boss/tests/audit-permission-logs-route.test.ts

import test from "node:test";
import assert from "node:assert/strict";
import os from "node:os";
import path from "node:path";
import { mkdtemp, rm } from "node:fs/promises";
import { NextRequest } from "next/server";

let runtimeRoot = "";
let data: typeof import("../src/lib/boss-data");
let authCookie = "";
let getPermissionLogs: (typeof import("../src/app/api/v1/audits/permission-logs/route"))["GET"];
let baseState: Awaited<ReturnType<typeof import("../src/lib/boss-data")["readState"]>>;

async function setup() {
  if (runtimeRoot) return;
  runtimeRoot = await mkdtemp(path.join(os.tmpdir(), "boss-audit-permission-logs-"));
  process.env.BOSS_RUNTIME_ROOT = runtimeRoot;
  process.env.BOSS_STATE_FILE = path.join(runtimeRoot, "boss-state.json");
  const [dataModule, authModule, routeModule] = await Promise.all([
    import("../src/lib/boss-data.ts"),
    import("../src/lib/boss-auth.ts"),
    import("../src/app/api/v1/audits/permission-logs/route.ts"),
  ]);
  data = dataModule;
  authCookie = authModule.AUTH_SESSION_COOKIE;
  getPermissionLogs = routeModule.GET;
  baseState = structuredClone(await data.readState());
}

test.after(async () => {
  if (runtimeRoot) await rm(runtimeRoot, { recursive: true, force: true });
});

test.beforeEach(async () => {
  await setup();
  const state = structuredClone(baseState);
  state.permissionAuditLogs = [
    {
      auditId: "audit-008",
      actorAccount: "krisolo",
      action: "task.denied",
      targetAccount: "member@example.com",
      detail: "admin_route:/api/v1/admin/access",
      createdAt: "2026-04-27T10:03:00.000Z",
    },
    {
      auditId: "audit-007",
      actorAccount: "krisolo",
      action: "skill.lifecycle.completed",
      deviceId: "mac-studio",
      skillId: "mac-studio:boss-server-debug",
      detail: "update:failed:git checkout failed",
      createdAt: "2026-04-27T10:02:00.000Z",
    },
    {
      auditId: "audit-006",
      actorAccount: "krisolo",
      action: "skill.assigned",
      targetAccount: "worker@example.com",
      deviceId: "mac-studio",
      projectId: "master-agent",
      skillId: "mac-studio:boss-server-debug",
      permissions: ["skill.view", "skill.use"],
      createdAt: "2026-04-27T10:01:05.000Z",
    },
    {
      auditId: "audit-005",
      actorAccount: "krisolo",
      action: "grant.created",
      targetAccount: "worker@example.com",
      projectId: "master-agent",
      permissions: ["project.view"],
      createdAt: "2026-04-27T10:01:04.000Z",
    },
    {
      auditId: "audit-004",
      actorAccount: "krisolo",
      action: "grant.created",
      targetAccount: "worker@example.com",
      deviceId: "mac-studio",
      permissions: ["device.view"],
      createdAt: "2026-04-27T10:01:03.000Z",
    },
    {
      auditId: "audit-003",
      actorAccount: "krisolo",
      action: "grant.created",
      targetAccount: "worker@example.com",
      deviceId: "mac-studio",
      permissions: ["device.view"],
      createdAt: "2026-04-27T10:01:02.000Z",
    },
    {
      auditId: "audit-002",
      actorAccount: "krisolo",
      action: "grant.created",
      targetAccount: "worker@example.com",
      deviceId: "mac-studio",
      permissions: ["device.view"],
      createdAt: "2026-04-27T10:01:01.000Z",
    },
    {
      auditId: "audit-001",
      actorAccount: "krisolo",
      action: "grant.created",
      targetAccount: "worker@example.com",
      deviceId: "mac-studio",
      permissions: ["device.view"],
      createdAt: "2026-04-27T10:01:00.000Z",
    },
  ];
  state.accountDeviceGrants = [
    {
      grantId: "expired-device-grant",
      account: "worker@example.com",
      deviceId: "mac-studio",
      permissions: ["device.view"],
      grantedBy: "krisolo",
      grantedAt: "2026-04-26T10:00:00.000Z",
      expiresAt: "2026-04-27T09:00:00.000Z",
    },
  ];
  state.accountProjectGrants = [];
  state.accountSkillGrants = [];
  await data.writeState(state);
});

async function authedRequest(
  account: string,
  role: "member" | "admin" | "highest_admin",
  url: string,
) {
  const session = await data.createAuthSession({
    account,
    role,
    displayName: account,
    loginMethod: "password",
  });
  return new NextRequest(url, {
    headers: {
      cookie: `${authCookie}=${session.sessionToken}`,
    },
  });
}

test("highest admin can filter permission audit logs and page with a cursor", async () => {
  const response = await getPermissionLogs(
    await authedRequest(
      "krisolo",
      "highest_admin",
      "http://127.0.0.1:3000/api/v1/audits/permission-logs?action=grant.created&actorAccount=krisolo&targetAccount=worker@example.com&deviceId=mac-studio&limit=2",
    ),
  );
  assert.equal(response.status, 200);
  const payload = await response.json();
  assert.deepEqual(
    payload.logs.map((log: { auditId: string }) => log.auditId),
    ["audit-004", "audit-003"],
  );
  assert.equal(payload.nextCursor, "audit-003");
  assert.equal(payload.riskSummary.totalAlerts >= 1, true);

  const nextResponse = await getPermissionLogs(
    await authedRequest(
      "krisolo",
      "highest_admin",
      `http://127.0.0.1:3000/api/v1/audits/permission-logs?action=grant.created&actorAccount=krisolo&targetAccount=worker@example.com&deviceId=mac-studio&limit=2&cursor=${payload.nextCursor}`,
    ),
  );
  assert.equal(nextResponse.status, 200);
  const nextPayload = await nextResponse.json();
  assert.deepEqual(
    nextPayload.logs.map((log: { auditId: string }) => log.auditId),
    ["audit-002", "audit-001"],
  );
  assert.equal(nextPayload.nextCursor, null);
});

test("highest admin can filter permission audit logs by project and skill", async () => {
  const response = await getPermissionLogs(
    await authedRequest(
      "krisolo",
      "highest_admin",
      "http://127.0.0.1:3000/api/v1/audits/permission-logs?projectId=master-agent&skillId=mac-studio%3Aboss-server-debug",
    ),
  );
  assert.equal(response.status, 200);
  const payload = await response.json();
  assert.deepEqual(
    payload.logs.map((log: { auditId: string }) => log.auditId),
    ["audit-006"],
  );
});

test("permission audit risk summary is deterministic from current logs and grants", async () => {
  const response = await getPermissionLogs(
    await authedRequest(
      "krisolo",
      "highest_admin",
      "http://127.0.0.1:3000/api/v1/audits/permission-logs",
    ),
  );
  assert.equal(response.status, 200);
  const payload = await response.json();
  assert.deepEqual(
    payload.riskSummary.alerts.map((alert: { kind: string }) => alert.kind).sort(),
    [
      "admin_route_denied",
      "expired_grant_present",
      "rapid_permission_grants",
      "skill_lifecycle_failed",
    ],
  );
});

test("ordinary accounts cannot read permission audit logs", async () => {
  const response = await getPermissionLogs(
    await authedRequest(
      "worker@example.com",
      "member",
      "http://127.0.0.1:3000/api/v1/audits/permission-logs",
    ),
  );
  assert.equal(response.status, 403);
});