});
|
|
},
|
|
);
|
|
|
|
it.each([
|
|
"exec.approvals.get",
|
|
"exec.approvals.set",
|
|
"exec.approvals.node.get",
|
|
"exec.approvals.node.set",
|
|
])("requires admin scope for exec approval policy method %s", (method) => {
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.approvals"])).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.admin",
|
|
});
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.admin"])).toEqual({
|
|
allowed: true,
|
|
});
|
|
});
|
|
|
|
it.each([
|
|
"plugin.approval.list",
|
|
"plugin.approval.request",
|
|
"plugin.approval.waitDecision",
|
|
"plugin.approval.resolve",
|
|
])("requires approvals scope for %s", (method) => {
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.write"])).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.approvals",
|
|
});
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.approvals"])).toEqual({
|
|
allowed: true,
|
|
});
|
|
});
|
|
|
|
it("requires admin for unknown methods", () => {
|
|
expect(authorizeOperatorScopesForMethod("unknown.method", ["operator.read"])).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.admin",
|
|
});
|
|
});
|
|
|
|
it("requires admin for reserved admin namespaces even if a plugin registered a narrower scope", () => {
|
|
setPluginGatewayMethodScope(RESERVED_ADMIN_PLUGIN_METHOD, "operator.read");
|
|
|
|
expect(
|
|
authorizeOperatorScopesForMethod(RESERVED_ADMIN_PLUGIN_METHOD, ["operator.read"]),
|
|
).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.admin",
|
|
});
|
|
});
|
|
});
|
|
|
|
describe("plugin approval method registration", () => {
|
|
it("lists all plugin approval methods", () => {
|
|
const methods = listGatewayMethods();
|
|
expect(methods).toContain("plugin.approval.list");
|
|
expect(methods).toContain("plugin.approval.request");
|
|
expect(methods).toContain("plugin.approval.waitDecision");
|
|
expect(methods).toContain("plugin.approval.resolve");
|
|
});
|
|
|
|
it("classifies plugin approval methods", () => {
|
|
expect(isGatewayMethodClassified("plugin.approval.list")).toBe(true);
|
|
expect(isGatewayMethodClassified("plugin.approval.request")).toBe(true);
|
|
expect(isGatewayMethodClassified("plugin.approval.waitDecision")).toBe(true);
|
|
expect(isGatewayMethodClassified("plugin.approval.resolve")).toBe(true);
|
|
});
|
|
});
|
|
|
|
describe("core gateway method classification", () => {
|
|
it("treats node-role methods as classified even without operator scopes", () => {
|
|
expect(isGatewayMethodClassified("node.pending.drain")).toBe(true);
|
|
expect(isGatewayMethodClassified("node.pending.pull")).toBe(true);
|
|
expect(isGatewayMethodClassified("node.pluginSurface.refresh")).toBe(true);
|
|
});
|
|
|
|
it("classifies every exposed core gateway handler method", () => {
|
|
const unclassified = Object.keys(coreGatewayHandlers).filter(
|
|
(method) => !isGatewayMethodClassified(method),
|
|
);
|
|
expect(unclassified).toStrictEqual([]);
|
|
});
|
|
|
|
it("classifies every listed gateway method name", () => {
|
|
const unclassified = listGatewayMethods().filter(
|
|
(method) => !isGatewayMethodClassified(method),
|
|
);
|
|
expect(unclassified).toStrictEqual([]);
|
|
});
|
|
|
|
it("exposes skill proposal methods through the core gateway registry", () => {
|
|
for (const method of ["skills.proposals.list", "skills.proposals.inspect"]) {
|
|
expect(listGatewayMethods()).toContain(method);
|
|
expect(coreGatewayHandlers).toHaveProperty(method);
|
|
expect(resolveLeastPrivilegeOperatorScopesForMethod(method)).toEqual(["operator.read"]);
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.read"])).toEqual({
|
|
allowed: true,
|
|
});
|
|
}
|
|
|
|
for (const method of [
|
|
"skills.proposals.create",
|
|
"skills.proposals.update",
|
|
"skills.proposals.revise",
|
|
"skills.proposals.apply",
|
|
"skills.proposals.reject",
|
|
"skills.proposals.quarantine",
|
|
]) {
|
|
expect(listGatewayMethods()).toContain(method);
|
|
expect(coreGatewayHandlers).toHaveProperty(method);
|
|
expect(resolveLeastPrivilegeOperatorScopesForMethod(method)).toEqual(["operator.admin"]);
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.write"])).toEqual({
|
|
allowed: false,
|
|
missingScope: "operator.admin",
|
|
});
|
|
expect(authorizeOperatorScopesForMethod(method, ["operator.admin"])).toEqual({
|
|
allowed: true,
|
|
});
|
|
}
|
|
});
|
|
});
|
|
|
|
describe("CLI default operator scopes", () => {
|
|
it("includes operator.talk.secrets for node-role device pairing approvals", async () => {
|
|
const { CLI_DEFAULT_OPERATOR_SCOPES } = await import("./method-scopes.js");
|
|
expect(CLI_DEFAULT_OPERATOR_SCOPES).toContain("operator.talk.secrets");
|
|
});
|
|
});
|