test: tighten tlon security assertions

2026-05-13 15:47:28 +00:00 · 2026-05-11 09:47:44 +01:00
parent 7e8f74ded4
commit 0f4a37c828
1 changed files with 16 additions and 16 deletions
--- a/extensions/tlon/src/security.test.ts
+++ b/extensions/tlon/src/security.test.ts
@@ -126,24 +126,24 @@ describe("Security: DM Allowlist", () => {
    });

    it("uses the ingress command gate for owner-only command authorization", async () => {
-      await expect(
-        resolveTlonCommandAuthorizationWithIngress({
-          senderShip: "~zod",
-          ownerShip: "zod",
-          useAccessGroups: true,
-        }),
-      ).resolves.toMatchObject({
-        commandAccess: { authorized: true },
+      const authorized = await resolveTlonCommandAuthorizationWithIngress({
+        senderShip: "~zod",
+        ownerShip: "zod",
+        useAccessGroups: true,
      });
-      await expect(
-        resolveTlonCommandAuthorizationWithIngress({
-          senderShip: "~nec",
-          ownerShip: "~zod",
-          useAccessGroups: true,
-        }),
-      ).resolves.toMatchObject({
-        commandAccess: { authorized: false },
+      expect(authorized.commandAccess.requested).toBe(true);
+      expect(authorized.commandAccess.authorized).toBe(true);
+      expect(authorized.commandAccess.shouldBlockControlCommand).toBe(false);
+      expect(authorized.commandAccess.reasonCode).toBe("command_authorized");
+
+      const unauthorized = await resolveTlonCommandAuthorizationWithIngress({
+        senderShip: "~nec",
+        ownerShip: "~zod",
+        useAccessGroups: true,
      });
+      expect(unauthorized.commandAccess.requested).toBe(true);
+      expect(unauthorized.commandAccess.authorized).toBe(false);
+      expect(unauthorized.commandAccess.shouldBlockControlCommand).toBe(false);
    });
  });
 });