From a2f64d895c2d2ca29c0e2ffd968071b279ab96a3 Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Wed, 24 Jun 2026 21:53:03 -0500
Subject: [PATCH 01/12] fix(chat): prevent private conversation visibility leak

Scope conversation list/search/trash candidates before ReBAC checks so unshared private chats are not considered visible, and keep conversation discovery grants out of everyone public grants.

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 ui/e2e/rbac/chat-share-exposed.spec.ts        | 189 +++++++++++++++++-
 .../chat-conversations-agent-auth.test.ts     |  23 ++-
 .../chat-conversations-remaining-rbac.test.ts |  71 ++++++-
 .../chat-conversations-sa-grant.test.ts       |   8 +
 .../api/__tests__/chat-sharing-public.test.ts |  29 ++-
 .../api/__tests__/chat-sharing-teams.test.ts  |  43 ++--
 ui/src/app/api/chat/conversations/route.ts    |  10 +-
 .../app/api/chat/conversations/trash/route.ts |  12 +-
 ui/src/app/api/chat/search/route.ts           |   9 +-
 ui/src/lib/authz/__tests__/http.test.ts       |  10 +
 ui/src/lib/authz/http.ts                      |   1 -
 .../conversation-implicit-authz.test.ts       |  12 ++
 .../lib/rbac/conversation-implicit-authz.ts   |  14 ++
 13 files changed, 382 insertions(+), 49 deletions(-)

diff --git a/ui/e2e/rbac/chat-share-exposed.spec.ts b/ui/e2e/rbac/chat-share-exposed.spec.ts
index 53dec6f2bf..d49554b371 100644
--- a/ui/e2e/rbac/chat-share-exposed.spec.ts
+++ b/ui/e2e/rbac/chat-share-exposed.spec.ts
@@ -14,13 +14,15 @@
  *   - Private conversations that should never be shared are not displayed
  *   - API requests are made with correct scoping parameters
  *   - Empty states render per tab when there are no matching conversations
+ *   - Related list/search/trash endpoints do not expose unshared private chats
+ *   - The grant API rejects conversation discovery grants to everyone
  *
  * All API calls are mocked so no live backend is required.
  * Enable with: RUN_RBAC_REGRESSION=1 npx playwright test --config=playwright.rbac.config.ts
  */
 
-import { expect, test } from "@playwright/test";
-import { fulfillJson, installMockedRbacApp, mockedRbacEnabled } from "./_mocked-rbac";
+import { expect, test, type Page } from "@playwright/test";
+import { fulfillJson, installMockedRbacApp, mockedRbacEnabled, postJson } from "./_mocked-rbac";
 
 // ─── Fixtures ────────────────────────────────────────────────────────────────
 
@@ -58,7 +60,27 @@ function makeConversation(
   };
 }
 
-function paginatedResponse(items: ReturnType<typeof makeConversation>[]) {
+type ConversationFixture = ReturnType<typeof makeConversation>;
+
+type ApiResult<T = unknown> = {
+  status: number;
+  body: T;
+};
+
+type ConversationListBody = {
+  success?: boolean;
+  data?: {
+    items?: ConversationFixture[];
+  };
+};
+
+type GrantRequestBody = {
+  resource?: { type?: string; id?: string };
+  grantee?: { type?: string; id?: string };
+  capability?: string;
+};
+
+function paginatedResponse(items: ConversationFixture[]) {
   return {
     success: true,
     data: { items, total: items.length, page: 1, page_size: 20 },
@@ -68,15 +90,52 @@ function paginatedResponse(items: ReturnType<typeof makeConversation>[]) {
 // ─── Helpers ─────────────────────────────────────────────────────────────────
 
 type SharedApiOptions = {
-  items?: ReturnType<typeof makeConversation>[];
+  items?: ConversationFixture[];
+  conversationItems?: ConversationFixture[];
+  searchItems?: ConversationFixture[];
+  trashItems?: ConversationFixture[];
   onRequest?: (url: URL) => void;
+  onConversationRequest?: (url: URL) => void;
+  onSearchRequest?: (url: URL) => void;
+  onTrashRequest?: (url: URL) => void;
 };
 
+async function fetchJson<T = unknown>(page: Page, path: string, init?: RequestInit): Promise<ApiResult<T>> {
+  return page.evaluate(
+    async ({ path: requestPath, init: requestInit }) => {
+      const response = await fetch(requestPath, requestInit);
+      let body: unknown = null;
+      try {
+        body = await response.json();
+      } catch {
+        body = await response.text();
+      }
+      return { status: response.status, body };
+    },
+    { path, init },
+  ) as Promise<ApiResult<T>>;
+}
+
+async function postJsonFromPage<T = unknown>(
+  page: Page,
+  path: string,
+  body: unknown,
+): Promise<ApiResult<T>> {
+  return fetchJson<T>(page, path, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body),
+  });
+}
+
 async function installHomePageMocks(
   page: Parameters<typeof installMockedRbacApp>[0],
   options: SharedApiOptions = {},
 ) {
   const sharedItems = options.items ?? [];
+  const conversationItems = options.conversationItems ?? [];
+  const searchItems = options.searchItems ?? [];
+  const trashItems = options.trashItems ?? [];
 
   // Force MongoDB storage mode so the SharedConversations section renders.
   // The server injects __APP_CONFIG__ via an inline <script> in <head> based
@@ -118,7 +177,38 @@ async function installHomePageMocks(
           return true;
         }
         if (path === "/api/chat/conversations" && method === "GET") {
-          await fulfillJson(route, paginatedResponse([]));
+          options.onConversationRequest?.(new URL(route.request().url()));
+          await fulfillJson(route, paginatedResponse(conversationItems));
+          return true;
+        }
+        if (path === "/api/chat/search" && method === "GET") {
+          options.onSearchRequest?.(new URL(route.request().url()));
+          await fulfillJson(route, paginatedResponse(searchItems));
+          return true;
+        }
+        if (path === "/api/chat/conversations/trash" && method === "GET") {
+          options.onTrashRequest?.(new URL(route.request().url()));
+          await fulfillJson(route, paginatedResponse(trashItems));
+          return true;
+        }
+        if (path === "/api/authz/v1/grants" && method === "POST") {
+          const body = await postJson(route) as GrantRequestBody | null;
+          if (
+            body?.resource?.type === "conversation" &&
+            body?.grantee?.type === "everyone" &&
+            body.capability === "discover"
+          ) {
+            await fulfillJson(
+              route,
+              {
+                error: "everyone grants are limited to low-risk resource capabilities",
+                code: "INVALID_REQUEST",
+              },
+              400,
+            );
+            return true;
+          }
+          await fulfillJson(route, { success: true });
           return true;
         }
         if (path === "/api/users/me/stats") {
@@ -261,6 +351,95 @@ test.describe("issue #1979 — shared conversations exposure regression", () =>
     await expect(page.getByText(ownConv.title)).not.toBeVisible();
   });
 
+  // ── Private visibility regression — normal list/search/trash ─────────────
+
+  test("recent chats only render scoped conversation candidates", async ({ page }) => {
+    const ownedConv = makeConversation("conv-owned", "Owned Private Conversation", {}, CALLER_EMAIL);
+    const teamCandidate = makeConversation("conv-team-candidate", "Team Candidate Conversation", {
+      shared_with_teams: ["team-visible"],
+    });
+    const unsharedPrivate = makeConversation("conv-unshared-private", "Unshared Private Conversation");
+    let conversationApiCallCount = 0;
+
+    // assisted-by Codex Codex-sonnet-4-6
+    // Route-level tests verify the Mongo candidate query; this covers the browser contract it feeds.
+    await installHomePageMocks(page, {
+      conversationItems: [ownedConv, teamCandidate],
+      onConversationRequest: () => {
+        conversationApiCallCount++;
+      },
+    });
+
+    await page.goto("/", { waitUntil: "domcontentloaded" });
+
+    await expect(page.getByTestId("recent-chats")).toBeVisible({ timeout: 10_000 });
+    await expect(page.getByText(ownedConv.title)).toBeVisible();
+    await expect(page.getByText(teamCandidate.title)).toBeVisible();
+    await expect(page.getByText(unsharedPrivate.title)).not.toBeVisible();
+    await expect.poll(() => conversationApiCallCount).toBeGreaterThan(0);
+  });
+
+  test("search and trash APIs do not return unshared private conversations", async ({ page }) => {
+    const publicConv = makeConversation("conv-public-search", "Public Search Result", {
+      is_public: true,
+    });
+    const ownedTrash = makeConversation("conv-owned-trash", "Owned Trash Result", {}, CALLER_EMAIL);
+    const unsharedPrivate = makeConversation("conv-private-search", "Private Search Result");
+    let searchRequest: URL | null = null;
+    let trashRequest: URL | null = null;
+
+    await installHomePageMocks(page, {
+      searchItems: [publicConv],
+      trashItems: [ownedTrash],
+      onSearchRequest: (url) => {
+        searchRequest = url;
+      },
+      onTrashRequest: (url) => {
+        trashRequest = url;
+      },
+    });
+
+    await page.goto("/", { waitUntil: "domcontentloaded" });
+
+    const search = await fetchJson<ConversationListBody>(
+      page,
+      "/api/chat/search?q=Private%20Search&page_size=20",
+    );
+    const searchTitles = search.body.data?.items?.map((item) => item.title) ?? [];
+
+    expect(search.status, JSON.stringify(search.body)).toBe(200);
+    expect(searchTitles).toContain(publicConv.title);
+    expect(searchTitles).not.toContain(unsharedPrivate.title);
+    expect(searchRequest?.searchParams.get("q")).toBe("Private Search");
+
+    const trash = await fetchJson<ConversationListBody>(page, "/api/chat/conversations/trash?page_size=20");
+    const trashTitles = trash.body.data?.items?.map((item) => item.title) ?? [];
+
+    expect(trash.status, JSON.stringify(trash.body)).toBe(200);
+    expect(trashTitles).toContain(ownedTrash.title);
+    expect(trashTitles).not.toContain(unsharedPrivate.title);
+    expect(trashRequest?.searchParams.get("page_size")).toBe("20");
+  });
+
+  test("rejects conversation discover grants to everyone", async ({ page }) => {
+    await installHomePageMocks(page);
+    await page.goto("/", { waitUntil: "domcontentloaded" });
+
+    const result = await postJsonFromPage<{ error?: string; code?: string }>(
+      page,
+      "/api/authz/v1/grants",
+      {
+        resource: { type: "conversation", id: "conv-unshared-private" },
+        grantee: { type: "everyone" },
+        capability: "discover",
+      },
+    );
+
+    expect(result.status, JSON.stringify(result.body)).toBe(400);
+    expect(result.body.code).toBe("INVALID_REQUEST");
+    expect(result.body.error).toContain("everyone grants are limited");
+  });
+
   // ── Tab filtering ─────────────────────────────────────────────────────────
 
   test("Shared with me tab is active by default", async ({ page }) => {
diff --git a/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts b/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts
index 5a9a2eb911..734746ae9d 100644
--- a/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts
+++ b/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts
@@ -56,6 +56,14 @@ jest.mock("@/lib/mongodb", () => ({
 }));
 
 jest.mock("@/lib/rbac/conversation-implicit-authz", () => ({
+  conversationVisibilityCandidateQuery: (userEmail: string) => ({
+    $or: [
+      { owner_id: userEmail },
+      { "sharing.is_public": true },
+      { "sharing.shared_with": userEmail },
+      { "sharing.shared_with_teams.0": { $exists: true } },
+    ],
+  }),
   filterConversationsByImplicitOrExplicitPermission: (...args: unknown[]) =>
     mockFilterConversationsByImplicitOrExplicitPermission(...args),
 }));
@@ -87,7 +95,7 @@ describe("POST /api/chat/conversations agent authorization", () => {
     );
   });
 
-  it("lists candidate conversations without legacy team prefiltering before OpenFGA filtering", async () => {
+  it("lists bounded conversation candidates before OpenFGA filtering", async () => {
     const candidate = {
       _id: "conv-openfga-only",
       title: "OpenFGA Only",
@@ -109,8 +117,17 @@ describe("POST /api/chat/conversations agent authorization", () => {
     expect(response.status).toBe(200);
     expect(mockGetUserTeamIds).not.toHaveBeenCalled();
     expect(countDocuments).toHaveBeenCalledWith(
-      expect.not.objectContaining({
-        $or: expect.any(Array),
+      expect.objectContaining({
+        $and: expect.arrayContaining([
+          {
+            $or: [
+              { owner_id: "alice@example.com" },
+              { "sharing.is_public": true },
+              { "sharing.shared_with": "alice@example.com" },
+              { "sharing.shared_with_teams.0": { $exists: true } },
+            ],
+          },
+        ]),
       }),
     );
     expect(mockFilterConversationsByImplicitOrExplicitPermission).toHaveBeenCalledWith(
diff --git a/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts b/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts
index 216dd33075..35993cf240 100644
--- a/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts
+++ b/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts
@@ -28,6 +28,7 @@ jest.mock("@/lib/api-middleware", () => {
   const session = { sub: "alice-sub", role: "user" };
   return {
     ApiError,
+    getAuthFromBearerOrSession: async () => ({ user, session }),
     getPaginationParams: () => ({ page: 1, pageSize: 20, skip: 0 }),
     getUserTeamIds: (...args: unknown[]) => mockGetUserTeamIds(...args),
     paginatedResponse: (items: unknown[], total: number, page: number, pageSize: number) =>
@@ -55,6 +56,14 @@ jest.mock("@/lib/api-middleware", () => {
 });
 
 jest.mock("@/lib/rbac/conversation-implicit-authz", () => ({
+  conversationVisibilityCandidateQuery: (userEmail: string) => ({
+    $or: [
+      { owner_id: userEmail },
+      { "sharing.is_public": true },
+      { "sharing.shared_with": userEmail },
+      { "sharing.shared_with_teams.0": { $exists: true } },
+    ],
+  }),
   filterConversationsByImplicitOrExplicitPermission: (...args: unknown[]) =>
     mockFilterConversationsByImplicitOrExplicitPermission(...args),
   requireConversationResourcePermission: (...args: unknown[]) =>
@@ -138,7 +147,39 @@ describe("remaining conversation routes use OpenFGA instead of legacy owner/team
     );
   });
 
-  it("search conversations applies text filters before OpenFGA without owner/shared prefilters", async () => {
+  it("conversation list prefilters owned and sharing-configured candidates before OpenFGA authorization", async () => {
+    const candidate = conversation({ owner_id: "alice@example.com" });
+    const conversations = collectionWithItems([candidate]);
+    mockGetCollection.mockImplementation(async (name: string) => {
+      if (name === "conversations") return conversations;
+      return collectionWithItems([]);
+    });
+    const { GET } = await import("../chat/conversations/route");
+
+    const response = await GET(request("/api/chat/conversations"));
+
+    expect(response.status).toBe(200);
+    const mongoQuery = conversations.find.mock.calls[0][0];
+    expect(mongoQuery.$and).toEqual(
+      expect.arrayContaining([
+        {
+          $or: [
+            { owner_id: "alice@example.com" },
+            { "sharing.is_public": true },
+            { "sharing.shared_with": "alice@example.com" },
+            { "sharing.shared_with_teams.0": { $exists: true } },
+          ],
+        },
+      ]),
+    );
+    expect(mockFilterConversationsByImplicitOrExplicitPermission).toHaveBeenCalledWith(
+      expect.objectContaining({ sub: "alice-sub" }),
+      "alice@example.com",
+      [candidate],
+    );
+  });
+
+  it("search conversations applies candidate and text filters before OpenFGA", async () => {
     const candidate = conversation({ title: "needle" });
     const conversations = collectionWithItems([candidate]);
     mockGetCollection.mockResolvedValue(conversations);
@@ -148,12 +189,16 @@ describe("remaining conversation routes use OpenFGA instead of legacy owner/team
 
     expect(response.status).toBe(200);
     const mongoQuery = conversations.find.mock.calls[0][0];
-    expect(mongoQuery).not.toHaveProperty("$or", [
-      { owner_id: "alice@example.com" },
-      { "sharing.shared_with": "alice@example.com" },
-    ]);
     expect(mongoQuery.$and).toEqual(
       expect.arrayContaining([
+        {
+          $or: [
+            { owner_id: "alice@example.com" },
+            { "sharing.is_public": true },
+            { "sharing.shared_with": "alice@example.com" },
+            { "sharing.shared_with_teams.0": { $exists: true } },
+          ],
+        },
         expect.objectContaining({
           $or: expect.arrayContaining([expect.objectContaining({ title: expect.any(Object) })]),
         }),
@@ -166,7 +211,7 @@ describe("remaining conversation routes use OpenFGA instead of legacy owner/team
     );
   });
 
-  it("trash listing is filtered by OpenFGA instead of owner_id", async () => {
+  it("trash listing is bounded to owned and sharing-configured candidates before OpenFGA", async () => {
     const deleted = conversation({ deleted_at: new Date() });
     const conversations = collectionWithItems([deleted]);
     mockGetCollection.mockImplementation(async (name: string) => {
@@ -179,7 +224,19 @@ describe("remaining conversation routes use OpenFGA instead of legacy owner/team
 
     expect(response.status).toBe(200);
     const listQuery = conversations.find.mock.calls[1][0];
-    expect(listQuery).not.toHaveProperty("owner_id");
+    expect(listQuery.$and).toEqual(
+      expect.arrayContaining([
+        { deleted_at: { $exists: true, $ne: null } },
+        {
+          $or: [
+            { owner_id: "alice@example.com" },
+            { "sharing.is_public": true },
+            { "sharing.shared_with": "alice@example.com" },
+            { "sharing.shared_with_teams.0": { $exists: true } },
+          ],
+        },
+      ]),
+    );
     expect(mockFilterConversationsByImplicitOrExplicitPermission).toHaveBeenCalledWith(
       expect.objectContaining({ sub: "alice-sub" }),
       "alice@example.com",
diff --git a/ui/src/app/api/__tests__/chat-conversations-sa-grant.test.ts b/ui/src/app/api/__tests__/chat-conversations-sa-grant.test.ts
index 42e7d8ef5e..027f94ab56 100644
--- a/ui/src/app/api/__tests__/chat-conversations-sa-grant.test.ts
+++ b/ui/src/app/api/__tests__/chat-conversations-sa-grant.test.ts
@@ -64,6 +64,14 @@ jest.mock("@/lib/mongodb", () => ({
 }));
 
 jest.mock("@/lib/rbac/conversation-implicit-authz", () => ({
+  conversationVisibilityCandidateQuery: (userEmail: string) => ({
+    $or: [
+      { owner_id: userEmail },
+      { "sharing.is_public": true },
+      { "sharing.shared_with": userEmail },
+      { "sharing.shared_with_teams.0": { $exists: true } },
+    ],
+  }),
   filterConversationsByImplicitOrExplicitPermission: (...args: unknown[]) =>
     mockFilterConversationsByImplicitOrExplicitPermission(...args),
 }));
diff --git a/ui/src/app/api/__tests__/chat-sharing-public.test.ts b/ui/src/app/api/__tests__/chat-sharing-public.test.ts
index 22303a1f99..afbee585d6 100644
--- a/ui/src/app/api/__tests__/chat-sharing-public.test.ts
+++ b/ui/src/app/api/__tests__/chat-sharing-public.test.ts
@@ -539,12 +539,7 @@ describe('GET /api/chat/conversations — public conversations', () => {
     GET = mod.GET;
   });
 
-  // Spec 098-enterprise-rbac removed the per-user `$or` (owner_id /
-  // sharing.shared_with / sharing.is_public) from
-  // `/api/chat/conversations`. Visibility is now decided by the ReBAC
-  // post-filter (`filterConversationsByImplicitOrExplicitPermission`),
-  // so the Mongo query no longer references legacy sharing fields.
-  it('does NOT include legacy is_public/sharing predicates in the Mongo query', async () => {
+  it('prefilters owned and explicitly shared/public candidates before ReBAC', async () => {
     mockGetServerSession.mockResolvedValue(userSession(VIEWER_EMAIL));
 
     const teamsCol = createMockCollection();
@@ -563,9 +558,16 @@ describe('GET /api/chat/conversations — public conversations', () => {
     await GET(req);
 
     const findCall = convsCol.find.mock.calls[0][0];
-    const serialized = JSON.stringify(findCall);
-    expect(serialized).not.toContain('sharing.is_public');
-    expect(serialized).not.toContain('sharing.shared_with');
+    expect(findCall.$and).toEqual(expect.arrayContaining([
+      {
+        $or: [
+          { owner_id: VIEWER_EMAIL },
+          { 'sharing.is_public': true },
+          { 'sharing.shared_with': VIEWER_EMAIL },
+          { 'sharing.shared_with_teams.0': { $exists: true } },
+        ],
+      },
+    ]));
   });
 
   it('keeps a stable $and query regardless of caller identity', async () => {
@@ -588,7 +590,14 @@ describe('GET /api/chat/conversations — public conversations', () => {
 
     const findCall = convsCol.find.mock.calls[0][0];
     expect(findCall.$and).toBeDefined();
-    expect(JSON.stringify(findCall)).not.toContain('sharing.is_public');
+    expect(findCall.$and).toEqual(expect.arrayContaining([
+      expect.objectContaining({
+        $or: expect.arrayContaining([
+          { 'sharing.is_public': true },
+          { 'sharing.shared_with': VIEWER_EMAIL },
+        ]),
+      }),
+    ]));
   });
 });
 
diff --git a/ui/src/app/api/__tests__/chat-sharing-teams.test.ts b/ui/src/app/api/__tests__/chat-sharing-teams.test.ts
index 47935ef353..3ed983b4ef 100644
--- a/ui/src/app/api/__tests__/chat-sharing-teams.test.ts
+++ b/ui/src/app/api/__tests__/chat-sharing-teams.test.ts
@@ -433,14 +433,7 @@ describe('GET /api/chat/conversations — team sharing', () => {
     GET = mod.GET;
   });
 
-  // Spec 098-enterprise-rbac moved team-share visibility out of the Mongo
-  // query and into a ReBAC post-filter. The route now fetches non-deleted
-  // candidates and lets `filterConversationsByImplicitOrExplicitPermission`
-  // decide visibility, so the legacy `$or` over `sharing.shared_with_*` is
-  // intentionally gone. These tests now assert the new contract: the query
-  // no longer leaks legacy sharing predicates regardless of the caller's
-  // team memberships.
-  it('does NOT include legacy shared_with_teams predicates in the Mongo query', async () => {
+  it('prefilters owned and sharing-configured candidates before ReBAC', async () => {
     mockGetServerSession.mockResolvedValue(userSession(MEMBER_EMAIL));
 
     const teamsCol = createMockCollection();
@@ -459,12 +452,19 @@ describe('GET /api/chat/conversations — team sharing', () => {
     await GET(req);
 
     const findCall = convsCol.find.mock.calls[0][0];
-    const serialized = JSON.stringify(findCall);
-    expect(serialized).not.toContain('shared_with_teams');
-    expect(serialized).not.toContain('shared_with');
+    expect(findCall.$and).toEqual(expect.arrayContaining([
+      {
+        $or: [
+          { owner_id: MEMBER_EMAIL },
+          { 'sharing.is_public': true },
+          { 'sharing.shared_with': MEMBER_EMAIL },
+          { 'sharing.shared_with_teams.0': { $exists: true } },
+        ],
+      },
+    ]));
   });
 
-  it('does NOT include legacy shared_with predicates when user has no teams', async () => {
+  it('uses the same bounded candidate shape when user has no teams', async () => {
     mockGetServerSession.mockResolvedValue(userSession(NON_MEMBER_EMAIL));
 
     const teamsCol = createMockCollection();
@@ -483,7 +483,16 @@ describe('GET /api/chat/conversations — team sharing', () => {
     await GET(req);
 
     const findCall = convsCol.find.mock.calls[0][0];
-    expect(JSON.stringify(findCall)).not.toContain('shared_with');
+    expect(findCall.$and).toEqual(expect.arrayContaining([
+      expect.objectContaining({
+        $or: [
+          { owner_id: NON_MEMBER_EMAIL },
+          { 'sharing.is_public': true },
+          { 'sharing.shared_with': NON_MEMBER_EMAIL },
+          { 'sharing.shared_with_teams.0': { $exists: true } },
+        ],
+      }),
+    ]));
   });
 
   it('does not branch query shape on the number of teams (ReBAC does the filtering)', async () => {
@@ -508,7 +517,13 @@ describe('GET /api/chat/conversations — team sharing', () => {
     await GET(req);
 
     const findCall = convsCol.find.mock.calls[0][0];
-    expect(JSON.stringify(findCall)).not.toContain('shared_with_teams');
+    expect(findCall.$and).toEqual(expect.arrayContaining([
+      expect.objectContaining({
+        $or: expect.arrayContaining([
+          { 'sharing.shared_with_teams.0': { $exists: true } },
+        ]),
+      }),
+    ]));
   });
 
   it('still excludes soft-deleted conversations', async () => {
diff --git a/ui/src/app/api/chat/conversations/route.ts b/ui/src/app/api/chat/conversations/route.ts
index 97e8f812fb..ff34fb2033 100644
--- a/ui/src/app/api/chat/conversations/route.ts
+++ b/ui/src/app/api/chat/conversations/route.ts
@@ -10,7 +10,10 @@ validateRequired,
 withErrorHandler,
 } from '@/lib/api-middleware';
 import { getCollection,isMongoDBConfigured } from '@/lib/mongodb';
-import { filterConversationsByImplicitOrExplicitPermission } from '@/lib/rbac/conversation-implicit-authz';
+import {
+  conversationVisibilityCandidateQuery,
+  filterConversationsByImplicitOrExplicitPermission,
+} from '@/lib/rbac/conversation-implicit-authz';
 import { requireAgentUsePermission } from '@/lib/rbac/openfga-agent-authz';
 import { writeOpenFgaTuples } from '@/lib/rbac/openfga';
 import { buildParticipants } from '@/types/a2a';
@@ -94,11 +97,12 @@ export const GET = withErrorHandler(async (request: NextRequest) => {
 
   const conversations = await getCollection<Conversation>('conversations');
 
-  // Fetch non-deleted candidates and let the ReBAC filter decide visibility.
-  // Legacy sharing fields are still stored for migration, but no longer prefilter reads.
+  // Fetch only owned or sharing-configured candidates; ReBAC remains the final
+  // visibility check for team shares and explicit conversation grants.
   const query: any = {
     $and: [
       { $or: [{ deleted_at: null }, { deleted_at: { $exists: false } }] },
+      conversationVisibilityCandidateQuery(user.email),
     ],
   };
 
diff --git a/ui/src/app/api/chat/conversations/trash/route.ts b/ui/src/app/api/chat/conversations/trash/route.ts
index 28a5c93d27..bd3ba80d7e 100644
--- a/ui/src/app/api/chat/conversations/trash/route.ts
+++ b/ui/src/app/api/chat/conversations/trash/route.ts
@@ -8,7 +8,10 @@ withAuth,
 withErrorHandler,
 } from '@/lib/api-middleware';
 import { getCollection,isMongoDBConfigured } from '@/lib/mongodb';
-import { filterConversationsByImplicitOrExplicitPermission } from '@/lib/rbac/conversation-implicit-authz';
+import {
+  conversationVisibilityCandidateQuery,
+  filterConversationsByImplicitOrExplicitPermission,
+} from '@/lib/rbac/conversation-implicit-authz';
 import type { Conversation } from '@/types/mongodb';
 import { NextRequest,NextResponse } from 'next/server';
 import { deleteConversationsPermanently } from '../delete-permanently';
@@ -50,8 +53,11 @@ export const GET = withErrorHandler(async (request: NextRequest) => {
 
     // Query for soft-deleted conversation candidates, then filter by ReBAC.
     const query = {
-      source: { $ne: 'slack' } as any,
-      deleted_at: { $exists: true, $ne: null },
+      $and: [
+        { source: { $ne: 'slack' } as any },
+        { deleted_at: { $exists: true, $ne: null } },
+        conversationVisibilityCandidateQuery(user.email),
+      ],
     };
 
     const total = await conversations.countDocuments(query);
diff --git a/ui/src/app/api/chat/search/route.ts b/ui/src/app/api/chat/search/route.ts
index ec437585ac..aa8039b403 100644
--- a/ui/src/app/api/chat/search/route.ts
+++ b/ui/src/app/api/chat/search/route.ts
@@ -7,7 +7,10 @@ withAuth,
 withErrorHandler,
 } from '@/lib/api-middleware';
 import { getCollection } from '@/lib/mongodb';
-import { filterConversationsByImplicitOrExplicitPermission } from '@/lib/rbac/conversation-implicit-authz';
+import {
+  conversationVisibilityCandidateQuery,
+  filterConversationsByImplicitOrExplicitPermission,
+} from '@/lib/rbac/conversation-implicit-authz';
 import type { Conversation } from '@/types/mongodb';
 import { NextRequest } from 'next/server';
 
@@ -23,8 +26,8 @@ export const GET = withErrorHandler(async (request: NextRequest) => {
 
     const conversations = await getCollection<Conversation>('conversations');
 
-    // Build search query from content filters only; OpenFGA filters access below.
-    const searchQuery: any = {};
+    // Build search query from content filters and privacy-safe conversation candidates.
+    const searchQuery: any = { $and: [conversationVisibilityCandidateQuery(user.email)] };
 
     // Add text search if query provided
     if (query) {
diff --git a/ui/src/lib/authz/__tests__/http.test.ts b/ui/src/lib/authz/__tests__/http.test.ts
index 3adeb6f3ad..b3eebcc2c4 100644
--- a/ui/src/lib/authz/__tests__/http.test.ts
+++ b/ui/src/lib/authz/__tests__/http.test.ts
@@ -203,6 +203,16 @@ describe("grant parsing", () => {
     ).toThrow(HttpAuthzError);
   });
 
+  it("parseGrantIntent blocks everyone grants for conversation discovery", () => {
+    expect(() =>
+      parseGrantIntent({
+        resource: { type: "conversation", id: "conv-1" },
+        grantee: { type: "everyone" },
+        capability: "discover",
+      }),
+    ).toThrow(HttpAuthzError);
+  });
+
   it("parseGrantIntent allows everyone use grants for global workflow agent access", () => {
     expect(parseGrantIntent({ resource: { type: "agent", id: "pe" }, grantee: { type: "everyone" }, capability: "use" })).toEqual({
       resource: { type: "agent", id: "pe" },
diff --git a/ui/src/lib/authz/http.ts b/ui/src/lib/authz/http.ts
index 9e5819ebe5..1db584fd56 100644
--- a/ui/src/lib/authz/http.ts
+++ b/ui/src/lib/authz/http.ts
@@ -46,7 +46,6 @@ const PUBLIC_GRANTABLE_EVERYONE_RESOURCE_ACTIONS: ReadonlySet<string> = new Set(
   "agent:discover",
   "agent:use",
   "audit_log:discover",
-  "conversation:discover",
   "data_source:discover",
   "document:discover",
   "external_group:discover",
diff --git a/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts b/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts
index fded157e6d..cda9c70ff8 100644
--- a/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts
+++ b/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts
@@ -1,4 +1,5 @@
 import {
+  conversationVisibilityCandidateQuery,
   filterConversationsByImplicitOrExplicitPermission,
   isImplicitConversationOwner,
   requireConversationResourcePermission,
@@ -21,6 +22,17 @@ describe("conversation implicit authorization", () => {
     jest.clearAllMocks();
   });
 
+  it("builds a bounded candidate query for owned and explicitly shared conversations", () => {
+    expect(conversationVisibilityCandidateQuery("alice@example.com")).toEqual({
+      $or: [
+        { owner_id: "alice@example.com" },
+        { "sharing.is_public": true },
+        { "sharing.shared_with": "alice@example.com" },
+        { "sharing.shared_with_teams.0": { $exists: true } },
+      ],
+    });
+  });
+
   it("treats owner_subject and legacy owner_id as implicit ownership", () => {
     expect(
       isImplicitConversationOwner(
diff --git a/ui/src/lib/rbac/conversation-implicit-authz.ts b/ui/src/lib/rbac/conversation-implicit-authz.ts
index b8c72b869d..a56d6f1368 100644
--- a/ui/src/lib/rbac/conversation-implicit-authz.ts
+++ b/ui/src/lib/rbac/conversation-implicit-authz.ts
@@ -15,6 +15,20 @@ function normalizeEmail(email: string | undefined): string {
   return email?.trim().toLowerCase() ?? "";
 }
 
+export function conversationVisibilityCandidateQuery(userEmail: string): { $or: Record<string, unknown>[] } {
+  const email = userEmail.trim();
+  return {
+    $or: [
+      { owner_id: email },
+      { "sharing.is_public": true },
+      { "sharing.shared_with": email },
+      // assisted-by Codex Codex-sonnet-4-6
+      // Team membership is still decided by ReBAC; this only bounds the Mongo candidate set.
+      { "sharing.shared_with_teams.0": { $exists: true } },
+    ],
+  };
+}
+
 export function isImplicitConversationOwner(
   session: ResourceAuthzSession,
   userEmail: string,

From 801629d9dc0e18348cb6750c6915fe99a2f01316 Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Wed, 24 Jun 2026 23:38:11 -0500
Subject: [PATCH 02/12] fix(chat): preserve shared chat UI indicators

Carry sharing metadata into direct-open chat store entries and keep timeline warning details expanded after a turn completes.

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 .../(app)/chat/[uuid]/__tests__/page.test.tsx | 41 +++++++++++
 ui/src/components/chat/ChatContainer.tsx      | 10 ++-
 .../components/chat/DynamicAgentTimeline.tsx  | 24 ++++---
 .../__tests__/DynamicAgentTimeline.test.tsx   | 69 +++++++++++++++++++
 .../layout/__tests__/Sidebar.test.tsx         | 42 +++++++++++
 5 files changed, 175 insertions(+), 11 deletions(-)
 create mode 100644 ui/src/components/chat/__tests__/DynamicAgentTimeline.test.tsx

diff --git a/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx b/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx
index 2d678f529f..f384d1a806 100644
--- a/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx
+++ b/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx
@@ -748,6 +748,47 @@ describe("ChatContainer", () => {
     expect(addedConv.title).toBe("From MongoDB");
   });
 
+  it("preserves sharing metadata when a shared conversation is opened directly", async () => {
+    // assisted-by Codex Codex-sonnet-4-6
+    // Direct URL loads bypass the list route, so this metadata must survive the detail fetch.
+    const sharing = {
+      is_public: false,
+      shared_with: [],
+      shared_with_teams: [],
+      share_link_enabled: true,
+    };
+    const findAddedConversation = () =>
+      mockConversations.find((conversation) => conversation.id === mockUuid) as
+        | { owner_id?: string; sharing?: typeof sharing }
+        | undefined;
+
+    render(<ChatContainer />);
+
+    resolveGetConversation({
+      _id: mockUuid,
+      title: "Direct Shared Conversation",
+      owner_id: "owner@example.com",
+      created_at: new Date().toISOString(),
+      updated_at: new Date().toISOString(),
+      participants: [{ type: "agent", id: "agent-1" }],
+      sharing,
+      access_level: "shared_readonly",
+    });
+
+    await waitFor(() => {
+      expect(findAddedConversation()).toBeDefined();
+    });
+
+    await waitFor(() => {
+      expect(mockLoadMessagesFromServer).toHaveBeenCalledWith(mockUuid);
+    });
+    resolveLoadMessages();
+
+    const addedConv = findAddedConversation();
+    expect(addedConv?.owner_id).toBe("owner@example.com");
+    expect(addedConv?.sharing).toEqual(sharing);
+  });
+
   it("adds fallback conversation to store when MongoDB returns 404", async () => {
     // eslint-disable-next-line @typescript-eslint/no-require-imports
     const { useChatStore } = require("@/store/chat-store");
diff --git a/ui/src/components/chat/ChatContainer.tsx b/ui/src/components/chat/ChatContainer.tsx
index 2f455dcc5f..5a80196700 100644
--- a/ui/src/components/chat/ChatContainer.tsx
+++ b/ui/src/components/chat/ChatContainer.tsx
@@ -169,9 +169,9 @@ export function ChatContainer() {
         if (storageMode === 'mongodb') {
           console.log("[ChatContainer] Loading from MongoDB...");
           try {
-            const conv = await apiClient.getConversation(uuid);
-            if ((conv as any).access_level) {
-              setAccessLevel((conv as any).access_level);
+            const conv = await apiClient.getConversation(uuid) as Conversation & { access_level?: string };
+            if (conv.access_level) {
+              setAccessLevel(conv.access_level);
             }
             const localConv: LocalConversation = {
               id: conv._id,
@@ -181,6 +181,10 @@ export function ChatContainer() {
               messages: [],
               streamEvents: [],
               participants: conv.participants || [],
+              // assisted-by Codex Codex-sonnet-4-6
+              // Direct-open shared chats may skip the list route; keep share metadata for sidebar badges.
+              owner_id: conv.owner_id,
+              sharing: conv.sharing,
             };
 
             useChatStore.setState((state) => ({
diff --git a/ui/src/components/chat/DynamicAgentTimeline.tsx b/ui/src/components/chat/DynamicAgentTimeline.tsx
index caeec4e5e5..8210c78f66 100644
--- a/ui/src/components/chat/DynamicAgentTimeline.tsx
+++ b/ui/src/components/chat/DynamicAgentTimeline.tsx
@@ -202,11 +202,14 @@ export function AgentTimeline({
 
   // Determine if turn has ended (not streaming and has final answer)
   const turnEnded = !isStreaming && finalAnswer !== null;
+  const hasWarningsOrErrors = segments.some(s => s.type === "warning" || s.type === "error");
 
-  // Machinery sections collapse after streaming ends (or start collapsed if already ended)
-  const [machineryExpanded, setMachineryExpanded] = useState(!turnEnded);
+  // assisted-by Codex Codex-sonnet-4-6
+  // Collapse completed machinery, but keep warning/error details visible until the user collapses them.
+  const [machineryExpanded, setMachineryExpanded] = useState(!turnEnded || hasWarningsOrErrors);
   const prevStreamingRef = useRef(isStreaming);
   const prevFinalAnswerRef = useRef(finalAnswer);
+  const prevHadWarningsOrErrorsRef = useRef(hasWarningsOrErrors);
   // Track whether this turn transitioned from streaming → final.
   // When true, skip the reveal animation since content was already visible.
   // State (not ref) so the JSX can read it without a react-hooks/refs violation.
@@ -225,25 +228,30 @@ export function AgentTimeline({
       prevPendingHitlRef.current = pendingHitl;
       return;
     }
+    if (hasWarningsOrErrors && !prevHadWarningsOrErrorsRef.current) {
+      // eslint-disable-next-line react-hooks/set-state-in-effect -- intentional: surface new warnings/errors instead of hiding them behind the summary row
+      setMachineryExpanded(true);
+    }
     // Collapse when HITL input is resolved (pendingHitl went true → false)
-    if (prevPendingHitlRef.current) {
+    if (prevPendingHitlRef.current && !hasWarningsOrErrors) {
       // eslint-disable-next-line react-hooks/set-state-in-effect
       setMachineryExpanded(false);
     }
     // Collapse when streaming ends
     if (prevStreamingRef.current && !isStreaming) {
       // eslint-disable-next-line react-hooks/set-state-in-effect -- intentional: collapse when streaming ends and mark streaming-complete for animation
-      setMachineryExpanded(false);
+      setMachineryExpanded(hasWarningsOrErrors);
       setWasStreaming(true);
     }
     // Also collapse when final answer first appears AND streaming has stopped
-    if (!prevFinalAnswerRef.current && finalAnswer && !isStreaming) {
+    if (!prevFinalAnswerRef.current && finalAnswer && !isStreaming && !hasWarningsOrErrors) {
       setMachineryExpanded(false);
     }
     prevStreamingRef.current = isStreaming;
     prevFinalAnswerRef.current = finalAnswer;
+    prevHadWarningsOrErrorsRef.current = hasWarningsOrErrors;
     prevPendingHitlRef.current = pendingHitl;
-  }, [isStreaming, finalAnswer, pendingHitl]);
+  }, [isStreaming, finalAnswer, pendingHitl, hasWarningsOrErrors]);
 
   // Group consecutive tools for compact rendering
   const groupedSegments = groupConsecutiveTools(segments);
@@ -254,8 +262,6 @@ export function AgentTimeline({
   const warningCount = segments.filter(s => s.type === "warning").length;
   const errorCount = segments.filter(s => s.type === "error").length;
 
-  const hasWarningsOrErrors = warningCount > 0 || errorCount > 0;
-
   // Determine if tasks/files sections will actually be shown
   const showTasksSection = tasks.length > 0 && hasTodoToolsInSegments(segments) && (isStreaming || tasks.some(t => t.status !== "completed"));
   const showFilesSection = files.length > 0 && hasFileToolsInSegments(segments);
@@ -1117,6 +1123,8 @@ function TimelineSummary({
 
   return (
     <button
+      type="button"
+      aria-expanded={expanded}
       onClick={onToggle}
       className={cn(
         "w-full flex items-center gap-2 px-3 py-2 rounded-lg text-xs",
diff --git a/ui/src/components/chat/__tests__/DynamicAgentTimeline.test.tsx b/ui/src/components/chat/__tests__/DynamicAgentTimeline.test.tsx
new file mode 100644
index 0000000000..fbe44adb8b
--- /dev/null
+++ b/ui/src/components/chat/__tests__/DynamicAgentTimeline.test.tsx
@@ -0,0 +1,69 @@
+// assisted-by Codex Codex-sonnet-4-6
+
+import { fireEvent, render, screen, waitFor } from "@testing-library/react";
+
+import { AgentTimeline } from "../DynamicAgentTimeline";
+import type { TimelineData } from "@/types/dynamic-agent-timeline";
+
+jest.mock("@/components/shared/timeline", () => ({
+  CollapsibleSection: ({ children }: { children: React.ReactNode }) => <section>{children}</section>,
+  MarkdownRenderer: ({ content }: { content: string }) => <div>{content}</div>,
+  TaskList: () => null,
+}));
+
+jest.mock("@/components/dynamic-agents/AgentAvatar", () => ({
+  AgentAvatar: () => <span data-testid="agent-avatar" />,
+}));
+
+jest.mock("@/components/dynamic-agents/FileTree", () => ({
+  FileTree: () => null,
+}));
+
+jest.mock("../WorkflowRunCard", () => ({
+  WorkflowRunCard: () => null,
+}));
+
+function renderTimeline(data: TimelineData) {
+  return render(
+    <AgentTimeline
+      data={data}
+      files={[]}
+      tasks={[]}
+      isLatestMessage={true}
+    />,
+  );
+}
+
+describe("AgentTimeline", () => {
+  it("keeps completed turns with warnings expanded until the user collapses them", async () => {
+    const data: TimelineData = {
+      isStreaming: false,
+      hasTools: true,
+      finalAnswer: "Ready now.",
+      segments: [
+        {
+          type: "warning",
+          id: "warning-1",
+          message: "MCP server is starting up and not ready yet.",
+        },
+        {
+          type: "status",
+          id: "status-1",
+          status: "done",
+        },
+      ],
+    };
+
+    renderTimeline(data);
+
+    const toggle = screen.getByRole("button", { name: /view execution details/i });
+    expect(toggle).toHaveAttribute("aria-expanded", "true");
+    expect(screen.getByText(/MCP server is starting up/i)).toBeInTheDocument();
+
+    fireEvent.click(toggle);
+
+    await waitFor(() => {
+      expect(toggle).toHaveAttribute("aria-expanded", "false");
+    });
+  });
+});
diff --git a/ui/src/components/layout/__tests__/Sidebar.test.tsx b/ui/src/components/layout/__tests__/Sidebar.test.tsx
index 092e061fc7..5cee11ab1f 100644
--- a/ui/src/components/layout/__tests__/Sidebar.test.tsx
+++ b/ui/src/components/layout/__tests__/Sidebar.test.tsx
@@ -96,6 +96,7 @@ jest.mock('lucide-react', () => ({
   Sparkles: (props: any) => <span data-testid="icon-sparkles" {...props} />,
   Zap: (props: any) => <span data-testid="icon-zap" {...props} />,
   Database: (props: any) => <span data-testid="icon-database" {...props} />,
+  Globe: (props: React.ComponentProps<'span'>) => <span data-testid="icon-globe" {...props} />,
   HardDrive: (props: any) => <span data-testid="icon-hard-drive" {...props} />,
   Users2: (props: any) => <span data-testid="icon-users2" {...props} />,
   Shield: (props: any) => <span data-testid="icon-shield" {...props} />,
@@ -388,6 +389,47 @@ describe('Sidebar — Live Status Indicator', () => {
       expect(screen.queryByText('Live')).not.toBeInTheDocument()
       expect(screen.queryByText('New response')).not.toBeInTheDocument()
     })
+
+    it('shows a shared badge for link-shared conversations', () => {
+      mockConversations = [
+        makeConv('conv-shared-link', 'Shared Link Chat', {
+          owner_id: 'owner@test.com',
+          // assisted-by Codex Codex-sonnet-4-6
+          // Link-shared direct URLs should still render the non-public shared badge.
+          sharing: {
+            is_public: false,
+            shared_with: [],
+            shared_with_teams: [],
+            share_link_enabled: true,
+          },
+        }),
+      ]
+
+      render(<Sidebar {...defaultProps} />)
+
+      expect(screen.getByText('Shared Link Chat')).toBeInTheDocument()
+      expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+      expect(screen.queryByTestId('icon-globe')).not.toBeInTheDocument()
+    })
+
+    it('shows a globe badge for public conversations', () => {
+      mockConversations = [
+        makeConv('conv-public', 'Public Chat', {
+          owner_id: 'owner@test.com',
+          sharing: {
+            is_public: true,
+            shared_with: [],
+            shared_with_teams: [],
+            share_link_enabled: false,
+          },
+        }),
+      ]
+
+      render(<Sidebar {...defaultProps} />)
+
+      expect(screen.getByText('Public Chat')).toBeInTheDocument()
+      expect(screen.getByTestId('icon-globe')).toBeInTheDocument()
+    })
   })
 
   // --------------------------------------------------------------------------

From 505bb804100919b65eb2f0b896fd6ee106f9aabc Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Wed, 24 Jun 2026 23:43:59 -0500
Subject: [PATCH 03/12] fix(chat): show shared badge to recipients

Make sidebar shared badges viewer-aware and preserve conversation access levels from direct chat loads so recipients see shared chat indicators without showing recipient badges to owners.

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 .../(app)/chat/[uuid]/__tests__/page.test.tsx |  3 +-
 ui/src/components/chat/ChatContainer.tsx      | 11 +++---
 ui/src/components/layout/Sidebar.tsx          | 30 ++++++++++------
 .../layout/__tests__/Sidebar.test.tsx         | 34 +++++++++++++++++++
 ui/src/types/a2a.ts                           |  3 ++
 5 files changed, 66 insertions(+), 15 deletions(-)

diff --git a/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx b/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx
index f384d1a806..0ea76ba784 100644
--- a/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx
+++ b/ui/src/app/(app)/chat/[uuid]/__tests__/page.test.tsx
@@ -759,7 +759,7 @@ describe("ChatContainer", () => {
     };
     const findAddedConversation = () =>
       mockConversations.find((conversation) => conversation.id === mockUuid) as
-        | { owner_id?: string; sharing?: typeof sharing }
+        | { owner_id?: string; sharing?: typeof sharing; accessLevel?: string }
         | undefined;
 
     render(<ChatContainer />);
@@ -786,6 +786,7 @@ describe("ChatContainer", () => {
 
     const addedConv = findAddedConversation();
     expect(addedConv?.owner_id).toBe("owner@example.com");
+    expect(addedConv?.accessLevel).toBe("shared_readonly");
     expect(addedConv?.sharing).toEqual(sharing);
   });
 
diff --git a/ui/src/components/chat/ChatContainer.tsx b/ui/src/components/chat/ChatContainer.tsx
index 5a80196700..880efcb976 100644
--- a/ui/src/components/chat/ChatContainer.tsx
+++ b/ui/src/components/chat/ChatContainer.tsx
@@ -6,7 +6,7 @@ import { apiClient } from "@/lib/api-client";
 import { getConfig } from "@/lib/config";
 import { getStorageMode } from "@/lib/storage-config";
 import { useChatStore } from "@/store/chat-store";
-import type { Conversation as LocalConversation } from "@/types/a2a";
+import type { Conversation as LocalConversation, ConversationAccessLevel } from "@/types/a2a";
 import { getAgentId,isDynamicAgentConversation } from "@/types/a2a";
 import type { DynamicAgentConfig } from "@/types/dynamic-agent";
 import type { Conversation } from "@/types/mongodb";
@@ -73,7 +73,7 @@ export function ChatContainer() {
   const existingHasMessages = !!(existingConv?.messages && existingConv.messages.length > 0);
 
   const [conversation, setConversation] = useState<Conversation | LocalConversation | null>(existingConv || null);
-  const [accessLevel, setAccessLevel] = useState<string | null>(null);
+  const [accessLevel, setAccessLevel] = useState<ConversationAccessLevel | null>(existingConv?.accessLevel ?? null);
   const [fetchInProgress, setFetchInProgress] = useState(
     storageMode === 'mongodb' && !existingHasMessages
   );
@@ -125,7 +125,9 @@ export function ChatContainer() {
         setActiveConversation(uuid);
 
         // Derive access level from store data
-        if (localConv.owner_id && session?.user?.email && localConv.owner_id !== session.user.email) {
+        if (localConv.accessLevel) {
+          setAccessLevel(localConv.accessLevel);
+        } else if (localConv.owner_id && session?.user?.email && localConv.owner_id !== session.user.email) {
           if (localConv.sharing?.is_public) {
             setAccessLevel('shared_readonly');
           } else if (localConv.sharing?.shared_with?.includes(session.user.email) ||
@@ -169,7 +171,7 @@ export function ChatContainer() {
         if (storageMode === 'mongodb') {
           console.log("[ChatContainer] Loading from MongoDB...");
           try {
-            const conv = await apiClient.getConversation(uuid) as Conversation & { access_level?: string };
+            const conv = await apiClient.getConversation(uuid) as Conversation & { access_level?: ConversationAccessLevel };
             if (conv.access_level) {
               setAccessLevel(conv.access_level);
             }
@@ -184,6 +186,7 @@ export function ChatContainer() {
               // assisted-by Codex Codex-sonnet-4-6
               // Direct-open shared chats may skip the list route; keep share metadata for sidebar badges.
               owner_id: conv.owner_id,
+              accessLevel: conv.access_level,
               sharing: conv.sharing,
             };
 
diff --git a/ui/src/components/layout/Sidebar.tsx b/ui/src/components/layout/Sidebar.tsx
index 2dc8452af0..8e4cb19df2 100644
--- a/ui/src/components/layout/Sidebar.tsx
+++ b/ui/src/components/layout/Sidebar.tsx
@@ -355,13 +355,23 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
             <div className="px-2 space-y-1 pb-4">
               <AnimatePresence mode="popLayout">
                 {conversations.map((conv, index) => {
-                  // Check if conversation is shared
-                  const isShared = conv.sharing && (
-                    conv.sharing.is_public ||
-                    (conv.sharing.shared_with && conv.sharing.shared_with.length > 0) ||
-                    (conv.sharing.shared_with_teams && conv.sharing.shared_with_teams.length > 0) ||
-                    conv.sharing.share_link_enabled
+                  const currentUserEmail = session?.user?.email?.trim().toLowerCase();
+                  const ownerEmail = conv.owner_id?.trim().toLowerCase();
+                  const isOwner = !ownerEmail || (currentUserEmail ? ownerEmail === currentUserEmail : false);
+                  const hasSharingConfig = Boolean(
+                    conv.sharing?.is_public ||
+                    (conv.sharing?.shared_with?.length ?? 0) > 0 ||
+                    (conv.sharing?.shared_with_teams?.length ?? 0) > 0 ||
+                    conv.sharing?.share_link_enabled
                   );
+                  // assisted-by Codex Codex-sonnet-4-6
+                  // The badge is viewer-facing: show it for recipients, not just because the owner shared it.
+                  const isSharedWithViewer = !isOwner && (
+                    conv.accessLevel === "shared" ||
+                    conv.accessLevel === "shared_readonly" ||
+                    hasSharingConfig
+                  );
+                  const isPublicShareForViewer = isSharedWithViewer && conv.sharing?.is_public;
 
                   const isLive = isConversationStreaming(conv.id);
                   const isInputRequired = !isLive && isConversationInputRequired(conv.id);
@@ -387,7 +397,7 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                               ? "bg-blue-500/5 border border-blue-500/25"
                               : activeConversationId === conv.id
                                 ? "bg-primary/10 border border-primary/30"
-                                : isShared
+                                : isSharedWithViewer
                                   ? "hover:bg-muted/50 border border-blue-500/20"
                                   : "hover:bg-muted/50 border border-transparent"
                       )}
@@ -452,11 +462,11 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                             <p className="text-sm font-medium truncate flex-1" title={conv.title}>
                               {truncateText(conv.title, sidebarWidth > 350 ? 40 : sidebarWidth > 320 ? 25 : 20)}
                             </p>
-                            {isShared && (
+                            {isSharedWithViewer && (
                               <TooltipProvider>
                                 <Tooltip>
                                   <TooltipTrigger asChild>
-                                    {conv.sharing?.is_public ? (
+                                    {isPublicShareForViewer ? (
                                       <Globe className="h-3 w-3 text-green-500 shrink-0" />
                                     ) : (
                                       <Users2 className="h-3 w-3 text-blue-500 shrink-0" />
@@ -464,7 +474,7 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                                   </TooltipTrigger>
                                   <TooltipContent side="right">
                                     <p className="text-xs">
-                                      {conv.sharing?.is_public
+                                      {isPublicShareForViewer
                                         ? 'Shared with everyone'
                                         : 'Shared conversation'}
                                     </p>
diff --git a/ui/src/components/layout/__tests__/Sidebar.test.tsx b/ui/src/components/layout/__tests__/Sidebar.test.tsx
index 5cee11ab1f..67c796da69 100644
--- a/ui/src/components/layout/__tests__/Sidebar.test.tsx
+++ b/ui/src/components/layout/__tests__/Sidebar.test.tsx
@@ -412,6 +412,40 @@ describe('Sidebar — Live Status Indicator', () => {
       expect(screen.queryByTestId('icon-globe')).not.toBeInTheDocument()
     })
 
+    it('shows a shared badge for recipient access even without sharing arrays', () => {
+      mockConversations = [
+        makeConv('conv-recipient', 'Recipient Chat', {
+          owner_id: 'owner@test.com',
+          accessLevel: 'shared_readonly',
+        }),
+      ]
+
+      render(<Sidebar {...defaultProps} />)
+
+      expect(screen.getByText('Recipient Chat')).toBeInTheDocument()
+      expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+    })
+
+    it('does not show the recipient shared badge to the owner', () => {
+      mockConversations = [
+        makeConv('conv-owner-shared', 'Owner Shared Chat', {
+          owner_id: 'test@test.com',
+          sharing: {
+            is_public: false,
+            shared_with: ['teammate@test.com'],
+            shared_with_teams: [],
+            share_link_enabled: false,
+          },
+        }),
+      ]
+
+      render(<Sidebar {...defaultProps} />)
+
+      expect(screen.getByText('Owner Shared Chat')).toBeInTheDocument()
+      expect(screen.queryByTestId('icon-users2')).not.toBeInTheDocument()
+      expect(screen.queryByTestId('icon-globe')).not.toBeInTheDocument()
+    })
+
     it('shows a globe badge for public conversations', () => {
       mockConversations = [
         makeConv('conv-public', 'Public Chat', {
diff --git a/ui/src/types/a2a.ts b/ui/src/types/a2a.ts
index 1d7ecbbc29..72bda44b6a 100644
--- a/ui/src/types/a2a.ts
+++ b/ui/src/types/a2a.ts
@@ -8,6 +8,7 @@ import type { Participant } from "@/types/mongodb";
 
 // Turn status for Dynamic Agents (shown in timeline)
 export type TurnStatus = "done" | "interrupted" | "waiting_for_input";
+export type ConversationAccessLevel = "owner" | "shared" | "shared_readonly" | "admin_audit";
 
 // Chat conversation types
 export interface Conversation {
@@ -22,6 +23,8 @@ export interface Conversation {
   participants: Participant[];
   /** Owner email (only for MongoDB conversations) */
   owner_id?: string;
+  /** Current viewer access level returned by the conversation detail API. */
+  accessLevel?: ConversationAccessLevel;
   /** Sharing information (optional, only for MongoDB conversations) */
   sharing?: {
     is_public?: boolean;

From af5e2277f658782dfe454343d95cbd1844c41d1e Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Thu, 25 Jun 2026 00:04:35 -0500
Subject: [PATCH 04/12] fix(chat): enable team conversation sharing

Allow chat shares to target teams from the member-visible team endpoint, persist canonical team slugs when available, resolve recipient access through canonical team membership, and write best-effort conversation grants for team recipients.

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 .../__tests__/chat-sharing-readonly.test.ts   |  51 +++++++
 .../api/__tests__/chat-sharing-teams.test.ts  |  66 ++++++++-
 .../chat/conversations/[id]/share/route.ts    | 137 +++++++++++++++---
 ui/src/components/chat/ShareDialog.tsx        |  93 ++++++------
 .../ShareDialogPublicToggle.test.tsx          |  82 +++++++++++
 ui/src/lib/api-middleware.ts                  |  48 +++++-
 6 files changed, 409 insertions(+), 68 deletions(-)

diff --git a/ui/src/app/api/__tests__/chat-sharing-readonly.test.ts b/ui/src/app/api/__tests__/chat-sharing-readonly.test.ts
index e07ddfbb7f..1ef4a22187 100644
--- a/ui/src/app/api/__tests__/chat-sharing-readonly.test.ts
+++ b/ui/src/app/api/__tests__/chat-sharing-readonly.test.ts
@@ -64,8 +64,10 @@ const mockCheckOpenFgaTuple = jest.fn().mockImplementation(async (tuple: { relat
   const allowed = new Set(['can_read', 'can_discover', 'can_write', 'can_use', 'can_chat']);
   return { allowed: allowed.has(tuple?.relation ?? '') };
 });
+const mockWriteOpenFgaTuples = jest.fn().mockResolvedValue({ enabled: true, writes: 0, deletes: 0 });
 jest.mock('@/lib/rbac/openfga', () => ({
   checkOpenFgaTuple: (...args: unknown[]) => mockCheckOpenFgaTuple(...args),
+  writeOpenFgaTuples: (...args: unknown[]) => mockWriteOpenFgaTuples(...args),
 }));
 
 jest.mock('@/lib/rbac/resource-authz', () => ({
@@ -686,4 +688,53 @@ describe('POST /api/chat/conversations/[id]/share — permission storage', () =>
     const updateCall = convsCol.updateOne.mock.calls[0][1];
     expect(updateCall.$set['sharing.team_permissions']).toEqual({ [teamIdStr]: 'view' });
   });
+
+  it('stores canonical team slugs and writes team conversation grants', async () => {
+    const teamObjId = new ObjectId();
+    const teamIdStr = teamObjId.toHexString();
+
+    const conv = makeConversation({
+      sharing: { shared_with: [], shared_with_teams: [] },
+    });
+
+    const convsCol = createMockCollection();
+    convsCol.findOne
+      .mockResolvedValueOnce(conv)
+      .mockResolvedValue({ ...conv });
+    mockCollections['conversations'] = convsCol;
+
+    const teamsCol = createMockCollection();
+    teamsCol.findOne.mockResolvedValue({ _id: teamObjId, slug: 'platform', name: 'Platform' });
+    mockCollections['teams'] = teamsCol;
+
+    mockGetServerSession.mockResolvedValue({
+      user: { email: OWNER_EMAIL, name: 'Owner' },
+      sub: 'owner-sub',
+    });
+
+    const { POST } = await import('@/app/api/chat/conversations/[id]/share/route');
+
+    const req = new NextRequest(`http://localhost/api/chat/conversations/${TEST_CONV_ID}/share`, {
+      method: 'POST',
+      body: JSON.stringify({
+        team_ids: [teamIdStr],
+        permission: 'comment',
+      }),
+      headers: { 'Content-Type': 'application/json' },
+    });
+
+    const res = await POST(req, { params: Promise.resolve({ id: conv._id }) });
+
+    expect(res.status).toBe(200);
+    const updateCall = convsCol.updateOne.mock.calls[0][1];
+    expect(updateCall.$set['sharing.shared_with_teams']).toEqual(['platform']);
+    expect(updateCall.$set['sharing.team_permissions']).toEqual({ platform: 'comment' });
+    expect(mockWriteOpenFgaTuples).toHaveBeenCalledWith({
+      writes: expect.arrayContaining([
+        { user: 'team:platform#member', relation: 'reader', object: `conversation:${conv._id}` },
+        { user: 'team:platform#member', relation: 'writer', object: `conversation:${conv._id}` },
+      ]),
+      deletes: [],
+    });
+  });
 });
diff --git a/ui/src/app/api/__tests__/chat-sharing-teams.test.ts b/ui/src/app/api/__tests__/chat-sharing-teams.test.ts
index 3ed983b4ef..f944607500 100644
--- a/ui/src/app/api/__tests__/chat-sharing-teams.test.ts
+++ b/ui/src/app/api/__tests__/chat-sharing-teams.test.ts
@@ -180,7 +180,43 @@ describe('getUserTeamIds', () => {
     const result = await getUserTeamIds(MEMBER_EMAIL);
 
     expect(result).toEqual([TEAM_ID_1.toString(), TEAM_ID_2.toString()]);
-    expect(teamsCol.find).toHaveBeenCalledWith({ 'members.user_id': MEMBER_EMAIL });
+    expect(teamsCol.find).toHaveBeenCalledWith({
+      $or: [{ 'members.user_id': MEMBER_EMAIL }],
+    });
+  });
+
+  it('returns canonical team ids and slugs from team_membership_sources', async () => {
+    const sourcesCol = createMockCollection();
+    sourcesCol.find.mockReturnValue({
+      project: jest.fn().mockReturnValue({
+        toArray: jest.fn().mockResolvedValue([
+          { team_id: TEAM_ID_1.toString(), team_slug: 'platform' },
+          { team_id: TEAM_ID_2.toString(), team_slug: 'sre' },
+        ]),
+      }),
+    });
+    mockCollections['team_membership_sources'] = sourcesCol;
+
+    const teamsCol = createMockCollection();
+    teamsCol.find.mockReturnValue({
+      project: jest.fn().mockReturnValue({
+        toArray: jest.fn().mockResolvedValue([]),
+      }),
+    });
+    mockCollections['teams'] = teamsCol;
+
+    const result = await getUserTeamIds(MEMBER_EMAIL);
+
+    expect(result).toEqual([
+      TEAM_ID_1.toString(),
+      'platform',
+      TEAM_ID_2.toString(),
+      'sre',
+    ]);
+    expect(sourcesCol.find).toHaveBeenCalledWith({
+      status: 'active',
+      user_email: MEMBER_EMAIL,
+    });
   });
 
   it('returns empty array when user has no teams', async () => {
@@ -276,6 +312,34 @@ describe('requireConversationAccess — team-based access', () => {
     expect(result.access_level).toBe('shared');
   });
 
+  it('grants access when user belongs to a canonically shared team slug', async () => {
+    const conv = makeConversation({
+      sharing: {
+        shared_with: [],
+        shared_with_teams: ['platform'],
+      },
+    });
+    const convsCol = createMockCollection();
+    convsCol.findOne.mockResolvedValue(conv);
+    mockCollections['conversations'] = convsCol;
+
+    const sourcesCol = createMockCollection();
+    sourcesCol.find.mockReturnValue({
+      project: jest.fn().mockReturnValue({
+        toArray: jest.fn().mockResolvedValue([
+          { team_id: TEAM_ID_1.toString(), team_slug: 'platform' },
+        ]),
+      }),
+    });
+    mockCollections['team_membership_sources'] = sourcesCol;
+
+    const result = await requireConversationAccess(conv._id, MEMBER_EMAIL, mockGetCollection);
+
+    expect(result).toBeDefined();
+    expect(result.conversation._id).toBe(conv._id);
+    expect(result.access_level).toBe('shared');
+  });
+
   it('denies access when user does not belong to any shared team', async () => {
     const conv = makeConversation({
       sharing: {
diff --git a/ui/src/app/api/chat/conversations/[id]/share/route.ts b/ui/src/app/api/chat/conversations/[id]/share/route.ts
index daf8b018f3..2dce8fa38b 100644
--- a/ui/src/app/api/chat/conversations/[id]/share/route.ts
+++ b/ui/src/app/api/chat/conversations/[id]/share/route.ts
@@ -12,10 +12,110 @@ withErrorHandler
 } from '@/lib/api-middleware';
 import { getCollection } from '@/lib/mongodb';
 import { requireConversationResourcePermission } from '@/lib/rbac/conversation-implicit-authz';
+import { writeOpenFgaTuples, type OpenFgaTupleKey } from '@/lib/rbac/openfga';
 import type { Conversation,ShareConversationRequest,SharingAccess } from '@/types/mongodb';
 import { ObjectId } from 'mongodb';
 import { NextRequest } from 'next/server';
 
+type SharePermission = 'view' | 'comment';
+
+interface TeamShareDocument {
+  _id?: unknown;
+  slug?: string;
+  name?: string;
+}
+
+interface ResolvedTeamShare {
+  shareRef: string;
+  subjectRef: string;
+  aliases: string[];
+}
+
+function uniqueStrings(values: string[]): string[] {
+  return Array.from(new Set(values.map((value) => value.trim()).filter(Boolean)));
+}
+
+function teamLookupFilter(teamRef: string): Record<string, unknown> {
+  const clauses: Record<string, unknown>[] = [
+    { slug: teamRef },
+    { _id: teamRef },
+  ];
+  if (ObjectId.isValid(teamRef)) {
+    clauses.push({ _id: new ObjectId(teamRef) });
+  }
+  return { $or: clauses };
+}
+
+async function resolveTeamShares(teamRefs: string[]): Promise<ResolvedTeamShare[]> {
+  const teams = await getCollection<TeamShareDocument>('teams');
+  const resolved: ResolvedTeamShare[] = [];
+
+  for (const rawRef of uniqueStrings(teamRefs)) {
+    const team = await teams.findOne(teamLookupFilter(rawRef));
+    if (!team) {
+      throw new ApiError(`Team not found: ${rawRef}`, 404);
+    }
+
+    const id = team._id !== undefined && team._id !== null ? String(team._id) : rawRef;
+    const slug = typeof team.slug === 'string' ? team.slug.trim() : '';
+    // assisted-by Codex Codex-sonnet-4-6
+    // Store canonical slugs for new team shares, while accepting legacy Mongo _id refs.
+    const shareRef = slug || id;
+
+    resolved.push({
+      shareRef,
+      subjectRef: slug || id,
+      aliases: uniqueStrings([rawRef, id, slug]),
+    });
+  }
+
+  return resolved;
+}
+
+function canonicalizeSharedTeamRefs(existingRefs: string[], resolvedTeams: ResolvedTeamShare[]): string[] {
+  const next: string[] = [];
+  for (const existingRef of existingRefs) {
+    const ref = String(existingRef).trim();
+    if (!ref) continue;
+    const resolved = resolvedTeams.find((team) => team.aliases.includes(ref));
+    next.push(resolved?.shareRef ?? ref);
+  }
+  next.push(...resolvedTeams.map((team) => team.shareRef));
+  return uniqueStrings(next);
+}
+
+function mergeTeamPermissions(
+  existing: Record<string, SharePermission> | undefined,
+  resolvedTeams: ResolvedTeamShare[],
+  permission: SharePermission,
+): Record<string, SharePermission> {
+  const next: Record<string, SharePermission> = {};
+  for (const [ref, value] of Object.entries(existing || {})) {
+    const resolved = resolvedTeams.find((team) => team.aliases.includes(ref));
+    next[resolved?.shareRef ?? ref] = value;
+  }
+  for (const team of resolvedTeams) {
+    next[team.shareRef] = permission;
+  }
+  return next;
+}
+
+function teamConversationGrantTuples(
+  conversationId: string,
+  resolvedTeams: ResolvedTeamShare[],
+  permission: SharePermission,
+): OpenFgaTupleKey[] {
+  const tuples: OpenFgaTupleKey[] = [];
+  for (const team of resolvedTeams) {
+    const user = `team:${team.subjectRef}#member`;
+    tuples.push({ user, relation: 'reader', object: `conversation:${conversationId}` });
+    if (permission === 'comment') {
+      tuples.push({ user, relation: 'writer', object: `conversation:${conversationId}` });
+    }
+  }
+  return tuples;
+}
+
 // GET /api/chat/conversations/[id]/share
 export const GET = withErrorHandler(async (
   request: NextRequest,
@@ -78,6 +178,9 @@ export const POST = withErrorHandler(async (
     if ((hasUsers || hasTeams) && !body.permission) {
       throw new ApiError('permission is required when sharing with users or teams', 400);
     }
+    if (body.permission && !['view', 'comment'].includes(body.permission)) {
+      throw new ApiError('permission must be "view" or "comment"', 400);
+    }
 
     const conversations = await getCollection<Conversation>('conversations');
     const conversation = await conversations.findOne({ _id: conversationId });
@@ -126,18 +229,8 @@ export const POST = withErrorHandler(async (
 
     // Handle team sharing
     if (body.team_ids && body.team_ids.length > 0) {
-      // Validate team IDs exist
-      const teams = await getCollection('teams');
-      for (const teamId of body.team_ids) {
-        // Convert string teamId to ObjectId for MongoDB query
-        if (!ObjectId.isValid(teamId)) {
-          throw new ApiError(`Invalid team ID format: ${teamId}`, 400);
-        }
-        const team = await teams.findOne({ _id: new ObjectId(teamId) });
-        if (!team) {
-          throw new ApiError(`Team not found: ${teamId}`, 404);
-        }
-      }
+      const resolvedTeams = await resolveTeamShares(body.team_ids);
+      const permission = body.permission as SharePermission;
 
       // Initialize sharing object if it doesn't exist
       if (!conversation.sharing) {
@@ -146,15 +239,23 @@ export const POST = withErrorHandler(async (
 
       // Update conversation shared_with_teams
       const existingSharedWithTeams = conversation.sharing?.shared_with_teams || [];
-      update['sharing.shared_with_teams'] = [...new Set([...existingSharedWithTeams, ...body.team_ids])];
+      update['sharing.shared_with_teams'] = canonicalizeSharedTeamRefs(existingSharedWithTeams, resolvedTeams);
 
       // Store per-team permission
-      const existingTeamPerms = conversation.sharing?.team_permissions || {};
-      const newTeamPerms = { ...existingTeamPerms };
-      for (const teamId of body.team_ids) {
-        newTeamPerms[teamId] = body.permission;
+      update['sharing.team_permissions'] = mergeTeamPermissions(
+        conversation.sharing?.team_permissions,
+        resolvedTeams,
+        permission,
+      );
+
+      const grantTuples = teamConversationGrantTuples(conversationId, resolvedTeams, permission);
+      if (grantTuples.length > 0) {
+        try {
+          await writeOpenFgaTuples({ writes: grantTuples, deletes: [] });
+        } catch (err) {
+          console.warn('[chat/share] Team conversation grant write failed (best-effort):', err);
+        }
       }
-      update['sharing.team_permissions'] = newTeamPerms;
     }
 
     if (body.is_public !== undefined) {
diff --git a/ui/src/components/chat/ShareDialog.tsx b/ui/src/components/chat/ShareDialog.tsx
index d39b9b4386..5d51db420f 100644
--- a/ui/src/components/chat/ShareDialog.tsx
+++ b/ui/src/components/chat/ShareDialog.tsx
@@ -9,6 +9,7 @@ import { useEffect,useState } from "react";
 import { createPortal } from "react-dom";
 
 type SharePermission = 'view' | 'comment';
+const TEAM_SHARE_SEARCH_ENDPOINT = '/api/dynamic-agents/teams';
 
 interface ShareDialogProps {
   conversationId: string;
@@ -17,6 +18,27 @@ interface ShareDialogProps {
   onOpenChange: (open: boolean) => void;
 }
 
+function teamShareRef(team: Team): string {
+  return team.slug?.trim() || String(team._id);
+}
+
+function teamAliases(team: Team): string[] {
+  return Array.from(new Set([team.slug, team._id].map((value) => String(value || '').trim()).filter(Boolean)));
+}
+
+function isTeamAlreadyShared(team: Team, sharedTeamRefs: string[]): boolean {
+  const sharedRefs = new Set(sharedTeamRefs.map((value) => String(value).trim()).filter(Boolean));
+  return teamAliases(team).some((alias) => sharedRefs.has(alias));
+}
+
+async function fetchShareableTeams(): Promise<Team[]> {
+  const teamsResponse = await fetch(TEAM_SHARE_SEARCH_ENDPOINT);
+  if (!teamsResponse.ok) return [];
+  const teamsData = await teamsResponse.json();
+  if (Array.isArray(teamsData.data)) return teamsData.data;
+  return teamsData.data?.teams || [];
+}
+
 export function ShareDialog({
   conversationId,
   conversationTitle,
@@ -92,18 +114,16 @@ export function ShareDialog({
         // Load team names for display
         if (teamIds.length > 0) {
           try {
-            const teamsResponse = await fetch('/api/admin/teams');
-            if (teamsResponse.ok) {
-              const teamsData = await teamsResponse.json();
-              const allTeams = teamsData.data?.teams || [];
-              const namesMap: Record<string, string> = {};
-              allTeams.forEach((team: Team) => {
-                if (teamIds.includes(team._id)) {
-                  namesMap[team._id] = team.name;
+            const allTeams = await fetchShareableTeams();
+            const namesMap: Record<string, string> = {};
+            allTeams.forEach((team: Team) => {
+              for (const alias of teamAliases(team)) {
+                if (teamIds.includes(alias)) {
+                  namesMap[alias] = team.name;
                 }
-              });
-              setTeamNames(namesMap);
-            }
+              }
+            });
+            setTeamNames(namesMap);
           } catch (err) {
             console.error("Failed to load team names:", err);
           }
@@ -149,37 +169,22 @@ export function ShareDialog({
 
         // Search teams (may require admin access - handle gracefully)
         try {
-          const teamsResponse = await fetch('/api/admin/teams');
-          if (teamsResponse.ok) {
-            const teamsData = await teamsResponse.json();
-            const allTeams = teamsData.data?.teams || [];
-            // Filter teams by name/description matching search input
-            const searchLower = searchInput.toLowerCase();
-            const matchingTeams = allTeams.filter((team: Team) => {
-              const nameMatch = team.name.toLowerCase().includes(searchLower);
-              const descMatch = team.description?.toLowerCase().includes(searchLower);
-              const notAlreadyShared = !sharedWithTeams.includes(team._id);
-              return (nameMatch || descMatch) && notAlreadyShared;
-            });
-            setTeamResults(matchingTeams);
-            
-            // Show no results message if both are empty
-            if (filteredUsers.length === 0 && matchingTeams.length === 0 && searchInput.length >= 2) {
-              setNoResults(true);
-            }
-          } else if (teamsResponse.status === 403) {
-            // Admin access required - teams search not available
-            setTeamResults([]);
-            // Still check user results
-            if (filteredUsers.length === 0 && searchInput.length >= 2) {
-              setNoResults(true);
-            }
-          } else {
-            // Other error - still check user results
-            setTeamResults([]);
-            if (filteredUsers.length === 0 && searchInput.length >= 2) {
-              setNoResults(true);
-            }
+          const allTeams = await fetchShareableTeams();
+          // assisted-by Codex Codex-sonnet-4-6
+          // Team chat sharing uses the member-visible team endpoint, not the admin grid API.
+          const searchLower = searchInput.toLowerCase();
+          const matchingTeams = allTeams.filter((team: Team) => {
+            const nameMatch = team.name.toLowerCase().includes(searchLower);
+            const slugMatch = team.slug?.toLowerCase().includes(searchLower);
+            const descMatch = team.description?.toLowerCase().includes(searchLower);
+            const notAlreadyShared = !isTeamAlreadyShared(team, sharedWithTeams);
+            return (nameMatch || slugMatch || descMatch) && notAlreadyShared;
+          });
+          setTeamResults(matchingTeams);
+
+          // Show no results message if both are empty
+          if (filteredUsers.length === 0 && matchingTeams.length === 0 && searchInput.length >= 2) {
+            setNoResults(true);
           }
         } catch (teamErr) {
           console.error("Team search failed:", teamErr);
@@ -588,8 +593,8 @@ export function ShareDialog({
                     <div className="text-xs font-medium text-muted-foreground px-2 py-1">Teams</div>
                     {teamResults.map((team) => (
                       <button
-                        key={team._id}
-                        onClick={() => handleShareTeam(team._id)}
+                        key={teamShareRef(team)}
+                        onClick={() => handleShareTeam(teamShareRef(team))}
                         disabled={loading}
                         className="w-full px-3 py-2 text-left hover:bg-muted flex items-center gap-2 text-sm rounded-md"
                       >
diff --git a/ui/src/components/chat/__tests__/ShareDialogPublicToggle.test.tsx b/ui/src/components/chat/__tests__/ShareDialogPublicToggle.test.tsx
index 42ebfbcf80..840aa6b05c 100644
--- a/ui/src/components/chat/__tests__/ShareDialogPublicToggle.test.tsx
+++ b/ui/src/components/chat/__tests__/ShareDialogPublicToggle.test.tsx
@@ -282,4 +282,86 @@ describe('ShareDialog — Share with everyone toggle', () => {
     consoleSpy.mockRestore()
     alertSpy.mockRestore()
   })
+
+  it('shares with teams from the member-visible team endpoint', async () => {
+    let sharing = {
+      is_public: false,
+      shared_with: [],
+      shared_with_teams: [] as string[],
+      share_link_enabled: false,
+    }
+
+    ;(global.fetch as jest.Mock).mockImplementation((url: string, opts?: any) => {
+      if (url.includes('/api/dynamic-agents/teams')) {
+        return Promise.resolve({
+          ok: true,
+          status: 200,
+          json: async () => ({
+            success: true,
+            data: [
+              {
+                _id: 'team-1',
+                slug: 'platform',
+                name: 'Platform Team',
+                description: 'Core platform',
+              },
+            ],
+          }),
+        })
+      }
+      if (url.includes('/share') && (!opts || opts.method !== 'POST')) {
+        return Promise.resolve({
+          ok: true,
+          status: 200,
+          json: async () => ({
+            data: { sharing },
+          }),
+        })
+      }
+      if (url.includes('/share') && opts?.method === 'POST') {
+        sharing = {
+          ...sharing,
+          shared_with_teams: ['platform'],
+        }
+        return Promise.resolve({
+          ok: true,
+          status: 200,
+          json: async () => ({ data: { sharing } }),
+        })
+      }
+      return Promise.resolve({ ok: true, status: 200, json: async () => ({}) })
+    })
+
+    render(<ShareDialog {...defaultProps} />)
+
+    await waitFor(() => {
+      expect(screen.getByPlaceholderText('Search by email or team name...')).toBeInTheDocument()
+    })
+
+    fireEvent.change(screen.getByPlaceholderText('Search by email or team name...'), {
+      target: { value: 'plat' },
+    })
+
+    await waitFor(() => {
+      expect(screen.getByText('Platform Team')).toBeInTheDocument()
+    })
+
+    fireEvent.click(screen.getByText('Platform Team'))
+
+    await waitFor(() => {
+      const postCalls = (global.fetch as jest.Mock).mock.calls.filter(
+        ([url, opts]: [string, any]) => url.includes('/share') && opts?.method === 'POST'
+      )
+      expect(postCalls.length).toBeGreaterThan(0)
+      const body = JSON.parse(postCalls[0][1].body)
+      expect(body.team_ids).toEqual(['platform'])
+    })
+
+    expect((global.fetch as jest.Mock).mock.calls.some(([url]: [string]) =>
+      url.includes('/api/dynamic-agents/teams')
+    )).toBe(true)
+    expect((global.fetch as jest.Mock).mock.calls.some(([url]: [string]) =>
+      url.includes('/api/admin/teams')
+    )).toBe(false)
+  })
 })
diff --git a/ui/src/lib/api-middleware.ts b/ui/src/lib/api-middleware.ts
index 3fd839ca3a..84ea0305f3 100644
--- a/ui/src/lib/api-middleware.ts
+++ b/ui/src/lib/api-middleware.ts
@@ -7,10 +7,12 @@ import { authOptions, isBootstrapAdmin } from '@/lib/auth-config';
 import { getConfig } from '@/lib/config';
 import { getCollection } from '@/lib/mongodb';
 import type { User } from '@/types/mongodb';
+import type { TeamMembershipSource } from '@/types/identity-group-sync';
 import { validateBearerJWT, validateLocalSkillsJWT } from '@/lib/jwt-validation';
 import { ApiError } from '@/lib/api-error';
 import type { AuthFailureAction, AuthFailureReason } from '@/lib/auth-error';
 import { CredentialError } from '@/lib/credentials/errors';
+import { getRbacCollection } from '@/lib/rbac/mongo-collections';
 import {
   getDevAnonymousSession,
   getDevAnonymousUser,
@@ -1194,19 +1196,55 @@ export function requireOwnership(ownerId: string, userId: string) {
 
 /**
  * Resolve all team IDs that a user belongs to.
- * Looks up the teams collection for teams where the user is a member.
+ * Uses canonical team_membership_sources and falls back to legacy teams.members[].
  */
 export async function getUserTeamIds(userEmail: string): Promise<string[]> {
+  const refs = new Set<string>();
+  const normalizedEmail = userEmail.trim().toLowerCase();
+  if (!normalizedEmail) return [];
+
+  try {
+    // assisted-by Codex Codex-sonnet-4-6
+    // Chat team shares must follow the canonical membership store, not stale embedded team members.
+    const sources = await getRbacCollection<TeamMembershipSource>('teamMembershipSources');
+    const rows = await sources
+      .find({ status: 'active', user_email: normalizedEmail })
+      .project({ team_id: 1, team_slug: 1 })
+      .toArray();
+
+    for (const row of rows) {
+      if (typeof row.team_id === 'string' && row.team_id.trim()) {
+        refs.add(row.team_id.trim());
+      }
+      if (typeof row.team_slug === 'string' && row.team_slug.trim()) {
+        refs.add(row.team_slug.trim());
+      }
+    }
+  } catch {
+    // Fall through to the legacy embedded-members lookup below.
+  }
+
   try {
     const teams = await getCollection('teams');
+    const emailClauses = Array.from(new Set([userEmail.trim(), normalizedEmail].filter(Boolean)));
     const userTeams = await teams
-      .find({ 'members.user_id': userEmail })
-      .project({ _id: 1 })
+      .find({ $or: emailClauses.map((email) => ({ 'members.user_id': email })) })
+      .project({ _id: 1, slug: 1 })
       .toArray();
-    return userTeams.map((t: any) => t._id.toString());
+
+    for (const team of userTeams) {
+      if (team?._id !== undefined && team?._id !== null) {
+        refs.add(team._id.toString());
+      }
+      if (typeof team?.slug === 'string' && team.slug.trim()) {
+        refs.add(team.slug.trim());
+      }
+    }
   } catch {
-    return [];
+    // Ignore legacy lookup failures; sharing should fail closed for non-matches.
   }
+
+  return Array.from(refs);
 }
 
 export type ConversationAccessLevel = 'owner' | 'shared' | 'shared_readonly' | 'admin_audit';

From b34544e65d5118b6629cd6c13625df0c63666166 Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Thu, 25 Jun 2026 00:22:33 -0500
Subject: [PATCH 05/12] fix(chat): mark shared recipients in sidebar

Annotate conversation list rows with a viewer-specific shared flag after RBAC filtering and carry it through the chat store.

Use that signal in the sidebar so recipients see the shared badge even when owner metadata is missing, while owners stay unbadged.

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 .../chat-conversations-client-type.test.ts    | 80 +++++++++++++++++++
 ui/src/app/api/chat/conversations/route.ts    | 12 +--
 ui/src/components/layout/Sidebar.tsx          | 17 +++-
 .../layout/__tests__/Sidebar.test.tsx         | 20 +++++
 .../conversation-implicit-authz.test.ts       | 27 +++++++
 .../lib/rbac/conversation-implicit-authz.ts   | 19 +++++
 ui/src/store/__tests__/chat-store.test.ts     | 25 ++++++
 ui/src/store/chat-store.ts                    |  1 +
 ui/src/types/a2a.ts                           |  3 +
 ui/src/types/mongodb.ts                       |  3 +
 10 files changed, 198 insertions(+), 9 deletions(-)

diff --git a/ui/src/app/api/__tests__/chat-conversations-client-type.test.ts b/ui/src/app/api/__tests__/chat-conversations-client-type.test.ts
index 25b55285ae..2917e4ec7c 100644
--- a/ui/src/app/api/__tests__/chat-conversations-client-type.test.ts
+++ b/ui/src/app/api/__tests__/chat-conversations-client-type.test.ts
@@ -19,6 +19,11 @@ jest.mock('@/lib/config', () => ({
   getConfig: (key: string) => key === 'ssoEnabled',
 }));
 
+jest.mock('@/lib/authz', () => ({
+  authorize: jest.fn().mockResolvedValue({ decision: 'DENY' }),
+  authorizeMany: jest.fn().mockResolvedValue(new Map()),
+}));
+
 const mockCollections: Record<string, any> = {};
 const mockGetCollection = jest.fn((name: string) => {
   if (!mockCollections[name]) {
@@ -65,12 +70,18 @@ function userSession(email = 'user@example.com') {
 
 function resetMocks() {
   mockGetServerSession.mockReset();
+  authorizeMany.mockReset();
+  authorizeMany.mockResolvedValue(new Map());
   mockGetCollection.mockClear();
   Object.keys(mockCollections).forEach((key) => delete mockCollections[key]);
 }
 
 import { GET } from '../chat/conversations/route';
 
+const { authorizeMany } = jest.requireMock('@/lib/authz') as {
+  authorizeMany: jest.Mock;
+};
+
 describe('GET /api/chat/conversations — client_type filtering', () => {
   beforeEach(resetMocks);
 
@@ -156,6 +167,75 @@ describe('GET /api/chat/conversations — client_type filtering', () => {
     });
   });
 
+  it('marks shared recipient rows in the conversations list response', async () => {
+    mockGetServerSession.mockResolvedValue({
+      ...userSession('viewer@example.com'),
+      sub: 'viewer-sub',
+    });
+    authorizeMany.mockResolvedValue(new Map([
+      ['shared-recipient-conv', { decision: 'ALLOW' }],
+    ]));
+
+    const conversationsCol = createMockCollection();
+    conversationsCol.countDocuments.mockResolvedValue(2);
+    conversationsCol.find.mockReturnValue({
+      sort: jest.fn().mockReturnValue({
+        skip: jest.fn().mockReturnValue({
+          limit: jest.fn().mockReturnValue({
+            toArray: jest.fn().mockResolvedValue([
+              {
+                _id: 'owned-conv',
+                title: 'Owned conversation',
+                owner_id: 'viewer@example.com',
+                created_at: new Date(),
+                updated_at: new Date(),
+                metadata: { total_messages: 0 },
+                sharing: { is_public: false, shared_with: [], shared_with_teams: [], share_link_enabled: false },
+                tags: [],
+                is_archived: false,
+                is_pinned: false,
+              },
+              {
+                _id: 'shared-recipient-conv',
+                title: 'Shared recipient conversation',
+                owner_id: 'owner@example.com',
+                created_at: new Date(),
+                updated_at: new Date(),
+                metadata: { total_messages: 0 },
+                sharing: {
+                  is_public: false,
+                  shared_with: ['viewer@example.com'],
+                  shared_with_teams: [],
+                  share_link_enabled: false,
+                },
+                tags: [],
+                is_archived: false,
+                is_pinned: false,
+              },
+            ]),
+          }),
+        }),
+      }),
+    });
+    mockCollections['conversations'] = conversationsCol;
+
+    const req = makeRequest('/api/chat/conversations?page_size=100');
+    const res = await GET(req);
+    const body = await res.json();
+
+    expect(res.status).toBe(200);
+    expect(body.data.items).toEqual(expect.arrayContaining([
+      expect.objectContaining({
+        _id: 'owned-conv',
+        viewer_has_shared_access: false,
+      }),
+      expect.objectContaining({
+        _id: 'shared-recipient-conv',
+        viewer_has_shared_access: true,
+      }),
+    ]));
+  });
+
   it('enriches conversation agent participants with display names', async () => {
     mockGetServerSession.mockResolvedValue(userSession());
 
diff --git a/ui/src/app/api/chat/conversations/route.ts b/ui/src/app/api/chat/conversations/route.ts
index ff34fb2033..1edca9b7e0 100644
--- a/ui/src/app/api/chat/conversations/route.ts
+++ b/ui/src/app/api/chat/conversations/route.ts
@@ -11,6 +11,7 @@ withErrorHandler,
 } from '@/lib/api-middleware';
 import { getCollection,isMongoDBConfigured } from '@/lib/mongodb';
 import {
+  annotateConversationsWithViewerSharing,
   conversationVisibilityCandidateQuery,
   filterConversationsByImplicitOrExplicitPermission,
 } from '@/lib/rbac/conversation-implicit-authz';
@@ -23,7 +24,7 @@ import { NextRequest,NextResponse } from 'next/server';
 import { v4 as uuidv4 } from 'uuid';
 import packageJson from '../../../../../package.json';
 
-type ConversationWithAgentDisplay = Conversation & {
+type ConversationWithAgentDisplay<T extends Conversation = Conversation> = T & {
   agent_id?: string;
   agent_name?: string;
 };
@@ -32,9 +33,9 @@ function getConversationAgentId(conversation: Conversation): string | undefined
   return conversation.participants?.find((participant) => participant.type === 'agent')?.id;
 }
 
-async function enrichConversationAgentNames(
-  items: Conversation[],
-): Promise<ConversationWithAgentDisplay[]> {
+async function enrichConversationAgentNames<T extends Conversation>(
+  items: T[],
+): Promise<ConversationWithAgentDisplay<T>[]> {
   const agentIds = Array.from(
     new Set(items.map(getConversationAgentId).filter((id): id is string => Boolean(id))),
   );
@@ -142,9 +143,10 @@ export const GET = withErrorHandler(async (request: NextRequest) => {
     .toArray();
 
   const visibleItems = await filterConversationsByImplicitOrExplicitPermission(session, user.email, items);
+  const visibleItemsWithViewerFlags = annotateConversationsWithViewerSharing(session, user.email, visibleItems);
 
   return paginatedResponse(
-    await enrichConversationAgentNames(visibleItems),
+    await enrichConversationAgentNames(visibleItemsWithViewerFlags),
     visibleItems.length < items.length ? visibleItems.length : total,
     page,
     pageSize
diff --git a/ui/src/components/layout/Sidebar.tsx b/ui/src/components/layout/Sidebar.tsx
index 8e4cb19df2..49df80a14a 100644
--- a/ui/src/components/layout/Sidebar.tsx
+++ b/ui/src/components/layout/Sidebar.tsx
@@ -357,19 +357,28 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                 {conversations.map((conv, index) => {
                   const currentUserEmail = session?.user?.email?.trim().toLowerCase();
                   const ownerEmail = conv.owner_id?.trim().toLowerCase();
-                  const isOwner = !ownerEmail || (currentUserEmail ? ownerEmail === currentUserEmail : false);
+                  const viewerIsKnownOwner =
+                    conv.accessLevel === "owner" ||
+                    Boolean(ownerEmail && currentUserEmail && ownerEmail === currentUserEmail);
                   const hasSharingConfig = Boolean(
                     conv.sharing?.is_public ||
                     (conv.sharing?.shared_with?.length ?? 0) > 0 ||
                     (conv.sharing?.shared_with_teams?.length ?? 0) > 0 ||
                     conv.sharing?.share_link_enabled
                   );
+                  const sharedByKnownDifferentOwner = Boolean(
+                    ownerEmail &&
+                    currentUserEmail &&
+                    ownerEmail !== currentUserEmail &&
+                    hasSharingConfig
+                  );
                   // assisted-by Codex Codex-sonnet-4-6
-                  // The badge is viewer-facing: show it for recipients, not just because the owner shared it.
-                  const isSharedWithViewer = !isOwner && (
+                  // The badge is viewer-facing, so prefer the server's per-viewer sharing signal.
+                  const isSharedWithViewer = !viewerIsKnownOwner && (
+                    conv.isSharedWithViewer === true ||
                     conv.accessLevel === "shared" ||
                     conv.accessLevel === "shared_readonly" ||
-                    hasSharingConfig
+                    sharedByKnownDifferentOwner
                   );
                   const isPublicShareForViewer = isSharedWithViewer && conv.sharing?.is_public;
 
diff --git a/ui/src/components/layout/__tests__/Sidebar.test.tsx b/ui/src/components/layout/__tests__/Sidebar.test.tsx
index 67c796da69..2342344f75 100644
--- a/ui/src/components/layout/__tests__/Sidebar.test.tsx
+++ b/ui/src/components/layout/__tests__/Sidebar.test.tsx
@@ -426,6 +426,26 @@ describe('Sidebar — Live Status Indicator', () => {
       expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
     })
 
+    it('shows a shared badge from the server viewer flag without owner metadata', () => {
+      mockConversations = [
+        makeConv('conv-flagged-recipient', 'Flagged Recipient Chat', {
+          isSharedWithViewer: true,
+          sharing: {
+            is_public: false,
+            shared_with: [],
+            shared_with_teams: [],
+            share_link_enabled: false,
+          },
+        }),
+      ]
+
+      render(<Sidebar {...defaultProps} />)
+
+      expect(screen.getByText('Flagged Recipient Chat')).toBeInTheDocument()
+      expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+      expect(screen.queryByTestId('icon-globe')).not.toBeInTheDocument()
+    })
+
     it('does not show the recipient shared badge to the owner', () => {
       mockConversations = [
         makeConv('conv-owner-shared', 'Owner Shared Chat', {
diff --git a/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts b/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts
index cda9c70ff8..fd76406a95 100644
--- a/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts
+++ b/ui/src/lib/rbac/__tests__/conversation-implicit-authz.test.ts
@@ -1,4 +1,5 @@
 import {
+  annotateConversationsWithViewerSharing,
   conversationVisibilityCandidateQuery,
   filterConversationsByImplicitOrExplicitPermission,
   isImplicitConversationOwner,
@@ -77,6 +78,32 @@ describe("conversation implicit authorization", () => {
     );
   });
 
+  it("annotates viewer sharing for non-owned visible rows", () => {
+    type ViewerFlagRow = {
+      _id: string;
+      owner_id?: string;
+      owner_subject?: string;
+    };
+
+    const rows = annotateConversationsWithViewerSharing<ViewerFlagRow>(
+      { sub: "alice-sub" },
+      "alice@example.com",
+      [
+        { _id: "owned-sub", owner_id: "other@example.com", owner_subject: "alice-sub" },
+        { _id: "owned-email", owner_id: "alice@example.com", owner_subject: undefined },
+        { _id: "shared-no-owner", owner_id: undefined, owner_subject: undefined },
+        { _id: "shared-known-owner", owner_id: "bob@example.com", owner_subject: undefined },
+      ],
+    );
+
+    expect(rows.map((row) => [row._id, row.viewer_has_shared_access])).toEqual([
+      ["owned-sub", false],
+      ["owned-email", false],
+      ["shared-no-owner", true],
+      ["shared-known-owner", true],
+    ]);
+  });
+
   it("requires OpenFGA only when caller is not the implicit owner", async () => {
     await requireConversationResourcePermission(
       { sub: "alice-sub" },
diff --git a/ui/src/lib/rbac/conversation-implicit-authz.ts b/ui/src/lib/rbac/conversation-implicit-authz.ts
index a56d6f1368..7e335c6b11 100644
--- a/ui/src/lib/rbac/conversation-implicit-authz.ts
+++ b/ui/src/lib/rbac/conversation-implicit-authz.ts
@@ -39,6 +39,25 @@ export function isImplicitConversationOwner(
   return Boolean(normalizeEmail(userEmail) && normalizeEmail(conversation.owner_id) === normalizeEmail(userEmail));
 }
 
+export interface ConversationViewerSharingFlag {
+  viewer_has_shared_access: boolean;
+}
+
+export function annotateConversationsWithViewerSharing<
+  T extends Pick<Conversation, "owner_id" | "owner_subject">,
+>(
+  session: ResourceAuthzSession,
+  userEmail: string,
+  conversations: T[],
+): Array<T & ConversationViewerSharingFlag> {
+  return conversations.map((conversation) => ({
+    ...conversation,
+    // assisted-by Codex Codex-sonnet-4-6
+    // Sidebar needs an explicit recipient signal even when owner metadata is absent client-side.
+    viewer_has_shared_access: !isImplicitConversationOwner(session, userEmail, conversation),
+  }));
+}
+
 export async function requireConversationResourcePermission(
   session: ResourceAuthzSession,
   userEmail: string,
diff --git a/ui/src/store/__tests__/chat-store.test.ts b/ui/src/store/__tests__/chat-store.test.ts
index d1237d970e..26d527e5c8 100644
--- a/ui/src/store/__tests__/chat-store.test.ts
+++ b/ui/src/store/__tests__/chat-store.test.ts
@@ -1037,6 +1037,31 @@ describe('chat-store', () => {
       expect(newConv!.messages).toHaveLength(0);
     });
 
+    it('maps the server viewer sharing flag into local conversations', async () => {
+      useChatStore.setState({ conversations: [] });
+
+      mockApiClient.getConversations.mockResolvedValue({
+        items: [
+          {
+            _id: 'shared-recipient',
+            title: 'Shared Recipient',
+            created_at: new Date().toISOString(),
+            updated_at: new Date().toISOString(),
+            viewer_has_shared_access: true,
+          },
+        ],
+        total: 1,
+        page: 1,
+        page_size: 100,
+        has_more: false,
+      });
+
+      await useChatStore.getState().loadConversationsFromServer();
+
+      const sharedConv = useChatStore.getState().conversations.find(c => c.id === 'shared-recipient');
+      expect(sharedConv!.isSharedWithViewer).toBe(true);
+    });
+
     it('does not preserve non-active non-streaming local-only conversations', async () => {
       // Conversations that are neither active nor streaming should be removed
       // when not present in the server response (FR-004).
diff --git a/ui/src/store/chat-store.ts b/ui/src/store/chat-store.ts
index 22919685c8..fc1cd28e23 100644
--- a/ui/src/store/chat-store.ts
+++ b/ui/src/store/chat-store.ts
@@ -758,6 +758,7 @@ const storeImplementation = (set: any, get: any) => ({
               streamEvents: (isStreaming || hasLoadedMessages || isActive) && localConv ? (localConv.streamEvents || []) : [],
               participants: conv.participants || [],
               owner_id: conv.owner_id,
+              isSharedWithViewer: conv.viewer_has_shared_access,
               sharing: conv.sharing,
             };
           });
diff --git a/ui/src/types/a2a.ts b/ui/src/types/a2a.ts
index 72bda44b6a..82f8619c7e 100644
--- a/ui/src/types/a2a.ts
+++ b/ui/src/types/a2a.ts
@@ -25,6 +25,9 @@ export interface Conversation {
   owner_id?: string;
   /** Current viewer access level returned by the conversation detail API. */
   accessLevel?: ConversationAccessLevel;
+  /** Server list says the current viewer sees this row through sharing. */
+  // assisted-by Codex Codex-sonnet-4-6
+  isSharedWithViewer?: boolean;
   /** Sharing information (optional, only for MongoDB conversations) */
   sharing?: {
     is_public?: boolean;
diff --git a/ui/src/types/mongodb.ts b/ui/src/types/mongodb.ts
index 44286e6d39..b394af2ca9 100644
--- a/ui/src/types/mongodb.ts
+++ b/ui/src/types/mongodb.ts
@@ -89,6 +89,9 @@ export interface Conversation {
     share_link_enabled: boolean;
     share_link_expires?: Date;
   };
+  // assisted-by Codex Codex-sonnet-4-6
+  // Response-only: current viewer reached this conversation through sharing, not ownership.
+  viewer_has_shared_access?: boolean;
   tags: string[];
   is_archived: boolean;
   is_pinned: boolean;

From 21d60467e827ee981b85701a506dd8e3bc8a884c Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Thu, 25 Jun 2026 07:55:21 -0500
Subject: [PATCH 06/12] fix(chat): show shared-by affordance to recipients

Restore the sidebar share affordance for shared conversation recipients without opening owner-only share management.

Show shared-by details in the shared badge and recipient share tooltip, with recipient clicks copying the conversation link.

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 ui/src/components/chat/ShareButton.tsx        | 29 +++++--
 .../chat/__tests__/ShareButton.test.tsx       | 80 +++++++++++++++++++
 ui/src/components/layout/Sidebar.tsx          | 17 +++-
 .../layout/__tests__/Sidebar.test.tsx         | 19 ++++-
 4 files changed, 133 insertions(+), 12 deletions(-)
 create mode 100644 ui/src/components/chat/__tests__/ShareButton.test.tsx

diff --git a/ui/src/components/chat/ShareButton.tsx b/ui/src/components/chat/ShareButton.tsx
index d9e07c2d4d..8c50abc602 100644
--- a/ui/src/components/chat/ShareButton.tsx
+++ b/ui/src/components/chat/ShareButton.tsx
@@ -7,7 +7,7 @@ TooltipContent,
 TooltipProvider,
 TooltipTrigger,
 } from "@/components/ui/tooltip";
-import { Share2 } from "lucide-react";
+import { Check,Share2 } from "lucide-react";
 import React,{ useState } from "react";
 import { ShareDialog } from "./ShareDialog";
 
@@ -15,12 +15,16 @@ interface ShareButtonProps {
   conversationId: string;
   conversationTitle?: string;
   isOwner?: boolean;
+  isSharedWithViewer?: boolean;
+  sharedBy?: string;
 }
 
 export function ShareButton({ 
   conversationId, 
   conversationTitle = "Conversation",
-  isOwner = true
+  isOwner = true,
+  isSharedWithViewer = false,
+  sharedBy,
 }: ShareButtonProps) {
   const [showDialog, setShowDialog] = useState(false);
   const [copied, setCopied] = useState(false);
@@ -44,24 +48,35 @@ export function ShareButton({
     setShowDialog(true);
   };
 
+  const sharedByText = sharedBy?.trim() ? `Shared by ${sharedBy.trim()}` : "Shared conversation";
+  const shouldShowButton = isOwner || isSharedWithViewer;
+
   return (
     <>
       <TooltipProvider>
-        {/* Single share button that opens dialog */}
-        {isOwner && (
+        {shouldShowButton && (
           <Tooltip>
             <TooltipTrigger asChild>
               <Button
                 variant="ghost"
                 size="icon"
-                onClick={handleOpenDialog}
+                onClick={isOwner ? handleOpenDialog : handleQuickCopy}
                 className="h-6 w-6"
+                aria-label={isOwner ? "Share conversation" : sharedByText}
               >
-                <Share2 className="h-3 w-3" />
+                {copied ? <Check className="h-3 w-3" /> : <Share2 className="h-3 w-3" />}
               </Button>
             </TooltipTrigger>
             <TooltipContent side="left">
-              <p>Share</p>
+              {isOwner ? (
+                <p>Share</p>
+              ) : (
+                <>
+                  {/* assisted-by Codex Codex-sonnet-4-6 */}
+                  <p>{copied ? "Link copied" : sharedByText}</p>
+                  {!copied && <p className="text-xs text-muted-foreground">Click to copy link</p>}
+                </>
+              )}
             </TooltipContent>
           </Tooltip>
         )}
diff --git a/ui/src/components/chat/__tests__/ShareButton.test.tsx b/ui/src/components/chat/__tests__/ShareButton.test.tsx
new file mode 100644
index 0000000000..784b1a7e92
--- /dev/null
+++ b/ui/src/components/chat/__tests__/ShareButton.test.tsx
@@ -0,0 +1,80 @@
+import React from 'react'
+import { fireEvent, render, screen, waitFor } from '@testing-library/react'
+
+const mockShareDialog = jest.fn(() => null)
+
+jest.mock('@/components/ui/button', () => ({
+  Button: ({ children, ...props }: any) => <button {...props}>{children}</button>,
+}))
+
+jest.mock('@/components/ui/tooltip', () => ({
+  Tooltip: ({ children }: any) => <>{children}</>,
+  TooltipContent: ({ children }: any) => <>{children}</>,
+  TooltipProvider: ({ children }: any) => <>{children}</>,
+  TooltipTrigger: ({ children }: any) => <>{children}</>,
+}))
+
+jest.mock('lucide-react', () => ({
+  Check: (props: any) => <span data-testid="icon-check" {...props} />,
+  Share2: (props: any) => <span data-testid="icon-share2" {...props} />,
+}))
+
+jest.mock('../ShareDialog', () => ({
+  ShareDialog: (props: any) => {
+    mockShareDialog(props)
+    return props.open ? <div data-testid="share-dialog" /> : null
+  },
+}))
+
+import { ShareButton } from '../ShareButton'
+
+describe('ShareButton', () => {
+  const writeText = jest.fn().mockResolvedValue(undefined)
+
+  beforeEach(() => {
+    jest.clearAllMocks()
+    Object.defineProperty(navigator, 'clipboard', {
+      configurable: true,
+      value: { writeText },
+    })
+  })
+
+  it('renders recipient share affordance with shared-by tooltip and copies the link', async () => {
+    render(
+      <ShareButton
+        conversationId="conv-recipient"
+        conversationTitle="Recipient Chat"
+        isOwner={false}
+        isSharedWithViewer
+        sharedBy="owner@test.com"
+      />,
+    )
+
+    expect(screen.getByRole('button', { name: 'Shared by owner@test.com' })).toBeInTheDocument()
+    expect(screen.getByText('Shared by owner@test.com')).toBeInTheDocument()
+    expect(screen.getByText('Click to copy link')).toBeInTheDocument()
+    expect(screen.getByTestId('icon-share2')).toBeInTheDocument()
+
+    fireEvent.click(screen.getByRole('button', { name: 'Shared by owner@test.com' }))
+
+    await waitFor(() => {
+      expect(writeText).toHaveBeenCalledWith(`${window.location.origin}/chat/conv-recipient`)
+    })
+    expect(screen.queryByTestId('share-dialog')).not.toBeInTheDocument()
+    expect(mockShareDialog).not.toHaveBeenCalled()
+  })
+
+  it('opens the share dialog for owners', () => {
+    render(
+      <ShareButton
+        conversationId="conv-owner"
+        conversationTitle="Owner Chat"
+        isOwner
+      />,
+    )
+
+    fireEvent.click(screen.getByRole('button', { name: 'Share conversation' }))
+
+    expect(screen.getByTestId('share-dialog')).toBeInTheDocument()
+  })
+})
diff --git a/ui/src/components/layout/Sidebar.tsx b/ui/src/components/layout/Sidebar.tsx
index 49df80a14a..430fcb1693 100644
--- a/ui/src/components/layout/Sidebar.tsx
+++ b/ui/src/components/layout/Sidebar.tsx
@@ -381,6 +381,15 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                     sharedByKnownDifferentOwner
                   );
                   const isPublicShareForViewer = isSharedWithViewer && conv.sharing?.is_public;
+                  const sharedByLabel = conv.owner_id?.trim();
+                  const sharedBadgeText = isPublicShareForViewer
+                    ? sharedByLabel
+                      ? `Shared with everyone by ${sharedByLabel}`
+                      : "Shared with everyone"
+                    : sharedByLabel
+                      ? `Shared by ${sharedByLabel}`
+                      : "Shared conversation";
+                  const canManageSharing = viewerIsKnownOwner || (!ownerEmail && !isSharedWithViewer);
 
                   const isLive = isConversationStreaming(conv.id);
                   const isInputRequired = !isLive && isConversationInputRequired(conv.id);
@@ -483,9 +492,7 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                                   </TooltipTrigger>
                                   <TooltipContent side="right">
                                     <p className="text-xs">
-                                      {isPublicShareForViewer
-                                        ? 'Shared with everyone'
-                                        : 'Shared conversation'}
+                                      {sharedBadgeText}
                                     </p>
                                   </TooltipContent>
                                 </Tooltip>
@@ -521,7 +528,9 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                             <ShareButton
                               conversationId={conv.id}
                               conversationTitle={conv.title}
-                              isOwner={!conv.owner_id || conv.owner_id === session?.user?.email}
+                              isOwner={canManageSharing}
+                              isSharedWithViewer={isSharedWithViewer}
+                              sharedBy={sharedByLabel}
                             />
                           </div>
                           <TooltipProvider delayDuration={200}>
diff --git a/ui/src/components/layout/__tests__/Sidebar.test.tsx b/ui/src/components/layout/__tests__/Sidebar.test.tsx
index 2342344f75..55c4d50eee 100644
--- a/ui/src/components/layout/__tests__/Sidebar.test.tsx
+++ b/ui/src/components/layout/__tests__/Sidebar.test.tsx
@@ -144,7 +144,18 @@ jest.mock('@/components/chat/RecycleBinDialog', () => ({
 }))
 
 jest.mock('@/components/chat/ShareButton', () => ({
-  ShareButton: () => null,
+  ShareButton: ({ isOwner, isSharedWithViewer, sharedBy }: any) => (
+    isOwner || isSharedWithViewer ? (
+      <button
+        data-testid="share-button"
+        data-owner={String(Boolean(isOwner))}
+        data-shared-viewer={String(Boolean(isSharedWithViewer))}
+        data-shared-by={sharedBy || ''}
+      >
+        Share
+      </button>
+    ) : null
+  ),
 }))
 
 // NewChatButton is exercised by its own test suite; stub it here so the
@@ -424,6 +435,10 @@ describe('Sidebar — Live Status Indicator', () => {
 
       expect(screen.getByText('Recipient Chat')).toBeInTheDocument()
       expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
+      expect(screen.getByText('Shared by owner@test.com')).toBeInTheDocument()
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-owner', 'false')
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-shared-viewer', 'true')
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-shared-by', 'owner@test.com')
     })
 
     it('shows a shared badge from the server viewer flag without owner metadata', () => {
@@ -444,6 +459,8 @@ describe('Sidebar — Live Status Indicator', () => {
       expect(screen.getByText('Flagged Recipient Chat')).toBeInTheDocument()
       expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
       expect(screen.queryByTestId('icon-globe')).not.toBeInTheDocument()
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-owner', 'false')
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-shared-viewer', 'true')
     })
 
     it('does not show the recipient shared badge to the owner', () => {

From 24f46f5479cb16c8fd5d5918622a8dd31aa518ff Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Thu, 25 Jun 2026 08:22:53 -0500
Subject: [PATCH 07/12] test(chat): cover shared recipient affordance

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 ui/e2e/rbac/_helpers.ts                       | 89 ++++++++++++++++++-
 .../rbac/chat-navigation-regression.spec.ts   | 50 ++++++++++-
 2 files changed, 134 insertions(+), 5 deletions(-)

diff --git a/ui/e2e/rbac/_helpers.ts b/ui/e2e/rbac/_helpers.ts
index 45cf44e9dd..377c4fbdd2 100644
--- a/ui/e2e/rbac/_helpers.ts
+++ b/ui/e2e/rbac/_helpers.ts
@@ -22,21 +22,38 @@ type TestCredentials = {
 type ChatBootMocksOptions = {
   conversationId?: string;
   ownerEmail?: string;
+  title?: string;
   /** When true (default), GET /api/chat/conversations returns the fixture conversation. */
   seedExistingConversation?: boolean;
   /** Artificial delay for the conversation list GET (simulates Sidebar + /chat racing). */
   conversationListDelayMs?: number;
   /** When set, seeds an agent participant on the conversation fixture. */
   agentId?: string;
+  sharing?: {
+    is_public?: boolean;
+    shared_with?: string[];
+    shared_with_teams?: string[];
+    share_link_enabled?: boolean;
+  };
+  viewerHasSharedAccess?: boolean;
+  accessLevel?: "owner" | "shared" | "shared_readonly" | "admin_audit";
   onConversationListRequest?: (url: URL) => void;
   onConversationCreate?: () => void;
 };
 
-function chatConversationFixture(id: string, ownerEmail: string, agentId?: string) {
+function chatConversationFixture(
+  id: string,
+  ownerEmail: string,
+  agentId?: string,
+  options: Pick<
+    ChatBootMocksOptions,
+    "accessLevel" | "sharing" | "title" | "viewerHasSharedAccess"
+  > = {},
+) {
   const now = new Date().toISOString();
   return {
     _id: id,
-    title: "RBAC E2E Conversation",
+    title: options.title ?? "RBAC E2E Conversation",
     client_type: "webui",
     owner_id: ownerEmail,
     participants: agentId ? [{ type: "agent", id: agentId }] : [],
@@ -48,7 +65,10 @@ function chatConversationFixture(id: string, ownerEmail: string, agentId?: strin
       shared_with: [],
       shared_with_teams: [],
       share_link_enabled: false,
+      ...options.sharing,
     },
+    viewer_has_shared_access: options.viewerHasSharedAccess,
+    access_level: options.accessLevel,
     tags: [],
     is_archived: false,
     is_pinned: false,
@@ -63,7 +83,12 @@ export async function installChatBootMocks(
 ): Promise<void> {
   const conversationId = options.conversationId ?? "rbac-e2e-conversation";
   const ownerEmail = options.ownerEmail ?? env.user.email;
-  const conversation = chatConversationFixture(conversationId, ownerEmail, options.agentId);
+  const conversation = chatConversationFixture(conversationId, ownerEmail, options.agentId, {
+    accessLevel: options.accessLevel,
+    sharing: options.sharing,
+    title: options.title,
+    viewerHasSharedAccess: options.viewerHasSharedAccess,
+  });
   const seedExistingConversation = options.seedExistingConversation !== false;
   const conversationListDelayMs = options.conversationListDelayMs ?? 0;
   let created = seedExistingConversation;
@@ -72,10 +97,66 @@ export async function installChatBootMocks(
     await route.fulfill({
       status: 200,
       contentType: "application/json",
-      body: JSON.stringify({ success: true, data: { default_agent_id: null } }),
+      body: JSON.stringify({
+        success: true,
+        data: {
+          default_agent_id: options.agentId ?? null,
+          release_notes: { enabled: false },
+        },
+      }),
     });
   });
 
+  if (options.agentId) {
+    const agent = {
+      _id: options.agentId,
+      name: "RBAC E2E Agent",
+      description: "Mocked dynamic agent for chat browser regressions",
+      enabled: true,
+      skills: [],
+      ui: {},
+    };
+
+    await page.route("**/api/dynamic-agents**", async (route) => {
+      const request = route.request();
+      const requestUrl = new URL(request.url());
+      const method = request.method();
+      const path = requestUrl.pathname;
+
+      if (path === "/api/dynamic-agents/available" && method === "GET") {
+        await route.fulfill({
+          status: 200,
+          contentType: "application/json",
+          body: JSON.stringify({ success: true, data: [agent] }),
+        });
+        return;
+      }
+
+      if (path === `/api/dynamic-agents/agents/${options.agentId}` && method === "GET") {
+        await route.fulfill({
+          status: 200,
+          contentType: "application/json",
+          body: JSON.stringify({ success: true, data: agent }),
+        });
+        return;
+      }
+
+      if (path === "/api/dynamic-agents" && method === "GET") {
+        await route.fulfill({
+          status: 200,
+          contentType: "application/json",
+          body: JSON.stringify({
+            success: true,
+            data: { items: [agent], total: 1, page: 1, page_size: 20 },
+          }),
+        });
+        return;
+      }
+
+      await route.continue();
+    });
+  }
+
   await page.route("**/api/chat/conversations**", async (route) => {
     const request = route.request();
     const requestUrl = new URL(request.url());
diff --git a/ui/e2e/rbac/chat-navigation-regression.spec.ts b/ui/e2e/rbac/chat-navigation-regression.spec.ts
index 80ccc1773d..d07066dd58 100644
--- a/ui/e2e/rbac/chat-navigation-regression.spec.ts
+++ b/ui/e2e/rbac/chat-navigation-regression.spec.ts
@@ -14,6 +14,8 @@ const CHAT_MEMBER_SESSION = {
   email: "member@caipe.local",
   subject: "playwright-chat-member-sub",
 };
+const CHAT_AGENT_ID = "agent-rbac-e2e";
+const SHARED_OWNER_EMAIL = "owner@caipe.local";
 
 function minimalSessionEnv() {
   return {
@@ -30,7 +32,10 @@ async function bootChatSession(
 ) {
   test.skip(!process.env.NEXTAUTH_SECRET, "NEXTAUTH_SECRET required for chat navigation SSR.");
   const env = minimalSessionEnv();
-  await installChatBootMocks(page, env, options);
+  await installChatBootMocks(page, env, {
+    agentId: CHAT_AGENT_ID,
+    ...options,
+  });
   await installTestSession(page, env, {
     email: CHAT_MEMBER_SESSION.email,
     subject: CHAT_MEMBER_SESSION.subject,
@@ -68,6 +73,49 @@ test.describe("mocked RBAC e2e — chat navigation regression", () => {
     expect(createCallCount).toBe(0);
   });
 
+  test("shows the shared-by affordance to shared conversation recipients", async ({
+    context,
+    page,
+  }) => {
+    const conversationId = "rbac-shared-recipient-conv";
+    const conversationTitle = "Shared Recipient Sidebar Chat";
+    const sharedByText = `Shared by ${SHARED_OWNER_EMAIL}`;
+    const env = await bootChatSession(page, {
+      accessLevel: "shared_readonly",
+      conversationId,
+      ownerEmail: SHARED_OWNER_EMAIL,
+      sharing: { shared_with: [CHAT_MEMBER_SESSION.email] },
+      title: conversationTitle,
+      viewerHasSharedAccess: true,
+    });
+
+    await context.grantPermissions(["clipboard-read", "clipboard-write"], {
+      origin: env.baseUrl,
+    });
+
+    await page.goto(`/chat/${conversationId}`, { waitUntil: "domcontentloaded" });
+    await dismissReleaseUpgradeDialog(page);
+    await expect(page.getByText("View Only")).toBeVisible();
+
+    const sidebarConversationTitle = page.getByTitle(conversationTitle);
+    await expect(sidebarConversationTitle).toBeVisible();
+    await sidebarConversationTitle.hover();
+
+    const recipientShareButton = page.getByRole("button", { name: sharedByText });
+    await expect(recipientShareButton).toBeVisible();
+    await recipientShareButton.hover();
+
+    await expect(page.getByText(sharedByText)).toBeVisible();
+    await expect(page.getByText("Click to copy link")).toBeVisible();
+
+    await recipientShareButton.click();
+    await expect(page.getByText("Link copied")).toBeVisible();
+    await expect(page.getByRole("dialog", { name: /share/i })).toHaveCount(0);
+
+    const copiedUrl = await page.evaluate(() => navigator.clipboard.readText());
+    expect(copiedUrl).toBe(`${env.baseUrl}/chat/${conversationId}`);
+  });
+
   test("waits for a slow conversation list fetch instead of creating a duplicate chat", async ({
     page,
   }) => {

From 76ec4ddf0c2f06a41b4d003df765489fc9e8664d Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Thu, 25 Jun 2026 09:10:24 -0500
Subject: [PATCH 08/12] fix(chat): respect shared conversation edit affordance

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 .../rbac/chat-navigation-regression.spec.ts   | 51 ++++++++--
 ui/src/app/api/chat/conversations/route.ts    | 14 ++-
 ui/src/components/chat/ShareButton.tsx        | 21 +++-
 ui/src/components/chat/ShareDialog.tsx        | 99 ++++++++++++++++---
 .../chat/__tests__/ShareButton.test.tsx       | 30 +++++-
 ui/src/components/layout/Sidebar.tsx          |  2 +
 ui/src/store/chat-store.ts                    |  1 +
 ui/src/types/a2a.ts                           |  2 +
 ui/src/types/mongodb.ts                       |  3 +
 9 files changed, 197 insertions(+), 26 deletions(-)

diff --git a/ui/e2e/rbac/chat-navigation-regression.spec.ts b/ui/e2e/rbac/chat-navigation-regression.spec.ts
index d07066dd58..f733bd5a74 100644
--- a/ui/e2e/rbac/chat-navigation-regression.spec.ts
+++ b/ui/e2e/rbac/chat-navigation-regression.spec.ts
@@ -73,12 +73,12 @@ test.describe("mocked RBAC e2e — chat navigation regression", () => {
     expect(createCallCount).toBe(0);
   });
 
-  test("shows the shared-by affordance to shared conversation recipients", async ({
+  test("copies the link for read-only shared conversation recipients", async ({
     context,
     page,
   }) => {
     const conversationId = "rbac-shared-recipient-conv";
-    const conversationTitle = "Shared Recipient Sidebar Chat";
+    const conversationTitle = "Readonly Shared Recipient Sidebar Chat";
     const sharedByText = `Shared by ${SHARED_OWNER_EMAIL}`;
     const env = await bootChatSession(page, {
       accessLevel: "shared_readonly",
@@ -95,27 +95,64 @@ test.describe("mocked RBAC e2e — chat navigation regression", () => {
 
     await page.goto(`/chat/${conversationId}`, { waitUntil: "domcontentloaded" });
     await dismissReleaseUpgradeDialog(page);
-    await expect(page.getByText("View Only")).toBeVisible();
 
     const sidebarConversationTitle = page.getByTitle(conversationTitle);
     await expect(sidebarConversationTitle).toBeVisible();
-    await sidebarConversationTitle.hover();
 
     const recipientShareButton = page.getByRole("button", { name: sharedByText });
     await expect(recipientShareButton).toBeVisible();
-    await recipientShareButton.hover();
+    await recipientShareButton.hover({ force: true });
 
     await expect(page.getByText(sharedByText)).toBeVisible();
     await expect(page.getByText("Click to copy link")).toBeVisible();
 
-    await recipientShareButton.click();
+    await recipientShareButton.click({ force: true });
     await expect(page.getByText("Link copied")).toBeVisible();
-    await expect(page.getByRole("dialog", { name: /share/i })).toHaveCount(0);
+    await expect(page.getByRole("dialog", { name: /shared conversation/i })).toHaveCount(0);
 
     const copiedUrl = await page.evaluate(() => navigator.clipboard.readText());
     expect(copiedUrl).toBe(`${env.baseUrl}/chat/${conversationId}`);
   });
 
+  test("opens sharing details for edit-mode shared conversation recipients", async ({
+    page,
+  }) => {
+    const conversationId = "rbac-edit-shared-recipient-conv";
+    const conversationTitle = "Edit Shared Recipient Sidebar Chat";
+    const sharedByText = `Shared by ${SHARED_OWNER_EMAIL}`;
+    const env = await bootChatSession(page, {
+      accessLevel: "shared",
+      conversationId,
+      ownerEmail: SHARED_OWNER_EMAIL,
+      sharing: { shared_with: [CHAT_MEMBER_SESSION.email] },
+      title: conversationTitle,
+      viewerHasSharedAccess: true,
+    });
+
+    await page.goto(`/chat/${conversationId}`, { waitUntil: "domcontentloaded" });
+    await dismissReleaseUpgradeDialog(page);
+
+    const sidebarConversationTitle = page.getByTitle(conversationTitle);
+    await expect(sidebarConversationTitle).toBeVisible();
+
+    const recipientShareButton = page.getByRole("button", { name: sharedByText });
+    await expect(recipientShareButton).toBeVisible();
+    await recipientShareButton.hover({ force: true });
+
+    await expect(page.getByText(sharedByText)).toBeVisible();
+    await expect(page.getByText("Click to copy link")).toHaveCount(0);
+
+    await recipientShareButton.click({ force: true });
+    const dialog = page.getByRole("dialog", { name: "Shared Conversation" });
+    await expect(dialog).toBeVisible();
+    await expect(dialog.getByText("Shared by")).toBeVisible();
+    await expect(dialog.getByText(SHARED_OWNER_EMAIL)).toBeVisible();
+    await expect(dialog.getByText("Share Link")).toBeVisible();
+    await expect(dialog.locator('input[readonly]').first()).toHaveValue(`${env.baseUrl}/chat/${conversationId}`);
+    await expect(dialog.getByPlaceholder("Search by email or team name...")).toHaveCount(0);
+    await expect(dialog.getByRole("switch", { name: "Share with everyone" })).toHaveCount(0);
+  });
+
   test("waits for a slow conversation list fetch instead of creating a duplicate chat", async ({
     page,
   }) => {
diff --git a/ui/src/app/api/chat/conversations/route.ts b/ui/src/app/api/chat/conversations/route.ts
index 1edca9b7e0..73722c3fe2 100644
--- a/ui/src/app/api/chat/conversations/route.ts
+++ b/ui/src/app/api/chat/conversations/route.ts
@@ -5,6 +5,7 @@ import {
 getAuthFromBearerOrSession,
 getPaginationParams,
 paginatedResponse,
+requireConversationAccess,
 successResponse,
 validateRequired,
 withErrorHandler,
@@ -144,9 +145,20 @@ export const GET = withErrorHandler(async (request: NextRequest) => {
 
   const visibleItems = await filterConversationsByImplicitOrExplicitPermission(session, user.email, items);
   const visibleItemsWithViewerFlags = annotateConversationsWithViewerSharing(session, user.email, visibleItems);
+  const visibleItemsWithAccessLevel = await Promise.all(
+    visibleItemsWithViewerFlags.map(async (conversation) => {
+      const { access_level } = await requireConversationAccess(
+        conversation._id,
+        user.email,
+        getCollection,
+        session,
+      );
+      return { ...conversation, access_level };
+    }),
+  );
 
   return paginatedResponse(
-    await enrichConversationAgentNames(visibleItemsWithViewerFlags),
+    await enrichConversationAgentNames(visibleItemsWithAccessLevel),
     visibleItems.length < items.length ? visibleItems.length : total,
     page,
     pageSize
diff --git a/ui/src/components/chat/ShareButton.tsx b/ui/src/components/chat/ShareButton.tsx
index 8c50abc602..d1c8e35a03 100644
--- a/ui/src/components/chat/ShareButton.tsx
+++ b/ui/src/components/chat/ShareButton.tsx
@@ -7,6 +7,7 @@ TooltipContent,
 TooltipProvider,
 TooltipTrigger,
 } from "@/components/ui/tooltip";
+import type { Conversation } from "@/types/a2a";
 import { Check,Share2 } from "lucide-react";
 import React,{ useState } from "react";
 import { ShareDialog } from "./ShareDialog";
@@ -17,6 +18,8 @@ interface ShareButtonProps {
   isOwner?: boolean;
   isSharedWithViewer?: boolean;
   sharedBy?: string;
+  sharing?: Conversation["sharing"];
+  accessLevel?: Conversation["accessLevel"];
 }
 
 export function ShareButton({ 
@@ -25,15 +28,17 @@ export function ShareButton({
   isOwner = true,
   isSharedWithViewer = false,
   sharedBy,
+  sharing,
+  accessLevel,
 }: ShareButtonProps) {
   const [showDialog, setShowDialog] = useState(false);
   const [copied, setCopied] = useState(false);
 
   const handleQuickCopy = async (e: React.MouseEvent) => {
     e.stopPropagation();
-    
+
     const shareUrl = `${window.location.origin}/chat/${conversationId}`;
-    
+
     try {
       await navigator.clipboard.writeText(shareUrl);
       setCopied(true);
@@ -50,6 +55,7 @@ export function ShareButton({
 
   const sharedByText = sharedBy?.trim() ? `Shared by ${sharedBy.trim()}` : "Shared conversation";
   const shouldShowButton = isOwner || isSharedWithViewer;
+  const shouldOpenDialog = isOwner || accessLevel === "shared";
 
   return (
     <>
@@ -60,7 +66,7 @@ export function ShareButton({
               <Button
                 variant="ghost"
                 size="icon"
-                onClick={isOwner ? handleOpenDialog : handleQuickCopy}
+                onClick={shouldOpenDialog ? handleOpenDialog : handleQuickCopy}
                 className="h-6 w-6"
                 aria-label={isOwner ? "Share conversation" : sharedByText}
               >
@@ -74,7 +80,9 @@ export function ShareButton({
                 <>
                   {/* assisted-by Codex Codex-sonnet-4-6 */}
                   <p>{copied ? "Link copied" : sharedByText}</p>
-                  {!copied && <p className="text-xs text-muted-foreground">Click to copy link</p>}
+                  {!copied && !shouldOpenDialog && (
+                    <p className="text-xs text-muted-foreground">Click to copy link</p>
+                  )}
                 </>
               )}
             </TooltipContent>
@@ -83,12 +91,15 @@ export function ShareButton({
       </TooltipProvider>
 
       {/* Share dialog */}
-      {isOwner && (
+      {shouldShowButton && shouldOpenDialog && (
         <ShareDialog
           conversationId={conversationId}
           conversationTitle={conversationTitle}
           open={showDialog}
           onOpenChange={setShowDialog}
+          canManageSharing={isOwner}
+          sharedBy={sharedBy}
+          initialSharing={sharing}
         />
       )}
     </>
diff --git a/ui/src/components/chat/ShareDialog.tsx b/ui/src/components/chat/ShareDialog.tsx
index 5d51db420f..ef9c3bbf63 100644
--- a/ui/src/components/chat/ShareDialog.tsx
+++ b/ui/src/components/chat/ShareDialog.tsx
@@ -11,11 +11,23 @@ import { createPortal } from "react-dom";
 type SharePermission = 'view' | 'comment';
 const TEAM_SHARE_SEARCH_ENDPOINT = '/api/dynamic-agents/teams';
 
+type SharingSnapshot = {
+  is_public?: boolean;
+  public_permission?: SharePermission;
+  shared_with?: string[];
+  shared_with_teams?: string[];
+  team_permissions?: Record<string, SharePermission>;
+  share_link_enabled?: boolean;
+};
+
 interface ShareDialogProps {
   conversationId: string;
   conversationTitle: string;
   open: boolean;
   onOpenChange: (open: boolean) => void;
+  canManageSharing?: boolean;
+  sharedBy?: string;
+  initialSharing?: SharingSnapshot;
 }
 
 function teamShareRef(team: Team): string {
@@ -44,6 +56,9 @@ export function ShareDialog({
   conversationTitle,
   open,
   onOpenChange,
+  canManageSharing = true,
+  sharedBy,
+  initialSharing,
 }: ShareDialogProps) {
   const updateConversationSharing = useChatStore((state) => state.updateConversationSharing);
   const [searchInput, setSearchInput] = useState("");
@@ -65,13 +80,26 @@ export function ShareDialog({
   const [publicPermission, setPublicPermission] = useState<SharePermission>('comment');
 
   const shareUrl = `${typeof window !== 'undefined' ? window.location.origin : ''}/chat/${conversationId}`;
+  const sharedByLabel = sharedBy?.trim();
+
+  const applySharingSnapshot = (sharing?: SharingSnapshot) => {
+    setSharedWith(sharing?.shared_with || []);
+    const teamIds = sharing?.shared_with_teams || [];
+    setSharedWithTeams(teamIds);
+    setIsPublic(sharing?.is_public || false);
+    setTeamPermissions(sharing?.team_permissions || {});
+    setPublicPermission(sharing?.public_permission || 'comment');
+  };
 
   // Load current sharing info
   useEffect(() => {
     if (open) {
-      loadSharingInfo();
+      applySharingSnapshot(initialSharing);
+      if (canManageSharing) {
+        loadSharingInfo();
+      }
     }
-  }, [open, conversationId]);
+  }, [open, conversationId, canManageSharing]);
 
   const loadSharingInfo = async () => {
     try {
@@ -152,6 +180,13 @@ export function ShareDialog({
   // Search users and teams as they type
   useEffect(() => {
     const searchPeopleAndTeams = async () => {
+      if (!canManageSharing) {
+        setUserResults([]);
+        setTeamResults([]);
+        setNoResults(false);
+        return;
+      }
+
       if (searchInput.length < 2) {
         setUserResults([]);
         setTeamResults([]);
@@ -206,9 +241,10 @@ export function ShareDialog({
 
     const timer = setTimeout(searchPeopleAndTeams, 300);
     return () => clearTimeout(timer);
-  }, [searchInput, sharedWith, sharedWithTeams]);
+  }, [searchInput, sharedWith, sharedWithTeams, canManageSharing]);
 
   const handleShareUser = async (email: string) => {
+    if (!canManageSharing) return;
     setLoading(true);
     try {
       const updatedConversation = await apiClient.shareConversation(conversationId, {
@@ -249,6 +285,7 @@ export function ShareDialog({
   };
 
   const handleShareTeam = async (teamId: string) => {
+    if (!canManageSharing) return;
     setLoading(true);
     try {
       // Update conversation to include team in shared_with_teams
@@ -305,6 +342,7 @@ export function ShareDialog({
 
   // Handle sharing by email directly (for users not yet in system)
   const handleShareByEmail = async () => {
+    if (!canManageSharing) return;
     // Simple email validation
     const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
     if (!emailRegex.test(searchInput)) {
@@ -329,6 +367,7 @@ export function ShareDialog({
     target: { email?: string; team_id?: string },
     newPermission: SharePermission
   ) => {
+    if (!canManageSharing) return;
     try {
       const response = await fetch(`/api/chat/conversations/${conversationId}/share`, {
         method: 'PATCH',
@@ -348,6 +387,7 @@ export function ShareDialog({
   };
 
   const handlePublicPermissionChange = async (newPermission: SharePermission) => {
+    if (!canManageSharing) return;
     try {
       const response = await fetch(`/api/chat/conversations/${conversationId}/share`, {
         method: 'POST',
@@ -363,6 +403,7 @@ export function ShareDialog({
   };
 
   const handleTogglePublic = async () => {
+    if (!canManageSharing) return;
     setTogglingPublic(true);
     const newPublicState = !isPublic;
     try {
@@ -419,12 +460,17 @@ export function ShareDialog({
     >
       <div 
         className="bg-background rounded-lg shadow-xl w-full max-w-md p-6 mx-auto my-auto"
+        role="dialog"
+        aria-modal="true"
+        aria-labelledby="share-dialog-title"
         onClick={(e) => e.stopPropagation()} // Prevent closing when clicking inside dialog
       >
         {/* Header */}
         <div className="flex items-start justify-between mb-4">
           <div>
-            <h2 className="text-lg font-semibold">Share Conversation</h2>
+            <h2 id="share-dialog-title" className="text-lg font-semibold">
+              {canManageSharing ? 'Share Conversation' : 'Shared Conversation'}
+            </h2>
             <p className="text-sm text-muted-foreground mt-1">
               {conversationTitle}
             </p>
@@ -467,6 +513,13 @@ export function ShareDialog({
           </div>
         ) : (
           <>
+            {!canManageSharing && sharedByLabel && (
+              <div className="mb-4 rounded-md border bg-muted/40 px-3 py-2">
+                <div className="text-xs text-muted-foreground">Shared by</div>
+                <div className="text-sm font-medium truncate">{sharedByLabel}</div>
+              </div>
+            )}
+
             {/* Copy link section */}
         <div className="mb-6">
           <label className="text-sm font-medium mb-2 block">Share Link</label>
@@ -497,6 +550,7 @@ export function ShareDialog({
         </div>
 
         {/* Share with everyone toggle */}
+        {canManageSharing && (
         <div className="mb-6">
           <div className="flex items-center justify-between p-3 border rounded-md">
             <div className="flex items-center gap-3">
@@ -535,8 +589,10 @@ export function ShareDialog({
             </button>
           </div>
         </div>
+        )}
 
         {/* Add people and teams section */}
+        {canManageSharing && (
         <div className="mb-6">
           <label className="text-sm font-medium mb-2 block">
             People, Teams
@@ -647,6 +703,7 @@ export function ShareDialog({
             )}
           </div>
         </div>
+        )}
 
         {/* People and Teams with access */}
         {(sharedWith.length > 0 || sharedWithTeams.length > 0 || isPublic) && (
@@ -667,14 +724,20 @@ export function ShareDialog({
                       <div className="text-xs text-muted-foreground">All organization members</div>
                     </div>
                   </div>
-                  <select
-                    value={publicPermission}
-                    onChange={(e) => handlePublicPermissionChange(e.target.value as SharePermission)}
-                    className="text-xs bg-transparent border border-green-500/30 rounded px-1.5 py-1 text-muted-foreground hover:text-foreground cursor-pointer focus:outline-none focus:ring-1 focus:ring-primary/50"
-                  >
-                    <option value="view">Can view</option>
-                    <option value="comment">Can edit</option>
-                  </select>
+                  {canManageSharing ? (
+                    <select
+                      value={publicPermission}
+                      onChange={(e) => handlePublicPermissionChange(e.target.value as SharePermission)}
+                      className="text-xs bg-transparent border border-green-500/30 rounded px-1.5 py-1 text-muted-foreground hover:text-foreground cursor-pointer focus:outline-none focus:ring-1 focus:ring-primary/50"
+                    >
+                      <option value="view">Can view</option>
+                      <option value="comment">Can edit</option>
+                    </select>
+                  ) : (
+                    <span className="text-xs text-muted-foreground">
+                      {publicPermission === 'comment' ? 'Can edit' : 'Can view'}
+                    </span>
+                  )}
                 </div>
               )}
               {/* People */}
@@ -689,6 +752,7 @@ export function ShareDialog({
                     </div>
                     <div className="text-sm truncate">{email}</div>
                   </div>
+                  {canManageSharing ? (
                   <div className="flex items-center gap-1.5 shrink-0">
                     <select
                       value={userPermissions[email] || 'view'}
@@ -708,6 +772,11 @@ export function ShareDialog({
                       <Trash2 className="h-4 w-4" />
                     </button>
                   </div>
+                  ) : (
+                    <span className="text-xs text-muted-foreground shrink-0">
+                      {(userPermissions[email] || 'view') === 'comment' ? 'Can edit' : 'Can view'}
+                    </span>
+                  )}
                 </div>
               ))}
               {/* Teams */}
@@ -724,6 +793,7 @@ export function ShareDialog({
                       {teamNames[teamId] || `Team: ${teamId}`}
                     </div>
                   </div>
+                  {canManageSharing ? (
                   <div className="flex items-center gap-1.5 shrink-0">
                     <select
                       value={teamPermissions[teamId] || 'view'}
@@ -743,6 +813,11 @@ export function ShareDialog({
                       <Trash2 className="h-4 w-4" />
                     </button>
                   </div>
+                  ) : (
+                    <span className="text-xs text-muted-foreground shrink-0">
+                      {(teamPermissions[teamId] || 'view') === 'comment' ? 'Can edit' : 'Can view'}
+                    </span>
+                  )}
                 </div>
               ))}
             </div>
diff --git a/ui/src/components/chat/__tests__/ShareButton.test.tsx b/ui/src/components/chat/__tests__/ShareButton.test.tsx
index 784b1a7e92..b790192742 100644
--- a/ui/src/components/chat/__tests__/ShareButton.test.tsx
+++ b/ui/src/components/chat/__tests__/ShareButton.test.tsx
@@ -39,7 +39,7 @@ describe('ShareButton', () => {
     })
   })
 
-  it('renders recipient share affordance with shared-by tooltip and copies the link', async () => {
+  it('copies the link for read-only shared recipients', async () => {
     render(
       <ShareButton
         conversationId="conv-recipient"
@@ -47,6 +47,7 @@ describe('ShareButton', () => {
         isOwner={false}
         isSharedWithViewer
         sharedBy="owner@test.com"
+        accessLevel="shared_readonly"
       />,
     )
 
@@ -64,6 +65,33 @@ describe('ShareButton', () => {
     expect(mockShareDialog).not.toHaveBeenCalled()
   })
 
+  it('opens sharing details for edit-mode shared recipients', async () => {
+    render(
+      <ShareButton
+        conversationId="conv-edit-recipient"
+        conversationTitle="Editable Recipient Chat"
+        isOwner={false}
+        isSharedWithViewer
+        sharedBy="owner@test.com"
+        accessLevel="shared"
+      />,
+    )
+
+    expect(screen.getByRole('button', { name: 'Shared by owner@test.com' })).toBeInTheDocument()
+    expect(screen.getByText('Shared by owner@test.com')).toBeInTheDocument()
+    expect(screen.queryByText('Click to copy link')).not.toBeInTheDocument()
+
+    fireEvent.click(screen.getByRole('button', { name: 'Shared by owner@test.com' }))
+
+    await waitFor(() => expect(screen.getByTestId('share-dialog')).toBeInTheDocument())
+    expect(writeText).not.toHaveBeenCalled()
+    expect(mockShareDialog).toHaveBeenLastCalledWith(expect.objectContaining({
+      canManageSharing: false,
+      open: true,
+      sharedBy: 'owner@test.com',
+    }))
+  })
+
   it('opens the share dialog for owners', () => {
     render(
       <ShareButton
diff --git a/ui/src/components/layout/Sidebar.tsx b/ui/src/components/layout/Sidebar.tsx
index 430fcb1693..771aa97695 100644
--- a/ui/src/components/layout/Sidebar.tsx
+++ b/ui/src/components/layout/Sidebar.tsx
@@ -531,6 +531,8 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                               isOwner={canManageSharing}
                               isSharedWithViewer={isSharedWithViewer}
                               sharedBy={sharedByLabel}
+                              sharing={conv.sharing}
+                              accessLevel={conv.accessLevel}
                             />
                           </div>
                           <TooltipProvider delayDuration={200}>
diff --git a/ui/src/store/chat-store.ts b/ui/src/store/chat-store.ts
index fc1cd28e23..b1d5360828 100644
--- a/ui/src/store/chat-store.ts
+++ b/ui/src/store/chat-store.ts
@@ -758,6 +758,7 @@ const storeImplementation = (set: any, get: any) => ({
               streamEvents: (isStreaming || hasLoadedMessages || isActive) && localConv ? (localConv.streamEvents || []) : [],
               participants: conv.participants || [],
               owner_id: conv.owner_id,
+              accessLevel: conv.access_level,
               isSharedWithViewer: conv.viewer_has_shared_access,
               sharing: conv.sharing,
             };
diff --git a/ui/src/types/a2a.ts b/ui/src/types/a2a.ts
index 82f8619c7e..4c4e090814 100644
--- a/ui/src/types/a2a.ts
+++ b/ui/src/types/a2a.ts
@@ -31,8 +31,10 @@ export interface Conversation {
   /** Sharing information (optional, only for MongoDB conversations) */
   sharing?: {
     is_public?: boolean;
+    public_permission?: "view" | "comment";
     shared_with?: string[];
     shared_with_teams?: string[];
+    team_permissions?: Record<string, "view" | "comment">;
     share_link_enabled?: boolean;
   };
 }
diff --git a/ui/src/types/mongodb.ts b/ui/src/types/mongodb.ts
index b394af2ca9..61dca1e264 100644
--- a/ui/src/types/mongodb.ts
+++ b/ui/src/types/mongodb.ts
@@ -92,6 +92,9 @@ export interface Conversation {
   // assisted-by Codex Codex-sonnet-4-6
   // Response-only: current viewer reached this conversation through sharing, not ownership.
   viewer_has_shared_access?: boolean;
+  // assisted-by Codex Codex-sonnet-4-6
+  // Response-only: current viewer's effective access level for UI affordances.
+  access_level?: 'owner' | 'shared' | 'shared_readonly' | 'admin_audit';
   tags: string[];
   is_archived: boolean;
   is_pinned: boolean;

From 7a842d14084b781e1300833c325cbef0d028b967 Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Thu, 25 Jun 2026 09:31:21 -0500
Subject: [PATCH 09/12] fix(chat): preserve owner share controls

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 .../api/__tests__/admin-audit-access.test.ts  | 52 +++++++++++++++++++
 ui/src/components/layout/Sidebar.tsx          |  7 ++-
 ui/src/lib/api-middleware.ts                  | 34 ++++++++++--
 3 files changed, 87 insertions(+), 6 deletions(-)

diff --git a/ui/src/app/api/__tests__/admin-audit-access.test.ts b/ui/src/app/api/__tests__/admin-audit-access.test.ts
index 1c4865601a..6dee5d7eed 100644
--- a/ui/src/app/api/__tests__/admin-audit-access.test.ts
+++ b/ui/src/app/api/__tests__/admin-audit-access.test.ts
@@ -130,6 +130,58 @@ describe('requireConversationAccess — admin audit', () => {
     expect(result.conversation).toEqual(conv);
   });
 
+  it('returns access_level owner for case-insensitive owner email matches', async () => {
+    const conv = {
+      _id: CONV_ID,
+      owner_id: 'Owner@Example.com',
+      title: 'Test',
+      sharing: { shared_with: ['owner@example.com'], shared_with_teams: [] },
+    };
+    const convsCol = createMockCollection();
+    convsCol.findOne.mockResolvedValue(conv);
+    mockCollections['conversations'] = convsCol;
+
+    const sharingAccessCol = createMockCollection();
+    sharingAccessCol.findOne.mockResolvedValue({ permission: 'view' });
+    mockCollections['sharing_access'] = sharingAccessCol;
+
+    const result = await requireConversationAccess(
+      CONV_ID,
+      'owner@example.com',
+      mockGetCollection
+    );
+
+    expect(result.access_level).toBe('owner');
+    expect(sharingAccessCol.findOne).not.toHaveBeenCalled();
+  });
+
+  it('returns access_level owner when owner_subject matches the session subject', async () => {
+    const conv = {
+      _id: CONV_ID,
+      owner_id: 'legacy-owner@example.com',
+      owner_subject: 'owner-subject',
+      title: 'Test',
+      sharing: { shared_with: ['viewer@example.com'], shared_with_teams: [] },
+    };
+    const convsCol = createMockCollection();
+    convsCol.findOne.mockResolvedValue(conv);
+    mockCollections['conversations'] = convsCol;
+
+    const sharingAccessCol = createMockCollection();
+    sharingAccessCol.findOne.mockResolvedValue({ permission: 'view' });
+    mockCollections['sharing_access'] = sharingAccessCol;
+
+    const result = await requireConversationAccess(
+      CONV_ID,
+      'viewer@example.com',
+      mockGetCollection,
+      { sub: 'owner-subject' }
+    );
+
+    expect(result.access_level).toBe('owner');
+    expect(sharingAccessCol.findOne).not.toHaveBeenCalled();
+  });
+
   it('returns access_level shared when user is in shared_with', async () => {
     const conv = {
       _id: CONV_ID,
diff --git a/ui/src/components/layout/Sidebar.tsx b/ui/src/components/layout/Sidebar.tsx
index 771aa97695..25bf0511cb 100644
--- a/ui/src/components/layout/Sidebar.tsx
+++ b/ui/src/components/layout/Sidebar.tsx
@@ -524,7 +524,12 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                         </div>
 
                         <div className="flex items-center gap-0.5 shrink-0">
-                          <div className="opacity-0 group-hover:opacity-100 transition-opacity">
+                          <div
+                            className={cn(
+                              "transition-opacity",
+                              activeConversationId === conv.id ? "opacity-100" : "opacity-0 group-hover:opacity-100",
+                            )}
+                          >
                             <ShareButton
                               conversationId={conv.id}
                               conversationTitle={conv.title}
diff --git a/ui/src/lib/api-middleware.ts b/ui/src/lib/api-middleware.ts
index 84ea0305f3..46a49a2683 100644
--- a/ui/src/lib/api-middleware.ts
+++ b/ui/src/lib/api-middleware.ts
@@ -1254,6 +1254,24 @@ interface ConversationAccessResult {
   access_level: ConversationAccessLevel;
 }
 
+function normalizedIdentity(value: unknown): string {
+  return typeof value === 'string' ? value.trim().toLowerCase() : '';
+}
+
+function sessionSubject(session: { sub?: unknown } | undefined): string {
+  return typeof session?.sub === 'string' ? session.sub.trim() : '';
+}
+
+function isConversationOwnerForAccess(
+  conversation: { owner_id?: unknown; owner_subject?: unknown },
+  userId: string,
+  session?: { sub?: unknown },
+): boolean {
+  const subject = sessionSubject(session);
+  if (subject && conversation.owner_subject === subject) return true;
+  return Boolean(normalizedIdentity(userId) && normalizedIdentity(conversation.owner_id) === normalizedIdentity(userId));
+}
+
 /**
  * Check if user has access to a conversation (owner, shared with directly,
  * shared with one of their teams, via sharing_access records, or admin audit).
@@ -1265,7 +1283,7 @@ export async function requireConversationAccess(
   conversationId: string,
   userId: string,
   getCollectionFn: (name: string) => Promise<any>,
-  session?: { role?: string }
+  session?: { role?: string; sub?: string }
 ): Promise<ConversationAccessResult> {
   const conversations = await getCollectionFn('conversations');
   const conversation = await conversations.findOne({ _id: conversationId });
@@ -1274,8 +1292,10 @@ export async function requireConversationAccess(
     throw new ApiError('Conversation not found', 404, 'NOT_FOUND');
   }
 
-  // Check if user is owner
-  if (conversation.owner_id === userId) {
+  // Check if user is owner. Newer conversations may carry owner_subject; older
+  // records rely on owner_id email and should be compared case-insensitively.
+  // assisted-by Codex Codex-sonnet-4-6
+  if (isConversationOwnerForAccess(conversation, userId, session)) {
     return { conversation, access_level: 'owner' };
   }
 
@@ -1291,11 +1311,15 @@ export async function requireConversationAccess(
   }
 
   // Check if conversation is shared with user directly
-  if (conversation.sharing?.shared_with?.includes(userId)) {
+  const normalizedUserId = normalizedIdentity(userId);
+  const directShareMatch = conversation.sharing?.shared_with?.some(
+    (email: unknown) => normalizedIdentity(email) === normalizedUserId,
+  );
+  if (directShareMatch) {
     const sharingAccess = await getCollectionFn('sharing_access');
     const accessRecord = await sharingAccess.findOne({
       conversation_id: conversationId,
-      granted_to: userId,
+      granted_to: { $in: [userId, normalizedUserId] },
       revoked_at: null,
     });
     // Default to 'comment' (full access) for backward compatibility with

From 2d654a7f2a41b61a3b998f31b3674e228d647f82 Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Thu, 25 Jun 2026 10:44:28 -0500
Subject: [PATCH 10/12] fix(chat): use shared icon for share control

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 ui/src/components/chat/ShareButton.tsx        | 16 +++++++--
 .../chat/__tests__/ShareButton.test.tsx       |  7 ++--
 ui/src/components/layout/Sidebar.tsx          | 34 +++----------------
 .../layout/__tests__/Sidebar.test.tsx         | 25 +++++++++++---
 4 files changed, 43 insertions(+), 39 deletions(-)

diff --git a/ui/src/components/chat/ShareButton.tsx b/ui/src/components/chat/ShareButton.tsx
index d1c8e35a03..f3134bac3b 100644
--- a/ui/src/components/chat/ShareButton.tsx
+++ b/ui/src/components/chat/ShareButton.tsx
@@ -8,7 +8,7 @@ TooltipProvider,
 TooltipTrigger,
 } from "@/components/ui/tooltip";
 import type { Conversation } from "@/types/a2a";
-import { Check,Share2 } from "lucide-react";
+import { Check, Globe, Users2 } from "lucide-react";
 import React,{ useState } from "react";
 import { ShareDialog } from "./ShareDialog";
 
@@ -56,6 +56,18 @@ export function ShareButton({
   const sharedByText = sharedBy?.trim() ? `Shared by ${sharedBy.trim()}` : "Shared conversation";
   const shouldShowButton = isOwner || isSharedWithViewer;
   const shouldOpenDialog = isOwner || accessLevel === "shared";
+  const hasSharingConfig = Boolean(
+    sharing?.is_public ||
+    (sharing?.shared_with?.length ?? 0) > 0 ||
+    (sharing?.shared_with_teams?.length ?? 0) > 0 ||
+    sharing?.share_link_enabled
+  );
+  const Icon = sharing?.is_public ? Globe : Users2;
+  const iconClassName = sharing?.is_public
+    ? "h-3 w-3 text-green-500"
+    : isOwner || isSharedWithViewer || hasSharingConfig
+      ? "h-3 w-3 text-blue-500"
+      : "h-3 w-3";
 
   return (
     <>
@@ -70,7 +82,7 @@ export function ShareButton({
                 className="h-6 w-6"
                 aria-label={isOwner ? "Share conversation" : sharedByText}
               >
-                {copied ? <Check className="h-3 w-3" /> : <Share2 className="h-3 w-3" />}
+                {copied ? <Check className="h-3 w-3" /> : <Icon className={iconClassName} />}
               </Button>
             </TooltipTrigger>
             <TooltipContent side="left">
diff --git a/ui/src/components/chat/__tests__/ShareButton.test.tsx b/ui/src/components/chat/__tests__/ShareButton.test.tsx
index b790192742..921f33dd6a 100644
--- a/ui/src/components/chat/__tests__/ShareButton.test.tsx
+++ b/ui/src/components/chat/__tests__/ShareButton.test.tsx
@@ -16,7 +16,8 @@ jest.mock('@/components/ui/tooltip', () => ({
 
 jest.mock('lucide-react', () => ({
   Check: (props: any) => <span data-testid="icon-check" {...props} />,
-  Share2: (props: any) => <span data-testid="icon-share2" {...props} />,
+  Globe: (props: any) => <span data-testid="icon-globe" {...props} />,
+  Users2: (props: any) => <span data-testid="icon-users2" {...props} />,
 }))
 
 jest.mock('../ShareDialog', () => ({
@@ -54,7 +55,7 @@ describe('ShareButton', () => {
     expect(screen.getByRole('button', { name: 'Shared by owner@test.com' })).toBeInTheDocument()
     expect(screen.getByText('Shared by owner@test.com')).toBeInTheDocument()
     expect(screen.getByText('Click to copy link')).toBeInTheDocument()
-    expect(screen.getByTestId('icon-share2')).toBeInTheDocument()
+    expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
 
     fireEvent.click(screen.getByRole('button', { name: 'Shared by owner@test.com' }))
 
@@ -80,6 +81,7 @@ describe('ShareButton', () => {
     expect(screen.getByRole('button', { name: 'Shared by owner@test.com' })).toBeInTheDocument()
     expect(screen.getByText('Shared by owner@test.com')).toBeInTheDocument()
     expect(screen.queryByText('Click to copy link')).not.toBeInTheDocument()
+    expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
 
     fireEvent.click(screen.getByRole('button', { name: 'Shared by owner@test.com' }))
 
@@ -104,5 +106,6 @@ describe('ShareButton', () => {
     fireEvent.click(screen.getByRole('button', { name: 'Share conversation' }))
 
     expect(screen.getByTestId('share-dialog')).toBeInTheDocument()
+    expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
   })
 })
diff --git a/ui/src/components/layout/Sidebar.tsx b/ui/src/components/layout/Sidebar.tsx
index 25bf0511cb..3af6c2bdfe 100644
--- a/ui/src/components/layout/Sidebar.tsx
+++ b/ui/src/components/layout/Sidebar.tsx
@@ -23,7 +23,6 @@ ArchiveRestore,
 ChevronLeft,
 ChevronRight,
 Database,
-Globe,
 HardDrive,
 History,
 MessageCircleQuestion,
@@ -34,8 +33,7 @@ RefreshCw,
 Shield,
 Sparkles,
 TrendingUp,
-Users,
-Users2
+Users
 } from "lucide-react";
 import { useSession } from "next-auth/react";
 import { useRouter } from "next/navigation";
@@ -380,15 +378,7 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                     conv.accessLevel === "shared_readonly" ||
                     sharedByKnownDifferentOwner
                   );
-                  const isPublicShareForViewer = isSharedWithViewer && conv.sharing?.is_public;
                   const sharedByLabel = conv.owner_id?.trim();
-                  const sharedBadgeText = isPublicShareForViewer
-                    ? sharedByLabel
-                      ? `Shared with everyone by ${sharedByLabel}`
-                      : "Shared with everyone"
-                    : sharedByLabel
-                      ? `Shared by ${sharedByLabel}`
-                      : "Shared conversation";
                   const canManageSharing = viewerIsKnownOwner || (!ownerEmail && !isSharedWithViewer);
 
                   const isLive = isConversationStreaming(conv.id);
@@ -480,24 +470,6 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                             <p className="text-sm font-medium truncate flex-1" title={conv.title}>
                               {truncateText(conv.title, sidebarWidth > 350 ? 40 : sidebarWidth > 320 ? 25 : 20)}
                             </p>
-                            {isSharedWithViewer && (
-                              <TooltipProvider>
-                                <Tooltip>
-                                  <TooltipTrigger asChild>
-                                    {isPublicShareForViewer ? (
-                                      <Globe className="h-3 w-3 text-green-500 shrink-0" />
-                                    ) : (
-                                      <Users2 className="h-3 w-3 text-blue-500 shrink-0" />
-                                    )}
-                                  </TooltipTrigger>
-                                  <TooltipContent side="right">
-                                    <p className="text-xs">
-                                      {sharedBadgeText}
-                                    </p>
-                                  </TooltipContent>
-                                </Tooltip>
-                              </TooltipProvider>
-                            )}
                           </div>
                           <p className={cn(
                             "text-xs truncate",
@@ -527,7 +499,9 @@ export function Sidebar({ activeTab, onTabChange, collapsed, onCollapse, onUseCa
                           <div
                             className={cn(
                               "transition-opacity",
-                              activeConversationId === conv.id ? "opacity-100" : "opacity-0 group-hover:opacity-100",
+                              activeConversationId === conv.id || hasSharingConfig || isSharedWithViewer
+                                ? "opacity-100"
+                                : "opacity-0 group-hover:opacity-100",
                             )}
                           >
                             <ShareButton
diff --git a/ui/src/components/layout/__tests__/Sidebar.test.tsx b/ui/src/components/layout/__tests__/Sidebar.test.tsx
index 55c4d50eee..6669726cf8 100644
--- a/ui/src/components/layout/__tests__/Sidebar.test.tsx
+++ b/ui/src/components/layout/__tests__/Sidebar.test.tsx
@@ -144,18 +144,31 @@ jest.mock('@/components/chat/RecycleBinDialog', () => ({
 }))
 
 jest.mock('@/components/chat/ShareButton', () => ({
-  ShareButton: ({ isOwner, isSharedWithViewer, sharedBy }: any) => (
-    isOwner || isSharedWithViewer ? (
+  ShareButton: ({ isOwner, isSharedWithViewer, sharedBy, sharing }: any) => {
+    const hasSharingConfig = Boolean(
+      sharing?.is_public ||
+      (sharing?.shared_with?.length ?? 0) > 0 ||
+      (sharing?.shared_with_teams?.length ?? 0) > 0 ||
+      sharing?.share_link_enabled
+    )
+
+    return isOwner || isSharedWithViewer ? (
       <button
         data-testid="share-button"
         data-owner={String(Boolean(isOwner))}
         data-shared-viewer={String(Boolean(isSharedWithViewer))}
         data-shared-by={sharedBy || ''}
       >
+        {sharing?.is_public ? (
+          <span data-testid="icon-globe" />
+        ) : (isOwner || isSharedWithViewer || hasSharingConfig) ? (
+          <span data-testid="icon-users2" />
+        ) : null}
         Share
+        {isSharedWithViewer && sharedBy ? <span>Shared by {sharedBy}</span> : null}
       </button>
     ) : null
-  ),
+  },
 }))
 
 // NewChatButton is exercised by its own test suite; stub it here so the
@@ -463,7 +476,7 @@ describe('Sidebar — Live Status Indicator', () => {
       expect(screen.getByTestId('share-button')).toHaveAttribute('data-shared-viewer', 'true')
     })
 
-    it('does not show the recipient shared badge to the owner', () => {
+    it('shows the shared action icon to the owner without marking them as a recipient', () => {
       mockConversations = [
         makeConv('conv-owner-shared', 'Owner Shared Chat', {
           owner_id: 'test@test.com',
@@ -479,8 +492,10 @@ describe('Sidebar — Live Status Indicator', () => {
       render(<Sidebar {...defaultProps} />)
 
       expect(screen.getByText('Owner Shared Chat')).toBeInTheDocument()
-      expect(screen.queryByTestId('icon-users2')).not.toBeInTheDocument()
+      expect(screen.getByTestId('icon-users2')).toBeInTheDocument()
       expect(screen.queryByTestId('icon-globe')).not.toBeInTheDocument()
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-owner', 'true')
+      expect(screen.getByTestId('share-button')).toHaveAttribute('data-shared-viewer', 'false')
     })
 
     it('shows a globe badge for public conversations', () => {

From b615af9674312a9eb26806513fc5cf450edd1ce4 Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Thu, 25 Jun 2026 11:21:01 -0500
Subject: [PATCH 11/12] fix(chat): show recipient share permissions

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 ui/e2e/rbac/_helpers.ts                       | 24 ++++++
 .../rbac/chat-navigation-regression.spec.ts   |  1 +
 .../chat/conversations/[id]/share/route.ts    | 15 ++--
 ui/src/components/chat/ShareDialog.tsx        |  5 +-
 .../__tests__/ShareDialogPermissions.test.tsx | 74 +++++++++++++++++++
 5 files changed, 108 insertions(+), 11 deletions(-)
 create mode 100644 ui/src/components/chat/__tests__/ShareDialogPermissions.test.tsx

diff --git a/ui/e2e/rbac/_helpers.ts b/ui/e2e/rbac/_helpers.ts
index 377c4fbdd2..0d0216a892 100644
--- a/ui/e2e/rbac/_helpers.ts
+++ b/ui/e2e/rbac/_helpers.ts
@@ -31,8 +31,10 @@ type ChatBootMocksOptions = {
   agentId?: string;
   sharing?: {
     is_public?: boolean;
+    public_permission?: "view" | "comment";
     shared_with?: string[];
     shared_with_teams?: string[];
+    team_permissions?: Record<string, "view" | "comment">;
     share_link_enabled?: boolean;
   };
   viewerHasSharedAccess?: boolean;
@@ -92,6 +94,7 @@ export async function installChatBootMocks(
   const seedExistingConversation = options.seedExistingConversation !== false;
   const conversationListDelayMs = options.conversationListDelayMs ?? 0;
   let created = seedExistingConversation;
+  const directSharePermission = options.accessLevel === "shared_readonly" ? "view" : "comment";
 
   await page.route("**/api/admin/platform-config", async (route) => {
     await route.fulfill({
@@ -209,6 +212,27 @@ export async function installChatBootMocks(
       return;
     }
 
+    if (path === `/api/chat/conversations/${conversationId}/share` && method === "GET") {
+      await route.fulfill({
+        status: 200,
+        contentType: "application/json",
+        body: JSON.stringify({
+          success: true,
+          data: {
+            sharing: conversation.sharing,
+            access_list: (conversation.sharing.shared_with ?? []).map((email: string) => ({
+              conversation_id: conversationId,
+              granted_by: ownerEmail,
+              granted_to: email,
+              permission: directSharePermission,
+              granted_at: new Date().toISOString(),
+            })),
+          },
+        }),
+      });
+      return;
+    }
+
     if (
       (path === `/api/chat/conversations/${conversationId}/turns` ||
         path === `/api/chat/conversations/${conversationId}/messages`) &&
diff --git a/ui/e2e/rbac/chat-navigation-regression.spec.ts b/ui/e2e/rbac/chat-navigation-regression.spec.ts
index f733bd5a74..b49fb24b6f 100644
--- a/ui/e2e/rbac/chat-navigation-regression.spec.ts
+++ b/ui/e2e/rbac/chat-navigation-regression.spec.ts
@@ -149,6 +149,7 @@ test.describe("mocked RBAC e2e — chat navigation regression", () => {
     await expect(dialog.getByText(SHARED_OWNER_EMAIL)).toBeVisible();
     await expect(dialog.getByText("Share Link")).toBeVisible();
     await expect(dialog.locator('input[readonly]').first()).toHaveValue(`${env.baseUrl}/chat/${conversationId}`);
+    await expect(dialog.getByText("Can edit")).toBeVisible();
     await expect(dialog.getByPlaceholder("Search by email or team name...")).toHaveCount(0);
     await expect(dialog.getByRole("switch", { name: "Share with everyone" })).toHaveCount(0);
   });
diff --git a/ui/src/app/api/chat/conversations/[id]/share/route.ts b/ui/src/app/api/chat/conversations/[id]/share/route.ts
index 2dce8fa38b..1ef3ef5619 100644
--- a/ui/src/app/api/chat/conversations/[id]/share/route.ts
+++ b/ui/src/app/api/chat/conversations/[id]/share/route.ts
@@ -4,6 +4,7 @@
 
 import {
 ApiError,
+requireConversationAccess,
 successResponse,
 validateEmail,
 validateUUID,
@@ -129,14 +130,12 @@ export const GET = withErrorHandler(async (
       throw new ApiError('Invalid conversation ID format', 400);
     }
 
-    const conversations = await getCollection<Conversation>('conversations');
-    const conversation = await conversations.findOne({ _id: conversationId });
-
-    if (!conversation) {
-      throw new ApiError('Conversation not found', 404);
-    }
-
-    await requireConversationResourcePermission(session, user.email, conversation, 'share');
+    const { conversation } = await requireConversationAccess(
+      conversationId,
+      user.email,
+      getCollection,
+      session,
+    );
 
     const sharingAccess = await getCollection<SharingAccess>('sharing_access');
     const accessList = await sharingAccess
diff --git a/ui/src/components/chat/ShareDialog.tsx b/ui/src/components/chat/ShareDialog.tsx
index ef9c3bbf63..a1d0627b58 100644
--- a/ui/src/components/chat/ShareDialog.tsx
+++ b/ui/src/components/chat/ShareDialog.tsx
@@ -89,15 +89,14 @@ export function ShareDialog({
     setIsPublic(sharing?.is_public || false);
     setTeamPermissions(sharing?.team_permissions || {});
     setPublicPermission(sharing?.public_permission || 'comment');
+    setUserPermissions({});
   };
 
   // Load current sharing info
   useEffect(() => {
     if (open) {
       applySharingSnapshot(initialSharing);
-      if (canManageSharing) {
-        loadSharingInfo();
-      }
+      loadSharingInfo();
     }
   }, [open, conversationId, canManageSharing]);
 
diff --git a/ui/src/components/chat/__tests__/ShareDialogPermissions.test.tsx b/ui/src/components/chat/__tests__/ShareDialogPermissions.test.tsx
new file mode 100644
index 0000000000..fa52cb23cb
--- /dev/null
+++ b/ui/src/components/chat/__tests__/ShareDialogPermissions.test.tsx
@@ -0,0 +1,74 @@
+// assisted-by Codex Codex-sonnet-4-6
+
+import { render, screen, waitFor } from '@testing-library/react'
+
+const mockUpdateConversationSharing = jest.fn()
+
+jest.mock('@/store/chat-store', () => ({
+  useChatStore: (selector: any) => selector({
+    updateConversationSharing: mockUpdateConversationSharing,
+  }),
+}))
+
+jest.mock('@/lib/api-client', () => ({
+  apiClient: {
+    searchUsers: jest.fn().mockResolvedValue([]),
+    shareConversation: jest.fn(),
+  },
+}))
+
+import { ShareDialog } from '../ShareDialog'
+
+describe('ShareDialog permissions', () => {
+  beforeEach(() => {
+    jest.clearAllMocks()
+  })
+
+  it('shows direct edit permission in the shared-recipient details modal', async () => {
+    ;(global.fetch as jest.Mock).mockResolvedValue({
+      ok: true,
+      status: 200,
+      json: async () => ({
+        data: {
+          sharing: {
+            is_public: false,
+            shared_with: ['recipient@example.com'],
+            shared_with_teams: [],
+            share_link_enabled: false,
+          },
+          access_list: [
+            {
+              granted_to: 'recipient@example.com',
+              permission: 'comment',
+            },
+          ],
+        },
+      }),
+    })
+
+    render(
+      <ShareDialog
+        conversationId="conv-123"
+        conversationTitle="Shared edit chat"
+        open
+        onOpenChange={jest.fn()}
+        canManageSharing={false}
+        sharedBy="owner@example.com"
+        initialSharing={{
+          is_public: false,
+          shared_with: ['recipient@example.com'],
+          shared_with_teams: [],
+          share_link_enabled: false,
+        }}
+      />
+    )
+
+    await waitFor(() => {
+      expect(screen.getByText('recipient@example.com')).toBeInTheDocument()
+      expect(screen.getByText('Can edit')).toBeInTheDocument()
+    })
+
+    expect(screen.getByText('Shared by')).toBeInTheDocument()
+    expect(screen.queryByPlaceholderText('Search by email or team name...')).not.toBeInTheDocument()
+  })
+})

From 875a99a55486ee0d2d2331af4d95f3a4e36cdefe Mon Sep 17 00:00:00 2001
From: Sri Aradhyula <sraradhy@cisco.com>
Date: Thu, 25 Jun 2026 13:37:35 -0500
Subject: [PATCH 12/12] fix(chat): stabilize shared conversation list access

Signed-off-by: Sri Aradhyula <sraradhy@cisco.com>
---
 docs/docs/security/rbac/file-map.md           |   1 +
 .../chat-conversations-agent-auth.test.ts     |   5 +
 .../chat-conversations-remaining-rbac.test.ts |   5 +
 ui/src/app/api/chat/conversations/route.ts    | 117 +++++++++++++++---
 4 files changed, 112 insertions(+), 16 deletions(-)

diff --git a/docs/docs/security/rbac/file-map.md b/docs/docs/security/rbac/file-map.md
index 067a68841c..b5195b64a3 100644
--- a/docs/docs/security/rbac/file-map.md
+++ b/docs/docs/security/rbac/file-map.md
@@ -31,6 +31,7 @@ When you need to change something in the auth path, this table tells you which f
 | Dynamic agents JWT validation & userinfo | `ai_platform_engineering/dynamic_agents/src/dynamic_agents/auth/auth.py` |
 | Dynamic Agents Web UI backend execution proxy auth and UI shell: session/bearer authentication, stable subject and role propagation, `X-User-Context` browser-session fallback when the server-side Keycloak token cache is missing, backend bearer forwarding when available, W3C `traceparent` forwarding, no `OIDC_REQUIRED_DYNAMIC_AGENTS_GROUP`/admin-only UI gate for the Agents page, Conversations tab shown only when OpenFGA admin audit-log access is granted, the Models tab uses the LLM provider credential surface plus the OpenFGA-filtered model list, and conversation-scoped file proxies gated by `dynamic_agent#invoke` | `ui/src/lib/da-proxy.ts`, `ui/src/lib/auth-config.ts`, `ui/src/components/layout/AppHeader.tsx`, `ui/src/app/(app)/dynamic-agents/page.tsx`, `ui/src/app/(app)/dynamic-agents/__tests__/page.test.tsx`, `ui/src/components/dynamic-agents/LLMProvidersTab.tsx`, `ui/src/components/dynamic-agents/__tests__/LLMProvidersTab.test.tsx`, `ui/src/components/layout/__tests__/AppHeader.test.tsx`, `ui/src/app/api/dynamic-agents/conversations/[id]/files/list/route.ts`, `ui/src/app/api/dynamic-agents/conversations/[id]/files/content/route.ts`, `ui/src/lib/__tests__/da-proxy-auth-result.test.ts`, `ui/src/lib/__tests__/auth-config.test.ts` |
 | Dynamic Agents Web UI backend OpenFGA execution, picker, and conversation binding gates: subject-first, email-fallback `can_use agent:<agent_id>` checks for start/invoke/resume/cancel, chat agent selection, subagent selection, and new conversation agent bindings; implicit-owner-or-explicit conversation checks on chat routes; authz trace creation and `openfga_rebac` audit emission | `ui/src/lib/rbac/openfga-agent-authz.ts`, `ui/src/lib/rbac/authz-tracing.ts`, `ui/src/lib/rbac/resource-authz.ts`, `ui/src/lib/rbac/conversation-implicit-authz.ts`, `ui/src/app/api/v1/chat/_conversation-authz.ts`, `ui/src/app/api/dynamic-agents/available/route.ts`, `ui/src/app/api/dynamic-agents/available-subagents/route.ts`, `ui/src/app/api/chat/conversations/route.ts`, `ui/src/lib/rbac/__tests__/resource-authz.test.ts`, `ui/src/lib/rbac/__tests__/openfga-agent-authz.test.ts`, `ui/src/lib/rbac/__tests__/authz-tracing.test.ts`, `ui/src/lib/rbac/__tests__/audit-tracing.test.ts`, `ui/src/app/api/v1/chat/stream/start/route.ts`, `ui/src/app/api/v1/chat/invoke/route.ts`, `ui/src/app/api/v1/chat/stream/resume/route.ts`, `ui/src/app/api/v1/chat/stream/cancel/route.ts`, `ui/src/app/api/v1/chat/__tests__/routes.test.ts`, `ui/src/app/api/dynamic-agents/__tests__/route-rbac.test.ts`, `ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts` |
+| Chat conversation list sharing metadata — `GET /api/chat/conversations` bounds Mongo candidates, filters through ReBAC, marks `viewer_has_shared_access`, and returns a display-only `access_level` for the sidebar/share-button UX. Direct and team recipients still derive read-only vs edit from `sharing_access` / `sharing.team_permissions`; detail, message, turn, and share routes keep using `requireConversationAccess` for authoritative enforcement. | `ui/src/app/api/chat/conversations/route.ts`, `ui/src/lib/rbac/conversation-implicit-authz.ts`, `ui/src/lib/api-middleware.ts`, `ui/src/components/layout/Sidebar.tsx`, `ui/src/components/chat/ShareButton.tsx`, `ui/src/app/api/__tests__/chat-conversations-client-type.test.ts`, `ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts`, `ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts`, `ui/e2e/rbac/chat-share-exposed.spec.ts` |
 | Connections & Secrets credential management: feature flag, signed-in-only and `organization:<org>#can_use` page gate, MongoDB envelope store, env/ESO OAuth connector startup bootstrap, browser guardrails for raw retrieval, service-to-service retrieve/exchange APIs with service JWT validation, JWT-`sub` provider-key exchange, future AgentGateway credential injector route, and `secret_ref:provider_connection:<id>#can_use`, browser-safe OAuth profile validators and automatic refresh endpoints that return only redacted provider/refresh metadata, deep-linked user My Secrets/My Connections tabs, user-visible enabled OAuth connector list with Connect/Relink and Check Profile actions, per-user OAuth scope selection at connect time (My Connections "Advanced settings" lets a user narrow within the connector's allowed `scopes`; the connect route accepts `?scopes=`, `startConnection` bounds it via `boundScopes`, and the choice is persisted as `requestedScopes`/`grantedScopes` on `provider_connections` so relink pre-fills it), Dynamic Agents LLM provider credentials saved as OpenFGA-governed credential secrets, OpenFGA-backed global admin secret metadata management with per-secret row-level audit details, deep-linked OAuth connector/admin secret tabs, Dynamic Agents MCP provider credential-ref resolution, and Jira MCP provider-token header consumption | `ui/src/lib/feature-flags/credentials.ts`, `ui/src/lib/credentials/`, `ui/src/lib/seed-config.ts`, `ui/src/app/(app)/credentials/page.tsx`, `ui/src/app/(app)/credentials/__tests__/page.test.tsx`, `ui/src/app/api/credentials/`, `ui/src/app/api/credentials/inject/[provider]/route.ts`, `ui/src/app/api/credentials/inject/[provider]/__tests__/route.test.ts`, `ui/src/app/api/credentials/connections/[connection_id]/profile/route.ts`, `ui/src/app/api/credentials/connections/[connection_id]/profile/__tests__/route.test.ts`, `ui/src/app/api/credentials/connections/[connection_id]/refresh/route.ts`, `ui/src/app/api/credentials/connections/[connection_id]/refresh/__tests__/route.test.ts`, `ui/src/app/api/admin/credentials/secrets/route.ts`, `ui/src/app/api/admin/credentials/secrets/[secret_id]/route.ts`, `ui/src/app/api/admin/credentials/oauth-connectors/route.ts`, `ui/src/app/api/admin/credentials/oauth-connectors/[connector_id]/route.ts`, `ui/src/app/api/admin/credentials/audit/route.ts`, `ui/src/components/credentials/`, `ui/src/components/dynamic-agents/LLMProvidersTab.tsx`, `docker-compose.dev.yaml`, `docker-compose.yaml`, `charts/ai-platform-engineering/charts/caipe-ui/values.yaml`, `charts/ai-platform-engineering/values.yaml`, `ai_platform_engineering/dynamic_agents/src/dynamic_agents/services/credential_exchange.py`, `ai_platform_engineering/dynamic_agents/src/dynamic_agents/services/mcp_client.py`, `ai_platform_engineering/dynamic_agents/src/dynamic_agents/models.py`, `ai_platform_engineering/agents/jira/mcp/mcp_jira/api/client.py`, `ai_platform_engineering/agents/jira/mcp/tests/test_client.py` |
 | Remaining OpenFGA cutovers for conversations, skills, workflow runs, MCP servers, and RAG tools: shared/search/trash conversation candidate filtering, conversation share/pin/archive/restore resource checks, skill nested route/import authorization, workflow-run parent-config checks, self-service `mcp_server` owner/team tuples, and concrete RAG `tool` checks | `ui/src/app/api/chat/shared/route.ts`, `ui/src/app/api/chat/search/route.ts`, `ui/src/app/api/chat/conversations/trash/route.ts`, `ui/src/app/api/chat/conversations/[id]/share/route.ts`, `ui/src/app/api/chat/conversations/[id]/pin/route.ts`, `ui/src/app/api/chat/conversations/[id]/archive/route.ts`, `ui/src/app/api/chat/conversations/[id]/restore/route.ts`, `ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts`, `ui/src/lib/agent-skill-visibility.ts`, `ui/src/app/api/skills/configs/route.ts`, `ui/src/app/api/skills/configs/import-zip/route.ts`, `ui/src/app/api/skills/configs/[id]/revisions/route.ts`, `ui/src/app/api/skills/configs/[id]/revisions/[revisionId]/route.ts`, `ui/src/app/api/skills/configs/[id]/revisions/[revisionId]/restore/route.ts`, `ui/src/app/api/skills/configs/[id]/export/route.ts`, `ui/src/app/api/skills/configs/[id]/clone/route.ts`, `ui/src/app/api/__tests__/agent-skill-subroutes-rbac.test.ts`, `ui/src/app/api/skills/configs/__tests__/route-rbac.test.ts`, `ui/src/app/api/skills/configs/import-zip/__tests__/route.test.ts`, `ui/src/app/api/workflow-runs/route.ts`, `ui/src/app/api/workflow-runs/[id]/resume/route.ts`, `ui/src/app/api/workflow-runs/[id]/cancel/route.ts`, `ui/src/app/api/__tests__/workflow-runs-rbac.test.ts`, `ui/src/app/api/mcp-servers/route.ts`, `ui/src/lib/rbac/openfga-owned-resources.ts`, `ui/src/app/api/__tests__/mcp-servers-rbac.test.ts`, `ui/src/app/api/rag/tools/route.ts`, `ui/src/app/api/rag/tools/[toolId]/route.ts` |
 | Web UI message/metadata persistence — forwards cookie-session or first-party bearer access tokens to the backend and uses implicit-owner-or-explicit conversation read/write checks, including Slack OBO thread metadata updates | `ui/src/app/api/chat/conversations/[id]/messages/route.ts`, `ui/src/app/api/chat/conversations/[id]/metadata/route.ts`, `ui/src/app/api/__tests__/chat-conversation-metadata-auth.test.ts`, `ui/src/app/api/__tests__/owner-id-denormalization.test.ts` |
diff --git a/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts b/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts
index 734746ae9d..12f1dec4cb 100644
--- a/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts
+++ b/ui/src/app/api/__tests__/chat-conversations-agent-auth.test.ts
@@ -56,6 +56,11 @@ jest.mock("@/lib/mongodb", () => ({
 }));
 
 jest.mock("@/lib/rbac/conversation-implicit-authz", () => ({
+  annotateConversationsWithViewerSharing: (_session: unknown, userEmail: string, items: Array<{ owner_id?: string }>) =>
+    items.map((item) => ({
+      ...item,
+      viewer_has_shared_access: item.owner_id?.toLowerCase() !== userEmail.toLowerCase(),
+    })),
   conversationVisibilityCandidateQuery: (userEmail: string) => ({
     $or: [
       { owner_id: userEmail },
diff --git a/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts b/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts
index 35993cf240..ed8963f8f3 100644
--- a/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts
+++ b/ui/src/app/api/__tests__/chat-conversations-remaining-rbac.test.ts
@@ -56,6 +56,11 @@ jest.mock("@/lib/api-middleware", () => {
 });
 
 jest.mock("@/lib/rbac/conversation-implicit-authz", () => ({
+  annotateConversationsWithViewerSharing: (_session: unknown, userEmail: string, items: Array<{ owner_id?: string }>) =>
+    items.map((item) => ({
+      ...item,
+      viewer_has_shared_access: item.owner_id?.toLowerCase() !== userEmail.toLowerCase(),
+    })),
   conversationVisibilityCandidateQuery: (userEmail: string) => ({
     $or: [
       { owner_id: userEmail },
diff --git a/ui/src/app/api/chat/conversations/route.ts b/ui/src/app/api/chat/conversations/route.ts
index 73722c3fe2..435c2e9e1c 100644
--- a/ui/src/app/api/chat/conversations/route.ts
+++ b/ui/src/app/api/chat/conversations/route.ts
@@ -2,15 +2,16 @@
 // POST /api/chat/conversations - Create new conversation (or return existing via upsert)
 
 import {
-getAuthFromBearerOrSession,
-getPaginationParams,
-paginatedResponse,
-requireConversationAccess,
-successResponse,
-validateRequired,
-withErrorHandler,
+  getAuthFromBearerOrSession,
+  getPaginationParams,
+  getUserTeamIds,
+  paginatedResponse,
+  successResponse,
+  validateRequired,
+  withErrorHandler,
 } from '@/lib/api-middleware';
-import { getCollection,isMongoDBConfigured } from '@/lib/mongodb';
+import type { ConversationAccessLevel } from '@/lib/api-middleware';
+import { getCollection, isMongoDBConfigured } from '@/lib/mongodb';
 import {
   annotateConversationsWithViewerSharing,
   conversationVisibilityCandidateQuery,
@@ -19,9 +20,9 @@ import {
 import { requireAgentUsePermission } from '@/lib/rbac/openfga-agent-authz';
 import { writeOpenFgaTuples } from '@/lib/rbac/openfga';
 import { buildParticipants } from '@/types/a2a';
-import type { ClientType,Conversation,CreateConversationRequest } from '@/types/mongodb';
+import type { ClientType, Conversation, CreateConversationRequest } from '@/types/mongodb';
 import { VALID_CLIENT_TYPES } from '@/types/mongodb';
-import { NextRequest,NextResponse } from 'next/server';
+import { NextRequest, NextResponse } from 'next/server';
 import { v4 as uuidv4 } from 'uuid';
 import packageJson from '../../../../../package.json';
 
@@ -30,6 +31,95 @@ type ConversationWithAgentDisplay<T extends Conversation = Conversation> = T & {
   agent_name?: string;
 };
 
+function normalizeIdentity(value: unknown): string {
+  return typeof value === 'string' ? value.trim().toLowerCase() : '';
+}
+
+function permissionToAccessLevel(permission: unknown): ConversationAccessLevel {
+  return permission === 'view' ? 'shared_readonly' : 'shared';
+}
+
+function isListConversationOwner(
+  conversation: Pick<Conversation, 'owner_id' | 'owner_subject'>,
+  userEmail: string,
+  session?: { sub?: unknown },
+): boolean {
+  const subject = typeof session?.sub === 'string' ? session.sub.trim() : '';
+  if (subject && conversation.owner_subject === subject) return true;
+  return Boolean(
+    normalizeIdentity(userEmail) &&
+    normalizeIdentity(conversation.owner_id) === normalizeIdentity(userEmail),
+  );
+}
+
+async function getDirectSharePermission(
+  conversationId: string,
+  userEmail: string,
+): Promise<'view' | 'comment' | undefined> {
+  try {
+    const sharingAccess = await getCollection<{ permission?: 'view' | 'comment' }>('sharing_access');
+    const normalizedEmail = normalizeIdentity(userEmail);
+    const identities = Array.from(new Set([userEmail, normalizedEmail].filter(Boolean)));
+    const accessRecord = await sharingAccess.findOne({
+      conversation_id: conversationId,
+      granted_to: { $in: identities },
+      revoked_at: null,
+    });
+    return accessRecord?.permission;
+  } catch {
+    return undefined;
+  }
+}
+
+async function getTeamSharePermission(
+  conversation: Conversation,
+  userEmail: string,
+): Promise<'view' | 'comment' | undefined> {
+  const sharedTeams = conversation.sharing?.shared_with_teams;
+  if (!sharedTeams?.length) return undefined;
+
+  try {
+    const userTeamIds = await getUserTeamIds(userEmail);
+    const matchedTeamId = sharedTeams.find((teamId) => userTeamIds.includes(teamId));
+    if (!matchedTeamId) return undefined;
+    return conversation.sharing?.team_permissions?.[matchedTeamId] ?? 'comment';
+  } catch {
+    return undefined;
+  }
+}
+
+async function resolveListConversationAccessLevel(
+  conversation: Conversation,
+  userEmail: string,
+  session?: { role?: unknown; sub?: unknown },
+): Promise<ConversationAccessLevel> {
+  // assisted-by Codex Codex-sonnet-4-6
+  // The list already passed ReBAC filtering; derive display-level access without refetching the row.
+  if (isListConversationOwner(conversation, userEmail, session)) return 'owner';
+
+  if (conversation.sharing?.is_public) {
+    return permissionToAccessLevel(conversation.sharing.public_permission ?? 'view');
+  }
+
+  const normalizedEmail = normalizeIdentity(userEmail);
+  const directShareMatch = conversation.sharing?.shared_with?.some(
+    (email) => normalizeIdentity(email) === normalizedEmail,
+  );
+  if (directShareMatch) {
+    const permission = await getDirectSharePermission(conversation._id, userEmail);
+    return permissionToAccessLevel(permission ?? 'comment');
+  }
+
+  const teamPermission = await getTeamSharePermission(conversation, userEmail);
+  if (teamPermission) {
+    return permissionToAccessLevel(teamPermission);
+  }
+
+  if (session?.role === 'admin') return 'admin_audit';
+
+  return 'shared';
+}
+
 function getConversationAgentId(conversation: Conversation): string | undefined {
   return conversation.participants?.find((participant) => participant.type === 'agent')?.id;
 }
@@ -147,12 +237,7 @@ export const GET = withErrorHandler(async (request: NextRequest) => {
   const visibleItemsWithViewerFlags = annotateConversationsWithViewerSharing(session, user.email, visibleItems);
   const visibleItemsWithAccessLevel = await Promise.all(
     visibleItemsWithViewerFlags.map(async (conversation) => {
-      const { access_level } = await requireConversationAccess(
-        conversation._id,
-        user.email,
-        getCollection,
-        session,
-      );
+      const access_level = await resolveListConversationAccessLevel(conversation, user.email, session);
       return { ...conversation, access_level };
     }),
   );