@@ -70,17 +70,32 @@ LABEL_A=$(curl -s -X POST http://localhost:5000/api/boards/$BOARD_A/labels \
7070 -H " Authorization: Bearer $TOKEN_A " \
7171 -d ' {"name":"Priority","color":"#ff0000"}' | tee /dev/stderr | jq -r ' .id' )
7272
73+ # # 8. UserA creates an agent profile (for cross-user agent isolation tests)
74+ AGENT_A=$( curl -s -X POST http://localhost:5000/api/agents \
75+ -H " Content-Type: application/json" \
76+ -H " Authorization: Bearer $TOKEN_A " \
77+ -d ' {"name":"UserA Test Agent","description":"Fixture agent"}' | tee /dev/stderr | jq -r ' .id' )
78+
79+ # 9. UserA creates a knowledge item (for cross-user knowledge isolation tests)
80+ KNOWLEDGE_A=$( curl -s -X POST http://localhost:5000/api/knowledge \
81+ -H " Content-Type: application/json" \
82+ -H " Authorization: Bearer $TOKEN_A " \
83+ -d ' {"title":"UserA Knowledge","content":"Fixture content"}' | tee /dev/stderr | jq -r ' .id' )
84+
7385echo " TOKEN_A=$TOKEN_A "
7486echo " TOKEN_B=$TOKEN_B "
7587echo " BOARD_A=$BOARD_A "
7688echo " COL_A=$COL_A "
7789echo " CARD_A=$CARD_A "
7890echo " LABEL_A=$LABEL_A "
91+ echo " AGENT_A=$AGENT_A "
92+ echo " KNOWLEDGE_A=$KNOWLEDGE_A "
7993```
8094
8195### Fixture Invariants
8296
8397- UserA owns ` BOARD_A ` and all entities within it.
98+ - UserA owns ` AGENT_A ` and ` KNOWLEDGE_A ` .
8499- UserB has no board access grants for ` BOARD_A ` .
85100- Neither user is an admin unless explicitly promoted.
86101
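Review bot: steps 8 and 9 capture `.id` from the response without validating it; if the POST fails or the body has no `id` field, `jq -r '.id'` yields an empty string or the literal `null`, and the later cross-user rows that interpolate `{AGENT_A}` / `{KNOWLEDGE_A}` would then request `/api/agents/` or `/api/agents/null` and receive a 404 for the wrong reason, making the isolation tests pass vacuously. Suggest guarding each fixture right after creation, e.g. `[ -n "$AGENT_A" ] && [ "$AGENT_A" != "null" ] || { echo 'agent fixture failed' >&2; exit 1; }`, and the same for `KNOWLEDGE_A`. Minor: the step 8 comment opens with a doubled `# #` while step 9 uses a single `#`.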
@@ -388,15 +403,15 @@ These controllers have specialized auth or role requirements beyond standard boa
388403| ID | Method | Route | Token | Expected | Notes |
389404| -------| --------| -------------------------------------| ---------| ----------| --------------------------------|
390405| B-160 | GET | ` /api/agents ` | UserB | 200 | Returns only UserB's agents |
391- | B-161 | GET | ` /api/agents/{UserA_agent_id} ` | UserB | 404 | Cross-user agent isolation |
392- | B-162 | POST | ` /api/agents/{UserA_agent_id }/runs ` | UserB | 404 | Cannot trigger run on foreign agent |
406+ | B-161 | GET | ` /api/agents/{AGENT_A} ` | UserB | 404 | Cross-user agent isolation |
407+ | B-162 | POST | ` /api/agents/{AGENT_A }/runs ` | UserB | 404 | Cannot trigger run on foreign agent |
393408
394409### Knowledge (` /api/knowledge ` )
395410
396411| ID | Method | Route | Token | Expected | Notes |
397412| -------| --------| -------------------------------------| ---------| ----------| --------------------------------|
398413| B-165 | GET | ` /api/knowledge ` | UserB | 200 | Returns only UserB's items |
399- | B-166 | GET | ` /api/knowledge/{UserA_item_id} ` | UserB | 404 | Cross-user knowledge isolation |
414+ | B-166 | GET | ` /api/knowledge/{KNOWLEDGE_A} ` | UserB | 404 | Cross-user knowledge isolation |
400415
401416### Outbound Webhooks (` /api/boards/{boardId}/webhooks ` )
402417
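Review bot: the B-162 route still carries a stray space inside the placeholder (`{AGENT_A }/runs`) while B-161 and B-166 use `{AGENT_A}` and `{KNOWLEDGE_A}`; normalise it so that anyone templating these routes from the fixture variables produces a valid path. It would also help to record in the Notes column why the foreign-resource rows (B-161, B-162, B-166) expect 404 rather than 403, i.e. that the response must not reveal whether another user's agent or knowledge item exists; the hunk asserts the status but does not state the rationale, so a future edit could "fix" it to 403 and weaken the check.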