scriptgini 1.0.7__tar.gz → 1.2.0__tar.gz

{scriptgini-1.0.7 → scriptgini-1.2.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scriptgini
-Version: 1.0.7
+Version: 1.2.0
 Summary: Agentic AI system that converts functional test cases into automation test scripts.
 Author: ScriptGini Team
 License: Proprietary
@@ -436,8 +436,8 @@ The project follows an **enterprise-grade development roadmap** with 6 sprints c
 
 | Sprint | Focus | Effort | Status |
 |--------|-------|--------|--------|
-| **Sprint 1** | IAM Core | 30-36pts | 🔲 Pending (User model, JWT, auth middleware) |
-| **Sprint 2** | RBAC + Multi-Tenancy | 32-38pts | 🔲 Pending (Org/team models, RBAC enforcement) |
+| **Sprint 1** | IAM Core | 30-36pts | 🟡 Core delivered (auth hardening pending) |
+| **Sprint 2** | RBAC + Multi-Tenancy | 32-38pts | 🟡 Core delivered (RBAC hardening pending) |
 | **Sprint 3** | Durable Execution | 34-40pts | 🔲 Pending (Redis + Celery/Arq setup) |
 | **Sprint 4** | Security & Hardening | 30-36pts | 🔲 Pending (Container sandbox, audit logging) |
 | **Sprint 5** | Reporting & Analytics | 28-34pts | 🔲 Pending (Artifact storage, dashboards) |

{scriptgini-1.0.7 → scriptgini-1.2.0}/README.md

@@ -422,8 +422,8 @@ The project follows an **enterprise-grade development roadmap** with 6 sprints c
 
 | Sprint | Focus | Effort | Status |
 |--------|-------|--------|--------|
-| **Sprint 1** | IAM Core | 30-36pts | 🔲 Pending (User model, JWT, auth middleware) |
-| **Sprint 2** | RBAC + Multi-Tenancy | 32-38pts | 🔲 Pending (Org/team models, RBAC enforcement) |
+| **Sprint 1** | IAM Core | 30-36pts | 🟡 Core delivered (auth hardening pending) |
+| **Sprint 2** | RBAC + Multi-Tenancy | 32-38pts | 🟡 Core delivered (RBAC hardening pending) |
 | **Sprint 3** | Durable Execution | 34-40pts | 🔲 Pending (Redis + Celery/Arq setup) |
 | **Sprint 4** | Security & Hardening | 30-36pts | 🔲 Pending (Container sandbox, audit logging) |
 | **Sprint 5** | Reporting & Analytics | 28-34pts | 🔲 Pending (Artifact storage, dashboards) |

scriptgini-1.2.0/app/__init__.py

@@ -0,0 +1,3 @@
+__version__ = "1.2.0"
+__api_version__ = "v1.2.0"
+

{scriptgini-1.0.7 → scriptgini-1.2.0}/app/main.py

@@ -7,9 +7,10 @@ from fastapi.responses import FileResponse
 from fastapi.middleware.cors import CORSMiddleware
 from fastapi.staticfiles import StaticFiles
 
+from app import __version__
 from app.config import settings
 from app.llm.provider import get_llm_diagnostics
-from app.routers import projects, test_cases, scripts, bulk_jobs, analytics, demo, auth, api_key
+from app.routers import projects, test_cases, scripts, bulk_jobs, analytics, demo, auth, api_key, organizations
 
 logging.basicConfig(level=logging.DEBUG if settings.DEBUG else logging.INFO)
 logger = logging.getLogger(__name__)
@@ -36,7 +37,7 @@ app = FastAPI(
         "Enterprise-grade Agentic AI system that converts functional test cases "
         "into high-quality automation scripts."
     ),
-    version="1.0.7",
+    version=__version__,
     lifespan=lifespan,
 )
 
@@ -56,6 +57,7 @@ app.include_router(analytics.router, prefix="/api/v1")
 app.include_router(demo.router, prefix="/api/v1")
 app.include_router(auth.router, prefix="/api/v1")
 app.include_router(api_key.router, prefix="/api/v1")
+app.include_router(organizations.router, prefix="/api/v1")
 app.mount("/static", StaticFiles(directory=static_dir), name="static")
 
 

scriptgini-1.2.0/app/models/membership.py

@@ -0,0 +1,54 @@
+import enum
+from datetime import datetime, timezone
+
+from sqlalchemy import DateTime, Boolean, ForeignKey, Enum as SAEnum, UniqueConstraint
+from sqlalchemy.orm import Mapped, mapped_column
+
+from app.database import Base
+
+
+class Role(str, enum.Enum):
+    owner = "owner"
+    admin = "admin"
+    member = "member"
+    viewer = "viewer"
+
+
+class OrganizationMembership(Base):
+    __tablename__ = "organization_memberships"
+    __table_args__ = (UniqueConstraint("organization_id", "user_id", name="uq_org_membership_org_user"),)
+
+    id: Mapped[int] = mapped_column(primary_key=True, index=True)
+    organization_id: Mapped[int] = mapped_column(ForeignKey("organizations.id"), nullable=False, index=True)
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id"), nullable=False, index=True)
+    role: Mapped[Role] = mapped_column(SAEnum(Role), nullable=False, default=Role.member)
+    is_active: Mapped[bool] = mapped_column(Boolean, nullable=False, default=True)
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(timezone.utc),
+        onupdate=lambda: datetime.now(timezone.utc),
+    )
+
+
+
+class ProjectMembership(Base):
+    __tablename__ = "project_memberships"
+    __table_args__ = (UniqueConstraint("project_id", "user_id", name="uq_project_membership_project_user"),)
+
+    id: Mapped[int] = mapped_column(primary_key=True, index=True)
+    project_id: Mapped[int] = mapped_column(ForeignKey("projects.id"), nullable=False, index=True)
+    user_id: Mapped[int] = mapped_column(ForeignKey("users.id"), nullable=False, index=True)
+    role: Mapped[Role] = mapped_column(SAEnum(Role), nullable=False, default=Role.member)
+    is_active: Mapped[bool] = mapped_column(Boolean, nullable=False, default=True)
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(timezone.utc),
+        onupdate=lambda: datetime.now(timezone.utc),
+    )
+

scriptgini-1.2.0/app/models/organization.py

@@ -0,0 +1,24 @@
+from datetime import datetime, timezone
+
+from sqlalchemy import String, Text, DateTime, ForeignKey
+from sqlalchemy.orm import Mapped, mapped_column
+
+from app.database import Base
+
+
+class Organization(Base):
+    __tablename__ = "organizations"
+
+    id: Mapped[int] = mapped_column(primary_key=True, index=True)
+    name: Mapped[str] = mapped_column(String(255), nullable=False, unique=True, index=True)
+    description: Mapped[str | None] = mapped_column(Text, nullable=True)
+    created_by_user_id: Mapped[int] = mapped_column(ForeignKey("users.id"), nullable=False, index=True)
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), default=lambda: datetime.now(timezone.utc)
+    )
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        default=lambda: datetime.now(timezone.utc),
+        onupdate=lambda: datetime.now(timezone.utc),
+    )
+

{scriptgini-1.0.7 → scriptgini-1.2.0}/app/models/project.py

@@ -1,7 +1,7 @@
 import enum
 from datetime import datetime, timezone
 
-from sqlalchemy import String, Text, DateTime, Enum as SAEnum
+from sqlalchemy import String, Text, DateTime, Enum as SAEnum, ForeignKey
 from sqlalchemy.orm import Mapped, mapped_column
 
 from app.database import Base
@@ -26,6 +26,7 @@ class Project(Base):
     __tablename__ = "projects"
 
     id: Mapped[int] = mapped_column(primary_key=True, index=True)
+    organization_id: Mapped[int | None] = mapped_column(ForeignKey("organizations.id"), nullable=True, index=True)
     name: Mapped[str] = mapped_column(String(255), nullable=False)
     description: Mapped[str | None] = mapped_column(Text, nullable=True)
     aut_base_url: Mapped[str] = mapped_column(String(2048), nullable=False)
@@ -44,3 +45,4 @@ class Project(Base):
         default=lambda: datetime.now(timezone.utc),
         onupdate=lambda: datetime.now(timezone.utc),
     )
+

scriptgini-1.2.0/app/routers/organizations.py

@@ -0,0 +1,36 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.exc import IntegrityError
+from sqlalchemy.orm import Session
+
+from app.database import get_db
+from app.schemas.organization import OrganizationCreate, OrganizationResponse
+from app.services.auth_dependencies import require_auth_with_scopes
+from app.services import rbac as rbac_service
+
+router = APIRouter(prefix="/organizations", tags=["Organizations"])
+
+
+@router.post("", response_model=OrganizationResponse, status_code=status.HTTP_201_CREATED)
+def create_organization(
+    payload: OrganizationCreate,
+    current_user=Depends(require_auth_with_scopes({"org:write"})),
+    db: Session = Depends(get_db),
+):
+    try:
+        return rbac_service.create_organization(
+            db=db,
+            user_id=current_user.id,
+            name=payload.name,
+            description=payload.description,
+        )
+    except IntegrityError as exc:
+        db.rollback()
+        raise HTTPException(status_code=400, detail="Organization already exists") from exc
+
+
+@router.get("", response_model=list[OrganizationResponse])
+def list_organizations(
+    current_user=Depends(require_auth_with_scopes({"org:read"})),
+    db: Session = Depends(get_db),
+):
+    return rbac_service.list_user_organizations(db, current_user.id)

scriptgini-1.2.0/app/routers/projects.py

@@ -0,0 +1,113 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+
+from app.database import get_db
+from app.models.project import Project
+from app.schemas.membership import ProjectMemberResponse, ProjectMemberUpsertRequest
+from app.schemas.project import ProjectCreate, ProjectUpdate, ProjectResponse
+from app.services import rbac as rbac_service
+from app.services.auth_dependencies import require_auth_with_scopes
+
+router = APIRouter(prefix="/projects", tags=["Projects"])
+
+
+def _ensure_project_manager(db: Session, project_id: int, user_id: int) -> None:
+    existing_members = rbac_service.list_project_members(db, project_id)
+    if not existing_members:
+        return
+
+    membership = rbac_service.get_user_project_membership(db, project_id, user_id)
+    if membership is None or membership.role not in rbac_service.MANAGER_ROLES:
+        raise HTTPException(status_code=403, detail="Insufficient project role")
+
+
+@router.post("/", response_model=ProjectResponse, status_code=status.HTTP_201_CREATED)
+def create_project(payload: ProjectCreate, db: Session = Depends(get_db)):
+    project = Project(**payload.model_dump())
+    db.add(project)
+    db.commit()
+    db.refresh(project)
+    return project
+
+
+@router.get("/", response_model=list[ProjectResponse])
+def list_projects(skip: int = 0, limit: int = 50, db: Session = Depends(get_db)):
+    return db.query(Project).offset(skip).limit(limit).all()
+
+
+@router.get("/{project_id}", response_model=ProjectResponse)
+def get_project(project_id: int, db: Session = Depends(get_db)):
+    project = db.query(Project).filter(Project.id == project_id).first()
+    if not project:
+        raise HTTPException(status_code=404, detail="Project not found")
+    return project
+
+
+@router.patch("/{project_id}", response_model=ProjectResponse)
+def update_project(project_id: int, payload: ProjectUpdate, db: Session = Depends(get_db)):
+    project = db.query(Project).filter(Project.id == project_id).first()
+    if not project:
+        raise HTTPException(status_code=404, detail="Project not found")
+    for field, value in payload.model_dump(exclude_none=True).items():
+        setattr(project, field, value)
+    db.commit()
+    db.refresh(project)
+    return project
+
+
+@router.delete("/{project_id}", status_code=status.HTTP_204_NO_CONTENT)
+def delete_project(project_id: int, db: Session = Depends(get_db)):
+    project = db.query(Project).filter(Project.id == project_id).first()
+    if not project:
+        raise HTTPException(status_code=404, detail="Project not found")
+    db.delete(project)
+    db.commit()
+
+
+@router.get("/{project_id}/members", response_model=list[ProjectMemberResponse])
+def list_project_members(
+    project_id: int,
+    current_user=Depends(require_auth_with_scopes({"members:read"})),
+    db: Session = Depends(get_db),
+):
+    rbac_service.ensure_project_exists(db, project_id)
+    membership = rbac_service.get_user_project_membership(db, project_id, current_user.id)
+    if membership is None or membership.role not in rbac_service.READ_ROLES:
+        raise HTTPException(status_code=403, detail="Insufficient project role")
+    return rbac_service.list_project_members(db, project_id)
+
+
+@router.put("/{project_id}/members/{user_id}", response_model=ProjectMemberResponse)
+def upsert_project_member(
+    project_id: int,
+    user_id: int,
+    payload: ProjectMemberUpsertRequest,
+    current_user=Depends(require_auth_with_scopes({"members:write"})),
+    db: Session = Depends(get_db),
+):
+    rbac_service.ensure_project_exists(db, project_id)
+    _ensure_project_manager(db, project_id, current_user.id)
+
+    return rbac_service.upsert_project_member(
+        db=db,
+        project_id=project_id,
+        user_id=user_id,
+        role=payload.role,
+        is_active=payload.is_active,
+    )
+
+
+@router.delete("/{project_id}/members/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
+def delete_project_member(
+    project_id: int,
+    user_id: int,
+    current_user=Depends(require_auth_with_scopes({"members:write"})),
+    db: Session = Depends(get_db),
+):
+    rbac_service.ensure_project_exists(db, project_id)
+    _ensure_project_manager(db, project_id, current_user.id)
+
+    if not rbac_service.remove_project_member(db, project_id, user_id):
+        raise HTTPException(status_code=404, detail="Project member not found")
+
+    return None

scriptgini-1.2.0/app/schemas/membership.py

@@ -0,0 +1,22 @@
+from datetime import datetime
+
+from pydantic import BaseModel
+
+from app.models.membership import Role
+
+
+class ProjectMemberUpsertRequest(BaseModel):
+    role: Role
+    is_active: bool = True
+
+
+class ProjectMemberResponse(BaseModel):
+    id: int
+    project_id: int
+    user_id: int
+    role: Role
+    is_active: bool
+    created_at: datetime
+    updated_at: datetime
+
+    model_config = {"from_attributes": True}

scriptgini-1.2.0/app/schemas/organization.py

@@ -0,0 +1,19 @@
+from datetime import datetime
+
+from pydantic import BaseModel, Field
+
+
+class OrganizationCreate(BaseModel):
+    name: str = Field(..., min_length=2, max_length=255)
+    description: str | None = None
+
+
+class OrganizationResponse(BaseModel):
+    id: int
+    name: str
+    description: str | None
+    created_by_user_id: int
+    created_at: datetime
+    updated_at: datetime
+
+    model_config = {"from_attributes": True}

{scriptgini-1.0.7 → scriptgini-1.2.0}/app/schemas/project.py

@@ -5,6 +5,7 @@ from app.models.project import TestFramework, SelectorPreference
 
 
 class ProjectCreate(BaseModel):
+    organization_id: int | None = None
     name: str = Field(..., max_length=255)
     description: str | None = None
     aut_base_url: str = Field(..., description="Base URL of the Application Under Test")
@@ -14,6 +15,7 @@ class ProjectCreate(BaseModel):
 
 
 class ProjectUpdate(BaseModel):
+    organization_id: int | None = None
     name: str | None = Field(None, max_length=255)
     description: str | None = None
     aut_base_url: str | None = None
@@ -24,6 +26,7 @@ class ProjectUpdate(BaseModel):
 
 class ProjectResponse(BaseModel):
     id: int
+    organization_id: int | None
     name: str
     description: str | None
     aut_base_url: str

{scriptgini-1.0.7 → scriptgini-1.2.0}/app/services/auth_dependencies.py

@@ -1,3 +1,5 @@
+from collections.abc import Callable
+
 from fastapi import Depends, HTTPException, status
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
 from sqlalchemy.orm import Session
@@ -89,3 +91,20 @@ def get_current_user_or_api_key(
         detail="Invalid or expired credentials",
         headers={"WWW-Authenticate": "Bearer"},
     )
+
+
+def require_auth_with_scopes(required_scopes: set[str] | None = None) -> Callable:
+    required_scopes = required_scopes or set()
+
+    def _dependency(current_user=Depends(get_current_user_or_api_key)):
+        api_key = getattr(current_user, "_api_key", None)
+        if api_key is not None:
+            granted_scopes = set(api_key.scopes or [])
+            if not required_scopes.issubset(granted_scopes):
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="API key does not have required scopes",
+                )
+        return current_user
+
+    return _dependency

scriptgini-1.2.0/app/services/rbac.py

@@ -0,0 +1,118 @@
+from sqlalchemy.orm import Session
+
+from app.models.membership import ProjectMembership, Role, OrganizationMembership
+from app.models.organization import Organization
+from app.models.project import Project
+
+
+MANAGER_ROLES = {Role.owner, Role.admin}
+READ_ROLES = {Role.owner, Role.admin, Role.member, Role.viewer}
+
+
+def create_organization(db: Session, user_id: int, name: str, description: str | None = None) -> Organization:
+    organization = Organization(name=name, description=description, created_by_user_id=user_id)
+    db.add(organization)
+    db.flush()
+
+    owner_membership = OrganizationMembership(
+        organization_id=organization.id,
+        user_id=user_id,
+        role=Role.owner,
+        is_active=True,
+    )
+    db.add(owner_membership)
+    db.commit()
+    db.refresh(organization)
+    return organization
+
+
+def list_user_organizations(db: Session, user_id: int) -> list[Organization]:
+    return (
+        db.query(Organization)
+        .join(OrganizationMembership, OrganizationMembership.organization_id == Organization.id)
+        .filter(
+            OrganizationMembership.user_id == user_id,
+            OrganizationMembership.is_active.is_(True),
+        )
+        .all()
+    )
+
+
+def get_user_project_membership(db: Session, project_id: int, user_id: int) -> ProjectMembership | None:
+    return (
+        db.query(ProjectMembership)
+        .filter(
+            ProjectMembership.project_id == project_id,
+            ProjectMembership.user_id == user_id,
+            ProjectMembership.is_active.is_(True),
+        )
+        .first()
+    )
+
+
+def ensure_project_exists(db: Session, project_id: int) -> Project:
+    project = db.query(Project).filter(Project.id == project_id).first()
+    if not project:
+        from fastapi import HTTPException
+
+        raise HTTPException(status_code=404, detail="Project not found")
+    return project
+
+
+def list_project_members(db: Session, project_id: int) -> list[ProjectMembership]:
+    return (
+        db.query(ProjectMembership)
+        .filter(ProjectMembership.project_id == project_id)
+        .order_by(ProjectMembership.id.asc())
+        .all()
+    )
+
+
+def upsert_project_member(
+    db: Session,
+    project_id: int,
+    user_id: int,
+    role: Role,
+    is_active: bool,
+) -> ProjectMembership:
+    membership = (
+        db.query(ProjectMembership)
+        .filter(
+            ProjectMembership.project_id == project_id,
+            ProjectMembership.user_id == user_id,
+        )
+        .first()
+    )
+
+    if membership is None:
+        membership = ProjectMembership(
+            project_id=project_id,
+            user_id=user_id,
+            role=role,
+            is_active=is_active,
+        )
+        db.add(membership)
+    else:
+        membership.role = role
+        membership.is_active = is_active
+
+    db.commit()
+    db.refresh(membership)
+    return membership
+
+
+def remove_project_member(db: Session, project_id: int, user_id: int) -> bool:
+    membership = (
+        db.query(ProjectMembership)
+        .filter(
+            ProjectMembership.project_id == project_id,
+            ProjectMembership.user_id == user_id,
+        )
+        .first()
+    )
+    if not membership:
+        return False
+
+    db.delete(membership)
+    db.commit()
+    return True

{scriptgini-1.0.7 → scriptgini-1.2.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "scriptgini"
-version = "1.0.7"
+version = "1.2.0"
 description = "Agentic AI system that converts functional test cases into automation test scripts."
 readme = "README.md"
 requires-python = ">=3.11"

{scriptgini-1.0.7 → scriptgini-1.2.0}/scriptgini.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scriptgini
-Version: 1.0.7
+Version: 1.2.0
 Summary: Agentic AI system that converts functional test cases into automation test scripts.
 Author: ScriptGini Team
 License: Proprietary
@@ -436,8 +436,8 @@ The project follows an **enterprise-grade development roadmap** with 6 sprints c
 
 | Sprint | Focus | Effort | Status |
 |--------|-------|--------|--------|
-| **Sprint 1** | IAM Core | 30-36pts | 🔲 Pending (User model, JWT, auth middleware) |
-| **Sprint 2** | RBAC + Multi-Tenancy | 32-38pts | 🔲 Pending (Org/team models, RBAC enforcement) |
+| **Sprint 1** | IAM Core | 30-36pts | 🟡 Core delivered (auth hardening pending) |
+| **Sprint 2** | RBAC + Multi-Tenancy | 32-38pts | 🟡 Core delivered (RBAC hardening pending) |
 | **Sprint 3** | Durable Execution | 34-40pts | 🔲 Pending (Redis + Celery/Arq setup) |
 | **Sprint 4** | Security & Hardening | 30-36pts | 🔲 Pending (Container sandbox, audit logging) |
 | **Sprint 5** | Reporting & Analytics | 28-34pts | 🔲 Pending (Artifact storage, dashboards) |

{scriptgini-1.0.7 → scriptgini-1.2.0}/scriptgini.egg-info/SOURCES.txt

@@ -16,6 +16,8 @@ app/models/__init__.py
 app/models/api_key.py
 app/models/bulk_job.py
 app/models/generated_script.py
+app/models/membership.py
+app/models/organization.py
 app/models/project.py
 app/models/script_run.py
 app/models/test_case.py
@@ -26,6 +28,7 @@ app/routers/api_key.py
 app/routers/auth.py
 app/routers/bulk_jobs.py
 app/routers/demo.py
+app/routers/organizations.py
 app/routers/projects.py
 app/routers/scripts.py
 app/routers/test_cases.py
@@ -35,12 +38,15 @@ app/schemas/api_key.py
 app/schemas/auth.py
 app/schemas/bulk_job.py
 app/schemas/generated_script.py
+app/schemas/membership.py
+app/schemas/organization.py
 app/schemas/project.py
 app/schemas/test_case.py
 app/services/api_key.py
 app/services/auth.py
 app/services/auth_dependencies.py
 app/services/git_export.py
+app/services/rbac.py
 scriptgini.egg-info/PKG-INFO
 scriptgini.egg-info/SOURCES.txt
 scriptgini.egg-info/dependency_links.txt
@@ -48,4 +54,5 @@ scriptgini.egg-info/top_level.txt
 tests/test_api.py
 tests/test_auth.py
 tests/test_coverage.py
-tests/test_infra_services_coverage.py
+tests/test_infra_services_coverage.py
+tests/test_sprint2_rbac.py

scriptgini-1.2.0/tests/test_sprint2_rbac.py

@@ -0,0 +1,295 @@
+import pytest
+from fastapi.testclient import TestClient
+from sqlalchemy import create_engine
+from sqlalchemy.orm import sessionmaker
+from sqlalchemy.pool import StaticPool
+
+import app.models.user  # noqa: F401
+import app.models.api_key  # noqa: F401
+import app.models.project  # noqa: F401
+import app.models.organization  # noqa: F401
+import app.models.membership  # noqa: F401
+
+from app.database import Base, get_db
+from app.main import app as fastapi_app
+
+TEST_DATABASE_URL = "sqlite:///:memory:"
+
+engine = create_engine(
+    TEST_DATABASE_URL,
+    connect_args={"check_same_thread": False},
+    poolclass=StaticPool,
+)
+TestingSessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
+
+
+@pytest.fixture(autouse=True)
+def setup_db():
+    Base.metadata.create_all(bind=engine)
+
+    def override_get_db():
+        db = TestingSessionLocal()
+        try:
+            yield db
+        finally:
+            db.close()
+
+    fastapi_app.dependency_overrides[get_db] = override_get_db
+    try:
+        yield
+    finally:
+        fastapi_app.dependency_overrides.clear()
+        Base.metadata.drop_all(bind=engine)
+
+
+@pytest.fixture
+def client():
+    return TestClient(fastapi_app)
+
+
+def _register_and_login(client: TestClient, email: str, password: str = "TestPassword123!") -> tuple[int, dict[str, str]]:
+    register_resp = client.post(
+        "/api/v1/auth/register",
+        json={"email": email, "password": password},
+    )
+    assert register_resp.status_code == 201
+    user_id = register_resp.json()["id"]
+
+    login_resp = client.post(
+        "/api/v1/auth/login",
+        json={"email": email, "password": password},
+    )
+    assert login_resp.status_code == 200
+    token = login_resp.json()["access_token"]
+    return user_id, {"Authorization": f"Bearer {token}"}
+
+
+def _create_project(client: TestClient) -> int:
+    resp = client.post(
+        "/api/v1/projects/",
+        json={
+            "name": "RBAC Project",
+            "aut_base_url": "https://example.com",
+        },
+    )
+    assert resp.status_code == 201
+    return resp.json()["id"]
+
+
+class TestOrganizationEndpoints:
+    def test_jwt_create_and_list_organizations(self, client: TestClient):
+        _, headers = _register_and_login(client, "org-admin@example.com")
+
+        create_resp = client.post(
+            "/api/v1/organizations",
+            headers=headers,
+            json={"name": "Acme QA", "description": "Org for QA"},
+        )
+        assert create_resp.status_code == 201
+
+        list_resp = client.get("/api/v1/organizations", headers=headers)
+        assert list_resp.status_code == 200
+        assert len(list_resp.json()) == 1
+        assert list_resp.json()[0]["name"] == "Acme QA"
+
+    def test_api_key_scope_enforced_on_organizations(self, client: TestClient):
+        _, headers = _register_and_login(client, "api-key-org@example.com")
+
+        create_key_resp = client.post(
+            "/api/v1/auth/api-keys",
+            headers=headers,
+            json={"name": "Org Writer", "scopes": ["org:write"]},
+        )
+        assert create_key_resp.status_code == 201
+        key_data = create_key_resp.json()
+        auth_header = {"Authorization": f"Bearer {key_data['id']}:{key_data['secret_key']}"}
+
+        create_org = client.post(
+            "/api/v1/organizations",
+            headers=auth_header,
+            json={"name": "Scoped Org", "description": "Scoped create"},
+        )
+        assert create_org.status_code == 201
+
+        list_orgs_forbidden = client.get("/api/v1/organizations", headers=auth_header)
+        assert list_orgs_forbidden.status_code == 403
+
+    def test_duplicate_organization_name_returns_400(self, client: TestClient):
+        _, headers = _register_and_login(client, "org-dup@example.com")
+
+        first = client.post(
+            "/api/v1/organizations",
+            headers=headers,
+            json={"name": "Duplicate Org", "description": "first"},
+        )
+        assert first.status_code == 201
+
+        second = client.post(
+            "/api/v1/organizations",
+            headers=headers,
+            json={"name": "Duplicate Org", "description": "second"},
+        )
+        assert second.status_code == 400
+
+
+class TestProjectMembersRBAC:
+    @pytest.mark.parametrize(
+        "role,expected_put,expected_delete",
+        [
+            ("owner", 200, 204),
+            ("admin", 200, 204),
+            ("member", 403, 403),
+            ("viewer", 403, 403),
+        ],
+    )
+    def test_role_matrix_for_member_management(
+        self,
+        client: TestClient,
+        role: str,
+        expected_put: int,
+        expected_delete: int,
+    ):
+        owner_id, owner_headers = _register_and_login(client, "owner@example.com")
+        actor_id, actor_headers = _register_and_login(client, f"actor-{role}@example.com")
+        target_id, _ = _register_and_login(client, f"target-{role}@example.com")
+
+        project_id = _create_project(client)
+
+        bootstrap_owner = client.put(
+            f"/api/v1/projects/{project_id}/members/{owner_id}",
+            headers=owner_headers,
+            json={"role": "owner", "is_active": True},
+        )
+        assert bootstrap_owner.status_code == 200
+
+        add_actor = client.put(
+            f"/api/v1/projects/{project_id}/members/{actor_id}",
+            headers=owner_headers,
+            json={"role": role, "is_active": True},
+        )
+        assert add_actor.status_code == 200
+
+        list_resp = client.get(
+            f"/api/v1/projects/{project_id}/members",
+            headers=actor_headers,
+        )
+        assert list_resp.status_code == 200
+
+        mutate_resp = client.put(
+            f"/api/v1/projects/{project_id}/members/{target_id}",
+            headers=actor_headers,
+            json={"role": "viewer", "is_active": True},
+        )
+        assert mutate_resp.status_code == expected_put
+
+        if expected_put == 200:
+            delete_resp = client.delete(
+                f"/api/v1/projects/{project_id}/members/{target_id}",
+                headers=actor_headers,
+            )
+            assert delete_resp.status_code == expected_delete
+        else:
+            # Non-manager roles should not be able to delete members either.
+            delete_resp = client.delete(
+                f"/api/v1/projects/{project_id}/members/{owner_id}",
+                headers=actor_headers,
+            )
+            assert delete_resp.status_code == expected_delete
+
+    def test_project_members_requires_scoped_api_key(self, client: TestClient):
+        owner_id, owner_headers = _register_and_login(client, "owner-api-key@example.com")
+        project_id = _create_project(client)
+
+        bootstrap_owner = client.put(
+            f"/api/v1/projects/{project_id}/members/{owner_id}",
+            headers=owner_headers,
+            json={"role": "owner", "is_active": True},
+        )
+        assert bootstrap_owner.status_code == 200
+
+        create_key_resp = client.post(
+            "/api/v1/auth/api-keys",
+            headers=owner_headers,
+            json={"name": "Read members", "scopes": ["members:read"]},
+        )
+        assert create_key_resp.status_code == 201
+        key_data = create_key_resp.json()
+
+        key_headers = {"Authorization": f"Bearer {key_data['id']}:{key_data['secret_key']}"}
+        list_resp = client.get(f"/api/v1/projects/{project_id}/members", headers=key_headers)
+        assert list_resp.status_code == 200
+
+        put_resp = client.put(
+            f"/api/v1/projects/{project_id}/members/{owner_id}",
+            headers=key_headers,
+            json={"role": "owner", "is_active": True},
+        )
+        assert put_resp.status_code == 403
+
+    def test_list_members_forbidden_for_non_member(self, client: TestClient):
+        owner_id, owner_headers = _register_and_login(client, "owner-forbidden@example.com")
+        _, outsider_headers = _register_and_login(client, "outsider@example.com")
+        project_id = _create_project(client)
+
+        bootstrap_owner = client.put(
+            f"/api/v1/projects/{project_id}/members/{owner_id}",
+            headers=owner_headers,
+            json={"role": "owner", "is_active": True},
+        )
+        assert bootstrap_owner.status_code == 200
+
+        forbidden = client.get(
+            f"/api/v1/projects/{project_id}/members",
+            headers=outsider_headers,
+        )
+        assert forbidden.status_code == 403
+
+    def test_list_members_missing_project_returns_404(self, client: TestClient):
+        _, headers = _register_and_login(client, "owner-missing-project@example.com")
+        resp = client.get("/api/v1/projects/99999/members", headers=headers)
+        assert resp.status_code == 404
+
+    def test_delete_missing_member_returns_404(self, client: TestClient):
+        owner_id, owner_headers = _register_and_login(client, "owner-delete-missing@example.com")
+        project_id = _create_project(client)
+
+        bootstrap_owner = client.put(
+            f"/api/v1/projects/{project_id}/members/{owner_id}",
+            headers=owner_headers,
+            json={"role": "owner", "is_active": True},
+        )
+        assert bootstrap_owner.status_code == 200
+
+        delete_missing = client.delete(
+            f"/api/v1/projects/{project_id}/members/99999",
+            headers=owner_headers,
+        )
+        assert delete_missing.status_code == 404
+
+    def test_upsert_existing_member_updates_role(self, client: TestClient):
+        owner_id, owner_headers = _register_and_login(client, "owner-update-member@example.com")
+        actor_id, _ = _register_and_login(client, "actor-update-member@example.com")
+        project_id = _create_project(client)
+
+        bootstrap_owner = client.put(
+            f"/api/v1/projects/{project_id}/members/{owner_id}",
+            headers=owner_headers,
+            json={"role": "owner", "is_active": True},
+        )
+        assert bootstrap_owner.status_code == 200
+
+        add_actor = client.put(
+            f"/api/v1/projects/{project_id}/members/{actor_id}",
+            headers=owner_headers,
+            json={"role": "viewer", "is_active": True},
+        )
+        assert add_actor.status_code == 200
+        assert add_actor.json()["role"] == "viewer"
+
+        update_actor = client.put(
+            f"/api/v1/projects/{project_id}/members/{actor_id}",
+            headers=owner_headers,
+            json={"role": "admin", "is_active": True},
+        )
+        assert update_actor.status_code == 200
+        assert update_actor.json()["role"] == "admin"

scriptgini-1.0.7/app/routers/projects.py

@@ -1,51 +0,0 @@
-from fastapi import APIRouter, Depends, HTTPException, status
-from sqlalchemy.orm import Session
-
-from app.database import get_db
-from app.models.project import Project
-from app.schemas.project import ProjectCreate, ProjectUpdate, ProjectResponse
-
-router = APIRouter(prefix="/projects", tags=["Projects"])
-
-
-@router.post("/", response_model=ProjectResponse, status_code=status.HTTP_201_CREATED)
-def create_project(payload: ProjectCreate, db: Session = Depends(get_db)):
-    project = Project(**payload.model_dump())
-    db.add(project)
-    db.commit()
-    db.refresh(project)
-    return project
-
-
-@router.get("/", response_model=list[ProjectResponse])
-def list_projects(skip: int = 0, limit: int = 50, db: Session = Depends(get_db)):
-    return db.query(Project).offset(skip).limit(limit).all()
-
-
-@router.get("/{project_id}", response_model=ProjectResponse)
-def get_project(project_id: int, db: Session = Depends(get_db)):
-    project = db.query(Project).filter(Project.id == project_id).first()
-    if not project:
-        raise HTTPException(status_code=404, detail="Project not found")
-    return project
-
-
-@router.patch("/{project_id}", response_model=ProjectResponse)
-def update_project(project_id: int, payload: ProjectUpdate, db: Session = Depends(get_db)):
-    project = db.query(Project).filter(Project.id == project_id).first()
-    if not project:
-        raise HTTPException(status_code=404, detail="Project not found")
-    for field, value in payload.model_dump(exclude_none=True).items():
-        setattr(project, field, value)
-    db.commit()
-    db.refresh(project)
-    return project
-
-
-@router.delete("/{project_id}", status_code=status.HTTP_204_NO_CONTENT)
-def delete_project(project_id: int, db: Session = Depends(get_db)):
-    project = db.query(Project).filter(Project.id == project_id).first()
-    if not project:
-        raise HTTPException(status_code=404, detail="Project not found")
-    db.delete(project)
-    db.commit()