MrSphay/odysseus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ffb77d7ff21794840b72bf11eb1916e6359cd50d
odysseus/tests
History
Mahdi Salmanzade 66cd44b66d fix(research): gate /api/research/spinoff on session ownership (#878) 
The spinoff endpoint authenticated the caller (_require_user) but never
verified the research session belonged to them before reading the
persisted report and seeding it into a new chat session owned by the
caller. Any authenticated user who knew or guessed another user's
research session ID could exfiltrate that user's full report into their
own session — a cross-user data disclosure (IDOR).

Every other endpoint in this router gates on _owns_in_memory /
_assert_owns_research right after validating the session ID; spinoff was
the lone exception. Add the same _owns_in_memory check (covers both the
in-memory task and the on-disk JSON) so a non-owner gets a 404 before any
data is read or a session is created.

Add regression tests pinning the anonymous (401) and wrong-owner (404)
cases.
2026-06-02 12:26:12 +09:00
..
bombadil-spec.ts
Odysseus v1.0
2026-05-31 23:58:26 +09:00
conftest.py
Odysseus v1.0
2026-05-31 23:58:26 +09:00
test_action_intents.py
Route calendar action requests to tools
2026-06-01 14:32:41 +09:00
test_agent_loop.py
Fix native tool-calling follow-up round on Gemini and Ollama (#867)
2026-06-02 11:39:40 +09:00
test_app_static_mime.py
fix: normalize JS static MIME types on Windows
2026-06-02 01:32:00 +02:00
test_app.py
Fix fresh checkout test failures
2026-06-01 02:22:17 +00:00
test_auth_event_loop.py
Stabilize security regression tests
2026-06-02 05:48:59 +09:00
test_auth_regressions.py
fix(research): gate /api/research/spinoff on session ownership (#878)
2026-06-02 12:26:12 +09:00
test_auth_session_revocation.py
Stabilize auth session revocation tests
2026-06-02 06:02:49 +09:00
test_backup_cli_security.py
Harden backup restore tar extraction
2026-06-02 05:55:03 +09:00
test_calendar_owner_scope.py
Stabilize security regression tests
2026-06-02 05:48:59 +09:00
test_calendar_recurrence.py
Fix YEARLY recurring CalDAV events only showing on DTSTART year (#179)
2026-06-01 13:42:44 +09:00
test_chat_stream_scope.py
Fix chat stream recovery and PDF library indexing (#468)
2026-06-01 22:33:35 +09:00
test_chroma_client.py
fix: ChromaDB unreachable blocks app startup for 30-60s (#326) (#476)
2026-06-01 22:22:41 +09:00
test_companion_readonly.py
Add read-only companion endpoints (ping/info/owner-scoped models) (#863)
2026-06-02 11:20:53 +09:00
test_compare_js.py
Fix duplicate compare modal on repeated clicks (#491)
2026-06-01 22:24:27 +09:00
test_context_compactor.py
Preserve large pasted messages in context
2026-06-01 12:38:35 +09:00
test_cookbook_helpers.py
fix(cookbook): skip pip --user fallback inside virtualenvs (#388) (#889)
2026-06-02 12:23:20 +09:00
test_ddg_redirect_resolution.py
Match host, not substring, when resolving DuckDuckGo redirects (#886)
2026-06-02 12:25:56 +09:00
test_deep_research_extraction_controls.py
Allow longer deep research extraction timeouts (#651)
2026-06-02 11:50:03 +09:00
test_document_deeplink.py
fix: open #document deep-links on refresh and surface load errors (#631)
2026-06-02 11:48:54 +09:00
test_document_tool_owner_scope.py
Scope document tools to caller owner
2026-06-02 06:00:02 +09:00
test_endpoint_resolver.py
Never resolve to a disabled endpoint model (#861)
2026-06-02 11:10:43 +09:00
test_esc_menu_stack_js.py
fix: make transient dropdown/popup menus close on Escape
2026-06-01 14:23:22 -04:00
test_gallery_image_privileges.py
Gate image editor AI endpoints by privilege (#447)
2026-06-01 22:35:24 +09:00
test_history_topics_owner_scope.py
fix(history): scope topic analysis to authenticated owner only (#744)
2026-06-02 11:36:01 +09:00
test_hwfit_macos.py
fix: require GGUF sources for llama downloads (#368)
2026-06-01 22:47:47 +09:00
test_keybind_altgr_js.py
Ignore AltGr keystrokes in Ctrl+Alt keyboard shortcuts (#825)
2026-06-02 11:12:54 +09:00
test_llm_core_anthropic_cache.py
Add Anthropic prompt caching to the agent loop (#812)
2026-06-02 11:14:31 +09:00
test_llm_core_concurrency.py
Make LLM host health maps thread-safe
2026-06-02 05:54:23 +09:00
test_llm_core_fallback.py
Surface silent model fallback instead of masking it (#868)
2026-06-02 11:37:25 +09:00
test_llm_core_ollama.py
Fix native tool-calling follow-up round on Gemini and Ollama (#867)
2026-06-02 11:39:40 +09:00
test_llm_core_reasoning.py
Support vLLM 0.20.2 / NIM reasoning-parser output end-to-end (surface + agent context + render) (#602)
2026-06-02 11:48:17 +09:00
test_llm_core_sanitize_tool_calls.py
Keep no-prose assistant tool-call messages through _sanitize_llm_messages (#862)
2026-06-02 11:17:22 +09:00
test_llm_core_streaming.py
Fix native tool-calling follow-up round on Gemini and Ollama (#867)
2026-06-02 11:39:40 +09:00
test_local_endpoint_js.py
fix: don't bill self-hosted models reached by a container/service hostname (#596)
2026-06-02 11:47:58 +09:00
test_markdown_rendering_js.py
Fix ordered list rendering in markdown preview (#645)
2026-06-02 11:49:44 +09:00
test_markitdown_runtime.py
Add optional markitdown extraction for Office/EPUB documents (#766)
2026-06-02 11:28:52 +09:00
test_mcp_manager.py
fix: add Browser MCP connection diagnostics (#662)
2026-06-02 11:50:17 +09:00
test_memory_bullet_extraction.py
Fix AttributeError on bullet lines in extract_memory_from_chat (#873)
2026-06-02 11:46:06 +09:00
test_memory_extractor_vector_degraded.py
fix: data integrity — deep-research result parsing + memory-extraction durability (#808)
2026-06-02 11:27:31 +09:00
test_model_context.py
Refresh local model context after restart
2026-06-02 05:54:06 +09:00
test_model_routes.py
Improve Ollama endpoint error messages
2026-06-02 05:53:50 +09:00
test_null_owner_gates.py
fix(security): fail closed on null-owner session in sync-chat endpoint (#870)
2026-06-02 11:38:05 +09:00
test_og_image_extraction.py
fix: source thumbnails dropped for http-only og:image URLs (#667)
2026-06-02 11:41:33 +09:00
test_ollama_port_detection.py
Add Ollama port path detection regressions (#883)
2026-06-02 12:24:18 +09:00
test_pdf_runtime.py
Show a clear message when PyMuPDF is missing
2026-06-01 18:27:17 +09:00
test_personal_docs_office_index.py
Add optional markitdown extraction for Office/EPUB documents (#766)
2026-06-02 11:28:52 +09:00
test_personal_docs_pdf_index.py
Fix chat stream recovery and PDF library indexing (#468)
2026-06-01 22:33:35 +09:00
test_personal_upload_isolation.py
Scope personal RAG uploads by owner (#446)
2026-06-01 22:36:53 +09:00
test_provider_detection.py
Provider detection: match by hostname instead of substring (re #768) (#815)
2026-06-02 11:11:17 +09:00
test_rate_limiter.py
Odysseus v1.0
2026-05-31 23:58:26 +09:00
test_reply_recipients_js.py
fix: reply-all Cc's the user's own other addresses (multi-account) (#672)
2026-06-02 11:42:20 +09:00
test_research_query_fallback.py
Deep research: don't treat a bare 'yes' as the research topic (#858)
2026-06-02 11:30:53 +09:00
test_research_service.py
fix: data integrity — deep-research result parsing + memory-extraction durability (#808)
2026-06-02 11:27:31 +09:00
test_research_session_id_validation.py
fix(research): validate session_id to block path traversal
2026-06-01 23:25:38 +01:00
test_research_utils.py
fix: deep research discards valid sources mentioning cookies/copyright (#481)
2026-06-01 22:26:37 +09:00
test_reserved_username_admin_escalation.py
Reserve internal sentinel usernames
2026-06-02 05:58:58 +09:00
test_resolve_endpoint_fallbacks.py
Add resolve_endpoint fallback chain regressions (#890)
2026-06-02 12:24:50 +09:00
test_review_regressions.py
Restrict provider discovery to admins
2026-06-02 05:54:40 +09:00
test_scheduler_restart_doublefire.py
fix(scheduler): push next_run forward on startup to stop restart double-fire (#708)
2026-06-02 11:43:30 +09:00
test_search_cache_invalidation.py
Fix invalidate_search_cache using a key that never matches stored entries (#852)
2026-06-02 10:53:33 +09:00
test_search_query.py
Fix year extraction in research queries
2026-06-01 23:09:41 +09:00
test_search_ranking.py
Odysseus v1.0
2026-05-31 23:58:26 +09:00
test_security_regressions.py
fix: scope chat active-document lookup to the session owner (#569)
2026-06-02 11:46:40 +09:00
test_session_mode_helpers.py
Fix database stubs in regression tests (#301)
2026-06-01 16:55:09 +09:00
test_session_owner_attribution.py
Attribute API-token sessions to the token owner (effective_user) (#871)
2026-06-02 11:39:01 +09:00
test_settings_scrub.py
Deep-scrub secrets from public settings
2026-06-01 23:11:50 +09:00
test_setup_admin_user.py
Normalize setup admin username (#448)
2026-06-01 22:38:56 +09:00
test_shell_routes.py
Expose Cookbook user-install CLIs in Docker (#887)
2026-06-02 12:23:29 +09:00
test_skill_index_prompt_injection.py
fix(agent-loop): wrap matched skills + skill index in untrusted user-role message (#788)
2026-06-02 11:15:45 +09:00
test_skills_manager_owner_isolation.py
fix(skills): scope skill reads to caller owner (#777)
2026-06-02 11:21:27 +09:00
test_speech_service_toggles.py
Honor disabled speech service toggles (#814)
2026-06-02 10:44:39 +09:00
test_task_scheduler_session_delivery.py
Fix test suite: ESM module loading and stub isolation (#844)
2026-06-02 11:29:29 +09:00
test_topic_analyzer.py
fix: topic analysis false-matches keywords as substrings (e.g. 'ai' in 'email') (#687)
2026-06-02 11:42:04 +09:00
test_vault_password_not_in_argv.py
fix(security): stop leaking the vault master password via process argv (#879)
2026-06-02 12:25:43 +09:00
test_vision_model_detection.py
Recognize local vision models so their images aren't dropped (#185)
2026-06-01 13:09:21 +09:00
test_visual_report.py
Fix visual report chapter navigation (#505)
2026-06-01 22:26:13 +09:00
test_webhook_trigger_auth_exempt.py
Exempt task webhook trigger from session auth (#784)
2026-06-02 11:23:40 +09:00