diff --git a/server/src/__tests__/plugin-routes-authz.test.ts b/server/src/__tests__/plugin-routes-authz.test.ts index 90371991..460d1e45 100644 --- a/server/src/__tests__/plugin-routes-authz.test.ts +++ b/server/src/__tests__/plugin-routes-authz.test.ts @@ -912,4 +912,144 @@ describe.sequential("plugin tool and bridge authz", () => { expect(res.body).toEqual({ runId: "run-1", jobId: "job-1" }); expect(scheduler.triggerJob).toHaveBeenCalledWith("job-1", "manual"); }); + + // ─── Agent JWT tool execution (cherry-picked from #5549) ───────────────────── + + it("rejects board users with no company memberships from listing plugin tools", async () => { + const listToolsForAgent = vi.fn(() => []); + const { app } = await createApp( + boardActor({ companyIds: [], isInstanceAdmin: false, source: "session" }), + {}, + { + toolDeps: { + toolDispatcher: { + listToolsForAgent, + getTool: vi.fn(), + executeTool: vi.fn(), + }, + }, + }, + ); + + const res = await request(app).get("/api/plugins/tools"); + + expect(res.status).toBe(403); + expect(listToolsForAgent).not.toHaveBeenCalled(); + }); + + it("allows agent JWT to list available plugin tools", async () => { + const listToolsForAgent = vi.fn(() => []); + const { app } = await createApp(agentActor(), {}, { + toolDeps: { + toolDispatcher: { + listToolsForAgent, + getTool: vi.fn(), + executeTool: vi.fn(), + }, + }, + }); + + const res = await request(app).get("/api/plugins/tools"); + + expect(res.status).toBe(200); + expect(listToolsForAgent).toHaveBeenCalled(); + }); + + it("allows agent JWT to execute a tool within its company scope", async () => { + const executeTool = vi.fn().mockResolvedValue({ content: "ok" }); + const { app } = await createApp( + agentActor(), + {}, + { + db: createSelectQueueDb([ + [{ companyId: companyA }], + [{ companyId: companyA, agentId: agentA }], + [{ companyId: companyA }], + ]), + toolDeps: { + toolDispatcher: { + listToolsForAgent: vi.fn(), + getTool: vi.fn(() => ({ name: "paperclip.example:search", pluginDbId: pluginId })), + executeTool, + }, + }, + }, + ); + + const res = await request(app) + .post("/api/plugins/tools/execute") + .send({ + tool: "paperclip.example:search", + parameters: { q: "test" }, + runContext: { agentId: agentA, runId: runA, companyId: companyA, projectId: projectA }, + }); + + expect(res.status).toBe(200); + expect(executeTool).toHaveBeenCalledWith( + "paperclip.example:search", + { q: "test" }, + { agentId: agentA, runId: runA, companyId: companyA, projectId: projectA }, + ); + }); + + it("rejects agent JWT when runContext.companyId is outside the agent's company scope", async () => { + const executeTool = vi.fn(); + const { app } = await createApp( + agentActor(), + {}, + { + db: createSelectQueueDb([]), + toolDeps: { + toolDispatcher: { + listToolsForAgent: vi.fn(), + getTool: vi.fn(() => ({ name: "paperclip.example:search", pluginDbId: pluginId })), + executeTool, + }, + }, + }, + ); + + const res = await request(app) + .post("/api/plugins/tools/execute") + .send({ + tool: "paperclip.example:search", + parameters: {}, + runContext: { agentId: agentA, runId: runA, companyId: companyB, projectId: projectA }, + }); + + expect(res.status).toBe(403); + expect(executeTool).not.toHaveBeenCalled(); + }); + + it("rejects agent JWT when runContext.agentId does not belong to runContext.companyId", async () => { + const otherAgent = "77777777-7777-4777-8777-777777777777"; + const executeTool = vi.fn(); + const { app } = await createApp( + agentActor(), + {}, + { + db: createSelectQueueDb([ + [{ companyId: companyB }], + ]), + toolDeps: { + toolDispatcher: { + listToolsForAgent: vi.fn(), + getTool: vi.fn(() => ({ name: "paperclip.example:search", pluginDbId: pluginId })), + executeTool, + }, + }, + }, + ); + + const res = await request(app) + .post("/api/plugins/tools/execute") + .send({ + tool: "paperclip.example:search", + parameters: {}, + runContext: { agentId: otherAgent, runId: runA, companyId: companyA, projectId: projectA }, + }); + + expect(res.status).toBe(403); + expect(executeTool).not.toHaveBeenCalled(); + }); }); diff --git a/server/src/routes/authz.ts b/server/src/routes/authz.ts index ec6c4962..d51a0993 100644 --- a/server/src/routes/authz.ts +++ b/server/src/routes/authz.ts @@ -31,6 +31,17 @@ export function assertBoardOrgAccess(req: Request) { throw forbidden("Company membership or instance admin access required"); } +export function assertBoardOrAgent(req: Request) { + if (req.actor.type === "agent") { + return; + } + if (req.actor.type === "board") { + assertBoardOrgAccess(req); + return; + } + throw forbidden("Board or agent access required"); +} + export function assertInstanceAdmin(req: Request) { assertBoard(req); if (req.actor.source === "local_implicit" || req.actor.isInstanceAdmin) { diff --git a/server/src/routes/plugins.ts b/server/src/routes/plugins.ts index c3f6265f..1c01bbba 100644 --- a/server/src/routes/plugins.ts +++ b/server/src/routes/plugins.ts @@ -11,8 +11,9 @@ * - Retrieving UI slot contributions for frontend rendering * - Discovering and executing plugin-contributed agent tools * - * All routes require board-level authentication, and sensitive instance-wide + * Most routes require board-level authentication, and sensitive instance-wide * mutations such as install/upgrade require instance-admin privileges. + * Plugin tool discovery and execution routes allow both board and agent access. * * @module server/routes/plugins * @see doc/plugins/PLUGIN_SPEC.md for the full plugin specification @@ -60,6 +61,7 @@ import { JsonRpcCallError, PLUGIN_RPC_ERROR_CODES } from "@paperclipai/plugin-sd import { assertAuthenticated, assertBoard, + assertBoardOrAgent, assertBoardOrgAccess, assertCompanyAccess, assertInstanceAdmin, @@ -878,7 +880,7 @@ export function pluginRoutes( * Errors: 501 if tool dispatcher is not configured */ router.get("/plugins/tools", async (req, res) => { - assertBoardOrgAccess(req); + assertBoardOrAgent(req); if (!toolDeps) { res.status(501).json({ error: "Plugin tool dispatch is not enabled" }); @@ -912,7 +914,7 @@ export function pluginRoutes( * - 502 if the plugin worker is unavailable or the RPC call fails */ router.post("/plugins/tools/execute", async (req, res) => { - assertBoardOrgAccess(req); + assertBoardOrAgent(req); if (!toolDeps) { res.status(501).json({ error: "Plugin tool dispatch is not enabled" });