import json from conftest import client, use_jwt_auth, use_work_vault def test_path_restricted_token_allows_daily_command_from_obsidian_config(monkeypatch, tmp_path): vault = tmp_path / "vault" config = vault / ".obsidian" config.mkdir(parents=True) (config / "daily-notes.json").write_text(json.dumps({"folder": "00. Journal", "format": "YYYY-MM-DD"})) use_work_vault(monkeypatch, vault) token = use_jwt_auth(monkeypatch, {"sub": "daily", "commands": ["daily:append"], "vaults": ["work"], "paths": ["00. Journal/"]}) response = client.post( "/commands", headers={"Authorization": f"Bearer {token}"}, json={"args": ["vault=work", "daily:append", "content=ok"], "cwd": str(vault)}, ) assert response.status_code == 200 assert response.json()["command"] == ["python", "vault=work", "daily:append", "content=ok"] def test_path_restricted_token_allows_vault_info_command(monkeypatch): token = use_jwt_auth(monkeypatch, {"sub": "daily", "commands": ["daily:append", "vault", "vaults"], "vaults": ["*"], "paths": ["00. Journal/"]}) response = client.post( "/commands", headers={"Authorization": f"Bearer {token}"}, json={"args": ["vault"]}, ) assert response.status_code == 200 assert response.json()["command"] == ["python", "vault"] response = client.post( "/commands", headers={"Authorization": f"Bearer {token}"}, json={"args": ["vaults"]}, ) assert response.status_code == 200 assert response.json()["command"] == ["python", "vaults"] def test_path_restricted_token_denies_daily_command_outside_obsidian_config(monkeypatch, tmp_path): vault = tmp_path / "vault" config = vault / ".obsidian" config.mkdir(parents=True) (config / "daily-notes.json").write_text(json.dumps({"folder": "Journal", "format": "YYYY-MM-DD"})) use_work_vault(monkeypatch, vault) token = use_jwt_auth(monkeypatch, {"sub": "daily", "commands": ["daily:append"], "vaults": ["work"], "paths": ["00. Journal/"]}) response = client.post( "/commands", headers={"Authorization": f"Bearer {token}"}, json={"args": ["vault=work", "daily:append", "content=ok"], "cwd": str(vault)}, ) assert response.status_code == 403 assert response.json()["detail"].startswith("token is not allowed to access path: Journal/")