palaryn 0.1.0

package/dist/tests/unit/auth.test.js

@@ -0,0 +1,1382 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
+const auth_1 = require("../../src/middleware/auth");
+// ---------------------------------------------------------------------------
+// Mock jwks-rsa
+// ---------------------------------------------------------------------------
+const mockGetSigningKey = jest.fn();
+jest.mock('jwks-rsa', () => {
+    return {
+        __esModule: true,
+        default: {
+            JwksClient: jest.fn().mockImplementation(() => ({
+                getSigningKey: mockGetSigningKey,
+            })),
+        },
+        JwksClient: jest.fn().mockImplementation(() => ({
+            getSigningKey: mockGetSigningKey,
+        })),
+    };
+});
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const crypto = __importStar(require("crypto"));
+const TEST_SECRET = 'test-secret-key-for-jwt-testing';
+// RSA key pair for JWKS tests (RS256) — prevents algorithm confusion attacks
+const { privateKey: TEST_JWKS_PRIVATE_KEY, publicKey: TEST_JWKS_PUBLIC_KEY } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048, publicKeyEncoding: { type: 'spki', format: 'pem' }, privateKeyEncoding: { type: 'pkcs8', format: 'pem' } });
+function createMockReq(headers = {}, ip) {
+    const addr = ip || '127.0.0.1';
+    return {
+        headers: { ...headers },
+        body: {},
+        ip: addr,
+        socket: { remoteAddress: addr },
+    };
+}
+function createMockRes() {
+    const state = { statusCode: 0, body: null, headers: {} };
+    const res = {
+        status: jest.fn().mockImplementation((code) => {
+            state.statusCode = code;
+            return res;
+        }),
+        json: jest.fn().mockImplementation((data) => {
+            state.body = data;
+            return res;
+        }),
+        setHeader: jest.fn().mockImplementation((key, value) => {
+            state.headers[key] = value;
+            return res;
+        }),
+    };
+    return {
+        res,
+        getStatus: () => state.statusCode,
+        getBody: () => state.body,
+        getHeaders: () => state.headers,
+    };
+}
+function baseAuthConfig(overrides) {
+    return {
+        enabled: true,
+        api_keys: {
+            'valid-key': { workspace_id: 'ws_1', description: 'Test key' },
+        },
+        ...overrides,
+    };
+}
+const RBAC_CONFIG = {
+    enabled: true,
+    roles: {
+        admin: {
+            description: 'Full admin access',
+            permissions: ['admin:full'],
+        },
+        operator: {
+            description: 'Can execute tools and manage approvals',
+            permissions: ['tool:execute', 'approval:manage', 'trace:read', 'policy:read'],
+        },
+        readonly: {
+            description: 'Read-only access',
+            permissions: ['tool:execute:read', 'trace:read', 'policy:read'],
+        },
+        agent: {
+            description: 'AI agent - can execute tools',
+            permissions: ['tool:execute'],
+        },
+    },
+    default_role: 'agent',
+};
+// ===========================================================================
+// Tests
+// ===========================================================================
+// Clear brute-force state between tests
+beforeEach(() => {
+    auth_1.failedAuthAttempts.clear();
+});
+afterAll(() => {
+    (0, auth_1.stopBruteForceCleanup)();
+});
+describe('Auth Middleware', () => {
+    // -------------------------------------------------------------------------
+    // Backward compatibility: auth disabled
+    // -------------------------------------------------------------------------
+    describe('Auth disabled mode', () => {
+        it('should pass through when auth is disabled', async () => {
+            const config = baseAuthConfig({ enabled: false });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq();
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+            expect(req.workspace_id).toBe('ws_default');
+        });
+        it('should set auth context with method none when disabled', async () => {
+            const config = baseAuthConfig({ enabled: false });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq();
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            const auth = req.auth;
+            expect(auth).toBeDefined();
+            expect(auth.auth_method).toBe('none');
+            expect(auth.workspace_id).toBe('ws_default');
+            expect(auth.actor_id).toBe('anonymous');
+            expect(auth.roles).toEqual([]);
+            expect(auth.permissions).toEqual([]);
+        });
+        it('should not require any headers when auth is disabled', async () => {
+            const config = baseAuthConfig({ enabled: false, api_keys: {} });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq();
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // API Key auth
+    // -------------------------------------------------------------------------
+    describe('API Key auth', () => {
+        it('should accept valid API key via X-API-Key header', async () => {
+            const config = baseAuthConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'valid-key' });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+            expect(req.workspace_id).toBe('ws_1');
+        });
+        it('should accept valid API key via Bearer token', async () => {
+            const config = baseAuthConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: 'Bearer valid-key' });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+            expect(req.workspace_id).toBe('ws_1');
+        });
+        it('should return 401 when no key is provided', async () => {
+            const config = baseAuthConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq();
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(401);
+            expect(mock.getBody().error).toContain('Missing API key');
+        });
+        it('should return 403 for invalid API key', async () => {
+            const config = baseAuthConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'bad-key' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+            expect(mock.getBody().error).toContain('Invalid API key');
+        });
+        it('should return 403 for revoked API key', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'revoked-key': { workspace_id: 'ws_1', revoked: true },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'revoked-key' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+            expect(mock.getBody().error).toContain('revoked');
+        });
+        it('should return 403 for expired API key', async () => {
+            const pastDate = new Date(Date.now() - 86400000).toISOString(); // 1 day ago
+            const config = baseAuthConfig({
+                api_keys: {
+                    'expired-key': { workspace_id: 'ws_1', expires_at: pastDate },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'expired-key' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+            expect(mock.getBody().error).toContain('expired');
+        });
+        it('should accept non-expired API key', async () => {
+            const futureDate = new Date(Date.now() + 86400000).toISOString(); // 1 day from now
+            const config = baseAuthConfig({
+                api_keys: {
+                    'fresh-key': { workspace_id: 'ws_2', expires_at: futureDate },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'fresh-key' });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+            expect(req.workspace_id).toBe('ws_2');
+        });
+        it('should update last_used_at on successful auth', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'track-key': { workspace_id: 'ws_1' },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'track-key' });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(config.api_keys['track-key'].last_used_at).toBeDefined();
+        });
+        it('should set auth context for API key auth', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'full-key': { workspace_id: 'ws_3', description: 'Full key', roles: ['admin'] },
+                },
+                rbac: RBAC_CONFIG,
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'full-key' });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            const auth = req.auth;
+            expect(auth).toBeDefined();
+            expect(auth.auth_method).toBe('api_key');
+            expect(auth.workspace_id).toBe('ws_3');
+            expect(auth.roles).toEqual(['admin']);
+            expect(auth.permissions).toContain('admin:full');
+            expect(auth.api_key_id).toBe('full-key');
+        });
+        it('should maintain backward compat with old-style api_keys config', async () => {
+            // Old-style: just { workspace_id, description } - no roles, no expires_at, etc.
+            const config = {
+                enabled: true,
+                api_keys: {
+                    'old-key': { workspace_id: 'ws_legacy', description: 'Legacy key' },
+                },
+            };
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'old-key' });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+            expect(req.workspace_id).toBe('ws_legacy');
+            expect(req.api_key_description).toBe('Legacy key');
+            const auth = req.auth;
+            expect(auth.auth_method).toBe('api_key');
+            expect(auth.roles).toEqual([]);
+            expect(auth.permissions).toEqual([]);
+        });
+        it('should prefer X-API-Key header over Authorization Bearer', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'header-key': { workspace_id: 'ws_header' },
+                    'bearer-key': { workspace_id: 'ws_bearer' },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({
+                'x-api-key': 'header-key',
+                authorization: 'Bearer bearer-key',
+            });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            // X-API-Key should take precedence
+            expect(req.workspace_id).toBe('ws_header');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Hash-based API key lookup (timing attack prevention)
+    // -------------------------------------------------------------------------
+    describe('Hash-based API key lookup', () => {
+        it('should authenticate valid key using hash-based lookup', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'hash-test-key-abc': { workspace_id: 'ws_hash', description: 'Hash test key' },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'hash-test-key-abc' });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+            expect(req.workspace_id).toBe('ws_hash');
+        });
+        it('should reject invalid key with hash-based lookup', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'real-key-123': { workspace_id: 'ws_1' },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'wrong-key-456' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+        });
+        it('should still detect revoked keys after hash-based lookup', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'revoked-hash-key': { workspace_id: 'ws_1', revoked: true },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'revoked-hash-key' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+            expect(mock.getBody().error).toContain('revoked');
+        });
+        it('should still detect expired keys after hash-based lookup', async () => {
+            const pastDate = new Date(Date.now() - 86400000).toISOString();
+            const config = baseAuthConfig({
+                api_keys: {
+                    'expired-hash-key': { workspace_id: 'ws_1', expires_at: pastDate },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'expired-hash-key' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+            expect(mock.getBody().error).toContain('expired');
+        });
+        it('should work with multiple keys using hash-based lookup', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'key-alpha': { workspace_id: 'ws_alpha' },
+                    'key-beta': { workspace_id: 'ws_beta' },
+                    'key-gamma': { workspace_id: 'ws_gamma' },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            // Test each key matches correctly
+            for (const [key, expectedWs] of [
+                ['key-alpha', 'ws_alpha'],
+                ['key-beta', 'ws_beta'],
+                ['key-gamma', 'ws_gamma'],
+            ]) {
+                const req = createMockReq({ 'x-api-key': key });
+                const { res } = createMockRes();
+                const next = jest.fn();
+                await middleware(req, res, next);
+                expect(next).toHaveBeenCalled();
+                expect(req.workspace_id).toBe(expectedWs);
+            }
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Hash-based API key lookup (timing attack prevention)
+    // -------------------------------------------------------------------------
+    describe('Hash-based API key lookup', () => {
+        it('should authenticate valid key using hash-based lookup', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'hash-test-key-abc': { workspace_id: 'ws_hash', description: 'Hash test key' },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'hash-test-key-abc' });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+            expect(req.workspace_id).toBe('ws_hash');
+        });
+        it('should reject invalid key with hash-based lookup', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'real-key-123': { workspace_id: 'ws_1' },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'wrong-key-456' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+        });
+        it('should still detect revoked keys after hash-based lookup', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'revoked-hash-key': { workspace_id: 'ws_1', revoked: true },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'revoked-hash-key' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+            expect(mock.getBody().error).toContain('revoked');
+        });
+        it('should still detect expired keys after hash-based lookup', async () => {
+            const pastDate = new Date(Date.now() - 86400000).toISOString();
+            const config = baseAuthConfig({
+                api_keys: {
+                    'expired-hash-key': { workspace_id: 'ws_1', expires_at: pastDate },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'expired-hash-key' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+            expect(mock.getBody().error).toContain('expired');
+        });
+        it('should work with multiple keys using hash-based lookup', async () => {
+            const config = baseAuthConfig({
+                api_keys: {
+                    'key-alpha': { workspace_id: 'ws_alpha' },
+                    'key-beta': { workspace_id: 'ws_beta' },
+                    'key-gamma': { workspace_id: 'ws_gamma' },
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            for (const [key, expectedWs] of [
+                ['key-alpha', 'ws_alpha'],
+                ['key-beta', 'ws_beta'],
+                ['key-gamma', 'ws_gamma'],
+            ]) {
+                const req = createMockReq({ 'x-api-key': key });
+                const { res } = createMockRes();
+                const next = jest.fn();
+                await middleware(req, res, next);
+                expect(next).toHaveBeenCalled();
+                expect(req.workspace_id).toBe(expectedWs);
+            }
+        });
+    });
+    // -------------------------------------------------------------------------
+    // JWT auth with static secret
+    // -------------------------------------------------------------------------
+    describe('JWT auth with static secret', () => {
+        function jwtConfig(overrides) {
+            return {
+                enabled: true,
+                api_keys: {},
+                jwt: {
+                    enabled: true,
+                    secret: TEST_SECRET,
+                    algorithms: ['HS256'],
+                },
+                ...overrides,
+            };
+        }
+        it('should authenticate with a valid JWT', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'user-1', workspace_id: 'ws_jwt', roles: ['operator'] }, TEST_SECRET, { algorithm: 'HS256' });
+            const config = jwtConfig({ rbac: RBAC_CONFIG });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+            const auth = req.auth;
+            expect(auth.auth_method).toBe('jwt');
+            expect(auth.workspace_id).toBe('ws_jwt');
+            expect(auth.actor_id).toBe('user-1');
+            expect(auth.roles).toEqual(['operator']);
+            expect(auth.permissions).toContain('tool:execute');
+            expect(auth.permissions).toContain('approval:manage');
+        });
+        it('should reject an expired JWT', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'user-1', workspace_id: 'ws_jwt' }, TEST_SECRET, { algorithm: 'HS256', expiresIn: '-1s' });
+            const config = jwtConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(401);
+            expect(mock.getBody().error).toContain('JWT verification failed');
+        });
+        it('should reject a JWT with invalid signature', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'user-1', workspace_id: 'ws_jwt' }, 'wrong-secret', { algorithm: 'HS256' });
+            const config = jwtConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(401);
+            expect(mock.getBody().error).toContain('JWT verification failed');
+        });
+        it('should use default workspace when workspace claim is missing', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'user-2' }, TEST_SECRET, { algorithm: 'HS256' });
+            const config = jwtConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            const auth = req.auth;
+            expect(auth.workspace_id).toBe('ws_default');
+        });
+        it('should use custom claim mappings', async () => {
+            const token = jsonwebtoken_1.default.sign({ user_id: 'custom-user', tenant: 'custom-ws', groups: ['admin'] }, TEST_SECRET, { algorithm: 'HS256' });
+            const config = jwtConfig({
+                jwt: {
+                    enabled: true,
+                    secret: TEST_SECRET,
+                    algorithms: ['HS256'],
+                    workspace_claim: 'tenant',
+                    roles_claim: 'groups',
+                    actor_claim: 'user_id',
+                },
+                rbac: RBAC_CONFIG,
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            const auth = req.auth;
+            expect(auth.workspace_id).toBe('custom-ws');
+            expect(auth.actor_id).toBe('custom-user');
+            expect(auth.roles).toEqual(['admin']);
+        });
+        it('should validate issuer when configured', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'user-1', workspace_id: 'ws_jwt' }, TEST_SECRET, { algorithm: 'HS256', issuer: 'wrong-issuer' });
+            const config = jwtConfig({
+                jwt: {
+                    enabled: true,
+                    secret: TEST_SECRET,
+                    algorithms: ['HS256'],
+                    issuer: 'expected-issuer',
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(401);
+        });
+        it('should validate audience when configured', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'user-1', workspace_id: 'ws_jwt' }, TEST_SECRET, { algorithm: 'HS256', audience: 'wrong-audience' });
+            const config = jwtConfig({
+                jwt: {
+                    enabled: true,
+                    secret: TEST_SECRET,
+                    algorithms: ['HS256'],
+                    audience: 'expected-audience',
+                },
+            });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(401);
+        });
+        it('should set backward compat workspace_id on request', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'user-1', workspace_id: 'ws_jwt_compat' }, TEST_SECRET, { algorithm: 'HS256' });
+            const config = jwtConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(req.workspace_id).toBe('ws_jwt_compat');
+        });
+        it('should handle roles claim that is not an array gracefully', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'user-1', workspace_id: 'ws_1', roles: 'not-an-array' }, TEST_SECRET, { algorithm: 'HS256' });
+            const config = jwtConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+            const auth = req.auth;
+            expect(auth.roles).toEqual([]);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // JWT auth with JWKS
+    // -------------------------------------------------------------------------
+    describe('JWT auth with JWKS', () => {
+        beforeEach(() => {
+            mockGetSigningKey.mockReset();
+        });
+        function jwksConfig(overrides) {
+            return {
+                enabled: true,
+                api_keys: {},
+                jwt: {
+                    enabled: true,
+                    jwks_uri: 'https://example.com/.well-known/jwks.json',
+                    algorithms: ['RS256'],
+                },
+                ...overrides,
+            };
+        }
+        it('should authenticate with JWKS-verified JWT', async () => {
+            // Create a token signed with the RSA private key (RS256)
+            const token = jsonwebtoken_1.default.sign({ sub: 'jwks-user', workspace_id: 'ws_jwks', roles: ['admin'] }, TEST_JWKS_PRIVATE_KEY, { algorithm: 'RS256', keyid: 'test-kid' });
+            // Mock JWKS signing key retrieval — returns the public key
+            mockGetSigningKey.mockImplementation((kid, callback) => {
+                callback(null, {
+                    getPublicKey: () => TEST_JWKS_PUBLIC_KEY,
+                });
+            });
+            const config = jwksConfig({ rbac: RBAC_CONFIG });
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            expect(next).toHaveBeenCalled();
+            const auth = req.auth;
+            expect(auth.auth_method).toBe('jwt');
+            expect(auth.workspace_id).toBe('ws_jwks');
+            expect(auth.actor_id).toBe('jwks-user');
+        });
+        it('should reject when JWKS key retrieval fails', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'jwks-user', workspace_id: 'ws_jwks' }, TEST_JWKS_PRIVATE_KEY, { algorithm: 'RS256', keyid: 'test-kid' });
+            mockGetSigningKey.mockImplementation((kid, callback) => {
+                callback(new Error('Unable to find signing key'));
+            });
+            const config = jwksConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(401);
+            expect(mock.getBody().error).toContain('JWT verification failed');
+        });
+        it('should reject when JWKS returns no key', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'jwks-user', workspace_id: 'ws_jwks' }, TEST_JWKS_PRIVATE_KEY, { algorithm: 'RS256', keyid: 'test-kid' });
+            mockGetSigningKey.mockImplementation((kid, callback) => {
+                callback(null, undefined);
+            });
+            const config = jwksConfig();
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(401);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // API key takes precedence over JWT
+    // -------------------------------------------------------------------------
+    describe('Multiple auth methods', () => {
+        it('should prefer API key over JWT when key matches', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'jwt-user', workspace_id: 'ws_jwt' }, TEST_SECRET, { algorithm: 'HS256' });
+            const config = {
+                enabled: true,
+                api_keys: {
+                    [token]: { workspace_id: 'ws_apikey', description: 'Token is also a key' },
+                },
+                jwt: { enabled: true, secret: TEST_SECRET, algorithms: ['HS256'] },
+            };
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            const auth = req.auth;
+            // API key should win
+            expect(auth.auth_method).toBe('api_key');
+            expect(auth.workspace_id).toBe('ws_apikey');
+        });
+        it('should fall through to JWT when bearer token is not a valid API key', async () => {
+            const token = jsonwebtoken_1.default.sign({ sub: 'jwt-user', workspace_id: 'ws_jwt' }, TEST_SECRET, { algorithm: 'HS256' });
+            const config = {
+                enabled: true,
+                api_keys: {
+                    'different-key': { workspace_id: 'ws_apikey' },
+                },
+                jwt: { enabled: true, secret: TEST_SECRET, algorithms: ['HS256'] },
+            };
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: `Bearer ${token}` });
+            const { res } = createMockRes();
+            const next = jest.fn();
+            await middleware(req, res, next);
+            const auth = req.auth;
+            expect(auth.auth_method).toBe('jwt');
+            expect(auth.workspace_id).toBe('ws_jwt');
+        });
+        it('should return 403 when bearer is not API key and JWT is not configured', async () => {
+            const config = {
+                enabled: true,
+                api_keys: {
+                    'real-key': { workspace_id: 'ws_1' },
+                },
+            };
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ authorization: 'Bearer not-a-key' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+        });
+        it('should return 403 when X-API-Key is not valid and JWT not configured', async () => {
+            const config = {
+                enabled: true,
+                api_keys: {
+                    'real-key': { workspace_id: 'ws_1' },
+                },
+            };
+            const middleware = (0, auth_1.createAuthMiddleware)(config);
+            const req = createMockReq({ 'x-api-key': 'bad-key' });
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(next).not.toHaveBeenCalled();
+            expect(mock.getStatus()).toBe(403);
+        });
+    });
+});
+// ===========================================================================
+// resolvePermissions
+// ===========================================================================
+describe('resolvePermissions', () => {
+    it('should return empty when RBAC is not configured', () => {
+        expect((0, auth_1.resolvePermissions)(['admin'], undefined)).toEqual([]);
+    });
+    it('should return empty when RBAC is disabled', () => {
+        const rbac = { enabled: false, roles: { admin: { permissions: ['admin:full'] } } };
+        expect((0, auth_1.resolvePermissions)(['admin'], rbac)).toEqual([]);
+    });
+    it('should resolve single role to permissions', () => {
+        const perms = (0, auth_1.resolvePermissions)(['operator'], RBAC_CONFIG);
+        expect(perms).toContain('tool:execute');
+        expect(perms).toContain('approval:manage');
+        expect(perms).toContain('trace:read');
+        expect(perms).toContain('policy:read');
+    });
+    it('should resolve multiple roles and deduplicate', () => {
+        const perms = (0, auth_1.resolvePermissions)(['operator', 'readonly'], RBAC_CONFIG);
+        // Both have trace:read - should appear only once
+        const traceReadCount = perms.filter(p => p === 'trace:read').length;
+        expect(traceReadCount).toBe(1);
+        // Should have permissions from both roles
+        expect(perms).toContain('tool:execute');
+        expect(perms).toContain('tool:execute:read');
+        expect(perms).toContain('approval:manage');
+    });
+    it('should ignore unknown roles', () => {
+        const perms = (0, auth_1.resolvePermissions)(['nonexistent'], RBAC_CONFIG);
+        expect(perms).toEqual([]);
+    });
+    it('should handle empty roles array', () => {
+        const perms = (0, auth_1.resolvePermissions)([], RBAC_CONFIG);
+        expect(perms).toEqual([]);
+    });
+});
+// ===========================================================================
+// hasPermission
+// ===========================================================================
+describe('hasPermission', () => {
+    it('should return true for exact match', () => {
+        expect((0, auth_1.hasPermission)(['tool:execute', 'trace:read'], 'trace:read')).toBe(true);
+    });
+    it('should return false when permission is missing', () => {
+        expect((0, auth_1.hasPermission)(['trace:read'], 'tool:execute')).toBe(false);
+    });
+    it('should grant everything with admin:full', () => {
+        expect((0, auth_1.hasPermission)(['admin:full'], 'tool:execute')).toBe(true);
+        expect((0, auth_1.hasPermission)(['admin:full'], 'approval:manage')).toBe(true);
+        expect((0, auth_1.hasPermission)(['admin:full'], 'policy:write')).toBe(true);
+        expect((0, auth_1.hasPermission)(['admin:full'], 'tool:execute:admin')).toBe(true);
+        expect((0, auth_1.hasPermission)(['admin:full'], 'trace:read')).toBe(true);
+        expect((0, auth_1.hasPermission)(['admin:full'], 'custom:permission')).toBe(true);
+    });
+    it('should grant tool:execute:* sub-permissions from tool:execute', () => {
+        const perms = ['tool:execute'];
+        expect((0, auth_1.hasPermission)(perms, 'tool:execute:read')).toBe(true);
+        expect((0, auth_1.hasPermission)(perms, 'tool:execute:write')).toBe(true);
+        expect((0, auth_1.hasPermission)(perms, 'tool:execute:delete')).toBe(true);
+        expect((0, auth_1.hasPermission)(perms, 'tool:execute:admin')).toBe(true);
+    });
+    it('should NOT grant tool:execute from tool:execute:read', () => {
+        const perms = ['tool:execute:read'];
+        expect((0, auth_1.hasPermission)(perms, 'tool:execute')).toBe(false);
+        expect((0, auth_1.hasPermission)(perms, 'tool:execute:write')).toBe(false);
+    });
+    it('should handle empty permissions', () => {
+        expect((0, auth_1.hasPermission)([], 'tool:execute')).toBe(false);
+    });
+});
+// ===========================================================================
+// RBAC Middleware
+// ===========================================================================
+describe('RBAC Middleware', () => {
+    const fullRbacConfig = {
+        enabled: true,
+        api_keys: {},
+        rbac: RBAC_CONFIG,
+    };
+    it('should pass through when RBAC is not enabled', () => {
+        const config = { enabled: true, api_keys: {} };
+        const middleware = (0, auth_1.createRBACMiddleware)(config, 'tool:execute');
+        const req = createMockReq();
+        const { res } = createMockRes();
+        const next = jest.fn();
+        middleware(req, res, next);
+        expect(next).toHaveBeenCalled();
+    });
+    it('should pass through when RBAC config is missing', () => {
+        const config = { enabled: true, api_keys: {} };
+        const middleware = (0, auth_1.createRBACMiddleware)(config, 'tool:execute');
+        const req = createMockReq();
+        const { res } = createMockRes();
+        const next = jest.fn();
+        middleware(req, res, next);
+        expect(next).toHaveBeenCalled();
+    });
+    it('should return 401 when auth context is missing', () => {
+        const middleware = (0, auth_1.createRBACMiddleware)(fullRbacConfig, 'tool:execute');
+        const req = createMockReq();
+        const mock = createMockRes();
+        const next = jest.fn();
+        middleware(req, mock.res, next);
+        expect(next).not.toHaveBeenCalled();
+        expect(mock.getStatus()).toBe(401);
+    });
+    it('should pass through when auth method is none', () => {
+        const middleware = (0, auth_1.createRBACMiddleware)(fullRbacConfig, 'tool:execute');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_default',
+            actor_id: 'anonymous',
+            roles: [],
+            permissions: [],
+            auth_method: 'none',
+        };
+        const { res } = createMockRes();
+        const next = jest.fn();
+        middleware(req, res, next);
+        expect(next).toHaveBeenCalled();
+    });
+    it('should allow when user has required permission', () => {
+        const middleware = (0, auth_1.createRBACMiddleware)(fullRbacConfig, 'tool:execute');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'user-1',
+            roles: ['operator'],
+            permissions: ['tool:execute', 'approval:manage', 'trace:read', 'policy:read'],
+            auth_method: 'api_key',
+        };
+        const { res } = createMockRes();
+        const next = jest.fn();
+        middleware(req, res, next);
+        expect(next).toHaveBeenCalled();
+    });
+    it('should deny when user lacks required permission', () => {
+        const middleware = (0, auth_1.createRBACMiddleware)(fullRbacConfig, 'policy:write');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'user-1',
+            roles: ['readonly'],
+            permissions: ['tool:execute:read', 'trace:read', 'policy:read'],
+            auth_method: 'api_key',
+        };
+        const mock = createMockRes();
+        const next = jest.fn();
+        middleware(req, mock.res, next);
+        expect(next).not.toHaveBeenCalled();
+        expect(mock.getStatus()).toBe(403);
+        expect(mock.getBody().error).toContain('Insufficient permissions');
+        expect(mock.getBody().error).toContain('policy:write');
+    });
+    it('should allow admin:full to bypass any permission check', () => {
+        const middleware = (0, auth_1.createRBACMiddleware)(fullRbacConfig, 'policy:write');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'admin-1',
+            roles: ['admin'],
+            permissions: ['admin:full'],
+            auth_method: 'api_key',
+        };
+        const { res } = createMockRes();
+        const next = jest.fn();
+        middleware(req, res, next);
+        expect(next).toHaveBeenCalled();
+    });
+    it('should apply default role when user has no roles', () => {
+        const middleware = (0, auth_1.createRBACMiddleware)(fullRbacConfig, 'tool:execute');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'user-no-roles',
+            roles: [],
+            permissions: [],
+            auth_method: 'api_key',
+        };
+        const { res } = createMockRes();
+        const next = jest.fn();
+        middleware(req, res, next);
+        // Default role is 'agent' which has 'tool:execute'
+        expect(next).toHaveBeenCalled();
+        const auth = req.auth;
+        expect(auth.roles).toEqual(['agent']);
+        expect(auth.permissions).toContain('tool:execute');
+    });
+    it('should deny when default role does not have required permission', () => {
+        const middleware = (0, auth_1.createRBACMiddleware)(fullRbacConfig, 'policy:write');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'user-no-roles',
+            roles: [],
+            permissions: [],
+            auth_method: 'api_key',
+        };
+        const mock = createMockRes();
+        const next = jest.fn();
+        middleware(req, mock.res, next);
+        // Default role 'agent' only has 'tool:execute', not 'policy:write'
+        expect(next).not.toHaveBeenCalled();
+        expect(mock.getStatus()).toBe(403);
+    });
+    it('should handle capability-specific permission (readonly can read)', () => {
+        const middleware = (0, auth_1.createRBACMiddleware)(fullRbacConfig, 'tool:execute:read');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'readonly-user',
+            roles: ['readonly'],
+            permissions: ['tool:execute:read', 'trace:read', 'policy:read'],
+            auth_method: 'api_key',
+        };
+        const { res } = createMockRes();
+        const next = jest.fn();
+        middleware(req, res, next);
+        expect(next).toHaveBeenCalled();
+    });
+    it('should deny capability-specific permission (readonly cannot write)', () => {
+        const middleware = (0, auth_1.createRBACMiddleware)(fullRbacConfig, 'tool:execute:write');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'readonly-user',
+            roles: ['readonly'],
+            permissions: ['tool:execute:read', 'trace:read', 'policy:read'],
+            auth_method: 'api_key',
+        };
+        const mock = createMockRes();
+        const next = jest.fn();
+        middleware(req, mock.res, next);
+        expect(next).not.toHaveBeenCalled();
+        expect(mock.getStatus()).toBe(403);
+    });
+    it('should allow operator to execute any tool capability via tool:execute', () => {
+        // operator has 'tool:execute' which should grant 'tool:execute:write', 'tool:execute:delete', etc.
+        const middleware = (0, auth_1.createRBACMiddleware)(fullRbacConfig, 'tool:execute:delete');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'op-user',
+            roles: ['operator'],
+            permissions: ['tool:execute', 'approval:manage', 'trace:read', 'policy:read'],
+            auth_method: 'api_key',
+        };
+        const { res } = createMockRes();
+        const next = jest.fn();
+        middleware(req, res, next);
+        expect(next).toHaveBeenCalled();
+    });
+});
+// ===========================================================================
+// Request enrichment (AuthContext on request)
+// ===========================================================================
+describe('Request enrichment', () => {
+    it('should set all AuthContext fields for API key auth', async () => {
+        const config = {
+            enabled: true,
+            api_keys: {
+                'enrichment-key': {
+                    workspace_id: 'ws_enrich',
+                    description: 'Enrichment test',
+                    roles: ['operator'],
+                },
+            },
+            rbac: RBAC_CONFIG,
+        };
+        const middleware = (0, auth_1.createAuthMiddleware)(config);
+        const req = createMockReq({ 'x-api-key': 'enrichment-key' });
+        const { res } = createMockRes();
+        const next = jest.fn();
+        await middleware(req, res, next);
+        const auth = req.auth;
+        expect(auth).toEqual({
+            workspace_id: 'ws_enrich',
+            actor_id: expect.stringContaining('apikey:'),
+            roles: ['operator'],
+            permissions: expect.arrayContaining(['tool:execute', 'approval:manage']),
+            auth_method: 'api_key',
+            api_key_id: 'enrichment-key',
+        });
+    });
+    it('should set all AuthContext fields for JWT auth', async () => {
+        const token = jsonwebtoken_1.default.sign({ sub: 'jwt-actor', workspace_id: 'ws_jwt_enrich', roles: ['admin'] }, TEST_SECRET, { algorithm: 'HS256' });
+        const config = {
+            enabled: true,
+            api_keys: {},
+            jwt: { enabled: true, secret: TEST_SECRET, algorithms: ['HS256'] },
+            rbac: RBAC_CONFIG,
+        };
+        const middleware = (0, auth_1.createAuthMiddleware)(config);
+        const req = createMockReq({ authorization: `Bearer ${token}` });
+        const { res } = createMockRes();
+        const next = jest.fn();
+        await middleware(req, res, next);
+        const auth = req.auth;
+        expect(auth).toEqual({
+            workspace_id: 'ws_jwt_enrich',
+            actor_id: 'jwt-actor',
+            roles: ['admin'],
+            permissions: ['admin:full'],
+            auth_method: 'jwt',
+        });
+    });
+    it('should set both auth and backward-compat workspace_id', async () => {
+        const config = {
+            enabled: true,
+            api_keys: {
+                'compat-key': { workspace_id: 'ws_compat' },
+            },
+        };
+        const middleware = (0, auth_1.createAuthMiddleware)(config);
+        const req = createMockReq({ 'x-api-key': 'compat-key' });
+        const { res } = createMockRes();
+        const next = jest.fn();
+        await middleware(req, res, next);
+        expect(req.workspace_id).toBe('ws_compat');
+        expect(req.auth.workspace_id).toBe('ws_compat');
+    });
+});
+// ===========================================================================
+// Brute-force protection (S8)
+// ===========================================================================
+describe('Brute-force protection', () => {
+    it('should allow auth attempts within the threshold', async () => {
+        const config = baseAuthConfig();
+        const middleware = (0, auth_1.createAuthMiddleware)(config);
+        const ip = '10.0.0.1';
+        // 4 failed attempts should still be OK
+        for (let i = 0; i < 4; i++) {
+            const req = createMockReq({ 'x-api-key': 'wrong-key' }, ip);
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+            expect(mock.getStatus()).toBe(403);
+        }
+        // 5th attempt should still not be locked (lock happens after 5 failures)
+        const req = createMockReq({ 'x-api-key': 'wrong-key' }, ip);
+        const mock = createMockRes();
+        const next = jest.fn();
+        await middleware(req, mock.res, next);
+        // 5th failure triggers lock, but this attempt itself still gets a 403
+        expect(mock.getStatus()).toBe(403);
+    });
+    it('should return 429 after exceeding failed auth threshold', async () => {
+        const config = baseAuthConfig();
+        const middleware = (0, auth_1.createAuthMiddleware)(config);
+        const ip = '10.0.0.2';
+        // Generate 5 failed attempts to trigger lockout
+        for (let i = 0; i < 5; i++) {
+            const req = createMockReq({ 'x-api-key': 'wrong-key' }, ip);
+            const mock = createMockRes();
+            const next = jest.fn();
+            await middleware(req, mock.res, next);
+        }
+        // 6th attempt should be locked out
+        const req = createMockReq({ 'x-api-key': 'wrong-key' }, ip);
+        const mock = createMockRes();
+        const next = jest.fn();
+        await middleware(req, mock.res, next);
+        expect(mock.getStatus()).toBe(429);
+        expect(mock.getBody().error).toContain('Too many failed');
+    });
+    it('should include Retry-After header when locked out', async () => {
+        const config = baseAuthConfig();
+        const middleware = (0, auth_1.createAuthMiddleware)(config);
+        const ip = '10.0.0.3';
+        // Trigger lockout
+        for (let i = 0; i < 5; i++) {
+            const req = createMockReq({ 'x-api-key': 'wrong-key' }, ip);
+            const mock = createMockRes();
+            await middleware(req, mock.res, jest.fn());
+        }
+        const req = createMockReq({ 'x-api-key': 'wrong-key' }, ip);
+        const mockRes = {
+            status: jest.fn().mockReturnThis(),
+            json: jest.fn().mockReturnThis(),
+            setHeader: jest.fn(),
+        };
+        await middleware(req, mockRes, jest.fn());
+        expect(mockRes.status).toHaveBeenCalledWith(429);
+        expect(mockRes.setHeader).toHaveBeenCalledWith('Retry-After', expect.any(String));
+    });
+    it('should clear lockout on successful auth', async () => {
+        const config = baseAuthConfig();
+        const middleware = (0, auth_1.createAuthMiddleware)(config);
+        const ip = '10.0.0.4';
+        // Generate some failures (below threshold)
+        for (let i = 0; i < 3; i++) {
+            const req = createMockReq({ 'x-api-key': 'wrong-key' }, ip);
+            const mock = createMockRes();
+            await middleware(req, mock.res, jest.fn());
+        }
+        // Successful auth should clear the count
+        const req = createMockReq({ 'x-api-key': 'valid-key' }, ip);
+        const { res } = createMockRes();
+        const next = jest.fn();
+        await middleware(req, res, next);
+        expect(next).toHaveBeenCalled();
+        // Verify the entry was cleared
+        expect(auth_1.failedAuthAttempts.has(ip)).toBe(false);
+    });
+    it('should track different IPs independently', async () => {
+        const config = baseAuthConfig();
+        const middleware = (0, auth_1.createAuthMiddleware)(config);
+        // Lock out IP1
+        for (let i = 0; i < 5; i++) {
+            const req = createMockReq({ 'x-api-key': 'wrong-key' }, '192.168.1.1');
+            const mock = createMockRes();
+            await middleware(req, mock.res, jest.fn());
+        }
+        // IP1 should be locked
+        const req1 = createMockReq({ 'x-api-key': 'wrong-key' }, '192.168.1.1');
+        const mock1 = createMockRes();
+        await middleware(req1, mock1.res, jest.fn());
+        expect(mock1.getStatus()).toBe(429);
+        // IP2 should still work fine
+        const req2 = createMockReq({ 'x-api-key': 'valid-key' }, '192.168.1.2');
+        const { res: res2 } = createMockRes();
+        const next2 = jest.fn();
+        await middleware(req2, res2, next2);
+        expect(next2).toHaveBeenCalled();
+    });
+    it('should use x-forwarded-for header for IP detection when trusted_proxies is set', async () => {
+        const config = baseAuthConfig({ trusted_proxies: ['127.0.0.1'] });
+        const middleware = (0, auth_1.createAuthMiddleware)(config);
+        const forwardedIp = '203.0.113.50';
+        // Generate failures for the forwarded IP
+        for (let i = 0; i < 5; i++) {
+            const req = createMockReq({ 'x-api-key': 'wrong-key', 'x-forwarded-for': forwardedIp }, '127.0.0.1');
+            const mock = createMockRes();
+            await middleware(req, mock.res, jest.fn());
+        }
+        // The forwarded IP should be locked
+        const req = createMockReq({ 'x-api-key': 'wrong-key', 'x-forwarded-for': forwardedIp }, '127.0.0.1');
+        const mock = createMockRes();
+        await middleware(req, mock.res, jest.fn());
+        expect(mock.getStatus()).toBe(429);
+    });
+    it('should ignore x-forwarded-for when trusted_proxies is not set', async () => {
+        const config = baseAuthConfig();
+        const middleware = (0, auth_1.createAuthMiddleware)(config);
+        const forwardedIp = '203.0.113.50';
+        // Generate failures via XFF - should use socket IP instead
+        for (let i = 0; i < 5; i++) {
+            const req = createMockReq({ 'x-api-key': 'wrong-key', 'x-forwarded-for': forwardedIp }, '10.0.0.99');
+            const mock = createMockRes();
+            await middleware(req, mock.res, jest.fn());
+        }
+        // The forwarded IP should NOT be locked (XFF ignored)
+        // Instead, the socket IP (10.0.0.99) should be locked
+        const req = createMockReq({ 'x-api-key': 'wrong-key', 'x-forwarded-for': forwardedIp }, '10.0.0.99');
+        const mock = createMockRes();
+        await middleware(req, mock.res, jest.fn());
+        expect(mock.getStatus()).toBe(429);
+    });
+});
+// ===========================================================================
+// Salted API key hashing (A6)
+// ===========================================================================
+describe('Salted API key hashing', () => {
+    it('should generate a 32-char hex salt', () => {
+        const salt = (0, auth_1.generateSalt)();
+        expect(salt).toMatch(/^[0-9a-f]{32}$/);
+    });
+    it('should produce different hashes with different salts', () => {
+        const key = 'test-api-key';
+        const salt1 = (0, auth_1.generateSalt)();
+        const salt2 = (0, auth_1.generateSalt)();
+        const hash1 = (0, auth_1.hashKeyWithSalt)(key, salt1);
+        const hash2 = (0, auth_1.hashKeyWithSalt)(key, salt2);
+        expect(hash1).not.toBe(hash2);
+    });
+    it('should produce consistent hashes with the same salt', () => {
+        const key = 'test-api-key';
+        const salt = 'abcdef0123456789abcdef0123456789';
+        const hash1 = (0, auth_1.hashKeyWithSalt)(key, salt);
+        const hash2 = (0, auth_1.hashKeyWithSalt)(key, salt);
+        expect(hash1).toBe(hash2);
+    });
+    it('should produce a 64-char hex string (SHA-256)', () => {
+        const key = 'test-api-key';
+        const salt = (0, auth_1.generateSalt)();
+        const hash = (0, auth_1.hashKeyWithSalt)(key, salt);
+        expect(hash).toMatch(/^[0-9a-f]{64}$/);
+    });
+});
+// ===========================================================================
+// RBAC default_role escalation (S9)
+// ===========================================================================
+describe('RBAC default_role escalation prevention', () => {
+    it('should fall back to readonly when default_role is admin', () => {
+        const rbacConfig = {
+            ...RBAC_CONFIG,
+            default_role: 'admin',
+        };
+        const config = {
+            enabled: true,
+            api_keys: {},
+            rbac: rbacConfig,
+        };
+        const middleware = (0, auth_1.createRBACMiddleware)(config, 'tool:execute');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'user-no-roles',
+            roles: [],
+            permissions: [],
+            auth_method: 'api_key',
+        };
+        const { res } = createMockRes();
+        const next = jest.fn();
+        middleware(req, res, next);
+        // Should have fallen back to 'readonly', which does NOT have tool:execute
+        const auth = req.auth;
+        expect(auth.roles).toEqual(['readonly']);
+        expect(auth.permissions).not.toContain('admin:full');
+    });
+    it('should fall back to readonly when default_role is operator', () => {
+        const rbacConfig = {
+            ...RBAC_CONFIG,
+            default_role: 'operator',
+        };
+        const config = {
+            enabled: true,
+            api_keys: {},
+            rbac: rbacConfig,
+        };
+        const middleware = (0, auth_1.createRBACMiddleware)(config, 'approval:manage');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'user-no-roles',
+            roles: [],
+            permissions: [],
+            auth_method: 'api_key',
+        };
+        const mock = createMockRes();
+        const next = jest.fn();
+        middleware(req, mock.res, next);
+        // Should fall back to 'readonly', which does not have 'approval:manage'
+        const auth = req.auth;
+        expect(auth.roles).toEqual(['readonly']);
+        expect(auth.permissions).not.toContain('approval:manage');
+        expect(next).not.toHaveBeenCalled();
+        expect(mock.getStatus()).toBe(403);
+    });
+    it('should not modify default_role when it is a safe role', () => {
+        const middleware = (0, auth_1.createRBACMiddleware)({
+            enabled: true,
+            api_keys: {},
+            rbac: RBAC_CONFIG, // default_role: 'agent'
+        }, 'tool:execute');
+        const req = createMockReq();
+        req.auth = {
+            workspace_id: 'ws_1',
+            actor_id: 'user-no-roles',
+            roles: [],
+            permissions: [],
+            auth_method: 'api_key',
+        };
+        const { res } = createMockRes();
+        const next = jest.fn();
+        middleware(req, res, next);
+        const auth = req.auth;
+        expect(auth.roles).toEqual(['agent']);
+        expect(auth.permissions).toContain('tool:execute');
+        expect(next).toHaveBeenCalled();
+    });
+});
+//# sourceMappingURL=auth.test.js.map