From f0e464dc36d18472eedd7aa643674a5a09792f92 Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Tue, 16 Dec 2025 12:19:59 +0000
Subject: [PATCH] policy: add test to confirm group cant approve tag

Confirms #2891 is implemented correctly.

Signed-off-by: Kristoffer Dalby
---
 hscontrol/policy/route_approval_test.go | 26 +++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/hscontrol/policy/route_approval_test.go b/hscontrol/policy/route_approval_test.go
index fa7c108e..39b15cee 100644
--- a/hscontrol/policy/route_approval_test.go
+++ b/hscontrol/policy/route_approval_test.go
@@ -748,6 +748,32 @@ func TestNodeCanApproveRoute(t *testing.T) {
 }`,
 canApprove: true,
 },
+ { // Tags-as-identity: Tagged nodes are identified by their tags, not by the
+ // user who created them. Group membership of the creator is irrelevant.
+ // A tagged node can only be auto-approved via tag-based autoApprovers,
+ // not group-based ones (even if the creator is in the group).
+ name: "tagged-node-with-group-autoapprover-not-approved",
+ node: taggedNode, // Has tag:router, owned by user3
+ route: p("10.30.0.0/16"),
+ policy: `{
+ "tagOwners": {
+ "tag:router": ["user3@"]
+ },
+ "groups": {
+ "group:ops": ["user3@"]
+ },
+ "acls": [
+ {"action": "accept", "src": ["*"], "dst": ["*:*"]}
+ ],
+ "autoApprovers": {
+ "routes": {
+ "10.30.0.0/16": ["group:ops"]
+ }
+ }
+ }`,
+ canApprove: false, // Tagged nodes don't inherit group membership for auto-approval
+ },
 {
 name: "small-subnet-with-exitnode-only-approval",
 node: normalNode,
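Review bot: The new table entry only proves a denial, and a negative test passes for the wrong reason just as easily — a policy that fails to parse, or a route/node pairing the approver never matches, would also yield `canApprove: false` without exercising the group rule at all. A positive control with the identical policy except `"10.30.0.0/16": ["tag:router"]` and `canApprove: true` would pin the denial to the `group:ops` entry itself; if a sibling case in the table already does that (the preceding context lines end with `canApprove: true`, but that case's body is outside the hunk), a one-line pointer to it in the comment, e.g. `// positive counterpart: see the tag-based autoApprover case above`, is enough. Since the comment on `node: taggedNode` says the node is also owned by user3, a second negative entry with `"10.30.0.0/16": ["user3@"]` would close the direct-user form of the same bypass, which the group-only policy here does not cover. The enclosing `TestNodeCanApproveRoute` table starts and ends outside the hunk.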