mirror of
https://github.com/alkimake/paperclip.git
synced 2026-06-18 03:30:39 +09:00
68f69975a4
## Thinking Path > - Paperclip relies on issue identifiers, execution policies, and agent heartbeat rules to keep autonomous work auditable. > - Safety checks need to reject ambiguous agent handoffs, and identifier parsing needs to support Cloud tenant prefixes. > - Agent instructions also need to make final-disposition rules explicit so work does not stall in vague states. > - This pull request isolates backend correctness and governance hardening from the UI and recovery-system-notice branches. > - The benefit is safer in-review transitions, better identifier compatibility, and clearer agent operating contracts. ## What Changed - Fixed run-aware confirmation ordering and interrupted-run state cleanup. - Added Cloud tenant identity bootstrap and alphanumeric issue identifier support across shared parsing and server routes. - Guarded agent-authored `in_review` updates unless a real review path exists. - Tightened heartbeat disposition instructions in adapter utilities/default AGENTS/Paperclip skill. ## Verification - `pnpm install --frozen-lockfile` - `pnpm exec vitest run packages/shared/src/issue-references.test.ts server/src/__tests__/issue-identifier-routes.test.ts server/src/__tests__/issue-execution-policy-routes.test.ts packages/adapter-utils/src/server-utils.test.ts` initially had the first execution-policy test hit Vitest's 5s timeout under the parallel bundle while the rest passed. - `pnpm exec vitest run server/src/__tests__/issue-execution-policy-routes.test.ts --testTimeout=20000` passed with 10/10 tests. - Follow-up: `pnpm run typecheck:build-gaps` passed. - Follow-up: `pnpm --filter @paperclipai/ui typecheck` passed. - Follow-up: `pnpm vitest run server/src/__tests__/issue-comment-reopen-routes.test.ts server/src/__tests__/company-portability.test.ts server/src/__tests__/costs-service.test.ts` passed. - Follow-up: `pnpm vitest run ui/src/context/LiveUpdatesProvider.test.ts ui/src/lib/issue-chat-messages.test.ts ui/src/lib/issue-reference.test.ts ui/src/lib/issue-timeline-events.test.ts` passed. ## Risks - Medium control-plane risk: in-review update validation changes agent behavior. The error message is explicit and tests cover allowed review paths. ## Model Used - OpenAI GPT-5 Codex via Paperclip `codex_local` adapter, with shell/git/GitHub CLI tool use. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have checked ROADMAP.md and confirmed this PR does not duplicate planned core work - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, I have included before/after screenshots - [x] I have updated relevant documentation to reflect my changes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
591 lines
20 KiB
TypeScript
591 lines
20 KiB
TypeScript
import express from "express";
|
|
import request from "supertest";
|
|
import { beforeEach, describe, expect, it, vi } from "vitest";
|
|
import { normalizeIssueExecutionPolicy } from "../services/issue-execution-policy.ts";
|
|
|
|
const mockIssueService = vi.hoisted(() => ({
|
|
getById: vi.fn(),
|
|
assertCheckoutOwner: vi.fn(),
|
|
update: vi.fn(),
|
|
createChild: vi.fn(),
|
|
addComment: vi.fn(),
|
|
findMentionedAgents: vi.fn(),
|
|
getRelationSummaries: vi.fn(),
|
|
listWakeableBlockedDependents: vi.fn(),
|
|
getWakeableParentAfterChildCompletion: vi.fn(),
|
|
}));
|
|
|
|
const mockHeartbeatService = vi.hoisted(() => ({
|
|
wakeup: vi.fn(async () => undefined),
|
|
triggerIssueMonitor: vi.fn(async () => ({ outcome: "triggered" as const })),
|
|
reportRunActivity: vi.fn(async () => undefined),
|
|
getRun: vi.fn(async () => null),
|
|
getActiveRunForAgent: vi.fn(async () => null),
|
|
cancelRun: vi.fn(async () => null),
|
|
}));
|
|
|
|
const mockAccessService = vi.hoisted(() => ({
|
|
canUser: vi.fn(async () => false),
|
|
hasPermission: vi.fn(async () => false),
|
|
}));
|
|
|
|
const mockLogActivity = vi.hoisted(() => vi.fn(async () => undefined));
|
|
const mockIssueThreadInteractionService = vi.hoisted(() => ({
|
|
listForIssue: vi.fn(async () => []),
|
|
expireRequestConfirmationsSupersededByComment: vi.fn(async () => []),
|
|
}));
|
|
const mockIssueApprovalService = vi.hoisted(() => ({
|
|
listApprovalsForIssue: vi.fn(async () => []),
|
|
}));
|
|
|
|
function registerModuleMocks() {
|
|
vi.doMock("../services/index.js", () => ({
|
|
companyService: () => ({
|
|
getById: vi.fn(async () => ({ id: "company-1", attachmentMaxBytes: 10 * 1024 * 1024 })),
|
|
}),
|
|
accessService: () => mockAccessService,
|
|
agentService: () => ({
|
|
getById: vi.fn(async () => null),
|
|
}),
|
|
documentService: () => ({}),
|
|
executionWorkspaceService: () => ({}),
|
|
feedbackService: () => ({
|
|
listIssueVotesForUser: vi.fn(async () => []),
|
|
saveIssueVote: vi.fn(async () => ({ vote: null, consentEnabledNow: false, sharingEnabled: false })),
|
|
}),
|
|
goalService: () => ({}),
|
|
heartbeatService: () => mockHeartbeatService,
|
|
environmentService: () => ({
|
|
getById: vi.fn(async () => null),
|
|
}),
|
|
instanceSettingsService: () => ({
|
|
get: vi.fn(async () => ({
|
|
id: "instance-settings-1",
|
|
general: {
|
|
censorUsernameInLogs: false,
|
|
feedbackDataSharingPreference: "prompt",
|
|
},
|
|
})),
|
|
listCompanyIds: vi.fn(async () => ["company-1"]),
|
|
}),
|
|
issueApprovalService: () => mockIssueApprovalService,
|
|
issueReferenceService: () => ({
|
|
deleteDocumentSource: async () => undefined,
|
|
diffIssueReferenceSummary: () => ({
|
|
addedReferencedIssues: [],
|
|
removedReferencedIssues: [],
|
|
currentReferencedIssues: [],
|
|
}),
|
|
emptySummary: () => ({ outbound: [], inbound: [] }),
|
|
listIssueReferenceSummary: async () => ({ outbound: [], inbound: [] }),
|
|
syncComment: async () => undefined,
|
|
syncDocument: async () => undefined,
|
|
syncIssue: async () => undefined,
|
|
}),
|
|
issueService: () => mockIssueService,
|
|
issueThreadInteractionService: () => mockIssueThreadInteractionService,
|
|
logActivity: mockLogActivity,
|
|
projectService: () => ({}),
|
|
routineService: () => ({
|
|
syncRunStatusForIssue: vi.fn(async () => undefined),
|
|
}),
|
|
workProductService: () => ({}),
|
|
}));
|
|
}
|
|
|
|
type TestActor =
|
|
| {
|
|
type: "board";
|
|
userId: string;
|
|
companyIds: string[];
|
|
source: "local_implicit";
|
|
isInstanceAdmin: boolean;
|
|
}
|
|
| {
|
|
type: "agent";
|
|
agentId: string;
|
|
companyId: string;
|
|
runId: string | null;
|
|
};
|
|
|
|
async function createApp(actor?: TestActor) {
|
|
const [{ errorHandler }, { issueRoutes }] = await Promise.all([
|
|
import("../middleware/index.js"),
|
|
import("../routes/issues.js"),
|
|
]);
|
|
const app = express();
|
|
app.use(express.json());
|
|
app.use((req, _res, next) => {
|
|
(req as any).actor = actor ?? {
|
|
type: "board",
|
|
userId: "local-board",
|
|
companyIds: ["company-1"],
|
|
source: "local_implicit",
|
|
isInstanceAdmin: false,
|
|
};
|
|
next();
|
|
});
|
|
app.use("/api", issueRoutes({} as any, {} as any));
|
|
app.use(errorHandler);
|
|
return app;
|
|
}
|
|
|
|
describe("issue execution policy routes", () => {
|
|
beforeEach(() => {
|
|
vi.resetModules();
|
|
vi.doUnmock("../services/index.js");
|
|
vi.doUnmock("../routes/issues.js");
|
|
vi.doUnmock("../middleware/index.js");
|
|
registerModuleMocks();
|
|
vi.clearAllMocks();
|
|
mockIssueService.assertCheckoutOwner.mockResolvedValue({ adoptedFromRunId: null });
|
|
mockIssueService.findMentionedAgents.mockResolvedValue([]);
|
|
mockIssueService.getRelationSummaries.mockResolvedValue({ blockedBy: [], blocks: [] });
|
|
mockIssueService.listWakeableBlockedDependents.mockResolvedValue([]);
|
|
mockIssueService.getWakeableParentAfterChildCompletion.mockResolvedValue(null);
|
|
mockIssueThreadInteractionService.listForIssue.mockResolvedValue([]);
|
|
mockIssueThreadInteractionService.expireRequestConfirmationsSupersededByComment.mockResolvedValue([]);
|
|
mockIssueApprovalService.listApprovalsForIssue.mockResolvedValue([]);
|
|
mockIssueService.createChild.mockResolvedValue({
|
|
issue: {
|
|
id: "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
|
|
companyId: "company-1",
|
|
identifier: "PAP-1002",
|
|
title: "Child issue",
|
|
},
|
|
parentBlockerAdded: false,
|
|
});
|
|
mockAccessService.canUser.mockResolvedValue(false);
|
|
mockAccessService.hasPermission.mockResolvedValue(false);
|
|
});
|
|
|
|
it("rejects an agent-authored in_review transition without a review path", async () => {
|
|
const issue = {
|
|
id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
companyId: "company-1",
|
|
status: "todo",
|
|
assigneeAgentId: "33333333-3333-4333-8333-333333333333",
|
|
assigneeUserId: null,
|
|
createdByUserId: "local-board",
|
|
identifier: "PAP-1003",
|
|
title: "Missing review path",
|
|
executionPolicy: null,
|
|
executionState: null,
|
|
};
|
|
mockIssueService.getById.mockResolvedValue(issue);
|
|
|
|
const res = await request(await createApp({
|
|
type: "agent",
|
|
agentId: "33333333-3333-4333-8333-333333333333",
|
|
companyId: "company-1",
|
|
runId: "run-1",
|
|
}))
|
|
.patch("/api/issues/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa")
|
|
.send({ status: "in_review" });
|
|
|
|
expect(res.status).toBe(422);
|
|
expect(res.body.error).toContain("invalid_issue_disposition");
|
|
expect(res.body.error).toContain("request_confirmation");
|
|
expect(res.body.details).toMatchObject({
|
|
code: "invalid_issue_disposition",
|
|
missing: "review_path",
|
|
});
|
|
expect(mockIssueService.update).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("allows an agent-authored in_review transition with a pending confirmation interaction", async () => {
|
|
const issue = {
|
|
id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
companyId: "company-1",
|
|
status: "todo",
|
|
assigneeAgentId: "33333333-3333-4333-8333-333333333333",
|
|
assigneeUserId: null,
|
|
createdByUserId: "local-board",
|
|
identifier: "PAP-1004",
|
|
title: "Pending confirmation",
|
|
executionPolicy: null,
|
|
executionState: null,
|
|
};
|
|
mockIssueService.getById.mockResolvedValue(issue);
|
|
mockIssueThreadInteractionService.listForIssue.mockResolvedValue([
|
|
{ id: "interaction-1", kind: "request_confirmation", status: "pending" },
|
|
]);
|
|
mockIssueService.update.mockImplementation(async (_id: string, patch: Record<string, unknown>) => ({
|
|
...issue,
|
|
...patch,
|
|
updatedAt: new Date(),
|
|
}));
|
|
|
|
const res = await request(await createApp({
|
|
type: "agent",
|
|
agentId: "33333333-3333-4333-8333-333333333333",
|
|
companyId: "company-1",
|
|
runId: "run-1",
|
|
}))
|
|
.patch("/api/issues/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa")
|
|
.send({ status: "in_review" });
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(mockIssueService.update).toHaveBeenCalledWith(
|
|
"aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
expect.objectContaining({ status: "in_review" }),
|
|
);
|
|
});
|
|
|
|
it("allows an agent-authored in_review transition with a typed execution participant", async () => {
|
|
const issue = {
|
|
id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
companyId: "company-1",
|
|
status: "todo",
|
|
assigneeAgentId: "33333333-3333-4333-8333-333333333333",
|
|
assigneeUserId: null,
|
|
createdByUserId: "local-board",
|
|
identifier: "PAP-1005",
|
|
title: "Execution participant",
|
|
executionPolicy: null,
|
|
executionState: null,
|
|
};
|
|
const policy = normalizeIssueExecutionPolicy({
|
|
stages: [
|
|
{
|
|
id: "11111111-1111-4111-8111-111111111111",
|
|
type: "review",
|
|
participants: [{ type: "agent", agentId: "44444444-4444-4444-8444-444444444444" }],
|
|
},
|
|
],
|
|
})!;
|
|
mockIssueService.getById.mockResolvedValue(issue);
|
|
mockIssueService.update.mockImplementation(async (_id: string, patch: Record<string, unknown>) => ({
|
|
...issue,
|
|
...patch,
|
|
updatedAt: new Date(),
|
|
}));
|
|
|
|
const res = await request(await createApp({
|
|
type: "agent",
|
|
agentId: "33333333-3333-4333-8333-333333333333",
|
|
companyId: "company-1",
|
|
runId: "run-1",
|
|
}))
|
|
.patch("/api/issues/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa")
|
|
.send({ status: "in_review", executionPolicy: policy });
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(mockIssueService.update).toHaveBeenCalledWith(
|
|
"aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
expect.objectContaining({
|
|
status: "in_review",
|
|
executionState: expect.objectContaining({
|
|
status: "pending",
|
|
currentParticipant: expect.objectContaining({
|
|
type: "agent",
|
|
agentId: "44444444-4444-4444-8444-444444444444",
|
|
}),
|
|
}),
|
|
}),
|
|
);
|
|
});
|
|
|
|
it("allows an agent-authored in_review transition with a scheduled monitor", async () => {
|
|
const issue = {
|
|
id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
companyId: "company-1",
|
|
status: "todo",
|
|
assigneeAgentId: "33333333-3333-4333-8333-333333333333",
|
|
assigneeUserId: null,
|
|
createdByUserId: "local-board",
|
|
identifier: "PAP-1006",
|
|
title: "External review monitor",
|
|
executionPolicy: null,
|
|
executionState: null,
|
|
monitorAttemptCount: 0,
|
|
monitorNextCheckAt: null,
|
|
monitorLastTriggeredAt: null,
|
|
monitorNotes: null,
|
|
monitorScheduledBy: null,
|
|
};
|
|
mockIssueService.getById.mockResolvedValue(issue);
|
|
mockIssueService.update.mockImplementation(async (_id: string, patch: Record<string, unknown>) => ({
|
|
...issue,
|
|
...patch,
|
|
updatedAt: new Date(),
|
|
}));
|
|
|
|
const res = await request(await createApp({
|
|
type: "agent",
|
|
agentId: "33333333-3333-4333-8333-333333333333",
|
|
companyId: "company-1",
|
|
runId: "run-1",
|
|
}))
|
|
.patch("/api/issues/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa")
|
|
.send({
|
|
status: "in_review",
|
|
executionPolicy: {
|
|
monitor: {
|
|
nextCheckAt: "2026-12-01T12:00:00.000Z",
|
|
scheduledBy: "assignee",
|
|
notes: "Wait for external QA report.",
|
|
},
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(mockIssueService.update).toHaveBeenCalledWith(
|
|
"aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
expect.objectContaining({
|
|
status: "in_review",
|
|
monitorNextCheckAt: new Date("2026-12-01T12:00:00.000Z"),
|
|
}),
|
|
);
|
|
});
|
|
|
|
it("allows board-authored in_review repair updates without a review path", async () => {
|
|
const issue = {
|
|
id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
companyId: "company-1",
|
|
status: "todo",
|
|
assigneeAgentId: "33333333-3333-4333-8333-333333333333",
|
|
assigneeUserId: null,
|
|
createdByUserId: "local-board",
|
|
identifier: "PAP-1007",
|
|
title: "Board repair",
|
|
executionPolicy: null,
|
|
executionState: null,
|
|
};
|
|
mockIssueService.getById.mockResolvedValue(issue);
|
|
mockIssueService.update.mockImplementation(async (_id: string, patch: Record<string, unknown>) => ({
|
|
...issue,
|
|
...patch,
|
|
updatedAt: new Date(),
|
|
}));
|
|
|
|
const res = await request(await createApp())
|
|
.patch("/api/issues/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa")
|
|
.send({ status: "in_review" });
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(mockIssueThreadInteractionService.listForIssue).not.toHaveBeenCalled();
|
|
expect(mockIssueApprovalService.listApprovalsForIssue).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("does not auto-start execution review when reviewers are added to an already in_review issue", async () => {
|
|
const policy = normalizeIssueExecutionPolicy({
|
|
stages: [
|
|
{
|
|
id: "11111111-1111-4111-8111-111111111111",
|
|
type: "review",
|
|
participants: [{ type: "agent", agentId: "33333333-3333-4333-8333-333333333333" }],
|
|
},
|
|
],
|
|
})!;
|
|
const issue = {
|
|
id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
companyId: "company-1",
|
|
status: "in_review",
|
|
assigneeAgentId: null,
|
|
assigneeUserId: "local-board",
|
|
createdByUserId: "local-board",
|
|
identifier: "PAP-999",
|
|
title: "Execution policy edit",
|
|
executionPolicy: null,
|
|
executionState: null,
|
|
};
|
|
mockIssueService.getById.mockResolvedValue(issue);
|
|
mockIssueService.update.mockImplementation(async (_id: string, patch: Record<string, unknown>) => ({
|
|
...issue,
|
|
...patch,
|
|
updatedAt: new Date(),
|
|
}));
|
|
|
|
const res = await request(await createApp())
|
|
.patch("/api/issues/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa")
|
|
.send({ executionPolicy: policy });
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(mockIssueService.update).toHaveBeenCalledWith(
|
|
"aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
expect.objectContaining({
|
|
executionPolicy: policy,
|
|
actorAgentId: null,
|
|
actorUserId: "local-board",
|
|
}),
|
|
);
|
|
const updatePatch = mockIssueService.update.mock.calls[0]?.[1] as Record<string, unknown>;
|
|
expect(updatePatch.status).toBeUndefined();
|
|
expect(updatePatch.assigneeAgentId).toBeUndefined();
|
|
expect(updatePatch.assigneeUserId).toBeUndefined();
|
|
expect(updatePatch.executionState).toBeUndefined();
|
|
expect(mockHeartbeatService.wakeup).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("triggers a scheduled monitor immediately from the dedicated route", async () => {
|
|
const issue = {
|
|
id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
companyId: "company-1",
|
|
status: "in_progress",
|
|
assigneeAgentId: "33333333-3333-4333-8333-333333333333",
|
|
assigneeUserId: null,
|
|
createdByUserId: "local-board",
|
|
identifier: "PAP-1001",
|
|
title: "Manual monitor trigger",
|
|
executionPolicy: normalizeIssueExecutionPolicy({
|
|
monitor: {
|
|
nextCheckAt: "2026-04-11T12:30:00.000Z",
|
|
notes: "Check deployment",
|
|
scheduledBy: "board",
|
|
},
|
|
}),
|
|
executionState: null,
|
|
};
|
|
mockIssueService.getById.mockResolvedValue(issue);
|
|
|
|
const res = await request(await createApp())
|
|
.post("/api/issues/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa/monitor/check-now")
|
|
.send({});
|
|
|
|
expect(res.status).toBe(200);
|
|
expect(res.body).toEqual({ ok: true });
|
|
expect(mockHeartbeatService.triggerIssueMonitor).toHaveBeenCalledWith(
|
|
"aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
expect.objectContaining({
|
|
actorType: "user",
|
|
actorId: "local-board",
|
|
agentId: null,
|
|
}),
|
|
);
|
|
});
|
|
|
|
it("lets a board user create a child issue with a scheduled monitor", async () => {
|
|
mockIssueService.getById.mockResolvedValue({
|
|
id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
companyId: "company-1",
|
|
status: "in_progress",
|
|
assigneeAgentId: "11111111-1111-4111-8111-111111111111",
|
|
assigneeUserId: null,
|
|
createdByUserId: "local-board",
|
|
identifier: "PAP-1001",
|
|
title: "Parent issue",
|
|
executionPolicy: null,
|
|
executionState: null,
|
|
});
|
|
|
|
const res = await request(await createApp())
|
|
.post("/api/issues/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa/children")
|
|
.send({
|
|
title: "Child monitor",
|
|
status: "in_review",
|
|
assigneeAgentId: "33333333-3333-4333-8333-333333333333",
|
|
executionPolicy: {
|
|
monitor: {
|
|
nextCheckAt: "2026-04-11T12:30:00.000Z",
|
|
scheduledBy: "assignee",
|
|
},
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
const createPayload = mockIssueService.createChild.mock.calls[0]?.[1] as {
|
|
executionPolicy: { monitor: { scheduledBy: string } };
|
|
};
|
|
expect(createPayload.executionPolicy.monitor.scheduledBy).toBe("board");
|
|
expect(mockLogActivity).toHaveBeenCalledWith(
|
|
expect.anything(),
|
|
expect.objectContaining({
|
|
action: "issue.monitor_scheduled",
|
|
details: expect.objectContaining({
|
|
scheduledBy: "board",
|
|
}),
|
|
}),
|
|
);
|
|
});
|
|
|
|
it("rejects child monitor scheduling by a non-assignee agent even with task assignment permission", async () => {
|
|
mockAccessService.hasPermission.mockResolvedValue(true);
|
|
mockIssueService.getById.mockResolvedValue({
|
|
id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
companyId: "company-1",
|
|
status: "in_progress",
|
|
assigneeAgentId: "11111111-1111-4111-8111-111111111111",
|
|
assigneeUserId: null,
|
|
createdByUserId: "local-board",
|
|
identifier: "PAP-1001",
|
|
title: "Parent issue",
|
|
executionPolicy: null,
|
|
executionState: null,
|
|
});
|
|
|
|
const res = await request(await createApp({
|
|
type: "agent",
|
|
agentId: "22222222-2222-4222-8222-222222222222",
|
|
companyId: "company-1",
|
|
runId: "run-1",
|
|
}))
|
|
.post("/api/issues/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa/children")
|
|
.send({
|
|
title: "Child monitor",
|
|
status: "in_review",
|
|
assigneeAgentId: "33333333-3333-4333-8333-333333333333",
|
|
executionPolicy: {
|
|
monitor: {
|
|
nextCheckAt: "2026-04-11T12:30:00.000Z",
|
|
scheduledBy: "board",
|
|
},
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(403);
|
|
expect(res.body.error).toBe("Only the assignee agent or a board user can manage issue monitors");
|
|
expect(mockIssueService.createChild).not.toHaveBeenCalled();
|
|
});
|
|
|
|
it("normalizes spoofed child monitor scheduledBy to the assignee actor", async () => {
|
|
mockAccessService.hasPermission.mockResolvedValue(true);
|
|
mockIssueService.getById.mockResolvedValue({
|
|
id: "aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
|
|
companyId: "company-1",
|
|
status: "in_progress",
|
|
assigneeAgentId: "33333333-3333-4333-8333-333333333333",
|
|
assigneeUserId: null,
|
|
createdByUserId: "local-board",
|
|
identifier: "PAP-1001",
|
|
title: "Parent issue",
|
|
executionPolicy: null,
|
|
executionState: null,
|
|
});
|
|
|
|
const res = await request(await createApp({
|
|
type: "agent",
|
|
agentId: "33333333-3333-4333-8333-333333333333",
|
|
companyId: "company-1",
|
|
runId: "run-1",
|
|
}))
|
|
.post("/api/issues/aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa/children")
|
|
.send({
|
|
title: "Child monitor",
|
|
status: "in_review",
|
|
assigneeAgentId: "33333333-3333-4333-8333-333333333333",
|
|
executionPolicy: {
|
|
monitor: {
|
|
nextCheckAt: "2026-04-11T12:30:00.000Z",
|
|
scheduledBy: "board",
|
|
externalRef: "https://example.test/deploy?token=secret",
|
|
},
|
|
},
|
|
});
|
|
|
|
expect(res.status).toBe(201);
|
|
const createPayload = mockIssueService.createChild.mock.calls[0]?.[1] as {
|
|
executionPolicy: { monitor: { scheduledBy: string; externalRef: string | null } };
|
|
};
|
|
expect(createPayload.executionPolicy.monitor.scheduledBy).toBe("assignee");
|
|
expect(createPayload.executionPolicy.monitor.externalRef).toBe("[redacted]");
|
|
expect(mockLogActivity).toHaveBeenCalledWith(
|
|
expect.anything(),
|
|
expect.objectContaining({
|
|
action: "issue.monitor_scheduled",
|
|
entityId: "bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
|
|
details: expect.not.objectContaining({ externalRef: expect.anything() }),
|
|
}),
|
|
);
|
|
});
|
|
});
|