npm - @tellescope/sdk - Versions diffs - 1.251.0 → 1.252.1 - Mend

@tellescope/sdk 1.251.0 → 1.252.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (131) hide show

package/lib/cjs/tests/api_tests/security/F-0013-sanitize-user-html.test.js ADDED Viewed

@@ -0,0 +1,148 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitize_user_html_xss_tests = void 0;
+var utilities_1 = require("@tellescope/utilities");
+// Regression test for F-0013 / F-0014 (pattern 06 — XSS via dangerouslySetInnerHTML).
+// sanitize_user_html is the canonical render-time sanitizer that replaced remove_script_tags
+// at every dangerouslySetInnerHTML sink. This asserts it neutralizes XSS vectors (incl. encoded /
+// whitespace / mixed-case / iframe-srcdoc bypass variants) while preserving legitimate
+// customization HTML (tables, headings, lists, links, images, inline styles).
+//
+// Pure-function test — no Session needed. Runs as part of the main suite and standalone:
+//   ./build_cjs.sh && cd packages/public/sdk && node -r dotenv/config lib/cjs/tests/api_tests/security/F-0013-sanitize-user-html.test.js
+var fail = function (msg) { throw new Error(msg); };
+var has_no_executable_vector = function (out) {
+    var o = out.toLowerCase();
+    // A handler smuggled into an attribute VALUE (e.g. title="&lt;img onerror=...&gt;") is inert
+    // text — strip quoted values before checking for *live* on*= attributes to avoid false positives.
+    var withoutValues = o.replace(/"[^"]*"/g, '""').replace(/'[^']*'/g, "''");
+    return !/\son[a-z]+\s*=/.test(withoutValues) // no live on*= event-handler attribute
+        && !o.includes('javascript:') // dropped schemes never appear in safe output
+        && !o.includes('vbscript:')
+        && !o.includes('<script') // literal dangerous tags (encoded &lt;script is fine)
+        && !o.includes('<iframe')
+        && !o.includes('<svg')
+        && !o.includes('<math')
+        && !o.includes('<object')
+        && !o.includes('<embed')
+        && !o.includes('<form')
+        && !o.includes('<noscript')
+        && !o.includes('<template');
+};
+var sanitize_user_html_xss_tests = function () { return __awaiter(void 0, void 0, void 0, function () {
+    var xssPayloads, _i, xssPayloads_1, _a, name_1, payload, out, clobber, heading, table, list, link, img, dataimg, fmt, mixed;
+    return __generator(this, function (_b) {
+        console.log("Running F-0013/F-0014 sanitize_user_html XSS regression tests");
+        xssPayloads = [
+            ['img onerror', "<img src=x onerror=\"alert(document.domain)\">"],
+            ['svg onload', "<svg onload=\"alert(1)\"></svg>"],
+            ['svg animate onbegin', "<svg><animate onbegin=\"alert(1)\" attributeName=\"x\" dur=\"1s\"></svg>"],
+            ['details ontoggle', "<details open ontoggle=\"alert(1)\"></details>"],
+            ['input onfocus autofocus', "<input autofocus onfocus=\"alert(1)\">"],
+            ['body onpageshow', "<body onpageshow=\"alert(1)\">"],
+            ['a javascript scheme', "<a href=\"javascript:alert(1)\">x</a>"],
+            ['a javascript entity-encoded', "<a href=\"jav&#x09;ascript:alert(1)\">x</a>"],
+            ['iframe javascript src', "<iframe src=\"javascript:alert(1)\"></iframe>"],
+            ['iframe srcdoc nested', "<iframe srcdoc=\"<img src=x onerror=alert(1)>\"></iframe>"],
+            ['script tag', "<script>alert(1)</script>"],
+            ['onerror newline before =', "<img src=x onerror\n=\"alert(1)\">"],
+            ['onerror mixed case', "<IMG SRC=x OnErRoR=\"alert(1)\">"],
+            ['marquee onstart', "<marquee onstart=\"alert(1)\">x</marquee>"],
+            // mutation / namespace confusion — svg/math/noscript/template must be stripped
+            ['mathml mglyph style mxss', "<math><mtext><table><mglyph><style><!--</style><img src=x onerror=alert(1)>"],
+            ['svg foreignObject', "<svg><foreignObject><img src=x onerror=alert(1)></foreignObject></svg>"],
+            ['noscript context confusion', "<noscript><p title=\"</noscript><img src=x onerror=alert(1)>\">"],
+            ['template content', "<template><img src=x onerror=alert(1)></template>"],
+            // comment / CDATA confusion
+            ['comment confusion', "<!--><img src=x onerror=alert(1)>-->"],
+            ['cdata confusion', "<![CDATA[<img src=x onerror=alert(1)>]]>"],
+            // markup smuggled inside an attribute value must stay inert
+            ['markup inside attr value', "<img src=\"x\" alt=\"<script>alert(1)</script>\">"],
+            // protocol obfuscation
+            ['vbscript scheme', "<a href=\"vbscript:msgbox(1)\">x</a>"],
+            ['data text/html href', "<a href=\"data:text/html,<script>alert(1)</script>\">x</a>"],
+            ['javascript decimal entity', "<a href=\"&#74;avascript:alert(1)\">x</a>"],
+            ['javascript newline entity', "<a href=\"jav&#x0A;ascript:alert(1)\">x</a>"],
+        ];
+        for (_i = 0, xssPayloads_1 = xssPayloads; _i < xssPayloads_1.length; _i++) {
+            _a = xssPayloads_1[_i], name_1 = _a[0], payload = _a[1];
+            out = (0, utilities_1.sanitize_user_html)(payload);
+            if (!has_no_executable_vector(out))
+                fail("XSS not neutralized [".concat(name_1, "] -> ").concat(out));
+        }
+        clobber = (0, utilities_1.sanitize_user_html)("<a id=\"x\" name=\"getElementById\">link</a><img name=\"y\">");
+        if (/\b(id|name)\s*=/.test(clobber))
+            fail("id/name not stripped (DOM clobbering): ".concat(clobber));
+        heading = (0, utilities_1.sanitize_user_html)("<h1>Welcome</h1><h3 style=\"color:#333\">Sub</h3>");
+        if (!(heading.includes('<h1>') && heading.includes('<h3') && heading.toLowerCase().includes('color')))
+            fail("headings/style stripped: ".concat(heading));
+        table = (0, utilities_1.sanitize_user_html)("<table><thead><tr><th>H</th></tr></thead><tbody><tr><td style=\"padding:4px\" colspan=\"2\">cell</td></tr></tbody></table>");
+        if (!(table.includes('<table') && table.includes('<td') && table.includes('colspan')))
+            fail("table stripped: ".concat(table));
+        list = (0, utilities_1.sanitize_user_html)("<ul><li>a</li></ul><ol start=\"3\"><li>c</li></ol>");
+        if (!(list.includes('<ul') && list.includes('<li') && list.includes('<ol')))
+            fail("list stripped: ".concat(list));
+        link = (0, utilities_1.sanitize_user_html)("<a href=\"https://example.com\">link</a>");
+        if (!link.includes('href="https://example.com"'))
+            fail("safe link stripped: ".concat(link));
+        if (!link.toLowerCase().includes('noopener'))
+            fail("external link not hardened: ".concat(link));
+        img = (0, utilities_1.sanitize_user_html)("<img src=\"https://cdn.example.com/a.png\" alt=\"pic\" width=\"200\">");
+        if (!(img.includes('src="https://cdn.example.com/a.png"') && img.includes('alt="pic"')))
+            fail("http image stripped: ".concat(img));
+        dataimg = (0, utilities_1.sanitize_user_html)("<img src=\"data:image/png;base64,iVBORw0KGgo=\">");
+        if (!dataimg.includes('data:image/png'))
+            fail("data: image stripped: ".concat(dataimg));
+        fmt = (0, utilities_1.sanitize_user_html)("<p><strong>b</strong> <em>i</em> <span style=\"font-size:14px\">s</span></p><blockquote>q</blockquote>");
+        if (!(fmt.includes('<strong>') && fmt.includes('<span') && fmt.toLowerCase().includes('font-size')))
+            fail("formatting stripped: ".concat(fmt));
+        mixed = (0, utilities_1.sanitize_user_html)("<p>Hello <b>name</b></p><img src=x onerror=\"steal()\">");
+        if (!(mixed.includes('<b>name</b>') && !/\son[a-z]+\s*=/.test(mixed.toLowerCase())))
+            fail("mixed content not handled: ".concat(mixed));
+        console.log("✅ F-0013/F-0014 sanitize_user_html XSS regression tests passed");
+        return [2 /*return*/];
+    });
+}); };
+exports.sanitize_user_html_xss_tests = sanitize_user_html_xss_tests;
+if (require.main === module) {
+    (0, exports.sanitize_user_html_xss_tests)()
+        .then(function () { console.log("✅ suite completed"); process.exit(0); })
+        .catch(function (err) { console.error("❌ suite failed:", err); process.exit(1); });
+}
+//# sourceMappingURL=F-0013-sanitize-user-html.test.js.map

package/lib/cjs/tests/api_tests/security/F-0013-sanitize-user-html.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"F-0013-sanitize-user-html.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0013-sanitize-user-html.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,mDAA0D;AAE1D,sFAAsF;AACtF,6FAA6F;AAC7F,kGAAkG;AAClG,uFAAuF;AACvF,8EAA8E;AAC9E,EAAE;AACF,yFAAyF;AACzF,yIAAyI;AAEzI,IAAM,IAAI,GAAG,UAAC,GAAW,IAAO,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAA,CAAC,CAAC,CAAA;AAEtD,IAAM,wBAAwB,GAAG,UAAC,GAAW;IAC3C,IAAM,CAAC,GAAG,GAAG,CAAC,WAAW,EAAE,CAAA;IAC3B,6FAA6F;IAC7F,kGAAkG;IAClG,IAAM,aAAa,GAAG,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,UAAU,EAAE,IAAI,CAAC,CAAA;IAC3E,OAAO,CAAC,gBAAgB,CAAC,IAAI,CAAC,aAAa,CAAC,CAAG,uCAAuC;WAC/E,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAc,8CAA8C;WACtF,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;WACxB,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAkB,sDAAsD;WAC9F,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;WACtB,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;WACnB,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;WACpB,CAAC,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;WACtB,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;WACrB,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;WACpB,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC;WACxB,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;AACjC,CAAC,CAAA;AAEM,IAAM,4BAA4B,GAAG;;;QAC1C,OAAO,CAAC,GAAG,CAAC,+DAA+D,CAAC,CAAA;QAEtE,WAAW,GAAuB;YACtC,CAAC,aAAa,EAAE,gDAA8C,CAAC;YAC/D,CAAC,YAAY,EAAE,iCAA+B,CAAC;YAC/C,CAAC,qBAAqB,EAAE,0EAAoE,CAAC;YAC7F,CAAC,kBAAkB,EAAE,gDAA8C,CAAC;YACpE,CAAC,yBAAyB,EAAE,wCAAsC,CAAC;YACnE,CAAC,iBAAiB,EAAE,gCAA8B,CAAC;YACnD,CAAC,qBAAqB,EAAE,uCAAqC,CAAC;YAC9D,CAAC,6BAA6B,EAAE,6CAA2C,CAAC;YAC5E,CAAC,uBAAuB,EAAE,+CAA6C,CAAC;YACxE,CAAC,sBAAsB,EAAE,2DAAyD,CAAC;YACnF,CAAC,YAAY,EAAE,2BAA2B,CAAC;YAC3C,CAAC,0BAA0B,EAAE,oCAAkC,CAAC;YAChE,CAAC,oBAAoB,EAAE,kCAAgC,CAAC;YACxD,CAAC,iBAAiB,EAAE,2CAAyC,CAAC;YAC9D,+EAA+E;YAC/E,CAAC,0BAA0B,EAAE,6EAA6E,CAAC;YAC3G,CAAC,mBAAmB,EAAE,wEAAwE,CAAC;YAC/F,CAAC,4BAA4B,EAAE,iEAA+D,CAAC;YAC/F,CAAC,kBAAkB,EAAE,mDAAmD,CAAC;YACzE,4BAA4B;YAC5B,CAAC,mBAAmB,EAAE,sCAAsC,CAAC;YAC7D,CAAC,iBAAiB,EAAE,0CAA0C,CAAC;YAC/D,4DAA4D;YAC5D,CAAC,0BAA0B,EAAE,mDAA+C,CAAC;YAC7E,uBAAuB;YACvB,CAAC,iBAAiB,EAAE,sCAAoC,CAAC;YACzD,CAAC,qBAAqB,EAAE,4DAA0D,CAAC;YACnF,CAAC,2BAA2B,EAAE,2CAAyC,CAAC;YACxE,CAAC,2BAA2B,EAAE,6CAA2C,CAAC;SAC3E,CAAA;QACD,WAAyC,EAAX,2BAAW,EAAX,yBAAW,EAAX,IAAW,EAAE;YAAhC,sBAAe,EAAd,cAAI,EAAE,OAAO,QAAA;YACjB,GAAG,GAAG,IAAA,8BAAkB,EAAC,OAAO,CAAC,CAAA;YACvC,IAAI,CAAC,wBAAwB,CAAC,GAAG,CAAC;gBAAE,IAAI,CAAC,+BAAwB,MAAI,kBAAQ,GAAG,CAAE,CAAC,CAAA;SACpF;QAGK,OAAO,GAAG,IAAA,8BAAkB,EAAC,8DAAwD,CAAC,CAAA;QAC5F,IAAI,iBAAiB,CAAC,IAAI,CAAC,OAAO,CAAC;YAAE,IAAI,CAAC,iDAA0C,OAAO,CAAE,CAAC,CAAA;QAGxF,OAAO,GAAG,IAAA,8BAAkB,EAAC,mDAAiD,CAAC,CAAA;QACrF,IAAI,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YAAE,IAAI,CAAC,mCAA4B,OAAO,CAAE,CAAC,CAAA;QAE5I,KAAK,GAAG,IAAA,8BAAkB,EAAC,4HAAwH,CAAC,CAAA;QAC1J,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;YAAE,IAAI,CAAC,0BAAmB,KAAK,CAAE,CAAC,CAAA;QAEjH,IAAI,GAAG,IAAA,8BAAkB,EAAC,oDAAkD,CAAC,CAAA;QACnF,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;YAAE,IAAI,CAAC,yBAAkB,IAAI,CAAE,CAAC,CAAA;QAErG,IAAI,GAAG,IAAA,8BAAkB,EAAC,0CAAwC,CAAC,CAAA;QACzE,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,4BAA4B,CAAC;YAAE,IAAI,CAAC,8BAAuB,IAAI,CAAE,CAAC,CAAA;QACrF,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC;YAAE,IAAI,CAAC,sCAA+B,IAAI,CAAE,CAAC,CAAA;QAEnF,GAAG,GAAG,IAAA,8BAAkB,EAAC,uEAAiE,CAAC,CAAA;QACjG,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,qCAAqC,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAAE,IAAI,CAAC,+BAAwB,GAAG,CAAE,CAAC,CAAA;QAEtH,OAAO,GAAG,IAAA,8BAAkB,EAAC,kDAAgD,CAAC,CAAA;QACpF,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,gBAAgB,CAAC;YAAE,IAAI,CAAC,gCAAyB,OAAO,CAAE,CAAC,CAAA;QAE3E,GAAG,GAAG,IAAA,8BAAkB,EAAC,wGAAsG,CAAC,CAAA;QACtI,IAAI,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;YAAE,IAAI,CAAC,+BAAwB,GAAG,CAAE,CAAC,CAAA;QAElI,KAAK,GAAG,IAAA,8BAAkB,EAAC,yDAAuD,CAAC,CAAA;QACzF,IAAI,CAAC,CAAC,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;YAAE,IAAI,CAAC,qCAA8B,KAAK,CAAE,CAAC,CAAA;QAEhI,OAAO,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAA;;;KAC9E,CAAA;AAtEY,QAAA,4BAA4B,gCAsExC;AAED,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,IAAA,oCAA4B,GAAE;SAC3B,IAAI,CAAC,cAAQ,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC;SACjE,KAAK,CAAC,UAAC,GAAG,IAAO,OAAO,CAAC,KAAK,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC,CAAA;CAC9E"}

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ export declare const prototype_pollution_tests: () => Promise<void>;
2	+ //# sourceMappingURL=F-0016-prototype-pollution.test.d.ts.map

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"F-0016-prototype-pollution.test.d.ts","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0016-prototype-pollution.test.ts"],"names":[],"mappings":"AAWA,eAAO,MAAM,yBAAyB,qBAgCrC,CAAA"}

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.js ADDED Viewed

@@ -0,0 +1,88 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.prototype_pollution_tests = void 0;
+var utilities_1 = require("@tellescope/utilities");
+// Regression test for F-0016 (pattern 17 — prototype pollution).
+// add_value_for_dotted_key must NOT write through __proto__/constructor/prototype path segments
+// (which would pollute Object.prototype process-wide), while still performing legitimate dotted assignment.
+//
+// Pure-function test — no Session needed. Runs in the main suite and standalone:
+//   ./build_cjs.sh && cd packages/public/sdk && node -r dotenv/config lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.js
+var fail = function (msg) { throw new Error(msg); };
+var prototype_pollution_tests = function () { return __awaiter(void 0, void 0, void 0, function () {
+    var leakedA, leakedB, leakedC, obj, flat;
+    return __generator(this, function (_a) {
+        console.log("Running F-0016 prototype-pollution regression tests");
+        // 1. __proto__ path must not pollute Object.prototype
+        (0, utilities_1.add_value_for_dotted_key)({ insurance: {} }, 'insurance.__proto__.__pp_a__', 'polluted');
+        leakedA = {}.__pp_a__;
+        delete Object.prototype.__pp_a__; // clean up regardless, so a failure here can't contaminate the rest of the suite
+        if (leakedA !== undefined)
+            fail('Object.prototype polluted via __proto__ path');
+        // 2. constructor.prototype path must not pollute
+        (0, utilities_1.add_value_for_dotted_key)({ insurance: {} }, 'insurance.constructor.prototype.__pp_b__', 'polluted');
+        leakedB = {}.__pp_b__;
+        delete Object.prototype.__pp_b__;
+        if (leakedB !== undefined)
+            fail('Object.prototype polluted via constructor.prototype path');
+        // 3. a leading __proto__ segment must not pollute either
+        (0, utilities_1.add_value_for_dotted_key)({}, '__proto__.__pp_c__', 'polluted');
+        leakedC = {}.__pp_c__;
+        delete Object.prototype.__pp_c__;
+        if (leakedC !== undefined)
+            fail('Object.prototype polluted via leading __proto__ segment');
+        obj = { a: { b: {} } };
+        (0, utilities_1.add_value_for_dotted_key)(obj, 'a.b.c', 42);
+        if (obj.a.b.c !== 42)
+            fail('legitimate dotted assignment broke');
+        flat = {};
+        (0, utilities_1.add_value_for_dotted_key)(flat, 'name', 'ok');
+        if (flat.name !== 'ok')
+            fail('single-key assignment broke');
+        console.log("✅ F-0016 prototype-pollution regression tests passed");
+        return [2 /*return*/];
+    });
+}); };
+exports.prototype_pollution_tests = prototype_pollution_tests;
+if (require.main === module) {
+    (0, exports.prototype_pollution_tests)()
+        .then(function () { console.log("✅ suite completed"); process.exit(0); })
+        .catch(function (err) { console.error("❌ suite failed:", err); process.exit(1); });
+}
+//# sourceMappingURL=F-0016-prototype-pollution.test.js.map

package/lib/cjs/tests/api_tests/security/F-0016-prototype-pollution.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"F-0016-prototype-pollution.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0016-prototype-pollution.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,mDAAgE;AAEhE,iEAAiE;AACjE,gGAAgG;AAChG,4GAA4G;AAC5G,EAAE;AACF,iFAAiF;AACjF,0IAA0I;AAE1I,IAAM,IAAI,GAAG,UAAC,GAAW,IAAO,MAAM,IAAI,KAAK,CAAC,GAAG,CAAC,CAAA,CAAC,CAAC,CAAA;AAE/C,IAAM,yBAAyB,GAAG;;;QACvC,OAAO,CAAC,GAAG,CAAC,qDAAqD,CAAC,CAAA;QAElE,sDAAsD;QACtD,IAAA,oCAAwB,EAAC,EAAE,SAAS,EAAE,EAAE,EAAS,EAAE,8BAA8B,EAAE,UAAU,CAAC,CAAA;QACxF,OAAO,GAAI,EAAU,CAAC,QAAQ,CAAA;QACpC,OAAQ,MAAM,CAAC,SAAiB,CAAC,QAAQ,CAAA,CAAC,iFAAiF;QAC3H,IAAI,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,8CAA8C,CAAC,CAAA;QAE/E,iDAAiD;QACjD,IAAA,oCAAwB,EAAC,EAAE,SAAS,EAAE,EAAE,EAAS,EAAE,0CAA0C,EAAE,UAAU,CAAC,CAAA;QACpG,OAAO,GAAI,EAAU,CAAC,QAAQ,CAAA;QACpC,OAAQ,MAAM,CAAC,SAAiB,CAAC,QAAQ,CAAA;QACzC,IAAI,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,0DAA0D,CAAC,CAAA;QAE3F,yDAAyD;QACzD,IAAA,oCAAwB,EAAC,EAAS,EAAE,oBAAoB,EAAE,UAAU,CAAC,CAAA;QAC/D,OAAO,GAAI,EAAU,CAAC,QAAQ,CAAA;QACpC,OAAQ,MAAM,CAAC,SAAiB,CAAC,QAAQ,CAAA;QACzC,IAAI,OAAO,KAAK,SAAS;YAAE,IAAI,CAAC,yDAAyD,CAAC,CAAA;QAGpF,GAAG,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,EAAE,EAAS,CAAA;QACnC,IAAA,oCAAwB,EAAC,GAAG,EAAE,OAAO,EAAE,EAAE,CAAC,CAAA;QAC1C,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE;YAAE,IAAI,CAAC,oCAAoC,CAAC,CAAA;QAG1D,IAAI,GAAG,EAAS,CAAA;QACtB,IAAA,oCAAwB,EAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,CAAA;QAC5C,IAAI,IAAI,CAAC,IAAI,KAAK,IAAI;YAAE,IAAI,CAAC,6BAA6B,CAAC,CAAA;QAE3D,OAAO,CAAC,GAAG,CAAC,sDAAsD,CAAC,CAAA;;;KACpE,CAAA;AAhCY,QAAA,yBAAyB,6BAgCrC;AAED,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,IAAA,iCAAyB,GAAE;SACxB,IAAI,CAAC,cAAQ,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC;SACjE,KAAK,CAAC,UAAC,GAAG,IAAO,OAAO,CAAC,KAAK,CAAC,iBAAiB,EAAE,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA,CAAC,CAAC,CAAC,CAAA;CAC9E"}

package/lib/cjs/tests/api_tests/security/F-0053-cascade-role-rename-cross-tenant.test.d.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { Session } from "../../../sdk";
+/**
+ * Tenant-boundary guard for cascade_role_rename (relates to security-audit finding F-0053,
+ * which was investigated and closed as a FALSE POSITIVE — see that file for the code trace).
+ *
+ * The `cascade_role_rename` side-effect handler
+ * ([event_handlers_v2/role_based_access_permissions.ts](packages/private/api/api/v1/event_handlers_v2/role_based_access_permissions.ts))
+ * runs when a `role_based_access_permissions` doc's `role` field changes. It finds every user
+ * with the old role name (via `DBUnrestricted.users`) and rewrites their `roles` array, then
+ * deauthenticates them. F-0053 hypothesized this query was globally cross-tenant. It is NOT:
+ * `DBUnrestricted` bypasses per-user/per-role RBAC but is STILL scoped to the acting session's
+ * `businessId` (see `modifyFilterForAccessConstraint` injecting `{ businessId }` at
+ * database.ts:1761-1763, reached via the `unrestricted: true` branch at database.ts:2137-2144).
+ *
+ * This test locks that boundary in place so a future refactor of `DBUnrestricted` semantics
+ * can't silently turn the cascade into a cross-tenant write:
+ *   1. Tenant A creates a role `ROLE_OLD` and assigns it to a Tenant A user (positive control).
+ *   2. Tenant B (separate businessId) has a user whose roles include the SAME `ROLE_OLD`.
+ *   3. Tenant A renames the role `ROLE_OLD` -> `ROLE_NEW`.
+ *   4. Assert the Tenant B user's roles are UNCHANGED (still `[ROLE_OLD]`)  <-- guards the tenant boundary.
+ *   5. Assert the Tenant A user's roles ARE renamed to `[ROLE_NEW]`         <-- same-tenant cascade works.
+ *
+ * Expected on current (correct) code: BOTH assertions pass. A regression that drops the
+ * `businessId` scoping would flip assertion #4 to red (Tenant B user becomes `[ROLE_NEW]`).
+ *
+ * A collision-proof unique role name (timestamped) is used so the test never touches real roles.
+ */
+export declare const cascade_role_rename_cross_tenant_tests: ({ sdk }: {
+    sdk: Session;
+    sdkNonAdmin: Session;
+}) => Promise<void>;
+//# sourceMappingURL=F-0053-cascade-role-rename-cross-tenant.test.d.ts.map

package/lib/cjs/tests/api_tests/security/F-0053-cascade-role-rename-cross-tenant.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"F-0053-cascade-role-rename-cross-tenant.test.d.ts","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0053-cascade-role-rename-cross-tenant.test.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAetC;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,sCAAsC;SAA2B,OAAO;iBAAe,OAAO;mBA+F1G,CAAA"}

package/lib/cjs/tests/api_tests/security/F-0053-cascade-role-rename-cross-tenant.test.js ADDED Viewed

@@ -0,0 +1,237 @@
+"use strict";
+var __assign = (this && this.__assign) || function () {
+    __assign = Object.assign || function(t) {
+        for (var s, i = 1, n = arguments.length; i < n; i++) {
+            s = arguments[i];
+            for (var p in s) if (Object.prototype.hasOwnProperty.call(s, p))
+                t[p] = s[p];
+        }
+        return t;
+    };
+    return __assign.apply(this, arguments);
+};
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __generator = (this && this.__generator) || function (thisArg, body) {
+    var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
+    return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
+    function verb(n) { return function (v) { return step([n, v]); }; }
+    function step(op) {
+        if (f) throw new TypeError("Generator is already executing.");
+        while (g && (g = 0, op[0] && (_ = 0)), _) try {
+            if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
+            if (y = 0, t) op = [op[0] & 2, t.value];
+            switch (op[0]) {
+                case 0: case 1: t = op; break;
+                case 4: _.label++; return { value: op[1], done: false };
+                case 5: _.label++; y = op[1]; op = [0]; continue;
+                case 7: op = _.ops.pop(); _.trys.pop(); continue;
+                default:
+                    if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
+                    if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
+                    if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
+                    if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
+                    if (t[2]) _.ops.pop();
+                    _.trys.pop(); continue;
+            }
+            op = body.call(thisArg, _);
+        } catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
+        if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
+    }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.cascade_role_rename_cross_tenant_tests = void 0;
+require('source-map-support').install();
+var sdk_1 = require("../../../sdk");
+var testing_1 = require("@tellescope/testing");
+var setup_1 = require("../../setup");
+var constants_1 = require("@tellescope/constants");
+var host = process.env.API_URL || 'http://localhost:8080';
+// Separate tenant (different businessId), reusing the same hardcoded apiKey that
+// multi_tenant_tests relies on in tests.ts.
+var OTHER_TENANT_API_KEY = "ba745e25162bb95a795c5fa1af70df188d93c4d3aac9c48b34a5c8c9dd7b80f7";
+/**
+ * Tenant-boundary guard for cascade_role_rename (relates to security-audit finding F-0053,
+ * which was investigated and closed as a FALSE POSITIVE — see that file for the code trace).
+ *
+ * The `cascade_role_rename` side-effect handler
+ * ([event_handlers_v2/role_based_access_permissions.ts](packages/private/api/api/v1/event_handlers_v2/role_based_access_permissions.ts))
+ * runs when a `role_based_access_permissions` doc's `role` field changes. It finds every user
+ * with the old role name (via `DBUnrestricted.users`) and rewrites their `roles` array, then
+ * deauthenticates them. F-0053 hypothesized this query was globally cross-tenant. It is NOT:
+ * `DBUnrestricted` bypasses per-user/per-role RBAC but is STILL scoped to the acting session's
+ * `businessId` (see `modifyFilterForAccessConstraint` injecting `{ businessId }` at
+ * database.ts:1761-1763, reached via the `unrestricted: true` branch at database.ts:2137-2144).
+ *
+ * This test locks that boundary in place so a future refactor of `DBUnrestricted` semantics
+ * can't silently turn the cascade into a cross-tenant write:
+ *   1. Tenant A creates a role `ROLE_OLD` and assigns it to a Tenant A user (positive control).
+ *   2. Tenant B (separate businessId) has a user whose roles include the SAME `ROLE_OLD`.
+ *   3. Tenant A renames the role `ROLE_OLD` -> `ROLE_NEW`.
+ *   4. Assert the Tenant B user's roles are UNCHANGED (still `[ROLE_OLD]`)  <-- guards the tenant boundary.
+ *   5. Assert the Tenant A user's roles ARE renamed to `[ROLE_NEW]`         <-- same-tenant cascade works.
+ *
+ * Expected on current (correct) code: BOTH assertions pass. A regression that drops the
+ * `businessId` scoping would flip assertion #4 to red (Tenant B user becomes `[ROLE_NEW]`).
+ *
+ * A collision-proof unique role name (timestamped) is used so the test never touches real roles.
+ */
+var cascade_role_rename_cross_tenant_tests = function (_a) {
+    var sdk = _a.sdk;
+    return __awaiter(void 0, void 0, void 0, function () {
+        var stamp, ROLE_OLD, ROLE_NEW, sdkOther, rbapId, controlUserId, victimUserId, tenantABusinessId, rbap, controlUser, victimUser, victimBefore, controlBefore, victimAfter, controlAfter, _b, _c, _d;
+        return __generator(this, function (_e) {
+            switch (_e.label) {
+                case 0:
+                    (0, testing_1.log_header)("F-0053: cascade role rename cross-tenant regression");
+                    stamp = Date.now();
+                    ROLE_OLD = "XTenantRename_".concat(stamp);
+                    ROLE_NEW = "".concat(ROLE_OLD, "_renamed");
+                    sdkOther = new sdk_1.Session({ host: host, apiKey: OTHER_TENANT_API_KEY });
+                    _e.label = 1;
+                case 1:
+                    _e.trys.push([1, , 13, 26]);
+                    tenantABusinessId = sdk.userInfo.businessId;
+                    return [4 /*yield*/, sdk.api.role_based_access_permissions.createOne({
+                            role: ROLE_OLD,
+                            permissions: __assign({}, constants_1.PROVIDER_PERMISSIONS),
+                        })];
+                case 2:
+                    rbap = _e.sent();
+                    rbapId = rbap.id;
+                    return [4 /*yield*/, sdk.api.users.createOne({
+                            email: "f0053-control-".concat(stamp, "@example.com"),
+                            notificationEmailsDisabled: true,
+                        })];
+                case 3:
+                    controlUser = _e.sent();
+                    controlUserId = controlUser.id;
+                    return [4 /*yield*/, sdk.api.users.updateOne(controlUserId, { roles: [ROLE_OLD] }, { replaceObjectFields: true })
+                        // 3. Tenant B: create a throwaway victim user holding the SAME ROLE_OLD.
+                    ];
+                case 4:
+                    _e.sent();
+                    return [4 /*yield*/, sdkOther.api.users.createOne({
+                            email: "f0053-victim-".concat(stamp, "@example.com"),
+                            notificationEmailsDisabled: true,
+                        })];
+                case 5:
+                    victimUser = _e.sent();
+                    victimUserId = victimUser.id;
+                    return [4 /*yield*/, sdkOther.api.users.updateOne(victimUserId, { roles: [ROLE_OLD] }, { replaceObjectFields: true })
+                        // 4. Setup sanity: tenants are distinct and both users actually hold ROLE_OLD before the rename.
+                        //    (Distinguishes a setup failure from the security assertion below.)
+                    ];
+                case 6:
+                    _e.sent();
+                    // 4. Setup sanity: tenants are distinct and both users actually hold ROLE_OLD before the rename.
+                    //    (Distinguishes a setup failure from the security assertion below.)
+                    (0, testing_1.assert)(victimUser.businessId !== tenantABusinessId, "Victim user shares businessId with Tenant A (".concat(victimUser.businessId, ") \u2014 not a cross-tenant scenario"), 'F-0053 setup: tenants are distinct');
+                    return [4 /*yield*/, sdkOther.api.users.getOne(victimUserId)];
+                case 7:
+                    victimBefore = _e.sent();
+                    return [4 /*yield*/, sdk.api.users.getOne(controlUserId)];
+                case 8:
+                    controlBefore = _e.sent();
+                    (0, testing_1.assert)(JSON.stringify(victimBefore.roles) === JSON.stringify([ROLE_OLD])
+                        && JSON.stringify(controlBefore.roles) === JSON.stringify([ROLE_OLD]), "Setup failed: expected both users to hold [".concat(ROLE_OLD, "] (victim=").concat(JSON.stringify(victimBefore.roles), ", control=").concat(JSON.stringify(controlBefore.roles), ")"), 'F-0053 setup: both users hold ROLE_OLD');
+                    // 5. Tenant A renames the role. This triggers cascade_role_rename.
+                    return [4 /*yield*/, sdk.api.role_based_access_permissions.updateOne(rbapId, { role: ROLE_NEW })];
+                case 9:
+                    // 5. Tenant A renames the role. This triggers cascade_role_rename.
+                    _e.sent();
+                    return [4 /*yield*/, (0, testing_1.wait)(undefined, 1500)
+                        // 6. SECURITY ASSERTION — the Tenant B victim must be untouched by Tenant A's rename.
+                    ]; // let the side effect run
+                case 10:
+                    _e.sent(); // let the side effect run
+                    return [4 /*yield*/, sdkOther.api.users.getOne(victimUserId)];
+                case 11:
+                    victimAfter = _e.sent();
+                    (0, testing_1.assert)(JSON.stringify(victimAfter.roles) === JSON.stringify([ROLE_OLD]), "CROSS-TENANT LEAK: Tenant B victim roles changed to ".concat(JSON.stringify(victimAfter.roles), " ")
+                        + "after Tenant A renamed its role. Expected [".concat(ROLE_OLD, "]."), 'F-0053: Tenant B user roles unaffected by other-tenant role rename');
+                    return [4 /*yield*/, sdk.api.users.getOne(controlUserId)];
+                case 12:
+                    controlAfter = _e.sent();
+                    (0, testing_1.assert)(JSON.stringify(controlAfter.roles) === JSON.stringify([ROLE_NEW]), "Same-tenant cascade broken: Tenant A control roles are ".concat(JSON.stringify(controlAfter.roles), ", ")
+                        + "expected [".concat(ROLE_NEW, "]."), 'F-0053: Tenant A user roles renamed by same-tenant cascade');
+                    return [3 /*break*/, 26];
+                case 13:
+                    if (!victimUserId) return [3 /*break*/, 17];
+                    _e.label = 14;
+                case 14:
+                    _e.trys.push([14, 16, , 17]);
+                    return [4 /*yield*/, sdkOther.api.users.deleteOne(victimUserId)];
+                case 15:
+                    _e.sent();
+                    return [3 /*break*/, 17];
+                case 16:
+                    _b = _e.sent();
+                    return [3 /*break*/, 17];
+                case 17:
+                    if (!controlUserId) return [3 /*break*/, 21];
+                    _e.label = 18;
+                case 18:
+                    _e.trys.push([18, 20, , 21]);
+                    return [4 /*yield*/, sdk.api.users.deleteOne(controlUserId)];
+                case 19:
+                    _e.sent();
+                    return [3 /*break*/, 21];
+                case 20:
+                    _c = _e.sent();
+                    return [3 /*break*/, 21];
+                case 21:
+                    if (!rbapId) return [3 /*break*/, 25];
+                    _e.label = 22;
+                case 22:
+                    _e.trys.push([22, 24, , 25]);
+                    return [4 /*yield*/, sdk.api.role_based_access_permissions.deleteOne(rbapId)];
+                case 23:
+                    _e.sent();
+                    return [3 /*break*/, 25];
+                case 24:
+                    _d = _e.sent();
+                    return [3 /*break*/, 25];
+                case 25: return [7 /*endfinally*/];
+                case 26: return [2 /*return*/];
+            }
+        });
+    });
+};
+exports.cascade_role_rename_cross_tenant_tests = cascade_role_rename_cross_tenant_tests;
+// Allow running this test file independently
+if (require.main === module) {
+    console.log("\uD83C\uDF10 Using API URL: ".concat(host));
+    var sdk_2 = new sdk_1.Session({ host: host });
+    var sdkNonAdmin_1 = new sdk_1.Session({ host: host });
+    var runTests = function () { return __awaiter(void 0, void 0, void 0, function () {
+        return __generator(this, function (_a) {
+            switch (_a.label) {
+                case 0: return [4 /*yield*/, (0, setup_1.setup_tests)(sdk_2, sdkNonAdmin_1)];
+                case 1:
+                    _a.sent();
+                    return [4 /*yield*/, (0, exports.cascade_role_rename_cross_tenant_tests)({ sdk: sdk_2, sdkNonAdmin: sdkNonAdmin_1 })];
+                case 2:
+                    _a.sent();
+                    return [2 /*return*/];
+            }
+        });
+    }); };
+    runTests()
+        .then(function () {
+        console.log("✅ F-0053 cascade role rename cross-tenant test suite completed successfully");
+        process.exit(0);
+    })
+        .catch(function (error) {
+        console.error("❌ F-0053 cascade role rename cross-tenant test suite failed:", error);
+        process.exit(1);
+    });
+}
+//# sourceMappingURL=F-0053-cascade-role-rename-cross-tenant.test.js.map

package/lib/cjs/tests/api_tests/security/F-0053-cascade-role-rename-cross-tenant.test.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"F-0053-cascade-role-rename-cross-tenant.test.js","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0053-cascade-role-rename-cross-tenant.test.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAO,CAAC,oBAAoB,CAAC,CAAC,OAAO,EAAE,CAAC;AAExC,oCAAsC;AACtC,+CAI4B;AAC5B,qCAAyC;AACzC,mDAA4D;AAE5D,IAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,uBAAgC,CAAA;AAEpE,iFAAiF;AACjF,4CAA4C;AAC5C,IAAM,oBAAoB,GAAG,kEAAkE,CAAA;AAE/F;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACI,IAAM,sCAAsC,GAAG,UAAO,EAAgD;QAA9C,GAAG,SAAA;;;;;;oBAChE,IAAA,oBAAU,EAAC,qDAAqD,CAAC,CAAA;oBAE3D,KAAK,GAAG,IAAI,CAAC,GAAG,EAAE,CAAA;oBAClB,QAAQ,GAAG,wBAAiB,KAAK,CAAE,CAAA;oBACnC,QAAQ,GAAG,UAAG,QAAQ,aAAU,CAAA;oBAIhC,QAAQ,GAAG,IAAI,aAAO,CAAC,EAAE,IAAI,MAAA,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC,CAAA;;;;oBAY5D,iBAAiB,GAAG,GAAG,CAAC,QAAQ,CAAC,UAAU,CAAA;oBAGpC,qBAAM,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,SAAS,CAAC;4BACjE,IAAI,EAAE,QAAQ;4BACd,WAAW,eAAO,gCAAoB,CAAE;yBACzC,CAAC,EAAA;;oBAHI,IAAI,GAAG,SAGX;oBACF,MAAM,GAAG,IAAI,CAAC,EAAE,CAAA;oBAGI,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC;4BAChD,KAAK,EAAE,wBAAiB,KAAK,iBAAc;4BAC3C,0BAA0B,EAAE,IAAI;yBAC1B,CAAC,EAAA;;oBAHH,WAAW,GAAG,SAGX;oBACT,aAAa,GAAG,WAAW,CAAC,EAAE,CAAA;oBAC9B,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,aAAa,EAAE,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC;wBAElG,yEAAyE;sBAFyB;;oBAAlG,SAAkG,CAAA;oBAG/E,qBAAM,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC;4BACpD,KAAK,EAAE,uBAAgB,KAAK,iBAAc;4BAC1C,0BAA0B,EAAE,IAAI;yBAC1B,CAAC,EAAA;;oBAHH,UAAU,GAAG,SAGV;oBACT,YAAY,GAAG,UAAU,CAAC,EAAE,CAAA;oBAC5B,qBAAM,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,YAAY,EAAE,EAAE,KAAK,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC;wBAEtG,iGAAiG;wBACjG,wEAAwE;sBAH8B;;oBAAtG,SAAsG,CAAA;oBAEtG,iGAAiG;oBACjG,wEAAwE;oBACxE,IAAA,gBAAM,EACJ,UAAU,CAAC,UAAU,KAAK,iBAAiB,EAC3C,uDAAgD,UAAU,CAAC,UAAU,yCAAiC,EACtG,oCAAoC,CACrC,CAAA;oBACoB,qBAAM,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAA;;oBAA5D,YAAY,GAAG,SAA6C;oBAC5C,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,aAAa,CAAC,EAAA;;oBAAzD,aAAa,GAAG,SAAyC;oBAC/D,IAAA,gBAAM,EACJ,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC;2BAC5D,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,EACvE,qDAA8C,QAAQ,uBAAa,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,uBAAa,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,KAAK,CAAC,MAAG,EACxJ,wCAAwC,CACzC,CAAA;oBAED,mEAAmE;oBACnE,qBAAM,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,SAAS,CAAC,MAAM,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC,EAAA;;oBADjF,mEAAmE;oBACnE,SAAiF,CAAA;oBACjF,qBAAM,IAAA,cAAI,EAAC,SAAS,EAAE,IAAI,CAAC;wBAE3B,sFAAsF;sBAF3D,CAAC,0BAA0B;;oBAAtD,SAA2B,CAAA,CAAC,0BAA0B;oBAGlC,qBAAM,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,YAAY,CAAC,EAAA;;oBAA3D,WAAW,GAAG,SAA6C;oBACjE,IAAA,gBAAM,EACJ,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,EAChE,8DAAuD,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,KAAK,CAAC,MAAG;0BACvF,qDAA8C,QAAQ,OAAI,EAC9D,oEAAoE,CACrE,CAAA;oBAGoB,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,aAAa,CAAC,EAAA;;oBAAxD,YAAY,GAAG,SAAyC;oBAC9D,IAAA,gBAAM,EACJ,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,KAAK,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC,EACjE,iEAA0D,IAAI,CAAC,SAAS,CAAC,YAAY,CAAC,KAAK,CAAC,OAAI;0BAC5F,oBAAa,QAAQ,OAAI,EAC7B,4DAA4D,CAC7D,CAAA;;;yBAGG,YAAY,EAAZ,yBAAY;;;;oBACR,qBAAM,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,YAAY,CAAC,EAAA;;oBAAhD,SAAgD,CAAA;;;;;;yBAEpD,aAAa,EAAb,yBAAa;;;;oBACT,qBAAM,GAAG,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,aAAa,CAAC,EAAA;;oBAA5C,SAA4C,CAAA;;;;;;yBAEhD,MAAM,EAAN,yBAAM;;;;oBACF,qBAAM,GAAG,CAAC,GAAG,CAAC,6BAA6B,CAAC,SAAS,CAAC,MAAM,CAAC,EAAA;;oBAA7D,SAA6D,CAAA;;;;;;;;;;CAGxE,CAAA;AA/FY,QAAA,sCAAsC,0CA+FlD;AAED,6CAA6C;AAC7C,IAAI,OAAO,CAAC,IAAI,KAAK,MAAM,EAAE;IAC3B,OAAO,CAAC,GAAG,CAAC,sCAAqB,IAAI,CAAE,CAAC,CAAA;IACxC,IAAM,KAAG,GAAG,IAAI,aAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IACjC,IAAM,aAAW,GAAG,IAAI,aAAO,CAAC,EAAE,IAAI,MAAA,EAAE,CAAC,CAAA;IAEzC,IAAM,QAAQ,GAAG;;;wBACf,qBAAM,IAAA,mBAAW,EAAC,KAAG,EAAE,aAAW,CAAC,EAAA;;oBAAnC,SAAmC,CAAA;oBACnC,qBAAM,IAAA,8CAAsC,EAAC,EAAE,GAAG,OAAA,EAAE,WAAW,eAAA,EAAE,CAAC,EAAA;;oBAAlE,SAAkE,CAAA;;;;SACnE,CAAA;IAED,QAAQ,EAAE;SACP,IAAI,CAAC;QACJ,OAAO,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAA;QAC1F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC;SACD,KAAK,CAAC,UAAC,KAAK;QACX,OAAO,CAAC,KAAK,CAAC,8DAA8D,EAAE,KAAK,CAAC,CAAA;QACpF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;IACjB,CAAC,CAAC,CAAA;CACL"}

package/lib/cjs/tests/api_tests/security/F-0076-self-admin-role-assignment.test.d.ts ADDED Viewed

@@ -0,0 +1,38 @@
+import { Session } from "../../../sdk";
+/**
+ * Self-role privilege-escalation guard (relates to security-audit finding F-0076, which was
+ * investigated and closed as a FALSE POSITIVE — see that file for the full code trace).
+ *
+ * F-0076 hypothesized that a non-admin staff user could `PATCH /v1/users/{their-own-id}` with
+ * `{ roles: ['Admin'] }` and self-promote to Admin, because the FIRST `users` relationship
+ * constraint ("Only admin users can set the admin role",
+ * [schema.ts:3446](packages/public/schema/src/schema.ts#L3446)) has a self-exception
+ * (`if (_id === session.id) return`).
+ *
+ * That analysis missed the SECOND constraint, "Only admin users can update user roles"
+ * ([schema.ts:3486](packages/public/schema/src/schema.ts#L3486)), which has NO self-exception.
+ * Relationship constraints are AND-evaluated — `validateRelationshipConstraints`
+ * ([routing.ts:1240-1252](packages/private/api/api/modules/routing.ts#L1240)) loops the whole
+ * array and throws 400 on the FIRST evaluator that returns a string. So a non-admin self-update
+ * that includes `roles` passes constraint #1 (self-exception) but is rejected by constraint #2.
+ * The self-promotion is blocked.
+ *
+ * This test locks that boundary in place so a future refactor of the role constraints can't
+ * silently reintroduce the escalation. A dedicated throwaway non-admin user is used as the
+ * "attacker" (we never mutate the shared sdkNonAdmin's roles):
+ *   1. Admin creates a throwaway user and assigns it a non-admin role (`['Provider']`).
+ *   2. Authenticate AS that user via a freshly-minted auth token.
+ *   3. As the attacker, attempt four self-role mutations — ['Admin'], ['Provider','Admin'],
+ *      an arbitrary role, and [] — and assert EACH is blocked.       <-- the security assertions
+ *   4. Confirm (as admin) the attacker's roles are still ['Provider'] — nothing slipped through.
+ *   5. Positive control: admin CAN update the throwaway user's roles. <-- guards against an
+ *      over-restrictive regression that would block legitimate admin role management.
+ *
+ * Expected on current (correct) code: all assertions pass. A regression that made the self-update
+ * path role-writable by non-admins would flip the step-3/step-4 assertions to red.
+ */
+export declare const self_admin_role_assignment_tests: ({ sdk }: {
+    sdk: Session;
+    sdkNonAdmin: Session;
+}) => Promise<void>;
+//# sourceMappingURL=F-0076-self-admin-role-assignment.test.d.ts.map

package/lib/cjs/tests/api_tests/security/F-0076-self-admin-role-assignment.test.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"F-0076-self-admin-role-assignment.test.d.ts","sourceRoot":"","sources":["../../../../../src/tests/api_tests/security/F-0076-self-admin-role-assignment.test.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,MAAM,cAAc,CAAA;AAUtC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,eAAO,MAAM,gCAAgC;SAA2B,OAAO;iBAAe,OAAO;mBAkGpG,CAAA"}