scriptgini 1.5.2__tar.gz → 1.5.4__tar.gz

{scriptgini-1.5.2 → scriptgini-1.5.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scriptgini
-Version: 1.5.2
+Version: 1.5.4
 Summary: Agentic AI system that converts functional test cases into automation test scripts.
 Author: ScriptGini Team
 License: Proprietary
@@ -16,7 +16,7 @@ Description-Content-Type: text/markdown
 
 > **Enterprise-grade Agentic AI system that converts functional test cases into high-quality, review-ready automation test scripts.**
 
-Current release: v1.5.2 (Sprint 6 hardening + API key audit/revocation patch)
+Current release: v1.5.4 (Sprint 6 patch - RBAC enforcement hardening with 100% passing tests and 100% statement coverage)
 
 ---
 

{scriptgini-1.5.2 → scriptgini-1.5.4}/README.md

@@ -2,7 +2,7 @@
 
 > **Enterprise-grade Agentic AI system that converts functional test cases into high-quality, review-ready automation test scripts.**
 
-Current release: v1.5.2 (Sprint 6 hardening + API key audit/revocation patch)
+Current release: v1.5.4 (Sprint 6 patch - RBAC enforcement hardening with 100% passing tests and 100% statement coverage)
 
 ---
 

scriptgini-1.5.4/app/__init__.py

@@ -0,0 +1,3 @@
+__version__ = "1.5.4"
+__api_version__ = "v1.5.4"
+

{scriptgini-1.5.2 → scriptgini-1.5.4}/app/routers/analytics.py

@@ -20,16 +20,23 @@ from app.schemas.analytics import (
     TrendPointResponse,
     TrendsResponse,
 )
+from app.services import rbac as rbac_service
+from app.services.auth_dependencies import require_optional_auth_with_scopes
 
 router = APIRouter(prefix="/projects/{project_id}/analytics", tags=["Run Analytics"])
 insights_router = APIRouter(prefix="/analytics", tags=["Run Analytics"])
 
 
 @router.get("/runs", response_model=RunAnalyticsResponse)
-def get_run_analytics(project_id: int, db: Session = Depends(get_db)):
+def get_run_analytics(
+    project_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"analytics:read"})),
+    db: Session = Depends(get_db),
+):
     project = db.query(Project).filter(Project.id == project_id).first()
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
 
     aggregate = (
         db.query(
@@ -98,12 +105,14 @@ def get_trends(
     project_id: int | None = None,
     start_date: date | None = None,
     end_date: date | None = None,
+    current_user=Depends(require_optional_auth_with_scopes({"analytics:read"})),
     db: Session = Depends(get_db),
 ):
     if project_id is not None:
         project = db.query(Project).filter(Project.id == project_id).first()
         if not project:
             raise HTTPException(status_code=404, detail="Project not found")
+        rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
 
     start_dt, end_dt = _resolve_datetime_range(start_date, end_date)
     bucket_expr = func.date(ScriptRun.created_at)
@@ -148,12 +157,14 @@ def get_flakiness(
     start_date: date | None = None,
     end_date: date | None = None,
     min_runs: int = 3,
+    current_user=Depends(require_optional_auth_with_scopes({"analytics:read"})),
     db: Session = Depends(get_db),
 ):
     if project_id is not None:
         project = db.query(Project).filter(Project.id == project_id).first()
         if not project:
             raise HTTPException(status_code=404, detail="Project not found")
+        rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
 
     min_runs = max(1, min_runs)
     start_dt, end_dt = _resolve_datetime_range(start_date, end_date)
@@ -205,6 +216,7 @@ def get_flakiness(
 @insights_router.get("/coverage", response_model=CoverageResponse)
 def get_coverage(
     project_id: int | None = None,
+    current_user=Depends(require_optional_auth_with_scopes({"analytics:read"})),
     db: Session = Depends(get_db),
 ):
     """Map test cases to scripted/executed/passed state, grouped by project module (derived from test case title prefix)."""
@@ -212,6 +224,7 @@ def get_coverage(
         project = db.query(Project).filter(Project.id == project_id).first()
         if not project:
             raise HTTPException(status_code=404, detail="Project not found")
+        rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
 
     tc_query = db.query(TestCase)
     if project_id is not None:

{scriptgini-1.5.2 → scriptgini-1.5.4}/app/routers/api_key.py

@@ -118,6 +118,7 @@ def update_api_key(
     
     # Check that the key belongs to the current user
     if existing_key.user_id != current_user.id:
+        _audit_api_key_event("api_key_revoked", current_user.id, existing_key.id, existing_key.prefix, "forbidden")
         raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Not authorized to update this API key")
     
     api_key = api_key_service.update_api_key(
@@ -141,6 +142,7 @@ def delete_api_key(
     existing_key = api_key_service.get_api_key_by_id(db, key_id)
     
     if not existing_key:
+        _audit_api_key_event("api_key_revoked", current_user.id, key_id, None, "not_found")
         raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="API key not found")
     
     # Check that the key belongs to the current user

{scriptgini-1.5.2 → scriptgini-1.5.4}/app/routers/bulk_jobs.py

@@ -19,6 +19,8 @@ from app.routers.scripts import (
     _get_project_or_404,
     _run_python_script,
 )
+from app.services import rbac as rbac_service
+from app.services.auth_dependencies import require_optional_auth_with_scopes
 
 router = APIRouter(prefix="/projects/{project_id}/scripts", tags=["Bulk Jobs"])
 logger = logging.getLogger(__name__)
@@ -219,9 +221,11 @@ def _run_bulk_execution(job_id: int, request: BulkRunRequest):
 def bulk_generate_scripts(
     project_id: int,
     payload: BulkGenerateRequest,
+    current_user=Depends(require_optional_auth_with_scopes({"bulk-jobs:write"})),
     db: Session = Depends(get_db),
 ):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     test_cases = _resolve_test_cases(project_id, payload.test_case_ids, db)
     if not test_cases:
         raise HTTPException(status_code=400, detail="No test cases found for bulk generation")
@@ -253,9 +257,11 @@ def bulk_generate_scripts(
 def bulk_run_scripts(
     project_id: int,
     payload: BulkRunRequest,
+    current_user=Depends(require_optional_auth_with_scopes({"bulk-jobs:write"})),
     db: Session = Depends(get_db),
 ):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     test_cases = _resolve_test_cases(project_id, payload.test_case_ids, db)
     if not test_cases:
         raise HTTPException(status_code=400, detail="No test cases found for bulk run")
@@ -284,7 +290,13 @@ def bulk_run_scripts(
 
 
 @router.get("/bulk-jobs/{job_id}", response_model=BulkJobResponse)
-def get_bulk_job(project_id: int, job_id: int, db: Session = Depends(get_db)):
+def get_bulk_job(
+    project_id: int,
+    job_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"bulk-jobs:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     job = _get_bulk_job_or_404(project_id, job_id, db)
     return _serialize_bulk_job(job, db)

{scriptgini-1.5.2 → scriptgini-1.5.4}/app/routers/projects.py

@@ -6,27 +6,36 @@ from app.models.project import Project
 from app.schemas.membership import ProjectMemberResponse, ProjectMemberUpsertRequest
 from app.schemas.project import ProjectCreate, ProjectUpdate, ProjectResponse
 from app.services import rbac as rbac_service
-from app.services.auth_dependencies import require_auth_with_scopes
+from app.services.auth_dependencies import require_auth_with_scopes, require_optional_auth_with_scopes
 
 router = APIRouter(prefix="/projects", tags=["Projects"])
 
 
 def _ensure_project_manager(db: Session, project_id: int, user_id: int) -> None:
-    existing_members = rbac_service.list_project_members(db, project_id)
-    if not existing_members:
-        return
-
-    membership = rbac_service.get_user_project_membership(db, project_id, user_id)
-    if membership is None or membership.role not in rbac_service.MANAGER_ROLES:
-        raise HTTPException(status_code=403, detail="Insufficient project role")
+    rbac_service.ensure_project_manager_access(db, project_id, user_id)
 
 
 @router.post("/", response_model=ProjectResponse, status_code=status.HTTP_201_CREATED)
-def create_project(payload: ProjectCreate, db: Session = Depends(get_db)):
+def create_project(
+    payload: ProjectCreate,
+    current_user=Depends(require_optional_auth_with_scopes({"projects:write"})),
+    db: Session = Depends(get_db),
+):
     project = Project(**payload.model_dump())
     db.add(project)
     db.commit()
     db.refresh(project)
+
+    # Auto-bootstrap project owner membership for authenticated creators.
+    if current_user is not None:
+        rbac_service.upsert_project_member(
+            db=db,
+            project_id=project.id,
+            user_id=current_user.id,
+            role=rbac_service.Role.owner,
+            is_active=True,
+        )
+
     return project
 
 
@@ -36,18 +45,29 @@ def list_projects(skip: int = 0, limit: int = 50, db: Session = Depends(get_db))
 
 
 @router.get("/{project_id}", response_model=ProjectResponse)
-def get_project(project_id: int, db: Session = Depends(get_db)):
+def get_project(
+    project_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"projects:read"})),
+    db: Session = Depends(get_db),
+):
     project = db.query(Project).filter(Project.id == project_id).first()
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     return project
 
 
 @router.patch("/{project_id}", response_model=ProjectResponse)
-def update_project(project_id: int, payload: ProjectUpdate, db: Session = Depends(get_db)):
+def update_project(
+    project_id: int,
+    payload: ProjectUpdate,
+    current_user=Depends(require_optional_auth_with_scopes({"projects:write"})),
+    db: Session = Depends(get_db),
+):
     project = db.query(Project).filter(Project.id == project_id).first()
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     for field, value in payload.model_dump(exclude_none=True).items():
         setattr(project, field, value)
     db.commit()
@@ -56,10 +76,15 @@ def update_project(project_id: int, payload: ProjectUpdate, db: Session = Depend
 
 
 @router.delete("/{project_id}", status_code=status.HTTP_204_NO_CONTENT)
-def delete_project(project_id: int, db: Session = Depends(get_db)):
+def delete_project(
+    project_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"projects:write"})),
+    db: Session = Depends(get_db),
+):
     project = db.query(Project).filter(Project.id == project_id).first()
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     db.delete(project)
     db.commit()
 
@@ -70,10 +95,7 @@ def list_project_members(
     current_user=Depends(require_auth_with_scopes({"members:read"})),
     db: Session = Depends(get_db),
 ):
-    rbac_service.ensure_project_exists(db, project_id)
-    membership = rbac_service.get_user_project_membership(db, project_id, current_user.id)
-    if membership is None or membership.role not in rbac_service.READ_ROLES:
-        raise HTTPException(status_code=403, detail="Insufficient project role")
+    rbac_service.ensure_project_read_access(db, project_id, current_user.id)
     return rbac_service.list_project_members(db, project_id)
 
 

{scriptgini-1.5.2 → scriptgini-1.5.4}/app/routers/scripts.py

@@ -33,6 +33,8 @@ from app.models.script_revision import ScriptRevision, RevisionChangeType
 from app.agents.script_gini_agent import run_agent
 from app.llm.provider import LLMProvider, get_llm_diagnostics
 from app.services.git_export import export_generated_script
+from app.services import rbac as rbac_service
+from app.services.auth_dependencies import require_optional_auth_with_scopes
 from app.tasks import process_script_generation_job
 
 logger = logging.getLogger(__name__)
@@ -174,8 +176,15 @@ def _provider_readiness(provider: LLMProvider) -> tuple[bool, str]:
 
 
 @router.get("/providers/{provider}/ready")
-def provider_ready(project_id: int, tc_id: int, provider: LLMProvider, db: Session = Depends(get_db)):
+def provider_ready(
+    project_id: int,
+    tc_id: int,
+    provider: LLMProvider,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     ok, detail = _provider_readiness(provider)
     return {"ready": ok, "detail": detail}
@@ -464,10 +473,12 @@ def generate_script(
     project_id: int,
     tc_id: int,
     payload: GenerateScriptRequest,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
     db: Session = Depends(get_db),
 ):
     """Kick off async script generation. Poll GET /scripts/{id} for the result."""
     project = _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
 
     framework = (payload.framework or project.default_framework).value
@@ -506,9 +517,11 @@ def list_scripts(
     tc_id: int,
     skip: int = 0,
     limit: int = 50,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
     db: Session = Depends(get_db),
 ):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     return (
         db.query(GeneratedScript)
@@ -521,15 +534,29 @@ def list_scripts(
 
 
 @router.get("/{script_id}", response_model=GeneratedScriptResponse)
-def get_script(project_id: int, tc_id: int, script_id: int, db: Session = Depends(get_db)):
+def get_script(
+    project_id: int,
+    tc_id: int,
+    script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     return _get_script_or_404(project_id, tc_id, script_id, db)
 
 
 @router.get("/{script_id}/runs", response_model=list[ScriptRunResponse])
-def list_script_runs(project_id: int, tc_id: int, script_id: int, db: Session = Depends(get_db)):
+def list_script_runs(
+    project_id: int,
+    tc_id: int,
+    script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     _get_script_or_404(project_id, tc_id, script_id, db)
     return (
@@ -541,8 +568,15 @@ def list_script_runs(project_id: int, tc_id: int, script_id: int, db: Session =
 
 
 @router.post("/{script_id}/run", response_model=ScriptRunResponse)
-def run_script(project_id: int, tc_id: int, script_id: int, db: Session = Depends(get_db)):
+def run_script(
+    project_id: int,
+    tc_id: int,
+    script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
+    db: Session = Depends(get_db),
+):
     project = _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     script = _get_script_or_404(project_id, tc_id, script_id, db)
 
@@ -582,8 +616,15 @@ def run_script(project_id: int, tc_id: int, script_id: int, db: Session = Depend
 
 
 @router.post("/{script_id}/github-export")
-def github_export_script(project_id: int, tc_id: int, script_id: int, db: Session = Depends(get_db)):
+def github_export_script(
+    project_id: int,
+    tc_id: int,
+    script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
+    db: Session = Depends(get_db),
+):
     project = _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     tc = _get_tc_or_404(project_id, tc_id, db)
     script = _get_script_or_404(project_id, tc_id, script_id, db)
 
@@ -619,8 +660,15 @@ def github_export_script(project_id: int, tc_id: int, script_id: int, db: Sessio
 
 
 @router.delete("/{script_id}", status_code=status.HTTP_204_NO_CONTENT)
-def delete_script(project_id: int, tc_id: int, script_id: int, db: Session = Depends(get_db)):
+def delete_script(
+    project_id: int,
+    tc_id: int,
+    script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     script = _get_script_or_404(project_id, tc_id, script_id, db)
     db.delete(script)
     db.commit()
@@ -666,10 +714,12 @@ def refactor_script(
     tc_id: int,
     script_id: int,
     payload: RefactorScriptRequest,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
     db: Session = Depends(get_db),
 ):
     """Submit an error log; the LLM heals the script and saves a new revision."""
     project = _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     tc = _get_tc_or_404(project_id, tc_id, db)
     script = _get_script_or_404(project_id, tc_id, script_id, db)
 
@@ -727,9 +777,11 @@ def get_version_history(
     project_id: int,
     tc_id: int,
     script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
     db: Session = Depends(get_db),
 ):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     _get_script_or_404(project_id, tc_id, script_id, db)
 
@@ -752,10 +804,12 @@ def get_revision_diff(
     tc_id: int,
     script_id: int,
     revision_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
     db: Session = Depends(get_db),
 ):
     """Return a unified diff between the revision just before `revision_id` and `revision_id`."""
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     _get_script_or_404(project_id, tc_id, script_id, db)
 
@@ -803,10 +857,12 @@ def rollback_script(
     tc_id: int,
     script_id: int,
     revision_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
     db: Session = Depends(get_db),
 ):
     """Restore a script to a previously saved revision and record a rolled_back snapshot."""
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     script = _get_script_or_404(project_id, tc_id, script_id, db)
 

{scriptgini-1.5.2 → scriptgini-1.5.4}/app/routers/test_cases.py

@@ -5,6 +5,8 @@ from app.database import get_db
 from app.models.project import Project
 from app.models.test_case import TestCase
 from app.schemas.test_case import TestCaseCreate, TestCaseUpdate, TestCaseResponse
+from app.services import rbac as rbac_service
+from app.services.auth_dependencies import require_optional_auth_with_scopes
 
 router = APIRouter(prefix="/projects/{project_id}/test-cases", tags=["Test Cases"])
 
@@ -17,8 +19,14 @@ def _get_project_or_404(project_id: int, db: Session) -> Project:
 
 
 @router.post("/", response_model=TestCaseResponse, status_code=status.HTTP_201_CREATED)
-def create_test_case(project_id: int, payload: TestCaseCreate, db: Session = Depends(get_db)):
+def create_test_case(
+    project_id: int,
+    payload: TestCaseCreate,
+    current_user=Depends(require_optional_auth_with_scopes({"test-cases:write"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     tc = TestCase(project_id=project_id, **payload.model_dump())
     db.add(tc)
     db.commit()
@@ -27,14 +35,27 @@ def create_test_case(project_id: int, payload: TestCaseCreate, db: Session = Dep
 
 
 @router.get("/", response_model=list[TestCaseResponse])
-def list_test_cases(project_id: int, skip: int = 0, limit: int = 100, db: Session = Depends(get_db)):
+def list_test_cases(
+    project_id: int,
+    skip: int = 0,
+    limit: int = 100,
+    current_user=Depends(require_optional_auth_with_scopes({"test-cases:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     return db.query(TestCase).filter(TestCase.project_id == project_id).offset(skip).limit(limit).all()
 
 
 @router.get("/{tc_id}", response_model=TestCaseResponse)
-def get_test_case(project_id: int, tc_id: int, db: Session = Depends(get_db)):
+def get_test_case(
+    project_id: int,
+    tc_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"test-cases:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     tc = db.query(TestCase).filter(TestCase.project_id == project_id, TestCase.id == tc_id).first()
     if not tc:
         raise HTTPException(status_code=404, detail="Test case not found")
@@ -42,8 +63,15 @@ def get_test_case(project_id: int, tc_id: int, db: Session = Depends(get_db)):
 
 
 @router.patch("/{tc_id}", response_model=TestCaseResponse)
-def update_test_case(project_id: int, tc_id: int, payload: TestCaseUpdate, db: Session = Depends(get_db)):
+def update_test_case(
+    project_id: int,
+    tc_id: int,
+    payload: TestCaseUpdate,
+    current_user=Depends(require_optional_auth_with_scopes({"test-cases:write"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     tc = db.query(TestCase).filter(TestCase.project_id == project_id, TestCase.id == tc_id).first()
     if not tc:
         raise HTTPException(status_code=404, detail="Test case not found")
@@ -55,8 +83,14 @@ def update_test_case(project_id: int, tc_id: int, payload: TestCaseUpdate, db: S
 
 
 @router.delete("/{tc_id}", status_code=status.HTTP_204_NO_CONTENT)
-def delete_test_case(project_id: int, tc_id: int, db: Session = Depends(get_db)):
+def delete_test_case(
+    project_id: int,
+    tc_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"test-cases:write"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     tc = db.query(TestCase).filter(TestCase.project_id == project_id, TestCase.id == tc_id).first()
     if not tc:
         raise HTTPException(status_code=404, detail="Test case not found")

{scriptgini-1.5.2 → scriptgini-1.5.4}/app/services/auth_dependencies.py

@@ -9,6 +9,28 @@ from app.services import auth as auth_service
 from app.services import api_key as api_key_service
 
 security = HTTPBearer()
+optional_security = HTTPBearer(auto_error=False)
+
+
+def _resolve_user_or_api_key_identity(token: str, db: Session):
+    # First try to verify as JWT token.
+    token_data = auth_service.verify_token(token, token_type="access")
+    if token_data:
+        user = auth_service.get_user_by_id(db, token_data.user_id)
+        if user and user.is_active:
+            return user
+
+    # Then try key_id:key_secret API key format.
+    if ":" in token:
+        key_id, key_secret = token.split(":", 1)
+        api_key = api_key_service.verify_api_key(db, key_id, key_secret)
+        if api_key:
+            user = auth_service.get_user_by_id(db, api_key.user_id)
+            if user and user.is_active:
+                user._api_key = api_key
+                return user
+
+    return None
 
 
 def get_current_user(
@@ -66,25 +88,9 @@ def get_current_user_or_api_key(
             return {"user_id": current_user.id}
     """
     token = credentials.credentials
-    
-    # First try to verify as JWT token
-    token_data = auth_service.verify_token(token, token_type="access")
-    if token_data:
-        user = auth_service.get_user_by_id(db, token_data.user_id)
-        if user and user.is_active:
-            return user
-    
-    # Try to parse as API key (key_id:key_secret format)
-    if ":" in token:
-        key_id, key_secret = token.split(":", 1)
-        api_key = api_key_service.verify_api_key(db, key_id, key_secret)
-        if api_key:
-            # Return the user associated with the API key
-            user = auth_service.get_user_by_id(db, api_key.user_id)
-            if user and user.is_active:
-                # Attach api_key to user for scope checking in routes
-                user._api_key = api_key
-                return user
+    user = _resolve_user_or_api_key_identity(token, db)
+    if user is not None:
+        return user
     
     raise HTTPException(
         status_code=status.HTTP_401_UNAUTHORIZED,
@@ -93,6 +99,24 @@ def get_current_user_or_api_key(
     )
 
 
+def get_optional_current_user_or_api_key(
+    credentials: HTTPAuthorizationCredentials | None = Depends(optional_security),
+    db: Session = Depends(get_db),
+):
+    if credentials is None:
+        return None
+
+    user = _resolve_user_or_api_key_identity(credentials.credentials, db)
+    if user is not None:
+        return user
+
+    raise HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Invalid or expired credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+
+
 def require_auth_with_scopes(required_scopes: set[str] | None = None) -> Callable:
     required_scopes = required_scopes or set()
 
@@ -108,3 +132,23 @@ def require_auth_with_scopes(required_scopes: set[str] | None = None) -> Callabl
         return current_user
 
     return _dependency
+
+
+def require_optional_auth_with_scopes(required_scopes: set[str] | None = None) -> Callable:
+    required_scopes = required_scopes or set()
+
+    def _dependency(current_user=Depends(get_optional_current_user_or_api_key)):
+        if current_user is None:
+            return None
+
+        api_key = getattr(current_user, "_api_key", None)
+        if api_key is not None:
+            granted_scopes = set(api_key.scopes or [])
+            if not required_scopes.issubset(granted_scopes):
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="API key does not have required scopes",
+                )
+        return current_user
+
+    return _dependency