From 8bcf08ae06d8b248f74c59c3e0c9bea932a0f881 Mon Sep 17 00:00:00 2001 From: chihlasm Date: Thu, 9 Apr 2026 17:18:38 +0000 Subject: [PATCH] fix: persist account ownership for script templates and generations --- backend/app/api/endpoints/scripts.py | 2 ++ backend/tests/test_script_templates.py | 5 +++++ backend/tests/test_scripts.py | 21 ++++++++++++++++----- 3 files changed, 23 insertions(+), 5 deletions(-) diff --git a/backend/app/api/endpoints/scripts.py b/backend/app/api/endpoints/scripts.py index 180c0d43..3db7175d 100644 --- a/backend/app/api/endpoints/scripts.py +++ b/backend/app/api/endpoints/scripts.py @@ -197,6 +197,7 @@ async def create_template( template = ScriptTemplate( category_id=data.category_id, team_id=current_user.team_id, + account_id=current_user.account_id, created_by=current_user.id, name=data.name, slug=slug, @@ -364,6 +365,7 @@ async def generate_script( generation = ScriptGeneration( template_id=template.id, user_id=current_user.id, + account_id=current_user.account_id, team_id=current_user.team_id, session_id=data.session_id, ai_session_id=data.ai_session_id, diff --git a/backend/tests/test_script_templates.py b/backend/tests/test_script_templates.py index 868bf10e..ae7501dd 100644 --- a/backend/tests/test_script_templates.py +++ b/backend/tests/test_script_templates.py @@ -1,4 +1,6 @@ """Integration tests for Script Template Editor permissions and share endpoint.""" +from uuid import UUID as PyUUID + import pytest from httpx import AsyncClient from sqlalchemy import select @@ -65,6 +67,9 @@ class TestScriptTemplatePermissions: data = resp.json() assert data["name"] == "Test Template" assert data["created_by"] is not None + result = await test_db.execute(select(ScriptTemplate).where(ScriptTemplate.id == PyUUID(data["id"]))) + template = result.scalar_one() + assert template.account_id is not None @pytest.mark.asyncio async def test_engineer_can_edit_own_template(self, client, auth_headers, test_db): 
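Review bot: `account_id=current_user.account_id` in `create_template` is stored without checking that the value is set, so a user whose `account_id` is None would still create a template with no owner. If this column is meant to be the tenant boundary, reject the request in that case. Rows written before this fix presumably still have a NULL `account_id` and would need a backfill, which this patch does not include. A comment above the constructor would record the intent, e.g. `# account_id is the tenant boundary: always taken from the authenticated user, never from request data`. The body of `create_template` starts and ends outside the hunk.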
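Review bot: The new `ScriptGeneration` row takes `account_id` from `current_user` but `template_id` from a `template` loaded earlier in `generate_script`, outside this hunk, so nothing visible here ties the two to the same account. If that lookup is not already scoped by account, a generation could be recorded under one account against a template owned by another. Confirm the lookup filters on `account_id`, or compare `template.account_id` with `current_user.account_id` before building the row, allowing for any shared templates that legitimately have no owner.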
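Review bot: `assert template.account_id is not None` only proves that some account was stored, so an endpoint that stamped the wrong account would still pass this test. The companion assertion in `backend/tests/test_scripts.py` compares against the authenticated user's row. Doing the same here, `assert template.account_id == user.account_id` after loading the user, would pin the ownership property the commit is about, assuming the same `test_user` fixture is available to this file. The enclosing test method starts above the hunk.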
diff --git a/backend/tests/test_scripts.py b/backend/tests/test_scripts.py index eb31c79f..cf17f9a4 100644 --- a/backend/tests/test_scripts.py +++ b/backend/tests/test_scripts.py @@ -6,14 +6,18 @@ from datetime import datetime, timezone import pytest import sqlalchemy as sa +from app.models.script_template import ScriptGeneration +from app.models.user import User # ── Fixtures ────────────────────────────────────────────────────────────── @pytest.fixture -async def seed_script_data(test_db): +async def seed_script_data(test_db, test_user): """Seed script categories and templates into the test database.""" now = datetime.now(timezone.utc) cat_id = uuid.UUID("00000000-0000-0000-0000-000000000001") + user_result = await test_db.execute(sa.select(User).where(User.email == test_user["email"])) + user = user_result.scalar_one() # Insert category await test_db.execute( @@ -142,20 +146,20 @@ async def seed_script_data(test_db): await test_db.execute( sa.text(""" INSERT INTO script_templates ( - id, category_id, name, slug, description, + id, category_id, account_id, name, slug, description, script_body, parameters_schema, default_values, validation_rules, tags, complexity, estimated_runtime, requires_elevation, requires_modules, version, is_verified, is_active, usage_count, created_at, updated_at ) VALUES ( - :id, :category_id, :name, :slug, :description, + :id, :category_id, :account_id, :name, :slug, :description, :script_body, CAST(:parameters_schema AS jsonb), '{}'::jsonb, '{}'::jsonb, CAST(:tags AS jsonb), :complexity, :estimated_runtime, :requires_elevation, '[]'::jsonb, 1, true, true, 0, :now, :now ) """), - {**tmpl, "category_id": cat_id, "now": now}, + {**tmpl, "category_id": cat_id, "account_id": user.account_id, "now": now}, ) await test_db.commit() 
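Review bot: The `sa.select(User).where(User.email == test_user["email"])` lookup added to `seed_script_data` is repeated verbatim in `test_generate_script_success` later in this file. A small fixture that returns the `User` row, or having `seed_script_data` return it, would keep the two from drifting apart. The fixture also seeds `user.account_id` without checking that it is set, so a test user with no account would silently seed ownerless templates. The fixture body continues outside the hunk.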
@@ -245,7 +249,7 @@ async def test_get_template_detail_not_found(client, auth_headers): # ── Generate ────────────────────────────────────────────────────────────── @pytest.mark.asyncio -async def test_generate_script_success(client, auth_headers, seed_script_data): +async def test_generate_script_success(client, auth_headers, seed_script_data, test_db, test_user): list_resp = await client.get( "/api/v1/scripts/templates?search=unlock", headers=auth_headers, @@ -265,6 +269,13 @@ async def test_generate_script_success(client, auth_headers, seed_script_data): assert "script" in data assert "jsmith" in data["script"] assert "id" in data + generation_result = await test_db.execute( + sa.select(ScriptGeneration).where(ScriptGeneration.id == uuid.UUID(data["id"])) + ) + generation = generation_result.scalar_one() + user_result = await test_db.execute(sa.select(User).where(User.email == test_user["email"])) + user = user_result.scalar_one() + assert generation.account_id == user.account_id @pytest.mark.asyncio
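Review bot: `assert generation.account_id == user.account_id` at the end of `test_generate_script_success` also passes when both sides are None, so it cannot detect the missing-ownership bug if the test user has no account. Adding `assert user.account_id is not None` before the comparison makes the check meaningful. The test covers only the same-account path. A second case that seeds a template under a different `account_id` and asserts how the endpoint responds would document the intended isolation behaviour.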