test: tighten shared policy helper coverage

2026-03-13 21:53:11 +00:00 · 2026-03-13 21:53:11 +00:00 · 52900b48ad
parent 4de268587c
commit 52900b48ad
2 changed files with 18 additions and 0 deletions
--- a/src/shared/device-auth.test.ts
+++ b/src/shared/device-auth.test.ts
@ -13,6 +13,7 @@ describe("shared/device-auth", () => {
      normalizeDeviceAuthScopes([" node.invoke ", "operator.read", "", "node.invoke", "a.scope"]),
    ).toEqual(["a.scope", "node.invoke", "operator.read"]);
    expect(normalizeDeviceAuthScopes(undefined)).toEqual([]);
+    expect(normalizeDeviceAuthScopes(null as unknown as string[])).toEqual([]);
    expect(normalizeDeviceAuthScopes(["   ", "\t", "\n"])).toEqual([]);
    expect(normalizeDeviceAuthScopes(["z.scope", "A.scope", "m.scope"])).toEqual([
      "A.scope",
--- a/src/shared/operator-scope-compat.test.ts
+++ b/src/shared/operator-scope-compat.test.ts
@ -2,6 +2,16 @@ import { describe, expect, it } from "vitest";
 import { roleScopesAllow } from "./operator-scope-compat.js";

 describe("roleScopesAllow", () => {
+  it("allows empty requested scope lists regardless of granted scopes", () => {
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: [],
+        allowedScopes: [],
+      }),
+    ).toBe(true);
+  });
+
  it("treats operator.read as satisfied by read/write/admin scopes", () => {
    expect(
      roleScopesAllow({
@ -85,6 +95,13 @@ describe("roleScopesAllow", () => {
        allowedScopes: ["operator.admin"],
      }),
    ).toBe(false);
+    expect(
+      roleScopesAllow({
+        role: " node ",
+        requestedScopes: [" system.run ", "system.run", "  "],
+        allowedScopes: ["system.run", "operator.admin"],
+      }),
+    ).toBe(true);
  });

  it("normalizes blank and duplicate scopes before evaluating", () => {