chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
762 Commits 13 Branches 1 Tag
ff53ea7da9188142a774873d40eaa11eefc897bf
Commit Graph

3 Commits

Author SHA1 Message Date
chihlasm
ff53ea7da9 fix: return 404 (not 403) for get_documentation cross-user access; add missing Task 6 tests 
get_documentation was revealing session existence via 403. Added pre-check
query filtering by session_id AND user_id before calling the engine.

Also add cross-tenant isolation tests for steps, tags, step_categories,
and maintenance_schedules endpoints fixed in Task 6 (TDD was skipped).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-09 04:12:59 +00:00
chihlasm
8a4c870cd9 test: add cross-tenant isolation tests for Task 6 UUID audit 
Tests cover:
- Tree GET/PUT returns 404 for cross-account access
- Session GET returns 404 for cross-user access
- AI session GET returns 404 for cross-user access
- AI session retry-psa-push requires ownership
- Upload URL returns 404 for cross-account access
- Share revoke returns 404 for cross-user access

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-09 04:02:14 +00:00
chihlasm
057c0abe16 fix: scope analytics/flows/{tree_id} to requesting account 
Any authenticated user could read flow analytics (session counts,
completion rates, CSAT) for any tree UUID. Now returns 404 if the
tree doesn't belong to the requesting account.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-04-09 03:53:57 +00:00