@tellescope/sdk 1.251.0 → 1.252.1

package/src/tests/api_tests/calendar_event_webhook_template.test.ts

@@ -0,0 +1,204 @@
+require('source-map-support').install();
+
+import { Session } from "../../sdk"
+import {
+  async_test,
+  log_header,
+  wait,
+} from "@tellescope/testing"
+import { setup_tests } from "../setup"
+
+const host = process.env.API_URL || 'http://localhost:8080' as const
+
+const HEALTHIE_TITLE = 'Healthie' // mirror @tellescope/constants HEALTHIE_TITLE
+
+// Unreachable webhook target — the request will fail quickly but the API still writes
+// the resolved payload to webhook_logs, which is what we're verifying.
+const WEBHOOK_TARGET_URL = 'http://127.0.0.1:9'
+
+const find_log_for_url = async (sdk: Session, url: string, expectedHealthieId: string) => {
+  const start = Date.now()
+  while (Date.now() - start < 10_000) {
+    const logs = await sdk.api.webhook_logs.getSome({ limit: 50, sort: 'newFirst' as any }) as Array<any>
+    const match = logs.find(l => l.url === url && (l.payload as any)?.healthieId === expectedHealthieId)
+    if (match) return match
+    await wait(undefined, 500)
+  }
+  return null
+}
+
+// Main test function that can be called independently
+export const calendar_event_webhook_template_tests = async (
+  { sdk, sdkNonAdmin } : { sdk: Session, sdkNonAdmin: Session }
+) => {
+  log_header("Calendar Event Webhook Template Tests")
+
+  const enduser = await sdk.api.endusers.createOne({})
+
+  // Case 1: Healthie ID resolved via source + externalId
+  const externalIdEvent = await sdk.api.calendar_events.createOne({
+    title: 'External ID Calendar Event',
+    durationInMinutes: 30,
+    startTimeInMS: Date.now(),
+    attendees: [{ type: 'enduser', id: enduser.id }],
+    source: HEALTHIE_TITLE,
+    externalId: 'evt_HEALTHIE_123',
+  } as any)
+
+  // Case 2: Healthie ID resolved via references
+  const referencesEvent = await sdk.api.calendar_events.createOne({
+    title: 'References Calendar Event',
+    durationInMinutes: 30,
+    startTimeInMS: Date.now(),
+    attendees: [{ type: 'enduser', id: enduser.id }],
+    references: [{ type: HEALTHIE_TITLE, id: 'evt_REF_456' }],
+  } as any)
+
+  // create an automation step to satisfy schema validation (automationStepId is required)
+  const journey = await sdk.api.journeys.createOne({
+    title: 'Calendar Event Webhook Template Tests',
+    defaultState: 'State 1',
+  })
+  const step = await sdk.api.automation_steps.createOne({
+    journeyId: journey.id,
+    events: [{ type: 'onJourneyStart', info: {} }],
+    action: {
+      type: 'sendWebhook',
+      info: {
+        message: 'placeholder',
+        url: WEBHOOK_TARGET_URL,
+      },
+    },
+  })
+
+  try {
+    await async_test(
+      'Send Webhook resolves {{calendar_event.Healthie ID}} from source+externalId',
+      async () => {
+        const url = `${WEBHOOK_TARGET_URL}/external/${externalIdEvent.id}`
+        await sdk.api.webhooks.send_automation_webhook({
+          message: 'placeholder',
+          enduserId: enduser.id,
+          automationStepId: step.id,
+          action: {
+            type: 'sendWebhook',
+            info: {
+              message: 'placeholder',
+              url,
+              fields: [
+                { field: 'healthieId', value: '{{calendar_event.Healthie ID}}' },
+                { field: 'title', value: '{{calendar_event.title}}' },
+              ],
+            },
+          },
+          context: { calendarEventId: externalIdEvent.id },
+        }).catch(() => {}) // the unreachable URL is expected to error after logging
+
+        const log = await find_log_for_url(sdk, url, 'evt_HEALTHIE_123')
+        if (!log) return false
+        const payload = log.payload as any
+        return payload?.healthieId === 'evt_HEALTHIE_123'
+          && payload?.title === externalIdEvent.title
+      },
+      { onResult: r => r === true }
+    )
+
+    await async_test(
+      'Send Webhook resolves {{calendar_event.Healthie ID}} from references',
+      async () => {
+        const url = `${WEBHOOK_TARGET_URL}/refs/${referencesEvent.id}`
+        await sdk.api.webhooks.send_automation_webhook({
+          message: 'placeholder',
+          enduserId: enduser.id,
+          automationStepId: step.id,
+          action: {
+            type: 'sendWebhook',
+            info: {
+              message: 'placeholder',
+              url,
+              fields: [
+                { field: 'healthieId', value: '{{calendar_event.Healthie ID}}' },
+                { field: 'title', value: '{{calendar_event.title}}' },
+              ],
+            },
+          },
+          context: { calendarEventId: referencesEvent.id },
+        }).catch(() => {})
+
+        const log = await find_log_for_url(sdk, url, 'evt_REF_456')
+        if (!log) return false
+        const payload = log.payload as any
+        return payload?.healthieId === 'evt_REF_456'
+          && payload?.title === referencesEvent.title
+      },
+      { onResult: r => r === true }
+    )
+
+    await async_test(
+      'Send Webhook leaves {{calendar_event.Healthie ID}} blank when no calendarEventId in context',
+      async () => {
+        const url = `${WEBHOOK_TARGET_URL}/nocontext`
+        await sdk.api.webhooks.send_automation_webhook({
+          message: 'placeholder',
+          enduserId: enduser.id,
+          automationStepId: step.id,
+          action: {
+            type: 'sendWebhook',
+            info: {
+              message: 'placeholder',
+              url,
+              fields: [
+                { field: 'healthieId', value: '{{calendar_event.Healthie ID}}' },
+              ],
+            },
+          },
+          // no calendarEventId
+        }).catch(() => {})
+
+        // Without a calendar event in context, the templating helper returns the input
+        // unchanged, so the literal template string remains in the payload.
+        const start = Date.now()
+        while (Date.now() - start < 10_000) {
+          const logs = await sdk.api.webhook_logs.getSome({ limit: 50, sort: 'newFirst' as any }) as Array<any>
+          const match = logs.find(l => l.url === url)
+          if (match) {
+            const payload = match.payload as any
+            return payload?.healthieId === '{{calendar_event.Healthie ID}}'
+          }
+          await wait(undefined, 500)
+        }
+        return false
+      },
+      { onResult: r => r === true }
+    )
+
+  } finally {
+    try { await sdk.api.calendar_events.deleteOne(externalIdEvent.id) } catch {}
+    try { await sdk.api.calendar_events.deleteOne(referencesEvent.id) } catch {}
+    try { await sdk.api.automation_steps.deleteOne(step.id) } catch {}
+    try { await sdk.api.journeys.deleteOne(journey.id) } catch {}
+    try { await sdk.api.endusers.deleteOne(enduser.id) } catch {}
+  }
+}
+
+// Allow running this test file independently
+if (require.main === module) {
+  console.log(`🌐 Using API URL: ${host}`)
+  const sdk = new Session({ host })
+  const sdkNonAdmin = new Session({ host })
+
+  const runTests = async () => {
+    await setup_tests(sdk, sdkNonAdmin)
+    await calendar_event_webhook_template_tests({ sdk, sdkNonAdmin })
+  }
+
+  runTests()
+    .then(() => {
+      console.log("✅ Calendar event webhook template test suite completed successfully")
+      process.exit(0)
+    })
+    .catch((error) => {
+      console.error("❌ Calendar event webhook template test suite failed:", error)
+      process.exit(1)
+    })
+}

package/src/tests/api_tests/enduser_login_rate_limits.test.ts

@@ -0,0 +1,178 @@
+require('source-map-support').install();
+
+import axios from "axios"
+import { Session } from "../../sdk"
+import {
+  async_test,
+  log_header,
+} from "@tellescope/testing"
+import { setup_tests } from "../setup"
+
+const host = process.env.API_URL || 'http://localhost:8080' as const
+
+// Per-IP rate limits applied to enduser public endpoints:
+//   POST /v1/login-enduser              20 / min, 100 / hour
+//   POST /v1/begin-enduser-login-flow   10 / min,  50 / hour
+//   POST /v1/endusers/send-otp-code      5 / min,  30 / hour
+// Plus a per-identifier limit on begin_login_flow: 5 / 10 min per email|phone.
+
+const post = async (path: string, body: any) => {
+  try {
+    const res = await axios.post(`${host}${path}`, body, { validateStatus: () => true })
+    return { status: res.status, data: res.data }
+  } catch (err: any) {
+    return { status: err?.response?.status, data: err?.response?.data }
+  }
+}
+
+const fire_until_429 = async (cap: number, send: (i: number) => Promise<{ status: number }>) => {
+  let triggeredAt = -1
+  for (let i = 0; i < cap + 5; i++) {
+    const { status } = await send(i)
+    if (status === 429) {
+      triggeredAt = i
+      break
+    }
+  }
+  return triggeredAt
+}
+
+export const enduser_login_rate_limits_tests = async ({ sdk, sdkNonAdmin } : { sdk: Session, sdkNonAdmin: Session }) => {
+  log_header("Enduser Login Rate Limit Tests")
+
+  const businessId = sdk.userInfo.businessId
+
+  // Ensure throttled_events from prior tests don't bleed in.
+  await sdk.reset_db()
+
+  // ---- /v1/login-enduser per-IP cap (20/min) ----
+  // Bogus emails ensure we never reach the actual DB lookup / login work.
+  const loginTrip = await fire_until_429(20, i => post('/v1/login-enduser', {
+    email: `rl-login-${Date.now()}-${i}@tellescope.com`,
+    password: 'NotARealPassword!2025',
+    businessId,
+  }))
+  await async_test(
+    'login per-IP throttle trips within first 21 requests',
+    async () => (loginTrip >= 0 && loginTrip <= 20) ? 'tripped' : `not-tripped:${loginTrip}`,
+    { expectedResult: 'tripped' }
+  )
+
+  await sdk.reset_db()
+
+  // ---- /v1/begin-enduser-login-flow per-IP cap (10/min) ----
+  // Use distinct emails so the per-identifier limit (5/10min) does NOT trip first;
+  // we want the IP cap to be the first thing to fire.
+  const beginIpTrip = await fire_until_429(10, i => post('/v1/begin-enduser-login-flow', {
+    email: `rl-begin-ip-${Date.now()}-${i}@tellescope.com`,
+    businessId,
+  }))
+  await async_test(
+    'begin_login_flow per-IP throttle trips within first 11 requests',
+    async () => (beginIpTrip >= 0 && beginIpTrip <= 10) ? 'tripped' : `not-tripped:${beginIpTrip}`,
+    { expectedResult: 'tripped' }
+  )
+
+  await sdk.reset_db()
+
+  // ---- /v1/begin-enduser-login-flow per-identifier cap (5 / 10 min per email) ----
+  // Hit a single email below the per-IP cap.
+  const fixedEmail = `rl-begin-id-${Date.now()}@tellescope.com`
+  const beginIdTrip = await fire_until_429(5, () => post('/v1/begin-enduser-login-flow', {
+    email: fixedEmail,
+    businessId,
+  }))
+  await async_test(
+    'begin_login_flow per-identifier throttle trips within first 6 requests',
+    async () => (beginIdTrip >= 0 && beginIdTrip <= 5) ? 'tripped' : `not-tripped:${beginIdTrip}`,
+    { expectedResult: 'tripped' }
+  )
+
+  await sdk.reset_db()
+
+  // ---- /v1/endusers/send-otp-code per-IP cap (5/min) ----
+  // Use a bogus JWT-shaped token so we trip the IP guard first (it runs before any DB work).
+  const fakeToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMCJ9.sig'
+  const sendOtpTrip = await fire_until_429(5, () => post('/v1/endusers/send-otp-code', {
+    token: fakeToken,
+    method: 'email',
+  }))
+  await async_test(
+    'send_otp per-IP throttle trips within first 6 requests',
+    async () => (sendOtpTrip >= 0 && sendOtpTrip <= 5) ? 'tripped' : `not-tripped:${sendOtpTrip}`,
+    { expectedResult: 'tripped' }
+  )
+
+  // Confirm 429 response does not leak the keying strategy (no mention of "ip" or "address").
+  const tripped = await post('/v1/endusers/send-otp-code', { token: fakeToken, method: 'email' })
+  await async_test(
+    '429 response does not mention "ip" or "address"',
+    async () => {
+      const msg = (tripped.data?.message ?? '').toLowerCase()
+      return (msg.includes('ip') || msg.includes('address')) ? 'leaked' : 'safe'
+    },
+    { expectedResult: 'safe' }
+  )
+
+  // ---- Legitimate-login regression: a single successful login should still go through ----
+  // Reset state, then create a real enduser with a password and confirm one login succeeds.
+  await sdk.reset_db()
+
+  const ts = Date.now()
+  const enduser = await sdk.api.endusers.createOne({
+    fname: 'RateLimitOk', lname: 'Enduser',
+    email: `rl-legit-${ts}@tellescope.com`,
+  })
+  try {
+    await sdk.api.endusers.set_password({ id: enduser.id, password: 'CorrectPassword123!' })
+
+    const goodLogin = await post('/v1/login-enduser', {
+      email: enduser.email,
+      password: 'CorrectPassword123!',
+      businessId,
+    })
+    await async_test(
+      'legitimate login still succeeds (returns authToken, not 429)',
+      async () => goodLogin.status === 200 && !!goodLogin.data?.authToken ? 'ok' : `failed:${goodLogin.status}`,
+      { expectedResult: 'ok' }
+    )
+
+    // A subsequent successful login by the same user/IP should also succeed —
+    // a single legitimate user retrying must not trip the per-IP cap.
+    const goodLoginRetry = await post('/v1/login-enduser', {
+      email: enduser.email,
+      password: 'CorrectPassword123!',
+      businessId,
+    })
+    await async_test(
+      'legitimate login retry still succeeds',
+      async () => goodLoginRetry.status === 200 && !!goodLoginRetry.data?.authToken ? 'ok' : `failed:${goodLoginRetry.status}`,
+      { expectedResult: 'ok' }
+    )
+  } finally {
+    await sdk.api.endusers.deleteOne(enduser.id).catch(() => null)
+    await sdk.reset_db().catch(() => null)
+  }
+}
+
+// Allow running this test file independently
+if (require.main === module) {
+  console.log(`🌐 Using API URL: ${host}`)
+  const sdk = new Session({ host })
+  const sdkNonAdmin = new Session({ host })
+
+  const runTests = async () => {
+    await setup_tests(sdk, sdkNonAdmin)
+    await enduser_login_rate_limits_tests({ sdk, sdkNonAdmin })
+  }
+
+  runTests()
+    .then(() => {
+      console.log("✅ Enduser login rate limit test suite completed successfully")
+      process.exit(0)
+    })
+    .catch((error) => {
+      console.error("❌ Enduser login rate limit test suite failed:", error)
+      process.exit(1)
+    })
+}

package/src/tests/api_tests/integrations_redacted.test.ts

@@ -205,6 +205,14 @@ export const integrations_redacted_tests = async ({ sdk, sdkNonAdmin } : { sdk:
       }}
     )
 
+    // F-0049: connect_stripe must reject caller-supplied accountId (Stripe-account-spoofing defense).
+    // Stripe Connect is deprecated in Tellescope; accountId was a test shortcut, kept rejected to preserve SDK shape.
+    await async_test(
+      "connect_stripe rejects caller-supplied accountId",
+      () => sdk.api.integrations.connect_stripe({ countryCode: 'US', accountId: 'acct_someoneElsesAccount' } as any),
+      { shouldError: true, onError: (e: any) => /accountId is not supported/i.test(e?.message || e?.toString() || '') }
+    )
+
   } finally {
     if (integrationId) {
       try {

package/src/tests/api_tests/push_forms_to_portal_group_completion.test.ts

@@ -1,6 +1,6 @@
 require('source-map-support').install();
 
-import { Session } from "../../sdk"
+import { Session, EnduserSession } from "../../sdk"
 import { log_header, wait, async_test } from "@tellescope/testing"
 import { Enduser } from "@tellescope/types-client"
 import { setup_tests } from "../setup"
@@ -52,110 +52,135 @@ export const push_forms_to_portal_group_completion_tests = async ({ sdk, sdkNonA
       previousFields: [{ type: 'root', info: {} }],
     })
 
-    // 2. Create a form group containing both forms
+    // 2. Create a form group containing both forms (shared across both submission flows)
     const formGroup = await sdk.api.form_groups.createOne({
       title: 'Push To Portal Test Group',
       formIds: [formA.id, formB.id],
     })
     createdFormGroupIds.push(formGroup.id)
 
-    // 3. Configure trigger with event.info.groupId = the real formGroupId
-    const trigger = await sdk.api.automation_triggers.createOne({
-      event: { type: 'Form Group Completed', info: { groupId: formGroup.id } },
-      action: { type: 'Add Tags', info: { tags: ['form-group-completed-push'] } },
-      status: 'Active',
-      title: 'Form Group Completed - Push to Portal',
-    })
-    createdTriggerIds.push(trigger.id)
+    // Helper: run the full push-to-portal → submit → trigger flow with a configurable submitter.
+    // Each invocation creates its own trigger/journey/step/enduser and asserts its own tag.
+    // We test both the admin (user-session) submitter and the enduser (portal-session) submitter
+    // because they exercise different DB scopes in submit_form_response — and the regression QA caught
+    // was only triggered on the enduser-session path.
+    const runFlow = async ({ label, tag, submitAsEnduser } : { label: string, tag: string, submitAsEnduser: boolean }) => {
+      const trigger = await sdk.api.automation_triggers.createOne({
+        event: { type: 'Form Group Completed', info: { groupId: formGroup.id } },
+        action: { type: 'Add Tags', info: { tags: [tag] } },
+        status: 'Active',
+        title: `Form Group Completed - Push to Portal (${label})`,
+      })
+      createdTriggerIds.push(trigger.id)
 
-    // 4. Create journey with a pushFormsToPortal step referencing the form group
-    const journey = await sdk.api.journeys.createOne({
-      title: 'Push To Portal Trigger Journey',
-    })
-    createdJourneyIds.push(journey.id)
+      const journey = await sdk.api.journeys.createOne({
+        title: `Push To Portal Trigger Journey (${label})`,
+      })
+      createdJourneyIds.push(journey.id)
 
-    const pushStep = await sdk.api.automation_steps.createOne({
-      journeyId: journey.id,
-      action: { type: 'pushFormsToPortal', info: { formGroupIds: [formGroup.id] } },
-      events: [{ type: 'onJourneyStart', info: {} }],
-    })
+      const pushStep = await sdk.api.automation_steps.createOne({
+        journeyId: journey.id,
+        action: { type: 'pushFormsToPortal', info: { formGroupIds: [formGroup.id] } },
+        events: [{ type: 'onJourneyStart', info: {} }],
+      })
 
-    // 5. Create enduser and add to journey
-    const enduser = await sdk.api.endusers.createOne({ fname: 'PushPortal', lname: 'Tester' })
-    createdEnduserIds.push(enduser.id)
+      const enduser = await sdk.api.endusers.createOne({ fname: 'PushPortal', lname: label })
+      createdEnduserIds.push(enduser.id)
 
-    await sdk.api.endusers.add_to_journey({
-      enduserIds: [enduser.id],
-      journeyId: journey.id,
-    })
+      await sdk.api.endusers.add_to_journey({
+        enduserIds: [enduser.id],
+        journeyId: journey.id,
+      })
 
-    // 6. Poll for the worker to create the push-to-portal form_responses
-    const pushedResponses = await pollFor(
-      async () => {
-        const responses = await sdk.api.form_responses.getSome({
-          filter: { enduserId: enduser.id },
-        })
-        const pushed = responses.filter(r => !!r.pushedToPortalAt)
-        return pushed.length >= 2 ? pushed : undefined
-      },
-      (result): result is any[] => Array.isArray(result) && result.length >= 2,
-      'pushed-to-portal form_responses to be created by worker',
-      500,
-      40,
-    )
-
-    // 7. Assert worker behavior: groupId === automationStepId and pushedToPortalAt is set
-    for (const fr of pushedResponses) {
-      if (!fr.pushedToPortalAt) {
-        throw new Error(`Expected pushedToPortalAt to be set on form_response ${fr.id}`)
+      const pushedResponses = await pollFor(
+        async () => {
+          const responses = await sdk.api.form_responses.getSome({
+            filter: { enduserId: enduser.id },
+          })
+          const pushed = responses.filter(r => !!r.pushedToPortalAt)
+          return pushed.length >= 2 ? pushed : undefined
+        },
+        (result): result is any[] => Array.isArray(result) && result.length >= 2,
+        `pushed-to-portal form_responses to be created by worker (${label})`,
+        500,
+        40,
+      )
+
+      for (const fr of pushedResponses) {
+        if (!fr.pushedToPortalAt) {
+          throw new Error(`Expected pushedToPortalAt to be set on form_response ${fr.id} (${label})`)
+        }
+        if (fr.groupId !== pushStep.id) {
+          throw new Error(`Expected form_response.groupId (${fr.groupId}) to equal automation step id (${pushStep.id}) (${label})`)
+        }
+        if (fr.automationStepId !== pushStep.id) {
+          throw new Error(`Expected form_response.automationStepId (${fr.automationStepId}) to equal automation step id (${pushStep.id}) (${label})`)
+        }
       }
-      if (fr.groupId !== pushStep.id) {
-        throw new Error(`Expected form_response.groupId (${fr.groupId}) to equal automation step id (${pushStep.id})`)
+
+      await async_test(
+        `Worker writes groupId === automationStepId and pushedToPortalAt set (${label})`,
+        async () => true,
+        { onResult: r => r === true },
+      )
+
+      // Build the submitter session
+      let submitterApi: typeof sdk.api | EnduserSession['api']
+      if (submitAsEnduser) {
+        const { authToken } = await sdk.api.endusers.generate_auth_token({ id: enduser.id })
+        const enduserSDK = new EnduserSession({ host, authToken, businessId: sdk.userInfo.businessId })
+        submitterApi = enduserSDK.api
+      } else {
+        submitterApi = sdk.api
       }
-      if (fr.automationStepId !== pushStep.id) {
-        throw new Error(`Expected form_response.automationStepId (${fr.automationStepId}) to equal automation step id (${pushStep.id})`)
+
+      for (const fr of pushedResponses) {
+        const isFormA = fr.formId === formA.id
+        const targetFieldId = isFormA ? fieldA.id : fieldB.id
+        const targetFieldTitle = isFormA ? 'FieldA' : 'FieldB'
+        await submitterApi.form_responses.submit_form_response({
+          accessCode: fr.accessCode as string,
+          responses: [{
+            fieldId: targetFieldId,
+            fieldTitle: targetFieldTitle,
+            answer: { type: 'string', value: 'pushed-portal-answer' },
+          }],
+        })
       }
-    }
 
-    await async_test(
-      "Worker writes groupId === automationStepId and pushedToPortalAt set",
-      async () => true,
-      { onResult: r => r === true },
-    )
-
-    // 8. Submit every form_response on behalf of the enduser
-    // Identify which form_response corresponds to formA / formB via formId
-    for (const fr of pushedResponses) {
-      const isFormA = fr.formId === formA.id
-      const targetFieldId = isFormA ? fieldA.id : fieldB.id
-      const targetFieldTitle = isFormA ? 'FieldA' : 'FieldB'
-      await sdk.api.form_responses.submit_form_response({
-        accessCode: fr.accessCode as string,
-        responses: [{
-          fieldId: targetFieldId,
-          fieldTitle: targetFieldTitle,
-          answer: { type: 'string', value: 'pushed-portal-answer' },
-        }],
-      })
+      await pollFor(
+        async () => {
+          const e = await sdk.api.endusers.getOne(enduser.id)
+          return e.tags?.includes(tag) ? e : undefined
+        },
+        (result): result is Enduser => !!result,
+        `Form Group Completed trigger to apply tag after push-to-portal submissions (${label})`,
+        500,
+        30,
+      )
+
+      await async_test(
+        `Form Group Completed trigger fires for push-to-portal completion (${label})`,
+        () => sdk.api.endusers.getOne(enduser.id),
+        { onResult: (e: Enduser) => !!e.tags?.includes(tag) },
+      )
     }
 
-    // 9. Poll for the trigger's side-effect (tag on enduser)
-    await pollFor(
-      async () => {
-        const e = await sdk.api.endusers.getOne(enduser.id)
-        return e.tags?.includes('form-group-completed-push') ? e : undefined
-      },
-      (result): result is Enduser => !!result,
-      'Form Group Completed trigger to apply tag after push-to-portal submissions',
-      500,
-      30,
-    )
-
-    await async_test(
-      "Form Group Completed trigger fires for push-to-portal completion",
-      () => sdk.api.endusers.getOne(enduser.id),
-      { onResult: (e: Enduser) => !!e.tags?.includes('form-group-completed-push') },
-    )
+    // Admin submitter: simulates a staff user filling in the form on behalf of the patient
+    // (uses a user-scoped DB in submit_form_response).
+    await runFlow({
+      label: 'admin-submit',
+      tag: 'form-group-completed-push-admin',
+      submitAsEnduser: false,
+    })
+
+    // Enduser submitter: simulates the patient submitting via the portal
+    // (uses an enduser-scoped DB in submit_form_response — exercises the path QA caught).
+    await runFlow({
+      label: 'enduser-submit',
+      tag: 'form-group-completed-push-enduser',
+      submitAsEnduser: true,
+    })
 
   } finally {
     for (const id of createdTriggerIds) {