2026-03-18 21:54:10 -05:00
|
|
|
import express from "express";
|
|
|
|
|
import request from "supertest";
|
|
|
|
|
import { beforeEach, describe, expect, it, vi } from "vitest";
|
|
|
|
|
|
|
|
|
|
const mockCompanyService = vi.hoisted(() => ({
|
|
|
|
|
list: vi.fn(),
|
|
|
|
|
stats: vi.fn(),
|
|
|
|
|
getById: vi.fn(),
|
|
|
|
|
create: vi.fn(),
|
|
|
|
|
update: vi.fn(),
|
|
|
|
|
archive: vi.fn(),
|
|
|
|
|
remove: vi.fn(),
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
const mockAgentService = vi.hoisted(() => ({
|
|
|
|
|
getById: vi.fn(),
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
const mockAccessService = vi.hoisted(() => ({
|
|
|
|
|
ensureMembership: vi.fn(),
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
const mockBudgetService = vi.hoisted(() => ({
|
|
|
|
|
upsertPolicy: vi.fn(),
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
const mockCompanyPortabilityService = vi.hoisted(() => ({
|
|
|
|
|
exportBundle: vi.fn(),
|
|
|
|
|
previewExport: vi.fn(),
|
|
|
|
|
previewImport: vi.fn(),
|
|
|
|
|
importBundle: vi.fn(),
|
|
|
|
|
}));
|
|
|
|
|
|
|
|
|
|
const mockLogActivity = vi.hoisted(() => vi.fn());
|
2026-04-02 09:11:49 -05:00
|
|
|
const mockFeedbackService = vi.hoisted(() => ({
|
|
|
|
|
listIssueVotesForUser: vi.fn(),
|
|
|
|
|
listFeedbackTraces: vi.fn(),
|
|
|
|
|
getFeedbackTraceById: vi.fn(),
|
|
|
|
|
saveIssueVote: vi.fn(),
|
|
|
|
|
}));
|
2026-03-18 21:54:10 -05:00
|
|
|
|
2026-04-09 06:12:39 -05:00
|
|
|
function registerServiceMocks() {
|
|
|
|
|
vi.doMock("../services/index.js", () => ({
|
|
|
|
|
accessService: () => mockAccessService,
|
|
|
|
|
agentService: () => mockAgentService,
|
|
|
|
|
budgetService: () => mockBudgetService,
|
|
|
|
|
companyPortabilityService: () => mockCompanyPortabilityService,
|
|
|
|
|
companyService: () => mockCompanyService,
|
|
|
|
|
feedbackService: () => mockFeedbackService,
|
|
|
|
|
logActivity: mockLogActivity,
|
|
|
|
|
}));
|
|
|
|
|
}
|
2026-03-18 21:54:10 -05:00
|
|
|
|
2026-03-20 16:40:27 -05:00
|
|
|
async function createApp(actor: Record<string, unknown>) {
|
|
|
|
|
const { companyRoutes } = await import("../routes/companies.js");
|
|
|
|
|
const { errorHandler } = await import("../middleware/index.js");
|
2026-03-18 21:54:10 -05:00
|
|
|
const app = express();
|
|
|
|
|
app.use(express.json());
|
|
|
|
|
app.use((req, _res, next) => {
|
|
|
|
|
(req as any).actor = actor;
|
|
|
|
|
next();
|
|
|
|
|
});
|
|
|
|
|
app.use("/api/companies", companyRoutes({} as any));
|
|
|
|
|
app.use(errorHandler);
|
|
|
|
|
return app;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
describe("company portability routes", () => {
|
|
|
|
|
beforeEach(() => {
|
2026-03-20 16:40:27 -05:00
|
|
|
vi.resetModules();
|
2026-04-09 06:12:39 -05:00
|
|
|
registerServiceMocks();
|
|
|
|
|
vi.resetAllMocks();
|
2026-03-18 21:54:10 -05:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it("rejects non-CEO agents from CEO-safe export preview routes", async () => {
|
|
|
|
|
mockAgentService.getById.mockResolvedValue({
|
|
|
|
|
id: "agent-1",
|
|
|
|
|
companyId: "11111111-1111-4111-8111-111111111111",
|
|
|
|
|
role: "engineer",
|
|
|
|
|
});
|
2026-03-20 16:40:27 -05:00
|
|
|
const app = await createApp({
|
2026-03-18 21:54:10 -05:00
|
|
|
type: "agent",
|
|
|
|
|
agentId: "agent-1",
|
|
|
|
|
companyId: "11111111-1111-4111-8111-111111111111",
|
|
|
|
|
source: "agent_key",
|
|
|
|
|
runId: "run-1",
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const res = await request(app)
|
|
|
|
|
.post("/api/companies/11111111-1111-4111-8111-111111111111/exports/preview")
|
|
|
|
|
.send({ include: { company: true, agents: true, projects: true } });
|
|
|
|
|
|
|
|
|
|
expect(res.status).toBe(403);
|
|
|
|
|
expect(res.body.error).toContain("Only CEO agents");
|
|
|
|
|
expect(mockCompanyPortabilityService.previewExport).not.toHaveBeenCalled();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it("allows CEO agents to use company-scoped export preview routes", async () => {
|
|
|
|
|
mockAgentService.getById.mockResolvedValue({
|
|
|
|
|
id: "agent-1",
|
|
|
|
|
companyId: "11111111-1111-4111-8111-111111111111",
|
|
|
|
|
role: "ceo",
|
|
|
|
|
});
|
|
|
|
|
mockCompanyPortabilityService.previewExport.mockResolvedValue({
|
|
|
|
|
rootPath: "paperclip",
|
2026-03-20 06:20:30 -05:00
|
|
|
manifest: { agents: [], skills: [], projects: [], issues: [], envInputs: [], includes: { company: true, agents: true, projects: true, issues: false, skills: false }, company: null, schemaVersion: 1, generatedAt: new Date().toISOString(), source: null },
|
2026-03-18 21:54:10 -05:00
|
|
|
files: {},
|
|
|
|
|
fileInventory: [],
|
|
|
|
|
counts: { files: 0, agents: 0, skills: 0, projects: 0, issues: 0 },
|
|
|
|
|
warnings: [],
|
|
|
|
|
paperclipExtensionPath: ".paperclip.yaml",
|
|
|
|
|
});
|
2026-03-20 16:40:27 -05:00
|
|
|
const app = await createApp({
|
2026-03-18 21:54:10 -05:00
|
|
|
type: "agent",
|
|
|
|
|
agentId: "agent-1",
|
|
|
|
|
companyId: "11111111-1111-4111-8111-111111111111",
|
|
|
|
|
source: "agent_key",
|
|
|
|
|
runId: "run-1",
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const res = await request(app)
|
|
|
|
|
.post("/api/companies/11111111-1111-4111-8111-111111111111/exports/preview")
|
|
|
|
|
.send({ include: { company: true, agents: true, projects: true } });
|
|
|
|
|
|
|
|
|
|
expect(res.status).toBe(200);
|
2026-04-09 07:07:08 -05:00
|
|
|
expect(res.body.rootPath).toBe("paperclip");
|
2026-03-18 21:54:10 -05:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it("rejects replace collision strategy on CEO-safe import routes", async () => {
|
|
|
|
|
mockAgentService.getById.mockResolvedValue({
|
|
|
|
|
id: "agent-1",
|
|
|
|
|
companyId: "11111111-1111-4111-8111-111111111111",
|
|
|
|
|
role: "ceo",
|
|
|
|
|
});
|
2026-03-20 16:40:27 -05:00
|
|
|
const app = await createApp({
|
2026-03-18 21:54:10 -05:00
|
|
|
type: "agent",
|
|
|
|
|
agentId: "agent-1",
|
|
|
|
|
companyId: "11111111-1111-4111-8111-111111111111",
|
|
|
|
|
source: "agent_key",
|
|
|
|
|
runId: "run-1",
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const res = await request(app)
|
|
|
|
|
.post("/api/companies/11111111-1111-4111-8111-111111111111/imports/preview")
|
|
|
|
|
.send({
|
|
|
|
|
source: { type: "inline", files: { "COMPANY.md": "---\nname: Test\n---\n" } },
|
|
|
|
|
include: { company: true, agents: true, projects: false, issues: false },
|
|
|
|
|
target: { mode: "existing_company", companyId: "11111111-1111-4111-8111-111111111111" },
|
|
|
|
|
collisionStrategy: "replace",
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(res.status).toBe(403);
|
|
|
|
|
expect(res.body.error).toContain("does not allow replace");
|
|
|
|
|
expect(mockCompanyPortabilityService.previewImport).not.toHaveBeenCalled();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it("keeps global import preview routes board-only", async () => {
|
2026-03-20 16:40:27 -05:00
|
|
|
const app = await createApp({
|
2026-03-18 21:54:10 -05:00
|
|
|
type: "agent",
|
|
|
|
|
agentId: "agent-1",
|
|
|
|
|
companyId: "11111111-1111-4111-8111-111111111111",
|
|
|
|
|
source: "agent_key",
|
|
|
|
|
runId: "run-1",
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const res = await request(app)
|
|
|
|
|
.post("/api/companies/import/preview")
|
|
|
|
|
.send({
|
|
|
|
|
source: { type: "inline", files: { "COMPANY.md": "---\nname: Test\n---\n" } },
|
|
|
|
|
include: { company: true, agents: true, projects: false, issues: false },
|
|
|
|
|
target: { mode: "existing_company", companyId: "11111111-1111-4111-8111-111111111111" },
|
|
|
|
|
collisionStrategy: "rename",
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(res.status).toBe(403);
|
|
|
|
|
expect(res.body.error).toContain("Board access required");
|
|
|
|
|
});
|
fix(authz): scope import, approvals, activity, and heartbeat routes (#3315)
## Thinking Path
> - Paperclip orchestrates AI agents and company-scoped control-plane
actions for zero-human companies.
> - This change touches the server authz boundary around company
portability, approvals, activity, and heartbeat-run operations.
> - The vulnerability was that board-authenticated callers could cross
company boundaries or create new companies through import paths without
the same authorization checks enforced elsewhere.
> - Once that gap existed, an attacker could chain it into higher-impact
behavior through agent execution paths.
> - The fix needed to harden every confirmed authorization gap in the
reported chain, not just the first route that exposed it.
> - This pull request adds the missing instance-admin and company-access
checks and adds regression tests for each affected route.
> - The benefit is that cross-company actions and new-company import
flows now follow the same control-plane authorization rules as the rest
of the product.
## What Changed
- Required instance-admin access for `new_company` import preview/apply
flows in `server/src/routes/companies.ts`.
- Required company access before approval decision routes in
`server/src/routes/approvals.ts`.
- Required company access for activity creation and heartbeat-run issue
listing in `server/src/routes/activity.ts`.
- Required company access before heartbeat cancellation in
`server/src/routes/agents.ts`.
- Added regression coverage in the corresponding server route tests.
## Verification
- `pnpm --filter @paperclipai/server exec vitest run
src/__tests__/company-portability-routes.test.ts
src/__tests__/approval-routes-idempotency.test.ts
src/__tests__/activity-routes.test.ts
src/__tests__/agent-permissions-routes.test.ts`
- `pnpm --filter @paperclipai/server typecheck`
- Prior verification on the original security patch branch also included
`pnpm build`.
## Risks
- Low code risk: the change is narrow and only adds missing
authorization gates to existing routes.
- Operational risk: the advisory is already public, so this PR should be
merged quickly to minimize the public unpatched window.
- Residual product risk remains around open signup / bootstrap defaults,
which was intentionally left out of this patch because the current
first-user onboarding flow depends on it.
## Model Used
- OpenAI GPT-5 Codex coding agent with tool use and local code execution
in the Codex CLI environment.
## Checklist
- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [ ] If this change affects the UI, I have included before/after
screenshots
- [ ] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge
Co-authored-by: Forgotten <forgottenrunes@protonmail.com>
2026-04-10 11:55:27 -05:00
|
|
|
|
|
|
|
|
it("requires instance admin for new-company import preview", async () => {
|
|
|
|
|
const app = await createApp({
|
|
|
|
|
type: "board",
|
|
|
|
|
userId: "user-1",
|
|
|
|
|
companyIds: ["11111111-1111-4111-8111-111111111111"],
|
|
|
|
|
source: "session",
|
|
|
|
|
isInstanceAdmin: false,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const res = await request(app)
|
|
|
|
|
.post("/api/companies/import/preview")
|
|
|
|
|
.send({
|
|
|
|
|
source: { type: "inline", files: { "COMPANY.md": "---\nname: Test\n---\n" } },
|
|
|
|
|
include: { company: true, agents: true, projects: false, issues: false },
|
|
|
|
|
target: { mode: "new_company", newCompanyName: "Imported Test" },
|
|
|
|
|
collisionStrategy: "rename",
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(res.status).toBe(403);
|
|
|
|
|
expect(res.body.error).toContain("Instance admin");
|
|
|
|
|
expect(mockCompanyPortabilityService.previewImport).not.toHaveBeenCalled();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it("requires instance admin for new-company import apply", async () => {
|
|
|
|
|
const app = await createApp({
|
|
|
|
|
type: "board",
|
|
|
|
|
userId: "user-1",
|
|
|
|
|
companyIds: ["11111111-1111-4111-8111-111111111111"],
|
|
|
|
|
source: "session",
|
|
|
|
|
isInstanceAdmin: false,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const res = await request(app)
|
|
|
|
|
.post("/api/companies/import")
|
|
|
|
|
.send({
|
|
|
|
|
source: { type: "inline", files: { "COMPANY.md": "---\nname: Test\n---\n" } },
|
|
|
|
|
include: { company: true, agents: true, projects: false, issues: false },
|
|
|
|
|
target: { mode: "new_company", newCompanyName: "Imported Test" },
|
|
|
|
|
collisionStrategy: "rename",
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(res.status).toBe(403);
|
|
|
|
|
expect(res.body.error).toContain("Instance admin");
|
|
|
|
|
expect(mockCompanyPortabilityService.importBundle).not.toHaveBeenCalled();
|
|
|
|
|
});
|
2026-03-18 21:54:10 -05:00
|
|
|
});
|