Testing
Commands
npm run typecheck
npm test
For database-backed tests, prepare the test database first:
npm run test:db:setup
Department-Isolation Harness
tests/department-isolation.test.ts is the regression harness for ADR-002.
It seeds two departments with separate users, namespaces, knowledge bases, documents, chunks, approvals, conversations, employee profiles, agent tasks, and traces. Then it checks that a department-A user cannot reach department-B data through:
- REST list endpoints;
- departmentId query filters;
- REST detail endpoints;
- REST mutation endpoints;
- analytics dashboard data;
- vector, question-vector, and keyword RAG retrieval;
- WebSocket subscriptions and stale namespace broadcasts.
Add new department-scoped endpoints to this harness before relying on manual review. The test should prove both sides:
- non-global users only get data inside their effective department scope;
- global users keep intentional cross-department access where the product needs it.
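
One way to express the two-sided check for the departmentId query filter, as an added example that is not the project's harness code. The User, Doc and Query types, the handler names, and the seed data are hypothetical in-memory stand-ins for the seeded fixtures.

```typescript
// Added example: in-memory stand-ins, not the project's routes or fixtures.
type User = { departmentId: string; isGlobal: boolean };
type Doc = { id: string; departmentId: string };
type Query = { departmentId?: string };
type ListHandler = (user: User, query: Query) => Doc[];

// Constructed seed data: one document per department.
const DOCS: Doc[] = [
  { id: "doc-a", departmentId: "dept-a" },
  { id: "doc-b", departmentId: "dept-b" },
];

// Leaky: a caller-supplied departmentId filter overrides the caller's scope.
const leakyList: ListHandler = (user, query) => {
  const dept = query.departmentId ?? (user.isGlobal ? undefined : user.departmentId);
  return DOCS.filter((d) => dept === undefined || d.departmentId === dept);
};

// Scoped: the filter can only narrow results inside the effective scope.
const scopedList: ListHandler = (user, query) =>
  DOCS.filter(
    (d) =>
      (user.isGlobal || d.departmentId === user.departmentId) &&
      (query.departmentId === undefined || d.departmentId === query.departmentId),
  );

// Checks both sides for one list handler and returns the violations found.
function checkIsolation(list: ListHandler): string[] {
  const employee: User = { departmentId: "dept-a", isGlobal: false };
  const globalUser: User = { departmentId: "dept-a", isGlobal: true };
  const violations: string[] = [];
  const queries: Query[] = [{}, { departmentId: "dept-b" }];

  // Side 1: a non-global user never receives another department's rows.
  for (const query of queries) {
    const foreign = list(employee, query).filter((d) => d.departmentId !== employee.departmentId);
    if (foreign.length > 0) {
      violations.push(`non-global user read ${foreign.map((d) => d.id).join(",")}`);
    }
  }
  // A handler that returns nothing would pass side 1, so require own-department data.
  if (list(employee, {}).length !== 1) violations.push("non-global user lost own data");

  // Side 2: a global user keeps intentional cross-department access.
  if (list(globalUser, {}).length !== DOCS.length) violations.push("global user lost list access");
  if (list(globalUser, { departmentId: "dept-b" }).length !== 1) violations.push("global user lost filter");
  return violations;
}
```

Checking own-department data and the global user's access alongside the denial case keeps a handler that simply returns nothing from passing.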
Focused Security Tests
- tests/auth.test.ts covers registration role stripping, JWT expiry config, and auth failures.
- tests/cors.test.ts covers exact-origin ALLOWED_ORIGINS behavior.
- tests/errorHandler.test.ts covers structured provider and application error envelopes.
- tests/department-scope-plugin.test.ts covers request decoration for employee and global scopes.
- tests/websocket.test.ts covers first-message JWT authentication and agent-task event delivery.