test(auth): cover reserved username sentinel gate (#4276)

tests/test_reserved_username_admin_escalation.py

@@ -11,7 +11,10 @@ is reserved for the same reason (bearer-token owner attribution collision).
 See the privilege-escalation finding from the 2026-06 code review.
 """
 
+from types import SimpleNamespace
+
 import pytest
+from fastapi import HTTPException
 
 from tests.helpers.import_state import clear_module
 
@@ -89,6 +92,35 @@ def test_legacy_reserved_username_session_cannot_authenticate(tmp_path):
     assert mgr.get_username_for_token("tok") is None
 
 
+def test_legacy_reserved_username_session_cannot_pass_admin_gate(tmp_path, monkeypatch):
+    auth_path = tmp_path / "auth.json"
+    sessions_path = tmp_path / "sessions.json"
+    auth_path.write_text(
+        '{"users": {"internal-tool": {"password_hash": "unused", "is_admin": false}, '
+        '"admin": {"password_hash": "unused", "is_admin": true}}}',
+        encoding="utf-8",
+    )
+    sessions_path.write_text(
+        '{"tok": {"username": "internal-tool", "expiry": 9999999999}}',
+        encoding="utf-8",
+    )
+    mgr = _fresh_auth_manager(tmp_path)
+    clear_module("core.middleware")
+    from core.middleware import require_admin
+
+    monkeypatch.setenv("AUTH_ENABLED", "true")
+    request = SimpleNamespace(
+        state=SimpleNamespace(current_user=mgr.get_username_for_token("tok")),
+        headers={},
+        app=SimpleNamespace(state=SimpleNamespace(auth_manager=mgr)),
+    )
+
+    assert request.state.current_user is None
+    with pytest.raises(HTTPException) as exc:
+        require_admin(request)
+    assert exc.value.status_code == 403
+
+
 def test_legacy_reserved_single_user_migrates_to_admin(tmp_path):
     auth_path = tmp_path / "auth.json"
     auth_path.write_text(