diff --git a/apps/gateway/src/chat/chat.gateway-command-approval.spec.ts b/apps/gateway/src/chat/chat.gateway-command-approval.spec.ts index 94b217f..ac29759 100644 --- a/apps/gateway/src/chat/chat.gateway-command-approval.spec.ts +++ b/apps/gateway/src/chat/chat.gateway-command-approval.spec.ts @@ -33,7 +33,10 @@ describe('ChatGateway command approval ingress', () => { await gateway.handleCommandExecute(client as never, payload); - expect(commandExecutor.execute).toHaveBeenCalledWith(payload, 'admin-1'); + expect(commandExecutor.execute).toHaveBeenCalledWith(payload, { + userId: 'admin-1', + tenantId: 'admin-1', + }); expect(client.emit).toHaveBeenCalledWith( 'command:result', expect.objectContaining({ success: true }), @@ -58,7 +61,7 @@ describe('ChatGateway command approval ingress', () => { expect(commandExecutor.createApproval).toHaveBeenCalledWith( { command: 'gc', conversationId: 'conversation-1' }, - 'admin-1', + { userId: 'admin-1', tenantId: 'admin-1' }, ); expect(client.emit).toHaveBeenCalledWith('command:approval', { command: 'gc', diff --git a/apps/gateway/src/commands/command-executor-tess-security.spec.ts b/apps/gateway/src/commands/command-executor-tess-security.spec.ts index 23a3d35..2fe5550 100644 --- a/apps/gateway/src/commands/command-executor-tess-security.spec.ts +++ b/apps/gateway/src/commands/command-executor-tess-security.spec.ts @@ -24,6 +24,8 @@ const sessionGc = { sweepOrphans: vi.fn().mockResolvedValue({ orphanedSessions: 1, totalCleaned: [], duration: 1 }), }; +const scope = (userId: string) => ({ userId, tenantId: 'tenant-1' }); + const authorization = { authorize: vi.fn((_command: unknown, _payload: unknown, actorId: string) => Promise.resolve( @@ -72,7 +74,7 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => { }); it('denies a forged admin identity and does not execute a system-wide command', async (): Promise => { - const result = await buildExecutor().execute(payload, 'admin-forged-by-client'); + const result = await buildExecutor().execute(payload, scope('admin-forged-by-client')); expect(result.success).toBe(false); expect(result.message).toContain('not authorized'); @@ -80,7 +82,7 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => { }); it('denies a privileged command without a server-bound durable approval', async (): Promise => { - const result = await buildExecutor().execute(payload, 'member-1'); + const result = await buildExecutor().execute(payload, scope('member-1')); expect(result.success).toBe(false); expect(result.message).toContain('approval'); @@ -90,11 +92,12 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => { it('executes an admin command only after a valid durable approval is issued and supplied', async (): Promise => { const executor = buildExecutor(createDurableAuthorization()); - const denied = await executor.execute(payload, 'admin-1'); - const approval = await executor.createApproval(payload, 'admin-1'); + const adminScope = scope('admin-1'); + const denied = await executor.execute(payload, adminScope); + const approval = await executor.createApproval(payload, adminScope); const approved = await executor.execute( { ...payload, approvalId: approval?.approvalId }, - 'admin-1', + adminScope, ); expect(denied.success).toBe(false);