@powerhousedao/vetra 6.0.0-dev.59 → 6.0.0-dev.60

package/dist/subgraphs/__tests__/permission-utils.test.js

@@ -1,144 +1,30 @@
 import { GraphQLError } from "graphql";
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
-import { assertCanExecuteOperation, assertCanRead, assertCanWrite, canReadDocument, canWriteDocument, hasGlobalReadAccess, hasGlobalWriteAccess, } from "../permission-utils.js";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { assertCanExecuteOperation, assertCanRead, assertCanWrite, canReadDocument, canWriteDocument, hasGlobalAdminAccess, } from "../permission-utils.js";
 describe("permission-utils", () => {
     // Helper to create context with different permission levels
     const createContext = (options) => ({
         user: options.userAddress ? { address: options.userAddress } : undefined,
         isAdmin: vi.fn().mockReturnValue(options.isAdmin ?? false),
-        isUser: vi.fn().mockReturnValue(options.isUser ?? false),
-        isGuest: vi.fn().mockReturnValue(options.isGuest ?? false),
     });
-    describe("hasGlobalReadAccess", () => {
-        afterEach(() => {
-            delete process.env.FREE_ENTRY;
-        });
-        describe("Role-based access", () => {
-            it("should return true when user is global admin", () => {
-                const ctx = createContext({ isAdmin: true, userAddress: "0xadmin" });
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(true);
-                expect(ctx.isAdmin).toHaveBeenCalledWith("0xadmin");
-            });
-            it("should return true when user is global user", () => {
-                const ctx = createContext({ isUser: true, userAddress: "0xuser" });
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(true);
-                expect(ctx.isUser).toHaveBeenCalledWith("0xuser");
-            });
-            it("should return true when user is global guest", () => {
-                const ctx = createContext({ isGuest: true, userAddress: "0xguest" });
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(true);
-                expect(ctx.isGuest).toHaveBeenCalledWith("0xguest");
-            });
-            it("should return false when user has no global role", () => {
-                const ctx = createContext({ userAddress: "0xnorole" });
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(false);
-            });
-            it("should return false when user is not authenticated (no address)", () => {
-                const ctx = createContext({});
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(false);
-                // Should call with empty string when no user address
-                expect(ctx.isAdmin).toHaveBeenCalledWith("");
-            });
-        });
-        describe("FREE_ENTRY environment variable", () => {
-            it("should return true when FREE_ENTRY is 'true' regardless of roles", () => {
-                process.env.FREE_ENTRY = "true";
-                const ctx = createContext({ userAddress: "0xanyone" });
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(true);
-            });
-            it("should return true when FREE_ENTRY is 'true' even without authentication", () => {
-                process.env.FREE_ENTRY = "true";
-                const ctx = createContext({});
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(true);
-            });
-            it("should not grant access when FREE_ENTRY is 'false'", () => {
-                process.env.FREE_ENTRY = "false";
-                const ctx = createContext({ userAddress: "0xanyone" });
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(false);
-            });
-            it("should not grant access when FREE_ENTRY is not set", () => {
-                const ctx = createContext({ userAddress: "0xanyone" });
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(false);
-            });
-        });
-        describe("Combined roles", () => {
-            it("should return true when user has multiple roles (admin + user)", () => {
-                const ctx = createContext({
-                    isAdmin: true,
-                    isUser: true,
-                    userAddress: "0xmultirole",
-                });
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(true);
-            });
-            it("should return true when all roles are true (AUTH_ENABLED=false scenario)", () => {
-                const ctx = createContext({
-                    isAdmin: true,
-                    isUser: true,
-                    isGuest: true,
-                    userAddress: "0xanyone",
-                });
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(true);
-            });
-        });
-    });
-    describe("hasGlobalWriteAccess", () => {
-        describe("Role-based access", () => {
-            it("should return true when user is global admin", () => {
-                const ctx = createContext({ isAdmin: true, userAddress: "0xadmin" });
-                const result = hasGlobalWriteAccess(ctx);
-                expect(result).toBe(true);
-            });
-            it("should return true when user is global user", () => {
-                const ctx = createContext({ isUser: true, userAddress: "0xuser" });
-                const result = hasGlobalWriteAccess(ctx);
-                expect(result).toBe(true);
-            });
-            it("should return false when user is only global guest", () => {
-                const ctx = createContext({ isGuest: true, userAddress: "0xguest" });
-                const result = hasGlobalWriteAccess(ctx);
-                expect(result).toBe(false);
-            });
-            it("should return false when user has no global role", () => {
-                const ctx = createContext({ userAddress: "0xnorole" });
-                const result = hasGlobalWriteAccess(ctx);
-                expect(result).toBe(false);
-            });
-            it("should return false when user is not authenticated", () => {
-                const ctx = createContext({});
-                const result = hasGlobalWriteAccess(ctx);
-                expect(result).toBe(false);
-            });
+    describe("hasGlobalAdminAccess", () => {
+        it("should return true when user is global admin", () => {
+            const ctx = createContext({ isAdmin: true, userAddress: "0xadmin" });
+            const result = hasGlobalAdminAccess(ctx);
+            expect(result).toBe(true);
+            expect(ctx.isAdmin).toHaveBeenCalledWith("0xadmin");
         });
-        describe("Guest cannot write", () => {
-            it("should return false for guest even with FREE_ENTRY", () => {
-                process.env.FREE_ENTRY = "true";
-                const ctx = createContext({ isGuest: true, userAddress: "0xguest" });
-                const result = hasGlobalWriteAccess(ctx);
-                expect(result).toBe(false);
-                delete process.env.FREE_ENTRY;
-            });
+        it("should return false when user is not admin", () => {
+            const ctx = createContext({ userAddress: "0xnorole" });
+            const result = hasGlobalAdminAccess(ctx);
+            expect(result).toBe(false);
         });
-        describe("Combined roles", () => {
-            it("should return true when user is both guest and user (user wins)", () => {
-                const ctx = createContext({
-                    isGuest: true,
-                    isUser: true,
-                    userAddress: "0xmixed",
-                });
-                const result = hasGlobalWriteAccess(ctx);
-                expect(result).toBe(true);
-            });
+        it("should return false when user is not authenticated (no address)", () => {
+            const ctx = createContext({});
+            const result = hasGlobalAdminAccess(ctx);
+            expect(result).toBe(false);
+            // Should call with empty string when no user address
+            expect(ctx.isAdmin).toHaveBeenCalledWith("");
         });
     });
     describe("canReadDocument", () => {
@@ -162,18 +48,12 @@ describe("permission-utils", () => {
             };
         });
         describe("Global access bypass", () => {
-            it("should return true immediately when user has global read access", async () => {
+            it("should return true immediately when user has global admin access", async () => {
                 const ctx = createContext({ isAdmin: true, userAddress: "0xadmin" });
                 const result = await canReadDocument(mockSubgraph, "doc-123", ctx);
                 expect(result).toBe(true);
                 expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
             });
-            it("should return true for guest without checking document permissions", async () => {
-                const ctx = createContext({ isGuest: true, userAddress: "0xguest" });
-                const result = await canReadDocument(mockSubgraph, "doc-123", ctx);
-                expect(result).toBe(true);
-                expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
-            });
         });
         describe("Document-level permissions", () => {
             it("should check document permission service when no global access", async () => {
@@ -267,19 +147,6 @@ describe("permission-utils", () => {
                 expect(result).toBe(true);
                 expect(mockDocumentPermissionService.canWrite).not.toHaveBeenCalled();
             });
-            it("should return true immediately when user is global user", async () => {
-                const ctx = createContext({ isUser: true, userAddress: "0xuser" });
-                const result = await canWriteDocument(mockSubgraph, "doc-123", ctx);
-                expect(result).toBe(true);
-                expect(mockDocumentPermissionService.canWrite).not.toHaveBeenCalled();
-            });
-            it("should NOT return true for global guest (guests cannot write)", async () => {
-                const ctx = createContext({ isGuest: true, userAddress: "0xguest" });
-                const result = await canWriteDocument(mockSubgraph, "doc-123", ctx);
-                // Guest has no global write access, so should check document permissions
-                expect(mockDocumentPermissionService.canWrite).toHaveBeenCalled();
-                expect(result).toBe(false);
-            });
         });
         describe("Document-level permissions", () => {
             it("should check document permission service when no global write access", async () => {
@@ -385,10 +252,6 @@ describe("permission-utils", () => {
             const ctx = createContext({ userAddress: "0xunpermitted" });
             await expect(assertCanWrite(mockSubgraph, "doc-123", ctx)).rejects.toThrow("Forbidden: insufficient permissions to write to this document");
         });
-        it("should throw for guest user (guests cannot write)", async () => {
-            const ctx = createContext({ isGuest: true, userAddress: "0xguest" });
-            await expect(assertCanWrite(mockSubgraph, "doc-123", ctx)).rejects.toThrow("Forbidden");
-        });
     });
     describe("assertCanExecuteOperation", () => {
         let mockSubgraph;
@@ -457,30 +320,10 @@ describe("permission-utils", () => {
         });
     });
     describe("Edge Cases", () => {
-        describe("Null/undefined context fields", () => {
-            it("hasGlobalReadAccess should handle context without isAdmin function", () => {
-                const ctx = {
-                    user: { address: "0xuser" },
-                    isUser: vi.fn().mockReturnValue(true),
-                    isGuest: vi.fn().mockReturnValue(false),
-                };
-                const result = hasGlobalReadAccess(ctx);
-                expect(result).toBe(true);
-            });
-            it("hasGlobalWriteAccess should handle context without isUser function", () => {
-                const ctx = {
-                    user: { address: "0xadmin" },
-                    isAdmin: vi.fn().mockReturnValue(true),
-                    isGuest: vi.fn().mockReturnValue(false),
-                };
-                const result = hasGlobalWriteAccess(ctx);
-                expect(result).toBe(true);
-            });
-        });
         describe("Empty string user address", () => {
             it("should handle empty string user address", () => {
                 const ctx = createContext({ userAddress: "" });
-                const result = hasGlobalReadAccess(ctx);
+                const result = hasGlobalAdminAccess(ctx);
                 expect(result).toBe(false);
                 expect(ctx.isAdmin).toHaveBeenCalledWith("");
             });

package/dist/subgraphs/__tests__/vetra-read-model-permissions.test.js

@@ -1,4 +1,4 @@
-import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { beforeEach, describe, expect, it, vi } from "vitest";
 import { getResolvers } from "../vetra-read-model/resolvers.js";
 // Mock the VetraReadModelProcessorLegacy
 vi.mock("../../processors/vetra-read-model/index.legacy.js", () => ({
@@ -65,8 +65,6 @@ describe("VetraReadModel Subgraph Permission Checks", () => {
     const createContext = (options) => ({
         user: options.userAddress ? { address: options.userAddress } : undefined,
         isAdmin: vi.fn().mockReturnValue(options.isAdmin ?? false),
-        isUser: vi.fn().mockReturnValue(options.isUser ?? false),
-        isGuest: vi.fn().mockReturnValue(options.isGuest ?? false),
     });
     // Setup mock query chain
     const setupMockQuery = (packages) => {
@@ -92,7 +90,6 @@ describe("VetraReadModel Subgraph Permission Checks", () => {
     };
     beforeEach(() => {
         vi.clearAllMocks();
-        delete process.env.FREE_ENTRY;
         // Create mock DocumentPermissionService
         mockDocumentPermissionService = {
             canRead: vi.fn().mockResolvedValue(false),
@@ -116,9 +113,6 @@ describe("VetraReadModel Subgraph Permission Checks", () => {
         // Get resolvers
         resolvers = getResolvers(mockSubgraph);
     });
-    afterEach(() => {
-        delete process.env.FREE_ENTRY;
-    });
     describe("Query: vetraPackages", () => {
         const callVetraPackages = async (ctx, args = {}) => {
             const query = resolvers.Query?.vetraPackages;
@@ -132,28 +126,6 @@ describe("VetraReadModel Subgraph Permission Checks", () => {
                 expect(result).toHaveLength(3);
                 expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
             });
-            it("should return all packages when user is global user", async () => {
-                setupMockQuery(mockPackages);
-                const ctx = createContext({ isUser: true, userAddress: "0xuser" });
-                const result = await callVetraPackages(ctx);
-                expect(result).toHaveLength(3);
-                expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
-            });
-            it("should return all packages when user is global guest", async () => {
-                setupMockQuery(mockPackages);
-                const ctx = createContext({ isGuest: true, userAddress: "0xguest" });
-                const result = await callVetraPackages(ctx);
-                expect(result).toHaveLength(3);
-                expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
-            });
-            it("should return all packages when FREE_ENTRY is true", async () => {
-                process.env.FREE_ENTRY = "true";
-                setupMockQuery(mockPackages);
-                const ctx = createContext({ userAddress: "0xanyone" });
-                const result = await callVetraPackages(ctx);
-                expect(result).toHaveLength(3);
-                expect(mockDocumentPermissionService.canRead).not.toHaveBeenCalled();
-            });
         });
         describe("Document Permission Filtering", () => {
             it("should filter packages based on permissions when no global access", async () => {
@@ -276,8 +248,6 @@ describe("VetraReadModel Subgraph Permission Checks", () => {
             setupMockQuery(mockPackages);
             const ctx = createContext({
                 isAdmin: true,
-                isUser: true,
-                isGuest: true,
                 userAddress: "0xanyone",
             });
             const result = await (resolvers.Query?.vetraPackages)(null, {}, ctx);

package/dist/subgraphs/permission-utils.d.ts

@@ -1,18 +1,17 @@
 import type { BaseSubgraph, Context } from "@powerhousedao/reactor-api";
 /**
- * Check if user has global read access (admin, user, or guest)
+ * Check if user has global admin access.
+ * Legacy fallback when authorizationService is not available.
  */
-export declare function hasGlobalReadAccess(ctx: Context): boolean;
+export declare function hasGlobalAdminAccess(ctx: Context): boolean;
 /**
- * Check if user has global write access (admin or user, not guest)
- */
-export declare function hasGlobalWriteAccess(ctx: Context): boolean;
-/**
- * Check if user can read a document (with hierarchy)
+ * Check if user can read a document (with hierarchy).
+ * Delegates to AuthorizationService when available.
  */
 export declare function canReadDocument(subgraph: BaseSubgraph, documentId: string, ctx: Context): Promise<boolean>;
 /**
- * Check if user can write to a document (with hierarchy)
+ * Check if user can write to a document (with hierarchy).
+ * Delegates to AuthorizationService when available.
  */
 export declare function canWriteDocument(subgraph: BaseSubgraph, documentId: string, ctx: Context): Promise<boolean>;
 /**
@@ -25,7 +24,7 @@ export declare function assertCanRead(subgraph: BaseSubgraph, documentId: string
 export declare function assertCanWrite(subgraph: BaseSubgraph, documentId: string, ctx: Context): Promise<void>;
 /**
  * Check if user can execute a specific operation on a document.
- * Throws an error if the operation is restricted and user lacks permission.
+ * Delegates to AuthorizationService.canMutate when available.
  */
 export declare function assertCanExecuteOperation(subgraph: BaseSubgraph, documentId: string, operationType: string, ctx: Context): Promise<void>;
 //# sourceMappingURL=permission-utils.d.ts.map

package/dist/subgraphs/permission-utils.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permission-utils.d.ts","sourceRoot":"","sources":["../../subgraphs/permission-utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,4BAA4B,CAAC;AAGxE;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAMzD;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAI1D;AAgBD;;GAEG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,OAAO,CAAC,CAgBlB;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,OAAO,CAAC,CAgBlB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;;GAGG;AACH,wBAAsB,yBAAyB,CAC7C,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,IAAI,CAAC,CAiCf"}
+{"version":3,"file":"permission-utils.d.ts","sourceRoot":"","sources":["../../subgraphs/permission-utils.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,OAAO,EAAE,MAAM,4BAA4B,CAAC;AAiBxE;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,GAAG,OAAO,CAE1D;AAED;;;GAGG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,OAAO,CAAC,CAkBlB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CACpC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,OAAO,CAAC,CAkBlB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;GAEG;AACH,wBAAsB,cAAc,CAClC,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,IAAI,CAAC,CAOf;AAED;;;GAGG;AACH,wBAAsB,yBAAyB,CAC7C,QAAQ,EAAE,YAAY,EACtB,UAAU,EAAE,MAAM,EAClB,aAAa,EAAE,MAAM,EACrB,GAAG,EAAE,OAAO,GACX,OAAO,CAAC,IAAI,CAAC,CAwCf"}

package/dist/subgraphs/permission-utils.js

@@ -1,21 +1,4 @@
 import { GraphQLError } from "graphql";
-/**
- * Check if user has global read access (admin, user, or guest)
- */
-export function hasGlobalReadAccess(ctx) {
-    const isGlobalAdmin = ctx.isAdmin?.(ctx.user?.address ?? "");
-    const isGlobalUser = ctx.isUser?.(ctx.user?.address ?? "");
-    const isGlobalGuest = ctx.isGuest?.(ctx.user?.address ?? "") || process.env.FREE_ENTRY === "true";
-    return !!(isGlobalAdmin || isGlobalUser || isGlobalGuest);
-}
-/**
- * Check if user has global write access (admin or user, not guest)
- */
-export function hasGlobalWriteAccess(ctx) {
-    const isGlobalAdmin = ctx.isAdmin?.(ctx.user?.address ?? "");
-    const isGlobalUser = ctx.isUser?.(ctx.user?.address ?? "");
-    return !!(isGlobalAdmin || isGlobalUser);
-}
 /**
  * Get the parent IDs function for hierarchical permission checks
  */
@@ -31,28 +14,39 @@ function getParentIdsFn(subgraph) {
     };
 }
 /**
- * Check if user can read a document (with hierarchy)
+ * Check if user has global admin access.
+ * Legacy fallback when authorizationService is not available.
+ */
+export function hasGlobalAdminAccess(ctx) {
+    return !!ctx.isAdmin?.(ctx.user?.address ?? "");
+}
+/**
+ * Check if user can read a document (with hierarchy).
+ * Delegates to AuthorizationService when available.
  */
 export async function canReadDocument(subgraph, documentId, ctx) {
-    // Global access allows reading
-    if (hasGlobalReadAccess(ctx)) {
-        return true;
+    if (subgraph.authorizationService) {
+        return subgraph.authorizationService.canRead(documentId, ctx.user?.address, getParentIdsFn(subgraph));
     }
-    // Check document-level permissions with hierarchy
+    // Legacy fallback
+    if (hasGlobalAdminAccess(ctx))
+        return true;
     if (subgraph.documentPermissionService) {
         return subgraph.documentPermissionService.canRead(documentId, ctx.user?.address, getParentIdsFn(subgraph));
     }
     return false;
 }
 /**
- * Check if user can write to a document (with hierarchy)
+ * Check if user can write to a document (with hierarchy).
+ * Delegates to AuthorizationService when available.
  */
 export async function canWriteDocument(subgraph, documentId, ctx) {
-    // Global write access allows writing
-    if (hasGlobalWriteAccess(ctx)) {
-        return true;
+    if (subgraph.authorizationService) {
+        return subgraph.authorizationService.canWrite(documentId, ctx.user?.address, getParentIdsFn(subgraph));
     }
-    // Check document-level permissions with hierarchy
+    // Legacy fallback
+    if (hasGlobalAdminAccess(ctx))
+        return true;
     if (subgraph.documentPermissionService) {
         return subgraph.documentPermissionService.canWrite(documentId, ctx.user?.address, getParentIdsFn(subgraph));
     }
@@ -78,21 +72,23 @@ export async function assertCanWrite(subgraph, documentId, ctx) {
 }
 /**
  * Check if user can execute a specific operation on a document.
- * Throws an error if the operation is restricted and user lacks permission.
+ * Delegates to AuthorizationService.canMutate when available.
  */
 export async function assertCanExecuteOperation(subgraph, documentId, operationType, ctx) {
-    // Skip if no permission service
-    if (!subgraph.documentPermissionService) {
+    if (subgraph.authorizationService) {
+        const canMutate = await subgraph.authorizationService.canMutate(documentId, operationType, ctx.user?.address, getParentIdsFn(subgraph));
+        if (!canMutate) {
+            throw new GraphQLError(`Forbidden: insufficient permissions to execute operation "${operationType}" on this document`);
+        }
         return;
     }
-    // Global admins bypass operation-level restrictions
-    if (ctx.isAdmin?.(ctx.user?.address ?? "")) {
+    // Legacy fallback
+    if (!subgraph.documentPermissionService)
+        return;
+    if (ctx.isAdmin?.(ctx.user?.address ?? ""))
         return;
-    }
-    // Check if this operation has any restrictions set
     const isRestricted = await subgraph.documentPermissionService.isOperationRestricted(documentId, operationType);
     if (isRestricted) {
-        // Operation is restricted, check if user has permission
         const canExecute = await subgraph.documentPermissionService.canExecuteOperation(documentId, operationType, ctx.user?.address);
         if (!canExecute) {
             throw new GraphQLError(`Forbidden: insufficient permissions to execute operation "${operationType}" on this document`);

package/dist/subgraphs/vetra-read-model/resolvers.js

@@ -1,5 +1,5 @@
 import { VetraReadModelProcessorLegacy } from "../../processors/vetra-read-model/index.legacy.js";
-import { canReadDocument, hasGlobalReadAccess } from "../permission-utils.js";
+import { canReadDocument, hasGlobalAdminAccess } from "../permission-utils.js";
 export const getResolvers = (subgraph) => {
     const db = subgraph.relationalDb;
     return {
@@ -32,7 +32,7 @@ export const getResolvers = (subgraph) => {
                     driveId: pkg.drive_id,
                 }));
                 // If user doesn't have global read access, filter by document-level permissions
-                if (!hasGlobalReadAccess(ctx) && subgraph.documentPermissionService) {
+                if (!hasGlobalAdminAccess(ctx) && subgraph.documentPermissionService) {
                     const filteredResults = [];
                     for (const pkg of mappedResults) {
                         const canRead = await canReadDocument(subgraph, pkg.documentId, ctx);