From 7f9e7f433f04be732e551d79f71ce8290a7e504e Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Wed, 25 Mar 2026 20:19:14 -0700
Subject: [PATCH] Treat authenticated callers with no roles as service accounts

MCIAS service tokens have nil roles and may not return account_type in the validate response. Recognize authenticated callers with a username but no roles as service accounts for IsUser() purposes. Explicit guest role still blocks access.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 internal/engine/engine.go | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/internal/engine/engine.go b/internal/engine/engine.go
index 34905f8..1774efc 100644
--- a/internal/engine/engine.go
+++ b/internal/engine/engine.go
@@ -52,8 +52,10 @@ type CallerInfo struct {
 	IsAdmin bool
 }
 
-// IsUser returns true if the caller is a human user with the "user" or
-// "admin" role, or a system (service) account. Guest-only humans are excluded.
+// IsUser returns true if the caller is authorized to perform user-level
+// operations. Admins, system (service) accounts, and humans with the
+// "user" role all qualify. Authenticated callers with no roles are treated
+// as service accounts (MCIAS issues service tokens with nil roles).
 func (c *CallerInfo) IsUser() bool {
 	if c.IsAdmin {
 		return true
@@ -65,6 +67,13 @@ func (c *CallerInfo) IsUser() bool {
 		if r == "user" {
 			return true
 		}
+		if r == "guest" {
+			return false
+		}
+	}
+	// Authenticated caller with no roles — service account.
+	if c.Username != "" && len(c.Roles) == 0 {
+		return true
 	}
 	return false
 }
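Review bot: The new `if r == "guest" { return false }` inside the loop makes the verdict depend on role order — `["guest", "user"]` is denied, but `["user", "guest"]` hits the earlier `r == "user"` return and is accepted — so the guest/user decision should be taken after the loop from flags gathered over every role (the fence below blocks whenever a guest role is present, which is what the commit message describes; invert the condition if "user" is meant to win). The fallback `c.Username != "" && len(c.Roles) == 0` is also fail-open: any caller whose role list came back empty, including a human whose roles were revoked or a validate response that dropped them, is promoted to user level on the strength of a username alone. If CallerInfo carries an account-type or system flag from the validate response (the struct's earlier fields and the start of IsUser, including the `for _, r := range c.Roles` header, lie outside this hunk), gate the fallback on that being absent or "service" rather than on Username, and at minimum replace the added comment with `// Fail-open for nil roles: relies on MCIAS never issuing a human token with an empty role list.` so the assumption is visible to the next reader.
```go
	hasUser, hasGuest := false, false
	for _, r := range c.Roles {
		switch r {
		case "user":
			hasUser = true
		case "guest":
			hasGuest = true
		}
	}
	// Decide after seeing every role so the result is order-independent.
	if hasUser && !hasGuest {
		return true
	}
	// Fail-open for nil roles: relies on MCIAS never issuing a human token
	// with an empty role list. Gate on the account type if the validate
	// response provides one.
	if c.Username != "" && len(c.Roles) == 0 {
		return true
	}
	return false
```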