mirror of
https://github.com/alkimake/paperclip.git
synced 2026-06-14 01:50:39 +09:00
32a9165ddf
## Thinking Path > - Paperclip orchestrates AI agents for zero-human companies > - The control plane depends on authenticated routes enforcing company boundaries and role permissions correctly > - This branch also touches the issue detail and markdown editing flows operators use while handling advisory and triage work > - Partial issue cache seeds and fragile rich-editor parsing could leave important issue content missing or blank at the moment an operator needed it > - Blocked issues becoming actionable again should wake their assignee automatically instead of silently staying idle > - This pull request rebases the advisory follow-up branch onto current `master`, hardens authenticated route authorization, and carries the issue-detail/editor reliability fixes forward with regression tests > - The benefit is tighter authz on sensitive routes plus more reliable issue/advisory editing and wakeup behavior on top of the latest base ## What Changed - Hardened authenticated route authorization across agent, activity, approval, access, project, plugin, health, execution-workspace, portability, and related server paths, with new cross-tenant and runtime-authz regression coverage. - Switched issue detail queries from `initialData` to placeholder-based hydration so list/quicklook seeds still refetch full issue bodies. - Normalized advisory-style HTML images before mounting the markdown editor and strengthened fallback behavior when the rich editor silently fails or rejects the content. - Woke assigned agents when blocked issues move back to `todo`, with route coverage for reopen and unblock transitions. - Rebasing note: this branch now sits cleanly on top of the latest `master` tip used for the PR base. ## Verification - `pnpm exec vitest run ui/src/lib/issueDetailQuery.test.tsx ui/src/components/MarkdownEditor.test.tsx server/src/__tests__/issue-comment-reopen-routes.test.ts server/src/__tests__/activity-routes.test.ts server/src/__tests__/agent-cross-tenant-authz-routes.test.ts` - Confirmed `pnpm-lock.yaml` is not part of the PR diff. - Rebased the branch onto current `public-gh/master` before publishing. ## Risks - Broad authz tightening may expose existing flows that were relying on permissive board or agent access and now need explicit grants. - Markdown editor fallback changes could affect focus or rendering in edge-case content that mixes HTML-like advisory markup with normal markdown. - This verification was intentionally scoped to touched regressions and did not run the full repository suite. ## Model Used - OpenAI Codex, GPT-5-based coding agent in the Codex CLI environment with tool use for terminal, git, and GitHub operations. The exact runtime model identifier is not exposed inside this session. ## Checklist - [x] I have included a thinking path that traces from project context to this change - [x] I have specified the model used (with version and capability details) - [x] I have run tests locally and they pass - [x] I have added or updated tests where applicable - [x] If this change affects the UI, it is behavior-only and does not need before/after screenshots - [x] I have updated relevant documentation to reflect my changes, or no documentation changes were needed for these internal fixes - [x] I have considered and documented any risks above - [x] I will address all Greptile and reviewer comments before requesting merge --------- Co-authored-by: Paperclip <noreply@paperclip.ing>
279 lines
8.4 KiB
TypeScript
279 lines
8.4 KiB
TypeScript
import { randomUUID } from "node:crypto";
|
|
import { afterAll, afterEach, beforeAll, describe, expect, it } from "vitest";
|
|
import {
|
|
agents,
|
|
companies,
|
|
createDb,
|
|
executionWorkspaces,
|
|
issues,
|
|
projectWorkspaces,
|
|
projects,
|
|
} from "@paperclipai/db";
|
|
import {
|
|
getEmbeddedPostgresTestSupport,
|
|
startEmbeddedPostgresTestDatabase,
|
|
} from "./helpers/embedded-postgres.js";
|
|
import {
|
|
assertCanManageExecutionWorkspaceRuntimeServices,
|
|
assertCanManageProjectWorkspaceRuntimeServices,
|
|
} from "../routes/workspace-runtime-service-authz.js";
|
|
|
|
const embeddedPostgresSupport = await getEmbeddedPostgresTestSupport();
|
|
const describeEmbeddedPostgres = embeddedPostgresSupport.supported ? describe : describe.skip;
|
|
|
|
if (!embeddedPostgresSupport.supported) {
|
|
console.warn(
|
|
`Skipping embedded Postgres workspace runtime auth tests on this host: ${embeddedPostgresSupport.reason ?? "unsupported environment"}`,
|
|
);
|
|
}
|
|
|
|
describeEmbeddedPostgres("workspace runtime service authz helper", () => {
|
|
let db!: ReturnType<typeof createDb>;
|
|
let tempDb: Awaited<ReturnType<typeof startEmbeddedPostgresTestDatabase>> | null = null;
|
|
|
|
beforeAll(async () => {
|
|
tempDb = await startEmbeddedPostgresTestDatabase("paperclip-workspace-runtime-authz-");
|
|
db = createDb(tempDb.connectionString);
|
|
}, 20_000);
|
|
|
|
afterEach(async () => {
|
|
await db.delete(issues);
|
|
await db.delete(executionWorkspaces);
|
|
await db.delete(projectWorkspaces);
|
|
await db.delete(projects);
|
|
await db.delete(agents);
|
|
await db.delete(companies);
|
|
});
|
|
|
|
afterAll(async () => {
|
|
await tempDb?.cleanup();
|
|
});
|
|
|
|
async function seedCompany() {
|
|
const companyId = randomUUID();
|
|
await db.insert(companies).values({
|
|
id: companyId,
|
|
name: "Paperclip",
|
|
issuePrefix: `PAP-${companyId.slice(0, 8)}`,
|
|
requireBoardApprovalForNewAgents: false,
|
|
});
|
|
return companyId;
|
|
}
|
|
|
|
async function seedProjectWorkspace(companyId: string) {
|
|
const projectId = randomUUID();
|
|
const projectWorkspaceId = randomUUID();
|
|
await db.insert(projects).values({
|
|
id: projectId,
|
|
companyId,
|
|
name: "Workspace authz",
|
|
status: "in_progress",
|
|
});
|
|
await db.insert(projectWorkspaces).values({
|
|
id: projectWorkspaceId,
|
|
companyId,
|
|
projectId,
|
|
name: "Primary",
|
|
sourceType: "local_path",
|
|
cwd: "/tmp/paperclip-authz-project",
|
|
isPrimary: true,
|
|
});
|
|
return { projectId, projectWorkspaceId };
|
|
}
|
|
|
|
async function seedExecutionWorkspace(companyId: string, projectId: string, projectWorkspaceId: string) {
|
|
const executionWorkspaceId = randomUUID();
|
|
await db.insert(executionWorkspaces).values({
|
|
id: executionWorkspaceId,
|
|
companyId,
|
|
projectId,
|
|
projectWorkspaceId,
|
|
mode: "isolated_workspace",
|
|
strategyType: "git_worktree",
|
|
name: "Execution workspace",
|
|
status: "active",
|
|
providerType: "local_fs",
|
|
cwd: "/tmp/paperclip-authz-execution",
|
|
});
|
|
return executionWorkspaceId;
|
|
}
|
|
|
|
async function seedAgent(
|
|
companyId: string,
|
|
input: { role?: string; reportsTo?: string | null; name?: string } = {},
|
|
) {
|
|
const agentId = randomUUID();
|
|
await db.insert(agents).values({
|
|
id: agentId,
|
|
companyId,
|
|
name: input.name ?? "Agent",
|
|
role: input.role ?? "engineer",
|
|
reportsTo: input.reportsTo ?? null,
|
|
});
|
|
return agentId;
|
|
}
|
|
|
|
it("allows board actors to manage project workspace runtime services", async () => {
|
|
const companyId = await seedCompany();
|
|
const { projectWorkspaceId } = await seedProjectWorkspace(companyId);
|
|
|
|
await expect(assertCanManageProjectWorkspaceRuntimeServices(db, {
|
|
actor: {
|
|
type: "board",
|
|
userId: "board-1",
|
|
companyIds: [companyId],
|
|
source: "session",
|
|
isInstanceAdmin: false,
|
|
},
|
|
} as any, {
|
|
companyId,
|
|
projectWorkspaceId,
|
|
})).resolves.toBeUndefined();
|
|
});
|
|
|
|
it("allows CEO agents to manage any project workspace runtime services in their company", async () => {
|
|
const companyId = await seedCompany();
|
|
const { projectWorkspaceId } = await seedProjectWorkspace(companyId);
|
|
const ceoAgentId = await seedAgent(companyId, { role: "ceo", name: "CEO" });
|
|
|
|
await expect(assertCanManageProjectWorkspaceRuntimeServices(db, {
|
|
actor: {
|
|
type: "agent",
|
|
agentId: ceoAgentId,
|
|
companyId,
|
|
source: "agent_key",
|
|
},
|
|
} as any, {
|
|
companyId,
|
|
projectWorkspaceId,
|
|
})).resolves.toBeUndefined();
|
|
});
|
|
|
|
it("allows agents with a non-terminal assigned issue in the target project workspace", async () => {
|
|
const companyId = await seedCompany();
|
|
const { projectId, projectWorkspaceId } = await seedProjectWorkspace(companyId);
|
|
const agentId = await seedAgent(companyId, { name: "Engineer" });
|
|
|
|
await db.insert(issues).values({
|
|
id: randomUUID(),
|
|
companyId,
|
|
projectId,
|
|
projectWorkspaceId,
|
|
title: "Use this workspace",
|
|
status: "todo",
|
|
priority: "medium",
|
|
assigneeAgentId: agentId,
|
|
});
|
|
|
|
await expect(assertCanManageProjectWorkspaceRuntimeServices(db, {
|
|
actor: {
|
|
type: "agent",
|
|
agentId,
|
|
companyId,
|
|
source: "agent_key",
|
|
},
|
|
} as any, {
|
|
companyId,
|
|
projectWorkspaceId,
|
|
})).resolves.toBeUndefined();
|
|
});
|
|
|
|
it("allows managers to manage execution workspace runtime services for their reporting subtree", async () => {
|
|
const companyId = await seedCompany();
|
|
const { projectId, projectWorkspaceId } = await seedProjectWorkspace(companyId);
|
|
const executionWorkspaceId = await seedExecutionWorkspace(companyId, projectId, projectWorkspaceId);
|
|
const managerId = await seedAgent(companyId, { role: "cto", name: "Manager" });
|
|
const reportId = await seedAgent(companyId, { reportsTo: managerId, name: "Report" });
|
|
|
|
await db.insert(issues).values({
|
|
id: randomUUID(),
|
|
companyId,
|
|
projectId,
|
|
projectWorkspaceId,
|
|
executionWorkspaceId,
|
|
title: "Use execution workspace",
|
|
status: "in_progress",
|
|
priority: "medium",
|
|
assigneeAgentId: reportId,
|
|
});
|
|
|
|
await expect(assertCanManageExecutionWorkspaceRuntimeServices(db, {
|
|
actor: {
|
|
type: "agent",
|
|
agentId: managerId,
|
|
companyId,
|
|
source: "agent_key",
|
|
},
|
|
} as any, {
|
|
companyId,
|
|
executionWorkspaceId,
|
|
})).resolves.toBeUndefined();
|
|
});
|
|
|
|
it("rejects unrelated same-company agents without matching workspace assignments", async () => {
|
|
const companyId = await seedCompany();
|
|
const { projectId, projectWorkspaceId } = await seedProjectWorkspace(companyId);
|
|
const executionWorkspaceId = await seedExecutionWorkspace(companyId, projectId, projectWorkspaceId);
|
|
const assignedAgentId = await seedAgent(companyId, { name: "Assigned" });
|
|
const unrelatedAgentId = await seedAgent(companyId, { name: "Unrelated" });
|
|
|
|
await db.insert(issues).values({
|
|
id: randomUUID(),
|
|
companyId,
|
|
projectId,
|
|
projectWorkspaceId,
|
|
executionWorkspaceId,
|
|
title: "Assigned issue",
|
|
status: "todo",
|
|
priority: "medium",
|
|
assigneeAgentId: assignedAgentId,
|
|
});
|
|
|
|
await expect(assertCanManageExecutionWorkspaceRuntimeServices(db, {
|
|
actor: {
|
|
type: "agent",
|
|
agentId: unrelatedAgentId,
|
|
companyId,
|
|
source: "agent_key",
|
|
},
|
|
} as any, {
|
|
companyId,
|
|
executionWorkspaceId,
|
|
})).rejects.toMatchObject({
|
|
status: 403,
|
|
message: "Missing permission to manage workspace runtime services",
|
|
});
|
|
});
|
|
|
|
it("rejects completed workspace assignments so stale issues do not keep access alive", async () => {
|
|
const companyId = await seedCompany();
|
|
const { projectId, projectWorkspaceId } = await seedProjectWorkspace(companyId);
|
|
const agentId = await seedAgent(companyId, { name: "Engineer" });
|
|
|
|
await db.insert(issues).values({
|
|
id: randomUUID(),
|
|
companyId,
|
|
projectId,
|
|
projectWorkspaceId,
|
|
title: "Completed issue",
|
|
status: "done",
|
|
priority: "medium",
|
|
assigneeAgentId: agentId,
|
|
});
|
|
|
|
await expect(assertCanManageProjectWorkspaceRuntimeServices(db, {
|
|
actor: {
|
|
type: "agent",
|
|
agentId,
|
|
companyId,
|
|
source: "agent_key",
|
|
},
|
|
} as any, {
|
|
companyId,
|
|
projectWorkspaceId,
|
|
})).rejects.toMatchObject({
|
|
status: 403,
|
|
message: "Missing permission to manage workspace runtime services",
|
|
});
|
|
});
|
|
});
|