openclaw/src/gateway/method-scopes.test.ts

import { describe, expect, it } from "vitest";
import {
  authorizeOperatorScopesForMethod,
  resolveLeastPrivilegeOperatorScopesForMethod,
} from "./method-scopes.js";

describe("method scope resolution", () => {
  it("classifies sessions.resolve as read and poll as write", () => {
    expect(resolveLeastPrivilegeOperatorScopesForMethod("sessions.resolve")).toEqual([
      "operator.read",
    ]);
    expect(resolveLeastPrivilegeOperatorScopesForMethod("poll")).toEqual(["operator.write"]);
  });

  it("returns empty scopes for unknown methods", () => {
    expect(resolveLeastPrivilegeOperatorScopesForMethod("totally.unknown.method")).toEqual([]);
  });
});

describe("operator scope authorization", () => {
  it("allows read methods with operator.read or operator.write", () => {
    expect(authorizeOperatorScopesForMethod("health", ["operator.read"])).toEqual({
      allowed: true,
    });
    expect(authorizeOperatorScopesForMethod("health", ["operator.write"])).toEqual({
      allowed: true,
    });
  });

  it("requires operator.write for write methods", () => {
    expect(authorizeOperatorScopesForMethod("send", ["operator.read"])).toEqual({
      allowed: false,
      missingScope: "operator.write",
    });
  });

  it("requires approvals scope for approval methods", () => {
    expect(authorizeOperatorScopesForMethod("exec.approval.resolve", ["operator.write"])).toEqual({
      allowed: false,
      missingScope: "operator.approvals",
    });
  });

  it("requires admin for unknown methods", () => {
    expect(authorizeOperatorScopesForMethod("unknown.method", ["operator.read"])).toEqual({
      allowed: false,
      missingScope: "operator.admin",
    });
  });
});
refactor(security): unify gateway scope authorization flows 2026-02-19 15:06:28 +01:00			`import { describe, expect, it } from "vitest";`
			`import {`
			`authorizeOperatorScopesForMethod,`
			`resolveLeastPrivilegeOperatorScopesForMethod,`
			`} from "./method-scopes.js";`

			`describe("method scope resolution", () => {`
			`it("classifies sessions.resolve as read and poll as write", () => {`
			`expect(resolveLeastPrivilegeOperatorScopesForMethod("sessions.resolve")).toEqual([`
			`"operator.read",`
			`]);`
			`expect(resolveLeastPrivilegeOperatorScopesForMethod("poll")).toEqual(["operator.write"]);`
			`});`

			`it("returns empty scopes for unknown methods", () => {`
			`expect(resolveLeastPrivilegeOperatorScopesForMethod("totally.unknown.method")).toEqual([]);`
			`});`
			`});`

			`describe("operator scope authorization", () => {`
			`it("allows read methods with operator.read or operator.write", () => {`
			`expect(authorizeOperatorScopesForMethod("health", ["operator.read"])).toEqual({`
			`allowed: true,`
			`});`
			`expect(authorizeOperatorScopesForMethod("health", ["operator.write"])).toEqual({`
			`allowed: true,`
			`});`
			`});`

			`it("requires operator.write for write methods", () => {`
			`expect(authorizeOperatorScopesForMethod("send", ["operator.read"])).toEqual({`
			`allowed: false,`
			`missingScope: "operator.write",`
			`});`
			`});`

			`it("requires approvals scope for approval methods", () => {`
			`expect(authorizeOperatorScopesForMethod("exec.approval.resolve", ["operator.write"])).toEqual({`
			`allowed: false,`
			`missingScope: "operator.approvals",`
			`});`
			`});`

			`it("requires admin for unknown methods", () => {`
			`expect(authorizeOperatorScopesForMethod("unknown.method", ["operator.read"])).toEqual({`
			`allowed: false,`
			`missingScope: "operator.admin",`
			`});`
			`});`
			`});`