api/routers/proxy.py enforces scoped tokens (an agent scoped to one service/action shouldn't be able to call another), but api/tests/ only has test_agents.py, test_logs.py, and test_tokens.py — there's no test_proxy.py. This enforcement is the core security guarantee and should be covered.
Task
- Add
api/tests/test_proxy.py with tests that:
- an in-scope action is allowed,
- an out-of-scope action is rejected (403),
- an expired/revoked token is rejected.
- Follow the fixtures/patterns in the existing
api/tests/.
Acceptance criteria
- Tests pass, and flipping the scope check off makes the deny cases fail.
Mentor available — comment to claim and I'll point you at the proxy validation path.
New here? See CONTRIBUTING.
api/routers/proxy.pyenforces scoped tokens (an agent scoped to one service/action shouldn't be able to call another), butapi/tests/only hastest_agents.py,test_logs.py, andtest_tokens.py— there's notest_proxy.py. This enforcement is the core security guarantee and should be covered.Task
api/tests/test_proxy.pywith tests that:api/tests/.Acceptance criteria
Mentor available — comment to claim and I'll point you at the proxy validation path.
New here? See CONTRIBUTING.