Gate GetEntryClaims by JWT claim subset

Run `validateClaimsSubsetBytes` against the entry's stored claims
inside `GetEntryClaims` and surface `ErrClaimsInsufficient` as 403 in
the handler. Without this, a `manageEntries` caller scoped to one team
could read the claim metadata of an entry scoped to a different team
even though the matching `PUT` would deny them — that asymmetry
contradicts the default-deny visibility rule in `auth.md` §4.

`GetEntryClaimsOptions` gains a `JWTClaims` field and `setJWTClaims`
setter so the handler can plumb the caller's JWT through `WithJWTClaims`,
mirroring how `UpdateEntryClaims` already works. Super-admin still
bypasses uniformly via the existing helper.

Tests: handler-level case for `ErrClaimsInsufficient` → 403; db-layer
cases for cross-team denied / covering caller succeeds; integration
sub-test exercising a cross-team writer against a platform-scoped
entry. Swagger regenerated for the new 403 response.

Author: rdimitrov

docs/thv-registry-api/docs.go

@@ -2049,6 +2049,19 @@
                         },
                         "description": "Bad request"
                     },
+                    "403": {
+                        "content": {
+                            "application/json": {
+                                "schema": {
+                                    "additionalProperties": {
+                                        "type": "string"
+                                    },
+                                    "type": "object"
+                                }
+                            }
+                        },
+                        "description": "Forbidden"
+                    },
                     "404": {
                         "content": {
                             "application/json": {

docs/thv-registry-api/swagger.json

@@ -1399,6 +1399,14 @@ paths:
                   type: string
                 type: object
           description: Bad request
+        "403":
+          content:
+            application/json:
+              schema:
+                additionalProperties:
+                  type: string
+                type: object
+          description: Forbidden
         "404":
           content:
             application/json:

docs/thv-registry-api/swagger.yaml

@@ -203,6 +203,7 @@ type entryClaimsResponse struct {
 // @Param		name	path		string	true	"Entry Name"
 // @Success		200	{object}	entryClaimsResponse	"Entry claims"
 // @Failure		400	{object}	map[string]string	"Bad request"
+// @Failure		403	{object}	map[string]string	"Forbidden"
 // @Failure		404	{object}	map[string]string	"Not found"
 // @Failure		500	{object}	map[string]string	"Internal server error"
 // @Failure		503	{object}	map[string]string	"No managed source available"
@@ -220,15 +221,24 @@ func (routes *Routes) getEntryClaims(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	claims, err := routes.service.GetEntryClaims(r.Context(),
+	opts := []service.Option{
 		service.WithEntryType(entryType),
 		service.WithName(name),
-	)
+	}
+	if jwtClaims := auth.ClaimsFromContext(r.Context()); jwtClaims != nil {
+		opts = append(opts, service.WithJWTClaims(map[string]any(jwtClaims)))
+	}
+
+	claims, err := routes.service.GetEntryClaims(r.Context(), opts...)
 	if err != nil {
 		if errors.Is(err, service.ErrInvalidEntryType) {
 			common.WriteErrorResponse(w, err.Error(), http.StatusBadRequest)
 			return
 		}
+		if errors.Is(err, service.ErrClaimsInsufficient) {
+			common.WriteErrorResponse(w, err.Error(), http.StatusForbidden)
+			return
+		}
 		if errors.Is(err, service.ErrNotFound) {
 			common.WriteErrorResponse(w, err.Error(), http.StatusNotFound)
 			return

internal/api/v1/entries.go

@@ -571,6 +571,16 @@ func TestGetEntryClaims(t *testing.T) {
 			wantStatus: http.StatusServiceUnavailable,
 			wantError:  "no managed source available",
 		},
+		{
+			name: "claims insufficient",
+			path: "/entries/server/test%2Fserver/claims",
+			setupMock: func(m *mocks.MockRegistryService) {
+				m.EXPECT().GetEntryClaims(gomock.Any(), gomock.Any(), gomock.Any()).
+					Return(nil, service.ErrClaimsInsufficient)
+			},
+			wantStatus: http.StatusForbidden,
+			wantError:  "insufficient claims",
+		},
 		{
 			name: "generic service error",
 			path: "/entries/server/test%2Fserver/claims",

internal/api/v1/entries_test.go

@@ -13,9 +13,10 @@ import (
 )
 
 // TestAuthzIntegration_GetEntryClaims exercises the GET /v1/entries/{type}/{name}/claims
-// endpoint across roles:
-//   - manageEntries (writer) and superAdmin can read claims (200)
-//   - admin (manageSources + manageRegistries only) is denied (403)
+// endpoint across roles and claim coverage:
+//   - manageEntries (writer) covering the entry's claims and superAdmin can read (200)
+//   - manageEntries (writer) NOT covering the entry's claims is denied (403)
+//   - admin (manageSources + manageRegistries only) is denied by role gate (403)
 //   - tokens with no matching role are denied (403)
 //   - unauthenticated requests are rejected (401)
 //
@@ -32,6 +33,7 @@ func TestAuthzIntegration_GetEntryClaims(t *testing.T) {
 	})
 
 	platformWriter := env.oidc.token(t, map[string]any{"org": "acme", "team": "platform", "role": "writer"})
+	dataWriter := env.oidc.token(t, map[string]any{"org": "acme", "team": "data", "role": "writer"})
 	platformAdmin := env.oidc.token(t, map[string]any{"org": "acme", "team": "platform", "role": "admin"})
 	superAdmin := env.oidc.token(t, map[string]any{"org": "acme", "role": "super-admin"})
 	noRole := env.oidc.token(t, map[string]any{"org": "acme"})
@@ -70,6 +72,12 @@ func TestAuthzIntegration_GetEntryClaims(t *testing.T) {
 		assertClaims(t, body, publishedClaims)
 	})
 
+	t.Run("cross-team writer denied", func(t *testing.T) {
+		// dataWriter has manageEntries role but no claim coverage for team=platform.
+		resp := doRequest(t, "GET", env.baseURL+claimsPath, dataWriter, nil)
+		assertStatus(t, resp, 403)
+	})
+
 	t.Run("manageSources/manageRegistries denied", func(t *testing.T) {
 		resp := doRequest(t, "GET", env.baseURL+claimsPath, platformAdmin, nil)
 		assertStatus(t, resp, 403)

internal/authz/authz_get_entry_claims_test.go

@@ -67,6 +67,66 @@ func TestGetEntryClaims_EmptyClaimsReturnsNonNilMap(t *testing.T) {
 	assert.Empty(t, claims)
 }
 
+func TestGetEntryClaims_ClaimsInsufficient(t *testing.T) {
+	t.Parallel()
+
+	svc, cleanup := setupTestService(t)
+	defer cleanup()
+
+	createManagedSource(t, svc, "gec-insufficient")
+
+	ctx := context.Background()
+
+	// Publish an entry scoped to team=data.
+	_, err := svc.PublishServerVersion(ctx,
+		service.WithServerData(&upstreamv0.ServerJSON{
+			Name:    "com.test/gec-insufficient",
+			Version: "1.0.0",
+		}),
+		service.WithClaims(map[string]any{"org": "acme", "team": "data"}),
+		service.WithJWTClaims(map[string]any{"org": "acme", "team": []string{"data"}}),
+	)
+	require.NoError(t, err)
+
+	// A caller in team=platform must not be able to read its claims.
+	_, err = svc.GetEntryClaims(ctx,
+		service.WithEntryType(service.EntryTypeServer),
+		service.WithName("com.test/gec-insufficient"),
+		service.WithJWTClaims(map[string]any{"org": "acme", "team": "platform"}),
+	)
+	assert.ErrorIs(t, err, service.ErrClaimsInsufficient)
+}
+
+func TestGetEntryClaims_ClaimsSufficient(t *testing.T) {
+	t.Parallel()
+
+	svc, cleanup := setupTestService(t)
+	defer cleanup()
+
+	createManagedSource(t, svc, "gec-sufficient")
+
+	ctx := context.Background()
+
+	_, err := svc.PublishServerVersion(ctx,
+		service.WithServerData(&upstreamv0.ServerJSON{
+			Name:    "com.test/gec-sufficient",
+			Version: "1.0.0",
+		}),
+		service.WithClaims(map[string]any{"org": "acme", "team": "platform"}),
+		service.WithJWTClaims(map[string]any{"org": "acme", "team": []string{"platform"}}),
+	)
+	require.NoError(t, err)
+
+	// A caller whose JWT covers the entry's claims must succeed.
+	claims, err := svc.GetEntryClaims(ctx,
+		service.WithEntryType(service.EntryTypeServer),
+		service.WithName("com.test/gec-sufficient"),
+		service.WithJWTClaims(map[string]any{"org": "acme", "team": []string{"platform", "ops"}}),
+	)
+	require.NoError(t, err)
+	assert.Equal(t, map[string]any{"org": "acme", "team": "platform"}, claims)
+}
+
 func TestGetEntryClaims_EntryNotFound(t *testing.T) {
 	t.Parallel()
 

internal/service/db/get_entry_claims_test.go

@@ -149,8 +149,9 @@ func mapEntryType(entryType string) (sqlc.EntryType, error) {
 
 // GetEntryClaims returns the claims map for a published entry within the managed source.
 // The returned map is non-nil even when the entry has no claims set, so callers can
-// rely on a stable JSON shape. The endpoint is admin-side and gated by role; it does
-// not run a claim-subset check against the caller's JWT.
+// rely on a stable JSON shape. Access is gated by the manageEntries role plus a
+// JWT-subset check against the entry's claims, mirroring the matching PUT and the
+// default-deny visibility rule (auth.md §4).
 func (s *dbService) GetEntryClaims(ctx context.Context, opts ...service.Option) (map[string]any, error) {
 	ctx, span := s.startSpan(ctx, "dbService.GetEntryClaims")
 	defer span.End()
@@ -195,6 +196,11 @@ func (s *dbService) GetEntryClaims(ctx context.Context, opts ...service.Option)
 		return nil, fmt.Errorf("failed to look up registry entry: %w", err)
 	}
 
+	if err := s.validateClaimsSubsetBytes(ctx, options.JWTClaims, row.Claims); err != nil {
+		otel.RecordError(span, err)
+		return nil, err
+	}
+
 	claims := db.DeserializeClaims(row.Claims)
 	if claims == nil {
 		claims = map[string]any{}

internal/service/db/impl_entries.go

@@ -42,6 +42,7 @@ func (o *UpdateEntryClaimsOptions) setJWTClaims(claims map[string]any) error {
 type GetEntryClaimsOptions struct {
 	EntryType string // EntryTypeServer or EntryTypeSkill
 	Name      string
+	JWTClaims map[string]any
 }
 
 func (o *GetEntryClaimsOptions) setEntryType(entryType string) error {
@@ -59,3 +60,9 @@ func (o *GetEntryClaimsOptions) setName(name string) error {
 	o.Name = name
 	return nil
 }
+
+//nolint:unparam
+func (o *GetEntryClaimsOptions) setJWTClaims(claims map[string]any) error {
+	o.JWTClaims = claims
+	return nil
+}