Hynes/Void-Homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(auth): capability check — user/cron/worker allow; agents tiered allow/suggest/deny

Browse Source
This commit is contained in:
root
2026-05-31 11:06:00 +10:00
parent 10902bc6ac
commit cd71d64523
3 changed files with 112 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
tests/auth/capability.test.js Normal file
View File

@@ -0,0 +1,55 @@
import { describe, it, expect } from 'vitest';
import { canAct } from '../../lib/auth/capability.js';
const ownerActor = { kind: 'user', id: null };
const readAgent = {
kind: 'agent', id: 'a1',
capabilities: { read: true, suggest: true, write: false },
scopes: {}
};
const writeAgent = {
kind: 'agent', id: 'a2',
capabilities: { read: true, suggest: true, write: true },
scopes: { page: true }
};
describe('canAct', () => {
it('owner can do anything', () => {
expect(canAct(ownerActor, 'create', 'page')).toBe('allow');
expect(canAct(ownerActor, 'delete', 'resource')).toBe('allow');
});
it('read-only agent can read', () => {
expect(canAct(readAgent, 'read', 'page')).toBe('allow');
});
it('default agent on create returns "suggest"', () => {
expect(canAct(readAgent, 'create', 'page')).toBe('suggest');
});
it('write-scoped agent can write to its scope', () => {
expect(canAct(writeAgent, 'create', 'page')).toBe('allow');
});
it('write-capable agent without scope still suggests outside it', () => {
expect(canAct(writeAgent, 'create', 'resource')).toBe('suggest');
});
it('agent with no capabilities is deny on mutations', () => {
expect(canAct({ kind: 'agent', id: 'x', capabilities: {} }, 'create', 'page')).toBe('deny');
});
it('agent with no read capability is deny on read', () => {
expect(canAct({ kind: 'agent', id: 'x', capabilities: {} }, 'read', 'page')).toBe('deny');
});
it('null actor is deny', () => {
expect(canAct(null, 'read', 'page')).toBe('deny');
});
it('cron/worker/system get allow', () => {
expect(canAct({ kind: 'cron', id: null }, 'create', 'page')).toBe('allow');
expect(canAct({ kind: 'worker', id: null }, 'update', 'page')).toBe('allow');
expect(canAct({ kind: 'system', id: null }, 'delete', 'page')).toBe('allow');
});
});