fix(api): harden user self-service and resource linking

packages/api/src/__tests__/assistant-tools-user-self-service-mfa-enable.test.ts

@@ -0,0 +1,96 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { SystemRole } from "@capakraken/shared";
+import {
+  createToolContext,
+  executeTool,
+  totpValidateMock,
+} from "./assistant-tools-user-self-service-mfa-test-helpers.js";
+
+describe("assistant user self-service MFA tools - enable flow", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    totpValidateMock.mockReset();
+  });
+
+  it("generates a TOTP secret through the real user router path", async () => {
+    const db = {
+      user: {
+        update: vi.fn().mockResolvedValue({}),
+      },
+    };
+    const ctx = createToolContext(db, SystemRole.ADMIN);
+
+    const result = await executeTool("generate_totp_secret", "{}", ctx);
+
+    expect(db.user.update).toHaveBeenCalledWith({
+      where: { id: "user_1" },
+      data: { totpSecret: "MOCKSECRET" },
+    });
+    expect(JSON.parse(result.content)).toEqual({
+      success: true,
+      secret: "MOCKSECRET",
+      uri: "otpauth://mock",
+      message: "Generated a new MFA TOTP secret.",
+    });
+    expect(result.action).toEqual({
+      type: "invalidate",
+      scope: ["user"],
+    });
+  });
+
+  it("enables TOTP through the real user router path when the token is valid", async () => {
+    totpValidateMock.mockReturnValue(0);
+
+    const db = {
+      user: {
+        findUnique: vi.fn().mockResolvedValue({
+          id: "user_1",
+          name: "Assistant User",
+          email: "assistant@example.com",
+          totpSecret: "MOCKSECRET",
+          totpEnabled: false,
+        }),
+        update: vi.fn().mockResolvedValue({}),
+      },
+      auditLog: {
+        create: vi.fn().mockResolvedValue({ id: "audit_1" }),
+      },
+    };
+    const ctx = createToolContext(db, SystemRole.ADMIN);
+
+    const result = await executeTool(
+      "verify_and_enable_totp",
+      JSON.stringify({ token: "123456" }),
+      ctx,
+    );
+
+    expect(db.user.findUnique).toHaveBeenCalledWith({
+      where: { id: "user_1" },
+      select: { id: true, name: true, email: true, totpSecret: true, totpEnabled: true },
+    });
+    expect(db.user.update).toHaveBeenCalledWith({
+      where: { id: "user_1" },
+      data: { totpEnabled: true },
+    });
+    expect(db.auditLog.create).toHaveBeenCalledWith({
+      data: expect.objectContaining({
+        entityType: "User",
+        entityId: "user_1",
+        action: "UPDATE",
+        userId: "user_1",
+        source: "ui",
+        entityName: "Assistant User (assistant@example.com)",
+        summary: "Enabled TOTP MFA",
+      }),
+    });
+    expect(JSON.parse(result.content)).toEqual({
+      success: true,
+      enabled: true,
+      message: "Enabled MFA TOTP.",
+    });
+    expect(result.action).toEqual({
+      type: "invalidate",
+      scope: ["user"],
+    });
+  });
+});