From 4eadef18a9cc606ffd83a682566e2aec8fed1de7 Mon Sep 17 00:00:00 2001 From: teknium1 <127238744+teknium1@users.noreply.github.com> Date: Tue, 9 Jun 2026 22:41:53 -0700 Subject: [PATCH] fix: guard role_authorized check against MagicMock test sources Compare source.role_authorized with 'is True' so a MagicMock source (test fixtures that build bare runners via object.__new__) doesn't auto-truthy through the gate. The real SessionSource field is a bool, so production behavior is unchanged. Fixes test_signal_in_allowlist_maps.
---
 gateway/authz_mixin.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/gateway/authz_mixin.py b/gateway/authz_mixin.py
index ad3aa854982..2372fcbdb00 100644
--- a/gateway/authz_mixin.py
+++ b/gateway/authz_mixin.py
@@ -209,7 +209,10 @@ class GatewayAuthorizationMixin:
 # Adapter-verified role auth: the Discord adapter already confirmed the
 # user holds a role in DISCORD_ALLOWED_ROLES before dispatching the message.
- if getattr(source, "role_authorized", False):
+ # Compare with ``is True`` so the real bool field authorizes while a
+ # MagicMock source (test fixtures using ``object.__new__`` runners with
+ # mock sources) does not auto-truthy through this gate (see pitfall #13).
+ if getattr(source, "role_authorized", False) is True:
 return True
 if getattr(source, "is_bot", False):
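Review bot: The `is_bot` check on the hunk's last context line still uses plain truthiness, `if getattr(source, "is_bot", False):`, so a mock or any other non-bool value still takes that branch. What the branch does lies outside the hunk, but if it can affect the authorization result it should get the same strict form, `if getattr(source, "is_bot", False) is True:`. The identity comparison is a sound fail-closed choice for an authorization gate, and the new comment could say so directly instead of pointing at "pitfall #13", which a reader of this file cannot resolve. A unit test asserting that a truthy non-bool `role_authorized` (for example `1`) is not authorized would pin the behaviour for production sources as well as mocks. The enclosing method begins and ends outside the hunk.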