scriptgini 1.5.3__tar.gz → 1.5.4__tar.gz

{scriptgini-1.5.3 → scriptgini-1.5.4}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scriptgini
-Version: 1.5.3
+Version: 1.5.4
 Summary: Agentic AI system that converts functional test cases into automation test scripts.
 Author: ScriptGini Team
 License: Proprietary
@@ -16,7 +16,7 @@ Description-Content-Type: text/markdown
 
 > **Enterprise-grade Agentic AI system that converts functional test cases into high-quality, review-ready automation test scripts.**
 
-Current release: v1.5.3 (Sprint 6 complete - 100% test coverage and full audit logging hardening)
+Current release: v1.5.4 (Sprint 6 patch - RBAC enforcement hardening with 100% passing tests and 100% statement coverage)
 
 ---
 

{scriptgini-1.5.3 → scriptgini-1.5.4}/README.md

@@ -2,7 +2,7 @@
 
 > **Enterprise-grade Agentic AI system that converts functional test cases into high-quality, review-ready automation test scripts.**
 
-Current release: v1.5.3 (Sprint 6 complete - 100% test coverage and full audit logging hardening)
+Current release: v1.5.4 (Sprint 6 patch - RBAC enforcement hardening with 100% passing tests and 100% statement coverage)
 
 ---
 

scriptgini-1.5.4/app/__init__.py

@@ -0,0 +1,3 @@
+__version__ = "1.5.4"
+__api_version__ = "v1.5.4"
+

{scriptgini-1.5.3 → scriptgini-1.5.4}/app/routers/analytics.py

@@ -20,16 +20,23 @@ from app.schemas.analytics import (
     TrendPointResponse,
     TrendsResponse,
 )
+from app.services import rbac as rbac_service
+from app.services.auth_dependencies import require_optional_auth_with_scopes
 
 router = APIRouter(prefix="/projects/{project_id}/analytics", tags=["Run Analytics"])
 insights_router = APIRouter(prefix="/analytics", tags=["Run Analytics"])
 
 
 @router.get("/runs", response_model=RunAnalyticsResponse)
-def get_run_analytics(project_id: int, db: Session = Depends(get_db)):
+def get_run_analytics(
+    project_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"analytics:read"})),
+    db: Session = Depends(get_db),
+):
     project = db.query(Project).filter(Project.id == project_id).first()
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
 
     aggregate = (
         db.query(
@@ -98,12 +105,14 @@ def get_trends(
     project_id: int | None = None,
     start_date: date | None = None,
     end_date: date | None = None,
+    current_user=Depends(require_optional_auth_with_scopes({"analytics:read"})),
     db: Session = Depends(get_db),
 ):
     if project_id is not None:
         project = db.query(Project).filter(Project.id == project_id).first()
         if not project:
             raise HTTPException(status_code=404, detail="Project not found")
+        rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
 
     start_dt, end_dt = _resolve_datetime_range(start_date, end_date)
     bucket_expr = func.date(ScriptRun.created_at)
@@ -148,12 +157,14 @@ def get_flakiness(
     start_date: date | None = None,
     end_date: date | None = None,
     min_runs: int = 3,
+    current_user=Depends(require_optional_auth_with_scopes({"analytics:read"})),
     db: Session = Depends(get_db),
 ):
     if project_id is not None:
         project = db.query(Project).filter(Project.id == project_id).first()
         if not project:
             raise HTTPException(status_code=404, detail="Project not found")
+        rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
 
     min_runs = max(1, min_runs)
     start_dt, end_dt = _resolve_datetime_range(start_date, end_date)
@@ -205,6 +216,7 @@ def get_flakiness(
 @insights_router.get("/coverage", response_model=CoverageResponse)
 def get_coverage(
     project_id: int | None = None,
+    current_user=Depends(require_optional_auth_with_scopes({"analytics:read"})),
     db: Session = Depends(get_db),
 ):
     """Map test cases to scripted/executed/passed state, grouped by project module (derived from test case title prefix)."""
@@ -212,6 +224,7 @@ def get_coverage(
         project = db.query(Project).filter(Project.id == project_id).first()
         if not project:
             raise HTTPException(status_code=404, detail="Project not found")
+        rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
 
     tc_query = db.query(TestCase)
     if project_id is not None:

{scriptgini-1.5.3 → scriptgini-1.5.4}/app/routers/bulk_jobs.py

@@ -19,6 +19,8 @@ from app.routers.scripts import (
     _get_project_or_404,
     _run_python_script,
 )
+from app.services import rbac as rbac_service
+from app.services.auth_dependencies import require_optional_auth_with_scopes
 
 router = APIRouter(prefix="/projects/{project_id}/scripts", tags=["Bulk Jobs"])
 logger = logging.getLogger(__name__)
@@ -219,9 +221,11 @@ def _run_bulk_execution(job_id: int, request: BulkRunRequest):
 def bulk_generate_scripts(
     project_id: int,
     payload: BulkGenerateRequest,
+    current_user=Depends(require_optional_auth_with_scopes({"bulk-jobs:write"})),
     db: Session = Depends(get_db),
 ):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     test_cases = _resolve_test_cases(project_id, payload.test_case_ids, db)
     if not test_cases:
         raise HTTPException(status_code=400, detail="No test cases found for bulk generation")
@@ -253,9 +257,11 @@ def bulk_generate_scripts(
 def bulk_run_scripts(
     project_id: int,
     payload: BulkRunRequest,
+    current_user=Depends(require_optional_auth_with_scopes({"bulk-jobs:write"})),
     db: Session = Depends(get_db),
 ):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     test_cases = _resolve_test_cases(project_id, payload.test_case_ids, db)
     if not test_cases:
         raise HTTPException(status_code=400, detail="No test cases found for bulk run")
@@ -284,7 +290,13 @@ def bulk_run_scripts(
 
 
 @router.get("/bulk-jobs/{job_id}", response_model=BulkJobResponse)
-def get_bulk_job(project_id: int, job_id: int, db: Session = Depends(get_db)):
+def get_bulk_job(
+    project_id: int,
+    job_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"bulk-jobs:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     job = _get_bulk_job_or_404(project_id, job_id, db)
     return _serialize_bulk_job(job, db)

{scriptgini-1.5.3 → scriptgini-1.5.4}/app/routers/projects.py

@@ -6,27 +6,36 @@ from app.models.project import Project
 from app.schemas.membership import ProjectMemberResponse, ProjectMemberUpsertRequest
 from app.schemas.project import ProjectCreate, ProjectUpdate, ProjectResponse
 from app.services import rbac as rbac_service
-from app.services.auth_dependencies import require_auth_with_scopes
+from app.services.auth_dependencies import require_auth_with_scopes, require_optional_auth_with_scopes
 
 router = APIRouter(prefix="/projects", tags=["Projects"])
 
 
 def _ensure_project_manager(db: Session, project_id: int, user_id: int) -> None:
-    existing_members = rbac_service.list_project_members(db, project_id)
-    if not existing_members:
-        return
-
-    membership = rbac_service.get_user_project_membership(db, project_id, user_id)
-    if membership is None or membership.role not in rbac_service.MANAGER_ROLES:
-        raise HTTPException(status_code=403, detail="Insufficient project role")
+    rbac_service.ensure_project_manager_access(db, project_id, user_id)
 
 
 @router.post("/", response_model=ProjectResponse, status_code=status.HTTP_201_CREATED)
-def create_project(payload: ProjectCreate, db: Session = Depends(get_db)):
+def create_project(
+    payload: ProjectCreate,
+    current_user=Depends(require_optional_auth_with_scopes({"projects:write"})),
+    db: Session = Depends(get_db),
+):
     project = Project(**payload.model_dump())
     db.add(project)
     db.commit()
     db.refresh(project)
+
+    # Auto-bootstrap project owner membership for authenticated creators.
+    if current_user is not None:
+        rbac_service.upsert_project_member(
+            db=db,
+            project_id=project.id,
+            user_id=current_user.id,
+            role=rbac_service.Role.owner,
+            is_active=True,
+        )
+
     return project
 
 
@@ -36,18 +45,29 @@ def list_projects(skip: int = 0, limit: int = 50, db: Session = Depends(get_db))
 
 
 @router.get("/{project_id}", response_model=ProjectResponse)
-def get_project(project_id: int, db: Session = Depends(get_db)):
+def get_project(
+    project_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"projects:read"})),
+    db: Session = Depends(get_db),
+):
     project = db.query(Project).filter(Project.id == project_id).first()
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     return project
 
 
 @router.patch("/{project_id}", response_model=ProjectResponse)
-def update_project(project_id: int, payload: ProjectUpdate, db: Session = Depends(get_db)):
+def update_project(
+    project_id: int,
+    payload: ProjectUpdate,
+    current_user=Depends(require_optional_auth_with_scopes({"projects:write"})),
+    db: Session = Depends(get_db),
+):
     project = db.query(Project).filter(Project.id == project_id).first()
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     for field, value in payload.model_dump(exclude_none=True).items():
         setattr(project, field, value)
     db.commit()
@@ -56,10 +76,15 @@ def update_project(project_id: int, payload: ProjectUpdate, db: Session = Depend
 
 
 @router.delete("/{project_id}", status_code=status.HTTP_204_NO_CONTENT)
-def delete_project(project_id: int, db: Session = Depends(get_db)):
+def delete_project(
+    project_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"projects:write"})),
+    db: Session = Depends(get_db),
+):
     project = db.query(Project).filter(Project.id == project_id).first()
     if not project:
         raise HTTPException(status_code=404, detail="Project not found")
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     db.delete(project)
     db.commit()
 
@@ -70,10 +95,7 @@ def list_project_members(
     current_user=Depends(require_auth_with_scopes({"members:read"})),
     db: Session = Depends(get_db),
 ):
-    rbac_service.ensure_project_exists(db, project_id)
-    membership = rbac_service.get_user_project_membership(db, project_id, current_user.id)
-    if membership is None or membership.role not in rbac_service.READ_ROLES:
-        raise HTTPException(status_code=403, detail="Insufficient project role")
+    rbac_service.ensure_project_read_access(db, project_id, current_user.id)
     return rbac_service.list_project_members(db, project_id)
 
 

{scriptgini-1.5.3 → scriptgini-1.5.4}/app/routers/scripts.py

@@ -33,6 +33,8 @@ from app.models.script_revision import ScriptRevision, RevisionChangeType
 from app.agents.script_gini_agent import run_agent
 from app.llm.provider import LLMProvider, get_llm_diagnostics
 from app.services.git_export import export_generated_script
+from app.services import rbac as rbac_service
+from app.services.auth_dependencies import require_optional_auth_with_scopes
 from app.tasks import process_script_generation_job
 
 logger = logging.getLogger(__name__)
@@ -174,8 +176,15 @@ def _provider_readiness(provider: LLMProvider) -> tuple[bool, str]:
 
 
 @router.get("/providers/{provider}/ready")
-def provider_ready(project_id: int, tc_id: int, provider: LLMProvider, db: Session = Depends(get_db)):
+def provider_ready(
+    project_id: int,
+    tc_id: int,
+    provider: LLMProvider,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     ok, detail = _provider_readiness(provider)
     return {"ready": ok, "detail": detail}
@@ -464,10 +473,12 @@ def generate_script(
     project_id: int,
     tc_id: int,
     payload: GenerateScriptRequest,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
     db: Session = Depends(get_db),
 ):
     """Kick off async script generation. Poll GET /scripts/{id} for the result."""
     project = _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
 
     framework = (payload.framework or project.default_framework).value
@@ -506,9 +517,11 @@ def list_scripts(
     tc_id: int,
     skip: int = 0,
     limit: int = 50,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
     db: Session = Depends(get_db),
 ):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     return (
         db.query(GeneratedScript)
@@ -521,15 +534,29 @@ def list_scripts(
 
 
 @router.get("/{script_id}", response_model=GeneratedScriptResponse)
-def get_script(project_id: int, tc_id: int, script_id: int, db: Session = Depends(get_db)):
+def get_script(
+    project_id: int,
+    tc_id: int,
+    script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     return _get_script_or_404(project_id, tc_id, script_id, db)
 
 
 @router.get("/{script_id}/runs", response_model=list[ScriptRunResponse])
-def list_script_runs(project_id: int, tc_id: int, script_id: int, db: Session = Depends(get_db)):
+def list_script_runs(
+    project_id: int,
+    tc_id: int,
+    script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     _get_script_or_404(project_id, tc_id, script_id, db)
     return (
@@ -541,8 +568,15 @@ def list_script_runs(project_id: int, tc_id: int, script_id: int, db: Session =
 
 
 @router.post("/{script_id}/run", response_model=ScriptRunResponse)
-def run_script(project_id: int, tc_id: int, script_id: int, db: Session = Depends(get_db)):
+def run_script(
+    project_id: int,
+    tc_id: int,
+    script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
+    db: Session = Depends(get_db),
+):
     project = _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     script = _get_script_or_404(project_id, tc_id, script_id, db)
 
@@ -582,8 +616,15 @@ def run_script(project_id: int, tc_id: int, script_id: int, db: Session = Depend
 
 
 @router.post("/{script_id}/github-export")
-def github_export_script(project_id: int, tc_id: int, script_id: int, db: Session = Depends(get_db)):
+def github_export_script(
+    project_id: int,
+    tc_id: int,
+    script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
+    db: Session = Depends(get_db),
+):
     project = _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     tc = _get_tc_or_404(project_id, tc_id, db)
     script = _get_script_or_404(project_id, tc_id, script_id, db)
 
@@ -619,8 +660,15 @@ def github_export_script(project_id: int, tc_id: int, script_id: int, db: Sessio
 
 
 @router.delete("/{script_id}", status_code=status.HTTP_204_NO_CONTENT)
-def delete_script(project_id: int, tc_id: int, script_id: int, db: Session = Depends(get_db)):
+def delete_script(
+    project_id: int,
+    tc_id: int,
+    script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     script = _get_script_or_404(project_id, tc_id, script_id, db)
     db.delete(script)
     db.commit()
@@ -666,10 +714,12 @@ def refactor_script(
     tc_id: int,
     script_id: int,
     payload: RefactorScriptRequest,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
     db: Session = Depends(get_db),
 ):
     """Submit an error log; the LLM heals the script and saves a new revision."""
     project = _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     tc = _get_tc_or_404(project_id, tc_id, db)
     script = _get_script_or_404(project_id, tc_id, script_id, db)
 
@@ -727,9 +777,11 @@ def get_version_history(
     project_id: int,
     tc_id: int,
     script_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
     db: Session = Depends(get_db),
 ):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     _get_script_or_404(project_id, tc_id, script_id, db)
 
@@ -752,10 +804,12 @@ def get_revision_diff(
     tc_id: int,
     script_id: int,
     revision_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:read"})),
     db: Session = Depends(get_db),
 ):
     """Return a unified diff between the revision just before `revision_id` and `revision_id`."""
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     _get_script_or_404(project_id, tc_id, script_id, db)
 
@@ -803,10 +857,12 @@ def rollback_script(
     tc_id: int,
     script_id: int,
     revision_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"scripts:write"})),
     db: Session = Depends(get_db),
 ):
     """Restore a script to a previously saved revision and record a rolled_back snapshot."""
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     _get_tc_or_404(project_id, tc_id, db)
     script = _get_script_or_404(project_id, tc_id, script_id, db)
 

{scriptgini-1.5.3 → scriptgini-1.5.4}/app/routers/test_cases.py

@@ -5,6 +5,8 @@ from app.database import get_db
 from app.models.project import Project
 from app.models.test_case import TestCase
 from app.schemas.test_case import TestCaseCreate, TestCaseUpdate, TestCaseResponse
+from app.services import rbac as rbac_service
+from app.services.auth_dependencies import require_optional_auth_with_scopes
 
 router = APIRouter(prefix="/projects/{project_id}/test-cases", tags=["Test Cases"])
 
@@ -17,8 +19,14 @@ def _get_project_or_404(project_id: int, db: Session) -> Project:
 
 
 @router.post("/", response_model=TestCaseResponse, status_code=status.HTTP_201_CREATED)
-def create_test_case(project_id: int, payload: TestCaseCreate, db: Session = Depends(get_db)):
+def create_test_case(
+    project_id: int,
+    payload: TestCaseCreate,
+    current_user=Depends(require_optional_auth_with_scopes({"test-cases:write"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     tc = TestCase(project_id=project_id, **payload.model_dump())
     db.add(tc)
     db.commit()
@@ -27,14 +35,27 @@ def create_test_case(project_id: int, payload: TestCaseCreate, db: Session = Dep
 
 
 @router.get("/", response_model=list[TestCaseResponse])
-def list_test_cases(project_id: int, skip: int = 0, limit: int = 100, db: Session = Depends(get_db)):
+def list_test_cases(
+    project_id: int,
+    skip: int = 0,
+    limit: int = 100,
+    current_user=Depends(require_optional_auth_with_scopes({"test-cases:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     return db.query(TestCase).filter(TestCase.project_id == project_id).offset(skip).limit(limit).all()
 
 
 @router.get("/{tc_id}", response_model=TestCaseResponse)
-def get_test_case(project_id: int, tc_id: int, db: Session = Depends(get_db)):
+def get_test_case(
+    project_id: int,
+    tc_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"test-cases:read"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_read_access(db, project_id, getattr(current_user, "id", None))
     tc = db.query(TestCase).filter(TestCase.project_id == project_id, TestCase.id == tc_id).first()
     if not tc:
         raise HTTPException(status_code=404, detail="Test case not found")
@@ -42,8 +63,15 @@ def get_test_case(project_id: int, tc_id: int, db: Session = Depends(get_db)):
 
 
 @router.patch("/{tc_id}", response_model=TestCaseResponse)
-def update_test_case(project_id: int, tc_id: int, payload: TestCaseUpdate, db: Session = Depends(get_db)):
+def update_test_case(
+    project_id: int,
+    tc_id: int,
+    payload: TestCaseUpdate,
+    current_user=Depends(require_optional_auth_with_scopes({"test-cases:write"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     tc = db.query(TestCase).filter(TestCase.project_id == project_id, TestCase.id == tc_id).first()
     if not tc:
         raise HTTPException(status_code=404, detail="Test case not found")
@@ -55,8 +83,14 @@ def update_test_case(project_id: int, tc_id: int, payload: TestCaseUpdate, db: S
 
 
 @router.delete("/{tc_id}", status_code=status.HTTP_204_NO_CONTENT)
-def delete_test_case(project_id: int, tc_id: int, db: Session = Depends(get_db)):
+def delete_test_case(
+    project_id: int,
+    tc_id: int,
+    current_user=Depends(require_optional_auth_with_scopes({"test-cases:write"})),
+    db: Session = Depends(get_db),
+):
     _get_project_or_404(project_id, db)
+    rbac_service.ensure_project_manager_access(db, project_id, getattr(current_user, "id", None))
     tc = db.query(TestCase).filter(TestCase.project_id == project_id, TestCase.id == tc_id).first()
     if not tc:
         raise HTTPException(status_code=404, detail="Test case not found")

{scriptgini-1.5.3 → scriptgini-1.5.4}/app/services/auth_dependencies.py

@@ -9,6 +9,28 @@ from app.services import auth as auth_service
 from app.services import api_key as api_key_service
 
 security = HTTPBearer()
+optional_security = HTTPBearer(auto_error=False)
+
+
+def _resolve_user_or_api_key_identity(token: str, db: Session):
+    # First try to verify as JWT token.
+    token_data = auth_service.verify_token(token, token_type="access")
+    if token_data:
+        user = auth_service.get_user_by_id(db, token_data.user_id)
+        if user and user.is_active:
+            return user
+
+    # Then try key_id:key_secret API key format.
+    if ":" in token:
+        key_id, key_secret = token.split(":", 1)
+        api_key = api_key_service.verify_api_key(db, key_id, key_secret)
+        if api_key:
+            user = auth_service.get_user_by_id(db, api_key.user_id)
+            if user and user.is_active:
+                user._api_key = api_key
+                return user
+
+    return None
 
 
 def get_current_user(
@@ -66,25 +88,9 @@ def get_current_user_or_api_key(
             return {"user_id": current_user.id}
     """
     token = credentials.credentials
-    
-    # First try to verify as JWT token
-    token_data = auth_service.verify_token(token, token_type="access")
-    if token_data:
-        user = auth_service.get_user_by_id(db, token_data.user_id)
-        if user and user.is_active:
-            return user
-    
-    # Try to parse as API key (key_id:key_secret format)
-    if ":" in token:
-        key_id, key_secret = token.split(":", 1)
-        api_key = api_key_service.verify_api_key(db, key_id, key_secret)
-        if api_key:
-            # Return the user associated with the API key
-            user = auth_service.get_user_by_id(db, api_key.user_id)
-            if user and user.is_active:
-                # Attach api_key to user for scope checking in routes
-                user._api_key = api_key
-                return user
+    user = _resolve_user_or_api_key_identity(token, db)
+    if user is not None:
+        return user
     
     raise HTTPException(
         status_code=status.HTTP_401_UNAUTHORIZED,
@@ -93,6 +99,24 @@ def get_current_user_or_api_key(
     )
 
 
+def get_optional_current_user_or_api_key(
+    credentials: HTTPAuthorizationCredentials | None = Depends(optional_security),
+    db: Session = Depends(get_db),
+):
+    if credentials is None:
+        return None
+
+    user = _resolve_user_or_api_key_identity(credentials.credentials, db)
+    if user is not None:
+        return user
+
+    raise HTTPException(
+        status_code=status.HTTP_401_UNAUTHORIZED,
+        detail="Invalid or expired credentials",
+        headers={"WWW-Authenticate": "Bearer"},
+    )
+
+
 def require_auth_with_scopes(required_scopes: set[str] | None = None) -> Callable:
     required_scopes = required_scopes or set()
 
@@ -108,3 +132,23 @@ def require_auth_with_scopes(required_scopes: set[str] | None = None) -> Callabl
         return current_user
 
     return _dependency
+
+
+def require_optional_auth_with_scopes(required_scopes: set[str] | None = None) -> Callable:
+    required_scopes = required_scopes or set()
+
+    def _dependency(current_user=Depends(get_optional_current_user_or_api_key)):
+        if current_user is None:
+            return None
+
+        api_key = getattr(current_user, "_api_key", None)
+        if api_key is not None:
+            granted_scopes = set(api_key.scopes or [])
+            if not required_scopes.issubset(granted_scopes):
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN,
+                    detail="API key does not have required scopes",
+                )
+        return current_user
+
+    return _dependency

{scriptgini-1.5.3 → scriptgini-1.5.4}/app/services/rbac.py

@@ -1,3 +1,4 @@
+from fastapi import HTTPException, status
 from sqlalchemy.orm import Session
 
 from app.models.membership import ProjectMembership, Role, OrganizationMembership
@@ -53,12 +54,46 @@ def get_user_project_membership(db: Session, project_id: int, user_id: int) -> P
 def ensure_project_exists(db: Session, project_id: int) -> Project:
     project = db.query(Project).filter(Project.id == project_id).first()
     if not project:
-        from fastapi import HTTPException
-
         raise HTTPException(status_code=404, detail="Project not found")
     return project
 
 
+def ensure_project_role(
+    db: Session,
+    project_id: int,
+    user_id: int | None,
+    allowed_roles: set[Role],
+) -> None:
+    """Enforce membership role only when a project has explicit membership records.
+
+    For legacy projects without membership rows, access remains open to preserve
+    backwards compatibility until all projects are bootstrapped.
+    """
+    ensure_project_exists(db, project_id)
+    existing_members = list_project_members(db, project_id)
+    if not existing_members:
+        return
+
+    if user_id is None:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Authentication required for this project",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    membership = get_user_project_membership(db, project_id, user_id)
+    if membership is None or membership.role not in allowed_roles:
+        raise HTTPException(status_code=403, detail="Insufficient project role")
+
+
+def ensure_project_read_access(db: Session, project_id: int, user_id: int | None) -> None:
+    ensure_project_role(db, project_id, user_id, READ_ROLES)
+
+
+def ensure_project_manager_access(db: Session, project_id: int, user_id: int | None) -> None:
+    ensure_project_role(db, project_id, user_id, MANAGER_ROLES)
+
+
 def list_project_members(db: Session, project_id: int) -> list[ProjectMembership]:
     return (
         db.query(ProjectMembership)

{scriptgini-1.5.3 → scriptgini-1.5.4}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "scriptgini"
-version = "1.5.3"
+version = "1.5.4"
 description = "Agentic AI system that converts functional test cases into automation test scripts."
 readme = "README.md"
 requires-python = ">=3.11"
@@ -28,6 +28,7 @@ include = ["app*"]
 exclude = ["tests*", "functional_test_cases*"]
 
 [tool.pytest.ini_options]
+testpaths = ["tests"]
 filterwarnings = [
   "ignore::langchain_core._api.deprecation.LangChainPendingDeprecationWarning",
   "ignore::PendingDeprecationWarning:langgraph\\.cache\\.base\\.__init__",

{scriptgini-1.5.3 → scriptgini-1.5.4}/scriptgini.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: scriptgini
-Version: 1.5.3
+Version: 1.5.4
 Summary: Agentic AI system that converts functional test cases into automation test scripts.
 Author: ScriptGini Team
 License: Proprietary
@@ -16,7 +16,7 @@ Description-Content-Type: text/markdown
 
 > **Enterprise-grade Agentic AI system that converts functional test cases into high-quality, review-ready automation test scripts.**
 
-Current release: v1.5.3 (Sprint 6 complete - 100% test coverage and full audit logging hardening)
+Current release: v1.5.4 (Sprint 6 patch - RBAC enforcement hardening with 100% passing tests and 100% statement coverage)
 
 ---
 

{scriptgini-1.5.3 → scriptgini-1.5.4}/tests/test_auth.py

@@ -310,6 +310,11 @@ class TestAPIKeyManagement:
         assert data["name"] == "Test Key"
         assert "secret_key" not in data  # Secret should not be in response
 
+    def test_get_api_key_not_found(self, auth_headers):
+        """Test getting a missing API key returns 404."""
+        response = client.get("/api/v1/auth/api-keys/99999", headers=auth_headers)
+        assert response.status_code == 404
+
     def test_update_api_key(self, db_session, test_user, auth_headers):
         """Test updating an API key."""
         # Create key

{scriptgini-1.5.3 → scriptgini-1.5.4}/tests/test_infra_services_coverage.py

@@ -460,6 +460,32 @@ def test_auth_dependencies_or_api_key_paths(monkeypatch):
     assert e.value.status_code == 401
 
 
+def test_auth_dependencies_optional_current_user_invalid_credentials(monkeypatch):
+    from app.services import auth_dependencies as deps
+
+    db = object()
+    creds = SimpleNamespace(credentials="invalid_key_format")
+
+    monkeypatch.setattr(deps.auth_service, "verify_token", lambda *a, **k: None)
+
+    with pytest.raises(HTTPException) as exc:
+        deps.get_optional_current_user_or_api_key(creds, db)
+
+    assert exc.value.status_code == 401
+
+
+def test_require_optional_auth_with_scopes_rejects_insufficient_api_key_scopes():
+    from app.services import auth_dependencies as deps
+
+    api_key_user = SimpleNamespace(_api_key=SimpleNamespace(scopes=["scripts:read"]))
+    dependency = deps.require_optional_auth_with_scopes({"scripts:write"})
+
+    with pytest.raises(HTTPException) as exc:
+        dependency(api_key_user)
+
+    assert exc.value.status_code == 403
+
+
 def test_api_key_service_verify_and_crud_paths(db_session, monkeypatch):
     from app.services import api_key as svc
 

{scriptgini-1.5.3 → scriptgini-1.5.4}/tests/test_sprint2_rbac.py

@@ -64,9 +64,10 @@ def _register_and_login(client: TestClient, email: str, password: str = "TestPas
     return user_id, {"Authorization": f"Bearer {token}"}
 
 
-def _create_project(client: TestClient) -> int:
+def _create_project(client: TestClient, headers: dict[str, str] | None = None) -> int:
     resp = client.post(
         "/api/v1/projects/",
+        headers=headers,
         json={
             "name": "RBAC Project",
             "aut_base_url": "https://example.com",
@@ -293,3 +294,88 @@ class TestProjectMembersRBAC:
         )
         assert update_actor.status_code == 200
         assert update_actor.json()["role"] == "admin"
+
+
+class TestCrossDomainProjectRBAC:
+    def test_project_and_testcase_routes_block_outsider(self, client: TestClient):
+        owner_id, owner_headers = _register_and_login(client, "owner-domain@example.com")
+        _, outsider_headers = _register_and_login(client, "outsider-domain@example.com")
+
+        project_id = _create_project(client, headers=owner_headers)
+
+        owner_member = client.put(
+            f"/api/v1/projects/{project_id}/members/{owner_id}",
+            headers=owner_headers,
+            json={"role": "owner", "is_active": True},
+        )
+        assert owner_member.status_code == 200
+
+        get_project = client.get(f"/api/v1/projects/{project_id}", headers=outsider_headers)
+        assert get_project.status_code == 403
+
+        list_test_cases = client.get(
+            f"/api/v1/projects/{project_id}/test-cases/",
+            headers=outsider_headers,
+        )
+        assert list_test_cases.status_code == 403
+
+        create_test_case = client.post(
+            f"/api/v1/projects/{project_id}/test-cases/",
+            headers=outsider_headers,
+            json={"title": "Blocked", "format": "step_based", "content": "Step 1"},
+        )
+        assert create_test_case.status_code == 403
+
+    def test_scripts_bulk_and_analytics_routes_block_outsider(self, client: TestClient):
+        owner_id, owner_headers = _register_and_login(client, "owner-domain-2@example.com")
+        _, outsider_headers = _register_and_login(client, "outsider-domain-2@example.com")
+
+        project_id = _create_project(client, headers=owner_headers)
+
+        owner_member = client.put(
+            f"/api/v1/projects/{project_id}/members/{owner_id}",
+            headers=owner_headers,
+            json={"role": "owner", "is_active": True},
+        )
+        assert owner_member.status_code == 200
+
+        tc_resp = client.post(
+            f"/api/v1/projects/{project_id}/test-cases/",
+            headers=owner_headers,
+            json={"title": "TC-Allowed", "format": "step_based", "content": "Step 1"},
+        )
+        assert tc_resp.status_code == 201
+        tc_id = tc_resp.json()["id"]
+
+        scripts_list = client.get(
+            f"/api/v1/projects/{project_id}/test-cases/{tc_id}/scripts/",
+            headers=outsider_headers,
+        )
+        assert scripts_list.status_code == 403
+
+        bulk_generate = client.post(
+            f"/api/v1/projects/{project_id}/scripts/bulk-generate",
+            headers=outsider_headers,
+            json={"test_case_ids": [tc_id], "framework": "playwright_python", "llm_provider": "openai"},
+        )
+        assert bulk_generate.status_code == 403
+
+        analytics = client.get(
+            f"/api/v1/projects/{project_id}/analytics/runs",
+            headers=outsider_headers,
+        )
+        assert analytics.status_code == 403
+
+    def test_project_route_requires_auth_when_memberships_exist(self, client: TestClient):
+        owner_id, owner_headers = _register_and_login(client, "owner-auth-required@example.com")
+        project_id = _create_project(client, headers=owner_headers)
+
+        owner_member = client.put(
+            f"/api/v1/projects/{project_id}/members/{owner_id}",
+            headers=owner_headers,
+            json={"role": "owner", "is_active": True},
+        )
+        assert owner_member.status_code == 200
+
+        anonymous = client.get(f"/api/v1/projects/{project_id}")
+        assert anonymous.status_code == 401

{scriptgini-1.5.3 → scriptgini-1.5.4}/tests/test_sprint3_execution.py

@@ -83,17 +83,16 @@ def _create_scoped_api_key(client: TestClient, owner_headers: dict[str, str], sc
 def _create_project_with_script(client: TestClient, owner_id: int, owner_headers: dict[str, str]) -> tuple[int, int]:
     project_resp = client.post(
         "/api/v1/projects/",
+        headers=owner_headers,
         json={"name": "Exec Project", "aut_base_url": "https://example.com"},
     )
     assert project_resp.status_code == 201
     project_id = project_resp.json()["id"]
 
     db = TestingSessionLocal()
-    db.add(ProjectMembership(project_id=project_id, user_id=owner_id, role=Role.owner, is_active=True))
-    db.commit()
-
     tc_resp = client.post(
         f"/api/v1/projects/{project_id}/test-cases/",
+        headers=owner_headers,
         json={"title": "TC-Exec", "format": "step_based", "content": "Step 1"},
     )
     assert tc_resp.status_code == 201

{scriptgini-1.5.3 → scriptgini-1.5.4}/tests/test_sprint5_reporting_analytics.py

@@ -85,20 +85,23 @@ def _create_scoped_api_key(client: TestClient, owner_headers: dict[str, str], sc
     return {"Authorization": f"Bearer {key['id']}:{key['secret_key']}"}
 
 
-def _create_project_with_script(client: TestClient, owner_id: int) -> tuple[int, int, int]:
+def _create_project_with_script(
+    client: TestClient,
+    owner_id: int,
+    owner_headers: dict[str, str],
+) -> tuple[int, int, int]:
     project_resp = client.post(
         "/api/v1/projects/",
+        headers=owner_headers,
         json={"name": "Reporting Project", "aut_base_url": "https://example.com"},
     )
     assert project_resp.status_code == 201
     project_id = project_resp.json()["id"]
 
     db = TestingSessionLocal()
-    db.add(ProjectMembership(project_id=project_id, user_id=owner_id, role=Role.owner, is_active=True))
-    db.commit()
-
     tc_resp = client.post(
         f"/api/v1/projects/{project_id}/test-cases/",
+        headers=owner_headers,
         json={"title": "TC-Report", "format": "step_based", "content": "Step 1"},
     )
     assert tc_resp.status_code == 201
@@ -124,7 +127,7 @@ def _create_project_with_script(client: TestClient, owner_id: int) -> tuple[int,
 
 def test_reports_endpoints_return_summary_logs_artifacts_and_download(client: TestClient):
     owner_id, owner_headers = _register_and_login(client, "sprint5-owner@example.com")
-    project_id, tc_id, script_id = _create_project_with_script(client, owner_id)
+    project_id, tc_id, script_id = _create_project_with_script(client, owner_id, owner_headers)
     key_headers = _create_scoped_api_key(client, owner_headers, ["execution:read"])
 
     db = TestingSessionLocal()
@@ -182,7 +185,7 @@ def test_reports_endpoints_return_summary_logs_artifacts_and_download(client: Te
 
 def test_reports_download_404_for_missing_artifact(client: TestClient):
     owner_id, owner_headers = _register_and_login(client, "sprint5-missing@example.com")
-    project_id, tc_id, script_id = _create_project_with_script(client, owner_id)
+    project_id, tc_id, script_id = _create_project_with_script(client, owner_id, owner_headers)
     key_headers = _create_scoped_api_key(client, owner_headers, ["execution:read"])
 
     db = TestingSessionLocal()
@@ -206,8 +209,8 @@ def test_reports_download_404_for_missing_artifact(client: TestClient):
 
 
 def test_analytics_trends_returns_bucketed_series(client: TestClient):
-    owner_id, _ = _register_and_login(client, "sprint5-trends@example.com")
-    project_id, tc_id, script_id = _create_project_with_script(client, owner_id)
+    owner_id, owner_headers = _register_and_login(client, "sprint5-trends@example.com")
+    project_id, tc_id, script_id = _create_project_with_script(client, owner_id, owner_headers)
 
     db = TestingSessionLocal()
     now = datetime.now(timezone.utc)
@@ -244,7 +247,7 @@ def test_analytics_trends_returns_bucketed_series(client: TestClient):
     db.commit()
     db.close()
 
-    resp = client.get(f"/api/v1/analytics/trends?project_id={project_id}")
+    resp = client.get(f"/api/v1/analytics/trends?project_id={project_id}", headers=owner_headers)
     assert resp.status_code == 200
     payload = resp.json()
     assert payload["project_id"] == project_id
@@ -253,8 +256,8 @@ def test_analytics_trends_returns_bucketed_series(client: TestClient):
 
 
 def test_analytics_flakiness_ranks_by_failure_rate(client: TestClient):
-    owner_id, _ = _register_and_login(client, "sprint5-flaky@example.com")
-    project_id, tc_id, script_id = _create_project_with_script(client, owner_id)
+    owner_id, owner_headers = _register_and_login(client, "sprint5-flaky@example.com")
+    project_id, tc_id, script_id = _create_project_with_script(client, owner_id, owner_headers)
 
     db = TestingSessionLocal()
     now = datetime.now(timezone.utc)
@@ -305,7 +308,7 @@ def test_analytics_flakiness_ranks_by_failure_rate(client: TestClient):
     db.commit()
     db.close()
 
-    resp = client.get(f"/api/v1/analytics/flakiness?project_id={project_id}&min_runs=3")
+    resp = client.get(f"/api/v1/analytics/flakiness?project_id={project_id}&min_runs=3", headers=owner_headers)
     assert resp.status_code == 200
     payload = resp.json()
     assert payload["project_id"] == project_id
@@ -377,7 +380,7 @@ def test_reports_not_found_and_no_membership_access(client: TestClient):
 def test_reports_access_denied_and_payload_fallbacks(client: TestClient):
     owner_id, owner_headers = _register_and_login(client, "sprint5-owner-denied@example.com")
     outsider_id, outsider_headers = _register_and_login(client, "sprint5-outsider@example.com")
-    project_id, tc_id, script_id = _create_project_with_script(client, owner_id)
+    project_id, tc_id, script_id = _create_project_with_script(client, owner_id, owner_headers)
 
     owner_key_headers = _create_scoped_api_key(client, owner_headers, ["execution:read"])
     outsider_key_headers = _create_scoped_api_key(client, outsider_headers, ["execution:read"])
@@ -414,7 +417,7 @@ def test_reports_access_denied_and_payload_fallbacks(client: TestClient):
 
 def test_reports_download_branches_non_list_missing_content_and_invalid_base64(client: TestClient):
     owner_id, owner_headers = _register_and_login(client, "sprint5-download-branches@example.com")
-    project_id, tc_id, script_id = _create_project_with_script(client, owner_id)
+    project_id, tc_id, script_id = _create_project_with_script(client, owner_id, owner_headers)
     key_headers = _create_scoped_api_key(client, owner_headers, ["execution:read"])
 
     db = TestingSessionLocal()
@@ -487,8 +490,8 @@ def test_reports_download_branches_non_list_missing_content_and_invalid_base64(c
 
 
 def test_analytics_trends_and_flakiness_not_found_and_date_filters(client: TestClient):
-    owner_id, _ = _register_and_login(client, "sprint5-analytics-filters@example.com")
-    project_id, tc_id, script_id = _create_project_with_script(client, owner_id)
+    owner_id, owner_headers = _register_and_login(client, "sprint5-analytics-filters@example.com")
+    project_id, tc_id, script_id = _create_project_with_script(client, owner_id, owner_headers)
 
     db = TestingSessionLocal()
     now = datetime.now(timezone.utc)
@@ -533,12 +536,16 @@ def test_analytics_trends_and_flakiness_not_found_and_date_filters(client: TestC
 
     start_str = (now - timedelta(days=2)).date().isoformat()
     end_str = now.date().isoformat()
-    trends = client.get(f"/api/v1/analytics/trends?project_id={project_id}&start_date={start_str}&end_date={end_str}")
+    trends = client.get(
+        f"/api/v1/analytics/trends?project_id={project_id}&start_date={start_str}&end_date={end_str}",
+        headers=owner_headers,
+    )
     assert trends.status_code == 200
     assert len(trends.json()["points"]) == 1
 
     flakiness = client.get(
-        f"/api/v1/analytics/flakiness?project_id={project_id}&start_date={start_str}&end_date={end_str}&min_runs=0"
+        f"/api/v1/analytics/flakiness?project_id={project_id}&start_date={start_str}&end_date={end_str}&min_runs=0",
+        headers=owner_headers,
     )
     assert flakiness.status_code == 200
     assert flakiness.json()["min_runs"] == 1
@@ -546,7 +553,7 @@ def test_analytics_trends_and_flakiness_not_found_and_date_filters(client: TestC
 
 def test_reports_artifact_non_list_and_download_skips_non_dict(client: TestClient):
     owner_id, owner_headers = _register_and_login(client, "sprint5-branch-lastmile@example.com")
-    project_id, tc_id, script_id = _create_project_with_script(client, owner_id)
+    project_id, tc_id, script_id = _create_project_with_script(client, owner_id, owner_headers)
     key_headers = _create_scoped_api_key(client, owner_headers, ["execution:read"])
 
     db = TestingSessionLocal()
@@ -589,8 +596,8 @@ def test_reports_artifact_non_list_and_download_skips_non_dict(client: TestClien
 
 
 def test_cleanup_old_artifacts_real_session_branch(client: TestClient, monkeypatch):
-    owner_id, _ = _register_and_login(client, "sprint5-cleanup@example.com")
-    project_id, tc_id, script_id = _create_project_with_script(client, owner_id)
+    owner_id, owner_headers = _register_and_login(client, "sprint5-cleanup@example.com")
+    project_id, tc_id, script_id = _create_project_with_script(client, owner_id, owner_headers)
 
     db = TestingSessionLocal()
     now = datetime.now(timezone.utc)

{scriptgini-1.5.3 → scriptgini-1.5.4}/tests/test_sprint6_coverage_lifecycle.py

@@ -77,11 +77,6 @@ def _create_project_and_tc(client: TestClient, owner_id: int, title: str = "Logi
     assert proj.status_code == 201
     project_id = proj.json()["id"]
 
-    db = TestingSessionLocal()
-    db.add(ProjectMembership(project_id=project_id, user_id=owner_id, role=Role.owner, is_active=True))
-    db.commit()
-    db.close()
-
     tc = client.post(
         f"/api/v1/projects/{project_id}/test-cases/",
         json={"title": title, "format": "step_based", "content": "Step 1: Open login page"},

scriptgini-1.5.3/app/__init__.py

@@ -1,3 +0,0 @@
-__version__ = "1.5.3"
-__api_version__ = "v1.5.3"
-