npm - @tellescope/sdk - Versions diffs - 1.251.0 → 1.252.0 - Mend

@tellescope/sdk 1.251.0 → 1.252.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (89) hide show

package/lib/cjs/tests/api_tests/security/F-0001-data-sync-redaction-bypass.test.js ADDED Viewed

@@ -0,0 +1,349 @@
+"use strict";
+var __assign = (this && this.__assign) || function () {
+    __assign = Object.assign || function(t) {
+        for (var s, i = 1, n = arguments.length; i < n; i++) {
+            s = arguments[i];
+            for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
+                t[p] = s[p];
+        }
+        return t;
+    };
+    return __assign.apply(this, arguments);
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.data_sync_redaction_bypass_tests = void 0;
+require('source-map-support').install();
+var sdk_1 = require("../../../sdk");
+var testing_1 = require("@tellescope/testing");
+var setup_1 = require("../../setup");
+var constants_1 = require("@tellescope/constants");
+var host = process.env.API_URL || 'http://localhost:8080';
+var _a = [process.env.NON_ADMIN_EMAIL, process.env.NON_ADMIN_PASSWORD], nonAdminEmail = _a[0], nonAdminPassword = _a[1];
+var FULL_ACCESS = { create: 'All', read: 'All', update: 'All', delete: 'All' };
+// Schema fields tagged `redactions: ['all']` that must never appear in
+// `/v1/data-sync` results. See packages/public/schema/src/schema.ts.
+var REDACTABLE_FIELDS_BY_MODEL = {
+    users: ['hashedPass', 'hashedInviteCode'],
+    endusers: ['hashedPassword'],
+};
+var collectViolations = function (results) {
+    var violations = [];
+    for (var _i = 0, results_1 = results; _i < results_1.length; _i++) {
+        var record = results_1[_i];
+        if (!record.data || record.data === 'deleted')
+            continue;
+        var fields = REDACTABLE_FIELDS_BY_MODEL[record.modelName];
+        if (!fields)
+            continue;
+        var parsed = void 0;
+        try {
+            parsed = JSON.parse(record.data);
+        }
+        catch (_a) {
+            continue;
+        }
+        for (var _b = 0, fields_1 = fields; _b < fields_1.length; _b++) {
+            var f = fields_1[_b];
+            if (f in parsed && parsed[f] !== undefined && parsed[f] !== null && parsed[f] !== '') {
+                violations.push({ modelName: record.modelName, recordId: record.recordId, leakedField: f });
+            }
+        }
+    }
+    return violations;
+};
+/**
+ * Regression test for F-0001 (security-audit/findings/F-0001-data-sync-bypasses-applyRedactions.md).
+ *
+ * The /v1/data-sync handler must apply the central applyRedactions() pipeline to
+ * every non-deleted record. The original bug: redactions were gated behind
+ *   `if (session.fieldRedactions && session.fieldRedactions[record.modelName])`
+ * which meant any session without role-based field redactions (including all
+ * admins) received raw records — leaking schema-level `redactions: ['all']`
+ * fields (hashedPass, hashedPassword, hashedInviteCode).
+ *
+ * This test:
+ *   1. Configures a non-admin user with broad read access on users + endusers
+ *      and NO fieldRedactions — the realistic "regular user with read access"
+ *      condition that triggers the bypass.
+ *   2. Creates an enduser with a password to populate the sync stream.
+ *   3. Calls /v1/data-sync as the non-admin.
+ *   4. Asserts no returned record contains hashedPass / hashedPassword /
+ *      hashedInviteCode.
+ *
+ * Pre-fix: assertion fails with leaked records.
+ * Post-fix: assertion passes.
+ */
+var data_sync_redaction_bypass_tests = function (_a) {
+    var sdk = _a.sdk, sdkNonAdmin = _a.sdkNonAdmin;
+    return __awaiter(void 0, void 0, void 0, function () {
+        var roleName, testEnduserId, rbapId, originalRoles, rbap, testEnduser, sync_1, violations_1, userRecordsInStream_1, adminSync, adminViolations_1, otherUsersInStream_2, linkedAccountLeaks_1, _i, otherUsersInStream_1, record, parsed, _b, _c, _d, _e;
+        return __generator(this, function (_f) {
+            switch (_f.label) {
+                case 0:
+                    (0, testing_1.log_header)("F-0001: /v1/data-sync field-redaction bypass regression");
+                    roleName = "f0001-data-sync-bypass-".concat(Date.now());
+                    originalRoles = sdkNonAdmin.userInfo.roles;
+                    _f.label = 1;
+                case 1:
+                    _f.trys.push([1, , 15, 32]);
+                    return [4 /*yield*/, sdk.api.role_based_access_permissions.createOne({
+                            role: roleName,
+                            permissions: __assign(__assign({}, constants_1.PROVIDER_PERMISSIONS), { users: FULL_ACCESS, endusers: FULL_ACCESS }),
+                            // intentionally NO fieldRedactions — this is the exploit condition.
+                        })];
+                case 2:
+                    rbap = _f.sent();
+                    rbapId = rbap.id;
+                    // 2. Assign role to the non-admin user and re-authenticate so the new
+                    //    session reflects the role's permissions.
+                    return [4 /*yield*/, sdk.api.users.updateOne(sdkNonAdmin.userInfo.id, { roles: [roleName] }, { replaceObjectFields: true })];
+                case 3:
+                    // 2. Assign role to the non-admin user and re-authenticate so the new
+                    //    session reflects the role's permissions.
+                    _f.sent();
+                    return [4 /*yield*/, (0, testing_1.wait)(undefined, 1500)];
+                case 4:
+                    _f.sent();
+                    return [4 /*yield*/, sdkNonAdmin.authenticate(nonAdminEmail, nonAdminPassword)
+                        // 3. Create a test enduser and set a password — this populates
+                        //    `hashedPassword` on the enduser record and writes a data_sync_records
+                        //    row for it.
+                    ];
+                case 5:
+                    _f.sent();
+                    return [4 /*yield*/, sdk.api.endusers.createOne({
+                            fname: 'F0001Target',
+                            lname: 'Patient',
+                            email: "f0001-target-".concat(Date.now(), "@example.com"),
+                        })];
+                case 6:
+                    testEnduser = _f.sent();
+                    testEnduserId = testEnduser.id;
+                    return [4 /*yield*/, sdk.api.endusers.set_password({ id: testEnduser.id, password: 'F0001TestPassword!123' })
+                        // The non-admin user's own `hashedPass` is set from login and refreshed
+                        // on every write to their user record (e.g., the role-assignment update
+                        // above). No extra setup needed for users.hashedPass to be in the stream.
+                    ];
+                case 7:
+                    _f.sent();
+                    // The non-admin user's own `hashedPass` is set from login and refreshed
+                    // on every write to their user record (e.g., the role-assignment update
+                    // above). No extra setup needed for users.hashedPass to be in the stream.
+                    return [4 /*yield*/, (0, testing_1.wait)(undefined, 500)
+                        // 4. As the non-admin, call /v1/data-sync from epoch zero to capture all
+                        //    sync records the role can see.
+                    ];
+                case 8:
+                    // The non-admin user's own `hashedPass` is set from login and refreshed
+                    // on every write to their user record (e.g., the role-assignment update
+                    // above). No extra setup needed for users.hashedPass to be in the stream.
+                    _f.sent();
+                    return [4 /*yield*/, sdkNonAdmin.sync({ from: new Date(0) })
+                        // 5. Walk every record. Fail if any contains a `redactions: ['all']` field.
+                    ];
+                case 9:
+                    sync_1 = _f.sent();
+                    violations_1 = collectViolations(sync_1.results);
+                    userRecordsInStream_1 = sync_1.results.filter(function (r) { return r.modelName === 'users'; }).length;
+                    return [4 /*yield*/, (0, testing_1.async_test)("F-0001 guard: /v1/data-sync sync stream contains at least one user record", function () { return __awaiter(void 0, void 0, void 0, function () { return __generator(this, function (_a) {
+                            return [2 /*return*/, ({ userRecords: userRecordsInStream_1, totalRecords: sync_1.results.length })];
+                        }); }); }, { onResult: function (r) { return r.userRecords >= 1; } })];
+                case 10:
+                    _f.sent();
+                    return [4 /*yield*/, (0, testing_1.async_test)("F-0001: /v1/data-sync must NOT return hashedPass / hashedPassword / hashedInviteCode (see security-audit/findings/F-0001)", function () { return __awaiter(void 0, void 0, void 0, function () {
+                            return __generator(this, function (_a) {
+                                return [2 /*return*/, ({
+                                        violationCount: violations_1.length,
+                                        violations: violations_1.slice(0, 10),
+                                        affectedModels: Array.from(new Set(violations_1.map(function (v) { return v.modelName; }))),
+                                        affectedFields: Array.from(new Set(violations_1.map(function (v) { return v.leakedField; }))),
+                                    })];
+                            });
+                        }); }, { onResult: function (r) { return r.violationCount === 0; } })
+                        // ========================================================================
+                        // Additional coverage for applyRedactions code paths reachable via /v1/data-sync.
+                        // Each of these is a distinct branch in applyRedactions (routing.ts:1165-1238)
+                        // and could regress independently of the F-0001 fix.
+                        // ========================================================================
+                        // Case A: schema-level `redactions: ['all']` must apply to ADMIN sessions too.
+                        // Admins have no session.fieldRedactions, but `redactions: ['all']` is universal.
+                        // Pre-fix: admin saw hashedPass via data-sync because applyRedactions was skipped entirely.
+                        // Post-fix: applyRedactions always runs and `redactions: ['all']` strips for everyone.
+                    ];
+                case 11:
+                    _f.sent();
+                    return [4 /*yield*/, sdk.sync({ from: new Date(0) })];
+                case 12:
+                    adminSync = _f.sent();
+                    adminViolations_1 = collectViolations(adminSync.results);
+                    return [4 /*yield*/, (0, testing_1.async_test)("F-0001 coverage A: admin /v1/data-sync also strips redactions:['all'] fields (hashedPass etc.)", function () { return __awaiter(void 0, void 0, void 0, function () {
+                            return __generator(this, function (_a) {
+                                return [2 /*return*/, ({
+                                        violationCount: adminViolations_1.length,
+                                        violations: adminViolations_1.slice(0, 10),
+                                    })];
+                            });
+                        }); }, { onResult: function (r) { return r.violationCount === 0; } })
+                        // Case B: `linkedAccountAccess` on users must be stripped when the caller is NOT
+                        // the record's owner. This is a separate branch in applyRedactions (routing.ts:1220-1225)
+                        // and protects against cross-user enumeration of who-requested-access-to-whom.
+                        // The non-admin user reads other user records via data-sync; if any of those
+                        // records have linkedAccountAccess set, it must be stripped on read.
+                    ];
+                case 13:
+                    _f.sent();
+                    otherUsersInStream_2 = sync_1.results.filter(function (r) { return r.modelName === 'users' && r.recordId !== sdkNonAdmin.userInfo.id; });
+                    linkedAccountLeaks_1 = [];
+                    for (_i = 0, otherUsersInStream_1 = otherUsersInStream_2; _i < otherUsersInStream_1.length; _i++) {
+                        record = otherUsersInStream_1[_i];
+                        if (!record.data || record.data === 'deleted')
+                            continue;
+                        try {
+                            parsed = JSON.parse(record.data);
+                            if ('linkedAccountAccess' in parsed && parsed.linkedAccountAccess !== undefined) {
+                                linkedAccountLeaks_1.push({ recordId: record.recordId });
+                            }
+                        }
+                        catch (_g) { }
+                    }
+                    return [4 /*yield*/, (0, testing_1.async_test)("F-0001 coverage B: /v1/data-sync strips linkedAccountAccess from other users' records", function () { return __awaiter(void 0, void 0, void 0, function () {
+                            return __generator(this, function (_a) {
+                                return [2 /*return*/, ({
+                                        otherUserRecords: otherUsersInStream_2.length,
+                                        leakCount: linkedAccountLeaks_1.length,
+                                        leaks: linkedAccountLeaks_1.slice(0, 5),
+                                    })];
+                            });
+                        }); }, { onResult: function (r) { return r.leakCount === 0; } })];
+                case 14:
+                    _f.sent();
+                    return [3 /*break*/, 32];
+                case 15:
+                    _f.trys.push([15, 17, , 18]);
+                    return [4 /*yield*/, sdk.api.users.updateOne(sdkNonAdmin.userInfo.id, { roles: originalRoles !== null && originalRoles !== void 0 ? originalRoles : [] }, { replaceObjectFields: true })];
+                case 16:
+                    _f.sent();
+                    return [3 /*break*/, 18];
+                case 17:
+                    _b = _f.sent();
+                    return [3 /*break*/, 18];
+                case 18:
+                    if (!rbapId) return [3 /*break*/, 22];
+                    _f.label = 19;
+                case 19:
+                    _f.trys.push([19, 21, , 22]);
+                    return [4 /*yield*/, sdk.api.role_based_access_permissions.deleteOne(rbapId)];
+                case 20:
+                    _f.sent();
+                    return [3 /*break*/, 22];
+                case 21:
+                    _c = _f.sent();
+                    return [3 /*break*/, 22];
+                case 22:
+                    if (!testEnduserId) return [3 /*break*/, 26];
+                    _f.label = 23;
+                case 23:
+                    _f.trys.push([23, 25, , 26]);
+                    return [4 /*yield*/, sdk.api.endusers.deleteOne(testEnduserId)];
+                case 24:
+                    _f.sent();
+                    return [3 /*break*/, 26];
+                case 25:
+                    _d = _f.sent();
+                    return [3 /*break*/, 26];
+                case 26:
+                // Re-authenticate the non-admin to drop the exploit role from their JWT
+                // before subsequent tests run.
+                // Role restore above re-triggers deauthenticate_user; wait > 1s so the freshly minted
+                // token's (second-floored) iat lands after the deauth timestamp and isn't permanently
+                // rejected by is_logged_in's iat-slack check. Matches the in-test re-auth above.
+                return [4 /*yield*/, (0, testing_1.wait)(undefined, 1500)];
+                case 27:
+                    // Re-authenticate the non-admin to drop the exploit role from their JWT
+                    // before subsequent tests run.
+                    // Role restore above re-triggers deauthenticate_user; wait > 1s so the freshly minted
+                    // token's (second-floored) iat lands after the deauth timestamp and isn't permanently
+                    // rejected by is_logged_in's iat-slack check. Matches the in-test re-auth above.
+                    _f.sent();
+                    _f.label = 28;
+                case 28:
+                    _f.trys.push([28, 30, , 31]);
+                    return [4 /*yield*/, sdkNonAdmin.authenticate(nonAdminEmail, nonAdminPassword)];
+                case 29:
+                    _f.sent();
+                    return [3 /*break*/, 31];
+                case 30:
+                    _e = _f.sent();
+                    return [3 /*break*/, 31];
+                case 31: return [7 /*endfinally*/];
+                case 32: return [2 /*return*/];
+            }
+        });
+    });
+};
+exports.data_sync_redaction_bypass_tests = data_sync_redaction_bypass_tests;
+// Allow running this test file independently
+if (require.main === module) {
+    console.log("\uD83C\uDF10 Using API URL: ".concat(host));
+    var sdk_2 = new sdk_1.Session({ host: host });
+    var sdkNonAdmin_1 = new sdk_1.Session({ host: host });
+    var runTests = function () { return __awaiter(void 0, void 0, void 0, function () {
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, setup_1.setup_tests)(sdk_2, sdkNonAdmin_1)];
+                case 1:
+                    _a.sent();
+                    return [4 /*yield*/, (0, exports.data_sync_redaction_bypass_tests)({ sdk: sdk_2, sdkNonAdmin: sdkNonAdmin_1 })];
+                case 2:
+                    _a.sent();
+                    return [2 /*return*/];
+            }
+        });
+    }); };
+    runTests()
+        .then(function () {
+        console.log("✅ F-0001 data-sync redaction-bypass test suite completed successfully");
+        process.exit(0);
+    })
+        .catch(function (error) {
+        console.error("❌ F-0001 data-sync redaction-bypass test suite failed:", error);
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=F-0001-data-sync-redaction-bypass.test.js.map

package/lib/cjs/tests/api_tests/security/F-0001-data-sync-redaction-bypass.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"F-0001-data-sync-redaction-bypass.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0001-data-sync-redaction-bypass.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAO,CAAC,oBAAoB,CAAC,CAAC,OAAO,EAAE,CAAC;AAExC,oCAAsC;AACtC,+CAI4B;AAC5B,qCAAyC;AACzC,mDAA4D;AAE5D,IAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,uBAAgC,CAAA;AAC9D,IAAA,KAAoC,CAAC,OAAO,CAAC,GAAG,CAAC,eAAe,EAAE,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC,EAAhG,aAAa,QAAA,EAAE,gBAAgB,QAAiE,CAAA;AAEvG,IAAM,WAAW,GAAG,EAAE,MAAM,EAAE,KAAc,EAAE,IAAI,EAAE,KAAc,EAAE,MAAM,EAAE,KAAc,EAAE,MAAM,EAAE,KAAc,EAAE,CAAA;AAEpH,uEAAuE;AACvE,qEAAqE;AACrE,IAAM,0BAA0B,GAA6B;IAC3D,KAAK,EAAK,CAAC,YAAY,EAAE,kBAAkB,CAAC;IAC5C,QAAQ,EAAE,CAAC,gBAAgB,CAAC;CAC7B,CAAA;AAID,IAAM,iBAAiB,GAAG,UAAC,OAAgE;IACzF,IAAM,UAAU,GAAgB,EAAE,CAAA;IAClC,KAAqB,UAAO,EAAP,mBAAO,EAAP,qBAAO,EAAP,IAAO,EAAE;QAAzB,IAAM,MAAM,gBAAA;QACf,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS;YAAE,SAAQ;QACvD,IAAM,MAAM,GAAG,0BAA0B,CAAC,MAAM,CAAC,SAAS,CAAC,CAAA;QAC3D,IAAI,CAAC,MAAM;YAAE,SAAQ;QACrB,IAAI,MAAM,SAAK,CAAA;QACf,IAAI;YAAE,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;SAAE;QAAC,WAAM;YAAE,SAAQ;SAAE;QAC3D,KAAgB,UAAM,EAAN,iBAAM,EAAN,oBAAM,EAAN,IAAM,EAAE;YAAnB,IAAM,CAAC,eAAA;YACV,IAAI,CAAC,IAAI,MAAM,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,SAAS,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,IAAI,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE;gBACpF,UAAU,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,WAAW,EAAE,CAAC,EAAE,CAAC,CAAA;aAC5F;SACF;KACF;IACD,OAAO,UAAU,CAAA;AACnB,CAAC,CAAA;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACI,IAAM,gCAAgC,GAAG,UAAO,EAA6D;QAA3D,GAAG,SAAA,EAAE,WAAW,iBAAA;;;;;;oBACvE,IAAA,oBAAU,EAAC,yDAAyD,CAAC,CAAA;oBAE/D,QAAQ,GAAG,iCAA0B,IAAI,CAAC,GAAG,EAAE,CAAE,CAAA;oBAGjD,aAAa,GAAG,WAAW,CAAC,QAAQ,CAAC,KAAK,CAAA;;;;oBAMjC,qBAAM,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,SAAS,CAAC;4BACjE,IAAI,EAAE,QAAQ;4BACd,WAAW,wBACN,gCAAoB,KACvB,KAAK,EAAE,WAAW,EAClB,QAAQ,EAAE,WAAW,GACtB;4BACD,oEAAoE;yBACrE,CAAC,EAAA;;oBARI,IAAI,GAAG,SAQX;oBACF,MAAM,GAAG,IAAI,CAAC,EAAE,CAAA;oBAEhB,sEAAsE;oBACtE,8CAA8C;oBAC9C,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAC3B,WAAW,CAAC,QAAQ,CAAC,EAAE,EACvB,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,EACrB,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAC9B,EAAA;;oBAND,sEAAsE;oBACtE,8CAA8C;oBAC9C,SAIC,CAAA;oBACD,qBAAM,IAAA,cAAI,EAAC,SAAS,EAAE,IAAI,CAAC,EAAA;;oBAA3B,SAA2B,CAAA;oBAC3B,qBAAM,WAAW,CAAC,YAAY,CAAC,aAAc,EAAE,gBAAiB,CAAC;wBAEjE,+DAA+D;wBAC/D,2EAA2E;wBAC3E,iBAAiB;sBAJgD;;oBAAjE,SAAiE,CAAA;oBAK7C,qBAAM,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC;4BACnD,KAAK,EAAE,aAAa;4BACpB,KAAK,EAAE,SAAS;4BAChB,KAAK,EAAE,uBAAgB,IAAI,CAAC,GAAG,EAAE,iBAAc;yBAChD,CAAC,EAAA;;oBAJI,WAAW,GAAG,SAIlB;oBACF,aAAa,GAAG,WAAW,CAAC,EAAE,CAAA;oBAC9B,qBAAM,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,WAAW,CAAC,EAAE,EAAE,QAAQ,EAAE,uBAAuB,EAAE,CAAC;wBAE9F,wEAAwE;wBACxE,wEAAwE;wBACxE,0EAA0E;sBAJoB;;oBAA9F,SAA8F,CAAA;oBAE9F,wEAAwE;oBACxE,wEAAwE;oBACxE,0EAA0E;oBAE1E,qBAAM,IAAA,cAAI,EAAC,SAAS,EAAE,GAAG,CAAC;wBAE1B,yEAAyE;wBACzE,oCAAoC;sBAHV;;oBAJ1B,wEAAwE;oBACxE,wEAAwE;oBACxE,0EAA0E;oBAE1E,SAA0B,CAAA;oBAIb,qBAAM,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC;wBAE1D,4EAA4E;sBAFlB;;oBAApD,SAAO,SAA6C;oBAGpD,eAAa,iBAAiB,CAAC,MAAI,CAAC,OAAO,CAAC,CAAA;oBAK5C,wBAAsB,MAAI,CAAC,OAAO,CAAC,MAAM,CAAC,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,SAAS,KAAK,OAAO,EAAvB,CAAuB,CAAC,CAAC,MAAM,CAAA;oBACpF,qBAAM,IAAA,oBAAU,EACd,2EAA2E,EAC3E;4BAAY,sBAAA,CAAC,EAAE,WAAW,EAAE,qBAAmB,EAAE,YAAY,EAAE,MAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,EAAA;iCAAA,EACrF,EAAE,QAAQ,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,WAAW,IAAI,CAAC,EAAlB,CAAkB,EAAE,CACtC,EAAA;;oBAJD,SAIC,CAAA;oBAED,qBAAM,IAAA,oBAAU,EACd,2HAA2H,EAC3H;;gCAAY,sBAAA,CAAC;wCACX,cAAc,EAAE,YAAU,CAAC,MAAM;wCACjC,UAAU,EAAE,YAAU,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;wCACnC,cAAc,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,YAAU,CAAC,GAAG,CAAC,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,SAAS,EAAX,CAAW,CAAC,CAAC,CAAC;wCACrE,cAAc,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,YAAU,CAAC,GAAG,CAAC,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,WAAW,EAAb,CAAa,CAAC,CAAC,CAAC;qCACxE,CAAC,EAAA;;6BAAA,EACF,EAAE,QAAQ,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,cAAc,KAAK,CAAC,EAAtB,CAAsB,EAAE,CAC1C;wBAED,2EAA2E;wBAC3E,kFAAkF;wBAClF,+EAA+E;wBAC/E,qDAAqD;wBACrD,2EAA2E;wBAE3E,+EAA+E;wBAC/E,kFAAkF;wBAClF,4FAA4F;wBAC5F,uFAAuF;sBAXtF;;oBATD,SASC,CAAA;oBAYiB,qBAAM,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAA;;oBAAjD,SAAS,GAAG,SAAqC;oBACjD,oBAAkB,iBAAiB,CAAC,SAAS,CAAC,OAAO,CAAC,CAAA;oBAC5D,qBAAM,IAAA,oBAAU,EACd,gGAAgG,EAChG;;gCAAY,sBAAA,CAAC;wCACX,cAAc,EAAE,iBAAe,CAAC,MAAM;wCACtC,UAAU,EAAE,iBAAe,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;qCACzC,CAAC,EAAA;;6BAAA,EACF,EAAE,QAAQ,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,cAAc,KAAK,CAAC,EAAtB,CAAsB,EAAE,CAC1C;wBAED,iFAAiF;wBACjF,0FAA0F;wBAC1F,+EAA+E;wBAC/E,6EAA6E;wBAC7E,qEAAqE;sBANpE;;oBAPD,SAOC,CAAA;oBAOK,uBAAqB,MAAI,CAAC,OAAO,CAAC,MAAM,CAC5C,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,SAAS,KAAK,OAAO,IAAI,CAAC,CAAC,QAAQ,KAAK,WAAW,CAAC,QAAQ,CAAC,EAAE,EAAjE,CAAiE,CACvE,CAAA;oBACK,uBAA6C,EAAE,CAAA;oBACrD,WAAuC,EAAlB,uBAAA,oBAAkB,EAAlB,gCAAkB,EAAlB,IAAkB,EAAE;wBAA9B,MAAM;wBACf,IAAI,CAAC,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS;4BAAE,SAAQ;wBACvD,IAAI;4BACI,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,CAAA;4BACtC,IAAI,qBAAqB,IAAI,MAAM,IAAI,MAAM,CAAC,mBAAmB,KAAK,SAAS,EAAE;gCAC/E,oBAAkB,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAA;6BACvD;yBACF;wBAAC,WAAM,GAAE;qBACX;oBACD,qBAAM,IAAA,oBAAU,EACd,uFAAuF,EACvF;;gCAAY,sBAAA,CAAC;wCACX,gBAAgB,EAAE,oBAAkB,CAAC,MAAM;wCAC3C,SAAS,EAAE,oBAAkB,CAAC,MAAM;wCACpC,KAAK,EAAE,oBAAkB,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC;qCACtC,CAAC,EAAA;;6BAAA,EACF,EAAE,QAAQ,EAAE,UAAA,CAAC,IAAI,OAAA,CAAC,CAAC,SAAS,KAAK,CAAC,EAAjB,CAAiB,EAAE,CACrC,EAAA;;oBARD,SAQC,CAAA;;;;oBAIC,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAC3B,WAAW,CAAC,QAAQ,CAAC,EAAE,EACvB,EAAE,KAAK,EAAE,aAAa,aAAb,aAAa,cAAb,aAAa,GAAI,EAAE,EAAE,EAC9B,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAC9B,EAAA;;oBAJD,SAIC,CAAA;;;;;;yBAEC,MAAM,EAAN,yBAAM;;;;oBACF,qBAAM,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,SAAS,CAAC,MAAM,CAAC,EAAA;;oBAA7D,SAA6D,CAAA;;;;;;yBAEjE,aAAa,EAAb,yBAAa;;;;oBACT,qBAAM,GAAG,CAAC,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,aAAa,CAAC,EAAA;;oBAA/C,SAA+C,CAAA;;;;;;gBAEvD,wEAAwE;gBACxE,+BAA+B;gBAC/B,sFAAsF;gBACtF,sFAAsF;gBACtF,iFAAiF;gBACjF,qBAAM,IAAA,cAAI,EAAC,SAAS,EAAE,IAAI,CAAC,EAAA;;oBAL3B,wEAAwE;oBACxE,+BAA+B;oBAC/B,sFAAsF;oBACtF,sFAAsF;oBACtF,iFAAiF;oBACjF,SAA2B,CAAA;;;;oBACrB,qBAAM,WAAW,CAAC,YAAY,CAAC,aAAc,EAAE,gBAAiB,CAAC,EAAA;;oBAAjE,SAAiE,CAAA;;;;;;;;;;CAE1E,CAAA;AArJY,QAAA,gCAAgC,oCAqJ5C;AAED,6CAA6C;AAC7C,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,OAAO,CAAC,GAAG,CAAC,sCAAqB,IAAI,CAAE,CAAC,CAAA;IACxC,IAAM,KAAG,GAAG,IAAI,aAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IACjC,IAAM,aAAW,GAAG,IAAI,aAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IAEzC,IAAM,QAAQ,GAAG;;;wBACf,qBAAM,IAAA,mBAAW,EAAC,KAAG,EAAE,aAAW,CAAC,EAAA;;oBAAnC,SAAmC,CAAA;oBACnC,qBAAM,IAAA,wCAAgC,EAAC,EAAE,GAAG,OAAA,EAAE,WAAW,eAAA,EAAE,CAAC,EAAA;;oBAA5D,SAA4D,CAAA;;;;SAC7D,CAAA;IAED,QAAQ,EAAE;SACP,IAAI,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,uEAAuE,CAAC,CAAA;QACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC;SACD,KAAK,CAAC,UAAC,KAAK;QACX,OAAO,CAAC,KAAK,CAAC,wDAAwD,EAAE,KAAK,CAAC,CAAA;QAC9E,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC,CAAA;CACL"}

package/lib/cjs/tests/api_tests/security/F-0005-ai-conversations-rbac.test.d.ts ADDED Viewed

@@ -0,0 +1,28 @@
+import { Session } from "../../../sdk";
+/**
+ * Regression test for F-0005 (security-audit/findings/F-0005-ai-conversations-bypass-rbac.md).
+ *
+ * Both `ai_conversations.send_message` and `ai_conversations.generate_ai_decision` are
+ * registered with `noAccessPermissions: true` ([api.ts:22699, 22721](packages/private/api/api/v1/api.ts)).
+ * Their only access gate is `if (req.session.type === 'enduser') throw 403`. They must ALSO
+ * check `session.access?.ai_conversations?.<action>` (and `session.access?.endusers?.read`
+ * for generate_ai_decision) — the standard pattern used 16 lines earlier in the same file
+ * at api.ts:22680 for the background_errors handler.
+ *
+ * This test:
+ *   1. Creates a role with explicit NO_ACCESS for ai_conversations (and endusers).
+ *   2. Assigns the role to the non-admin user.
+ *   3. Calls each endpoint as the non-admin.
+ *   4. Asserts each endpoint returns a 403-equivalent error (not 200).
+ *
+ * Pre-fix:
+ *   - send_message: 200 (or some downstream error from Bedrock) — NOT 403. Test fails.
+ *   - generate_ai_decision: 200 with `{}` (handler responds early before access check). Test fails.
+ *
+ * Post-fix: both endpoints throw 403 before any work happens. Test passes.
+ */
+export declare const ai_conversations_rbac_tests: ({ sdk, sdkNonAdmin }: {
+    sdk: Session;
+    sdkNonAdmin: Session;
+}) => Promise<void>;
+//# sourceMappingURL=F-0005-ai-conversations-rbac.test.d.ts.map

package/lib/cjs/tests/api_tests/security/F-0005-ai-conversations-rbac.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"F-0005-ai-conversations-rbac.test.d.ts","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0005-ai-conversations-rbac.test.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAYtC;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,2BAA2B;SAAwC,OAAO;iBAAe,OAAO;mBA8F5G,CAAA"}

package/lib/cjs/tests/api_tests/security/F-0005-ai-conversations-rbac.test.js ADDED Viewed

@@ -0,0 +1,247 @@
+"use strict";
+var __assign = (this && this.__assign) || function () {
+    __assign = Object.assign || function(t) {
+        for (var s, i = 1, n = arguments.length; i < n; i++) {
+            s = arguments[i];
+            for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
+                t[p] = s[p];
+        }
+        return t;
+    };
+    return __assign.apply(this, arguments);
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ai_conversations_rbac_tests = void 0;
+require('source-map-support').install();
+var bson_1 = require("bson");
+var sdk_1 = require("../../../sdk");
+var testing_1 = require("@tellescope/testing");
+var setup_1 = require("../../setup");
+var constants_1 = require("@tellescope/constants");
+var host = process.env.API_URL || 'http://localhost:8080';
+var _a = [process.env.NON_ADMIN_EMAIL, process.env.NON_ADMIN_PASSWORD], nonAdminEmail = _a[0], nonAdminPassword = _a[1];
+/**
+ * Regression test for F-0005 (security-audit/findings/F-0005-ai-conversations-bypass-rbac.md).
+ *
+ * Both `ai_conversations.send_message` and `ai_conversations.generate_ai_decision` are
+ * registered with `noAccessPermissions: true` ([api.ts:22699, 22721](packages/private/api/api/v1/api.ts)).
+ * Their only access gate is `if (req.session.type === 'enduser') throw 403`. They must ALSO
+ * check `session.access?.ai_conversations?.<action>` (and `session.access?.endusers?.read`
+ * for generate_ai_decision) — the standard pattern used 16 lines earlier in the same file
+ * at api.ts:22680 for the background_errors handler.
+ *
+ * This test:
+ *   1. Creates a role with explicit NO_ACCESS for ai_conversations (and endusers).
+ *   2. Assigns the role to the non-admin user.
+ *   3. Calls each endpoint as the non-admin.
+ *   4. Asserts each endpoint returns a 403-equivalent error (not 200).
+ *
+ * Pre-fix:
+ *   - send_message: 200 (or some downstream error from Bedrock) — NOT 403. Test fails.
+ *   - generate_ai_decision: 200 with `{}` (handler responds early before access check). Test fails.
+ *
+ * Post-fix: both endpoints throw 403 before any work happens. Test passes.
+ */
+var ai_conversations_rbac_tests = function (_a) {
+    var sdk = _a.sdk, sdkNonAdmin = _a.sdkNonAdmin;
+    return __awaiter(void 0, void 0, void 0, function () {
+        var roleName, rbapId, originalRoles, rbap, _b, _c, _d;
+        return __generator(this, function (_e) {
+            switch (_e.label) {
+                case 0:
+                    (0, testing_1.log_header)("F-0005: ai_conversations RBAC bypass regression");
+                    roleName = "f0005-ai-conversations-no-access-".concat(Date.now());
+                    originalRoles = sdkNonAdmin.userInfo.roles;
+                    _e.label = 1;
+                case 1:
+                    _e.trys.push([1, , 8, 21]);
+                    return [4 /*yield*/, sdk.api.role_based_access_permissions.createOne({
+                            role: roleName,
+                            permissions: __assign(__assign({}, constants_1.PROVIDER_PERMISSIONS), { ai_conversations: { create: null, read: null, update: null, delete: null }, endusers: { create: null, read: null, update: null, delete: null } }),
+                        })];
+                case 2:
+                    rbap = _e.sent();
+                    rbapId = rbap.id;
+                    // 2. Assign the role to the non-admin user and re-authenticate so the new
+                    //    session reflects the role's denied permissions.
+                    return [4 /*yield*/, sdk.api.users.updateOne(sdkNonAdmin.userInfo.id, { roles: [roleName] }, { replaceObjectFields: true })];
+                case 3:
+                    // 2. Assign the role to the non-admin user and re-authenticate so the new
+                    //    session reflects the role's denied permissions.
+                    _e.sent();
+                    return [4 /*yield*/, (0, testing_1.wait)(undefined, 1500)];
+                case 4:
+                    _e.sent();
+                    return [4 /*yield*/, sdkNonAdmin.authenticate(nonAdminEmail, nonAdminPassword)
+                        // 3a. send_message must throw 403 (or equivalent access error). Pre-fix: succeeds (or
+                        //     fails downstream in Bedrock without 403). Post-fix: throws before any work.
+                    ];
+                case 5:
+                    _e.sent();
+                    // 3a. send_message must throw 403 (or equivalent access error). Pre-fix: succeeds (or
+                    //     fails downstream in Bedrock without 403). Post-fix: throws before any work.
+                    return [4 /*yield*/, (0, testing_1.async_test)("F-0005: ai_conversations.send_message must throw 403 when role denies ai_conversations", function () { return sdkNonAdmin.api.ai_conversations.send_message({
+                            message: 'F-0005 regression test',
+                            type: 'Test',
+                        }); }, {
+                            shouldError: true,
+                            onError: function (e) {
+                                var _a, _b;
+                                // Accept any 4xx access-denial response — handler may use 403 (recommended)
+                                // or 400 with "access" / "permission" in the message.
+                                var msg = ((_a = e === null || e === void 0 ? void 0 : e.message) !== null && _a !== void 0 ? _a : '').toLowerCase();
+                                var status = (_b = e === null || e === void 0 ? void 0 : e.status) !== null && _b !== void 0 ? _b : e === null || e === void 0 ? void 0 : e.code;
+                                return status === 403 || status === 401
+                                    || msg.includes('access') || msg.includes('permission') || msg.includes('forbidden');
+                            },
+                        })
+                        // 3b. generate_ai_decision must throw 403 BEFORE the early res.json({}) response.
+                        //     Pre-fix: handler responds 200 with {} immediately and processes in background.
+                        //     Post-fix: handler throws 403 before res.json({}).
+                    ];
+                case 6:
+                    // 3a. send_message must throw 403 (or equivalent access error). Pre-fix: succeeds (or
+                    //     fails downstream in Bedrock without 403). Post-fix: throws before any work.
+                    _e.sent();
+                    // 3b. generate_ai_decision must throw 403 BEFORE the early res.json({}) response.
+                    //     Pre-fix: handler responds 200 with {} immediately and processes in background.
+                    //     Post-fix: handler throws 403 before res.json({}).
+                    return [4 /*yield*/, (0, testing_1.async_test)("F-0005: ai_conversations.generate_ai_decision must throw 403 when role denies endusers/ai_conversations", function () { return sdkNonAdmin.api.ai_conversations.generate_ai_decision({
+                            enduserId: new bson_1.ObjectId().toHexString(),
+                            automationStepId: new bson_1.ObjectId().toHexString(),
+                            outcomes: ['yes', 'no'],
+                            prompt: 'F-0005 regression test',
+                            sources: [{ type: 'SMS', limit: 1 }], // non-empty so the validator passes; access check then fires
+                        }); }, {
+                            shouldError: true,
+                            onError: function (e) {
+                                var _a, _b;
+                                var msg = ((_a = e === null || e === void 0 ? void 0 : e.message) !== null && _a !== void 0 ? _a : '').toLowerCase();
+                                var status = (_b = e === null || e === void 0 ? void 0 : e.status) !== null && _b !== void 0 ? _b : e === null || e === void 0 ? void 0 : e.code;
+                                return status === 403 || status === 401
+                                    || msg.includes('access') || msg.includes('permission') || msg.includes('forbidden');
+                            },
+                        })];
+                case 7:
+                    // 3b. generate_ai_decision must throw 403 BEFORE the early res.json({}) response.
+                    //     Pre-fix: handler responds 200 with {} immediately and processes in background.
+                    //     Post-fix: handler throws 403 before res.json({}).
+                    _e.sent();
+                    return [3 /*break*/, 21];
+                case 8:
+                    _e.trys.push([8, 10, , 11]);
+                    return [4 /*yield*/, sdk.api.users.updateOne(sdkNonAdmin.userInfo.id, { roles: originalRoles !== null && originalRoles !== void 0 ? originalRoles : [] }, { replaceObjectFields: true })];
+                case 9:
+                    _e.sent();
+                    return [3 /*break*/, 11];
+                case 10:
+                    _b = _e.sent();
+                    return [3 /*break*/, 11];
+                case 11:
+                    if (!rbapId) return [3 /*break*/, 15];
+                    _e.label = 12;
+                case 12:
+                    _e.trys.push([12, 14, , 15]);
+                    return [4 /*yield*/, sdk.api.role_based_access_permissions.deleteOne(rbapId)];
+                case 13:
+                    _e.sent();
+                    return [3 /*break*/, 15];
+                case 14:
+                    _c = _e.sent();
+                    return [3 /*break*/, 15];
+                case 15:
+                // Re-authenticate the non-admin to drop the no-access role from their JWT
+                // before subsequent tests run.
+                // Role restore above re-triggers deauthenticate_user; wait > 1s so the freshly minted
+                // token's (second-floored) iat lands after the deauth timestamp and isn't permanently
+                // rejected by is_logged_in's iat-slack check. Matches the in-test re-auth above.
+                return [4 /*yield*/, (0, testing_1.wait)(undefined, 1500)];
+                case 16:
+                    // Re-authenticate the non-admin to drop the no-access role from their JWT
+                    // before subsequent tests run.
+                    // Role restore above re-triggers deauthenticate_user; wait > 1s so the freshly minted
+                    // token's (second-floored) iat lands after the deauth timestamp and isn't permanently
+                    // rejected by is_logged_in's iat-slack check. Matches the in-test re-auth above.
+                    _e.sent();
+                    _e.label = 17;
+                case 17:
+                    _e.trys.push([17, 19, , 20]);
+                    return [4 /*yield*/, sdkNonAdmin.authenticate(nonAdminEmail, nonAdminPassword)];
+                case 18:
+                    _e.sent();
+                    return [3 /*break*/, 20];
+                case 19:
+                    _d = _e.sent();
+                    return [3 /*break*/, 20];
+                case 20: return [7 /*endfinally*/];
+                case 21: return [2 /*return*/];
+            }
+        });
+    });
+};
+exports.ai_conversations_rbac_tests = ai_conversations_rbac_tests;
+// Allow running this test file independently
+if (require.main === module) {
+    console.log("\uD83C\uDF10 Using API URL: ".concat(host));
+    var sdk_2 = new sdk_1.Session({ host: host });
+    var sdkNonAdmin_1 = new sdk_1.Session({ host: host });
+    var runTests = function () { return __awaiter(void 0, void 0, void 0, function () {
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, setup_1.setup_tests)(sdk_2, sdkNonAdmin_1)];
+                case 1:
+                    _a.sent();
+                    return [4 /*yield*/, (0, exports.ai_conversations_rbac_tests)({ sdk: sdk_2, sdkNonAdmin: sdkNonAdmin_1 })];
+                case 2:
+                    _a.sent();
+                    return [2 /*return*/];
+            }
+        });
+    }); };
+    runTests()
+        .then(function () {
+        console.log("✅ F-0005 ai_conversations RBAC test suite completed successfully");
+        process.exit(0);
+    })
+        .catch(function (error) {
+        console.error("❌ F-0005 ai_conversations RBAC test suite failed:", error);
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=F-0005-ai-conversations-rbac.test.js.map