gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 22:31:36 +00:00
Code Issues Packages Projects Releases Wiki Activity

auth-bundle-1 Phase 6-7-8: bootstrap path + scope-down CLI + auditor-role split

Browse Source 
# Phase 6 — day-0 admin bootstrap

* internal/auth/bootstrap/ (new package): Strategy interface +
  EnvTokenStrategy with constant-time compare, one-shot consumption
  via sync.Mutex, optional admin-existence probe. Bundle 2's OIDC-
  first-admin will plug in alongside as an alternate Strategy.
* BootstrapService.ValidateAndMint: validates the operator's
  CERTCTL_BOOTSTRAP_TOKEN, mints a 32-byte (64-hex-char) random API
  key value, persists the SHA-256 hash to api_keys, grants r-admin
  via actor_roles, AddHashed's the runtime keystore so the just-
  minted key authenticates the next request without restart, and
  records bootstrap.consume to the audit trail with category=auth.
* internal/auth/keystore.go (new): KeyStore interface +
  StaticKeyStore (immutable env-var-only path) + MutableKeyStore
  (env-var keys + DB-loaded api_keys + runtime AddHashed). The auth
  middleware now consumes a KeyStore so the bootstrap path can
  extend the lookup table at runtime.
* migrations/000031_api_keys.up/down.sql: api_keys table with
  (id, name UNIQUE, key_hash UNIQUE, tenant_id, admin, created_by,
  created_at, expires_at, last_used_at). Idempotent.
* /v1/auth/bootstrap GET (probe) + POST (mint) — auth-exempt. Both
  routes documented in api/openapi.yaml + AuthExemptRouterRoutes
  allowlist updated. The token never leaves internal/auth/bootstrap;
  the minted plaintext key flows only into the HTTP response body.
* Startup warning emitted when CERTCTL_BOOTSTRAP_TOKEN is set AND
  admin actors already exist (config drift signal).
* Tests: 4 strategy invariants (empty token born disabled, wrong
  token=ErrInvalidToken without consumption, one-shot consumption,
  admin-exists closes path), 5 service tests (happy path + actor-
  name validation + propagation of strategy errors + nil-deps
  guard + 32-byte entropy budget), 8 HTTP-handler tests (status
  201/410/401/400 mapping + token-leak hygiene scan of slog +
  audit details + Location header). Token-leak test redirects
  slog.Default to a buffer for the test scope.

# Phase 7 — API-key migration + scope-down CLI

* GET /v1/auth/keys handler + service method ListKeys backed by
  ActorRoleRepository.ListDistinctActors. Returns one row per
  (actor_id, actor_type) pair with the slice of role IDs they hold.
  Permission: auth.role.list.
* internal/cli/auth_scope_down.go: AuthListKeys, AuthScopeDown
  (interactive), AuthScopeDownNonInteractive (JSON config),
  AuthScopeDownSuggest (--suggest with optional --apply). The
  synthetic actor-demo-anon is filtered out of every interactive /
  bulk path; non-interactive flow logs and skips it explicitly.
* SuggestRoleFromAuditEvents (pure function): walks 30 days of
  audit events per actor and returns the narrowest matching role
  (admin / mcp / viewer / agent / operator) plus a one-line reason.
  Classification: any admin-shaped action wins; otherwise all-MCP
  → mcp; all-read-only → viewer; all-agent-shaped → agent;
  otherwise operator. Test table pins all six classifications.
* CLI subcommand tree extended: 'auth keys list' + 'auth keys
  scope-down [--non-interactive <cfg>] [--suggest [--apply]]'.
* CHANGELOG.md leads v2.1.0 with the SECURITY: AUDIT YOUR API KEYS
  call-out + four flow examples.

# Phase 8 — auditor role + event_category column

* migrations/000032_audit_category.up/down.sql: ALTER TABLE
  audit_events ADD COLUMN event_category TEXT NOT NULL DEFAULT
  'cert_lifecycle' + CHECK constraint (cert_lifecycle/auth/config)
  + (event_category) and (event_category, timestamp DESC) indexes
  for the auditor-filter query path. WORM trigger from migration
  000018 continues to enforce append-only at the DB layer (DDL is
  not blocked).
* domain.AuditEvent gains EventCategory string (omitempty);
  domain.EventCategoryCertLifecycle / Auth / Config constants.
* AuditService.RecordEventWithCategory sibling of RecordEvent;
  legacy callers stay on RecordEvent (defaults to cert_lifecycle).
  Auth callers (RoleService, ActorRoleService, BootstrapService)
  switched to RecordEventWithCategory(..., 'auth', ...).
* GET /v1/audit?category=<cat>: handler accepts the optional query
  param, validates against the enum (400 on invalid value),
  dispatches through ListAuditEventsByCategory. OpenAPI updated
  with the new query param + AuditEvent.event_category schema.
* Postgres AuditRepository.Create now writes event_category;
  AuditRepository.List filters on it; AuditFilter.EventCategory
  gates the WHERE clause.
* Tests: 5 audit-category-filter HTTP tests (dispatch routing,
  back-compat fallback, 400 for invalid values, all 3 enum values
  accepted, page+category combine, JSON output surfaces the
  field). 3 auditor-role invariants (auditor holds exactly
  audit.read+audit.export, no mutating perms, disjoint from
  viewer except audit.read).

# Cross-phase wiring

* HandlerRegistry.Bootstrap field added; cmd/server/main.go wires
  the bootstrap service ahead of RegisterHandlers (extracted
  assembleNamedAPIKeys helper into auth_backfill.go, moved the
  keystore + bootstrap construction up alongside the auth repos).
* AuthCheckResolver / AuthActorRoleService extended with ListKeys
  to satisfy the Phase 7 surface; existing fakes updated.
* fakeAudit + mockAuditService stubs in tests gain
  RecordEventWithCategory + ListAuditEventsByCategory; existing
  tests untouched.

# Verifications

* gofmt -l: clean across every modified file.
* go vet ./...: clean.
* staticcheck across internal/auth + handler + router + cli +
  service + repository + cmd + domain: clean.
* go test -short -count=1: green across every Bundle-1-touched
  package — internal/auth (incl. bootstrap), internal/api/handler,
  internal/api/router, internal/cli, internal/service/auth,
  internal/service, internal/domain/auth, internal/repository/postgres,
  cmd/server, cmd/cli, plus internal/scheduler, internal/api/middleware,
  cmd/agent, internal/mcp.
This commit is contained in:
shankar0123
2026-05-09 20:15:43 +00:00
parent 99826c11e6
commit 3c605d5618
38 changed files with 3159 additions and 140 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/cli/auth_scope_down.go
+401
View File
@@ -0,0 +1,401 @@
package cli
import (
"bufio"
"encoding/json"
"errors"
"fmt"
"io"
"os"
"strings"
)
// =============================================================================
// Bundle 1 Phase 7 — `certctl-cli auth keys list` + scope-down helper.
//
// The Phase 1 migration backfills every CERTCTL_API_KEYS_NAMED entry to
// the admin role on first boot (Decision 7's safe-for-back-compat
// default). Scope-down is the operator-driven downgrade of any keys that
// don't actually need admin power. This file ships:
//
// - AuthListKeys: GET /api/v1/auth/keys — render every actor + roles
// in tabular / json form.
// - AuthScopeDown: interactive flow that walks every key (skipping
// the synthetic actor-demo-anon) and prompts for a target role.
// - AuthScopeDownNonInteractive: take a JSON config {actor_id: role_id}
// and apply role changes without prompts; for automation.
// - AuthScopeDownSuggest: read 30 days of audit events per key and
// suggest a narrower role based on actual call patterns. The suggest
// mode still requires confirmation (or --apply for non-interactive).
//
// The scope-down flow uses revoke + grant as separate API calls
// (no batch endpoint yet — by design; auditing each role mutation
// individually is a Bundle 1 invariant).
// =============================================================================
// AuthKeyEntry mirrors handler.ListKeys's response shape without
// importing the handler package.
type AuthKeyEntry struct {
ActorID string `json:"actor_id"`
ActorType string `json:"actor_type"`
TenantID string `json:"tenant_id"`
RoleIDs []string `json:"role_ids"`
}
type authKeysListResponse struct {
Keys []AuthKeyEntry `json:"keys"`
}
// AuthListKeys prints every actor in the tenant with their current role
// assignments. The synthetic actor-demo-anon is shown but flagged as
// "system-managed" so operators don't accidentally try to mutate it.
func (c *Client) AuthListKeys() error {
keys, err := c.fetchAuthKeys()
if err != nil {
return err
}
if c.format == "json" {
blob, _ := json.MarshalIndent(authKeysListResponse{Keys: keys}, "", " ")
fmt.Println(string(blob))
return nil
}
fmt.Printf("%-28s %-12s %s\n", "ACTOR", "TYPE", "ROLES")
for _, k := range keys {
notes := ""
if k.ActorID == DemoAnonActorID {
notes = " (system-managed; scope-down skips this)"
}
fmt.Printf("%-28s %-12s %s%s\n", k.ActorID, k.ActorType, strings.Join(k.RoleIDs, ","), notes)
}
return nil
}
// DemoAnonActorID is replicated from internal/auth/context.go so the
// CLI doesn't import internal/auth (the CLI binary stays small).
const DemoAnonActorID = "actor-demo-anon"
// AuthScopeDown runs the interactive scope-down flow against stdin /
// stdout. Each non-system actor is shown with its current roles and
// the operator picks one of: keep, admin, operator, viewer, agent,
// mcp, cli, auditor. Empty input keeps the current assignment.
func (c *Client) AuthScopeDown() error {
keys, err := c.fetchAuthKeys()
if err != nil {
return err
}
keys = filterScopeDownCandidates(keys)
if len(keys) == 0 {
fmt.Println("no actors eligible for scope-down (only the system-managed actor-demo-anon exists, or no actors hold roles).")
return nil
}
fmt.Println("certctl-cli auth keys scope-down")
fmt.Println("================================")
fmt.Printf("Bundle 1 ships role-based authorization. Existing API keys backfill to r-admin (full power).\n")
fmt.Printf("Walk each key below and select a role that matches its actual usage. Empty input keeps the\n")
fmt.Printf("current assignment; type a single role name to replace it.\n\n")
reader := bufio.NewReader(os.Stdin)
plan, err := buildScopeDownPlan(keys, reader, os.Stdout)
if err != nil {
return err
}
return c.applyScopeDownPlan(plan)
}
// AuthScopeDownNonInteractive applies a {actor_id: role_id} JSON
// config without prompts. Useful for automation / Helm post-upgrade
// hooks. Empty role_id revokes all current roles WITHOUT granting a
// replacement; the operator can then assign roles selectively via
// `certctl-cli auth keys assign`.
func (c *Client) AuthScopeDownNonInteractive(configPath string) error {
blob, err := os.ReadFile(configPath)
if err != nil {
return fmt.Errorf("read config %s: %w", configPath, err)
}
var cfg map[string]string
if err := json.Unmarshal(blob, &cfg); err != nil {
return fmt.Errorf("decode config %s: %w", configPath, err)
}
keys, err := c.fetchAuthKeys()
if err != nil {
return err
}
currentRoles := map[string][]string{}
for _, k := range keys {
currentRoles[k.ActorID] = k.RoleIDs
}
plan := []scopeDownAction{}
for actor, target := range cfg {
if actor == DemoAnonActorID {
fmt.Fprintf(os.Stderr, "skipping %s: reserved system actor\n", actor)
continue
}
current, ok := currentRoles[actor]
if !ok {
fmt.Fprintf(os.Stderr, "skipping %s: not in actor_roles (no grants to revoke)\n", actor)
continue
}
plan = append(plan, scopeDownAction{
ActorID: actor,
CurrentRoles: current,
TargetRole: target,
})
}
return c.applyScopeDownPlan(plan)
}
// AuthScopeDownSuggest analyses 30 days of audit events per key and
// prints suggested role assignments. With apply=false (default) the
// suggestions are advisory and the operator follows up with a manual
// scope-down or scope-down-non-interactive call. With apply=true the
// suggestions are applied directly.
func (c *Client) AuthScopeDownSuggest(apply bool) error {
keys, err := c.fetchAuthKeys()
if err != nil {
return err
}
keys = filterScopeDownCandidates(keys)
plan := []scopeDownAction{}
fmt.Println("certctl-cli auth keys scope-down --suggest")
fmt.Println("==========================================")
fmt.Printf("%-28s %-15s %-15s %s\n", "ACTOR", "CURRENT ROLES", "SUGGESTED", "REASON")
for _, k := range keys {
events, fetchErr := c.fetchAuditEventsForActor(k.ActorID, 1000)
if fetchErr != nil {
fmt.Fprintf(os.Stderr, "fetch audit for %s: %v\n", k.ActorID, fetchErr)
continue
}
suggested, reason := SuggestRoleFromAuditEvents(events)
fmt.Printf("%-28s %-15s %-15s %s\n",
k.ActorID,
strings.Join(k.RoleIDs, ","),
suggested,
reason)
plan = append(plan, scopeDownAction{
ActorID: k.ActorID,
CurrentRoles: k.RoleIDs,
TargetRole: suggested,
})
}
if !apply {
fmt.Println("\n(dry run; pass --apply to execute the suggested role changes)")
return nil
}
return c.applyScopeDownPlan(plan)
}
// =============================================================================
// Internals
// =============================================================================
type scopeDownAction struct {
ActorID string
CurrentRoles []string
TargetRole string
}
func (c *Client) fetchAuthKeys() ([]AuthKeyEntry, error) {
body, err := c.doGET("/api/v1/auth/keys")
if err != nil {
return nil, err
}
var resp authKeysListResponse
if err := json.Unmarshal(body, &resp); err != nil {
return nil, fmt.Errorf("decode /v1/auth/keys: %w", err)
}
return resp.Keys, nil
}
func filterScopeDownCandidates(keys []AuthKeyEntry) []AuthKeyEntry {
out := make([]AuthKeyEntry, 0, len(keys))
for _, k := range keys {
if k.ActorID == DemoAnonActorID {
continue
}
out = append(out, k)
}
return out
}
// validRoles is the canonical list scope-down accepts as targets.
// Mirrors the Phase 1 default-role seeds; new operator-defined roles
// can be assigned via `certctl auth keys assign --role <id>` directly.
var validRoles = []string{"admin", "operator", "viewer", "agent", "mcp", "cli", "auditor"}
func isValidRole(s string) bool {
for _, v := range validRoles {
if v == s {
return true
}
}
return false
}
func buildScopeDownPlan(keys []AuthKeyEntry, in *bufio.Reader, out io.Writer) ([]scopeDownAction, error) {
plan := []scopeDownAction{}
for _, k := range keys {
fmt.Fprintf(out, "\n%s (current: %s)\n", k.ActorID, strings.Join(k.RoleIDs, ","))
fmt.Fprintf(out, " enter target role [%s] or 'keep' (default): ",
strings.Join(validRoles, "|"))
line, err := in.ReadString('\n')
if err != nil && !errors.Is(err, io.EOF) {
return nil, err
}
choice := strings.TrimSpace(line)
if choice == "" || strings.EqualFold(choice, "keep") {
fmt.Fprintln(out, " → keeping existing roles")
continue
}
choice = strings.ToLower(choice)
if !isValidRole(choice) {
fmt.Fprintf(out, " → unknown role %q, keeping existing\n", choice)
continue
}
// Normalize target to r-<name> for the API.
plan = append(plan, scopeDownAction{
ActorID: k.ActorID,
CurrentRoles: k.RoleIDs,
TargetRole: "r-" + choice,
})
}
return plan, nil
}
// applyScopeDownPlan runs revoke+grant pairs for every action.
// Idempotent on the role layer (revoke a missing role yields 404; the
// CLI swallows that).
func (c *Client) applyScopeDownPlan(plan []scopeDownAction) error {
if len(plan) == 0 {
fmt.Println("\nno role changes to apply.")
return nil
}
fmt.Println("\nApplying role changes:")
var changed, kept int
for _, action := range plan {
// Skip actions whose target role is already exclusively
// held (no diff). This avoids spurious revoke+grant churn.
if len(action.CurrentRoles) == 1 && action.CurrentRoles[0] == action.TargetRole {
fmt.Printf(" %s: already at %s, skipping\n", action.ActorID, action.TargetRole)
kept++
continue
}
// Revoke every current role.
for _, current := range action.CurrentRoles {
if err := c.AuthRevokeRoleFromKey(action.ActorID, current); err != nil {
return fmt.Errorf("revoke %s/%s: %w", action.ActorID, current, err)
}
}
// Grant the target. Empty target = revoke-only (operator
// will assign roles selectively via `auth keys assign`).
if action.TargetRole != "" {
if err := c.AuthAssignRoleToKey(action.ActorID, action.TargetRole); err != nil {
return fmt.Errorf("grant %s/%s: %w", action.ActorID, action.TargetRole, err)
}
}
changed++
}
fmt.Printf("\nDone. %d actor(s) changed, %d kept.\n", changed, kept)
return nil
}
// =============================================================================
// --suggest mode: audit-event analyser. Pure function for ease of
// testing; no I/O.
// =============================================================================
// AuditEventLite is the subset of fields the suggest analyser
// consumes. The audit list endpoint returns full domain.AuditEvent
// rows; we only care about the action / resource_type / resource_id
// path classification.
type AuditEventLite struct {
Action string `json:"action"`
ResourceType string `json:"resource_type"`
}
// SuggestRoleFromAuditEvents inspects an actor's recent audit-event
// history and returns the narrowest role that covers the observed
// usage pattern, plus a one-line reason.
//
// Classification (priority order):
//
// 1. Any admin-shaped action (role/key/hierarchy/bulk_revoke/admin) → admin.
// 2. Every event is an MCP-shaped action (mcp.*) → mcp.
// 3. Every event is read-only (*.read / *.list) → viewer.
// 4. Every event is agent-shaped (agent.* OR cert.read OR cert.issue) → agent.
// 5. Otherwise → operator.
//
// Empty event list → "viewer" (the safest default).
func SuggestRoleFromAuditEvents(events []AuditEventLite) (role string, reason string) {
if len(events) == 0 {
return "viewer", "no audit history; defaulting to read-only"
}
var (
hasAdmin bool
allMCP = true
allReadOnly = true
allAgent = true
)
for _, e := range events {
action := strings.ToLower(e.Action)
// Admin-only signals — earliest exit.
if strings.HasPrefix(action, "auth.role.") ||
strings.HasPrefix(action, "auth.key.") ||
strings.HasPrefix(action, "ca.hierarchy.") ||
strings.Contains(action, "bulk_revoke") ||
strings.HasPrefix(action, "scep.admin") ||
strings.HasPrefix(action, "est.admin") ||
strings.HasPrefix(action, "crl.admin") {
hasAdmin = true
}
if !strings.HasPrefix(action, "mcp.") {
allMCP = false
}
if !strings.HasSuffix(action, ".read") && !strings.HasSuffix(action, ".list") {
allReadOnly = false
}
isAgentShape := strings.HasPrefix(action, "agent.") ||
action == "cert.issue" || action == "cert.read"
if !isAgentShape {
allAgent = false
}
}
switch {
case hasAdmin:
return "admin", "called admin-only action (role mgmt / bulk revoke / hierarchy)"
case allMCP:
return "mcp", "only MCP-shaped actions observed"
case allReadOnly:
return "viewer", "all observed actions are read-only"
case allAgent:
return "agent", "only agent + cert read/issue actions observed"
default:
return "operator", "cert / profile / target lifecycle mutations observed; no admin signals"
}
}
// fetchAuditEventsForActor pulls audit events filtered by actor=actorID
// from /v1/audit. Bundle 1 Phase 7 doesn't yet ship a per-actor query
// param; we filter client-side from the paginated list endpoint.
func (c *Client) fetchAuditEventsForActor(actorID string, limit int) ([]AuditEventLite, error) {
body, err := c.doGET(fmt.Sprintf("/api/v1/audit?per_page=%d", limit))
if err != nil {
return nil, err
}
var resp struct {
Data []struct {
Actor string `json:"actor"`
Action string `json:"action"`
ResourceType string `json:"resource_type"`
} `json:"data"`
}
if err := json.Unmarshal(body, &resp); err != nil {
return nil, fmt.Errorf("decode /v1/audit: %w", err)
}
out := make([]AuditEventLite, 0, len(resp.Data))
for _, e := range resp.Data {
if e.Actor != actorID {
continue
}
out = append(out, AuditEventLite{Action: e.Action, ResourceType: e.ResourceType})
}
return out, nil
}
internal/cli/auth_scope_down_test.go
+165
View File
@@ -0,0 +1,165 @@
package cli
import (
"bufio"
"bytes"
"strings"
"testing"
)
// TestSuggestRoleFromAuditEvents_TablePins the audit-event analyser
// classification rules. Pure function; no I/O. Adding a new role
// pattern means adding a row here.
func TestSuggestRoleFromAuditEvents_Table(t *testing.T) {
cases := []struct {
name string
events []AuditEventLite
wantRole string
reasonHint string
}{
{
name: "empty history → viewer",
events: nil,
wantRole: "viewer",
reasonHint: "no audit history",
},
{
name: "only cert.read → viewer",
events: []AuditEventLite{
{Action: "cert.read"},
{Action: "cert.read"},
{Action: "issuer.read"},
},
wantRole: "viewer",
reasonHint: "read-only",
},
{
name: "agent + cert.issue → agent",
events: []AuditEventLite{
{Action: "agent.heartbeat"},
{Action: "agent.job.poll"},
{Action: "cert.issue"},
{Action: "cert.read"},
},
wantRole: "agent",
reasonHint: "agent",
},
{
name: "cert lifecycle without admin → operator",
events: []AuditEventLite{
{Action: "cert.issue"},
{Action: "cert.revoke"},
{Action: "profile.edit"},
{Action: "target.edit"},
},
wantRole: "operator",
reasonHint: "lifecycle",
},
{
name: "any auth.role.assign → admin",
events: []AuditEventLite{
{Action: "auth.role.assign"},
},
wantRole: "admin",
reasonHint: "admin-only",
},
{
name: "any cert.bulk_revoke → admin",
events: []AuditEventLite{
{Action: "cert.bulk_revoke"},
},
wantRole: "admin",
reasonHint: "admin-only",
},
{
name: "ca.hierarchy.* → admin",
events: []AuditEventLite{
{Action: "ca.hierarchy.add_child"},
},
wantRole: "admin",
reasonHint: "admin-only",
},
{
name: "MCP-only history → mcp",
events: []AuditEventLite{
{Action: "mcp.list_certificates"},
{Action: "mcp.get_issuer"},
},
wantRole: "mcp",
reasonHint: "MCP",
},
}
for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
role, reason := SuggestRoleFromAuditEvents(tc.events)
if role != tc.wantRole {
t.Errorf("role = %q, want %q (reason=%q)", role, tc.wantRole, reason)
}
if !strings.Contains(strings.ToLower(reason), strings.ToLower(tc.reasonHint)) {
t.Errorf("reason %q does not contain hint %q", reason, tc.reasonHint)
}
})
}
}
// TestFilterScopeDownCandidates_HidesDemoAnon pins the invariant that
// the synthetic actor-demo-anon row never reaches the prompt loop.
func TestFilterScopeDownCandidates_HidesDemoAnon(t *testing.T) {
in := []AuthKeyEntry{
{ActorID: "alice", RoleIDs: []string{"r-admin"}},
{ActorID: DemoAnonActorID, RoleIDs: []string{"r-admin"}},
{ActorID: "bob", RoleIDs: []string{"r-viewer"}},
}
got := filterScopeDownCandidates(in)
if len(got) != 2 {
t.Fatalf("got %d candidates, want 2", len(got))
}
for _, k := range got {
if k.ActorID == DemoAnonActorID {
t.Errorf("filter let actor-demo-anon through")
}
}
}
// TestBuildScopeDownPlan_KeepEmptyAndUnknown pins the prompt-loop
// behaviour: empty input or "keep" leaves the row alone; unknown role
// names also fall through (operator can re-run the flow).
func TestBuildScopeDownPlan_KeepEmptyAndUnknown(t *testing.T) {
keys := []AuthKeyEntry{
{ActorID: "alice", RoleIDs: []string{"r-admin"}},
{ActorID: "bob", RoleIDs: []string{"r-admin"}},
{ActorID: "carol", RoleIDs: []string{"r-admin"}},
}
// alice keeps; bob → operator; carol → bogus role (no change).
in := bufio.NewReader(strings.NewReader("\noperator\nbogus\n"))
var out bytes.Buffer
plan, err := buildScopeDownPlan(keys, in, &out)
if err != nil {
t.Fatalf("plan err = %v", err)
}
if len(plan) != 1 {
t.Fatalf("plan size = %d, want 1 (only bob changes)", len(plan))
}
if plan[0].ActorID != "bob" || plan[0].TargetRole != "r-operator" {
t.Errorf("plan[0] = %+v, want bob → r-operator", plan[0])
}
}
// TestBuildScopeDownPlan_ApplyRolePrefix pins that the "operator"
// input becomes "r-operator" downstream — the API accepts the
// prefixed role IDs and the plan-builder normalizes.
func TestBuildScopeDownPlan_ApplyRolePrefix(t *testing.T) {
keys := []AuthKeyEntry{{ActorID: "alice", RoleIDs: []string{"r-admin"}}}
for _, role := range []string{"admin", "operator", "viewer", "agent", "mcp", "cli", "auditor"} {
in := bufio.NewReader(strings.NewReader(role + "\n"))
var out bytes.Buffer
plan, err := buildScopeDownPlan(keys, in, &out)
if err != nil {
t.Fatalf("role=%s: %v", role, err)
}
if len(plan) != 1 || plan[0].TargetRole != "r-"+role {
t.Errorf("role=%s: plan[0].TargetRole = %q, want r-%s", role, plan[0].TargetRole, role)
}
}
}