piper-utils 1.1.67 → 1.1.69

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "piper-utils",
-    "version": "1.1.67",
+    "version": "1.1.69",
     "description": "Utility library for Piper",
     "main": "bin/main.js",
     "scripts": {

package/src/audit/audit.js

@@ -239,6 +239,15 @@ export function bindAuditRequest(event, businessId, models) {
     const user = getCurrentUser(event);
     const auditEnabled = !!(getCompanySettings(event) || {}).auditEnabled;
     _.forEach(models, (model) => {
+        // Lazily ensure the audit table model + hooks are wired in this Lambda
+        // process. `attachAudit` is idempotent — first call registers, subsequent
+        // calls are no-ops. The returned sync() promise is intentionally not
+        // awaited; the table is expected to already exist from the migration
+        // Lambda, and the synchronous registration is what the request needs.
+        const attachPromise = attachAudit(model);
+        if (attachPromise && typeof attachPromise.catch === 'function') {
+            attachPromise.catch((err) => console.error('attachAudit sync failed for', model.name, err));
+        }
         modelOptions[model.name] = { user, businessId, auditEnabled };
     });
 }
@@ -280,6 +289,11 @@ export function bindAuditRequest(event, businessId, models) {
 export function bindAuditRequestForUser(user, businessId, models, opts = {}) {
     const auditEnabled = opts.auditEnabled !== false;
     _.forEach(models, (model) => {
+        // See bindAuditRequest for why this is here.
+        const attachPromise = attachAudit(model);
+        if (attachPromise && typeof attachPromise.catch === 'function') {
+            attachPromise.catch((err) => console.error('attachAudit sync failed for', model.name, err));
+        }
         modelOptions[model.name] = { user, businessId, auditEnabled };
     });
 }

package/src/audit/audit.test.js

@@ -29,9 +29,16 @@ const resetState = () => {
 
 describe('audit', () => {
     describe('bindAuditRequest', () => {
+        // Pre-populate auditModels so attachAudit's idempotency check skips the
+        // sequelize wiring; these tests focus on the bind/state behavior only.
+        const preAttachedModel = (name) => {
+            auditModels[name] = { create: () => Promise.resolve() };
+            return { name };
+        };
+
         it('binds user from JWT claims and businessId from arg', () => {
             resetState();
-            const Model = { name: 'Customer' };
+            const Model = preAttachedModel('Customer');
             const event = buildEvent({ uid: '7', email: 'kevin@test.com', auditEnabled: true });
 
             bindAuditRequest(event, 'BIZ-1', [Model]);
@@ -44,7 +51,7 @@ describe('audit', () => {
 
         it('reads auditEnabled=false from custom:SET claim', () => {
             resetState();
-            const Model = { name: 'Customer' };
+            const Model = preAttachedModel('Customer');
             const event = buildEvent({ auditEnabled: false });
 
             bindAuditRequest(event, 'BIZ-1', [Model]);
@@ -54,14 +61,36 @@ describe('audit', () => {
 
         it('binds multiple models in one call', () => {
             resetState();
-            const A = { name: 'ModelA' };
-            const B = { name: 'ModelB' };
+            const A = preAttachedModel('ModelA');
+            const B = preAttachedModel('ModelB');
 
             bindAuditRequest(buildEvent(), 'BIZ-1', [A, B]);
 
             expect(modelOptions['ModelA']).toBeDefined();
             expect(modelOptions['ModelB']).toBeDefined();
         });
+
+        it('lazily calls attachAudit when the model is not yet registered (cold-start regression)', () => {
+            resetState();
+            const definedAudit = { belongsTo: jasmine.createSpy('belongsTo'), sync: jasmine.createSpy('sync').and.resolveTo() };
+            const Model = {
+                name: 'Widget',
+                addHook: jasmine.createSpy('addHook'),
+                sequelize: {
+                    define: jasmine.createSpy('define').and.returnValue(definedAudit),
+                    Sequelize: { STRING: 'STRING_TYPE' }
+                }
+            };
+
+            bindAuditRequest(buildEvent(), 'BIZ-1', [Model]);
+
+            // attachAudit ran: hooks wired, model registered
+            expect(Model.sequelize.define).toHaveBeenCalled();
+            expect(Model.addHook).toHaveBeenCalledWith('afterCreate', jasmine.any(Function));
+            expect(auditModels['Widget']).toBeDefined();
+            // and the per-request state is set
+            expect(modelOptions['Widget']).toBeDefined();
+        });
     });
 
     describe('attachAudit', () => {

package/src/database/dbUtils/partnerAccess/accessScope.js

@@ -1,99 +1,99 @@
-import _ from 'lodash';
-import { ensurePartnerScope } from './accessContext.js';
-import { errorList } from '../../../requestResponse/errorCodes.js';
-
-/**
- * Scope a WHERE clause to the partner's own business (partnerBusinessId).
- * Use for "mine" resources: deal, activity, application, template.
- *
- *   global   → deletes where.businessId (super sees everything)
- *   partner  → sets where.businessId = partnerBusinessId
- *              throws partnerNotConfigured if partnerBusinessId is missing
- *   standard → no-op (createFilters already handled)
- *
- * @param {object} where  - Sequelize WHERE clause to mutate.
- * @param {object} access - Access object from resolveAccess.
- * @param {{ getPartnerById: Function }} deps
- */
-export async function scopeToOwnBusiness(where, access, { getPartnerById } = {}) {
-    if (!access) {
-        throw errorList.unauthorized;
-    }
-    if (access.level === 'global') {
-        delete where.businessId;
-        return;
-    }
-    if (access.level === 'partner') {
-        await ensurePartnerScope(access, { getPartnerById });
-        if (!access.partnerBusinessId) {
-            throw errorList.partnerNotConfigured;
-        }
-        where.businessId = access.partnerBusinessId;
-        return;
-    }
-    // standard → no-op (createFilters already injected from JWT)
-}
-
-/**
- * Scope a WHERE clause to the partner's portfolio (businessIds array).
- * Use for "book" resources (future transaction lists, merchant inbox views).
- *
- *   global   → deletes where.businessId
- *   partner  → sets where.businessId = businessIds[]
- *   standard → no-op
- *
- * @param {object} where  - Sequelize WHERE clause to mutate.
- * @param {object} access - Access object from resolveAccess.
- * @param {{ getPartnerById: Function }} deps
- */
-export async function scopeToPartnerBook(where, access, { getPartnerById } = {}) {
-    if (!access) {
-        throw errorList.unauthorized;
-    }
-    if (access.level === 'global') {
-        delete where.businessId;
-        return;
-    }
-    if (access.level === 'partner') {
-        await ensurePartnerScope(access, { getPartnerById });
-        where.businessId = access.businessIds || [];
-        return;
-    }
-    // standard → no-op
-}
-
-/**
- * Scope to the union of partnerBusinessId + businessIds.
- * Use for tickets — partner sees own tickets + portfolio merchants' tickets.
- *
- *   global   → deletes where.businessId
- *   partner  → sets where.businessId = [partnerBusinessId, ...businessIds]
- *   standard → sets where.businessId = access.businessIds
- *              (explicitly handled here because ticket routes may not call
- *               createFilters before scoping, e.g. delete/resolve handlers)
- *
- * @param {object} where  - Sequelize WHERE clause to mutate.
- * @param {object} access - Access object from resolveAccess.
- * @param {{ getPartnerById: Function }} deps
- */
-export async function scopeToBookUnionOwn(where, access, { getPartnerById } = {}) {
-    if (!access) {
-        throw errorList.unauthorized;
-    }
-    if (access.level === 'global') {
-        delete where.businessId;
-        return;
-    }
-    if (access.level === 'partner') {
-        await ensurePartnerScope(access, { getPartnerById });
-        const ids = _.uniq(
-            [access.partnerBusinessId, ...(access.businessIds || [])].filter(Boolean)
-        );
-        where.businessId = ids;
-        return;
-    }
-    if (access.level === 'standard') {
-        where.businessId = access.businessIds;
-        return;
-    }
-}
+import _ from 'lodash';
+import { ensurePartnerScope } from './accessContext.js';
+import { errorList } from '../../../requestResponse/errorCodes.js';
+
+/**
+ * Scope a WHERE clause to the partner's own business (partnerBusinessId).
+ * Use for "mine" resources: deal, activity, application, template.
+ *
+ *   global   → deletes where.businessId (super sees everything)
+ *   partner  → sets where.businessId = partnerBusinessId
+ *              throws partnerNotConfigured if partnerBusinessId is missing
+ *   standard → no-op (createFilters already handled)
+ *
+ * @param {object} where  - Sequelize WHERE clause to mutate.
+ * @param {object} access - Access object from resolveAccess.
+ * @param {{ getPartnerById: Function }} deps
+ */
+export async function scopeToOwnBusiness(where, access, { getPartnerById } = {}) {
+    if (!access) {
+        throw errorList.unauthorized;
+    }
+    if (access.level === 'global') {
+        delete where.businessId;
+        return;
+    }
+    if (access.level === 'partner') {
+        await ensurePartnerScope(access, { getPartnerById });
+        if (!access.partnerBusinessId) {
+            throw errorList.partnerNotConfigured;
+        }
+        where.businessId = access.partnerBusinessId;
+        return;
+    }
+    // standard → no-op (createFilters already injected from JWT)
+}
+
+/**
+ * Scope a WHERE clause to the partner's portfolio (businessIds array).
+ * Use for "book" resources (future transaction lists, merchant inbox views).
+ *
+ *   global   → deletes where.businessId
+ *   partner  → sets where.businessId = businessIds[]
+ *   standard → no-op
+ *
+ * @param {object} where  - Sequelize WHERE clause to mutate.
+ * @param {object} access - Access object from resolveAccess.
+ * @param {{ getPartnerById: Function }} deps
+ */
+export async function scopeToPartnerBook(where, access, { getPartnerById } = {}) {
+    if (!access) {
+        throw errorList.unauthorized;
+    }
+    if (access.level === 'global') {
+        delete where.businessId;
+        return;
+    }
+    if (access.level === 'partner') {
+        await ensurePartnerScope(access, { getPartnerById });
+        where.businessId = access.businessIds || [];
+        return;
+    }
+    // standard → no-op
+}
+
+/**
+ * Scope to the union of partnerBusinessId + businessIds.
+ * Use for tickets — partner sees own tickets + portfolio merchants' tickets.
+ *
+ *   global   → deletes where.businessId
+ *   partner  → sets where.businessId = [partnerBusinessId, ...businessIds]
+ *   standard → sets where.businessId = access.businessIds
+ *              (explicitly handled here because ticket routes may not call
+ *               createFilters before scoping, e.g. delete/resolve handlers)
+ *
+ * @param {object} where  - Sequelize WHERE clause to mutate.
+ * @param {object} access - Access object from resolveAccess.
+ * @param {{ getPartnerById: Function }} deps
+ */
+export async function scopeToBookUnionOwn(where, access, { getPartnerById } = {}) {
+    if (!access) {
+        throw errorList.unauthorized;
+    }
+    if (access.level === 'global') {
+        delete where.businessId;
+        return;
+    }
+    if (access.level === 'partner') {
+        await ensurePartnerScope(access, { getPartnerById });
+        const ids = _.uniq(
+            [access.partnerBusinessId, ...(access.businessIds || [])].filter(Boolean)
+        );
+        where.businessId = ids;
+        return;
+    }
+    if (access.level === 'standard') {
+        where.businessId = access.businessIds;
+        return;
+    }
+}

package/src/database/dbUtils/partnerAccess/accessScope.test.js

@@ -0,0 +1,287 @@
+import {
+    scopeToOwnBusiness,
+    scopeToPartnerBook,
+    scopeToBookUnionOwn
+} from './accessScope.js';
+import { errorList } from '../../../requestResponse/errorCodes.js';
+
+// Why these tests exist
+// ---------------------
+// The three scope helpers were rewritten to accept an explicit `requested`
+// businessIds array from the caller's query string, and to intersect that
+// against the role's allowed set instead of unconditionally overwriting
+// where.businessId. The header "My Business" filter for super users depends
+// on the new intersection — these tests pin the contract.
+//
+// "requested" is what the route handler extracts via getRequestedBusinessIds(event)
+// and forwards. Empty array = no explicit filter (back-compat path).
+
+describe('accessScope helpers', () => {
+
+    describe('scopeToBookUnionOwn — global (super)', () => {
+        it('deletes where.businessId when no explicit filter is requested', async () => {
+            // Arrange — super with no header pick → caller sends nothing
+            const where = { businessId: 'pre-existing-set-by-createFilters', active: true };
+            const access = { level: 'global' };
+
+            // Act
+            await scopeToBookUnionOwn(where, access, []);
+
+            // Assert — businessId stripped so the query is unconstrained;
+            // unrelated keys (active) survive
+            expect(where.businessId).toBeUndefined();
+            expect(where.active).toBe(true);
+        });
+
+        it('honors the requested businessIds when super passes them explicitly', async () => {
+            // Arrange — super picked business "X" in the header pill
+            const where = {};
+            const access = { level: 'global' };
+
+            // Act
+            await scopeToBookUnionOwn(where, access, ['X']);
+
+            // Assert — backend respects the explicit filter (the symptom from
+            // the user-reported "Deals list doesn't filter to My Business" bug)
+            expect(where.businessId).toEqual(['X']);
+        });
+    });
+
+    describe('scopeToBookUnionOwn — partner', () => {
+        it('returns the full union when no explicit filter is requested', async () => {
+            // Arrange — partner with own=O and portfolio=[A, B]; pre-resolved scope
+            const where = {};
+            const access = {
+                level: 'partner',
+                partnerBusinessId: 'O',
+                businessIds: ['A', 'B']
+            };
+
+            // Act
+            await scopeToBookUnionOwn(where, access, []);
+
+            // Assert — union preserved (own + portfolio, unique)
+            expect(where.businessId).toEqual(['O', 'A', 'B']);
+        });
+
+        it('intersects requested with the union when partner filters explicitly', async () => {
+            // Arrange — partner asks for A only, A is in portfolio
+            const where = {};
+            const access = {
+                level: 'partner',
+                partnerBusinessId: 'O',
+                businessIds: ['A', 'B']
+            };
+
+            // Act
+            await scopeToBookUnionOwn(where, access, ['A']);
+
+            // Assert — only the requested+allowed entry survives
+            expect(where.businessId).toEqual(['A']);
+        });
+
+        it('returns empty when requested business is outside the partner union', async () => {
+            // Arrange — partner asks for Z which is not in own or portfolio
+            const where = {};
+            const access = {
+                level: 'partner',
+                partnerBusinessId: 'O',
+                businessIds: ['A', 'B']
+            };
+
+            // Act
+            await scopeToBookUnionOwn(where, access, ['Z']);
+
+            // Assert — empty array → IN () → silent zero rows. Intentional;
+            // confirms a partner can't sneak past their scope via query param.
+            expect(where.businessId).toEqual([]);
+        });
+
+        it('lazy-loads partnerBusinessId/businessIds via getPartnerById on first call', async () => {
+            // Arrange — access is "fresh" (nulls), like resolveAccess hands out
+            const where = {};
+            const access = { level: 'partner', partnerId: 'p1', partnerBusinessId: null, businessIds: null };
+            const getPartnerById = jasmine.createSpy('getPartnerById').and.resolveTo({
+                partnerBusinessId: 'O',
+                businessIds: ['A']
+            });
+
+            // Act
+            await scopeToBookUnionOwn(where, access, [], { getPartnerById });
+
+            // Assert — DB hit happened and where.businessId is the resolved union
+            expect(getPartnerById).toHaveBeenCalledWith('p1');
+            expect(where.businessId).toEqual(['O', 'A']);
+        });
+    });
+
+    describe('scopeToBookUnionOwn — standard (merchant)', () => {
+        it('falls back to access.businessIds when no explicit filter is requested', async () => {
+            // Arrange — standard merchant has JWT businesses S1, S2
+            const where = {};
+            const access = { level: 'standard', businessIds: ['S1', 'S2'] };
+
+            // Act
+            await scopeToBookUnionOwn(where, access, []);
+
+            // Assert
+            expect(where.businessId).toEqual(['S1', 'S2']);
+        });
+
+        it('intersects requested with JWT businesses when standard filters explicitly', async () => {
+            // Arrange — merchant asks for S1 (in their JWT)
+            const where = {};
+            const access = { level: 'standard', businessIds: ['S1', 'S2'] };
+
+            // Act
+            await scopeToBookUnionOwn(where, access, ['S1']);
+
+            // Assert
+            expect(where.businessId).toEqual(['S1']);
+        });
+
+        it('returns empty when standard asks for a business outside their JWT', async () => {
+            // Arrange — IDOR attempt: merchant on S1 asks for someone else's business "X"
+            const where = {};
+            const access = { level: 'standard', businessIds: ['S1', 'S2'] };
+
+            // Act
+            await scopeToBookUnionOwn(where, access, ['X']);
+
+            // Assert — empty result, no cross-tenant leak
+            expect(where.businessId).toEqual([]);
+        });
+    });
+
+    describe('scopeToBookUnionOwn — defensive', () => {
+        it('throws unauthorized when access is null', async () => {
+            // Arrange — never expected to happen, but guard rather than corrupt the query
+            let thrown;
+
+            // Act
+            try {
+                await scopeToBookUnionOwn({}, null, []);
+            } catch (e) {
+                thrown = e;
+            }
+
+            // Assert
+            expect(thrown).toBe(errorList.unauthorized);
+        });
+    });
+
+    describe('scopeToOwnBusiness', () => {
+        it('sets where.businessId to partnerBusinessId for partners (no explicit filter)', async () => {
+            // Arrange
+            const where = {};
+            const access = { level: 'partner', partnerBusinessId: 'O', businessIds: ['A'] };
+
+            // Act
+            await scopeToOwnBusiness(where, access, []);
+
+            // Assert — own resource scope is single-value, not union
+            expect(where.businessId).toBe('O');
+        });
+
+        it('intersects requested with the partner own businessId', async () => {
+            // Arrange — partner asks for "O" (their own) — valid
+            const where = {};
+            const access = { level: 'partner', partnerBusinessId: 'O', businessIds: ['A'] };
+
+            // Act
+            await scopeToOwnBusiness(where, access, ['O']);
+
+            // Assert — intersection ['O'] ∩ ['O'] = ['O']
+            expect(where.businessId).toEqual(['O']);
+        });
+
+        it('returns empty when requested business is not the partner own', async () => {
+            // Arrange — partner asks for portfolio business "A" but this is the OWN scope
+            const where = {};
+            const access = { level: 'partner', partnerBusinessId: 'O', businessIds: ['A'] };
+
+            // Act
+            await scopeToOwnBusiness(where, access, ['A']);
+
+            // Assert — own scope rejects even valid-for-them businesses outside "own"
+            expect(where.businessId).toEqual([]);
+        });
+
+        it('throws partnerNotConfigured when partnerBusinessId is missing', async () => {
+            // Arrange — bad partner setup: portfolio set but no own businessId.
+            // Threw originally too, but now after the new requested param flows through.
+            const where = {};
+            const access = { level: 'partner', partnerBusinessId: null, businessIds: ['A'] };
+            let thrown;
+
+            // Act
+            try {
+                await scopeToOwnBusiness(where, access, []);
+            } catch (e) {
+                thrown = e;
+            }
+
+            // Assert
+            expect(thrown).toBe(errorList.partnerNotConfigured);
+        });
+
+        it('global with explicit request → where.businessId = requested', async () => {
+            // Arrange
+            const where = {};
+
+            // Act
+            await scopeToOwnBusiness(where, { level: 'global' }, ['X']);
+
+            // Assert
+            expect(where.businessId).toEqual(['X']);
+        });
+
+        it('global with no request → where.businessId deleted', async () => {
+            // Arrange
+            const where = { businessId: 'stale' };
+
+            // Act
+            await scopeToOwnBusiness(where, { level: 'global' }, []);
+
+            // Assert
+            expect(where.businessId).toBeUndefined();
+        });
+    });
+
+    describe('scopeToPartnerBook', () => {
+        it('returns full portfolio for partners with no explicit request', async () => {
+            // Arrange
+            const where = {};
+            const access = { level: 'partner', partnerBusinessId: 'O', businessIds: ['A', 'B'] };
+
+            // Act
+            await scopeToPartnerBook(where, access, []);
+
+            // Assert — book is portfolio only (no own)
+            expect(where.businessId).toEqual(['A', 'B']);
+        });
+
+        it('intersects requested with portfolio (excludes partner own)', async () => {
+            // Arrange — partner asks for "O" (own) and "A" (portfolio)
+            const where = {};
+            const access = { level: 'partner', partnerBusinessId: 'O', businessIds: ['A', 'B'] };
+
+            // Act
+            await scopeToPartnerBook(where, access, ['O', 'A']);
+
+            // Assert — book scope drops "own" even when explicitly requested
+            expect(where.businessId).toEqual(['A']);
+        });
+
+        it('global no request → deletes where.businessId', async () => {
+            // Arrange
+            const where = { businessId: 'stale' };
+
+            // Act
+            await scopeToPartnerBook(where, { level: 'global' }, []);
+
+            // Assert
+            expect(where.businessId).toBeUndefined();
+        });
+    });
+});

package/src/database/dbUtils/partnerAccess/createAccessHelpers.js

@@ -1,38 +1,38 @@
-import { ensurePartnerScope } from './accessContext.js';
-import { scopeToOwnBusiness, scopeToPartnerBook, scopeToBookUnionOwn } from './accessScope.js';
-import {
-    assertCanWriteOwnBusiness,
-    assertCanWriteBookBusiness,
-    assertCanWriteBookUnionOwn,
-    stampOwnBusinessId
-} from './accessWrites.js';
-
-/**
- * Factory that pre-binds getPartnerById into all scope/assert/stamp helpers.
- * Bind once at module level, then call without repeating the injection:
- *
- *   import { createAccessHelpers } from 'piper-utils';
- *   import { getPartnerById } from '../partner/partner.js';
- *
- *   const {
- *       scopeToOwnBusiness,
- *       stampOwnBusinessId,
- *       assertCanWriteOwnBusiness
- *   } = createAccessHelpers({ getPartnerById });
- *
- * @param {{ getPartnerById: Function }} deps
- * @returns {object} Pre-bound helpers.
- */
-export function createAccessHelpers({ getPartnerById }) {
-    const deps = { getPartnerById };
-    return {
-        ensurePartnerScope: (access) => ensurePartnerScope(access, deps),
-        scopeToOwnBusiness: (where, access) => scopeToOwnBusiness(where, access, deps),
-        scopeToPartnerBook: (where, access) => scopeToPartnerBook(where, access, deps),
-        scopeToBookUnionOwn: (where, access) => scopeToBookUnionOwn(where, access, deps),
-        assertCanWriteOwnBusiness: (access, businessId) => assertCanWriteOwnBusiness(access, businessId, deps),
-        assertCanWriteBookBusiness: (access, businessId) => assertCanWriteBookBusiness(access, businessId, deps),
-        assertCanWriteBookUnionOwn: (access, businessId) => assertCanWriteBookUnionOwn(access, businessId, deps),
-        stampOwnBusinessId: (access, body) => stampOwnBusinessId(access, body, deps)
-    };
-}
+import { ensurePartnerScope } from './accessContext.js';
+import { scopeToOwnBusiness, scopeToPartnerBook, scopeToBookUnionOwn } from './accessScope.js';
+import {
+    assertCanWriteOwnBusiness,
+    assertCanWriteBookBusiness,
+    assertCanWriteBookUnionOwn,
+    stampOwnBusinessId
+} from './accessWrites.js';
+
+/**
+ * Factory that pre-binds getPartnerById into all scope/assert/stamp helpers.
+ * Bind once at module level, then call without repeating the injection:
+ *
+ *   import { createAccessHelpers } from 'piper-utils';
+ *   import { getPartnerById } from '../partner/partner.js';
+ *
+ *   const {
+ *       scopeToOwnBusiness,
+ *       stampOwnBusinessId,
+ *       assertCanWriteOwnBusiness
+ *   } = createAccessHelpers({ getPartnerById });
+ *
+ * @param {{ getPartnerById: Function }} deps
+ * @returns {object} Pre-bound helpers.
+ */
+export function createAccessHelpers({ getPartnerById }) {
+    const deps = { getPartnerById };
+    return {
+        ensurePartnerScope: (access) => ensurePartnerScope(access, deps),
+        scopeToOwnBusiness: (where, access) => scopeToOwnBusiness(where, access, deps),
+        scopeToPartnerBook: (where, access) => scopeToPartnerBook(where, access, deps),
+        scopeToBookUnionOwn: (where, access) => scopeToBookUnionOwn(where, access, deps),
+        assertCanWriteOwnBusiness: (access, businessId) => assertCanWriteOwnBusiness(access, businessId, deps),
+        assertCanWriteBookBusiness: (access, businessId) => assertCanWriteBookBusiness(access, businessId, deps),
+        assertCanWriteBookUnionOwn: (access, businessId) => assertCanWriteBookUnionOwn(access, businessId, deps),
+        stampOwnBusinessId: (access, body) => stampOwnBusinessId(access, body, deps)
+    };
+}