@tellescope/sdk 1.247.0 → 1.249.0

package/src/tests/api_tests/managed_content_file_access.test.ts

@@ -0,0 +1,214 @@
+require('source-map-support').install();
+
+import * as buffer from 'buffer'
+import { Session, EnduserSession } from "../../sdk"
+import {
+  async_test,
+  log_header,
+} from "@tellescope/testing"
+import { setup_tests } from "../setup"
+
+const host = process.env.API_URL || 'http://localhost:8080' as const
+const businessId = '60398b1131a295e64f084ff6'
+
+/**
+ * Tests for file_download_URL enduser access via managed content fallback.
+ *
+ * Verifies the backend fallback logic that allows endusers to access files
+ * attached to managed content records they have access to, even when the
+ * file itself does not have enduserId set or publicRead: true.
+ */
+export const managed_content_file_access_tests = async ({ sdk, sdkNonAdmin }: { sdk: Session, sdkNonAdmin: Session }) => {
+  log_header("Managed Content File Access Tests")
+
+  const contentRecordIds: string[] = []
+  const assignmentIds: string[] = []
+  const fileIds: string[] = []
+  let testEnduserId: string | undefined
+  let otherEnduserId: string | undefined
+  let enduserSDK: EnduserSession | undefined
+  let otherEnduserSDK: EnduserSession | undefined
+
+  const uploadFile = async (
+    name: string,
+    opts: { enduserId?: string, publicRead?: boolean } = {}
+  ) => {
+    const buff = buffer.Buffer.from(`test file content for ${name}`)
+    const { presignedUpload, file } = await sdk.api.files.prepare_file_upload({
+      name,
+      type: 'text/plain',
+      size: buff.byteLength,
+      ...opts,
+    })
+    await sdk.UPLOAD(presignedUpload as any, buff)
+    await sdk.api.files.confirm_file_upload({ id: file.id })
+    fileIds.push(file.id)
+    return file
+  }
+
+  try {
+    console.log("Setting up test data...")
+
+    const testEnduser = await sdk.api.endusers.createOne({
+      email: `mcr_file_access_test_${Date.now()}@test.tellescope.com`,
+    })
+    testEnduserId = testEnduser.id
+    await sdk.api.endusers.set_password({ id: testEnduser.id, password: 'TestPassword123!' })
+
+    const otherEnduser = await sdk.api.endusers.createOne({
+      email: `mcr_file_access_other_${Date.now()}@test.tellescope.com`,
+    })
+    otherEnduserId = otherEnduser.id
+    await sdk.api.endusers.set_password({ id: otherEnduser.id, password: 'TestPassword123!' })
+
+    enduserSDK = new EnduserSession({ host, businessId })
+    await enduserSDK.authenticate(testEnduser.email!, 'TestPassword123!')
+
+    otherEnduserSDK = new EnduserSession({ host, businessId })
+    await otherEnduserSDK.authenticate(otherEnduser.email!, 'TestPassword123!')
+
+    // ===== Test 1: File attached to assignmentType: 'All' content - enduser CAN access =====
+    const fileForAll = await uploadFile('mcr-file-all.txt')
+    const contentAll = await sdk.api.managed_content_records.createOne({
+      title: 'MCR File Access - All',
+      htmlContent: '<p>All</p>',
+      textContent: 'All',
+      assignmentType: 'All',
+      attachments: [{ secureName: fileForAll.secureName, type: 'file', name: fileForAll.name }],
+    })
+    contentRecordIds.push(contentAll.id)
+
+    await async_test(
+      'staff-uploaded file in assignmentType:All content - enduser CAN access',
+      async () => {
+        const result = await enduserSDK!.api.files.file_download_URL({ secureName: fileForAll.secureName })
+        return !!result?.downloadURL
+      },
+      { onResult: (r) => r === true }
+    )
+
+    // ===== Test 2: File attached to Individual content for enduser A - enduser B CANNOT access =====
+    const fileForIndividual = await uploadFile('mcr-file-individual.txt')
+    const contentIndividual = await sdk.api.managed_content_records.createOne({
+      title: 'MCR File Access - Individual',
+      htmlContent: '<p>Individual</p>',
+      textContent: 'Individual',
+      enduserId: testEnduser.id,
+      attachments: [{ secureName: fileForIndividual.secureName, type: 'file', name: fileForIndividual.name }],
+    })
+    contentRecordIds.push(contentIndividual.id)
+
+    await async_test(
+      'file attached to Individual content - assigned enduser CAN access',
+      async () => {
+        const result = await enduserSDK!.api.files.file_download_URL({ secureName: fileForIndividual.secureName })
+        return !!result?.downloadURL
+      },
+      { onResult: (r) => r === true }
+    )
+
+    await async_test(
+      'file attached to Individual content - unassigned enduser CANNOT access',
+      async () => {
+        try {
+          await otherEnduserSDK!.api.files.file_download_URL({ secureName: fileForIndividual.secureName })
+          return false
+        } catch (err) {
+          return true
+        }
+      },
+      { onResult: (r) => r === true }
+    )
+
+    // ===== Test 3: File not attached to any managed content - enduser CANNOT access =====
+    const fileNoContent = await uploadFile('mcr-file-no-content.txt')
+
+    await async_test(
+      'file not attached to any managed content - enduser CANNOT access',
+      async () => {
+        try {
+          await enduserSDK!.api.files.file_download_URL({ secureName: fileNoContent.secureName })
+          return false
+        } catch (err) {
+          return true
+        }
+      },
+      { onResult: (r) => r === true }
+    )
+
+    // ===== Test 4: File with enduserId set - existing behavior preserved =====
+    const fileWithEnduser = await uploadFile('mcr-file-with-enduser.txt', { enduserId: testEnduser.id })
+
+    await async_test(
+      'file with enduserId set - enduser CAN access (no fallback needed)',
+      async () => {
+        const result = await enduserSDK!.api.files.file_download_URL({ secureName: fileWithEnduser.secureName })
+        return !!result?.downloadURL
+      },
+      { onResult: (r) => r === true }
+    )
+
+    // ===== Test 5: File with publicRead: true - existing behavior preserved =====
+    const filePublic = await uploadFile('mcr-file-public.txt', { publicRead: true })
+
+    await async_test(
+      'file with publicRead - enduser CAN access',
+      async () => {
+        const result = await enduserSDK!.api.files.file_download_URL({ secureName: filePublic.secureName })
+        return !!result?.downloadURL
+      },
+      { onResult: (r) => r === true }
+    )
+
+    console.log("All Managed Content File Access tests passed!")
+
+  } finally {
+    console.log("Cleaning up test data...")
+
+    try {
+      for (const assignmentId of assignmentIds) {
+        await sdk.api.managed_content_record_assignments.deleteOne(assignmentId).catch(() => {})
+      }
+
+      for (const recordId of contentRecordIds) {
+        await sdk.api.managed_content_records.deleteOne(recordId).catch(() => {})
+      }
+
+      for (const fileId of fileIds) {
+        await sdk.api.files.deleteOne(fileId).catch(() => {})
+      }
+
+      if (testEnduserId) {
+        await sdk.api.endusers.deleteOne(testEnduserId).catch(() => {})
+      }
+      if (otherEnduserId) {
+        await sdk.api.endusers.deleteOne(otherEnduserId).catch(() => {})
+      }
+
+      console.log("Cleanup completed")
+    } catch (error) {
+      console.error('Cleanup error:', error)
+    }
+  }
+}
+
+if (require.main === module) {
+  console.log(`Using API URL: ${host}`)
+  const sdk = new Session({ host })
+  const sdkNonAdmin = new Session({ host })
+
+  const runTests = async () => {
+    await setup_tests(sdk, sdkNonAdmin)
+    await managed_content_file_access_tests({ sdk, sdkNonAdmin })
+  }
+
+  runTests()
+    .then(() => {
+      console.log("Managed content file access test suite completed successfully")
+      process.exit(0)
+    })
+    .catch((error) => {
+      console.error("Managed content file access test suite failed:", error)
+      process.exit(1)
+    })
+}

package/src/tests/api_tests/openloop_webhooks.test.ts

@@ -144,6 +144,27 @@ export const openloop_webhooks_tests = async ({ sdk, sdkNonAdmin }: { sdk: Sessi
       { onResult: (r: boolean) => r === true }
     )
 
+    await async_test(
+      'V1: order_confirmation maps program_code to protocol field',
+      async () => {
+        const orderNum = `ol-conf-protocol-${uid()}`
+        const res = await postV1(makeV1Confirmation({
+          patientID: healthieId1,
+          orderNumber: orderNum,
+          program_code: 'Weight-Loss',
+        }))
+        assert(res.status === 200, `Expected 200, got ${res.status}`)
+
+        const orders = await sdk.api.enduser_orders.getSome({
+          filter: { source: 'OpenLoop', externalId: orderNum }
+        })
+        assert(orders.length === 1, `Expected 1 order, got ${orders.length}`)
+        assert(orders[0].protocol === 'Weight-Loss', `protocol mismatch: ${orders[0].protocol}`)
+        return true
+      },
+      { onResult: (r: boolean) => r === true }
+    )
+
     await async_test(
       'V1: order_confirmation idempotency - same order not duplicated',
       async () => {
@@ -314,6 +335,28 @@ export const openloop_webhooks_tests = async ({ sdk, sdkNonAdmin }: { sdk: Sessi
       { onResult: (r: boolean) => r === true }
     )
 
+    await async_test(
+      'V1: order_shipped maps program_code to protocol field',
+      async () => {
+        const orderNum = `ol-ship-protocol-${uid()}`
+        await postV1(makeV1Confirmation({ patientID: healthieId1, orderNumber: orderNum }))
+        const res = await postV1(makeV1Shipped({
+          patientID: healthieId1,
+          orderNumber: orderNum,
+          program_code: 'Diabetes',
+        }))
+        assert(res.status === 200, `Expected 200, got ${res.status}`)
+
+        const orders = await sdk.api.enduser_orders.getSome({
+          filter: { source: 'OpenLoop', externalId: orderNum }
+        })
+        assert(orders.length === 1, `Expected 1 order, got ${orders.length}`)
+        assert(orders[0].protocol === 'Diabetes', `protocol mismatch: ${orders[0].protocol}`)
+        return true
+      },
+      { onResult: (r: boolean) => r === true }
+    )
+
     // ===== SECTION D: V1 enduserId Isolation =====
     log_header("V1 enduserId Isolation")
 
@@ -414,6 +457,27 @@ export const openloop_webhooks_tests = async ({ sdk, sdkNonAdmin }: { sdk: Sessi
       { onResult: (r: boolean) => r === true }
     )
 
+    await async_test(
+      'V2: prescription-created maps program_code to protocol field',
+      async () => {
+        const orderNum = `v2-protocol-${uid()}`
+        const res = await postV2(makeV2Payload('prescription-created', {
+          id: orderNum,
+          patientId: healthieId1,
+          program_code: 'GLP-1',
+        }))
+        assert(res.status === 200, `Expected 200, got ${res.status}`)
+
+        const orders = await sdk.api.enduser_orders.getSome({
+          filter: { source: 'OpenLoop', externalId: orderNum }
+        })
+        assert(orders.length === 1, `Expected 1 order, got ${orders.length}`)
+        assert(orders[0].protocol === 'GLP-1', `protocol mismatch: ${orders[0].protocol}`)
+        return true
+      },
+      { onResult: (r: boolean) => r === true }
+    )
+
     await async_test(
       'V2: prescription-shipped updates with carrier and tracking',
       async () => {

package/src/tests/api_tests/organization_settings_duplicates.test.ts

@@ -176,6 +176,20 @@ export const organization_settings_duplicates_tests = async ({ sdk, sdkNonAdmin
       },
     }
   }, { replaceObjectFields: true })
+
+  // === D. subdomain is readonly ===
+  const orgBefore = await sdk.api.organizations.getOne(orgId)
+  await async_test(
+    "subdomain field is readonly — update does not change persisted value",
+    async () => {
+      await sdk.api.organizations.updateOne(orgId, {
+        subdomain: `readonly-attempt-${Date.now()}`,
+      } as any).catch(() => undefined) // tolerate either silent-drop or unknown-field rejection
+      const orgAfter = await sdk.api.organizations.getOne(orgId)
+      return orgAfter.subdomain === orgBefore.subdomain
+    },
+    { onResult: (unchanged: boolean) => unchanged === true }
+  )
 }
 
 // Allow running this test file independently

package/src/tests/tests.ts

@@ -36,6 +36,7 @@ import {
 
 import { Session, APIQuery, EnduserSession } from "../sdk"
 import { enduser_observations_acknowledge_tests } from "./api_tests/enduser_observations_acknowledge.test"
+import { integrations_redacted_tests } from "./api_tests/integrations_redacted.test"
 import { get_some_projection_tests } from "./api_tests/get_some_projection.test"
 import { mdb_sort_tests } from "./api_tests/mdb_sort.test"
 import { create_user_notifications_trigger_tests } from "./api_tests/create_user_notifications_trigger.test"
@@ -73,26 +74,34 @@ import {
 
 import fs from "fs"
 import { load_inbox_data_tests } from "./api_tests/load_inbox_data.test";
+import { eom_procedure_codes_tests } from "./api_tests/eom_procedure_codes.test";
+import { cross_org_api_key_tests } from "./api_tests/cross_org_api_key.test";
 import { custom_dashboards_tests } from "./api_tests/custom_dashboards.test";
 import { message_assignment_trigger_tests } from "./api_tests/message_assignment_trigger.test";
 import { time_tracks_tests, time_tracks_historical_tests, time_tracks_correction_tests, time_tracks_review_tests, time_tracks_lock_tests, time_tracks_edge_case_tests } from "./api_tests/time_tracks.test";
 import { monthly_availability_restrictions_tests } from "./api_tests/monthly_availability_restrictions.test";
 import { calendar_event_limits_tests } from "./api_tests/calendar_event_limits.test";
 import { custom_aggregation_tests } from "./api_tests/custom_aggregation.test";
+import { chats_analytics_tests } from "./api_tests/chats_analytics.test";
 import { no_access_permission_checks_tests } from "./api_tests/no_access_permission_checks.test";
+import { field_redaction_tests } from "./api_tests/field_redaction.test";
 import { bulk_assignment_tests } from "./api_tests/bulk_assignment.test";
 import { managed_content_enduser_access_tests } from "./api_tests/managed_content_enduser_access.test";
+import { managed_content_file_access_tests } from "./api_tests/managed_content_file_access.test";
 import { auto_merge_form_submission_tests } from "./api_tests/auto_merge_form_submission.test";
 import { database_cascade_delete_tests } from "./api_tests/database_cascade_delete.test";
 import { ai_conversations_tests } from "./api_tests/ai_conversations.test";
 import { load_team_chat_tests } from "./api_tests/load_team_chat.test";
 import { form_started_trigger_tests } from "./api_tests/form_started_trigger.test";
+import { form_submitted_trigger_tests } from "./api_tests/form_submitted_trigger.test";
 import { medication_added_trigger_tests } from "./api_tests/medication_added_trigger.test";
 import { elation_user_id_tests } from "./api_tests/elation_user_id.test";
 import { organization_settings_duplicates_tests } from "./api_tests/organization_settings_duplicates.test";
 import { calendar_events_bulk_update_tests } from "./api_tests/calendar_events_bulk_update.test";
 import { openloop_webhooks_tests } from "./api_tests/openloop_webhooks.test";
 import { beluga_pharmacy_mappings_tests } from "./api_tests/beluga_pharmacy_mappings.test";
+import { date_string_validation_tests } from "./api_tests/date_string_validation.test";
+import { enduser_session_invalidation_tests } from "./api_tests/enduser_session_invalidation.test";
 
 const UniquenessViolationMessage = 'Uniqueness Violation'
 
@@ -3429,6 +3438,12 @@ const order_status_equals_tests = async () => {
     status: 'Active',
     title: "Title Partial And Condition"
   })
+  const t9 = await sdk.api.automation_triggers.createOne({
+    event: { type: 'Order Status Equals', info: { source: 'Source', status: "Update", protocols: ['Protocol-A'] } },
+    action: { type: 'Add Tags', info: { tags: ['Protocol Match'] }},
+    status: 'Active',
+    title: "Protocol Condition"
+  })
 
   const e = await sdk.api.endusers.createOne({})
 
@@ -3610,6 +3625,38 @@ const order_status_equals_tests = async () => {
     ) }
   )
 
+  await sdk.api.enduser_orders.updateOne(u.id, { status: 'Toggle', externalId: "also avoid rate limit 7" })
+  await sdk.api.enduser_orders.updateOne(u.id, { status: "Update", protocol: 'Protocol-Mismatch', externalId: 'avoid rate limiting 7' })
+  await wait(undefined, 500) // allow triggers to happen
+  await async_test(
+    "Protocol no match (wrong protocol)",
+    () => sdk.api.endusers.getOne(e.id),
+    { onResult: e => !!(
+       e.tags?.length === 8
+    && !e.tags?.includes('Protocol Match')
+    ) }
+  )
+
+  await sdk.api.enduser_orders.updateOne(u.id, { status: 'Toggle', externalId: "also avoid rate limit 8" })
+  await sdk.api.enduser_orders.updateOne(u.id, { status: "Update", protocol: 'Protocol-A', externalId: 'avoid rate limiting 8' })
+  await wait(undefined, 500) // allow triggers to happen
+  await async_test(
+    "Protocol match tag added",
+    () => sdk.api.endusers.getOne(e.id),
+    { onResult: e => !!(
+       e.tags?.length === 9
+    && e.tags?.includes('Source')
+    && e.tags?.includes('Fill')
+    && e.tags?.includes('Status Update')
+    && e.tags?.includes('Fill Update')
+    && e.tags?.includes('SKU Update')
+    && e.tags?.includes('SKU Partial Update')
+    && e.tags?.includes('Title Partial Update')
+    && e.tags?.includes('Title Partial And Update')
+    && e.tags?.includes('Protocol Match')
+    ) }
+  )
+
   await Promise.all([
     sdk.api.automation_triggers.deleteOne(t1.id),
     sdk.api.automation_triggers.deleteOne(t2.id),
@@ -3619,6 +3666,7 @@ const order_status_equals_tests = async () => {
     sdk.api.automation_triggers.deleteOne(t6.id),
     sdk.api.automation_triggers.deleteOne(t7.id),
     sdk.api.automation_triggers.deleteOne(t8.id),
+    sdk.api.automation_triggers.deleteOne(t9.id),
     sdk.api.endusers.deleteOne(e.id),
   ])
 }
@@ -5016,8 +5064,8 @@ const trigger_events_api_tests = async () => {
 const automation_trigger_tests = async () => {
   log_header("Automation Trigger Tests")
 
-  await medication_added_trigger_tests({ sdk, sdkNonAdmin })
   await order_status_equals_tests()
+  await medication_added_trigger_tests({ sdk, sdkNonAdmin })
   await appointment_cancelled_tests()
   await set_fields_tests()
   await purchase_made_trigger_tests({ sdk, sdkNonAdmin })
@@ -8588,7 +8636,7 @@ export const formsort_tests = async () => {
   const form = await sdk.api.forms.createOne({ title: "FormSort" })
 
   const postToFormsort = async ({ matchByName=false, createNewEnduser=false, enduserId, returnJSON=false, ...o }: {
-    answers: { key: string, value: any }[],
+    answers: { key: string, value: any, label?: string }[],
     responder_uuid: string,
     finalized: boolean,
     matchByName?: boolean,
@@ -8605,8 +8653,8 @@ export const formsort_tests = async () => {
     return await axios.post(url.toString(), o)
   }
 
-  const postToFormsortGeneric = async ({ matchByName=false, createNewEnduser=false, ...o }: { 
-    answers: { key: string, value: any }[],
+  const postToFormsortGeneric = async ({ matchByName=false, createNewEnduser=false, ...o }: {
+    answers: { key: string, value: any, label?: string }[],
     responder_uuid: string,
     finalized: boolean,
     matchByName?: boolean,
@@ -8985,6 +9033,37 @@ export const formsort_tests = async () => {
     onResult: r => r?.fname === 'ChangedFirst' && r?.lname === 'ChangedLast'
   })
 
+  // Test label as fieldTitle
+  const validateFieldTitle = (fr: { responses?: { externalId?: string, fieldTitle?: string }[] }, key: string, expectedTitle: string): boolean => {
+    return fr.responses?.find(r => r.externalId === key)?.fieldTitle === expectedTitle
+  }
+
+  // Label provided: fieldTitle should use label, externalId should use key
+  await postToFormsort({
+    answers: [
+      { key: 'email', value: 'label-test@tellescope.com' },
+      { key: 'label_test_key', value: 'test_value', label: 'My Custom Label' },
+    ],
+    responder_uuid: "label-test",
+    finalized: true,
+  })
+  await async_test(`label as fieldTitle`, () => sdk.api.form_responses.getOne({ externalId: 'label-test' }), {
+    onResult: r => validateFieldTitle(r, 'label_test_key', 'My Custom Label')
+  })
+
+  // No label: fieldTitle should fall back to key
+  await postToFormsort({
+    answers: [
+      { key: 'email', value: 'no-label-test@tellescope.com' },
+      { key: 'no_label_key', value: 'test_value' },
+    ],
+    responder_uuid: "no-label-test",
+    finalized: true,
+  })
+  await async_test(`no label falls back to key as fieldTitle`, () => sdk.api.form_responses.getOne({ externalId: 'no-label-test' }), {
+    onResult: r => validateFieldTitle(r, 'no_label_key', 'no_label_key')
+  })
+
   // cleanup
   const endusers = await sdk.api.endusers.getSome()
   await Promise.all([
@@ -14126,8 +14205,18 @@ const ip_address_form_tests = async () => {
     await replace_enduser_template_values_tests()
     await mfa_tests()
     await setup_tests(sdk, sdkNonAdmin)
-    await mdb_sort_tests({ sdk, sdkNonAdmin })
+    await eom_procedure_codes_tests({ sdk, sdkNonAdmin })
+    await cross_org_api_key_tests({ sdk, sdkNonAdmin })
     await organization_settings_duplicates_tests({ sdk, sdkNonAdmin })
+    await enduser_session_invalidation_tests({ sdk, sdkNonAdmin })
+    await chats_analytics_tests({ sdk, sdkNonAdmin })
+    await field_redaction_tests({ sdk, sdkNonAdmin })
+    await form_submitted_trigger_tests({ sdk, sdkNonAdmin })
+    await date_string_validation_tests({ sdk, sdkNonAdmin })
+    await openloop_webhooks_tests({ sdk, sdkNonAdmin })
+    await automation_trigger_tests()
+    await integrations_redacted_tests({ sdk, sdkNonAdmin })
+    await mdb_sort_tests({ sdk, sdkNonAdmin })
     await search_tests()
     await time_tracks_tests({ sdk, sdkNonAdmin })
     await time_tracks_historical_tests({ sdk, sdkNonAdmin })
@@ -14136,8 +14225,6 @@ const ip_address_form_tests = async () => {
     await time_tracks_lock_tests({ sdk, sdkNonAdmin })
     await time_tracks_edge_case_tests({ sdk, sdkNonAdmin })
     await calendar_event_limits_tests({ sdk, sdkNonAdmin })
-    await openloop_webhooks_tests({ sdk, sdkNonAdmin })
-    await automation_trigger_tests()
     await get_some_projection_tests({ sdk, sdkNonAdmin })
     await elation_user_id_tests({ sdk, sdkNonAdmin })
     await custom_dashboards_tests({ sdk, sdkNonAdmin })
@@ -14156,6 +14243,7 @@ const ip_address_form_tests = async () => {
     await beluga_pharmacy_mappings_tests({ sdk, sdkNonAdmin })
     await threadKeyTests()
     await managed_content_enduser_access_tests({ sdk, sdkNonAdmin })
+    await managed_content_file_access_tests({ sdk, sdkNonAdmin })
     await afteraction_day_of_month_delay_tests({ sdk, sdkNonAdmin })
     await bulk_assignment_tests({ sdk, sdkNonAdmin })
     await formsort_tests()