aaronrene / knowtation public
hosted-workspace-resolve.test.mjs
100 lines 3.1 KB
Raw
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd feat(calendar): enforce agent context tiers in retrieval AP… Human minor ⚠ breaking 2 days ago
1 import assert from 'node:assert/strict';
2 import { describe, it } from 'node:test';
3 import {
4 resolveEffectiveCanisterUser,
5 getAllowedVaultIdsFromAccessMap,
6 getScopeForUserVaultFromScopeMap,
7 intersectVaultIds,
8 } from '../hub/lib/hosted-workspace-resolve.mjs';
9
10 describe('hosted-workspace-resolve', () => {
11 const admins = new Set(['google:admin']);
12
13 it('no workspace owner: everyone uses self', () => {
14 const r = resolveEffectiveCanisterUser({
15 actorSub: 'google:a',
16 workspaceOwnerId: null,
17 storedRoles: {},
18 adminUserIdsSet: admins,
19 });
20 assert.equal(r.effective, 'google:a');
21 assert.equal(r.delegate, false);
22 });
23
24 it('owner uses self', () => {
25 const r = resolveEffectiveCanisterUser({
26 actorSub: 'google:owner',
27 workspaceOwnerId: 'google:owner',
28 storedRoles: { 'google:member': 'editor' },
29 adminUserIdsSet: new Set(),
30 });
31 assert.equal(r.effective, 'google:owner');
32 assert.equal(r.delegate, false);
33 });
34
35 it('invited member delegates to owner', () => {
36 const r = resolveEffectiveCanisterUser({
37 actorSub: 'github:member',
38 workspaceOwnerId: 'google:owner',
39 storedRoles: { 'github:member': 'editor' },
40 adminUserIdsSet: new Set(),
41 });
42 assert.equal(r.effective, 'google:owner');
43 assert.equal(r.delegate, true);
44 });
45
46 it('evaluator delegates to owner like editor', () => {
47 const r = resolveEffectiveCanisterUser({
48 actorSub: 'google:eval',
49 workspaceOwnerId: 'google:owner',
50 storedRoles: { 'google:eval': 'evaluator' },
51 adminUserIdsSet: new Set(),
52 });
53 assert.equal(r.effective, 'google:owner');
54 assert.equal(r.delegate, true);
55 });
56
57 it('env admin delegates when not owner', () => {
58 const r = resolveEffectiveCanisterUser({
59 actorSub: 'google:admin',
60 workspaceOwnerId: 'google:owner',
61 storedRoles: {},
62 adminUserIdsSet: admins,
63 });
64 assert.equal(r.effective, 'google:owner');
65 assert.equal(r.delegate, true);
66 });
67
68 it('solo user not in roles does not delegate', () => {
69 const r = resolveEffectiveCanisterUser({
70 actorSub: 'google:stranger',
71 workspaceOwnerId: 'google:owner',
72 storedRoles: { 'github:member': 'editor' },
73 adminUserIdsSet: new Set(),
74 });
75 assert.equal(r.effective, 'google:stranger');
76 assert.equal(r.delegate, false);
77 });
78
79 it('getAllowedVaultIdsFromAccessMap defaults to default', () => {
80 assert.deepEqual(getAllowedVaultIdsFromAccessMap({}, 'any'), ['default']);
81 assert.deepEqual(getAllowedVaultIdsFromAccessMap({ 'google:x': ['work'] }, 'google:x'), ['work']);
82 });
83
84 it('getScopeForUserVaultFromScopeMap', () => {
85 const map = {
86 'google:x': {
87 default: { projects: ['p1'], folders: [] },
88 },
89 };
90 assert.deepEqual(getScopeForUserVaultFromScopeMap(map, 'google:x', 'default'), {
91 projects: ['p1'],
92 folders: [],
93 });
94 assert.equal(getScopeForUserVaultFromScopeMap(map, 'google:x', 'other'), null);
95 });
96
97 it('intersectVaultIds preserves canister order', () => {
98 assert.deepEqual(intersectVaultIds(['default', 'work', 'x'], ['work', 'default']), ['default', 'work']);
99 });
100 });
File History 2 commits
sha256:65ccb454656ea5acdea0a10e559b78bcde1eb6ff753ecc2911bc99d1c3d7cadd feat(calendar): enforce agent context tiers in retrieval AP… Human minor 2 days ago
sha256:9103f98c89257ed2b01c237cea895dabb3e85ea337dccb1161c175e4422355b6 docs: accept Calendar Events v0 spec with Phase 0 security … Human 3 days ago