test: tighten shared policy helper coverage

src/shared/device-auth.test.ts

@@ -13,6 +13,7 @@ describe("shared/device-auth", () => {
       normalizeDeviceAuthScopes([" node.invoke ", "operator.read", "", "node.invoke", "a.scope"]),
     ).toEqual(["a.scope", "node.invoke", "operator.read"]);
     expect(normalizeDeviceAuthScopes(undefined)).toEqual([]);
+    expect(normalizeDeviceAuthScopes(null as unknown as string[])).toEqual([]);
     expect(normalizeDeviceAuthScopes(["   ", "\t", "\n"])).toEqual([]);
     expect(normalizeDeviceAuthScopes(["z.scope", "A.scope", "m.scope"])).toEqual([
       "A.scope",

src/shared/operator-scope-compat.test.ts

@@ -2,6 +2,16 @@ import { describe, expect, it } from "vitest";
 import { roleScopesAllow } from "./operator-scope-compat.js";
 
 describe("roleScopesAllow", () => {
+  it("allows empty requested scope lists regardless of granted scopes", () => {
+    expect(
+      roleScopesAllow({
+        role: "operator",
+        requestedScopes: [],
+        allowedScopes: [],
+      }),
+    ).toBe(true);
+  });
+
   it("treats operator.read as satisfied by read/write/admin scopes", () => {
     expect(
       roleScopesAllow({
@@ -85,6 +95,13 @@ describe("roleScopesAllow", () => {
         allowedScopes: ["operator.admin"],
       }),
     ).toBe(false);
+    expect(
+      roleScopesAllow({
+        role: " node ",
+        requestedScopes: [" system.run ", "system.run", "  "],
+        allowedScopes: ["system.run", "operator.admin"],
+      }),
+    ).toBe(true);
   });
 
   it("normalizes blank and duplicate scopes before evaluating", () => {