ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-16 02:40:39 +09:00
Code Issues Projects Releases Packages Wiki Activity
paperclip/server/src/__tests__/workspace-runtime-service-authz.test.ts

280 lines
8.4 KiB
TypeScript
Raw Normal View History

[codex] harden authenticated routes and issue editor reliability (#3741) ## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - The control plane depends on authenticated routes enforcing company boundaries and role permissions correctly > - This branch also touches the issue detail and markdown editing flows operators use while handling advisory and triage work > - Partial issue cache seeds and fragile rich-editor parsing could leave important issue content missing or blank at the moment an operator needed it > - Blocked issues becoming actionable again should wake their assignee automatically instead of silently staying idle > - This pull request rebases the advisory follow-up branch onto current `master`, hardens authenticated route authorization, and carries the issue-detail/editor reliability fixes forward with regression tests > - The benefit is tighter authz on sensitive routes plus more reliable issue/advisory editing and wakeup behavior on top of the latest base ## What Changed - Hardened authenticated route authorization across agent, activity, approval, access, project, plugin, health, execution-workspace, portability, and related server paths, with new cross-tenant and runtime-authz regression coverage. - Switched issue detail queries from `initialData` to placeholder-based hydration so list/quicklook seeds still refetch full issue bodies. - Normalized advisory-style HTML images before mounting the markdown editor and strengthened fallback behavior when the rich editor silently fails or rejects the content. - Woke assigned agents when blocked issues move back to `todo`, with route coverage for reopen and unblock transitions. - Rebasing note: this branch now sits cleanly on top of the latest `master` tip used for the PR base. ## Verification - `pnpm exec vitest run ui/src/lib/issueDetailQuery.test.tsx ui/src/components/MarkdownEditor.test.tsx server/src/__tests__/issue-comment-reopen-routes.test.ts server/src/__tests__/activity-routes.test.ts server/src/__tests__/agent-cross-tenant-authz-routes.test.ts` - Confirmed `pnpm-lock.yaml` is not part of the PR diff. - Rebased the branch onto current `public-gh/master` before publishing. ## Risks - Broad authz tightening may expose existing flows that were relying on permissive board or agent access and now need explicit grants. - Markdown editor fallback changes could affect focus or rendering in edge-case content that mixes HTML-like advisory markup with normal markdown. - This verification was intentionally scoped to touched regressions and did not run the full repository suite. ## Model Used - OpenAI Codex, GPT-5-based coding agent in the Codex CLI environment with tool use for terminal, git, and GitHub operations. The exact runtime model identifier is not exposed inside this session. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, it is behavior-only and does not need before/after screenshots - [x] I have updated relevant documentation to reflect my changes, or no documentation changes were needed for these internal fixes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
2026-04-15 08:41:15 -05:00
import { randomUUID } from "node:crypto";
import { afterAll, afterEach, beforeAll, describe, expect, it } from "vitest";
import {
agents,
companies,
createDb,
executionWorkspaces,
issues,
projectWorkspaces,
projects,
} from "@paperclipai/db";
import {
getEmbeddedPostgresTestSupport,
startEmbeddedPostgresTestDatabase,
} from "./helpers/embedded-postgres.js";
import {
assertCanManageExecutionWorkspaceRuntimeServices,
assertCanManageProjectWorkspaceRuntimeServices,
} from "../routes/workspace-runtime-service-authz.js";
const embeddedPostgresSupport = await getEmbeddedPostgresTestSupport();
const describeEmbeddedPostgres = embeddedPostgresSupport.supported ? describe : describe.skip;
if (!embeddedPostgresSupport.supported) {
console.warn(
`Skipping embedded Postgres workspace runtime auth tests on this host: ${embeddedPostgresSupport.reason ?? "unsupported environment"}`,
);
}
describeEmbeddedPostgres("workspace runtime service authz helper", () => {
let db!: ReturnType<typeof createDb>;
let tempDb: Awaited<ReturnType<typeof startEmbeddedPostgresTestDatabase>> | null = null;
beforeAll(async () => {
tempDb = await startEmbeddedPostgresTestDatabase("paperclip-workspace-runtime-authz-");
db = createDb(tempDb.connectionString);
}, 20_000);
afterEach(async () => {
await db.delete(issues);
await db.delete(executionWorkspaces);
await db.delete(projectWorkspaces);
await db.delete(projects);
await db.delete(agents);
await db.delete(companies);
});
afterAll(async () => {
await tempDb?.cleanup();
});
async function seedCompany() {
const companyId = randomUUID();
await db.insert(companies).values({
id: companyId,
name: "Paperclip",
issuePrefix: `PAP-${companyId.slice(0, 8)}`,
requireBoardApprovalForNewAgents: false,
});
return companyId;
}
async function seedProjectWorkspace(companyId: string) {
const projectId = randomUUID();
const projectWorkspaceId = randomUUID();
await db.insert(projects).values({
id: projectId,
companyId,
name: "Workspace authz",
status: "in_progress",
});
await db.insert(projectWorkspaces).values({
id: projectWorkspaceId,
companyId,
projectId,
name: "Primary",
sourceType: "local_path",
cwd: "/tmp/paperclip-authz-project",
isPrimary: true,
});
return { projectId, projectWorkspaceId };
}
async function seedExecutionWorkspace(companyId: string, projectId: string, projectWorkspaceId: string) {
const executionWorkspaceId = randomUUID();
await db.insert(executionWorkspaces).values({
id: executionWorkspaceId,
companyId,
projectId,
projectWorkspaceId,
mode: "isolated_workspace",
strategyType: "git_worktree",
name: "Execution workspace",
status: "active",
providerType: "local_fs",
cwd: "/tmp/paperclip-authz-execution",
});
return executionWorkspaceId;
}
async function seedAgent(
companyId: string,
input: { role?: string; reportsTo?: string | null; name?: string } = {},
) {
const agentId = randomUUID();
await db.insert(agents).values({
id: agentId,
companyId,
name: input.name ?? "Agent",
role: input.role ?? "engineer",
reportsTo: input.reportsTo ?? null,
});
return agentId;
}
it("allows board actors to manage project workspace runtime services", async () => {
const companyId = await seedCompany();
const { projectWorkspaceId } = await seedProjectWorkspace(companyId);
await expect(assertCanManageProjectWorkspaceRuntimeServices(db, {
actor: {
type: "board",
userId: "board-1",
companyIds: [companyId],
source: "session",
isInstanceAdmin: false,
},
} as any, {
companyId,
projectWorkspaceId,
})).resolves.toBeUndefined();
});
it("allows CEO agents to manage any project workspace runtime services in their company", async () => {
const companyId = await seedCompany();
const { projectWorkspaceId } = await seedProjectWorkspace(companyId);
const ceoAgentId = await seedAgent(companyId, { role: "ceo", name: "CEO" });
await expect(assertCanManageProjectWorkspaceRuntimeServices(db, {
actor: {
type: "agent",
agentId: ceoAgentId,
companyId,
source: "agent_key",
},
} as any, {
companyId,
projectWorkspaceId,
})).resolves.toBeUndefined();
});
it("allows agents with a non-terminal assigned issue in the target project workspace", async () => {
const companyId = await seedCompany();
const { projectId, projectWorkspaceId } = await seedProjectWorkspace(companyId);
const agentId = await seedAgent(companyId, { name: "Engineer" });
await db.insert(issues).values({
id: randomUUID(),
companyId,
projectId,
projectWorkspaceId,
title: "Use this workspace",
status: "todo",
priority: "medium",
assigneeAgentId: agentId,
});
await expect(assertCanManageProjectWorkspaceRuntimeServices(db, {
actor: {
type: "agent",
agentId,
companyId,
source: "agent_key",
},
} as any, {
companyId,
projectWorkspaceId,
})).resolves.toBeUndefined();
});
it("allows managers to manage execution workspace runtime services for their reporting subtree", async () => {
const companyId = await seedCompany();
const { projectId, projectWorkspaceId } = await seedProjectWorkspace(companyId);
const executionWorkspaceId = await seedExecutionWorkspace(companyId, projectId, projectWorkspaceId);
const managerId = await seedAgent(companyId, { role: "cto", name: "Manager" });
const reportId = await seedAgent(companyId, { reportsTo: managerId, name: "Report" });
await db.insert(issues).values({
id: randomUUID(),
companyId,
projectId,
projectWorkspaceId,
executionWorkspaceId,
title: "Use execution workspace",
status: "in_progress",
priority: "medium",
assigneeAgentId: reportId,
});
await expect(assertCanManageExecutionWorkspaceRuntimeServices(db, {
actor: {
type: "agent",
agentId: managerId,
companyId,
source: "agent_key",
},
} as any, {
companyId,
executionWorkspaceId,
})).resolves.toBeUndefined();
});
it("rejects unrelated same-company agents without matching workspace assignments", async () => {
const companyId = await seedCompany();
const { projectId, projectWorkspaceId } = await seedProjectWorkspace(companyId);
const executionWorkspaceId = await seedExecutionWorkspace(companyId, projectId, projectWorkspaceId);
const assignedAgentId = await seedAgent(companyId, { name: "Assigned" });
const unrelatedAgentId = await seedAgent(companyId, { name: "Unrelated" });
await db.insert(issues).values({
id: randomUUID(),
companyId,
projectId,
projectWorkspaceId,
executionWorkspaceId,
title: "Assigned issue",
status: "todo",
priority: "medium",
assigneeAgentId: assignedAgentId,
});
await expect(assertCanManageExecutionWorkspaceRuntimeServices(db, {
actor: {
type: "agent",
agentId: unrelatedAgentId,
companyId,
source: "agent_key",
},
} as any, {
companyId,
executionWorkspaceId,
})).rejects.toMatchObject({
status: 403,
message: "Missing permission to manage workspace runtime services",
});
});
it("rejects completed workspace assignments so stale issues do not keep access alive", async () => {
const companyId = await seedCompany();
const { projectId, projectWorkspaceId } = await seedProjectWorkspace(companyId);
const agentId = await seedAgent(companyId, { name: "Engineer" });
await db.insert(issues).values({
id: randomUUID(),
companyId,
projectId,
projectWorkspaceId,
title: "Completed issue",
status: "done",
priority: "medium",
assigneeAgentId: agentId,
});
await expect(assertCanManageProjectWorkspaceRuntimeServices(db, {
actor: {
type: "agent",
agentId,
companyId,
source: "agent_key",
},
} as any, {
companyId,
projectWorkspaceId,
})).rejects.toMatchObject({
status: 403,
message: "Missing permission to manage workspace runtime services",
});
});
});
Reference in a new issue Copy permalink