server: block proxy-role agents from self-approving proposals #140

Merged
dangtony98 merged 1 commit into main from fix-proxy-self-approval
Apr 28, 2026

@dangtony98
Contributor

Summary

  • Fixes a privilege escalation: a proxy-role agent on an instance-level token could approve its own proposals, bypassing the two-axis permission model. By raising a proposal that adds a service for an attacker-controlled host using a known credential key name, then self-approving it, the agent could induce the broker to inject the real credential into a request to the attacker's host on the next /proxy/... call.
  • Root cause: requireProposalReview's instance-level branch called requireVaultAccess (existence-only check on vault_grants) instead of enforcing a role floor. Switched to requireVaultMember so member+ is required — proxy is now blocked, matching what the call-site comments already claimed.
  • Scoped-session branch (admin required) is unchanged. Proposal creation is unchanged (proxy can still raise proposals — that's by design).

Test plan

  • New regression tests TestInstanceLevelProxyCannotApproveProposal / TestInstanceLevelProxyCannotRejectProposal assert 403 and that the proposal stays pending (proves the apply step never ran, so credential injection cannot occur)
  • Existing TestMemberCanApproveProposalInAnyMemberVault still passes via the new requireVaultMember path — locks in non-regression of the legitimate member-approval flow
  • go test ./internal/server/ and make test are green
  • Reviewer to confirm no other call site of requireVaultAccess should have been requireVaultMember

🤖 Generated with Claude Code

requireProposalReview's instance-level branch fell through to
requireVaultAccess, which only checks for ANY row in vault_grants
regardless of role. A proxy-role agent could create a proposal pointing
at an attacker-controlled host and approve it itself, then have the
broker inject the credential on the next /proxy call. Switch to
requireVaultMember so member+ is required (matches the rule the call-site
comments already claimed).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
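
The root cause described in the summary and commit message above, reduced to a stand-alone Go sketch. This is an added example, not code from this pull request: the `Grants` map stands in for `vault_grants`, and `hasAnyGrant`, `meetsRoleFloor`, `review` and the role ordering proxy < member < admin are assumptions made for illustration.

```go
package main

import "fmt"

// Role ordering is an assumption of this sketch: proxy < member < admin.
type Role int

const (
	RoleNone Role = iota
	RoleProxy
	RoleMember
	RoleAdmin
)

// Grants stands in for the vault_grants table: agent -> vault -> role.
type Grants map[string]map[string]Role
type Proposal struct{ Vault, Status string }

// hasAnyGrant models the existence-only check: any row passes, role ignored.
func (g Grants) hasAnyGrant(agent, vault string) bool {
	_, ok := g[agent][vault]
	return ok
}

// meetsRoleFloor models the fix: the granted role must be at least floor.
func (g Grants) meetsRoleFloor(agent, vault string, floor Role) bool {
	return g[agent][vault] >= floor // a missing row reads as RoleNone
}

// review returns the HTTP status of an approve attempt. On 403 the proposal
// is left untouched, so it stays "pending" and nothing is applied.
func review(g Grants, agent string, p *Proposal, enforceFloor bool) int {
	allowed := g.hasAnyGrant(agent, p.Vault)
	if enforceFloor {
		allowed = g.meetsRoleFloor(agent, p.Vault, RoleMember)
	}
	if !allowed {
		return 403
	}
	p.Status = "approved"
	return 200
}

func main() {
	g := Grants{"agent-proxy": {"v1": RoleProxy}, "agent-member": {"v1": RoleMember}} // constructed data
	for _, agent := range []string{"agent-proxy", "agent-member", "agent-none"} {
		p1, p2 := &Proposal{"v1", "pending"}, &Proposal{"v1", "pending"}
		s1, s2 := review(g, agent, p1, false), review(g, agent, p2, true)
		fmt.Println(agent, "existence-only:", s1, p1.Status, "role floor:", s2, p2.Status)
	}
}
```
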
@infisical-review-police

💬 Discussion in Slack: #pr-review-agent-vault-140-server-block-proxy-role-agents-from-self-approving-pro

Posted by Review Police — reviews, comments, new commits, and CI failures will stream into this channel.

@dangtony98 dangtony98 merged commit 997c631 into main Apr 28, 2026
10 checks passed
@dangtony98 dangtony98 deleted the fix-proxy-self-approval branch April 28, 2026 16:34