fix: review comments

Author: ravverma

packages/spacecat-shared-http-utils/src/auth/handlers/ims.js

@@ -105,7 +105,7 @@ function isUserASOAdmin(organizations) {
 /**
  * Checks whether the read-only org gate flag is enabled for the user's first
  * IMS organization. When true, ALL IMS-authenticated users in that org are
- * blocked (not just RO admins) — this intentionally forces the entire org to
+ * blocked (not just RO admins) - this intentionally forces the entire org to
  * authenticate via the JWT/auth-service path instead.
  *
  * NOTE: Only the first org in the array is evaluated. Multi-org users whose
@@ -122,7 +122,7 @@ async function isOrgBlockedFromImsAuth(context, organizations) {
     const ldClient = LaunchDarklyClient.createFrom(context);
     if (!ldClient) return false;
 
-    // Only evaluate the first org — see NOTE above.
+    // Only evaluate the first org - see NOTE above.
     const ident = organizations[0]?.orgRef?.ident;
     if (!ident) return false;
 

packages/spacecat-shared-http-utils/src/auth/read-only-admin-wrapper.js

@@ -57,15 +57,15 @@ async function evaluateFeatureFlag(context, authInfo) {
  * wrapper), this wrapper checks whether the authenticated user is a read-only admin.
  * If so it:
  *
- * 1. Evaluates the `FT_LLMO-3008` LaunchDarkly feature flag (fail-closed).
+ * 1. Evaluates the `FT_READ_ONLY_ORG` LaunchDarkly feature flag (fail-closed).
  * 2. Resolves the route's action from the routeCapabilities map and blocks
  *    write operations (or unmapped routes) for RO admins.
  * 3. Emits a structured audit log entry for allowed RO admin requests.
  *
  * Non-RO-admin requests pass through untouched.
  *
  * @param {Function} fn - The handler to wrap.
- * @param {{ routeCapabilities?: Object<string, string> }} opts - Map of route
+ * @param {{ routeCapabilities: Object<string, string> }} opts - Required map of route
  *   patterns (e.g. 'GET /sites/:siteId') to action strings ('read' | 'write').
  * @returns {Function} A wrapped handler.
  */
@@ -84,6 +84,7 @@ export function readOnlyAdminWrapper(fn, { routeCapabilities } = {}) {
       if (!ffEnabled) {
         log.warn({
           tag: 'ro-admin',
+          email: authInfo.getProfile?.()?.email,
           org: authInfo.getTenantIds?.()[0],
         }, 'Feature flag disabled, denying RO admin access');
         return forbidden('Forbidden');
@@ -99,6 +100,7 @@ export function readOnlyAdminWrapper(fn, { routeCapabilities } = {}) {
         if (action !== 'read') {
           log.warn({
             tag: 'ro-admin',
+            email: authInfo.getProfile?.()?.email,
             method: context.pathInfo?.method,
             suffix: context.pathInfo?.suffix,
             org: authInfo.getTenantIds?.()[0],
@@ -109,6 +111,7 @@ export function readOnlyAdminWrapper(fn, { routeCapabilities } = {}) {
 
       log.info({
         tag: 'ro-admin-audit',
+        email: authInfo.getProfile?.()?.email,
         method: context.pathInfo?.method,
         suffix: context.pathInfo?.suffix,
         org: authInfo.getTenantIds?.()[0],

packages/spacecat-shared-http-utils/src/index.d.ts

@@ -45,7 +45,7 @@ export declare function forbidden(message?: string, headers?: object): Response;
  */
 export function readOnlyAdminWrapper(
   fn: Function,
-  opts?: { routeCapabilities?: Record<string, string> },
+  opts: { routeCapabilities: Record<string, string> },
 ): Function;
 
 /**