@@ -194,7 +194,7 @@ describe('validateWorkflowAccess', () => {
194194 } )
195195 } )
196196
197- it ( 'returns 403 for workspace api keys scoped to a different workspace' , async ( ) => {
197+ it ( 'returns 404 for workspace api keys scoped to a different workspace' , async ( ) => {
198198 const auth = {
199199 success : true ,
200200 userId : 'user-1' ,
@@ -212,13 +212,34 @@ describe('validateWorkflowAccess', () => {
212212
213213 expect ( result ) . toEqual ( {
214214 error : {
215- message : 'Unauthorized: API key does not have access to this workspace ' ,
216- status : 403 ,
215+ message : 'Workflow not found ' ,
216+ status : 404 ,
217217 } ,
218218 } )
219219 expect ( mockAuthorizeWorkflowByWorkspacePermission ) . not . toHaveBeenCalled ( )
220220 } )
221221
222+ it ( 'preserves session auth semantics for accessible workflows' , async ( ) => {
223+ const workflow = createWorkflow ( { name : 'Session Workflow' } )
224+ const auth = { success : true , userId : 'user-1' , authType : 'session' as const }
225+
226+ mockCheckHybridAuth . mockResolvedValue ( auth )
227+ mockGetActiveWorkflowRecord . mockResolvedValue ( workflow )
228+
229+ const result = await validateWorkflowAccess ( createRequest ( ) , WORKFLOW_ID , {
230+ requireDeployment : false ,
231+ action : 'read' ,
232+ } )
233+
234+ expect ( result ) . toEqual ( { workflow, auth } )
235+ expect ( mockAuthorizeWorkflowByWorkspacePermission ) . toHaveBeenCalledWith ( {
236+ workflowId : WORKFLOW_ID ,
237+ userId : 'user-1' ,
238+ action : 'read' ,
239+ workflow,
240+ } )
241+ } )
242+
222243 it ( 'allows workspace api keys scoped to the same workspace' , async ( ) => {
223244 const workflow = createWorkflow ( { name : 'Scoped Workflow' } )
224245 const auth = {
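Review bot: The new session-auth test (new lines 222–241) covers only the allowed path, so nothing in this hunk pins what a session caller without permission receives now that a workspace API key scoped to another workspace gets 404 "Workflow not found" instead of 403. If the intent is that only the key-scope mismatch hides the workflow's existence, a companion case where the permission check denies access would make that boundary explicit; such a test may already exist outside the hunk, since the enclosing `describe` and its setup are not visible here. The test also never stubs `mockAuthorizeWorkflowByWorkspacePermission`, so `expect(result).toEqual({ workflow, auth })` presumably depends on a default set in shared setup, and stubbing it inside the test would keep it self-contained. A short comment above the 404 case, for example `// 404 rather than 403 so a key from another workspace cannot confirm the workflow exists`, would record why the status changed, assuming that is the reason.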