@apart-tech/intelligence-core 1.11.4 → 1.11.5

package/dist/auth/ability.test.js

@@ -0,0 +1,680 @@
+import { createMongoAbility } from "@casl/ability";
+import { describe, expect, it } from "vitest";
+import { buildAbility, intersect, UnsupportedIntersectionError, } from "./ability.js";
+// ── UserPrincipal ──────────────────────────────────────────────────────────
+describe("buildAbility(UserPrincipal) — owner", () => {
+    const owner = {
+        type: "user",
+        id: "u-1",
+        email: "owner@example.com",
+        organizationId: "org-1",
+        role: "owner",
+    };
+    const ability = buildAbility(owner);
+    it("can manage everything via the wildcard", () => {
+        expect(ability.can("manage", "all")).toBe(true);
+        expect(ability.can("manage", "Organization")).toBe(true);
+        expect(ability.can("manage", "Membership")).toBe(true);
+        expect(ability.can("manage", "Invite")).toBe(true);
+        expect(ability.can("manage", "User")).toBe(true);
+        expect(ability.can("manage", "OrgConfig")).toBe(true);
+        expect(ability.can("manage", "AgentSchedule")).toBe(true);
+        expect(ability.can("manage", "Pii")).toBe(true);
+    });
+    it("can perform every specific action on every subject", () => {
+        for (const action of [
+            "create",
+            "read",
+            "update",
+            "delete",
+            "bypass",
+        ]) {
+            for (const subject of [
+                "Organization",
+                "Membership",
+                "Invite",
+                "User",
+                "OrgConfig",
+                "AgentSchedule",
+                "Pii",
+                "Node",
+                "Search",
+                "Import",
+                "Domain",
+                "Workspace",
+                "AgentRun",
+                "OrgAgentConfig",
+                "OrgEmbedding",
+                "UserSecret",
+            ]) {
+                expect(ability.can(action, subject)).toBe(true);
+            }
+        }
+    });
+    it("can bypass Pii via the manage wildcard (Phase 1e M3)", () => {
+        // Owners inherit `bypass` on every subject from `manage all`. This is
+        // the design call recorded in decision 500bfa31 — the bypass action is
+        // intentionally granted implicitly by `manage` so that owners and
+        // legacy api-keys keep their pre-Phase-1e behavior with no code change.
+        expect(ability.can("bypass", "Pii")).toBe(true);
+    });
+});
+describe("buildAbility(UserPrincipal) — admin", () => {
+    const admin = {
+        type: "user",
+        id: "u-2",
+        email: "admin@example.com",
+        organizationId: "org-1",
+        role: "admin",
+    };
+    const ability = buildAbility(admin);
+    it("can manage invites", () => {
+        expect(ability.can("create", "Invite")).toBe(true);
+        expect(ability.can("read", "Invite")).toBe(true);
+        expect(ability.can("update", "Invite")).toBe(true);
+        expect(ability.can("delete", "Invite")).toBe(true);
+    });
+    it("can manage AgentSchedule (Phase 1e H7)", () => {
+        // Admins are responsible for the operational side of scheduled
+        // delegated agents — creating, updating, and deleting schedules. The
+        // trigger endpoint stays api-key-authed at the network layer; this
+        // rule gates the CRUD routes.
+        expect(ability.can("create", "AgentSchedule")).toBe(true);
+        expect(ability.can("read", "AgentSchedule")).toBe(true);
+        expect(ability.can("update", "AgentSchedule")).toBe(true);
+        expect(ability.can("delete", "AgentSchedule")).toBe(true);
+    });
+    it("can read Organization, Membership, OrgConfig, and Pii", () => {
+        expect(ability.can("read", "Organization")).toBe(true);
+        expect(ability.can("read", "Membership")).toBe(true);
+        expect(ability.can("read", "OrgConfig")).toBe(true);
+        expect(ability.can("read", "Pii")).toBe(true);
+    });
+    it("cannot write Organization or Membership", () => {
+        expect(ability.can("update", "Organization")).toBe(false);
+        expect(ability.can("delete", "Organization")).toBe(false);
+        expect(ability.can("create", "Membership")).toBe(false);
+        expect(ability.can("update", "Membership")).toBe(false);
+        expect(ability.can("delete", "Membership")).toBe(false);
+    });
+    it("cannot write OrgConfig or Pii (Phase 1e H6/M3)", () => {
+        // Admins see the config surfaces but cannot change them — org-wide
+        // search/context config and PII policy are owner-only governance
+        // settings.
+        expect(ability.can("create", "OrgConfig")).toBe(false);
+        expect(ability.can("update", "OrgConfig")).toBe(false);
+        expect(ability.can("delete", "OrgConfig")).toBe(false);
+        expect(ability.can("create", "Pii")).toBe(false);
+        expect(ability.can("update", "Pii")).toBe(false);
+        expect(ability.can("delete", "Pii")).toBe(false);
+    });
+    it("cannot bypass Pii scrubbing (Phase 1e M3)", () => {
+        // The bypass action is reserved for manage-grade principals. Admins
+        // cannot bypass PII even though they can read the PII config.
+        expect(ability.can("bypass", "Pii")).toBe(false);
+    });
+    it("cannot bypass the wildcard", () => {
+        expect(ability.can("manage", "all")).toBe(false);
+    });
+    // Phase 1b: admin can manage graph, import, org config subjects
+    it("can manage Node, Import, Domain, Workspace, AgentRun, OrgAgentConfig, OrgEmbedding (Phase 1b)", () => {
+        for (const subject of [
+            "Node",
+            "Import",
+            "Domain",
+            "Workspace",
+            "AgentRun",
+            "OrgAgentConfig",
+            "OrgEmbedding",
+            "UserSecret",
+        ]) {
+            expect(ability.can("create", subject)).toBe(true);
+            expect(ability.can("read", subject)).toBe(true);
+            expect(ability.can("update", subject)).toBe(true);
+            expect(ability.can("delete", subject)).toBe(true);
+        }
+    });
+    it("can read Search (Phase 1b)", () => {
+        expect(ability.can("read", "Search")).toBe(true);
+        expect(ability.can("create", "Search")).toBe(false);
+        expect(ability.can("update", "Search")).toBe(false);
+        expect(ability.can("delete", "Search")).toBe(false);
+    });
+});
+describe("buildAbility(UserPrincipal) — member", () => {
+    const member = {
+        type: "user",
+        id: "u-3",
+        email: "member@example.com",
+        organizationId: "org-1",
+        role: "member",
+    };
+    const ability = buildAbility(member);
+    it("can read Organization, Membership, OrgConfig, AgentSchedule, and Pii", () => {
+        expect(ability.can("read", "Organization")).toBe(true);
+        expect(ability.can("read", "Membership")).toBe(true);
+        expect(ability.can("read", "OrgConfig")).toBe(true);
+        expect(ability.can("read", "AgentSchedule")).toBe(true);
+        expect(ability.can("read", "Pii")).toBe(true);
+    });
+    it("cannot touch invites", () => {
+        expect(ability.can("read", "Invite")).toBe(false);
+        expect(ability.can("create", "Invite")).toBe(false);
+        expect(ability.can("update", "Invite")).toBe(false);
+        expect(ability.can("delete", "Invite")).toBe(false);
+    });
+    it("cannot create AgentSchedule in Phase 1e (no self-ID CASL conditions)", () => {
+        // Members cannot create schedules this phase — see the risk accepted
+        // in story 1a630ff2. CASL conditions for "own schedules" are not in
+        // the starter vocabulary, and member-created schedules would need
+        // handler-level self-ID enforcement that this phase does not bring in.
+        expect(ability.can("create", "AgentSchedule")).toBe(false);
+        expect(ability.can("update", "AgentSchedule")).toBe(false);
+        expect(ability.can("delete", "AgentSchedule")).toBe(false);
+    });
+    it("cannot write OrgConfig or Pii, cannot bypass Pii (Phase 1e H6/M3)", () => {
+        expect(ability.can("update", "OrgConfig")).toBe(false);
+        expect(ability.can("delete", "OrgConfig")).toBe(false);
+        expect(ability.can("update", "Pii")).toBe(false);
+        expect(ability.can("delete", "Pii")).toBe(false);
+        expect(ability.can("bypass", "Pii")).toBe(false);
+    });
+    it("cannot write anything on Phase 1e subjects", () => {
+        expect(ability.can("update", "Organization")).toBe(false);
+        expect(ability.can("create", "Membership")).toBe(false);
+        expect(ability.can("delete", "Membership")).toBe(false);
+    });
+    // Phase 1b: member can manage Node and Workspace (core graph work)
+    it("can manage Node and Workspace (Phase 1b — graph CRUD is the core work)", () => {
+        for (const subject of ["Node", "Workspace"]) {
+            expect(ability.can("create", subject)).toBe(true);
+            expect(ability.can("read", subject)).toBe(true);
+            expect(ability.can("update", subject)).toBe(true);
+            expect(ability.can("delete", subject)).toBe(true);
+        }
+    });
+    it("can manage UserSecret (Phase 1b — self-service tokens)", () => {
+        expect(ability.can("create", "UserSecret")).toBe(true);
+        expect(ability.can("read", "UserSecret")).toBe(true);
+        expect(ability.can("update", "UserSecret")).toBe(true);
+        expect(ability.can("delete", "UserSecret")).toBe(true);
+    });
+    it("can create and read AgentRun (Phase 1b)", () => {
+        expect(ability.can("create", "AgentRun")).toBe(true);
+        expect(ability.can("read", "AgentRun")).toBe(true);
+        expect(ability.can("update", "AgentRun")).toBe(false);
+        expect(ability.can("delete", "AgentRun")).toBe(false);
+    });
+    it("can read but not write Import, Domain, OrgAgentConfig, OrgEmbedding, Search (Phase 1b)", () => {
+        for (const subject of [
+            "Import",
+            "Domain",
+            "OrgAgentConfig",
+            "OrgEmbedding",
+            "Search",
+        ]) {
+            expect(ability.can("read", subject)).toBe(true);
+            expect(ability.can("create", subject)).toBe(false);
+            expect(ability.can("update", subject)).toBe(false);
+            expect(ability.can("delete", subject)).toBe(false);
+        }
+    });
+});
+describe("buildAbility(UserPrincipal) — none (no active org)", () => {
+    const unscoped = {
+        type: "user",
+        id: "u-4",
+        email: "new@example.com",
+        organizationId: null,
+        role: "none",
+    };
+    const ability = buildAbility(unscoped);
+    it("can read User (handler must verify self-ID)", () => {
+        expect(ability.can("read", "User")).toBe(true);
+    });
+    it("can create Membership for the accept-invite flow", () => {
+        expect(ability.can("create", "Membership")).toBe(true);
+    });
+    it("cannot read Organization or existing Memberships", () => {
+        expect(ability.can("read", "Organization")).toBe(false);
+        expect(ability.can("read", "Membership")).toBe(false);
+    });
+    it("cannot touch invites as a subject (they're accepted via a separate token flow, not CASL-gated)", () => {
+        expect(ability.can("manage", "Invite")).toBe(false);
+    });
+    it("can manage UserSecret even without an active org (Phase 1b)", () => {
+        expect(ability.can("create", "UserSecret")).toBe(true);
+        expect(ability.can("read", "UserSecret")).toBe(true);
+        expect(ability.can("update", "UserSecret")).toBe(true);
+        expect(ability.can("delete", "UserSecret")).toBe(true);
+    });
+    it("cannot touch Phase 1b org-scoped subjects without an active org", () => {
+        expect(ability.can("read", "Node")).toBe(false);
+        expect(ability.can("read", "Search")).toBe(false);
+        expect(ability.can("read", "Import")).toBe(false);
+        expect(ability.can("read", "Domain")).toBe(false);
+        expect(ability.can("read", "Workspace")).toBe(false);
+        expect(ability.can("read", "AgentRun")).toBe(false);
+        expect(ability.can("read", "OrgAgentConfig")).toBe(false);
+        expect(ability.can("read", "OrgEmbedding")).toBe(false);
+    });
+});
+// ── OrgAgentPrincipal ──────────────────────────────────────────────────────
+describe("buildAbility(OrgAgentPrincipal) — legacyApiKey (pre-Phase-1c)", () => {
+    const legacy = {
+        type: "org_agent",
+        id: "legacy-api-key:apikey-1",
+        organizationId: "org-1",
+        name: "legacy api key",
+        legacyApiKey: true,
+    };
+    const ability = buildAbility(legacy);
+    it("grants full org access matching current API-key behavior", () => {
+        expect(ability.can("manage", "all")).toBe(true);
+        expect(ability.can("read", "Organization")).toBe(true);
+        expect(ability.can("update", "Membership")).toBe(true);
+        expect(ability.can("delete", "Invite")).toBe(true);
+    });
+    // ── H4 interim-closure regression (Phase 1e) ────────────────────────────
+    //
+    // H4 ("API keys bound to agents with explicit permissions") is
+    // structurally blocked on the Phase 1c backfill of api_keys ->
+    // org_agent_types. Until that lands, the interim closure is that
+    // legacy api-keys synthesize an `OrgAgentPrincipal` with
+    // `legacyApiKey: true`, which grants `manage all`. The tests below
+    // lock in that interim behavior so that growing the CASL vocabulary
+    // (adding `OrgConfig`, `AgentSchedule`, `Pii`, and the new `bypass`
+    // action in Phase 1e) does NOT silently narrow what legacy api-keys
+    // can do. If any of these assertions ever flips to `false`, a
+    // production integration depending on the legacy api-key path has
+    // just lost access, and either the vocabulary change or the
+    // legacyApiKey branch in `buildAbility` needs to compensate.
+    it("H4 regression: legacy api-key can manage Phase 1e + 1b subjects", () => {
+        expect(ability.can("manage", "OrgConfig")).toBe(true);
+        expect(ability.can("manage", "AgentSchedule")).toBe(true);
+        expect(ability.can("manage", "Pii")).toBe(true);
+        // Phase 1b subjects — all must be accessible to legacy api-keys
+        expect(ability.can("manage", "Node")).toBe(true);
+        expect(ability.can("manage", "Search")).toBe(true);
+        expect(ability.can("manage", "Import")).toBe(true);
+        expect(ability.can("manage", "Domain")).toBe(true);
+        expect(ability.can("manage", "Workspace")).toBe(true);
+        expect(ability.can("manage", "AgentRun")).toBe(true);
+        expect(ability.can("manage", "OrgAgentConfig")).toBe(true);
+        expect(ability.can("manage", "OrgEmbedding")).toBe(true);
+        expect(ability.can("manage", "UserSecret")).toBe(true);
+    });
+    it("H4 regression: legacy api-key can bypass Pii via manage wildcard (M3 interim)", () => {
+        expect(ability.can("bypass", "Pii")).toBe(true);
+        expect(ability.can("bypass", "OrgConfig")).toBe(true);
+        expect(ability.can("bypass", "AgentSchedule")).toBe(true);
+    });
+    it("H4 regression: legacy api-key can do every concrete (action, subject) pair", () => {
+        for (const action of [
+            "create",
+            "read",
+            "update",
+            "delete",
+            "bypass",
+        ]) {
+            for (const subject of [
+                "Organization",
+                "Membership",
+                "Invite",
+                "User",
+                "OrgConfig",
+                "AgentSchedule",
+                "Pii",
+                "Node",
+                "Search",
+                "Import",
+                "Domain",
+                "Workspace",
+                "AgentRun",
+                "OrgAgentConfig",
+                "OrgEmbedding",
+                "UserSecret",
+            ]) {
+                expect(ability.can(action, subject)).toBe(true);
+            }
+        }
+    });
+});
+describe("buildAbility(OrgAgentPrincipal) — non-legacy (Phase 1c placeholder)", () => {
+    const modern = {
+        type: "org_agent",
+        id: "orgagent-1",
+        organizationId: "org-1",
+        name: "a real bound agent (Phase 1c)",
+        legacyApiKey: false,
+    };
+    const ability = buildAbility(modern);
+    it("denies by default — no rules until Phase 1c wires intrinsicPolicy", () => {
+        expect(ability.can("manage", "all")).toBe(false);
+        expect(ability.can("read", "Organization")).toBe(false);
+        expect(ability.can("read", "Membership")).toBe(false);
+    });
+});
+// ── DelegatedAgentPrincipal ────────────────────────────────────────────────
+describe("buildAbility(DelegatedAgentPrincipal) — rehydrated from capturedAbility", () => {
+    it("applies the captured rules exactly", () => {
+        // Fake captured snapshot: the agent can only read Organization and
+        // Membership — nothing else. Simulates a spawn-time intersection
+        // between a member user and a read-only agent policy.
+        const captured = [
+            { action: "read", subject: "Organization" },
+            { action: "read", subject: "Membership" },
+        ];
+        const delegated = {
+            type: "delegated_agent",
+            agentRunId: "run-1",
+            behalfOfUserId: "u-3",
+            organizationId: "org-1",
+            capturedAbility: captured,
+        };
+        const ability = buildAbility(delegated);
+        expect(ability.can("read", "Organization")).toBe(true);
+        expect(ability.can("read", "Membership")).toBe(true);
+        expect(ability.can("update", "Organization")).toBe(false);
+        expect(ability.can("create", "Invite")).toBe(false);
+        expect(ability.can("manage", "all")).toBe(false);
+    });
+    it("yields deny-by-default when capturedAbility is garbage", () => {
+        const delegated = {
+            type: "delegated_agent",
+            agentRunId: "run-2",
+            behalfOfUserId: "u-3",
+            organizationId: "org-1",
+            capturedAbility: "this is not an array",
+        };
+        const ability = buildAbility(delegated);
+        expect(ability.can("manage", "all")).toBe(false);
+        expect(ability.can("read", "Organization")).toBe(false);
+        expect(ability.can("read", "Membership")).toBe(false);
+    });
+    it("yields deny-by-default when capturedAbility is null", () => {
+        const delegated = {
+            type: "delegated_agent",
+            agentRunId: "run-3",
+            behalfOfUserId: "u-3",
+            organizationId: "org-1",
+            capturedAbility: null,
+        };
+        const ability = buildAbility(delegated);
+        expect(ability.can("manage", "all")).toBe(false);
+    });
+    it("yields deny-by-default when capturedAbility is an empty array", () => {
+        const delegated = {
+            type: "delegated_agent",
+            agentRunId: "run-4",
+            behalfOfUserId: "u-3",
+            organizationId: "org-1",
+            capturedAbility: [],
+        };
+        const ability = buildAbility(delegated);
+        expect(ability.can("read", "Organization")).toBe(false);
+    });
+    it("handles a wildcard captured rule", () => {
+        // An agent whose intrinsic policy was "manage all" and whose invoking
+        // user was an owner — the intersection is still "manage all".
+        const captured = [{ action: "manage", subject: "all" }];
+        const delegated = {
+            type: "delegated_agent",
+            agentRunId: "run-5",
+            behalfOfUserId: "u-1",
+            organizationId: "org-1",
+            capturedAbility: captured,
+        };
+        const ability = buildAbility(delegated);
+        expect(ability.can("manage", "all")).toBe(true);
+        expect(ability.can("delete", "Invite")).toBe(true);
+    });
+});
+// ── intersect() rule-set intersection (Phase 1d) ───────────────────────────
+/**
+ * Helper for the intersect() tests: instead of asserting on the raw rule
+ * structure (which would couple the tests to the uncompressed
+ * representation chosen in Phase 1d), we rehydrate the intersection into
+ * a CASL ability and check behavior via `.can()`. This is robust to any
+ * future change in how the intersection is serialized — compression,
+ * different ordering, wildcard collapsing — as long as the authorization
+ * semantics stay the same.
+ */
+function rehydrate(rules) {
+    return createMongoAbility(rules);
+}
+describe("intersect() — identity cases", () => {
+    it("empty ∩ empty → deny-by-default", () => {
+        const result = intersect([], []);
+        const ability = rehydrate(result);
+        expect(ability.can("read", "Organization")).toBe(false);
+        expect(ability.can("manage", "all")).toBe(false);
+    });
+    it("X ∩ empty → deny-by-default (the empty side wins)", () => {
+        const result = intersect([{ action: "manage", subject: "all" }], []);
+        const ability = rehydrate(result);
+        expect(ability.can("read", "Organization")).toBe(false);
+        expect(ability.can("manage", "all")).toBe(false);
+    });
+    it("empty ∩ X → deny-by-default (direction does not matter)", () => {
+        const result = intersect([], [{ action: "manage", subject: "all" }]);
+        const ability = rehydrate(result);
+        expect(ability.can("read", "Organization")).toBe(false);
+    });
+});
+describe("intersect() — full overlap", () => {
+    it("manage-all ∩ manage-all → functionally manage-all", () => {
+        const result = intersect([{ action: "manage", subject: "all" }], [{ action: "manage", subject: "all" }]);
+        const ability = rehydrate(result);
+        // Every concrete (action, subject) pair should be allowed. We test
+        // the functional behavior rather than the rule count — the Phase 1d
+        // implementation emits 16 concrete rules, but a future compression
+        // pass might emit just one `manage all`, and either is correct.
+        for (const action of ["create", "read", "update", "delete"]) {
+            for (const subject of [
+                "Organization",
+                "Membership",
+                "Invite",
+                "User",
+            ]) {
+                expect(ability.can(action, subject)).toBe(true);
+            }
+        }
+    });
+    it("identical non-wildcard inputs → the same rules (functionally)", () => {
+        const input = [
+            { action: "read", subject: "Organization" },
+            { action: "read", subject: "Membership" },
+        ];
+        const ability = rehydrate(intersect(input, input));
+        expect(ability.can("read", "Organization")).toBe(true);
+        expect(ability.can("read", "Membership")).toBe(true);
+        expect(ability.can("update", "Organization")).toBe(false);
+        expect(ability.can("manage", "all")).toBe(false);
+    });
+});
+describe("intersect() — wildcards restrict to the narrower side", () => {
+    it("manage-all ∩ [read Organization] → read Organization", () => {
+        const ability = rehydrate(intersect([{ action: "manage", subject: "all" }], [{ action: "read", subject: "Organization" }]));
+        expect(ability.can("read", "Organization")).toBe(true);
+        expect(ability.can("update", "Organization")).toBe(false);
+        expect(ability.can("read", "Membership")).toBe(false);
+        expect(ability.can("create", "Invite")).toBe(false);
+    });
+    it("[read Org, read Membership] ∩ manage-all → read Org, read Membership", () => {
+        const ability = rehydrate(intersect([
+            { action: "read", subject: "Organization" },
+            { action: "read", subject: "Membership" },
+        ], [{ action: "manage", subject: "all" }]));
+        expect(ability.can("read", "Organization")).toBe(true);
+        expect(ability.can("read", "Membership")).toBe(true);
+        expect(ability.can("read", "Invite")).toBe(false);
+        expect(ability.can("update", "Organization")).toBe(false);
+    });
+    it("manage-Organization ∩ read-everything-concrete → read Organization only", () => {
+        // "manage Invite" on the user side, "read all concrete subjects" on
+        // the agent side — only `read Invite` should survive (no other
+        // subject appears on both sides, and the actions intersect to
+        // {read} on Invite).
+        const ability = rehydrate(intersect([{ action: "manage", subject: "Invite" }], [
+            { action: "read", subject: "Organization" },
+            { action: "read", subject: "Membership" },
+            { action: "read", subject: "Invite" },
+            { action: "read", subject: "User" },
+        ]));
+        expect(ability.can("read", "Invite")).toBe(true);
+        expect(ability.can("update", "Invite")).toBe(false);
+        expect(ability.can("read", "Organization")).toBe(false);
+    });
+});
+describe("intersect() — disjoint inputs", () => {
+    it("[read Organization] ∩ [read Invite] → deny-by-default", () => {
+        const ability = rehydrate(intersect([{ action: "read", subject: "Organization" }], [{ action: "read", subject: "Invite" }]));
+        expect(ability.can("read", "Organization")).toBe(false);
+        expect(ability.can("read", "Invite")).toBe(false);
+        expect(ability.can("manage", "all")).toBe(false);
+    });
+    it("[read Organization] ∩ [update Organization] → deny-by-default (same subject, different actions)", () => {
+        const ability = rehydrate(intersect([{ action: "read", subject: "Organization" }], [{ action: "update", subject: "Organization" }]));
+        expect(ability.can("read", "Organization")).toBe(false);
+        expect(ability.can("update", "Organization")).toBe(false);
+    });
+});
+describe("intersect() — realistic spawn scenarios", () => {
+    it("admin user ∩ invite-bot agent → the admin's Invite management, nothing else", () => {
+        // Mirrors the actual rule set buildAbility() emits for an admin
+        // UserPrincipal, intersected with an agent whose intrinsic policy
+        // is "manage Invite".
+        const adminRules = [
+            { action: "manage", subject: "Invite" },
+            { action: "read", subject: "Organization" },
+            { action: "read", subject: "Membership" },
+        ];
+        const inviteBotPolicy = [
+            { action: "manage", subject: "Invite" },
+        ];
+        const ability = rehydrate(intersect(adminRules, inviteBotPolicy));
+        expect(ability.can("create", "Invite")).toBe(true);
+        expect(ability.can("read", "Invite")).toBe(true);
+        expect(ability.can("update", "Invite")).toBe(true);
+        expect(ability.can("delete", "Invite")).toBe(true);
+        // Read-only affordances from the admin side should NOT leak through:
+        // the bot's intrinsic policy does not include them.
+        expect(ability.can("read", "Organization")).toBe(false);
+        expect(ability.can("read", "Membership")).toBe(false);
+    });
+    it("member user ∩ manage-all agent → member's read affordances only", () => {
+        // A read-only user runs a powerful agent: the intersection is
+        // bounded by the user, not by the agent. This is the whole reason
+        // the intersection is computed in the first place.
+        const memberRules = [
+            { action: "read", subject: "Organization" },
+            { action: "read", subject: "Membership" },
+        ];
+        const powerfulAgentPolicy = [
+            { action: "manage", subject: "all" },
+        ];
+        const ability = rehydrate(intersect(memberRules, powerfulAgentPolicy));
+        expect(ability.can("read", "Organization")).toBe(true);
+        expect(ability.can("read", "Membership")).toBe(true);
+        expect(ability.can("create", "Invite")).toBe(false);
+        expect(ability.can("manage", "all")).toBe(false);
+        expect(ability.can("update", "Organization")).toBe(false);
+    });
+});
+describe("intersect() — Phase 1e bypass semantics", () => {
+    // These tests lock in the delegation behavior for the bypass action
+    // added in Phase 1e. The crucial property is that `bypass Pii` is
+    // captured at spawn time only if BOTH the invoking user AND the agent's
+    // intrinsic policy include it. That is the whole point of the
+    // intersect — a member user running a manage-all agent never gets
+    // bypass authority, even though the agent's policy has it.
+    it("owner ∩ manage-all agent → bypass Pii survives", () => {
+        // Mirrors an owner spawning an agent with `manage all` intrinsic
+        // policy. Both sides grant bypass via the wildcard, so the
+        // intersection includes it.
+        const ownerRules = [{ action: "manage", subject: "all" }];
+        const agentPolicy = [{ action: "manage", subject: "all" }];
+        const ability = rehydrate(intersect(ownerRules, agentPolicy));
+        expect(ability.can("bypass", "Pii")).toBe(true);
+    });
+    it("member ∩ manage-all agent → bypass Pii does NOT survive (the whole point)", () => {
+        // The member's captured ability does not include bypass on any
+        // subject. Running a powerful agent does not broaden that — the
+        // delegated agent inherits the floor, not the ceiling.
+        const memberRules = [
+            { action: "read", subject: "Organization" },
+            { action: "read", subject: "Membership" },
+            { action: "read", subject: "OrgConfig" },
+            { action: "read", subject: "AgentSchedule" },
+            { action: "read", subject: "Pii" },
+        ];
+        const agentPolicy = [{ action: "manage", subject: "all" }];
+        const ability = rehydrate(intersect(memberRules, agentPolicy));
+        expect(ability.can("bypass", "Pii")).toBe(false);
+        // And the member's read affordances still come through.
+        expect(ability.can("read", "OrgConfig")).toBe(true);
+        expect(ability.can("read", "Pii")).toBe(true);
+    });
+    it("owner ∩ read-only agent → bypass does NOT survive (agent side blocks it)", () => {
+        // An agent whose intrinsic policy is `read Pii` does not grant
+        // bypass, regardless of how powerful the invoking user is. The
+        // intersection respects the agent's narrower grant.
+        const ownerRules = [{ action: "manage", subject: "all" }];
+        const readOnlyAgent = [
+            { action: "read", subject: "Pii" },
+        ];
+        const ability = rehydrate(intersect(ownerRules, readOnlyAgent));
+        expect(ability.can("bypass", "Pii")).toBe(false);
+        expect(ability.can("read", "Pii")).toBe(true);
+        expect(ability.can("update", "Pii")).toBe(false);
+    });
+});
+describe("intersect() — unsupported rule shapes", () => {
+    it("rejects a conditional rule on the left side", () => {
+        const leftWithCondition = [
+            {
+                action: "read",
+                subject: "Organization",
+                conditions: { organizationId: "org-1" },
+            },
+        ];
+        expect(() => intersect(leftWithCondition, [])).toThrow(UnsupportedIntersectionError);
+        expect(() => intersect(leftWithCondition, [])).toThrow(/left\[0\]/);
+    });
+    it("rejects a conditional rule on the right side", () => {
+        const rightWithCondition = [
+            {
+                action: "read",
+                subject: "Organization",
+                conditions: { organizationId: "org-1" },
+            },
+        ];
+        expect(() => intersect([], rightWithCondition)).toThrow(UnsupportedIntersectionError);
+        expect(() => intersect([], rightWithCondition)).toThrow(/right\[0\]/);
+    });
+    it("rejects a field-scoped rule", () => {
+        const withFields = [
+            {
+                action: "read",
+                subject: "Organization",
+                fields: ["name"],
+            },
+        ];
+        expect(() => intersect(withFields, [])).toThrow(UnsupportedIntersectionError);
+        expect(() => intersect(withFields, [])).toThrow(/field scoping/);
+    });
+    it("identifies the offending index in a multi-rule input", () => {
+        const rules = [
+            { action: "read", subject: "Organization" },
+            { action: "read", subject: "Membership" },
+            {
+                action: "read",
+                subject: "Invite",
+                conditions: { organizationId: "org-1" },
+            },
+        ];
+        expect(() => intersect(rules, [])).toThrow(/left\[2\]/);
+    });
+});
+//# sourceMappingURL=ability.test.js.map