Commit 6f8fa85

Add agent and knowledge fixtures for complete cross-user isolation coverage
1 parent 1be2abf commit 6f8fa85

1 file changed

Lines changed: 18 additions & 3 deletions

docs/testing/manual-validation-b-authz-contracts.md

@@ -70,17 +70,32 @@ LABEL_A=$(curl -s -X POST http://localhost:5000/api/boards/$BOARD_A/labels \
7070
-H "Authorization: Bearer $TOKEN_A" \
7171
-d '{"name":"Priority","color":"#ff0000"}' | tee /dev/stderr | jq -r '.id')
7272

73+
## 8. UserA creates an agent profile (for cross-user agent isolation tests)
74+
AGENT_A=$(curl -s -X POST http://localhost:5000/api/agents \
75+
-H "Content-Type: application/json" \
76+
-H "Authorization: Bearer $TOKEN_A" \
77+
-d '{"name":"UserA Test Agent","description":"Fixture agent"}' | tee /dev/stderr | jq -r '.id')
78+
79+
# 9. UserA creates a knowledge item (for cross-user knowledge isolation tests)
80+
KNOWLEDGE_A=$(curl -s -X POST http://localhost:5000/api/knowledge \
81+
-H "Content-Type: application/json" \
82+
-H "Authorization: Bearer $TOKEN_A" \
83+
-d '{"title":"UserA Knowledge","content":"Fixture content"}' | tee /dev/stderr | jq -r '.id')
84+
7385
echo "TOKEN_A=$TOKEN_A"
7486
echo "TOKEN_B=$TOKEN_B"
7587
echo "BOARD_A=$BOARD_A"
7688
echo "COL_A=$COL_A"
7789
echo "CARD_A=$CARD_A"
7890
echo "LABEL_A=$LABEL_A"
91+
echo "AGENT_A=$AGENT_A"
92+
echo "KNOWLEDGE_A=$KNOWLEDGE_A"
7993
```
8094

8195
### Fixture Invariants
8296

8397
- UserA owns `BOARD_A` and all entities within it.
98+
- UserA owns `AGENT_A` and `KNOWLEDGE_A`.
8499
- UserB has no board access grants for `BOARD_A`.
85100
- Neither user is an admin unless explicitly promoted.
86101

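Review bot: the new fixture step 8 is written with a double hash (`## 8. UserA creates an agent profile (for cross-user agent isolation tests)`) while step 9 in the same hunk uses a single one (`# 9. UserA creates a knowledge item ...`); inside the shell block both are comments, but the `##` reads as a markdown heading and breaks the numbered-step convention, so drop the extra `#`. A second point on the same lines: `jq -r '.id'` prints the literal string `null` when the POST fails or the response has no `id`, so `AGENT_A` and `KNOWLEDGE_A` would silently become `null` and every later 404 expectation against them would pass for the wrong reason. Guard the new fixtures the same way the echoed values invite, e.g. `[ -n "$AGENT_A" ] && [ "$AGENT_A" != "null" ] || exit 1` (and likewise for `KNOWLEDGE_A`), or state in the Fixture Invariants that both IDs must be verified non-null before the cross-user rows are run.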
@@ -388,15 +403,15 @@ These controllers have specialized auth or role requirements beyond standard boa
388403
| ID | Method | Route | Token | Expected | Notes |
389404
|-------|--------|-------------------------------------|---------|----------|--------------------------------|
390405
| B-160 | GET | `/api/agents` | UserB | 200 | Returns only UserB's agents |
391-
| B-161 | GET | `/api/agents/{UserA_agent_id}` | UserB | 404 | Cross-user agent isolation |
392-
| B-162 | POST | `/api/agents/{UserA_agent_id}/runs` | UserB | 404 | Cannot trigger run on foreign agent |
406+
| B-161 | GET | `/api/agents/{AGENT_A}` | UserB | 404 | Cross-user agent isolation |
407+
| B-162 | POST | `/api/agents/{AGENT_A}/runs` | UserB | 404 | Cannot trigger run on foreign agent |
393408

394409
### Knowledge (`/api/knowledge`)
395410

396411
| ID | Method | Route | Token | Expected | Notes |
397412
|-------|--------|-------------------------------------|---------|----------|--------------------------------|
398413
| B-165 | GET | `/api/knowledge` | UserB | 200 | Returns only UserB's items |
399-
| B-166 | GET | `/api/knowledge/{UserA_item_id}` | UserB | 404 | Cross-user knowledge isolation |
414+
| B-166 | GET | `/api/knowledge/{KNOWLEDGE_A}` | UserB | 404 | Cross-user knowledge isolation |
400415

401416
### Outbound Webhooks (`/api/boards/{boardId}/webhooks`)
402417

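Review bot: B-161, B-162 and B-166 now reference the fixture variables `{AGENT_A}` and `{KNOWLEDGE_A}` and expect 404, but none of the three tables has a positive-control row, so a 404 produced by a null or stale fixture ID, or by a wrong route, is indistinguishable from a working isolation check. Add a row per resource with the UserA token expecting 200 (e.g. `GET /api/agents/{AGENT_A}` as UserA, `GET /api/knowledge/{KNOWLEDGE_A}` as UserA) before the UserB 404 rows. For B-162 the table also gives no request body or `Content-Type` for `POST /api/agents/{AGENT_A}/runs`; say what the tester should send so that the expected 404 is not masked by a 400 or 415 from request validation.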