Gateway: scope node pending drain to nodes

mbelinky · mbelinky · commit c49af9ea7c49 · 2026-03-09T21:25:00.000+01:00
diff --git a/src/gateway/method-scopes.test.ts b/src/gateway/method-scopes.test.ts
@@ -18,6 +18,10 @@ describe("method scope resolution", () => {
     expect(resolveLeastPrivilegeOperatorScopesForMethod("poll")).toEqual(["operator.write"]);
   });
 
+  it("leaves node-only pending drain outside operator scopes", () => {
+    expect(resolveLeastPrivilegeOperatorScopesForMethod("node.pending.drain")).toEqual([]);
+  });
+
   it("returns empty scopes for unknown methods", () => {
     expect(resolveLeastPrivilegeOperatorScopesForMethod("totally.unknown.method")).toEqual([]);
   });
diff --git a/src/gateway/method-scopes.ts b/src/gateway/method-scopes.ts
@@ -22,6 +22,7 @@ export const CLI_DEFAULT_OPERATOR_SCOPES: OperatorScope[] = [
 const NODE_ROLE_METHODS = new Set([
   "node.invoke.result",
   "node.event",
+  "node.pending.drain",
   "node.canvas.capability.refresh",
   "node.pending.pull",
   "node.pending.ack",
@@ -78,7 +79,6 @@ const METHOD_SCOPE_GROUPS: Record<OperatorScope, readonly string[]> = {
     "last-heartbeat",
     "node.list",
     "node.describe",
-    "node.pending.drain",
     "chat.history",
     "config.get",
     "config.schema.lookup",
diff --git a/src/gateway/role-policy.test.ts b/src/gateway/role-policy.test.ts
@@ -24,7 +24,7 @@ describe("gateway role policy", () => {
     expect(isRoleAuthorizedForMethod("node", "node.pending.drain")).toBe(true);
     expect(isRoleAuthorizedForMethod("node", "status")).toBe(false);
     expect(isRoleAuthorizedForMethod("operator", "status")).toBe(true);
-    expect(isRoleAuthorizedForMethod("operator", "node.pending.drain")).toBe(true);
+    expect(isRoleAuthorizedForMethod("operator", "node.pending.drain")).toBe(false);
     expect(isRoleAuthorizedForMethod("operator", "node.event")).toBe(false);
   });
 });
diff --git a/src/gateway/role-policy.ts b/src/gateway/role-policy.ts
@@ -1,7 +1,6 @@
 import { isNodeRoleMethod } from "./method-scopes.js";
 
 export const GATEWAY_ROLES = ["operator", "node"] as const;
-const SHARED_ROLE_METHODS = new Set(["node.pending.drain"]);
 
 export type GatewayRole = (typeof GATEWAY_ROLES)[number];
 
@@ -17,9 +16,6 @@ export function roleCanSkipDeviceIdentity(role: GatewayRole, sharedAuthOk: boole
 }
 
 export function isRoleAuthorizedForMethod(role: GatewayRole, method: string): boolean {
-  if (SHARED_ROLE_METHODS.has(method)) {
-    return true;
-  }
   if (isNodeRoleMethod(method)) {
     return role === "node";
   }

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,6 @@`
`1`	`1`	`import { isNodeRoleMethod } from "./method-scopes.js";`
`2`	`2`
`3`	`3`	`export const GATEWAY_ROLES = ["operator", "node"] as const;`
`4`		`-const SHARED_ROLE_METHODS = new Set(["node.pending.drain"]);`
`5`	`4`
`6`	`5`	`export type GatewayRole = (typeof GATEWAY_ROLES)[number];`
`7`	`6`
`@@ -17,9 +16,6 @@ export function roleCanSkipDeviceIdentity(role: GatewayRole, sharedAuthOk: boole`
`17`	`16`	`}`
`18`	`17`
`19`	`18`	`export function isRoleAuthorizedForMethod(role: GatewayRole, method: string): boolean {`
`20`		`- if (SHARED_ROLE_METHODS.has(method)) {`
`21`		`- return true;`
`22`		`- }`
`23`	`19`	`if (isNodeRoleMethod(method)) {`
`24`	`20`	`return role === "node";`
`25`	`21`	`}`