Hartmut/CapaKraken
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

test(api): cover assistant tool policy parity

Browse Source
This commit is contained in:
Hartmut Nörenberg
2026-04-01 00:05:33 +02:00
parent 58125b284c
commit bca6abf2bb
4 changed files with 728 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/api/src/__tests__/assistant-tools-registry-access.test.ts
+71
View File
@@ -0,0 +1,71 @@
import { describe, expect, it } from "vitest";
import { PermissionKey, SystemRole } from "@capakraken/shared";
import {
executeTool,
getAvailableAssistantToolsForContext,
} from "../router/assistant-tools.js";
function createToolContext(
userRole: SystemRole,
permissions: PermissionKey[] = [],
) {
return {
db: {} as never,
userId: "user_1",
userRole,
permissions: new Set(permissions),
session: {
user: { email: "user@example.com", name: "User", image: null },
expires: "2099-01-01T00:00:00.000Z",
},
dbUser: {
id: "user_1",
systemRole: userRole,
permissionOverrides: null,
},
roleDefaults: null,
};
}
describe("assistant tool registry access", () => {
it("derives admin-only settings tools directly from tool metadata", () => {
const adminNames = getAvailableAssistantToolsForContext(new Set(), SystemRole.ADMIN)
.map((tool) => tool.function.name);
const managerNames = getAvailableAssistantToolsForContext(new Set(), SystemRole.MANAGER)
.map((tool) => tool.function.name);
expect(adminNames).toContain("get_ai_configured");
expect(adminNames).toContain("list_system_role_configs");
expect(managerNames).not.toContain("get_ai_configured");
expect(managerNames).not.toContain("list_system_role_configs");
});
it("keeps cost-sensitive registry tools hidden until viewCosts is granted", () => {
const managerWithoutCosts = getAvailableAssistantToolsForContext(
new Set(),
SystemRole.MANAGER,
).map((tool) => tool.function.name);
const managerWithCosts = getAvailableAssistantToolsForContext(
new Set([PermissionKey.VIEW_COSTS]),
SystemRole.MANAGER,
).map((tool) => tool.function.name);
expect(managerWithoutCosts).not.toContain("get_budget_forecast");
expect(managerWithoutCosts).not.toContain("lookup_rate");
expect(managerWithCosts).toContain("get_budget_forecast");
expect(managerWithCosts).toContain("lookup_rate");
});
it("enforces metadata-derived permission checks before executing cost tools", async () => {
const result = await executeTool(
"lookup_rate",
JSON.stringify({ chapter: "Animation" }),
createToolContext(SystemRole.MANAGER),
);
expect(JSON.parse(result.content)).toEqual({
error: `Permission denied: you need the "${PermissionKey.VIEW_COSTS}" permission to perform this action.`,
});
});
});