From 52900b48ad375cf1c2e976e546164eca6b920123 Mon Sep 17 00:00:00 2001
From: Peter Steinberger <steipete@gmail.com>
Date: Fri, 13 Mar 2026 21:53:11 +0000
Subject: [PATCH] test: tighten shared policy helper coverage

---
 src/shared/device-auth.test.ts           |  1 +
 src/shared/operator-scope-compat.test.ts | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)

diff --git a/src/shared/device-auth.test.ts b/src/shared/device-auth.test.ts
index a3bc6fa3956..d3018f5ba0a 100644
--- a/src/shared/device-auth.test.ts
+++ b/src/shared/device-auth.test.ts
@@ -13,6 +13,7 @@ describe("shared/device-auth", () => {
       normalizeDeviceAuthScopes([" node.invoke ", "operator.read", "", "node.invoke", "a.scope"]),
     ).toEqual(["a.scope", "node.invoke", "operator.read"]);
     expect(normalizeDeviceAuthScopes(undefined)).toEqual([]);
+    expect(normalizeDeviceAuthScopes(null as unknown as string[])).toEqual([]);
     expect(normalizeDeviceAuthScopes(["   ", "\t", "\n"])).toEqual([]);
     expect(normalizeDeviceAuthScopes(["z.scope", "A.scope", "m.scope"])).toEqual([
       "A.scope",
diff --git a/src/shared/operator-scope-compat.test.ts b/src/shared/operator-scope-compat.test.ts
index e48a17ad398..44236ca7341 100644
--- a/src/shared/operator-scope-compat.test.ts
+++ b/src/shared/operator-scope-compat.test.ts
@@ -2,6 +2,16 @@ import { describe, expect, it } from "vitest";
 import { roleScopesAllow } from "./operator-scope-compat.js";
 
 describe("roleScopesAllow", () => {
+  it("allows empty requested scope lists regardless of granted scopes", () => {
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: [],
+        allowedScopes: [],
+      }),
+    ).toBe(true);
+  });
+
   it("treats operator.read as satisfied by read/write/admin scopes", () => {
     expect(
       roleScopesAllow({
@@ -85,6 +95,13 @@ describe("roleScopesAllow", () => {
         allowedScopes: ["operator.admin"],
       }),
     ).toBe(false);
+    expect(
+      roleScopesAllow({
+        role: " node ",
+        requestedScopes: [" system.run ", "system.run", "  "],
+        allowedScopes: ["system.run", "operator.admin"],
+      }),
+    ).toBe(true);
   });
 
   it("normalizes blank and duplicate scopes before evaluating", () => {