feat(rbac): Test suite

[jordan-umusu]

Summary by cubic

Expands the RBAC test suite with high-priority coverage for tenant isolation and scope boundary edge cases, and updates expectations so org-level scope queries include workspace-scoped assignments. This tightens cross-tenant separation and clarifies wildcard/action matching and error semantics.

• New Features

  • Backend: scope-based auth with @require_scope, action execution checks, user scopes endpoint (OSS), EE APIs for roles/groups/assignments, audit events, RBAC feature flag, and automatic seeding of system/preset roles and registry action scopes.
  • Frontend: ScopeProvider/ScopeGuard for gating, new Access control pages (org: roles, groups, scopes, assignments; workspace: roles, groups), updated Members and Invitations (role_id), create role/group dialogs, scoped sidebars, and error UI polish.
  • Tests: Added suites for tenant isolation (cross-org roles/groups/assignments visibility, wrong‑org workspace assignment, custom scope isolation), scope boundaries (wildcard and dot-prefix matching, exact segment matching, scope validation, error semantics, action scope checks, role hierarchy, per-request decision isolation), and aligned tests to include workspace‑scoped assignments in org‑level scope queries.

• Migration

  • Auth: Endpoints now require scopes—ensure users have appropriate roles/groups before rollout.
  • API: Invitations/assignments use role_id (not role); OrgMemberRead.role is now nullable/derived—update clients.
  • Seeding: System scopes and preset roles seed on startup; run registry sync to seed action scopes.
  • Dependencies: React and react-dom upgraded to 19—verify extensions/custom components for compatibility.

^{Written for commit b5d71f0. Summary will update on new commits.}

[blacksmith-sh]

Found 93 test failures on Blacksmith runners:

Failures

Test	View Logs
test_install_and_run_custom_remote_registry_flow/test_remote_custom_registry_repo	View Logs
test_scatter_interval/test_nested_scatter_with_intervals	View Logs
test_scatter_interval/test_scatter_interval_rate_limiting_use_case	View Logs
test_scatter_interval/test_scatter_interval_with_downstream_tasks	View Logs
test_scatter_interval/test_scatter_with_interval_basic	View Logs
test_scatter_interval/test_scatter_with_zero_interval	View Logs
test_scatter_interval/test_scatter_without_interval	View Logs
test_workflows/test_child_workflow_alias_with_loop[basic_alias]	View Logs
test_workflows/test_child_workflow_alias_with_loop[batch_size_2]	View Logs
test_workflows/test_child_workflow_alias_with_loop[sequential_alias]	View Logs
test_workflows/test_child_workflow_context_passing	View Logs
test_workflows/test_child_workflow_loop[batch]	View Logs
test_workflows/test_child_workflow_loop[parallel]	View Logs
test_workflows/test_child_workflow_loop[sequential]	View Logs
test_workflows/test_child_workflow_success	View Logs
test_workflows/test_child_workflow_with_expression_alias	View Logs
test_workflows/test_multiple_child_workflow_environments_have_correct_defaults	View Logs
test_workflows/test_multiple_child_workflow_override_environment_correct	View Logs
test_workflows/test_pull_based_workflow_fetches_latest_version	View Logs
test_workflows/test_scatter_with_child_workflow	View Logs
test_workflows/test_single_child_workflow_alias	View Logs
test_workflows/test_single_child_workflow_environment_has_correct_default	View Logs
test_workflows/test_single_child_workflow_get_correct_secret_environment	View Logs
test_workflows/test_single_child_workflow_override_environment_correct	View Logs
test_workflows/test_workflow_can_access_workspace_variables	View Logs
test_workflows/test_workflow_can_run_from_yaml[shared_adder_tree]	View Logs
test_workflows/test_workflow_can_run_from_yaml[shared_kite]	View Logs
test_workflows/test_workflow_can_run_from_yaml[shared_tree]	View Logs
test_workflows/ test_workflow_completes_and_correct[unit_conditional_adder_diamond_skip_with_join_weak_ dep]	View Logs
test_workflows/ test_workflow_completes_and_correct[unit_conditional_adder_tree_continues]	View Logs
test_workflows/ test_workflow_completes_and_correct[unit_conditional_adder_tree_skip_propagates]	View Logs
test_workflows/test_workflow_completes_and_correct[unit_conditional_adder_tree_skips]	View Logs
test_workflows/test_workflow_completes_and_correct[unit_transform_filter_dict]	View Logs
test_workflows/test_workflow_completes_and_correct[unit_transform_reshape_arrange]	View Logs
test_workflows/test_workflow_completes_and_correct[unit_transform_reshape_arrange_loop]	View Logs
test_workflows/test_workflow_completes_and_correct[unit_transform_reshape_loop]	View Logs
test_workflows/test_workflow_completes_and_correct[unit_transform_reshape_loop_chained]	View Logs
test_workflows/test_workflow_completes_and_correct[unit_transform_reshape_map_loop]	View Logs
test_workflows/test_workflow_completes_and_correct[unit_transform_reshape_zip]	View Logs
test_workflows/test_workflow_default_environment_correct	View Logs
test_workflows/test_workflow_detached_child_workflow	View Logs
test_workflows/test_workflow_env_and_trigger_access_in_stream	View Logs
test_workflows/test_workflow_environment_override	View Logs
test_workflows/test_workflow_error_handler_success[alias]	View Logs
test_workflows/test_workflow_error_handler_success[id]	View Logs
test_workflows/test_workflow_error_path[diamond_join_right_error-expected8]	View Logs
test_workflows/test_workflow_error_path[diamond_join_success-expected7]	View Logs
test_workflows/test_workflow_error_path[join_on_same_node_OK-expected6]	View Logs
test_workflows/test_workflow_error_path[multiple_errors_skipped_OK-expected4]	View Logs
test_workflows/test_workflow_error_path[run_if_skips_few_OK-expected1]	View Logs
test_workflows/test_workflow_error_path[run_if_skips_one_OK-expected5]	View Logs
test_workflows/test_workflow_error_path[simple_skip_error_OK-expected3]	View Logs
test_workflows/test_workflow_error_path[simple_skip_ok_ERR-expected2]	View Logs
test_workflows/test_workflow_error_path[simple_skip_ok_ERR_check_error_info-expected0]	View Logs
test_workflows/test_workflow_insert_table_row_success	View Logs
test_workflows/test_workflow_lookup_table_missing_value	View Logs
test_workflows/test_workflow_lookup_table_success	View Logs
test_workflows/test_workflow_multiple_entrypoints	View Logs
test_workflows/test_workflow_ordering_is_correct[unit_ordering_kite2]	View Logs
test_workflows/test_workflow_ordering_is_correct[unit_ordering_kite]	View Logs
test_workflows/test_workflow_override_environment_correct	View Logs
test_workflows/test_workflow_return_strategy[context-strategy]	View Logs
test_workflows/test_workflow_return_strategy[minimal-strategy]	View Logs
test_workflows/test_workflow_runs_template_for_each	View Logs
test_workflows/test_workflow_scatter_gather[1d-scatter-multi-condition]	View Logs
test_workflows/test_workflow_scatter_gather[2d-scatter-dag-inside]	View Logs
test_workflows/test_workflow_scatter_gather[basic-error-handling-include]	View Logs
test_workflows/test_workflow_scatter_gather[basic-error-handling-partition]	View Logs
test_workflows/test_workflow_scatter_gather[basic-for-loop]	View Logs
test_workflows/test_workflow_scatter_gather[empty-nonempty-parallel]	View Logs
test_workflows/test_workflow_scatter_gather[mixed-data-types]	View Logs
test_workflows/test_workflow_scatter_gather[nested-for-loop]	View Logs
test_workflows/test_workflow_scatter_gather[nested-mixed-empty-nonempty]	View Logs
test_workflows/test_workflow_scatter_gather[nested-scatter-empty-collection-inside]	View Logs
test_workflows/test_workflow_scatter_gather[nested-varying-sizes]	View Logs
test_workflows/test_workflow_scatter_gather[parallel-different-sizes]	View Logs
test_workflows/test_workflow_scatter_gather[parallel-scatter-gather-join]	View Logs
test_workflows/test_workflow_scatter_gather[run-if-stream-aware-context]	View Logs
test_workflows/test_workflow_scatter_gather[scatter-empty-collection-between]	View Logs
test_workflows/test_workflow_scatter_gather[scatter-gather-with-surrounding-actions]	View Logs
test_workflows/ test_workflow_scatter_gather[scatter-reshape-even-gather-drop-nulls-with-nones]	View Logs
test_workflows/test_workflow_scatter_gather[scatter-reshape-even-gather-drop-nulls]	View Logs
test_workflows/test_workflow_scatter_gather[scatter-reshape-even-gather]	View Logs
test_workflows/test_workflow_scatter_gather[scope-shadowing-stream-lookup]	View Logs
test_workflows/test_workflow_scatter_gather[sequential-scatter-gather]	View Logs
test_workflows/test_workflow_scatter_gather[skip-scatter-directly-only-first-runs]	View Logs
test_workflows/test_workflow_scatter_gather[variable-nesting-depths]	View Logs
test_workflows/test_workflow_set_environment_correct	View Logs
test_workflows/test_workflow_table_actions_in_loop	View Logs
test_workflows/test_workflow_time_anchor_deterministic_time_functions	View Logs
test_workflows/test_workflow_time_anchor_inherited_by_child_workflow	View Logs
test_workflows/test_workflow_trigger_defaults	View Logs
TestFailureScenarios/test_execute_raises_when_tarball_missing	View Logs

[jordan-umusu]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat(rbac): Test suite #2036 👈 (View in Graphite)
• feat(rbac): Add rbac frontend #1988
• feat(rbac): Add @require_scope decorators to all API endpoints #1987
• feat(rbac): Add RBAC service and API routers #1986
• feat(rbac): Seed registry scopes during sync #1985
• feat(rbac): RBAC auth layer #1984
• feat(rbac): Add database schema for RBAC tables #1983
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.