fix(tess): enforce command authorization approvals #718

Merged
jason.woltje merged 3 commits from fix/tess-command-authz into main 2026-07-12 23:18:02 +00:00
2 changed files with 13 additions and 7 deletions
Showing only changes of commit e3d98d7390 - Show all commits

View File

@@ -33,7 +33,10 @@ describe('ChatGateway command approval ingress', () => {
await gateway.handleCommandExecute(client as never, payload);
expect(commandExecutor.execute).toHaveBeenCalledWith(payload, 'admin-1');
expect(commandExecutor.execute).toHaveBeenCalledWith(payload, {
userId: 'admin-1',
tenantId: 'admin-1',
});
expect(client.emit).toHaveBeenCalledWith(
'command:result',
expect.objectContaining({ success: true }),
@@ -58,7 +61,7 @@ describe('ChatGateway command approval ingress', () => {
expect(commandExecutor.createApproval).toHaveBeenCalledWith(
{ command: 'gc', conversationId: 'conversation-1' },
'admin-1',
{ userId: 'admin-1', tenantId: 'admin-1' },
);
expect(client.emit).toHaveBeenCalledWith('command:approval', {
command: 'gc',

View File

@@ -24,6 +24,8 @@ const sessionGc = {
sweepOrphans: vi.fn().mockResolvedValue({ orphanedSessions: 1, totalCleaned: [], duration: 1 }),
};
const scope = (userId: string) => ({ userId, tenantId: 'tenant-1' });
const authorization = {
authorize: vi.fn((_command: unknown, _payload: unknown, actorId: string) =>
Promise.resolve(
@@ -72,7 +74,7 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => {
});
it('denies a forged admin identity and does not execute a system-wide command', async (): Promise<void> => {
const result = await buildExecutor().execute(payload, 'admin-forged-by-client');
const result = await buildExecutor().execute(payload, scope('admin-forged-by-client'));
expect(result.success).toBe(false);
expect(result.message).toContain('not authorized');
@@ -80,7 +82,7 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => {
});
it('denies a privileged command without a server-bound durable approval', async (): Promise<void> => {
const result = await buildExecutor().execute(payload, 'member-1');
const result = await buildExecutor().execute(payload, scope('member-1'));
expect(result.success).toBe(false);
expect(result.message).toContain('approval');
@@ -90,11 +92,12 @@ describe('TESS-M1-SEC-001 command authorization abuse cases', () => {
it('executes an admin command only after a valid durable approval is issued and supplied', async (): Promise<void> => {
const executor = buildExecutor(createDurableAuthorization());
const denied = await executor.execute(payload, 'admin-1');
const approval = await executor.createApproval(payload, 'admin-1');
const adminScope = scope('admin-1');
const denied = await executor.execute(payload, adminScope);
const approval = await executor.createApproval(payload, adminScope);
const approved = await executor.execute(
{ ...payload, approvalId: approval?.approvalId },
'admin-1',
adminScope,
);
expect(denied.success).toBe(false);