mirror of
https://github.com/screentinker/screentinker.git
synced 2026-06-17 03:32:32 -06:00
c8a24d2243
The capability/target-restricted token model for the agency portal (#73 option B), proven before any endpoint sits on it: - 'agency' scope value is OFF the read/write/full ladder, so the existing tokenScopeGate rejects it on every public router by construction (auto-confinement, no new code). - api_token_targets join table: which playlists an agency token may act on. - agencyGate: THE single seam - agency-scope-only + (playlist in this token's allowlist AND in the bound workspace), one query enforcing target + cross-workspace isolation. - AGENCY_ROUTERS category in config/api-surface.js (mounted with agencyGate, not tokenScopeGate) - declared; router/mount land with the endpoints. Both bite-tested: spine (agency 403s on tokenScopeGate; read/write still pass) and the gate (non-designated/cross-workspace/non-agency/JWT -> 403; neutralizing the target check goes red). NARROW - not the general capability-scope system. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| .. | ||
| admin-users.test.js | ||
| agency-gate.test.js | ||
| agency-scope.test.js | ||
| ai-design.test.js | ||
| api.test.js | ||
| apitoken-unit.test.js | ||
| branding.test.js | ||
| config-paths.test.js | ||
| i18n-tokens.test.js | ||
| openapi-contract.test.js | ||
| operator-permissions.test.js | ||
| pair-lockout.test.js | ||
| provisioning.test.js | ||
| schedule-eval.test.js | ||
| schema-check.test.js | ||
| security-fixes.test.js | ||
| tenant-cascade-migration.test.js | ||
| tizen-eval-drift.test.js | ||
| totp-keyrotation.test.js | ||
| totp-unit.test.js | ||
| totp.test.js | ||
| user-deletion.test.js | ||
| widget-render-xss.test.js | ||