fix(apollo): allow any scoped key on identity/context routes
@shamsharoondraftchecks…saddle-vulture → master2 files · +64 −0updated 1d agoloading diff…
@shamsharoondraftchecks…saddle-vulture → master2 files · +64 −0updated 1d ago@shamsharoondraftchecks…saddle-vulture → master2 files · +64 −0updated 1d agoFixes PLEN-2645.
Permissioned scoped project API keys (kind: SCOPED) fail closed on any route not in PROJECT_API_KEY_PERMISSION_CATALOG. Three GET routes resolve the key's own identity/context and are needed by every scoped key regardless of which permission presets are checked — SDK/CLI whoami, project-switch, and org-list flows were getting denied (112 denials across 8 orgs in the last 14 days).
ALWAYS_ALLOWED_ROUTES in enforce.ts — checked in canUsePermissionedScopedKey() before the catalog lookup using projectAPIKeyRoutePathMatchesGET /api/v3/auth/session/info, GET /api/v3/org/list, GET /api/v3/org/project/listOk(undefined); everything else unchanged (uncataloged routes still fail closed)apps/apollo/src/lib/apiKeys/project_api_key_permissions/enforce.ts — always-allowed bypass before catalog lookupapps/apollo/src/lib/apiKeys/project_api_key_permissions/enforce.unit.test.ts — bypass per route, non-listed still denied, structural GET-only assertionvitest run src/lib/apiKeys/project_api_key_permissions/ --config vitest.unit.config.ts — 24/24 passPermissioned scoped API key denied on route @permissionDenial.routePath:(*session/info* OR *org/list* OR *org/project/list*) → zero🤖 Generated with Claude Code