02-missing-scope

JWT missing the route's required scope

Valid JWT, but scopes contain `ai.chat.read` instead of the required `ai.chat.write` for /v1/chat.

Tags: authz, scope, deny

FIXTURE
tenant_id:   "acme-turkiye"
home_region: "tst"
scopes:      ai.chat.read

Defaults (claims the runner fills in unless the fixture overrides them): iss = http://localhost/tst-issuer, aud = edge, exp = now+1h, kid = tester-rs256

EXPECTED OUTCOME
HTTP STATUS:      403
X-POLICY-DECISION: deny
X-POLICY-REASON:   authz.missing_scope

OPA EXPECTATION
OPA.ALLOW:     false
DENY_REASON:   authz.missing_scope
DENY_CATEGORY: authz
RUNNER

Mints a JWT from the fixture claims and defaults (signed with the tester-rs256 key), sends the request through the live Envoy listener, and compares the HTTP status and X-POLICY-* headers against the expected outcome and the OPA decision (allow, deny reason, deny category) against the OPA expectation.

Requires the PolicyGate stack to be reachable on host ports 10000 (Envoy listener) and 8181 (OPA API).

WHY THIS MATTERS

Proves per-route scope enforcement from the signed bundle. The token passes every authentication check (signature, iss, aud, exp), so the only thing that can reject it is the route's scope requirement, which lives in the bundle rather than in the gateway config. The scenario therefore also pins down the layering: the deny must surface as 403 with an authz.* reason, not as 401 (which would mean the request never reached authorization) and not as a generic deny. It further checks that the scope comparison is exact: ai.chat.read must not satisfy ai.chat.write through a prefix match or an implied hierarchy.
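The decision this scenario expects, written out as a small reference model so the outcome can be reasoned about offline. This is an added example and not PolicyGate's own policy or runner code; the route table, the claim names (an array `scopes` claim as in the fixture, plus the space-delimited `scope` string of RFC 8693), the authn reason string and the function names are assumptions. The fixture claims and expected outcome are the ones on this page.

```python
"""Reference model of the per-route scope check exercised by 02-missing-scope.
Added example; not PolicyGate code. Route table and helper names are assumed."""
from dataclasses import dataclass
from typing import Optional

# Assumed route -> required scope table. In PolicyGate this mapping is what the
# signed bundle carries; here it is inlined so the example runs stand-alone.
ROUTE_SCOPES = {
    "/v1/chat": "ai.chat.write",
}


@dataclass(frozen=True)
class Decision:
    allow: bool
    deny_reason: Optional[str] = None    # e.g. "authz.missing_scope"
    deny_category: Optional[str] = None  # "authn" or "authz"


def token_scopes(claims: dict) -> set:
    """Collect the token's scopes as an exact set.

    Accepts an array ``scopes`` claim (as in the fixture) or the space-delimited
    ``scope`` string. Membership is exact: no prefix or hierarchy matching.
    """
    raw = claims.get("scopes")
    if raw is None:
        raw = claims.get("scope", "")
    if isinstance(raw, str):
        return set(raw.split())
    return set(raw)


def decide(claims: Optional[dict], path: str) -> Decision:
    """claims is None when signature/iss/aud/exp validation already failed."""
    if claims is None:
        # Assumed reason string for the authn layer; the page only shows authz.*
        return Decision(False, "authn.invalid_token", "authn")
    required = ROUTE_SCOPES.get(path)
    if required is None:
        # Default deny for routes the bundle does not know about.
        return Decision(False, "authz.unknown_route", "authz")
    if required not in token_scopes(claims):
        return Decision(False, "authz.missing_scope", "authz")
    return Decision(True)


def to_http(d: Decision) -> dict:
    """Map a decision to what the edge surfaces: 401 for authn, 403 for authz."""
    if d.allow:
        return {"status": 200, "X-POLICY-DECISION": "allow"}
    status = 401 if d.deny_category == "authn" else 403
    return {"status": status, "X-POLICY-DECISION": "deny",
            "X-POLICY-REASON": d.deny_reason}


def run_scenario(claims: Optional[dict], path: str, expected: dict) -> list:
    """Return the list of mismatches against the expected outcome; [] means pass."""
    actual = to_http(decide(claims, path))
    return [f"{k}: expected {v!r}, got {actual.get(k)!r}"
            for k, v in expected.items() if actual.get(k) != v]


# Fixture claims and expected outcome as listed on this page (iss/aud/exp/kid
# are handled by the authn layer and are not needed by the scope check).
FIXTURE_CLAIMS = {"tenant_id": "acme-turkiye", "home_region": "tst",
                  "scopes": ["ai.chat.read"]}
EXPECTED = {"status": 403, "X-POLICY-DECISION": "deny",
            "X-POLICY-REASON": "authz.missing_scope"}

if __name__ == "__main__":
    print(run_scenario(FIXTURE_CLAIMS, "/v1/chat", EXPECTED) or "PASS")
```

The model makes the two properties the scenario pins down explicit: the deny category decides between 401 and 403, so a scope failure can never be reported as an authentication failure, and scope membership is a set lookup, so a token holding only `ai.chat` or `ai.chat.read` does not reach `/v1/chat`.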