feat(manager-core): admin is implicit app_admin; delete-script needs AppAdmin

Aligns the canonical capability rules with how the dashboard now shadows its UI. Instance admins become implicit app_admin on every app (only InstanceManageSettings stays owner-only), and the script-delete handler moves from AppWriteScript to AppAdmin so editors can save but not delete. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-28 19:27:32 +02:00
parent ec3c768262
commit 4644ea4919
5 changed files with 94 additions and 67 deletions
--- a/crates/manager-core/src/api.rs
+++ b/crates/manager-core/src/api.rs
@@ -270,10 +270,13 @@ async fn delete_script<R: ScriptRepository, L: ExecutionLogRepository>(
    Path(id): Path<ScriptId>,
 ) -> Result<StatusCode, ApiError> {
    let script = state.repo.get(id).await?.ok_or(ApiError::NotFound(id))?;
+    // Delete is gated tighter than Save: editors can edit scripts but
+    // only app_admin / instance admin / owner can remove them. See
+    // blueprint §11.6.
    require(
        state.authz.as_ref(),
        &principal,
-        Capability::AppWriteScript(script.app_id),
+        Capability::AppAdmin(script.app_id),
    )
    .await?;
    state.repo.delete(id).await?;