fix: re enable scopes (CM-1231) #4210

Draft: ulemons wants to merge 2 commits into main from fix/re-enable-scopes

ulemons (Contributor) commented Jun 15, 2026

Summary

Re-enables Auth0 scope enforcement on all public packages endpoints after the scopes were added to the Auth0 staging tenant.

Changes

  • Restore requireScopes middleware on POST /packages:batch-stewardship — requires both read:packages and read:stewardships
  • Restore scope enforcement on GET /packages, GET /packages/metrics, GET /packages/detail — requires both read:packages and read:stewardships
  • Consolidate per-route scope checks into a single router.use() at the top of packagesRouter for clarity

Type of change

  • Bug fix
  • New feature
  • Refactor / cleanup
  • Performance improvement
  • Chore / dependency update
  • Documentation

JIRA ticket

ticket

ulemons added 2 commits June 15, 2026 10:12
Signed-off-by: Umberto Sgueglia <usgueglia@contractor.linuxfoundation.org>
Signed-off-by: Umberto Sgueglia <usgueglia@contractor.linuxfoundation.org>
ulemons self-assigned this Jun 15, 2026
Copilot AI review requested due to automatic review settings June 15, 2026 09:41
ulemons added the Bug Created by Linear-GitHub Sync label Jun 15, 2026

Copilot AI (Contributor) left a comment

Pull request overview

This PR re-enables Auth0 scope enforcement for the public v1 packages endpoints, now that the required scopes exist in the Auth0 staging tenant. It ensures packages-related endpoints consistently require both read:packages and read:stewardships, aligning access control with the data returned by these endpoints (which includes stewardship fields).

Changes:

  • Restores requireScopes([SCOPES.READ_PACKAGES, SCOPES.READ_STEWARDSHIPS], 'all') on POST /v1/packages:batch-stewardship.
  • Re-enables scope enforcement for all /v1/packages/* endpoints by applying a single router.use(requireScopes(...)) in packagesRouter.
  • Removes the previously-commented-out per-route scope middleware blocks and TODOs.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| backend/src/api/public/v1/packages/index.ts | Adds a top-level router.use(requireScopes([...], 'all')) so all /packages endpoints require both scopes. |
| backend/src/api/public/v1/index.ts | Restores requireScopes([...], 'all') on POST /packages:batch-stewardship and re-adds SCOPES import. |

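The pattern discussed in this PR (one router-level gate that requires both scopes) is sketched below as an added example; it is not code from the pull request or the project. The `requireScopes` body, the `Req`/`Res` shapes, the `handle` dispatcher, the 401/403 responses and the space-delimited `scope` claim are assumptions made for illustration.

```typescript
// Added example: a hypothetical requireScopes, not the project's implementation.
const SCOPES = { READ_PACKAGES: 'read:packages', READ_STEWARDSHIPS: 'read:stewardships' } as const;

// Assumed shapes: `auth` holds the already-verified access-token claims.
type Req = { path: string; auth?: { scope?: string } };
type Res = { status: number; body: unknown };
type Next = () => void;
type Middleware = (req: Req, res: Res, next: Next) => void;

// 'all': every listed scope must be granted. 'any': at least one.
function requireScopes(required: readonly string[], mode: 'all' | 'any'): Middleware {
  return (req, res, next) => {
    if (!req.auth) {
      res.status = 401; // no verified token on the request
      res.body = { error: 'unauthenticated' };
      return;
    }
    // OAuth 2.0 access tokens carry scopes as one space-delimited string.
    const granted = new Set((req.auth.scope ?? '').split(' ').filter(Boolean));
    const has = (s: string): boolean => granted.has(s);
    // Fail closed on an empty list: [].every() is true and would admit everyone.
    const ok = required.length > 0 &&
      (mode === 'all' ? required.every(has) : required.some(has));
    if (!ok) {
      res.status = 403;
      res.body = { error: 'insufficient_scope', required };
      return;
    }
    next();
  };
}

// Stand-in for router dispatch: entries run in registration order, so a gate
// registered first (like router.use at the top) covers every later handler.
function handle(chain: Middleware[], req: Req): Res {
  const res: Res = { status: 404, body: null };
  let i = 0;
  const next: Next = () => {
    const mw = chain[i++];
    if (mw) mw(req, res, next);
  };
  next();
  return res;
}

const packagesRouter: Middleware[] = [
  requireScopes([SCOPES.READ_PACKAGES, SCOPES.READ_STEWARDSHIPS], 'all'),
  (req, res) => { res.status = 200; res.body = { route: req.path }; },
];
```

A route added to the router later inherits the gate only if it is registered after it, so a regression test that sends a single-scope token to each endpoint is a useful check on this kind of consolidation.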