From fa929f02d68d414094a329d4b23b76e3ec762ce2 Mon Sep 17 00:00:00 2001
From: MaxHuang22
Date: Fri, 5 Jun 2026 11:37:46 +0800
Subject: [PATCH] feat: clear recommend.allow scope auto-approve overrides (#1272)

The recommend.allow list in scope_overrides.json special-cased a set of calendar/contact/mail scopes into the auto-approve set on top of the platform recommendations in scope_priorities.json. Remove all entries so no scopes are special-cased anymore; auto-approve now reflects only the platform recommend=true scopes (plus the recommend.deny removals). Update registry tests to use a recommend=true scope (sheets:spreadsheet:read) as the auto-approve sample and assert the override allow set is empty.

Change-Id: Ic555a2c664e2dbd742f79712253f2918dfabf7ce
---
 internal/registry/registry_test.go | 40 +++++++++-----------------
 internal/registry/scope_overrides.json | 20 +------------
 2 files changed, 15 insertions(+), 45 deletions(-)

diff --git a/internal/registry/registry_test.go b/internal/registry/registry_test.go
index a2482a8f..5a1e6756 100644
--- a/internal/registry/registry_test.go
+++ b/internal/registry/registry_test.go
@@ -231,14 +231,9 @@ func TestLoadAutoApproveSet(t *testing.T) {
 t.Fatal("expected non-empty auto-approve set")
 }
- // From scope_overrides.json allow list
- if !aaSet["calendar:calendar.event:create"] {
- t.Error("expected calendar:calendar.event:create in auto-approve set (from allow list)")
- }
-
- // Verify allow list entries are present
+ // From scope_priorities.json recommend=="true"
 if !aaSet["sheets:spreadsheet:read"] {
- t.Error("expected sheets:spreadsheet:read in auto-approve set (from allow list)")
+ t.Error("expected sheets:spreadsheet:read in auto-approve set (recommend=true in priorities)")
 }
 t.Logf("Auto-approve set has %d scopes", len(aaSet))
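Review bot: The sample scope `sheets:spreadsheet:read` is hard-coded in TestLoadAutoApproveSet and again in the TestIsAutoApproveScope and TestFilterAutoApproveScopes hunks, while its auto-approve status now comes only from scope_priorities.json, which the commit message describes as platform recommendations. If that data is refreshed and the flag flips, these tests fail for a reason unrelated to the registry code. Consider taking the sample from the platform set at run time (presumably the loader exercised by TestLoadPlatformAutoApproveSet, which is not visible here), or at least extend the comment to `// From scope_priorities.json recommend=="true"; update this sample if the platform data changes`. The body of TestLoadAutoApproveSet starts above this hunk.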
@@ -257,16 +252,10 @@ func TestLoadPlatformAutoApproveSet(t *testing.T) {
 func TestLoadOverrideAutoApproveAllow(t *testing.T) {
 allowSet := LoadOverrideAutoApproveAllow()
- if len(allowSet) == 0 {
- t.Fatal("expected non-empty override allow set")
- }
-
- // Known entries from scope_overrides.json
- if !allowSet["calendar:calendar.event:create"] {
- t.Error("expected calendar:calendar.event:create in allow set")
- }
- if !allowSet["mail:event"] {
- t.Error("expected mail:event in allow set")
+ // recommend.allow in scope_overrides.json is intentionally empty:
+ // no scopes are special-cased into the auto-approve set anymore.
+ if len(allowSet) != 0 {
+ t.Errorf("expected empty override allow set, got %d entries", len(allowSet))
 }
 }
@@ -277,9 +266,9 @@ func TestLoadOverrideAutoApproveDeny(t *testing.T) {
 }
 func TestIsAutoApproveScope(t *testing.T) {
- // Known auto-approve scope (in allow list)
- if !IsAutoApproveScope("calendar:calendar.event:create") {
- t.Error("expected calendar:calendar.event:create to be auto-approve")
+ // Known auto-approve scope (recommend=true in scope_priorities.json)
+ if !IsAutoApproveScope("sheets:spreadsheet:read") {
+ t.Error("expected sheets:spreadsheet:read to be auto-approve")
 }
 // Completely unknown scope
@@ -290,9 +279,8 @@ func TestIsAutoApproveScope(t *testing.T) {
 func TestFilterAutoApproveScopes(t *testing.T) {
 scopes := []string{
- "calendar:calendar.event:create", // auto-approve (in allow list)
- "zzz:unknown:scope", // not in auto-approve
- "sheets:spreadsheet:read", // auto-approve (in allow list)
+ "sheets:spreadsheet:read", // auto-approve (recommend=true in priorities)
+ "zzz:unknown:scope", // not in auto-approve
 }
 result := FilterAutoApproveScopes(scopes)
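Review bot: The failure message in TestLoadOverrideAutoApproveAllow reports only a count, so when this guard trips the reader still has to open scope_overrides.json to learn which scope was special-cased again. Every entry in that list widens the auto-approve set, so the names are the useful part of the message: `t.Errorf("expected empty override allow set, got %v", allowSet)`. The two-line comment stating that the list is intentionally empty is worth keeping as is.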
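Review bot: TestIsAutoApproveScope swaps its positive sample but gains no negative case, so nothing pins that the scopes removed from recommend.allow in the scope_overrides.json hunk actually left the merged auto-approve set. The commit message says they were special-cased on top of the platform data, so, assuming scope_priorities.json does not mark it recommend=true, add a regression case such as `if IsAutoApproveScope("mail:user_mailbox.message.body:read") { t.Error("mail:user_mailbox.message.body:read must not be auto-approve") }`. If any of the seventeen removed scopes is recommend=true on the platform side it stays auto-approved after this commit, which would be worth stating in the description. The function body continues below the hunk.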
@@ -300,10 +288,10 @@ func TestFilterAutoApproveScopes(t *testing.T) {
 t.Fatal("expected at least 1 auto-approve scope in result")
 }
- // Check that calendar:calendar.event:create is included
+ // Check that sheets:spreadsheet:read is included
 found := false
 for _, s := range result {
- if s == "calendar:calendar.event:create" {
+ if s == "sheets:spreadsheet:read" {
 found = true
 }
 // Ensure unknown scopes are not included
@@ -312,7 +300,7 @@ func TestFilterAutoApproveScopes(t *testing.T) {
 }
 }
 if !found {
- t.Error("expected calendar:calendar.event:create in result")
+ t.Error("expected sheets:spreadsheet:read in result")
 }
 }
diff --git a/internal/registry/scope_overrides.json b/internal/registry/scope_overrides.json
index a381a8fd..17691e6e 100644
--- a/internal/registry/scope_overrides.json
+++ b/internal/registry/scope_overrides.json
@@ -12,25 +12,7 @@
 "vc:meeting.meetingevent:read": 75
 },
 "recommend": {
- "allow": [
- "calendar:calendar.event:create",
- "calendar:calendar.event:delete",
- "calendar:calendar.event:read",
- "calendar:calendar.event:update",
- "calendar:calendar.free_busy:read",
- "calendar:calendar:create",
- "calendar:calendar:delete",
- "calendar:calendar:read",
- "calendar:calendar:update",
- "contact:user.basic_profile:readonly",
- "mail:event",
- "mail:user_mailbox.mail_contact:read",
- "mail:user_mailbox.mail_contact:write",
- "mail:user_mailbox.message.address:read",
- "mail:user_mailbox.message.body:read",
- "mail:user_mailbox.message.subject:read",
- "mail:user_mailbox.message:readonly"
- ],
+ "allow": [],
 "deny": [
 "im:chat",
 "im:message.send_as_user"