test: add tenant isolation coverage for agent run lifecycle

WordClaw Agent · WordClaw Agent · commit e026b97208a4 · 2026-02-28T23:41:36.000+01:00
diff --git a/src/__tests__/api-tenant.test.ts b/src/__tests__/api-tenant.test.ts
@@ -1,7 +1,7 @@
 import { describe, it, expect, beforeAll, afterAll } from 'vitest';
 import Fastify from 'fastify';
 import { db } from '../db/index.js';
-import { apiKeys, domains, contentItems, contentTypes } from '../db/schema.js';
+import { agentRuns, apiKeys, domains, contentItems, contentTypes } from '../db/schema.js';
 import { eq, sql } from 'drizzle-orm';
 import apiRoutes from '../api/routes.js';
 import { errorHandler } from '../api/error-handler.js';
@@ -325,4 +325,65 @@ describe('Multi-Tenant Domain Isolation Tests', () => {
             }
         }
     });
+
+    it('agent-run lifecycle routes enforce tenant scoping for read and control', async () => {
+        let domain1RunId: number | null = null;
+
+        try {
+            const createRun = await fastify.inject({
+                method: 'POST',
+                url: '/api/agent-runs',
+                headers: { 'x-api-key': rawKey1 },
+                payload: {
+                    goal: `domain1-run-${crypto.randomUUID()}`,
+                    runType: 'review_backlog_manager',
+                    requireApproval: true
+                }
+            });
+
+            expect(createRun.statusCode).toBe(201);
+            const createPayload = JSON.parse(createRun.payload) as {
+                data: { id: number; status: string };
+            };
+            domain1RunId = createPayload.data.id;
+            expect(createPayload.data.status).toBe('waiting_approval');
+
+            const domain1Read = await fastify.inject({
+                method: 'GET',
+                url: `/api/agent-runs/${domain1RunId}`,
+                headers: { 'x-api-key': rawKey1 }
+            });
+            expect(domain1Read.statusCode).toBe(200);
+
+            const domain2Read = await fastify.inject({
+                method: 'GET',
+                url: `/api/agent-runs/${domain1RunId}`,
+                headers: { 'x-api-key': rawKey2 }
+            });
+            expect(domain2Read.statusCode).toBe(404);
+            expect(JSON.parse(domain2Read.payload).code).toBe('AGENT_RUN_NOT_FOUND');
+
+            const domain2Control = await fastify.inject({
+                method: 'POST',
+                url: `/api/agent-runs/${domain1RunId}/control`,
+                headers: { 'x-api-key': rawKey2 },
+                payload: { action: 'cancel' }
+            });
+            expect(domain2Control.statusCode).toBe(404);
+            expect(JSON.parse(domain2Control.payload).code).toBe('AGENT_RUN_NOT_FOUND');
+
+            const domain1Approve = await fastify.inject({
+                method: 'POST',
+                url: `/api/agent-runs/${domain1RunId}/control`,
+                headers: { 'x-api-key': rawKey1 },
+                payload: { action: 'approve' }
+            });
+            expect(domain1Approve.statusCode).toBe(200);
+            expect(JSON.parse(domain1Approve.payload).data.status).toBe('running');
+        } finally {
+            if (domain1RunId) {
+                await db.delete(agentRuns).where(eq(agentRuns.id, domain1RunId));
+            }
+        }
+    });
 });
diff --git a/src/graphql/tenant-isolation-graphql.test.ts b/src/graphql/tenant-isolation-graphql.test.ts
@@ -4,7 +4,7 @@ import { afterAll, beforeAll, describe, expect, it } from 'vitest';
 import { eq } from 'drizzle-orm';
 
 import { db } from '../db/index.js';
-import { contentItems, contentTypes, domains } from '../db/schema.js';
+import { agentRuns, contentItems, contentTypes, domains } from '../db/schema.js';
 import { resolvers } from './resolvers.js';
 import { schema } from './schema.js';
 
@@ -14,6 +14,7 @@ describe('GraphQL Tenant Isolation', () => {
     let domain2TypeId: number;
     let domain1ItemId: number;
     let domain2ItemId: number;
+    let domain1RunId: number;
 
     beforeAll(async () => {
         const [domain1] = await db.select().from(domains).where(eq(domains.id, 1));
@@ -76,6 +77,15 @@ describe('GraphQL Tenant Isolation', () => {
         }).returning();
         domain2ItemId = item2.id;
 
+        const [run1] = await db.insert(agentRuns).values({
+            domainId: 1,
+            goal: `domain-one-tenant-graphql-run-${Date.now()}`,
+            runType: 'review_backlog_manager',
+            status: 'waiting_approval',
+            requestedBy: 'tenant-1'
+        }).returning();
+        domain1RunId = run1.id;
+
         app = Fastify({ logger: false });
         app.register(mercurius, {
             schema,
@@ -117,6 +127,9 @@ describe('GraphQL Tenant Isolation', () => {
         if (domain2TypeId) {
             await db.delete(contentTypes).where(eq(contentTypes.id, domain2TypeId));
         }
+        if (domain1RunId) {
+            await db.delete(agentRuns).where(eq(agentRuns.id, domain1RunId));
+        }
     });
 
     it('rejects assigning a cross-tenant content type on updateContentItem', async () => {
@@ -219,4 +232,55 @@ describe('GraphQL Tenant Isolation', () => {
         expect(payload.data?.updateContentItemsBatch?.results[0]?.ok).toBe(false);
         expect(payload.data?.updateContentItemsBatch?.results[0]?.code).toBe('CONTENT_ITEM_NOT_FOUND');
     });
+
+    it('hides cross-tenant agent runs and rejects cross-tenant control actions', async () => {
+        const queryResponse = await app.inject({
+            method: 'POST',
+            url: '/graphql',
+            headers: {
+                'x-domain-id': '2'
+            },
+            payload: {
+                query: `
+                  query AgentRun($id: ID!) {
+                    agentRun(id: $id) { id status }
+                  }
+                `,
+                variables: {
+                    id: String(domain1RunId)
+                }
+            }
+        });
+
+        expect(queryResponse.statusCode).toBe(200);
+        const queryPayload = queryResponse.json() as {
+            data?: { agentRun?: { id: string } | null };
+        };
+        expect(queryPayload.data?.agentRun).toBeNull();
+
+        const controlResponse = await app.inject({
+            method: 'POST',
+            url: '/graphql',
+            headers: {
+                'x-domain-id': '2'
+            },
+            payload: {
+                query: `
+                  mutation ControlRun($id: ID!, $action: String!) {
+                    controlAgentRun(id: $id, action: $action) { id status }
+                  }
+                `,
+                variables: {
+                    id: String(domain1RunId),
+                    action: 'cancel'
+                }
+            }
+        });
+
+        expect(controlResponse.statusCode).toBe(200);
+        const controlPayload = controlResponse.json() as {
+            errors?: Array<{ extensions?: { code?: string } }>;
+        };
+        expect(controlPayload.errors?.[0]?.extensions?.code).toBe('AGENT_RUN_NOT_FOUND');
+    });
 });
