feat(api): pending-changes + audit routes
Owner-only routes wired with an applyPendingChange dispatch helper covering page/project/task/ref/resource/source_doc create/update/delete. Approve and reject emit their own audit_log entries (actions already in the CHECK vocab) so the audit trail is self-contained. Documents a latent bug in security-followups.md: pending_changes.action CHECK constraint blocks 'upsert' / 'add_dependency' / 'remove_dependency' divertToPending paths in refs/resources routes when an agent at suggest tier hits them. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
root
86
tests/api/audit.test.js
Normal file
86
tests/api/audit.test.js
Normal file
@@ -0,0 +1,86 @@
|
||||
import { describe, it, expect, beforeAll, beforeEach } from 'vitest';
|
||||
import request from 'supertest';
|
||||
import { setup } from './helpers.js';
|
||||
import * as spacesRepo from '../../lib/db/repos/spaces.js';
|
||||
import * as pagesRepo from '../../lib/db/repos/pages.js';
|
||||
import * as agentsRepo from '../../lib/db/repos/agents.js';
|
||||
|
||||
let app, ownerHeaders, space;
|
||||
const owner = { kind: 'user', id: null };
|
||||
|
||||
beforeAll(async () => { ({ app, ownerHeaders } = await setup()); });
|
||||
beforeEach(async () => {
|
||||
space = await spacesRepo.create(
|
||||
{ slug: `s-${Date.now()}-${Math.random().toString(36).slice(2,5)}`, name: 'S' }, owner
|
||||
);
|
||||
});
|
||||
|
||||
describe('audit routes', () => {
|
||||
it('GET /entity/:type/:id returns create + update entries ordered DESC', async () => {
|
||||
const page = await pagesRepo.create(
|
||||
{ space_id: space.id, slug: 'pg-au', title: 'T1' }, owner
|
||||
);
|
||||
await pagesRepo.update(page.id, { title: 'T2' }, owner);
|
||||
const res = await request(app)
|
||||
.get(`/api/audit/entity/page/${page.id}`).set(ownerHeaders);
|
||||
expect(res.status).toBe(200);
|
||||
expect(res.body.length).toBeGreaterThanOrEqual(2);
|
||||
const actions = res.body.map(e => e.action);
|
||||
expect(actions).toContain('create');
|
||||
expect(actions).toContain('update');
|
||||
});
|
||||
|
||||
it('GET /entity/:type/:id respects limit', async () => {
|
||||
const page = await pagesRepo.create(
|
||||
{ space_id: space.id, slug: 'pg-lim', title: 'T1' }, owner
|
||||
);
|
||||
for (const t of ['T2','T3','T4']) {
|
||||
await pagesRepo.update(page.id, { title: t }, owner);
|
||||
}
|
||||
const res = await request(app)
|
||||
.get(`/api/audit/entity/page/${page.id}?limit=2`).set(ownerHeaders);
|
||||
expect(res.body.length).toBe(2);
|
||||
});
|
||||
|
||||
it('GET /actor filters by actor_kind=user', async () => {
|
||||
await pagesRepo.create({ space_id: space.id, slug: 'a-u', title: 'Au' }, owner);
|
||||
const res = await request(app)
|
||||
.get('/api/audit/actor?actor_kind=user').set(ownerHeaders);
|
||||
expect(res.status).toBe(200);
|
||||
expect(res.body.every(e => e.actor_kind === 'user')).toBe(true);
|
||||
});
|
||||
|
||||
it('GET /actor with actor_id filters tightly', async () => {
|
||||
const agent = await agentsRepo.create({
|
||||
slug: `au-agent-${Date.now()}`, name: 'A', kind: 'claude', model: 'sonnet',
|
||||
capabilities: { read: true, write: true }, scopes: { page: true }
|
||||
}, owner);
|
||||
const actor = { kind: 'agent', id: agent.id };
|
||||
await pagesRepo.create({ space_id: space.id, slug: 'a-x', title: 'X' }, actor);
|
||||
const res = await request(app)
|
||||
.get(`/api/audit/actor?actor_kind=agent&actor_id=${agent.id}`).set(ownerHeaders);
|
||||
expect(res.status).toBe(200);
|
||||
expect(res.body.length).toBeGreaterThan(0);
|
||||
expect(res.body.every(e => e.actor_id === agent.id)).toBe(true);
|
||||
});
|
||||
|
||||
it('agent token → 403 on audit endpoints (owner-only)', async () => {
|
||||
const agent = await agentsRepo.create({
|
||||
slug: `au-403-${Date.now()}`, name: 'A', kind: 'claude', model: 'sonnet',
|
||||
capabilities: { read: true }, scopes: {}
|
||||
}, owner);
|
||||
const { token } = await agentsRepo.createToken(agent.id, 'test');
|
||||
const headers = { Authorization: `Bearer ${token}` };
|
||||
const e = await request(app)
|
||||
.get('/api/audit/entity/page/00000000-0000-0000-0000-000000000000').set(headers);
|
||||
expect(e.status).toBe(403);
|
||||
const a = await request(app).get('/api/audit/actor').set(headers);
|
||||
expect(a.status).toBe(403);
|
||||
});
|
||||
|
||||
it('invalid entity_type → 400', async () => {
|
||||
const res = await request(app)
|
||||
.get('/api/audit/entity/widget/00000000-0000-0000-0000-000000000000').set(ownerHeaders);
|
||||
expect(res.status).toBe(400);
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user