(info: TokenInfo, command: string)
| 354 | * but each subcommand within chain must be individually scope-checked. |
| 355 | */ |
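export function checkScope(info: TokenInfo, command: string): boolean {
  // Returns true when the token described by `info` may invoke `command`,
  // false otherwise. The 'root' client bypasses scope checks entirely, so
  // every other control on that identity has to live outside this function.
  if (info.clientId === 'root') return true;

  // Special case: chain is in SCOPE_META but requires that the caller
  // has scopes covering ALL subcommands. The actual subcommand check
  // happens at dispatch time, not here. A `true` result for 'chain' is
  // therefore NOT an authorization decision for the chained subcommands;
  // the dispatcher must call checkScope again for each one.
  if (command === 'chain' && info.scopes.includes('meta')) return true;

  for (const scope of info.scopes) {
    // Consult own keys of SCOPE_MAP only. If SCOPE_MAP is a plain object,
    // a scope string such as 'constructor' or '__proto__' would otherwise
    // resolve through the prototype chain to a value with no `has` method
    // and make this check throw instead of denying. Unknown scopes are
    // skipped so the function fails closed with `false`.
    if (!Object.prototype.hasOwnProperty.call(SCOPE_MAP, scope)) continue;
    if (SCOPE_MAP[scope]?.has(command)) return true;
  }

  // No scope on the token grants this command.
  return false;
}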
| 370 | |
| 371 | /** |
| 372 | * Check if a URL is allowed by the token's domain restrictions. |
no outgoing calls
no test coverage detected