Tighten getEntryClaims godoc and cover super-admin bypass

The godoc previously said the nil-claims-to-{} normalisation was
"unreachable in practice" under authz — that's wrong for super-admin,
who bypasses the subset check uniformly and would hit that branch
when reading legacy or synced rows that lack claims. Reword to call
out the super-admin path explicitly so the next reader doesn't trust
a stale invariant.

Add `TestGetEntryClaims_SuperAdminBypassesSubsetCheck` at the db
layer: super-admin caller with non-covering JWT claims still reads
the entry. Pairs with the existing cross-team-denied case to lock in
both halves of the bypass contract.

Author: rdimitrov

internal/api/v1/entries.go

@@ -204,9 +204,10 @@ type entryClaimsResponse struct {
 //
 // The response envelope `{"claims": {...}}` is always a non-nil JSON object —
 // the impl normalises a missing/nil claims blob to `map[string]any{}`. Under
-// authz, that branch is unreachable in practice (publish forbids empty claims
-// per auth.md §6, and the gate denies empty-claim rows per §4); the
-// normalisation is for the auth-off / synced-source case.
+// authz, that branch is reachable only by super-admin (the publish path
+// forbids empty claims per auth.md §6, and the gate denies empty-claim rows
+// for everyone else per §4) or by callers in `skipAuthz=true` deployments.
+// Either way the response shape stays stable.
 //
 // @Summary		Get entry claims
 // @Description	Get the claims for a published entry name. Claims are stored at the

internal/service/db/get_entry_claims_test.go

@@ -8,6 +8,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 
+	"github.com/stacklok/toolhive-registry-server/internal/auth"
 	"github.com/stacklok/toolhive-registry-server/internal/service"
 )
 
@@ -97,6 +98,39 @@ func TestGetEntryClaims_ClaimsInsufficient(t *testing.T) {
 	assert.ErrorIs(t, err, service.ErrClaimsInsufficient)
 }
 
+func TestGetEntryClaims_SuperAdminBypassesSubsetCheck(t *testing.T) {
+	t.Parallel()
+
+	svc, cleanup := setupTestService(t)
+	defer cleanup()
+
+	createManagedSource(t, svc, "gec-superadmin")
+
+	ctx := context.Background()
+
+	// Publish an entry scoped to team=data with JWT claims that cover it.
+	_, err := svc.PublishServerVersion(ctx,
+		service.WithServerData(&upstreamv0.ServerJSON{
+			Name:    "com.test/gec-superadmin",
+			Version: "1.0.0",
+		}),
+		service.WithClaims(map[string]any{"org": "acme", "team": "data"}),
+		service.WithJWTClaims(map[string]any{"org": "acme", "team": []string{"data"}}),
+	)
+	require.NoError(t, err)
+
+	// A super-admin caller in a completely different org must still read the
+	// entry's claims — the bypass is uniform across every claim check.
+	superAdminCtx := auth.ContextWithRoles(ctx, []auth.Role{auth.RoleSuperAdmin})
+	claims, err := svc.GetEntryClaims(superAdminCtx,
+		service.WithEntryType(service.EntryTypeServer),
+		service.WithName("com.test/gec-superadmin"),
+		service.WithJWTClaims(map[string]any{"org": "contoso"}),
+	)
+	require.NoError(t, err)
+	assert.Equal(t, map[string]any{"org": "acme", "team": "data"}, claims)
+}
+
 func TestGetEntryClaims_ClaimsSufficient(t *testing.T) {
 	t.Parallel()