feat(assistant): extend audit and import parity

2026-03-29 12:56:29 +02:00
parent 47e4d701ff
commit 00b936fa1f
6 changed files with 699 additions and 86 deletions
@@ -222,9 +222,25 @@ describe("assistant router tool gating", () => {
      PermissionKey.USE_ASSISTANT_ADVANCED_TOOLS,
    ], SystemRole.USER);

+    expect(controllerNames).toContain("query_change_history");
+    expect(controllerNames).toContain("get_entity_timeline");
+    expect(controllerNames).toContain("export_resources_csv");
+    expect(controllerNames).toContain("export_projects_csv");
+    expect(controllerNames).toContain("list_audit_log_entries");
+    expect(controllerNames).toContain("get_audit_log_entry");
+    expect(controllerNames).toContain("get_audit_log_timeline");
+    expect(controllerNames).toContain("get_audit_activity_summary");
    expect(controllerNames).toContain("get_chargeability_report");
    expect(controllerNames).toContain("get_resource_computation_graph");
    expect(controllerNames).toContain("get_project_computation_graph");
+    expect(userNames).not.toContain("query_change_history");
+    expect(userNames).not.toContain("get_entity_timeline");
+    expect(userNames).not.toContain("export_resources_csv");
+    expect(userNames).not.toContain("export_projects_csv");
+    expect(userNames).not.toContain("list_audit_log_entries");
+    expect(userNames).not.toContain("get_audit_log_entry");
+    expect(userNames).not.toContain("get_audit_log_timeline");
+    expect(userNames).not.toContain("get_audit_activity_summary");
    expect(userNames).not.toContain("get_chargeability_report");
    expect(userNames).not.toContain("get_resource_computation_graph");
    expect(userNames).not.toContain("get_project_computation_graph");
@@ -257,6 +273,24 @@ describe("assistant router tool gating", () => {
    expect(missingAdvancedNames).not.toContain("quick_assign_timeline_resource");
  });

+  it("keeps import/dispo parity tools aligned to router roles and permissions", () => {
+    const managerNames = getToolNames([PermissionKey.IMPORT_DATA], SystemRole.MANAGER);
+    const controllerNames = getToolNames([], SystemRole.CONTROLLER);
+    const adminNames = getToolNames([], SystemRole.ADMIN);
+    const userNames = getToolNames([PermissionKey.IMPORT_DATA], SystemRole.USER);
+
+    expect(managerNames).toContain("import_csv_data");
+    expect(controllerNames).toContain("export_resources_csv");
+    expect(controllerNames).toContain("export_projects_csv");
+    expect(adminNames).toContain("list_dispo_import_batches");
+    expect(adminNames).toContain("get_dispo_import_batch");
+    expect(userNames).not.toContain("import_csv_data");
+    expect(userNames).not.toContain("export_resources_csv");
+    expect(userNames).not.toContain("export_projects_csv");
+    expect(userNames).not.toContain("list_dispo_import_batches");
+    expect(userNames).not.toContain("get_dispo_import_batch");
+  });
+
  it("keeps holiday calendar mutation tools admin-only while leaving read tools available", () => {
    const adminNames = getToolNames([], SystemRole.ADMIN);
    const managerNames = getToolNames([], SystemRole.MANAGER);
@@ -492,6 +526,18 @@ describe("assistant router tool gating", () => {
    expect(toolDescriptions.get("send_broadcast")).toContain("manageProjects");
    expect(toolDescriptions.get("create_holiday_calendar")).toContain("Admin role");
    expect(toolDescriptions.get("create_holiday_calendar_entry")).toContain("Admin role");
+    expect(toolDescriptions.get("query_change_history")).toContain("Controller/manager/admin");
+    expect(toolDescriptions.get("get_entity_timeline")).toContain("Controller/manager/admin");
+    expect(toolDescriptions.get("export_resources_csv")).toContain("Controller/manager/admin");
+    expect(toolDescriptions.get("export_projects_csv")).toContain("Controller/manager/admin");
+    expect(toolDescriptions.get("import_csv_data")).toContain("importData");
+    expect(toolDescriptions.get("import_csv_data")).toContain("manager/admin");
+    expect(toolDescriptions.get("list_dispo_import_batches")).toContain("Admin role");
+    expect(toolDescriptions.get("get_dispo_import_batch")).toContain("Admin role");
+    expect(toolDescriptions.get("list_audit_log_entries")).toContain("Controller/manager/admin");
+    expect(toolDescriptions.get("get_audit_log_entry")).toContain("Controller/manager/admin");
+    expect(toolDescriptions.get("get_audit_log_timeline")).toContain("Controller/manager/admin");
+    expect(toolDescriptions.get("get_audit_activity_summary")).toContain("Controller/manager/admin");
    expect(toolDescriptions.get("get_chargeability_report")).toContain("controller/manager/admin");
    expect(toolDescriptions.get("get_chargeability_report")).toContain("viewCosts");
    expect(toolDescriptions.get("get_resource_computation_graph")).toContain("useAssistantAdvancedTools");
@@ -0,0 +1,129 @@
+import { describe, expect, it, vi } from "vitest";
+import { SystemRole } from "@capakraken/shared";
+
+vi.mock("@capakraken/application", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@capakraken/application")>();
+  return {
+    ...actual,
+    getDashboardBudgetForecast: vi.fn().mockResolvedValue([]),
+    getDashboardPeakTimes: vi.fn().mockResolvedValue([]),
+    listAssignmentBookings: vi.fn().mockResolvedValue([]),
+  };
+});
+
+import { executeTool, type ToolContext } from "../router/assistant-tools.js";
+
+function createToolContext(
+  db: Record<string, unknown>,
+  userRole: SystemRole = SystemRole.CONTROLLER,
+): ToolContext {
+  return {
+    db: db as ToolContext["db"],
+    userId: "user_1",
+    userRole,
+    permissions: new Set(),
+    session: {
+      user: { email: "assistant@example.com", name: "Assistant User", image: null },
+      expires: "2026-03-29T00:00:00.000Z",
+    },
+    dbUser: {
+      id: "user_1",
+      systemRole: userRole,
+      permissionOverrides: null,
+    },
+    roleDefaults: null,
+  };
+}
+
+describe("assistant audit tools", () => {
+  it("lists audit entries through the real audit router path", async () => {
+    const ctx = createToolContext({
+      auditLog: {
+        findMany: vi.fn().mockResolvedValue([
+          {
+            id: "audit_1",
+            entityType: "Project",
+            entityId: "project_1",
+            entityName: "Gelddruckmaschine",
+            action: "UPDATE",
+            userId: "user_1",
+            source: "ui",
+            summary: "Updated project dates",
+            createdAt: new Date("2026-03-28T10:00:00.000Z"),
+            user: {
+              id: "user_1",
+              name: "Larissa",
+              email: "larissa@example.com",
+            },
+          },
+        ]),
+      },
+    });
+
+    const result = await executeTool(
+      "list_audit_log_entries",
+      JSON.stringify({
+        entityType: "Project",
+        search: "Gelddruckmaschine",
+        limit: 10,
+      }),
+      ctx,
+    );
+
+    expect(JSON.parse(result.content)).toEqual({
+      filters: {
+        entityType: "Project",
+        entityId: null,
+        userId: null,
+        action: null,
+        source: null,
+        startDate: null,
+        endDate: null,
+        search: "Gelddruckmaschine",
+      },
+      itemCount: 1,
+      nextCursor: null,
+      items: [
+        {
+          id: "audit_1",
+          entityType: "Project",
+          entityId: "project_1",
+          entityName: "Gelddruckmaschine",
+          action: "UPDATE",
+          userId: "user_1",
+          source: "ui",
+          summary: "Updated project dates",
+          createdAt: "2026-03-28T10:00:00.000Z",
+          user: {
+            id: "user_1",
+            name: "Larissa",
+            email: "larissa@example.com",
+          },
+        },
+      ],
+    });
+  });
+
+  it("enforces controller access for audit tools via the backing router", async () => {
+    const ctx = createToolContext(
+      {
+        auditLog: {
+          findMany: vi.fn(),
+        },
+      },
+      SystemRole.USER,
+    );
+
+    const result = await executeTool(
+      "query_change_history",
+      JSON.stringify({ entityType: "Project" }),
+      ctx,
+    );
+
+    expect(JSON.parse(result.content)).toEqual(
+      expect.objectContaining({
+        error: expect.stringContaining("Controller access required"),
+      }),
+    );
+  });
+});
@@ -0,0 +1,127 @@
+import { describe, expect, it, vi } from "vitest";
+import { PermissionKey, SystemRole } from "@capakraken/shared";
+
+vi.mock("@capakraken/application", async (importOriginal) => {
+  const actual = await importOriginal<typeof import("@capakraken/application")>();
+  return {
+    ...actual,
+    getDashboardBudgetForecast: vi.fn().mockResolvedValue([]),
+    getDashboardPeakTimes: vi.fn().mockResolvedValue([]),
+    listAssignmentBookings: vi.fn().mockResolvedValue([]),
+  };
+});
+
+import { executeTool, type ToolContext } from "../router/assistant-tools.js";
+
+function createToolContext(
+  db: Record<string, unknown>,
+  options?: {
+    permissions?: PermissionKey[];
+    userRole?: SystemRole;
+  },
+): ToolContext {
+  const userRole = options?.userRole ?? SystemRole.ADMIN;
+  return {
+    db: db as ToolContext["db"],
+    userId: "user_1",
+    userRole,
+    permissions: new Set(options?.permissions ?? []),
+    session: {
+      user: { email: "assistant@example.com", name: "Assistant User", image: null },
+      expires: "2026-03-29T00:00:00.000Z",
+    },
+    dbUser: {
+      id: "user_1",
+      systemRole: userRole,
+      permissionOverrides: null,
+    },
+    roleDefaults: null,
+  };
+}
+
+describe("assistant import/export and dispo tools", () => {
+  it("exports resources CSV through the real import/export router path", async () => {
+    const ctx = createToolContext(
+      {
+        resource: {
+          findMany: vi.fn().mockResolvedValue([
+            {
+              eid: "EMP-001",
+              displayName: "Carol Danvers",
+              email: "carol@example.com",
+              chapter: "Delivery",
+              lcrCents: 8000,
+              ucrCents: 12000,
+              currency: "EUR",
+              chargeabilityTarget: 0.8,
+              dynamicFields: {},
+            },
+          ]),
+        },
+        blueprint: {
+          findMany: vi.fn().mockResolvedValue([]),
+        },
+      },
+      { userRole: SystemRole.CONTROLLER },
+    );
+
+    const result = await executeTool("export_resources_csv", "{}", ctx);
+
+    expect(JSON.parse(result.content)).toEqual({
+      format: "csv",
+      lineCount: 2,
+      csv: "eid,displayName,email,chapter,lcrCents,ucrCents,currency,chargeabilityTarget\nEMP-001,Carol Danvers,carol@example.com,Delivery,8000,12000,EUR,0.8",
+    });
+  });
+
+  it("requires importData permission for CSV imports", async () => {
+    const ctx = createToolContext(
+      {
+        auditLog: { create: vi.fn() },
+      },
+      {
+        userRole: SystemRole.MANAGER,
+        permissions: [],
+      },
+    );
+
+    const result = await executeTool(
+      "import_csv_data",
+      JSON.stringify({
+        entityType: "resources",
+        rows: [{ eid: "EMP-001", displayName: "Carol Danvers" }],
+        dryRun: true,
+      }),
+      ctx,
+    );
+
+    expect(JSON.parse(result.content)).toEqual(
+      expect.objectContaining({
+        error: expect.stringContaining(PermissionKey.IMPORT_DATA),
+      }),
+    );
+  });
+
+  it("enforces admin access for dispo batch inspection via the backing router", async () => {
+    const ctx = createToolContext(
+      {
+        importBatch: {
+          findUnique: vi.fn(),
+        },
+      },
+      { userRole: SystemRole.MANAGER },
+    );
+
+    const result = await executeTool(
+      "get_dispo_import_batch",
+      JSON.stringify({ id: "batch_1" }),
+      ctx,
+    );
+
+    expect(JSON.parse(result.content)).toEqual(
+      expect.objectContaining({
+        error: expect.stringContaining("Admin role required"),
+      }),
+    );
+  });
+});