From c2560483665b53fb7602825c26f96d8a311e1848 Mon Sep 17 00:00:00 2001
From: Asher Fink
Date: Mon, 8 Jun 2026 22:59:07 -0400
Subject: [PATCH] fix(events): collapse unauthorized-agent list to 404
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The list_events route gates on the parent agent via DAuthorizedQuery, which collapses a denied agent check to 404 — consistent with the other agent-gated routes — so the events filter can't be used to probe cross-tenant agent existence. Align the integration test, which still asserted 403, with this behavior.
---
 .../tests/integration/api/events/test_events_authz_api.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/agentex/tests/integration/api/events/test_events_authz_api.py b/agentex/tests/integration/api/events/test_events_authz_api.py
index 37463856..9ae02ce1 100644
--- a/agentex/tests/integration/api/events/test_events_authz_api.py
+++ b/agentex/tests/integration/api/events/test_events_authz_api.py
@@ -248,7 +248,7 @@ async def test_list_events_authorized_returns_200(
 "src.domain.services.authorization_service.AuthorizationService.is_enabled",
 return_value=True,
 )
- async def test_list_events_unauthorized_agent_returns_403(
+ async def test_list_events_unauthorized_agent_returns_404(
 self,
 is_enabled_authorization_mock,
 is_enabled_mock,
@@ -257,7 +257,6 @@ async def test_list_events_unauthorized_agent_returns_403(
 test_agent,
 test_task,
 ):
- """Direct-resource denials surface as 403 (convention from #249/#255)."""
 with patch(
 "src.utils.http_request_handler.HttpRequestHandler.post_with_error_handling",
 side_effect=_mock_post_factory(deny_agent_ids={test_agent.id}),
@@ -265,4 +264,6 @@ async def test_list_events_unauthorized_agent_returns_403(
 response = await isolated_client.get(
 f"/events?task_id={test_task.id}&agent_id={test_agent.id}"
 )
- assert response.status_code == 403
+ # Agent denial collapses to 404 so the filter can't reveal cross-tenant
+ # agent existence.
+ assert response.status_code == 404
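Review bot: The final assertion in this hunk pins only the status code, so the test would still pass if the denied-agent 404 carried a body that differs from the 404 returned for an agent that does not exist, which would leave the existence signal the commit message sets out to remove. Consider issuing the same request with an absent agent id and comparing the two responses, e.g. `missing = await isolated_client.get(f"/events?task_id={test_task.id}&agent_id=<nonexistent-agent-id>")` followed by `assert (response.status_code, response.json()) == (missing.status_code, missing.json())`, assuming the client's responses expose `.json()`. Whether the not-found body is stable enough for an exact comparison is not visible here, so the check may have to compare only the error shape. The docstring deleted in the previous hunk could be replaced rather than dropped, for example `"""Agent denials on list_events collapse to 404."""`, so the convention stays stated at the top of the test. The test's signature and the `with patch(...)` block begin outside this hunk.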