Fix staging impersonation and integration timeouts

julianknutsen · julianknutsen · commit da4ae1a23cf3 · 2026-04-08T07:05:00.000+02:00
diff --git a/Makefile b/Makefile
@@ -18,6 +18,7 @@ BUILD_TIME := $(shell date -u +"%Y-%m-%dT%H:%M:%SZ")
 
 # Set to "true" to enable inference UI in CLI and web.
 INFER_ENABLED ?= false
+INTEGRATION_TIMEOUT ?= 45m
 
 LDFLAGS := -X main.version=$(VERSION) \
            -X main.commit=$(COMMIT) \
@@ -78,11 +79,11 @@ test:
 
 ## test-integration: run all tests including integration
 test-integration:
-	go test -tags integration -timeout 20m ./...
+	go test -tags integration -timeout $(INTEGRATION_TIMEOUT) ./...
 
 ## test-integration-offline: run offline integration tests only (no network, requires dolt)
 test-integration-offline:
-	go test -tags integration -v -timeout 20m ./internal/remote/ ./test/integration/offline/
+	go test -tags integration -v -timeout $(INTEGRATION_TIMEOUT) ./internal/remote/ ./test/integration/offline/
 
 ## test-cover: run tests with coverage output
 test-cover:
diff --git a/cmd/wl/cmd_accept.go b/cmd/wl/cmd_accept.go
@@ -29,6 +29,9 @@ The item must be in 'in_review' status.
 A stamp is created with quality and optional reliability ratings (1-5),
 severity (leaf/branch/root), and optional skill tags.
 
+Self-stamps are not allowed. If you completed the item yourself, use
+'wl close' instead.
+
 In wild-west mode the commit is auto-pushed to upstream and origin.
 Use --no-push to skip pushing (offline work).
 
@@ -114,7 +117,11 @@ func runAccept(cmd *cobra.Command, stdout, _ io.Writer, wantedID string, quality
 	}
 
 	renderMutationResult(stdout, "Accepted", wantedID, result, extras...)
-	printNextHint(stdout, "Next: stamp issued. View: wl status "+wantedID)
+	nextHint := "Next: stamp issued. View: wl status " + wantedID
+	if result.Detail == nil || result.Detail.Stamp == nil {
+		nextHint = "Next: item completed without a stamp. View: wl status " + wantedID
+	}
+	printNextHint(stdout, nextHint)
 
 	return nil
 }
diff --git a/cmd/wl/cmd_accept_upstream.go b/cmd/wl/cmd_accept_upstream.go
@@ -28,6 +28,9 @@ This adopts the submitter's upstream PR into the main wanted item, creates a
 completion record, and issues a stamp. The submitter must currently have an
 in-review upstream submission for the wanted item.
 
+Self-stamps are not allowed. If the submitter is you, use 'wl close-upstream'
+instead.
+
 Examples:
   wl accept-upstream w-abc123 charlie --quality 4
   wl accept-upstream w-abc123 charlie --quality 5 --reliability 4 --severity branch
diff --git a/internal/commons/lifecycle.go b/internal/commons/lifecycle.go
@@ -157,7 +157,7 @@ func CanPerformTransition(item *WantedItem, t Transition, actor string) bool {
 	case TransitionDone:
 		return item.ClaimedBy == actor
 	case TransitionAccept:
-		return isPoster || isAdmin
+		return (isPoster || isAdmin) && item.ClaimedBy != actor
 	case TransitionReject:
 		return isPoster || isAdmin
 	case TransitionClose:
diff --git a/internal/commons/lifecycle_test.go b/internal/commons/lifecycle_test.go
@@ -122,8 +122,8 @@ func TestCanPerformTransition_Accept(t *testing.T) {
 		PostedBy:  "poster",
 		ClaimedBy: "poster",
 	}
-	if !CanPerformTransition(selfItem, TransitionAccept, "poster") {
-		t.Error("poster should be able to accept own claimed work")
+	if CanPerformTransition(selfItem, TransitionAccept, "poster") {
+		t.Error("poster should not be able to accept own claimed work")
 	}
 	if CanPerformTransition(item, TransitionAccept, "claimer") {
 		t.Error("claimer should not be able to accept without poster/admin rights")
@@ -161,8 +161,8 @@ func TestCanPerformTransition_Admin(t *testing.T) {
 		PostedBy:  "poster",
 		ClaimedBy: "csells",
 	}
-	if !CanPerformTransition(selfItem, TransitionAccept, "csells") {
-		t.Error("admin who claimed should be able to accept")
+	if CanPerformTransition(selfItem, TransitionAccept, "csells") {
+		t.Error("admin who claimed should not be able to accept")
 	}
 	// Admin cannot delete (poster-only).
 	openItem := &WantedItem{
diff --git a/internal/hosted/auth.go b/internal/hosted/auth.go
@@ -143,13 +143,9 @@ func (s *Server) AuthMiddleware(next http.Handler) http.Handler {
 		s.sessions.RememberActiveUpstream(sessionID, upstream)
 		r.Header.Set("X-Wasteland", upstream)
 
-		// Staging-only impersonation: X-Impersonate header overrides rig handle
-		// for read-only requests so operators can see the UI as another user.
+		// Staging-only impersonation: X-Impersonate overrides the rig handle so
+		// operators can exercise the UI and backend flows as another user.
 		if impersonate := r.Header.Get("X-Impersonate"); impersonate != "" && s.environment == "staging" {
-			if r.Method != http.MethodGet {
-				writeJSON(w, http.StatusForbidden, map[string]string{"error": "impersonation is read-only"})
-				return
-			}
 			slog.Info("staging impersonation active", "real", client.RigHandle(), "impersonate", impersonate)
 			client = client.WithRigHandle(impersonate)
 		}
diff --git a/internal/hosted/auth_test.go b/internal/hosted/auth_test.go
@@ -997,7 +997,7 @@ func TestAuthMiddleware_Impersonate_Staging_PreservesResolvedViewerIdentity(t *t
 	}
 }
 
-func TestAuthMiddleware_Impersonate_Staging_POST_Blocked(t *testing.T) {
+func TestAuthMiddleware_Impersonate_Staging_POST_Allowed(t *testing.T) {
 	sessions, ts := setupStagingTestServer(t)
 	sessionID, _ := sessions.Create("conn-1")
 
@@ -1012,9 +1012,18 @@ func TestAuthMiddleware_Impersonate_Staging_POST_Blocked(t *testing.T) {
 	}
 	defer resp.Body.Close() //nolint:errcheck // test cleanup
 
-	if resp.StatusCode != http.StatusForbidden {
+	if resp.StatusCode != http.StatusOK {
 		body, _ := io.ReadAll(resp.Body)
-		t.Errorf("expected 403, got %d: %s", resp.StatusCode, string(body))
+		t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(body))
+	}
+
+	var result map[string]string
+	_ = json.NewDecoder(resp.Body).Decode(&result)
+	if result["rig_handle"] != "bob" {
+		t.Errorf("expected impersonated rig_handle=bob, got %s", result["rig_handle"])
+	}
+	if result["viewer"] != "alice" {
+		t.Errorf("expected resolved viewer=alice, got %s", result["viewer"])
 	}
 }
 
diff --git a/internal/hosted/authservice_integration_test.go b/internal/hosted/authservice_integration_test.go
@@ -138,6 +138,91 @@ func (f *fakeAuthService) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	http.Error(w, "not found", http.StatusNotFound)
 }
 
+func setupAuthServiceStagingMiddlewareTestServer(t *testing.T) (*SessionStore, *httptest.Server) {
+	t.Helper()
+
+	authStub := &fakeAuthService{t: t}
+	authTS := httptest.NewServer(authStub)
+	t.Cleanup(authTS.Close)
+
+	authClient := dolthubauth.NewClient(dolthubauth.ClientConfig{
+		BaseURL:      authTS.URL,
+		TenantID:     "tenant-1",
+		Environment:  "staging",
+		KeyID:        "kid-1",
+		SharedSecret: "shared-secret",
+		Now: func() time.Time {
+			return time.Date(2026, 4, 8, 12, 0, 0, 0, time.UTC)
+		},
+	})
+
+	sessions := NewSessionStore()
+	resolver := NewAuthServiceWorkspaceResolver(authClient, sessions)
+	t.Cleanup(resolver.Stop)
+
+	hostedServer := NewAuthServiceServer(resolver, sessions, authClient, "session-secret", "subject-secret", "staging")
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		client, ok := ClientFromContext(r.Context())
+		if !ok {
+			w.WriteHeader(http.StatusInternalServerError)
+			return
+		}
+		scope, _ := api.ResolvedReadIdentityFromContext(r.Context())
+		writeJSON(w, http.StatusOK, map[string]string{
+			"rig_handle": client.RigHandle(),
+			"upstream":   scope.Upstream,
+			"viewer":     scope.Viewer,
+		})
+	})
+
+	mux := http.NewServeMux()
+	mux.Handle("/", hostedServer.AuthMiddleware(inner))
+	ts := httptest.NewServer(mux)
+	t.Cleanup(ts.Close)
+	return sessions, ts
+}
+
+func TestAuthServiceAuthMiddleware_Impersonate_Staging_POST_Allowed(t *testing.T) {
+	sessions, ts := setupAuthServiceStagingMiddlewareTestServer(t)
+	sessionID, err := sessions.CreateWithSubject("conn-1", "subject-1")
+	if err != nil {
+		t.Fatalf("CreateWithSubject() error = %v", err)
+	}
+
+	req, err := http.NewRequest(http.MethodPost, ts.URL+"/api/wanted", nil)
+	if err != nil {
+		t.Fatalf("new request: %v", err)
+	}
+	req.AddCookie(&http.Cookie{Name: cookieName, Value: SignSessionCookie(sessionID, "conn-1", "session-secret")})
+	req.AddCookie(&http.Cookie{Name: subjectCookieName, Value: SignSubjectID("subject-1", "subject-secret")})
+	req.Header.Set("X-Wasteland", "hop/wl-commons")
+	req.Header.Set("X-Impersonate", "bob")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		t.Fatalf("POST /api/wanted: %v", err)
+	}
+	defer func() { _ = resp.Body.Close() }()
+	if resp.StatusCode != http.StatusOK {
+		body, _ := io.ReadAll(resp.Body)
+		t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(body))
+	}
+
+	var result map[string]string
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if result["rig_handle"] != "bob" {
+		t.Fatalf("rig_handle = %q, want bob", result["rig_handle"])
+	}
+	if result["viewer"] != "alice" {
+		t.Fatalf("viewer = %q, want alice", result["viewer"])
+	}
+	if result["upstream"] == "" {
+		t.Fatal("expected resolved upstream to be set")
+	}
+}
+
 func TestAuthServiceHostedEndToEnd(t *testing.T) {
 	authStub := &fakeAuthService{t: t}
 	authTS := httptest.NewServer(authStub)
diff --git a/internal/hosted/authservice_server.go b/internal/hosted/authservice_server.go
@@ -547,10 +547,6 @@ func (s *AuthServiceServer) AuthMiddleware(next http.Handler) http.Handler {
 		r.Header.Set("X-Wasteland", upstream)
 
 		if impersonate := r.Header.Get("X-Impersonate"); impersonate != "" && s.environment == "staging" {
-			if r.Method != http.MethodGet {
-				writeJSON(w, http.StatusForbidden, map[string]string{"error": "impersonation is read-only"})
-				return
-			}
 			client = client.WithRigHandle(impersonate)
 		}
 
diff --git a/internal/sdk/additional_test.go b/internal/sdk/additional_test.go
@@ -851,6 +851,42 @@ func TestCloseUpstream(t *testing.T) {
 	}
 }
 
+func TestCloseUpstream_SelfAllowed(t *testing.T) {
+	db := newFakeDB()
+	db.seedItem(fakeItem{ID: "w-1", Title: "Fix bug", Status: "in_review", PostedBy: "alice", EffortLevel: "medium"})
+
+	c := New(ClientConfig{
+		DB:        db,
+		RigHandle: "charlie",
+		Mode:      "wild-west",
+		ListPendingItems: pendingItems(map[string][]PendingItem{
+			"w-1": {{
+				RigHandle:   "charlie",
+				Status:      "in_review",
+				CompletedBy: "charlie",
+				Evidence:    "proof",
+			}},
+		}),
+	})
+
+	result, err := c.CloseUpstream("w-1", "charlie")
+	if err != nil {
+		t.Fatalf("CloseUpstream() error = %v", err)
+	}
+	if result.Detail == nil || result.Detail.Item == nil {
+		t.Fatal("CloseUpstream() should return detail with item")
+	}
+	if result.Detail.Item.Status != "completed" {
+		t.Fatalf("status = %q, want completed", result.Detail.Item.Status)
+	}
+	if db.completions["w-1"].CompletedBy != "charlie" {
+		t.Fatalf("completion = %q, want charlie", db.completions["w-1"].CompletedBy)
+	}
+	if db.completions["w-1"].StampID != "" {
+		t.Fatalf("stamp_id = %q, want empty", db.completions["w-1"].StampID)
+	}
+}
+
 func TestFindUpstreamSubmissionErrorsAndLeaderboard(t *testing.T) {
 	t.Run("find upstream submission errors", func(t *testing.T) {
 		c := New(ClientConfig{DB: newFakeDB(), RigHandle: "alice"})
diff --git a/internal/sdk/lifecycle_test.go b/internal/sdk/lifecycle_test.go
@@ -73,7 +73,7 @@ func TestAvailableActions(t *testing.T) {
 		{"in_review/poster", "in_review", "alice", "bob", "alice", []string{"accept", "reject", "close"}},
 		{"in_review/claimer", "in_review", "alice", "bob", "bob", []string{}},
 		{"in_review/other", "in_review", "alice", "bob", "carol", []string{}},
-		{"in_review/poster=claimer", "in_review", "alice", "alice", "alice", []string{"accept", "reject", "close"}},
+		{"in_review/poster=claimer", "in_review", "alice", "alice", "alice", []string{"reject", "close"}},
 
 		// --- completed ---
 		{"completed/poster", "completed", "alice", "bob", "alice", []string{}},
diff --git a/internal/sdk/mutations.go b/internal/sdk/mutations.go
@@ -74,6 +74,11 @@ func (c *Client) Accept(wantedID string, input AcceptInput) (*MutationResult, er
 	if completion == nil {
 		return nil, fmt.Errorf("no completion found for item %s", wantedID)
 	}
+	if completion.CompletedBy == c.rigHandle {
+		return nil, &commons.ConflictError{
+			Message: fmt.Sprintf("cannot issue a stamp to yourself; use \"wl close %s\"", wantedID),
+		}
+	}
 
 	stamp := &commons.Stamp{
 		ID:          commons.GeneratePrefixedID("s", wantedID, c.rigHandle),
@@ -128,6 +133,11 @@ func (c *Client) AcceptUpstream(wantedID, submitterHandle string, input AcceptIn
 	if match.CompletedBy == "" {
 		return nil, fmt.Errorf("submission has no completion data")
 	}
+	if match.CompletedBy == c.rigHandle {
+		return nil, &commons.ConflictError{
+			Message: fmt.Sprintf("cannot issue a stamp to yourself; use \"wl close-upstream %s %s\"", wantedID, submitterHandle),
+		}
+	}
 
 	completionID := commons.GeneratePrefixedID("c", wantedID, match.CompletedBy)
 	stamp := &commons.Stamp{
@@ -184,9 +194,6 @@ func (c *Client) CloseUpstream(wantedID, submitterHandle string) (*MutationResul
 	if match.CompletedBy == "" {
 		return nil, fmt.Errorf("submission has no completion data")
 	}
-	if submitterHandle == c.rigHandle {
-		return nil, fmt.Errorf("cannot close your own completion")
-	}
 
 	completionID := commons.GeneratePrefixedID("c", wantedID, match.CompletedBy)
 	stmts := commons.CloseUpstreamDML(wantedID, completionID, match.CompletedBy, match.Evidence, c.hopURI)
diff --git a/internal/sdk/sdk_test.go b/internal/sdk/sdk_test.go
@@ -1,6 +1,7 @@
 package sdk
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"strings"
@@ -1609,6 +1610,27 @@ func TestClose_WildWest(t *testing.T) {
 	}
 }
 
+func TestAccept_SelfRequiresClose(t *testing.T) {
+	db := newFakeDB()
+	db.seedItem(fakeItem{ID: "w-1", Title: "Fix bug", Status: "in_review", ClaimedBy: "alice", PostedBy: "alice", EffortLevel: "medium"})
+	db.completions["w-1"] = &fakeCompletion{ID: "c-1", WantedID: "w-1", CompletedBy: "alice", Evidence: "proof"}
+
+	c := New(ClientConfig{DB: db, RigHandle: "alice", Mode: "wild-west"})
+
+	_, err := c.Accept("w-1", AcceptInput{Quality: 4, Reliability: 4})
+	if err == nil {
+		t.Fatal("expected error, got nil")
+	}
+
+	var conflict *commons.ConflictError
+	if !errors.As(err, &conflict) {
+		t.Fatalf("expected ConflictError, got %T: %v", err, err)
+	}
+	if got, want := conflict.Error(), `cannot issue a stamp to yourself; use "wl close w-1"`; got != want {
+		t.Fatalf("conflict = %q, want %q", got, want)
+	}
+}
+
 func TestDelete_WildWest(t *testing.T) {
 	db := newFakeDB()
 	db.seedItem(fakeItem{ID: "w-1", Title: "Fix bug", Status: "open", PostedBy: "alice", EffortLevel: "medium"})
@@ -2082,7 +2104,7 @@ func TestAcceptUpstream_MainInReview_ForkInReview(t *testing.T) {
 	}
 }
 
-func TestAcceptUpstream_SelfAcceptAllowed(t *testing.T) {
+func TestAcceptUpstream_SelfRequiresCloseUpstream(t *testing.T) {
 	db := newFakeDB()
 	db.seedItem(fakeItem{ID: "w-1", Title: "Fix bug", Status: "in_review", PostedBy: "alice", EffortLevel: "medium"})
 
@@ -2095,21 +2117,17 @@ func TestAcceptUpstream_SelfAcceptAllowed(t *testing.T) {
 		}),
 	})
 
-	result, err := c.AcceptUpstream("w-1", "charlie", AcceptInput{Quality: 4, Reliability: 4, Severity: "leaf"})
-	if err != nil {
-		t.Fatalf("AcceptUpstream: %v", err)
-	}
-	if result.Detail.Item.Status != "completed" {
-		t.Errorf("expected completed, got %s", result.Detail.Item.Status)
-	}
-	if db.completions["w-1"].CompletedBy != "charlie" {
-		t.Errorf("expected charlie completion, got %s", db.completions["w-1"].CompletedBy)
+	_, err := c.AcceptUpstream("w-1", "charlie", AcceptInput{Quality: 4, Reliability: 4, Severity: "leaf"})
+	if err == nil {
+		t.Fatal("expected error, got nil")
 	}
-	if db.completions["w-1"].ValidatedBy != "charlie" {
-		t.Errorf("validated_by = %q, want %q", db.completions["w-1"].ValidatedBy, "charlie")
+
+	var conflict *commons.ConflictError
+	if !errors.As(err, &conflict) {
+		t.Fatalf("expected ConflictError, got %T: %v", err, err)
 	}
-	if db.completions["w-1"].StampID == "" {
-		t.Fatal("expected stamp id to be recorded")
+	if got, want := conflict.Error(), `cannot issue a stamp to yourself; use "wl close-upstream w-1 charlie"`; got != want {
+		t.Fatalf("conflict = %q, want %q", got, want)
 	}
 }
 
diff --git a/internal/tui/tui_test.go b/internal/tui/tui_test.go
diff --git a/test/integration/offline/lifecycle_test.go b/test/integration/offline/lifecycle_test.go
diff --git a/web/src/components/Layout.test.tsx b/web/src/components/Layout.test.tsx
diff --git a/web/src/components/Layout.tsx b/web/src/components/Layout.tsx

Original file line number	Diff line number	Diff line change
`@@ -122,8 +122,8 @@ func TestCanPerformTransition_Accept(t *testing.T) {`
`122`	`122`	`PostedBy: "poster",`
`123`	`123`	`ClaimedBy: "poster",`
`124`	`124`	`}`
`125`		`- if !CanPerformTransition(selfItem, TransitionAccept, "poster") {`
`126`		`- t.Error("poster should be able to accept own claimed work")`
	`125`	`+ if CanPerformTransition(selfItem, TransitionAccept, "poster") {`
	`126`	`+ t.Error("poster should not be able to accept own claimed work")`
`127`	`127`	`}`
`128`	`128`	`if CanPerformTransition(item, TransitionAccept, "claimer") {`
`129`	`129`	`t.Error("claimer should not be able to accept without poster/admin rights")`
`@@ -161,8 +161,8 @@ func TestCanPerformTransition_Admin(t *testing.T) {`
`161`	`161`	`PostedBy: "poster",`
`162`	`162`	`ClaimedBy: "csells",`
`163`	`163`	`}`
`164`		`- if !CanPerformTransition(selfItem, TransitionAccept, "csells") {`
`165`		`- t.Error("admin who claimed should be able to accept")`
	`164`	`+ if CanPerformTransition(selfItem, TransitionAccept, "csells") {`
	`165`	`+ t.Error("admin who claimed should not be able to accept")`
`166`	`166`	`}`
`167`	`167`	`// Admin cannot delete (poster-only).`
`168`	`168`	`openItem := &WantedItem{`
Original file line number	Diff line number	Diff line change
`@@ -997,7 +997,7 @@ func TestAuthMiddleware_Impersonate_Staging_PreservesResolvedViewerIdentity(t *t`
`997`	`997`	`}`
`998`	`998`	`}`
`999`	`999`
`1000`		`-func TestAuthMiddleware_Impersonate_Staging_POST_Blocked(t *testing.T) {`
	`1000`	`+func TestAuthMiddleware_Impersonate_Staging_POST_Allowed(t *testing.T) {`
`1001`	`1001`	`sessions, ts := setupStagingTestServer(t)`
`1002`	`1002`	`sessionID, _ := sessions.Create("conn-1")`
`1003`	`1003`
`@@ -1012,9 +1012,18 @@ func TestAuthMiddleware_Impersonate_Staging_POST_Blocked(t *testing.T) {`
`1012`	`1012`	`}`
`1013`	`1013`	`defer resp.Body.Close() //nolint:errcheck // test cleanup`
`1014`	`1014`
`1015`		`- if resp.StatusCode != http.StatusForbidden {`
	`1015`	`+ if resp.StatusCode != http.StatusOK {`
`1016`	`1016`	`body, _ := io.ReadAll(resp.Body)`
`1017`		`- t.Errorf("expected 403, got %d: %s", resp.StatusCode, string(body))`
	`1017`	`+ t.Fatalf("expected 200, got %d: %s", resp.StatusCode, string(body))`
	`1018`	`+ }`
	`1019`	`+`
	`1020`	`+ var result map[string]string`
	`1021`	`+ _ = json.NewDecoder(resp.Body).Decode(&result)`
	`1022`	`+ if result["rig_handle"] != "bob" {`
	`1023`	`+ t.Errorf("expected impersonated rig_handle=bob, got %s", result["rig_handle"])`
	`1024`	`+ }`
	`1025`	`+ if result["viewer"] != "alice" {`
	`1026`	`+ t.Errorf("expected resolved viewer=alice, got %s", result["viewer"])`
`1018`	`1027`	`}`
`1019`	`1028`	`}`
`1020`	`1029`
Original file line number	Diff line number	Diff line change
`@@ -547,10 +547,6 @@ func (s *AuthServiceServer) AuthMiddleware(next http.Handler) http.Handler {`
`547`	`547`	`r.Header.Set("X-Wasteland", upstream)`
`548`	`548`
`549`	`549`	`if impersonate := r.Header.Get("X-Impersonate"); impersonate != "" && s.environment == "staging" {`
`550`		`- if r.Method != http.MethodGet {`
`551`		`- writeJSON(w, http.StatusForbidden, map[string]string{"error": "impersonation is read-only"})`
`552`		`- return`
`553`		`- }`
`554`	`550`	`client = client.WithRigHandle(impersonate)`
`555`	`551`	`}`
`556`	`552`