openresponses-http tests fail on origin/main for unauthenticated requests and owner detection

[efww]

Summary

I reproduced two failing tests in src/gateway/openresponses-http.test.ts on origin/main.

Reproduction

pnpm test -- src/gateway/openresponses-http.test.ts src/gateway/server-chat.agent-events.test.ts

Failures

1. Unauthenticated POST to /v1/responses returns 200 instead of 403

   • src/gateway/openresponses-http.test.ts:241

2. Requested HTTP scopes appear to imply owner identity

   • senderIsOwner is true when the test expects false
   • src/gateway/openresponses-http.test.ts:747

Expected behavior

• HTTP requests without auth should be rejected with 403
• Requested HTTP scopes should not, by themselves, prove owner identity for owner-only tool access

Notes

Reproduced on origin/main.

[steipete]

Closing this as not reproducible on current main after Codex review.

Current main no longer matches the reported test failures. The /v1/responses suite intentionally runs with gateway auth disabled and expects unauthenticated requests to succeed in that setup, and the current compat-owner logic explicitly keeps operator.write callers non-owner while only elevating trusted operator.admin or shared-secret compat auth to owner.

What I checked:

• Suite runs with auth disabled: The shared OpenResponses test server is started with auth: { mode: "none" }, so a request without auth is not expected to get a 403 in this test setup. (src/gateway/openresponses-http.test.ts:37, 11cffb230013)
• Current test expects 200 for missing auth: The exact resMissingAuth case now asserts expect(resMissingAuth.status).toBe(200) on current main. (src/gateway/openresponses-http.test.ts:222, 11cffb230013)
• Write scope is explicitly non-owner: Current main has a dedicated test asserting senderIsOwner is false for the default operator.write request and only true when operator.admin is present. (src/gateway/openresponses-http.test.ts:761, 11cffb230013)
• Compat handler intentionally applies compat owner logic: /v1/responses uses resolveOpenAiCompatibleHttpOperatorScopes and resolveOpenAiCompatibleHttpSenderIsOwner, with comments documenting that shared-secret compat auth is intentionally treated as full operator/owner on this surface. (src/gateway/openresponses-http.ts:441, 11cffb230013)
• Unit tests lock in current owner contract: The request-context unit tests separately assert that trusted operator.write stays non-owner, trusted operator.admin becomes owner, and shared-secret bearer auth on the compat surface is treated as owner. (src/gateway/http-utils.request-context.test.ts:160, 11cffb230013)

Review notes: reviewed against 11cffb230013.