feat: add the subgraph-viewer role

[wilsonrivera]

Summary by CodeRabbit

• New Features

  • Introduced a new "subgraph-viewer" role, granting read-only access to selected subgraphs.

• Improvements

  • Updated access control logic and user interface to recognize and support the new "subgraph-viewer" role.

• Bug Fixes

  • Enhanced authorization checks to ensure only permitted roles can access or modify subgraph-related resources.

• Documentation

  • Added descriptions for the new role in user-facing role lists.

• Tests

  • Extended test coverage to verify permissions and restrictions for the "subgraph-viewer" role across various features.

Checklist

• I have discussed my proposed changes in an issue and have received approval to proceed.
• I have followed the coding standards of the project.
• Tests or benchmarks have been added or updated.
• Documentation has been updated on https://github.com/wundergraph/cosmo-docs.
• I have read the Contributors Guide.

[coderabbitai]

Walkthrough

A new RBAC role, subgraph-viewer, was introduced across the backend, database schema, and frontend constants. Authorization logic and RBAC evaluators were updated to recognize this role as granting read-only access to subgraphs. Related test suites were expanded to cover the new role, ensuring correct permission enforcement and access restrictions throughout the system.

Changes

File(s)	Change Summary
controlplane/migrations/meta/_journal.json, controlplane/migrations/0127_lonely_centennial.sql	Added migration entry and SQL to append 'subgraph-viewer' to the organization_role enum in the database.
controlplane/src/db/schema.ts	Extended organizationRoleEnum to include 'subgraph-viewer'.
controlplane/src/core/services/RBACEvaluator.ts	Updated hasSubGraphReadAccess to include 'subgraph-viewer' as a valid read role.
controlplane/src/core/repositories/FeatureFlagRepository.ts, controlplane/src/core/repositories/SubgraphRepository.ts	Modified RBAC query logic to recognize 'subgraph-viewer'; marked getSubgraphMembers as deprecated in SubgraphRepository.
controlplane/src/core/bufservices/subgraph/getSubgraphMembers.ts, controlplane/src/core/bufservices/subgraph/getSubgraphSDLFromLatestComposition.ts	Added explicit authorization checks for subgraph read access using updated RBAC logic.
studio/src/lib/constants.ts	Added 'subgraph-viewer' to the exported roles array for frontend use.
controlplane/test/rbac-evaluator.test.ts	Added new test suite for 'subgraph-viewer' role, verifying its read-only subgraph access and restrictions elsewhere.
controlplane/test/api-keys.test.ts, controlplane/test/cache-warmer/configure-cache-warmer.test.ts, controlplane/test/cache-warmer/delete-cache-operation.test.ts, controlplane/test/cache-warmer/push-cache-operation.test.ts, controlplane/test/check-federated-graph.test.ts, controlplane/test/check-subgraph-schema.test.ts, controlplane/test/feature-flag/create-feature-flag.test.ts, controlplane/test/feature-flag/delete-feature-flag.test.ts, controlplane/test/feature-flag/update-feature-flag.test.ts, controlplane/test/feature-subgraph/create-feature-subgraph.test.ts, controlplane/test/feature-subgraph/delete-feature-subgraph.test.ts, controlplane/test/feature-subgraph/get-feature-subgraphs.test.ts, controlplane/test/feature-subgraph/update-feature-subgraph.test.ts, controlplane/test/federated-graph/version.test.ts, controlplane/test/monograph/version.test.ts, controlplane/test/namespace/get-namespaces.test.ts, controlplane/test/proposal/create-proposal.test.ts, controlplane/test/proposal/update-proposal.test.ts, controlplane/test/subgraph/create-subgraph.test.ts, controlplane/test/subgraph/get-subgraphs.test.ts, controlplane/test/subgraph/publish-subgraph.test.ts, controlplane/test/subgraph/update-subgraph.test.ts	Expanded test coverage to include 'subgraph-viewer' in role-based permission checks for subgraph, feature flag, cache, and proposal operations.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 06a7872 and c46e45e.

📒 Files selected for processing (5)

• controlplane/migrations/0127_lonely_centennial.sql (1 hunks)
• controlplane/migrations/meta/_journal.json (1 hunks)
• controlplane/src/db/schema.ts (1 hunks)
• controlplane/test/proposal/create-proposal.test.ts (1 hunks)
• controlplane/test/proposal/update-proposal.test.ts (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• controlplane/migrations/0127_lonely_centennial.sql

🚧 Files skipped from review as they are similar to previous changes (4)

• controlplane/migrations/meta/_journal.json
• controlplane/test/proposal/create-proposal.test.ts
• controlplane/test/proposal/update-proposal.test.ts
• controlplane/src/db/schema.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build_test
• GitHub Check: Analyze (go)

✨ Finishing Touches

• 📝 Generate Docstrings

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

controlplane/test/feature-subgraph/create-feature-subgraph.test.ts (1)

433-433: Fix the test description

The test description says "feature flag" but this test is actually verifying feature subgraph creation permissions.

-  ])('%s should not be able to create feature flag', async (role) => {
+  ])('%s should not be able to create feature subgraph', async (role) => {

controlplane/test/feature-subgraph/delete-feature-subgraph.test.ts (1)

197-197: Fix the test description

The test description says "feature flag" but this test is actually verifying feature subgraph deletion permissions.

-  ])('%s should not be able to create feature flag', async (role) => {
+  ])('%s should not be able to delete feature subgraph', async (role) => {

controlplane/src/core/repositories/SubgraphRepository.ts (1)

1395-1397: Consider enhancing the deprecation comment with migration guidance.

While marking the method as deprecated is appropriate, consider adding context about why it's deprecated and what developers should use instead.

  /**
+  * @deprecated Use getSubgraphMembersByTargetId instead. This method will be removed in a future version.
-  * @deprecated
   */

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e753dce and 9c66fcc.

📒 Files selected for processing (32)

• controlplane/migrations/0126_certain_puppet_master.sql (1 hunks)
• controlplane/migrations/meta/_journal.json (1 hunks)
• controlplane/src/core/bufservices/subgraph/getSubgraphMembers.ts (2 hunks)
• controlplane/src/core/bufservices/subgraph/getSubgraphSDLFromLatestComposition.ts (2 hunks)
• controlplane/src/core/repositories/FeatureFlagRepository.ts (2 hunks)
• controlplane/src/core/repositories/SubgraphRepository.ts (3 hunks)
• controlplane/src/core/services/RBACEvaluator.ts (1 hunks)
• controlplane/src/db/schema.ts (1 hunks)
• controlplane/test/api-keys.test.ts (3 hunks)
• controlplane/test/cache-warmer/configure-cache-warmer.test.ts (1 hunks)
• controlplane/test/cache-warmer/delete-cache-operation.test.ts (1 hunks)
• controlplane/test/cache-warmer/push-cache-operation.test.ts (1 hunks)
• controlplane/test/check-federated-graph.test.ts (1 hunks)
• controlplane/test/check-subgraph-schema.test.ts (1 hunks)
• controlplane/test/feature-flag/create-feature-flag.test.ts (1 hunks)
• controlplane/test/feature-flag/delete-feature-flag.test.ts (1 hunks)
• controlplane/test/feature-flag/update-feature-flag.test.ts (1 hunks)
• controlplane/test/feature-subgraph/create-feature-subgraph.test.ts (1 hunks)
• controlplane/test/feature-subgraph/delete-feature-subgraph.test.ts (1 hunks)
• controlplane/test/feature-subgraph/get-feature-subgraphs.test.ts (1 hunks)
• controlplane/test/feature-subgraph/update-feature-subgraph.test.ts (1 hunks)
• controlplane/test/federated-graph/version.test.ts (2 hunks)
• controlplane/test/monograph/version.test.ts (2 hunks)
• controlplane/test/namespace/get-namespaces.test.ts (5 hunks)
• controlplane/test/proposal/create-proposal.test.ts (1 hunks)
• controlplane/test/proposal/update-proposal.test.ts (1 hunks)
• controlplane/test/rbac-evaluator.test.ts (2 hunks)
• controlplane/test/subgraph/create-subgraph.test.ts (3 hunks)
• controlplane/test/subgraph/get-subgraphs.test.ts (1 hunks)
• controlplane/test/subgraph/publish-subgraph.test.ts (2 hunks)
• controlplane/test/subgraph/update-subgraph.test.ts (1 hunks)
• studio/src/lib/constants.ts (1 hunks)

🧰 Additional context used

🧠 Learnings (4)

controlplane/test/feature-subgraph/create-feature-subgraph.test.ts (1)

Learnt from: endigma
PR: wundergraph/cosmo#2009
File: docker-compose.yml:102-103
Timestamp: 2025-07-03T10:33:38.291Z
Learning: In the wundergraph/cosmo project, anonymous admin access in Grafana (GF_AUTH_ANONYMOUS_ENABLED=true and GF_AUTH_ANONYMOUS_ORG_ROLE=Admin) is intentionally configured for development environments in docker-compose.yml files.

controlplane/test/subgraph/create-subgraph.test.ts (1)

Learnt from: endigma
PR: wundergraph/cosmo#2009
File: docker-compose.yml:102-103
Timestamp: 2025-07-03T10:33:38.291Z
Learning: In the wundergraph/cosmo project, anonymous admin access in Grafana (GF_AUTH_ANONYMOUS_ENABLED=true and GF_AUTH_ANONYMOUS_ORG_ROLE=Admin) is intentionally configured for development environments in docker-compose.yml files.

controlplane/test/rbac-evaluator.test.ts (1)

Learnt from: endigma
PR: wundergraph/cosmo#2009
File: docker-compose.yml:102-103
Timestamp: 2025-07-03T10:33:38.291Z
Learning: In the wundergraph/cosmo project, anonymous admin access in Grafana (GF_AUTH_ANONYMOUS_ENABLED=true and GF_AUTH_ANONYMOUS_ORG_ROLE=Admin) is intentionally configured for development environments in docker-compose.yml files.

controlplane/test/feature-subgraph/delete-feature-subgraph.test.ts (1)

Learnt from: endigma
PR: wundergraph/cosmo#2009
File: docker-compose.yml:102-103
Timestamp: 2025-07-03T10:33:38.291Z
Learning: In the wundergraph/cosmo project, anonymous admin access in Grafana (GF_AUTH_ANONYMOUS_ENABLED=true and GF_AUTH_ANONYMOUS_ORG_ROLE=Admin) is intentionally configured for development environments in docker-compose.yml files.

🧬 Code Graph Analysis (2)

controlplane/src/core/repositories/SubgraphRepository.ts (1)

controlplane/src/db/schema.ts (1)

• namespaces (461-482)

controlplane/test/rbac-evaluator.test.ts (1)

controlplane/src/core/test-util.ts (2)

• createTestGroup (181-198)
• createTestRBACEvaluator (173-175)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)

• GitHub Check: build_test
• GitHub Check: build_push_image
• GitHub Check: Analyze (javascript-typescript)
• GitHub Check: Analyze (go)
• GitHub Check: build_push_image
• GitHub Check: build_test

🔇 Additional comments (42)

controlplane/migrations/meta/_journal.json (1)

887-893: LGTM! Properly formatted migration journal entry.

The migration entry follows the standard Drizzle format and correctly tracks the database schema change for adding the subgraph-viewer role to the PostgreSQL enum.

controlplane/test/feature-subgraph/get-feature-subgraphs.test.ts (1)

191-191: LGTM! Appropriate read access for viewer role.

Adding subgraph-viewer to this test correctly validates that the new role has read access to feature subgraphs from allowed namespaces, which aligns with the expected viewer permissions.

controlplane/test/subgraph/update-subgraph.test.ts (1)

128-128: LGTM! Correct write access restriction for viewer role.

Properly restricts the subgraph-viewer role from update operations, ensuring it remains read-only as intended for a viewer role.

controlplane/test/proposal/create-proposal.test.ts (1)

272-272: LGTM! Appropriate restriction on proposal creation.

Correctly prevents the subgraph-viewer role from creating proposals, maintaining its read-only nature and ensuring proper separation of permissions.

controlplane/test/cache-warmer/delete-cache-operation.test.ts (1)

260-260: LGTM! Proper restriction on cache operation deletion.

Appropriately restricts the subgraph-viewer role from deleting cache operations, maintaining consistency with its read-only permissions and ensuring proper access control.

controlplane/test/feature-flag/update-feature-flag.test.ts (1)

340-340: LGTM: Consistent RBAC implementation

The addition of 'subgraph-viewer' to the unauthorized roles list correctly enforces the read-only nature of this role for feature flag operations.

controlplane/test/cache-warmer/push-cache-operation.test.ts (1)

655-655: LGTM: Proper access control implementation

The inclusion of 'subgraph-viewer' in the unauthorized roles list correctly prevents this read-only role from configuring cache warmer operations.

controlplane/migrations/0126_certain_puppet_master.sql (1)

1-1: LGTM: Clean database migration

The migration correctly adds the new 'subgraph-viewer' enum value to the PostgreSQL organization_role type using standard syntax.

controlplane/test/feature-subgraph/create-feature-subgraph.test.ts (1)

432-432: LGTM: Correct role authorization

The addition of 'subgraph-viewer' to the unauthorized roles list properly enforces read-only permissions for feature subgraph creation.

controlplane/test/feature-subgraph/delete-feature-subgraph.test.ts (1)

196-196: LGTM: Consistent access control

The addition of 'subgraph-viewer' correctly restricts this read-only role from deleting feature subgraphs.

controlplane/test/feature-flag/create-feature-flag.test.ts (1)

228-228: LGTM! Appropriate restriction for viewer role.

The addition of 'subgraph-viewer' to the list of roles that cannot create feature flags is consistent with the expected read-only permissions of a viewer role.

controlplane/test/monograph/version.test.ts (2)

155-155: LGTM! Correct access restriction for subgraph-focused role.

Adding 'subgraph-viewer' to the restricted roles is appropriate since monograph operations are outside the scope of a subgraph-focused viewer role.

---

439-440: LGTM! Appropriate write operation restriction.

The addition of 'subgraph-viewer' to roles that cannot update router compatibility versions correctly enforces the read-only nature of viewer roles.

controlplane/test/proposal/update-proposal.test.ts (1)

185-185: LGTM! Correct restriction for proposal state management.

Adding 'subgraph-viewer' to the list of roles that cannot update proposal states is appropriate, as proposal approval is a write operation that should be restricted to roles with elevated permissions.

controlplane/src/db/schema.ts (1)

1349-1349: LGTM! New subgraph-viewer role properly added to schema.

The addition of 'subgraph-viewer' to the organizationRoleEnum is correctly positioned and follows the established naming convention. This change aligns with the PR objective and is consistent with the broader implementation of the new role across the codebase.

controlplane/test/feature-flag/delete-feature-flag.test.ts (1)

128-128: Correct authorization test coverage for subgraph-viewer role.

The addition of 'subgraph-viewer' to the list of roles that should not be able to delete feature flags is appropriate. This aligns with the read-only nature of viewer roles and ensures proper test coverage for the new role's authorization constraints.

controlplane/test/feature-subgraph/update-feature-subgraph.test.ts (1)

253-253: Appropriate test coverage for subgraph-viewer update restrictions.

Adding 'subgraph-viewer' to the roles that should not be able to update feature subgraphs is correct. This maintains the read-only access pattern for viewer roles and ensures comprehensive authorization testing.

controlplane/test/cache-warmer/configure-cache-warmer.test.ts (1)

201-201: Consistent authorization enforcement for cache warmer configuration.

The inclusion of 'subgraph-viewer' in the roles that cannot configure the cache warmer is appropriate. This maintains the read-only access model for viewer roles and ensures proper authorization boundaries are tested.

controlplane/test/api-keys.test.ts (1)

172-172: LGTM! Consistent RBAC implementation for the new viewer role.

The addition of 'subgraph-viewer' to the test cases that verify unauthorized access for API key operations is correct. As a read-only role, subgraph-viewer should not have permissions to create, update, or delete API keys.

Also applies to: 208-208, 253-253

controlplane/test/subgraph/publish-subgraph.test.ts (1)

103-103: LGTM! Proper enforcement of read-only permissions for the viewer role.

The inclusion of 'subgraph-viewer' in the test cases that verify unauthorized access for subgraph publishing operations is appropriate. This ensures the viewer role maintains read-only access and cannot perform write operations.

Also applies to: 240-240

controlplane/test/subgraph/get-subgraphs.test.ts (1)

192-192: LGTM! Appropriate read access granted to the viewer role.

The addition of 'subgraph-viewer' to the test that verifies the ability to list subgraphs from allowed namespaces is correct. This ensures the viewer role has the necessary read permissions while maintaining the namespace-based access control.

controlplane/src/core/bufservices/subgraph/getSubgraphSDLFromLatestComposition.ts (2)

13-13: LGTM! Proper import for authorization error handling.

The import of UnauthorizedError is necessary for the new authorization check implemented below.

---

41-43: LGTM! Well-implemented authorization check.

The authorization logic is correctly placed and implemented:

• Validates user permissions after confirming resource existence
• Uses the appropriate RBAC method hasSubGraphReadAccess
• Throws the correct error type for unauthorized access
• Prevents unauthorized SDL retrieval while maintaining proper error handling flow

controlplane/test/check-subgraph-schema.test.ts (1)

248-248: LGTM! Consistent restriction of write operations for the viewer role.

The addition of 'subgraph-viewer' to the test case that verifies unauthorized access for schema operations (create, publish, check) is appropriate. This maintains the read-only nature of the viewer role across all subgraph operations.

controlplane/test/check-federated-graph.test.ts (1)

372-373: LGTM! Proper test coverage for new roles.

The addition of 'subgraph-publisher' and 'subgraph-viewer' to the list of roles that cannot check graphs for composition errors is appropriate. These roles should have limited scopes - subgraph-publisher for publishing subgraph schemas only, and subgraph-viewer for read-only access to subgraphs.

studio/src/lib/constants.ts (1)

276-281: LGTM! Well-structured role definition.

The new subgraph-viewer role is properly defined with all required properties and follows the established patterns. The description clearly communicates the read-only nature of this role.

controlplane/src/core/bufservices/subgraph/getSubgraphMembers.ts (1)

11-11: LGTM! Proper authorization implementation.

The authorization check is correctly implemented:

• Placed after existence verification to avoid information leakage
• Uses the appropriate RBAC method hasSubGraphReadAccess
• Throws the correct error type for unauthorized access
• Follows security best practices

Also applies to: 38-40

controlplane/test/federated-graph/version.test.ts (2)

154-154: LGTM! Appropriate test coverage for subgraph-viewer role.

Correctly adding 'subgraph-viewer' to roles that cannot read federated graph versions. This role should be limited to subgraph read access only.

---

412-412: LGTM! Appropriate test coverage for subgraph-publisher role.

Correctly adding 'subgraph-publisher' to roles that cannot update router compatibility versions. This role should be limited to publishing subgraph schemas.

controlplane/src/core/services/RBACEvaluator.ts (1)

221-224: LGTM! Proper RBAC implementation for subgraph read access.

The modification correctly implements explicit read access checking by including all relevant subgraph roles: 'subgraph-admin', 'subgraph-publisher', and the new 'subgraph-viewer'. This approach is more maintainable and clear than relying on write access methods for read permissions.

controlplane/test/namespace/get-namespaces.test.ts (3)

25-34: LGTM! Comprehensive test coverage for the new subgraph-viewer role.

The addition of 'subgraph-viewer' to the namespace retrieval tests ensures that the new role has appropriate read access to namespaces, which is essential for a viewer role.

---

76-82: Consistent test coverage across namespace access scenarios.

The systematic addition of 'subgraph-publisher' and 'subgraph-viewer' roles across all namespace access test scenarios provides comprehensive validation of the new RBAC permissions.

Also applies to: 110-114, 145-149

---

209-213: Critical test coverage for subgraph-viewer namespace access.

Adding 'subgraph-viewer' to this test ensures that viewers can properly access namespaces containing subgraphs they're permitted to view, which is fundamental to the role's functionality.

controlplane/src/core/repositories/SubgraphRepository.ts (1)

592-614: RBAC logic correctly implements subgraph-viewer role.

The implementation follows the established pattern for role handling, properly extending query conditions to include namespaces and resources accessible to the subgraph-viewer role. This ensures consistent read access permissions across the subgraph repository.

controlplane/test/subgraph/create-subgraph.test.ts (2)

186-187: Correct permissions and improved test description.

Adding 'subgraph-viewer' to the roles that cannot create subgraphs is appropriate for a read-only viewer role. The test description fix also improves clarity and readability.

---

413-415: Consistent RBAC permission model across test suites.

The role permission alignment between regular and RBAC-enabled tests ensures consistent behavior. Restricting 'subgraph-publisher' and 'subgraph-viewer' from creating subgraphs maintains the appropriate permission hierarchy.

Also applies to: 444-445

controlplane/src/core/repositories/FeatureFlagRepository.ts (2)

255-256: LGTM: Correctly adds subgraph-viewer role to RBAC evaluation.

The implementation follows the established pattern for role checking and correctly includes the new role in the condition that determines if any subgraph-related roles are present.

---

273-276: LGTM: Proper handling of subgraph-viewer namespaces and resources.

The implementation correctly follows the established pattern for collecting namespaces and resources from the role, ensuring proper RBAC scope application for feature flag queries.

controlplane/test/rbac-evaluator.test.ts (4)

19-19: LGTM: Properly defines test group for the new role.

The subgraph-viewer test group follows the established pattern and correctly sets up the role for testing.

---

671-695: LGTM: Comprehensive test for global read-only access.

The test correctly verifies that subgraph-viewer has only read access to subgraphs while ensuring all other permissions are denied. The assertions properly validate the read-only nature of this role.

---

697-724: LGTM: Proper validation of namespace-scoped read access.

The test correctly verifies that subgraph-viewer with namespace restrictions only has read access to subgraphs within the granted namespace, while maintaining denial of all other permissions.

---

726-754: LGTM: Accurate testing of resource-scoped read access.

The test correctly validates that subgraph-viewer with resource restrictions only has read access to specifically granted subgraph resources, while properly denying access to non-granted resources and all other permissions.

[StarpTech]

LGTM