ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-14 01:50:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

feat: implement multi-user access and invite flows (#3784)

Browse source 
## Thinking Path

> - Paperclip is the control plane for autonomous AI companies.
> - V1 needs to stay local-first while also supporting shared,
authenticated deployments.
> - Human operators need real identities, company membership, invite
flows, profile surfaces, and company-scoped access controls.
> - Agents and operators also need the existing issue, inbox, workspace,
approval, and plugin flows to keep working under those authenticated
boundaries.
> - This branch accumulated the multi-user implementation, follow-up QA
fixes, workspace/runtime refinements, invite UX improvements,
release-branch conflict resolution, and review hardening.
> - This pull request consolidates that branch onto the current `master`
branch as a single reviewable PR.
> - The benefit is a complete multi-user implementation path with tests
and docs carried forward without dropping existing branch work.

## What Changed

- Added authenticated human-user access surfaces: auth/session routes,
company user directory, profile settings, company access/member
management, join requests, and invite management.
- Added invite creation, invite landing, onboarding, logo/branding,
invite grants, deduped join requests, and authenticated multi-user E2E
coverage.
- Tightened company-scoped and instance-admin authorization across
board, plugin, adapter, access, issue, and workspace routes.
- Added profile-image URL validation hardening, avatar preservation on
name-only profile updates, and join-request uniqueness migration cleanup
for pending human requests.
- Added an atomic member role/status/grants update path so Company
Access saves no longer leave partially updated permissions.
- Improved issue chat, inbox, assignee identity rendering,
sidebar/account/company navigation, workspace routing, and execution
workspace reuse behavior for multi-user operation.
- Added and updated server/UI tests covering auth, invites, membership,
issue workspace inheritance, plugin authz, inbox/chat behavior, and
multi-user flows.
- Merged current `public-gh/master` into this branch, resolved all
conflicts, and verified no `pnpm-lock.yaml` change is included in this
PR diff.

## Verification

- `pnpm exec vitest run server/src/__tests__/issues-service.test.ts
ui/src/components/IssueChatThread.test.tsx ui/src/pages/Inbox.test.tsx`
- `pnpm run preflight:workspace-links && pnpm exec vitest run
server/src/__tests__/plugin-routes-authz.test.ts`
- `pnpm exec vitest run server/src/__tests__/plugin-routes-authz.test.ts
server/src/__tests__/workspace-runtime-service-authz.test.ts
server/src/__tests__/access-validators.test.ts`
- `pnpm exec vitest run
server/src/__tests__/authz-company-access.test.ts
server/src/__tests__/routines-routes.test.ts
server/src/__tests__/sidebar-preferences-routes.test.ts
server/src/__tests__/approval-routes-idempotency.test.ts
server/src/__tests__/openclaw-invite-prompt-route.test.ts
server/src/__tests__/agent-cross-tenant-authz-routes.test.ts
server/src/__tests__/routines-e2e.test.ts`
- `pnpm exec vitest run server/src/__tests__/auth-routes.test.ts
ui/src/pages/CompanyAccess.test.tsx`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/db typecheck && pnpm --filter @paperclipai/server
typecheck`
- `pnpm --filter @paperclipai/shared typecheck && pnpm --filter
@paperclipai/server typecheck`
- `pnpm --filter @paperclipai/ui typecheck`
- `pnpm db:generate`
- `npx playwright test --config tests/e2e/playwright.config.ts --list`
- Confirmed branch has no uncommitted changes and is `0` commits behind
`public-gh/master` before PR creation.
- Confirmed no `pnpm-lock.yaml` change is staged or present in the PR
diff.

## Risks

- High review surface area: this PR contains the accumulated multi-user
branch plus follow-up fixes, so reviewers should focus especially on
company-boundary enforcement and authenticated-vs-local deployment
behavior.
- UI behavior changed across invites, inbox, issue chat, access
settings, and sidebar navigation; no browser screenshots are included in
this branch-consolidation PR.
- Plugin install, upgrade, and lifecycle/config mutations now require
instance-admin access, which is intentional but may change expectations
for non-admin board users.
- A join-request dedupe migration rejects duplicate pending human
requests before creating unique indexes; deployments with unusual
historical duplicates should review the migration behavior.
- Company member role/status/grant saves now use a new combined
endpoint; older separate endpoints remain for compatibility.
- Full production build was not run locally in this heartbeat; CI should
cover the full matrix.

## Model Used

- OpenAI Codex coding agent, GPT-5-based model, CLI/tool-use
environment. Exact deployed model identifier and context window were not
exposed by the runtime.

## Checklist

- [x] I have included a thinking path that traces from project context
to this change
- [x] I have specified the model used (with version and capability
details)
- [x] I have run tests locally and they pass
- [x] I have added or updated tests where applicable
- [x] If this change affects the UI, I have included before/after
screenshots
- [x] I have updated relevant documentation to reflect my changes
- [x] I have considered and documented any risks above
- [x] I will address all Greptile and reviewer comments before
requesting merge

Note on screenshots: this is a branch-consolidation PR for an
already-developed multi-user branch, and no browser screenshots were
captured during this heartbeat.

---------

Co-authored-by: dotta <dotta@example.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Dotta 2026-04-17 09:44:19 -05:00 committed by GitHub
parent e93e418cbf
commit b9a80dcf22
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
150 changed files with 26872 additions and 1289 deletions
Download patch file Download diff file Expand all files Collapse all files

326
tests/e2e/multi-user-authenticated.spec.ts Normal file
View file

@ -0,0 +1,326 @@
import { execFileSync } from "node:child_process";
import { existsSync } from "node:fs";
import path from "node:path";
import { test, expect, type Browser, type Page } from "@playwright/test";
const BASE = process.env.PAPERCLIP_E2E_BASE_URL ?? "http://127.0.0.1:3105";
const DATA_DIR = process.env.PAPERCLIP_E2E_DATA_DIR ?? process.env.PAPERCLIP_HOME;
const CONFIG_PATH = process.env.PAPERCLIP_E2E_CONFIG_PATH ?? path.resolve(process.cwd(), ".paperclip/config.json");
const BOOTSTRAP_SCRIPT_PATH = path.resolve(process.cwd(), "packages/db/scripts/create-auth-bootstrap-invite.ts");
const OWNER_PASSWORD = "paperclip-owner-password";
const INVITED_PASSWORD = "paperclip-invited-password";
type HumanUser = {
name: string;
email: string;
password: string;
};
type CompanySummary = {
id: string;
name: string;
issuePrefix?: string | null;
};
type CompanyMember = {
id: string;
membershipRole: "owner" | "admin" | "operator" | "viewer";
status: "pending" | "active" | "suspended";
user: { id: string; email: string | null; name: string | null } | null;
};
type SessionJsonResponse<T> = {
ok: boolean;
status: number;
text: string;
json: T | null;
};
const runId = Date.now();
const companyName = `MU-Auth-${runId}`;
const ownerUser: HumanUser = {
name: "Owner User",
email: `owner-${runId}@paperclip.local`,
password: OWNER_PASSWORD,
};
const invitedUser: HumanUser = {
name: "Invited User",
email: `invitee-${runId}@paperclip.local`,
password: INVITED_PASSWORD,
};
function createBootstrapInvite() {
if (!DATA_DIR) {
throw new Error("PAPERCLIP_E2E_DATA_DIR or PAPERCLIP_HOME is required for authenticated bootstrap tests");
}
if (!existsSync(CONFIG_PATH)) {
throw new Error(`Authenticated bootstrap config not found at ${CONFIG_PATH}`);
}
if (!existsSync(BOOTSTRAP_SCRIPT_PATH)) {
throw new Error(`Authenticated bootstrap helper not found at ${BOOTSTRAP_SCRIPT_PATH}`);
}
const pnpmCommand = process.platform === "win32" ? "pnpm.cmd" : "pnpm";
return execFileSync(
pnpmCommand,
[
"--filter",
"@paperclipai/db",
"exec",
"tsx",
BOOTSTRAP_SCRIPT_PATH,
"--config",
CONFIG_PATH,
"--base-url",
BASE,
],
{
cwd: process.cwd(),
env: {
...process.env,
FORCE_COLOR: "0",
NO_COLOR: "1",
PAPERCLIP_HOME: DATA_DIR,
},
encoding: "utf8",
stdio: ["ignore", "pipe", "pipe"],
}
).trim();
}
async function signUp(page: Page, user: HumanUser) {
await page.goto(`${BASE}/auth`);
await expect(page.getByRole("heading", { name: "Sign in to Paperclip" })).toBeVisible();
await page.getByRole("button", { name: "Create one" }).click();
await expect(page.getByRole("heading", { name: "Create your Paperclip account" })).toBeVisible();
await page.getByLabel("Name").fill(user.name);
await page.getByLabel("Email").fill(user.email);
await page.getByLabel("Password").fill(user.password);
await page.getByRole("button", { name: "Create Account" }).click();
await expect(page).not.toHaveURL(/\/auth/, { timeout: 20_000 });
}
async function acceptBootstrapInvite(page: Page, inviteUrl: string) {
await page.goto(inviteUrl);
await expect(page.getByRole("heading", { name: "Bootstrap your Paperclip instance" })).toBeVisible();
await page.getByRole("button", { name: "Accept bootstrap invite" }).click();
await expect(page.getByRole("heading", { name: "Bootstrap complete" })).toBeVisible({
timeout: 20_000,
});
await page.getByRole("link", { name: "Open board" }).click();
}
async function createCompanyForSession(page: Page, nextCompanyName: string) {
const createRes = await sessionJsonRequest<CompanySummary>(page, `${BASE}/api/companies`, {
method: "POST",
data: { name: nextCompanyName },
});
expect(createRes.ok).toBe(true);
expect(createRes.json).toBeTruthy();
return createRes.json!;
}
async function createAuthenticatedInvite(page: Page, companyPrefix: string) {
await page.goto(`${BASE}/${companyPrefix}/company/settings`);
await expect(page.getByTestId("company-settings-invites-section")).toBeVisible({
timeout: 20_000,
});
await page.getByTestId("company-settings-human-invite-role").selectOption("operator");
await page.getByTestId("company-settings-create-human-invite").click();
const inviteField = page.getByTestId("company-settings-human-invite-url");
await expect(inviteField).toBeVisible({ timeout: 20_000 });
return (await inviteField.inputValue()).trim();
}
async function signUpFromInvite(page: Page, inviteUrl: string, user: HumanUser) {
await page.goto(inviteUrl);
await expect(page.getByText("Sign in or create an account before submitting a human join request.")).toBeVisible();
await page.getByRole("link", { name: "Sign in / Create account" }).click();
await expect(page).toHaveURL(/\/auth\?next=/);
await expect(page.getByRole("heading", { name: "Sign in to Paperclip" })).toBeVisible();
await page.getByRole("button", { name: "Create one" }).click();
await page.getByLabel("Name").fill(user.name);
await page.getByLabel("Email").fill(user.email);
await page.getByLabel("Password").fill(user.password);
await page.getByRole("button", { name: "Create Account" }).click();
await expect(page).toHaveURL(new RegExp(`/invite/[^/]+$`), { timeout: 20_000 });
}
async function acceptHumanInvite(page: Page) {
await expect(page.getByRole("button", { name: "Join company" })).toBeEnabled();
await page.getByRole("button", { name: "Join company" }).click();
await expect(page.getByRole("heading", { name: "You joined the company" })).toBeVisible({
timeout: 20_000,
});
await page.getByRole("link", { name: "Open board" }).click();
}
async function sessionJsonRequest<T>(
page: Page,
url: string,
options: {
method?: string;
data?: unknown;
} = {}
) {
return page.evaluate(
async ({ url: targetUrl, method, data }) => {
const response = await fetch(targetUrl, {
method,
credentials: "include",
headers: data === undefined ? undefined : { "Content-Type": "application/json" },
body: data === undefined ? undefined : JSON.stringify(data),
});
const text = await response.text();
let json: unknown = null;
if (text.length > 0) {
try {
json = JSON.parse(text);
} catch {
json = null;
}
}
return {
ok: response.ok,
status: response.status,
text,
json,
};
},
{
url,
method: options.method ?? "GET",
data: options.data,
}
) as Promise<SessionJsonResponse<T>>;
}
async function waitForMember(page: Page, companyId: string, email: string) {
let member: CompanyMember | null = null;
await expect
.poll(
async () => {
const membersRes = await sessionJsonRequest<{ members: CompanyMember[] }>(
page,
`${BASE}/api/companies/${companyId}/members`
);
expect(membersRes.ok).toBe(true);
const body = membersRes.json;
if (!body) return null;
member = body.members.find((entry) => entry.user?.email === email) ?? null;
return member;
},
{
timeout: 20_000,
intervals: [500, 1_000, 2_000],
}
)
.toMatchObject({
status: "active",
membershipRole: "operator",
user: { email },
});
return member!;
}
async function waitForMemberRole(
page: Page,
companyId: string,
memberId: string,
membershipRole: CompanyMember["membershipRole"]
) {
await expect
.poll(
async () => {
const membersRes = await sessionJsonRequest<{ members: CompanyMember[] }>(
page,
`${BASE}/api/companies/${companyId}/members`
);
expect(membersRes.ok).toBe(true);
const body = membersRes.json;
if (!body) return null;
return body.members.find((member) => member.id === memberId) ?? null;
},
{
timeout: 20_000,
intervals: [500, 1_000, 2_000],
}
)
.toMatchObject({
id: memberId,
membershipRole,
});
}
async function newPage(browser: Browser) {
const context = await browser.newContext();
const page = await context.newPage();
return { context, page };
}
test.describe("Multi-user: authenticated mode", () => {
test("authenticated humans can bootstrap, invite, join, and respect viewer restrictions", async ({
browser,
page,
}) => {
test.setTimeout(180_000);
const healthRes = await page.request.get(`${BASE}/api/health`);
expect(healthRes.ok()).toBe(true);
const health = (await healthRes.json()) as {
deploymentMode?: string;
bootstrapStatus?: string;
};
expect(health.deploymentMode).toBe("authenticated");
await signUp(page, ownerUser);
await acceptBootstrapInvite(page, createBootstrapInvite());
const company = await createCompanyForSession(page, companyName);
const companyPrefix = company.issuePrefix ?? company.id;
await page.goto(`${BASE}/${companyPrefix}/dashboard`);
await expect(page.getByTestId("layout-account-menu-trigger")).toContainText(ownerUser.name);
await page.getByTestId("layout-account-menu-trigger").click();
await expect(page.getByText(ownerUser.email)).toBeVisible();
const inviteUrl = await createAuthenticatedInvite(page, companyPrefix);
const invited = await newPage(browser);
try {
await signUpFromInvite(invited.page, inviteUrl, invitedUser);
await acceptHumanInvite(invited.page);
await expect(invited.page).not.toHaveURL(/\/auth/, { timeout: 10_000 });
const joinedMember = await waitForMember(page, company.id, invitedUser.email);
await page.goto(`${BASE}/${companyPrefix}/company/settings`);
const roleSelect = page.getByTestId(`company-settings-member-role-${joinedMember.id}`);
await expect(roleSelect).toBeVisible({ timeout: 20_000 });
await roleSelect.selectOption("viewer");
await expect(roleSelect).toHaveValue("viewer");
await waitForMemberRole(page, company.id, joinedMember.id, "viewer");
await invited.page.goto(`${BASE}/${companyPrefix}/company/settings`);
await expect(
invited.page.getByText("Your current company role cannot create human invites.")
).toBeVisible({ timeout: 20_000 });
await expect(
invited.page.getByTestId("company-settings-create-human-invite")
).toHaveCount(0);
const forbiddenInviteRes = await sessionJsonRequest(
invited.page,
`${BASE}/api/companies/${company.id}/invites`,
{
method: "POST",
data: {
allowedJoinTypes: "human",
humanRole: "viewer",
},
}
);
expect(forbiddenInviteRes.status).toBe(403);
} finally {
await invited.context.close();
}
});
});

518
tests/e2e/multi-user.spec.ts Normal file
View file

@ -0,0 +1,518 @@
import { test, expect, type Page, type APIRequestContext } from "@playwright/test";
/**
* E2E: Multi-user implementation tests (local_trusted mode).
*
* Covers:
* 1. Company member management API (list, update role, suspend)
* 2. Human invite creation and acceptance API
* 3. Company Settings UI member list, role editing, invite creation
* 4. Invite landing page UI
* 5. Role-based access control (viewer read-only)
* 6. Last-owner protection
*/
const BASE = process.env.PAPERCLIP_E2E_BASE_URL ?? "http://127.0.0.1:3104";
// ---------------------------------------------------------------------------
// Helpers
// ---------------------------------------------------------------------------
/** Ensure the server is bootstrapped (claimed) before running tests. */
async function ensureBootstrapped(request: APIRequestContext): Promise<void> {
const healthRes = await request.get(`${BASE}/api/health`);
const health = await healthRes.json();
if (health.bootstrapStatus === "ready") return;
// If bootstrap_pending, we need to use the claim token from the bootstrap invite.
// In local_trusted mode, just try hitting companies — that should auto-bootstrap.
if (health.deploymentMode === "local_trusted") {
// local_trusted should work without explicit bootstrap
return;
}
}
/** Create a company via the onboarding wizard API shortcut. */
async function createCompanyViaWizard(
request: APIRequestContext,
name: string
): Promise<{ companyId: string; agentId: string; prefix: string }> {
await ensureBootstrapped(request);
const createRes = await request.post(`${BASE}/api/companies`, {
data: { name },
});
if (!createRes.ok()) {
const errText = await createRes.text();
throw new Error(
`Failed to create company (${createRes.status()}): ${errText}`
);
}
const company = await createRes.json();
// Create a CEO agent
const agentRes = await request.post(
`${BASE}/api/companies/${company.id}/agents`,
{
data: {
name: "CEO",
role: "ceo",
title: "CEO",
adapterType: "claude_local",
},
}
);
expect(agentRes.ok()).toBe(true);
const agent = await agentRes.json();
return {
companyId: company.id,
agentId: agent.id,
prefix: company.issuePrefix ?? company.id,
};
}
/** Create a human invite and return token + invite URL. */
async function createHumanInvite(
request: APIRequestContext,
companyId: string,
role: string = "operator"
): Promise<{ token: string; inviteUrl: string; inviteId: string }> {
const res = await request.post(
`${BASE}/api/companies/${companyId}/invites`,
{
data: {
allowedJoinTypes: "human",
humanRole: role,
},
}
);
expect(res.ok()).toBe(true);
const body = await res.json();
return {
token: body.token,
inviteUrl: body.inviteUrl,
inviteId: body.id,
};
}
// ---------------------------------------------------------------------------
// Tests
// ---------------------------------------------------------------------------
test.describe("Multi-user: API", () => {
let companyId: string;
test.beforeAll(async ({ request }) => {
const result = await createCompanyViaWizard(
request,
`MU-API-${Date.now()}`
);
companyId = result.companyId;
});
test("GET /companies/:id/members returns member list with access info", async ({
request,
}) => {
const res = await request.get(
`${BASE}/api/companies/${companyId}/members`
);
expect(res.ok()).toBe(true);
const body = await res.json();
expect(body).toHaveProperty("members");
expect(body).toHaveProperty("access");
expect(Array.isArray(body.members)).toBe(true);
expect(body.access).toHaveProperty("currentUserRole");
expect(body.access).toHaveProperty("canManageMembers");
expect(body.access).toHaveProperty("canInviteUsers");
});
test("POST /companies/:id/invites creates a human invite with role", async ({
request,
}) => {
const res = await request.post(
`${BASE}/api/companies/${companyId}/invites`,
{
data: {
allowedJoinTypes: "human",
humanRole: "operator",
},
}
);
expect(res.ok()).toBe(true);
const body = await res.json();
expect(body).toHaveProperty("token");
expect(body).toHaveProperty("inviteUrl");
expect(body.allowedJoinTypes).toBe("human");
expect(body.inviteUrl).toContain("/invite/");
});
test("GET /invites/:token returns invite summary", async ({ request }) => {
const invite = await createHumanInvite(request, companyId, "viewer");
const res = await request.get(`${BASE}/api/invites/${invite.token}`);
expect(res.ok()).toBe(true);
const body = await res.json();
expect(body).toHaveProperty("companyId");
expect(body).toHaveProperty("allowedJoinTypes");
expect(body.allowedJoinTypes).toBe("human");
expect(body).toHaveProperty("inviteType");
expect(body.inviteType).toBe("company_join");
});
test("POST /invites/:token/accept (human) creates membership", async ({
request,
}) => {
const invite = await createHumanInvite(request, companyId, "operator");
const acceptRes = await request.post(
`${BASE}/api/invites/${invite.token}/accept`,
{
data: { requestType: "human" },
}
);
expect(acceptRes.ok()).toBe(true);
const body = await acceptRes.json();
// In local_trusted, human accept should succeed
expect(body).toHaveProperty("id");
});
test("POST /invites/:token/accept rejects agent on human-only invite", async ({
request,
}) => {
const invite = await createHumanInvite(request, companyId, "operator");
const acceptRes = await request.post(
`${BASE}/api/invites/${invite.token}/accept`,
{
data: { requestType: "agent", agentName: "Rogue" },
}
);
expect(acceptRes.ok()).toBe(false);
expect(acceptRes.status()).toBe(400);
});
test("POST /companies/:id/invites supports all four roles", async ({
request,
}) => {
for (const role of ["owner", "admin", "operator", "viewer"]) {
const res = await request.post(
`${BASE}/api/companies/${companyId}/invites`,
{
data: { allowedJoinTypes: "human", humanRole: role },
}
);
expect(res.ok()).toBe(true);
const body = await res.json();
expect(body.token).toBeTruthy();
}
});
test("PATCH /companies/:id/members/:memberId cannot remove last owner", async ({
request,
}) => {
// Create a fresh company for this test
const fresh = await createCompanyViaWizard(
request,
`MU-LastOwner-${Date.now()}`
);
// First promote the local-board member to owner
const membersRes = await request.get(
`${BASE}/api/companies/${fresh.companyId}/members`
);
const { members } = await membersRes.json();
// Find the board member (should be the only one)
const boardMember = members.find(
(m: { principalId: string }) => m.principalId === "local-board"
);
if (!boardMember) {
test.skip();
return;
}
// Promote to owner first
const promoteRes = await request.patch(
`${BASE}/api/companies/${fresh.companyId}/members/${boardMember.id}`,
{ data: { membershipRole: "owner" } }
);
expect(promoteRes.ok()).toBe(true);
// Now try to demote the last (and only) owner to operator — should fail
const demoteRes = await request.patch(
`${BASE}/api/companies/${fresh.companyId}/members/${boardMember.id}`,
{ data: { membershipRole: "operator" } }
);
expect(demoteRes.status()).toBe(409);
const errBody = await demoteRes.json();
expect(JSON.stringify(errBody)).toContain("last active owner");
});
test("POST /companies/:id/openclaw/invite-prompt creates agent invite", async ({
request,
}) => {
const res = await request.post(
`${BASE}/api/companies/${companyId}/openclaw/invite-prompt`,
{
data: { agentMessage: "E2E test agent invite" },
}
);
expect(res.ok()).toBe(true);
const body = await res.json();
expect(body).toHaveProperty("token");
expect(body).toHaveProperty("inviteUrl");
expect(body.allowedJoinTypes).toBe("agent");
});
});
test.describe("Multi-user: Company Settings UI", () => {
let companyId: string;
let companyPrefix: string;
test.beforeAll(async ({ request }) => {
const result = await createCompanyViaWizard(
request,
`MU-UI-${Date.now()}`
);
companyId = result.companyId;
companyPrefix = result.prefix;
});
test("shows Team and Invites sections on settings page", async ({ page }) => {
await page.goto(`${BASE}/${companyPrefix}/company/settings`);
await page.waitForLoadState("networkidle");
await expect(page.getByTestId("company-settings-invites-section")).toBeVisible({
timeout: 10_000,
});
await expect(page.getByTestId("company-settings-team-section")).toBeVisible({
timeout: 10_000,
});
});
test("shows human invite creation controls", async ({ page }) => {
await page.goto(`${BASE}/${companyPrefix}/company/settings`);
await page.waitForLoadState("networkidle");
const inviteButton = page.getByTestId("company-settings-create-human-invite");
await expect(inviteButton).toBeVisible({ timeout: 10_000 });
const roleSelect = page.getByTestId("company-settings-human-invite-role");
await expect(roleSelect).toBeVisible();
});
test("can create human invite and shows URL", async ({ page }) => {
await page.goto(`${BASE}/${companyPrefix}/company/settings`);
await page.waitForLoadState("networkidle");
const inviteButton = page.getByTestId("company-settings-create-human-invite");
await expect(inviteButton).toBeVisible({ timeout: 10_000 });
await inviteButton.click();
await expect(page.getByTestId("company-settings-human-invite-url")).toBeVisible({
timeout: 10_000,
});
});
});
test.describe("Multi-user: Invite Landing UI", () => {
let companyId: string;
let inviteToken: string;
test.beforeAll(async ({ request }) => {
const result = await createCompanyViaWizard(
request,
`MU-Invite-${Date.now()}`
);
companyId = result.companyId;
const invite = await createHumanInvite(request, companyId, "operator");
inviteToken = invite.token;
});
test("invite landing page loads with join options", async ({ page }) => {
await page.goto(`${BASE}/invite/${inviteToken}`);
await page.waitForLoadState("networkidle");
// Should show the invite landing page heading
await expect(
page.getByRole("heading", { name: /join/i })
).toBeVisible({ timeout: 10_000 });
});
test("invite landing shows human join type", async ({ page }) => {
await page.goto(`${BASE}/invite/${inviteToken}`);
await page.waitForLoadState("networkidle");
// For a human-only invite, should show human join option
const humanOption = page.locator("text=/human/i");
await expect(humanOption).toBeVisible({ timeout: 10_000 });
});
test("expired/invalid invite token returns error", async ({ page }) => {
await page.goto(`${BASE}/invite/invalid-token-e2e-test`);
await page.waitForLoadState("networkidle");
await expect(page.getByTestId("invite-error")).toBeVisible({ timeout: 10_000 });
});
});
test.describe("Multi-user: Member role management API", () => {
let companyId: string;
test.beforeAll(async ({ request }) => {
const result = await createCompanyViaWizard(
request,
`MU-Roles-${Date.now()}`
);
companyId = result.companyId;
});
test("invite + accept creates member with correct role", async ({
request,
}) => {
// Create invite for 'viewer' role
const invite = await createHumanInvite(request, companyId, "viewer");
// Accept the invite
const acceptRes = await request.post(
`${BASE}/api/invites/${invite.token}/accept`,
{ data: { requestType: "human" } }
);
expect(acceptRes.ok()).toBe(true);
// Check members list
const membersRes = await request.get(
`${BASE}/api/companies/${companyId}/members`
);
const { members } = await membersRes.json();
// Should have at least one member (the creator/local-board)
expect(members.length).toBeGreaterThanOrEqual(1);
});
test("PATCH member role updates correctly", async ({ request }) => {
// First create an invite and accept it to get a second member
const invite = await createHumanInvite(request, companyId, "operator");
const acceptRes = await request.post(
`${BASE}/api/invites/${invite.token}/accept`,
{ data: { requestType: "human" } }
);
expect(acceptRes.ok()).toBe(true);
// List members
const membersRes = await request.get(
`${BASE}/api/companies/${companyId}/members`
);
const { members } = await membersRes.json();
// Find a non-owner member to modify
const nonOwner = members.find(
(m: { membershipRole: string }) => m.membershipRole !== "owner"
);
if (!nonOwner) {
test.skip();
return;
}
// Update role to admin
const patchRes = await request.patch(
`${BASE}/api/companies/${companyId}/members/${nonOwner.id}`,
{ data: { membershipRole: "admin" } }
);
expect(patchRes.ok()).toBe(true);
const updated = await patchRes.json();
expect(updated.membershipRole).toBe("admin");
});
test("PATCH member status to suspended works", async ({ request }) => {
// Create another member
const invite = await createHumanInvite(request, companyId, "operator");
await request.post(`${BASE}/api/invites/${invite.token}/accept`, {
data: { requestType: "human" },
});
const membersRes = await request.get(
`${BASE}/api/companies/${companyId}/members`
);
const { members } = await membersRes.json();
const nonOwner = members.find(
(m: { membershipRole: string; status: string }) =>
m.membershipRole !== "owner" && m.status === "active"
);
if (!nonOwner) {
test.skip();
return;
}
const patchRes = await request.patch(
`${BASE}/api/companies/${companyId}/members/${nonOwner.id}`,
{ data: { status: "suspended" } }
);
expect(patchRes.ok()).toBe(true);
const updated = await patchRes.json();
expect(updated.status).toBe("suspended");
});
});
test.describe("Multi-user: Agent invite flow", () => {
let companyId: string;
test.beforeAll(async ({ request }) => {
const result = await createCompanyViaWizard(
request,
`MU-Agent-${Date.now()}`
);
companyId = result.companyId;
});
test("agent invite accept creates pending join request", async ({
request,
}) => {
// Create agent invite
const res = await request.post(
`${BASE}/api/companies/${companyId}/openclaw/invite-prompt`,
{ data: {} }
);
expect(res.ok()).toBe(true);
const { token } = await res.json();
// Accept as agent
const acceptRes = await request.post(
`${BASE}/api/invites/${token}/accept`,
{
data: {
requestType: "agent",
agentName: "TestAgent",
adapterType: "claude_local",
},
}
);
expect(acceptRes.ok()).toBe(true);
const body = await acceptRes.json();
expect(body).toHaveProperty("id");
expect(body.status).toBe("pending_approval");
});
test("join requests list shows pending agent request", async ({
request,
}) => {
const res = await request.get(
`${BASE}/api/companies/${companyId}/join-requests?status=pending_approval`
);
expect(res.ok()).toBe(true);
const requests = await res.json();
expect(Array.isArray(requests)).toBe(true);
});
});
test.describe("Multi-user: Health check integration", () => {
test("health endpoint reports deployment mode", async ({ request }) => {
const res = await request.get(`${BASE}/api/health`);
expect(res.ok()).toBe(true);
const body = await res.json();
expect(body).toHaveProperty("deploymentMode");
expect(body).toHaveProperty("authReady");
expect(body.authReady).toBe(true);
});
});

28
tests/e2e/playwright-multiuser-authenticated.config.ts Normal file
View file

@ -0,0 +1,28 @@
import { defineConfig } from "@playwright/test";
const PORT = Number(process.env.PAPERCLIP_E2E_PORT ?? 3105);
const BASE_URL = process.env.PAPERCLIP_E2E_BASE_URL ?? `http://127.0.0.1:${PORT}`;
export default defineConfig({
testDir: ".",
testMatch: "multi-user-authenticated.spec.ts",
timeout: 180_000,
expect: {
timeout: 20_000,
},
retries: 0,
use: {
baseURL: BASE_URL,
headless: true,
screenshot: "only-on-failure",
trace: "on-first-retry",
},
projects: [
{
name: "chromium",
use: { browserName: "chromium" },
},
],
outputDir: "./test-results",
reporter: [["list"], ["html", { open: "never", outputFolder: "./playwright-report" }]],
});

26
tests/e2e/playwright-multiuser.config.ts Normal file
View file

@ -0,0 +1,26 @@
import { defineConfig } from "@playwright/test";
const PORT = Number(process.env.PAPERCLIP_E2E_PORT ?? 3104);
const BASE_URL = `http://127.0.0.1:${PORT}`;
export default defineConfig({
testDir: ".",
testMatch: "multi-user.spec.ts",
timeout: 60_000,
retries: 0,
use: {
baseURL: BASE_URL,
headless: true,
screenshot: "only-on-failure",
trace: "on-first-retry",
},
projects: [
{
name: "chromium",
use: { browserName: "chromium" },
},
],
// No webServer — expects an already-running server at BASE_URL.
outputDir: "./test-results",
reporter: [["list"], ["html", { open: "never", outputFolder: "./playwright-report" }]],
});

3
tests/e2e/playwright.config.ts
View file

@ -12,6 +12,9 @@ const PAPERCLIP_HOME = fs.mkdtempSync(path.join(os.tmpdir(), "paperclip-e2e-home
export default defineConfig({
testDir: ".",
testMatch: "**/*.spec.ts",
// These suites target dedicated multi-user configurations/ports and are
// intentionally not part of the default local_trusted e2e run.
testIgnore: ["multi-user.spec.ts", "multi-user-authenticated.spec.ts"],
timeout: 60_000,
retries: 0,
use: {