@tellescope/sdk 1.250.2 → 1.251.0

package/src/tests/api_tests/enduser_login.test.ts

@@ -0,0 +1,215 @@
+require('source-map-support').install();
+
+import axios from "axios"
+import { Session } from "../../sdk"
+import {
+  async_test,
+  log_header,
+} from "@tellescope/testing"
+import { setup_tests } from "../setup"
+
+const host = process.env.API_URL || 'http://localhost:8080' as const
+
+// Coverage for the /v1/login-enduser response surface:
+// - When an enduser has no password set, the error response must not include
+//   enduser fields (PHI, hashedPassword, etc.).
+// - The "enduser not found" and "wrong password" cases must be indistinguishable
+//   (same status code, same message) to prevent account enumeration.
+// - verify_otp invalid-code error must not include enduser fields.
+
+const post_login = async (body: any) => {
+  try {
+    const res = await axios.post(`${host}/v1/login-enduser`, body, { validateStatus: () => true })
+    return { status: res.status, data: res.data }
+  } catch (err: any) {
+    return { status: err?.response?.status, data: err?.response?.data }
+  }
+}
+
+export const enduser_login_tests = async ({ sdk, sdkNonAdmin } : { sdk: Session, sdkNonAdmin: Session }) => {
+  log_header("Enduser Login Tests")
+
+  const ts = Date.now()
+  // Distinctive markers we can grep the response body for.
+  const MARKER_FNAME = `LoginTestFname${ts}`
+  const MARKER_ADDRESS = `${ts} Test Way`
+  const MARKER_DOB = '01-01-1990'
+
+  const noPasswordEnduser = await sdk.api.endusers.createOne({
+    fname: MARKER_FNAME,
+    lname: 'LoginTest',
+    email: `login-test-no-password-${ts}@tellescope.com`,
+    dateOfBirth: MARKER_DOB,
+    addressLineOne: MARKER_ADDRESS,
+    addressLineTwo: 'Apt 4B',
+    city: 'Springfield',
+    state: 'IL',
+    zipCode: '62701',
+    gender: 'Female',
+    assignedTo: [sdk.userInfo.id],
+    fields: { secretField: `should-not-leak-${ts}` },
+    tags: ['vip', 'sensitive'],
+  })
+
+  const withPasswordEnduser = await sdk.api.endusers.createOne({
+    fname: 'PasswordedEnduser',
+    lname: 'LoginTest',
+    email: `login-test-with-password-${ts}@tellescope.com`,
+  })
+  await sdk.api.endusers.set_password({ id: withPasswordEnduser.id, password: 'CorrectPassword123!' })
+
+  try {
+    // Login response for an enduser without a password set must not include
+    // enduser fields.
+    const noPasswordResp = await post_login({
+      email: noPasswordEnduser.email,
+      password: 'arbitrary-password',
+      businessId: sdk.userInfo.businessId,
+    })
+
+    const noPasswordBody = JSON.stringify(noPasswordResp.data ?? {})
+
+    await async_test(
+      'No-password login response does not include fname marker',
+      async () => noPasswordBody.includes(MARKER_FNAME) ? 'leaked' : 'safe',
+      { expectedResult: 'safe' }
+    )
+    await async_test(
+      'No-password login response does not include dateOfBirth',
+      async () => noPasswordBody.includes(MARKER_DOB) ? 'leaked' : 'safe',
+      { expectedResult: 'safe' }
+    )
+    await async_test(
+      'No-password login response does not include addressLineOne marker',
+      async () => noPasswordBody.includes(MARKER_ADDRESS) ? 'leaked' : 'safe',
+      { expectedResult: 'safe' }
+    )
+    for (const sensitiveKey of ['hashedPassword', 'assignedTo', 'fields', 'tags', 'insurance', 'customFields']) {
+      await async_test(
+        `No-password login response does not include "${sensitiveKey}" key`,
+        async () => noPasswordBody.includes(`"${sensitiveKey}"`) ? 'leaked' : 'safe',
+        { expectedResult: 'safe' }
+      )
+    }
+    await async_test(
+      'No-password login response info field is absent or empty',
+      async () => {
+        const info = (noPasswordResp.data ?? {}).info
+        if (info === undefined) return 'safe'
+        if (typeof info === 'object' && info !== null && Object.keys(info).length === 0) return 'safe'
+        return 'leaked'
+      },
+      { expectedResult: 'safe' }
+    )
+
+    // All three failure modes (no-password-set, wrong-password, unknown-email)
+    // must return an identical 401 + identical message — no enumeration of
+    // which case actually applies.
+    const wrongPasswordResp = await post_login({
+      email: withPasswordEnduser.email,
+      password: 'WrongPassword!2025',
+      businessId: sdk.userInfo.businessId,
+    })
+    const unknownEmailResp = await post_login({
+      email: `does-not-exist-${ts}@tellescope.com`,
+      password: 'AnyPassword!2025',
+      businessId: sdk.userInfo.businessId,
+    })
+
+    await async_test(
+      'Login returns 401 for no-password account (indistinguishable from wrong password)',
+      async () => `${noPasswordResp.status}:${noPasswordResp.data?.message ?? ''}`,
+      { expectedResult: '401:Login details are invalid' }
+    )
+    await async_test(
+      'Login returns same status for no-password vs wrong-password vs unknown-email',
+      async () => {
+        const statuses = [noPasswordResp.status, wrongPasswordResp.status, unknownEmailResp.status]
+        const allSame = statuses.every(s => s === statuses[0])
+        return allSame ? `same:${statuses[0]}` : `diff:${statuses.join(',')}`
+      },
+      { expectedResult: 'same:401' }
+    )
+    await async_test(
+      'Login returns same message for no-password vs wrong-password vs unknown-email',
+      async () => {
+        const messages = [noPasswordResp.data?.message, wrongPasswordResp.data?.message, unknownEmailResp.data?.message]
+        const allSame = messages.every(m => m === messages[0])
+        return allSame ? 'same' : `diff:${JSON.stringify(messages)}`
+      },
+      { expectedResult: 'same' }
+    )
+
+    // verify_otp invalid-code response must not include enduser fields.
+    const verifyOtpInvalidResp = await axios.post(
+      `${host}/v1/verify-otp-code`,
+      { token: 'not-a-real-token', code: '000000', businessId: sdk.userInfo.businessId },
+      { validateStatus: () => true }
+    )
+    const verifyOtpBody = JSON.stringify(verifyOtpInvalidResp.data ?? {})
+    await async_test(
+      'verify_otp invalid-code response does not include any enduser fields',
+      async () => (
+        verifyOtpBody.includes('"hashedPassword"')
+        || verifyOtpBody.includes('"assignedTo"')
+        || verifyOtpBody.includes(MARKER_FNAME)
+          ? 'leaked' : 'safe'
+      ),
+      { expectedResult: 'safe' }
+    )
+
+    // Regression: admin creating a duplicate enduser (same email) must still
+    // receive the existing record's id in the error info — this is an
+    // authenticated, intentional API-aid pattern via uniquenessError and must
+    // not be regressed by the public-endpoint sanitizer.
+    let duplicateError: any = null
+    try {
+      await sdk.api.endusers.createOne({ email: noPasswordEnduser.email })
+    } catch (err: any) {
+      duplicateError = err
+    }
+    await async_test(
+      'Admin duplicate enduser create rejects with 409 Uniqueness Violation',
+      async () => duplicateError?.message ?? 'no-error',
+      { expectedResult: 'Uniqueness Violation' }
+    )
+    await async_test(
+      'Admin duplicate enduser create returns the existing record id in info',
+      async () => {
+        const info = duplicateError?.info
+        if (!Array.isArray(info) || info.length === 0) return `no-info:${JSON.stringify(info)}`
+        const existing = info[0]?.existingRecord
+        const existingId = existing?._id ?? existing?.id
+        return existingId === noPasswordEnduser.id ? 'matched' : `mismatched:${existingId}`
+      },
+      { expectedResult: 'matched' }
+    )
+  } finally {
+    await Promise.all([
+      sdk.api.endusers.deleteOne(noPasswordEnduser.id).catch(() => null),
+      sdk.api.endusers.deleteOne(withPasswordEnduser.id).catch(() => null),
+    ])
+  }
+}
+
+// Allow running this test file independently
+if (require.main === module) {
+  console.log(`🌐 Using API URL: ${host}`)
+  const sdk = new Session({ host })
+  const sdkNonAdmin = new Session({ host })
+
+  const runTests = async () => {
+    await setup_tests(sdk, sdkNonAdmin)
+    await enduser_login_tests({ sdk, sdkNonAdmin })
+  }
+
+  runTests()
+    .then(() => {
+      console.log("✅ Enduser login test suite completed successfully")
+      process.exit(0)
+    })
+    .catch((error) => {
+      console.error("❌ Enduser login test suite failed:", error)
+      process.exit(1)
+    })
+}

package/src/tests/api_tests/push_forms_to_portal_group_completion.test.ts

@@ -0,0 +1,198 @@
+require('source-map-support').install();
+
+import { Session } from "../../sdk"
+import { log_header, wait, async_test } from "@tellescope/testing"
+import { Enduser } from "@tellescope/types-client"
+import { setup_tests } from "../setup"
+
+const host = process.env.API_URL || "http://localhost:8080"
+
+const pollFor = async <T>(
+  fetchFn: () => Promise<T | undefined>,
+  evaluateFn: (result: T | undefined) => result is T,
+  description: string,
+  intervalMs = 500,
+  maxIterations = 30,
+): Promise<T> => {
+  let lastResult: T | undefined
+  for (let i = 0; i < maxIterations; i++) {
+    await wait(undefined, intervalMs)
+    lastResult = await fetchFn()
+    if (evaluateFn(lastResult)) return lastResult
+  }
+  throw new Error(`Polling timeout: ${description} - waited ${maxIterations * intervalMs}ms`)
+}
+
+export const push_forms_to_portal_group_completion_tests = async ({ sdk, sdkNonAdmin } : { sdk: Session, sdkNonAdmin: Session }) => {
+  log_header("Push Forms To Portal - Form Group Completed Trigger Tests")
+
+  const createdEnduserIds: string[] = []
+  const createdJourneyIds: string[] = []
+  const createdFormIds: string[] = []
+  const createdFormGroupIds: string[] = []
+  const createdTriggerIds: string[] = []
+
+  try {
+    // 1. Create two forms, each with a single text field
+    const formA = await sdk.api.forms.createOne({ title: 'Push To Portal Form A' })
+    createdFormIds.push(formA.id)
+    const fieldA = await sdk.api.form_fields.createOne({
+      formId: formA.id,
+      type: 'string',
+      title: 'FieldA',
+      previousFields: [{ type: 'root', info: {} }],
+    })
+
+    const formB = await sdk.api.forms.createOne({ title: 'Push To Portal Form B' })
+    createdFormIds.push(formB.id)
+    const fieldB = await sdk.api.form_fields.createOne({
+      formId: formB.id,
+      type: 'string',
+      title: 'FieldB',
+      previousFields: [{ type: 'root', info: {} }],
+    })
+
+    // 2. Create a form group containing both forms
+    const formGroup = await sdk.api.form_groups.createOne({
+      title: 'Push To Portal Test Group',
+      formIds: [formA.id, formB.id],
+    })
+    createdFormGroupIds.push(formGroup.id)
+
+    // 3. Configure trigger with event.info.groupId = the real formGroupId
+    const trigger = await sdk.api.automation_triggers.createOne({
+      event: { type: 'Form Group Completed', info: { groupId: formGroup.id } },
+      action: { type: 'Add Tags', info: { tags: ['form-group-completed-push'] } },
+      status: 'Active',
+      title: 'Form Group Completed - Push to Portal',
+    })
+    createdTriggerIds.push(trigger.id)
+
+    // 4. Create journey with a pushFormsToPortal step referencing the form group
+    const journey = await sdk.api.journeys.createOne({
+      title: 'Push To Portal Trigger Journey',
+    })
+    createdJourneyIds.push(journey.id)
+
+    const pushStep = await sdk.api.automation_steps.createOne({
+      journeyId: journey.id,
+      action: { type: 'pushFormsToPortal', info: { formGroupIds: [formGroup.id] } },
+      events: [{ type: 'onJourneyStart', info: {} }],
+    })
+
+    // 5. Create enduser and add to journey
+    const enduser = await sdk.api.endusers.createOne({ fname: 'PushPortal', lname: 'Tester' })
+    createdEnduserIds.push(enduser.id)
+
+    await sdk.api.endusers.add_to_journey({
+      enduserIds: [enduser.id],
+      journeyId: journey.id,
+    })
+
+    // 6. Poll for the worker to create the push-to-portal form_responses
+    const pushedResponses = await pollFor(
+      async () => {
+        const responses = await sdk.api.form_responses.getSome({
+          filter: { enduserId: enduser.id },
+        })
+        const pushed = responses.filter(r => !!r.pushedToPortalAt)
+        return pushed.length >= 2 ? pushed : undefined
+      },
+      (result): result is any[] => Array.isArray(result) && result.length >= 2,
+      'pushed-to-portal form_responses to be created by worker',
+      500,
+      40,
+    )
+
+    // 7. Assert worker behavior: groupId === automationStepId and pushedToPortalAt is set
+    for (const fr of pushedResponses) {
+      if (!fr.pushedToPortalAt) {
+        throw new Error(`Expected pushedToPortalAt to be set on form_response ${fr.id}`)
+      }
+      if (fr.groupId !== pushStep.id) {
+        throw new Error(`Expected form_response.groupId (${fr.groupId}) to equal automation step id (${pushStep.id})`)
+      }
+      if (fr.automationStepId !== pushStep.id) {
+        throw new Error(`Expected form_response.automationStepId (${fr.automationStepId}) to equal automation step id (${pushStep.id})`)
+      }
+    }
+
+    await async_test(
+      "Worker writes groupId === automationStepId and pushedToPortalAt set",
+      async () => true,
+      { onResult: r => r === true },
+    )
+
+    // 8. Submit every form_response on behalf of the enduser
+    // Identify which form_response corresponds to formA / formB via formId
+    for (const fr of pushedResponses) {
+      const isFormA = fr.formId === formA.id
+      const targetFieldId = isFormA ? fieldA.id : fieldB.id
+      const targetFieldTitle = isFormA ? 'FieldA' : 'FieldB'
+      await sdk.api.form_responses.submit_form_response({
+        accessCode: fr.accessCode as string,
+        responses: [{
+          fieldId: targetFieldId,
+          fieldTitle: targetFieldTitle,
+          answer: { type: 'string', value: 'pushed-portal-answer' },
+        }],
+      })
+    }
+
+    // 9. Poll for the trigger's side-effect (tag on enduser)
+    await pollFor(
+      async () => {
+        const e = await sdk.api.endusers.getOne(enduser.id)
+        return e.tags?.includes('form-group-completed-push') ? e : undefined
+      },
+      (result): result is Enduser => !!result,
+      'Form Group Completed trigger to apply tag after push-to-portal submissions',
+      500,
+      30,
+    )
+
+    await async_test(
+      "Form Group Completed trigger fires for push-to-portal completion",
+      () => sdk.api.endusers.getOne(enduser.id),
+      { onResult: (e: Enduser) => !!e.tags?.includes('form-group-completed-push') },
+    )
+
+  } finally {
+    for (const id of createdTriggerIds) {
+      try { await sdk.api.automation_triggers.deleteOne(id) } catch (e) { /* ignore */ }
+    }
+    for (const id of createdEnduserIds) {
+      try { await sdk.api.endusers.deleteOne(id) } catch (e) { /* ignore */ }
+    }
+    for (const id of createdJourneyIds) {
+      try { await sdk.api.journeys.deleteOne(id) } catch (e) { /* ignore */ }
+    }
+    for (const id of createdFormGroupIds) {
+      try { await sdk.api.form_groups.deleteOne(id) } catch (e) { /* ignore */ }
+    }
+    for (const id of createdFormIds) {
+      try { await sdk.api.forms.deleteOne(id) } catch (e) { /* ignore */ }
+    }
+  }
+}
+
+if (require.main === module) {
+  console.log(`🌐 Using API URL: ${host}`)
+  const sdk = new Session({ host })
+  const sdkNonAdmin = new Session({ host })
+
+  const runTests = async () => {
+    await setup_tests(sdk, sdkNonAdmin)
+    await push_forms_to_portal_group_completion_tests({ sdk, sdkNonAdmin })
+  }
+
+  runTests()
+    .then(() => {
+      console.log("✅ Push forms to portal group completion test suite completed successfully")
+      process.exit(0)
+    })
+    .catch((error) => {
+      console.error("❌ Push forms to portal group completion test suite failed:", error)
+      process.exit(1)
+    })
+}

package/src/tests/api_tests/set_fields_order_templates.test.ts

@@ -0,0 +1,258 @@
+require('source-map-support').install();
+
+import { Session } from "../../sdk"
+import {
+  assert,
+  async_test,
+  log_header,
+  wait,
+} from "@tellescope/testing"
+import { setup_tests } from "../setup"
+
+const host = process.env.API_URL || 'http://localhost:8080' as const
+
+const TRIGGER_TITLE_BLOCK_A = "Order Templates: Block A"
+const TRIGGER_TITLE_BLOCK_B = "Order Templates: Block B"
+
+const buildSetFieldsAction = (prefix: string) => ({
+  type: 'Set Fields' as const,
+  info: {
+    fields: [
+      { name: `${prefix}_status`,     value: '{{order.status}}',     type: 'Custom Value' as const },
+      { name: `${prefix}_tracking`,   value: '{{order.tracking}}',   type: 'Custom Value' as const },
+      { name: `${prefix}_carrier`,    value: '{{order.carrier}}',    type: 'Custom Value' as const },
+      { name: `${prefix}_sku`,        value: '{{order.sku}}',        type: 'Custom Value' as const },
+      { name: `${prefix}_externalId`, value: '{{order.externalId}}', type: 'Custom Value' as const },
+      { name: `${prefix}_id`,         value: '{{order.id}}',         type: 'Custom Value' as const },
+      { name: `${prefix}_protocol`,   value: '{{order.protocol}}',   type: 'Custom Value' as const },
+    ],
+  },
+})
+
+// Block A: Direct EnduserOrder creation path
+const direct_order_creation_block = async ({ sdk }: { sdk: Session }) => {
+  log_header("Block A: Direct EnduserOrder creation -> {{order.*}} in Set Fields")
+
+  const enduser = await sdk.api.endusers.createOne({})
+  const trigger = await sdk.api.automation_triggers.createOne({
+    title: TRIGGER_TITLE_BLOCK_A,
+    status: 'Active',
+    event: { type: 'Order Status Equals', info: { source: 'Beluga', status: 'Shipped' } },
+    action: buildSetFieldsAction('pharmacy'),
+  })
+
+  let createdOrderId: string | undefined
+  let nonMatchingOrderId: string | undefined
+
+  try {
+    const order = await sdk.api.enduser_orders.createOne({
+      enduserId: enduser.id,
+      source: 'Beluga',
+      status: 'Shipped',
+      title: 'Beluga Pharmacy Order',
+      externalId: 'EXT-A-123',
+      tracking: '1Z-AAA',
+      carrier: 'UPS',
+      sku: 'SKU-A',
+      protocol: 'wl1',
+    })
+    createdOrderId = order.id
+
+    await wait(undefined, 250) // allow trigger + Set Fields to run
+
+    await async_test(
+      "Block A: {{order.*}} templates resolve to literal values",
+      () => sdk.api.endusers.getOne(enduser.id),
+      { onResult: e => !!(
+           e.fields?.pharmacy_status === 'Shipped'
+        && e.fields?.pharmacy_tracking === '1Z-AAA'
+        && e.fields?.pharmacy_carrier === 'UPS'
+        && e.fields?.pharmacy_sku === 'SKU-A'
+        && e.fields?.pharmacy_externalId === 'EXT-A-123'
+        && e.fields?.pharmacy_protocol === 'wl1'
+        && typeof e.fields?.pharmacy_id === 'string'
+        && (e.fields?.pharmacy_id as string).length > 0
+        && (e.fields?.pharmacy_id as string) === order.id
+      )}
+    )
+
+    // Negative case: status that doesn't match the trigger should NOT alter fields
+    const beforeNonMatch = await sdk.api.endusers.getOne(enduser.id)
+    const snapshot = {
+      pharmacy_status: beforeNonMatch.fields?.pharmacy_status,
+      pharmacy_tracking: beforeNonMatch.fields?.pharmacy_tracking,
+      pharmacy_carrier: beforeNonMatch.fields?.pharmacy_carrier,
+      pharmacy_sku: beforeNonMatch.fields?.pharmacy_sku,
+      pharmacy_externalId: beforeNonMatch.fields?.pharmacy_externalId,
+      pharmacy_id: beforeNonMatch.fields?.pharmacy_id,
+      pharmacy_protocol: beforeNonMatch.fields?.pharmacy_protocol,
+    }
+
+    const nonMatching = await sdk.api.enduser_orders.createOne({
+      enduserId: enduser.id,
+      source: 'Beluga',
+      status: 'In Fulfillment', // does NOT match the trigger
+      title: 'Beluga Pharmacy Order (other status)',
+      externalId: 'EXT-A-NOMATCH',
+      tracking: 'NOPE',
+      carrier: 'NoCarrier',
+      sku: 'SKU-NOPE',
+      protocol: 'nope',
+    })
+    nonMatchingOrderId = nonMatching.id
+
+    await wait(undefined, 250)
+
+    await async_test(
+      "Block A: non-matching status leaves fields unchanged",
+      () => sdk.api.endusers.getOne(enduser.id),
+      { onResult: e => !!(
+           e.fields?.pharmacy_status === snapshot.pharmacy_status
+        && e.fields?.pharmacy_tracking === snapshot.pharmacy_tracking
+        && e.fields?.pharmacy_carrier === snapshot.pharmacy_carrier
+        && e.fields?.pharmacy_sku === snapshot.pharmacy_sku
+        && e.fields?.pharmacy_externalId === snapshot.pharmacy_externalId
+        && e.fields?.pharmacy_id === snapshot.pharmacy_id
+        && e.fields?.pharmacy_protocol === snapshot.pharmacy_protocol
+      )}
+    )
+  } finally {
+    if (createdOrderId) await sdk.api.enduser_orders.deleteOne(createdOrderId).catch(console.error)
+    if (nonMatchingOrderId) await sdk.api.enduser_orders.deleteOne(nonMatchingOrderId).catch(console.error)
+    await sdk.api.automation_triggers.deleteOne(trigger.id).catch(console.error)
+    await sdk.api.endusers.deleteOne(enduser.id).catch(console.error)
+  }
+}
+
+// Block B: Beluga webhook integration path
+const beluga_webhook_block = async ({ sdk }: { sdk: Session }) => {
+  log_header("Block B: Beluga webhook -> {{order.*}} in Set Fields")
+
+  const webhookUrl = `${host}/v1/webhooks/beluga`
+  const externalOrderId = `EXT-B-${Date.now()}`
+
+  const enduser = await sdk.api.endusers.createOne({})
+  const form = await sdk.api.forms.createOne({ title: 'Order Templates Beluga Form' })
+  const formResponse = await sdk.api.form_responses.createOne({
+    formId: form.id,
+    enduserId: enduser.id,
+    formTitle: form.title,
+  })
+
+  const trigger = await sdk.api.automation_triggers.createOne({
+    title: TRIGGER_TITLE_BLOCK_B,
+    status: 'Active',
+    event: { type: 'Order Status Equals', info: { source: 'Beluga', status: 'Shipped' } },
+    action: buildSetFieldsAction('pharmacy'),
+  })
+
+  const deliveredTrigger = await sdk.api.automation_triggers.createOne({
+    title: `${TRIGGER_TITLE_BLOCK_B} (Delivered)`,
+    status: 'Active',
+    event: { type: 'Order Status Equals', info: { source: 'Beluga', status: 'Delivered' } },
+    action: buildSetFieldsAction('pharmacy'),
+  })
+
+  try {
+    // Step 1: PHARMACY_ORDER_SHIPPED
+    const shippedRes = await fetch(webhookUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        masterId: `tellescope_${formResponse.id}`,
+        event: 'PHARMACY_ORDER_SHIPPED',
+        orderId: externalOrderId,
+        info: { carrier: 'FedEx', tracking: '7777-BBB' },
+      }),
+    })
+    assert(shippedRes.status === 200, `Beluga webhook (shipped) expected 200, got ${shippedRes.status}`)
+
+    await wait(undefined, 250) // webhook upsert + trigger + Set Fields
+
+    await async_test(
+      "Block B: Beluga PHARMACY_ORDER_SHIPPED resolves {{order.*}} into enduser fields",
+      () => sdk.api.endusers.getOne(enduser.id),
+      { onResult: e => !!(
+           e.fields?.pharmacy_status === 'Shipped'
+        && e.fields?.pharmacy_tracking === '7777-BBB'
+        && e.fields?.pharmacy_carrier === 'FedEx'
+        && e.fields?.pharmacy_externalId === externalOrderId
+        && typeof e.fields?.pharmacy_id === 'string'
+        && (e.fields?.pharmacy_id as string).length > 0
+        // Webhook does not set sku/protocol -> default branch in helper -> ''
+        && e.fields?.pharmacy_sku === ''
+        && e.fields?.pharmacy_protocol === ''
+      )}
+    )
+
+    // Step 2: PHARMACY_ORDER_DELIVERED for the same order
+    const deliveredRes = await fetch(webhookUrl, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({
+        masterId: `tellescope_${formResponse.id}`,
+        event: 'PHARMACY_ORDER_DELIVERED',
+        orderId: externalOrderId,
+      }),
+    })
+    assert(deliveredRes.status === 200, `Beluga webhook (delivered) expected 200, got ${deliveredRes.status}`)
+
+    await wait(undefined, 250)
+
+    await async_test(
+      "Block B: PHARMACY_ORDER_DELIVERED flips pharmacy_status to 'Delivered'",
+      () => sdk.api.endusers.getOne(enduser.id),
+      { onResult: e => !!(
+           e.fields?.pharmacy_status === 'Delivered'
+        && e.fields?.pharmacy_externalId === externalOrderId
+      )}
+    )
+  } finally {
+    // Clean up the order created by the webhook
+    try {
+      const orders = await sdk.api.enduser_orders.getSome({
+        filter: { source: 'Beluga', externalId: externalOrderId } as any,
+      })
+      for (const o of orders) {
+        await sdk.api.enduser_orders.deleteOne(o.id).catch(console.error)
+      }
+    } catch (err) {
+      console.error(err)
+    }
+
+    await sdk.api.automation_triggers.deleteOne(trigger.id).catch(console.error)
+    await sdk.api.automation_triggers.deleteOne(deliveredTrigger.id).catch(console.error)
+    await sdk.api.form_responses.deleteOne(formResponse.id).catch(console.error)
+    await sdk.api.forms.deleteOne(form.id).catch(console.error)
+    await sdk.api.endusers.deleteOne(enduser.id).catch(console.error)
+  }
+}
+
+export const set_fields_order_templates_tests = async (
+  { sdk, sdkNonAdmin }: { sdk: Session, sdkNonAdmin: Session }
+) => {
+  log_header("Set Fields: {{order.*}} template resolution")
+  await direct_order_creation_block({ sdk })
+  await beluga_webhook_block({ sdk })
+}
+
+if (require.main === module) {
+  console.log(`Using API URL: ${host}`)
+  const sdk = new Session({ host })
+  const sdkNonAdmin = new Session({ host })
+
+  const runTests = async () => {
+    await setup_tests(sdk, sdkNonAdmin)
+    await set_fields_order_templates_tests({ sdk, sdkNonAdmin })
+  }
+
+  runTests()
+    .then(() => {
+      console.log("set_fields_order_templates test suite completed successfully")
+      process.exit(0)
+    })
+    .catch((error) => {
+      console.error("set_fields_order_templates test suite failed:", error)
+      process.exit(1)
+    })
+}

package/src/tests/setup.ts

@@ -37,9 +37,16 @@ export const setup_tests = async (sdk: Session, sdkNonAdmin: Session) => {
   // Authenticate the SDKs first
   await sdk.authenticate(email, password)
   await sdkNonAdmin.authenticate(nonAdminEmail, nonAdminPassword)
-  
+
   await async_test('test_authenticated', sdk.test_authenticated, { expectedResult: 'Authenticated!' })
 
+  // Defensive: clear residual OTP gating from a previously-aborted run of
+  // enduser_session_invalidation_tests, which would otherwise cause enduser
+  // tokens minted in subsequent tests to be rejected as Unauthenticated.
+  await sdk.api.organizations.updateOne(sdk.userInfo.businessId, {
+    portalSettings: { authentication: { requireOTP: false, requireOTPAfterPassword: false } },
+  }, { replaceObjectFields: true })
+
   await async_test(
     'test_authenticated (with API Key)', 
     (new Session({ host, apiKey: '3n5q0SCBT_iUvZz-b9BJtX7o7HQUVJ9v132PgHJNJsg.' /* local test key */  })).test_authenticated,