test: RBAC marketplace render test + validation stub drift detectors

- test_render_marketplaces_filtered_by_rbac: seeds 2 marketplaces, 2 groups,
  grants, 2 users; asserts each user's rendered output references only their
  group's marketplace/plugins, not the other's (I-3).
- test_validation_stub_matches_build_context_shape in test_welcome_template_api.py:
  asserts _VALIDATION_STUB_CONTEXT top-level and nested keys (instance, server,
  user) match build_context() output so stub drift is caught in CI (I-4).
- test_validation_stub_matches_build_context_shape in test_setup_banner_api.py:
  same shape check against build_setup_banner_context() (I-4).

tests/test_setup_banner_api.py

@@ -1,5 +1,10 @@
 """End-to-end tests for /api/admin/setup-banner endpoints."""
 
+import duckdb
+
+from src.db import _ensure_schema
+from src.setup_banner import build_setup_banner_context
+
 
 def _auth(token: str) -> dict[str, str]:
     return {"Authorization": f"Bearer {token}"}
@@ -102,3 +107,33 @@ def test_preview_rejects_invalid_template(seeded_app):
         headers=admin,
     )
     assert r.status_code == 400
+
+
+def test_validation_stub_matches_build_context_shape(seeded_app, tmp_path, monkeypatch):
+    """If build_setup_banner_context grows new keys, _VALIDATION_STUB_CONTEXT
+    must too — otherwise admins can save templates referencing keys the PUT
+    validator accepts but the live render rejects."""
+    from app.api.setup_banner import _VALIDATION_STUB_CONTEXT
+
+    monkeypatch.setenv("DATA_DIR", str(tmp_path))
+    db_path = tmp_path / "system.duckdb"
+    conn = duckdb.connect(str(db_path))
+    _ensure_schema(conn)
+    conn.close()
+
+    user = {"id": "u1", "email": "admin@test.com", "name": "Admin", "is_admin": True}
+    real_ctx = build_setup_banner_context(user=user, server_url="https://example.com")
+
+    # Top-level keys must match (stub has user=dict, real has user=dict when logged in)
+    assert set(_VALIDATION_STUB_CONTEXT.keys()) == set(real_ctx.keys()), (
+        f"_VALIDATION_STUB_CONTEXT top-level keys differ from build_setup_banner_context output. "
+        f"Stub has: {set(_VALIDATION_STUB_CONTEXT.keys())}, "
+        f"real has: {set(real_ctx.keys())}"
+    )
+
+    # One level deep for nested dicts
+    for key in ("instance", "server", "user"):
+        if isinstance(real_ctx.get(key), dict):
+            assert set(_VALIDATION_STUB_CONTEXT[key].keys()) == set(real_ctx[key].keys()), (
+                f"_VALIDATION_STUB_CONTEXT[{key!r}] drifted from build_setup_banner_context output"
+            )

tests/test_welcome_template_api.py

@@ -1,5 +1,10 @@
 """End-to-end tests for /api/welcome and /api/admin/welcome-template."""
 
+import duckdb
+
+from src.db import _ensure_schema
+from src.welcome_template import build_context
+
 
 def _auth(token: str) -> dict[str, str]:
     return {"Authorization": f"Bearer {token}"}
@@ -155,3 +160,33 @@ def test_preview_requires_admin(seeded_app):
         headers=analyst,
     )
     assert r.status_code == 403
+
+
+def test_validation_stub_matches_build_context_shape(seeded_app, tmp_path, monkeypatch):
+    """If build_context grows new keys, _VALIDATION_STUB_CONTEXT must too —
+    otherwise admins can save templates referencing keys the PUT validator
+    accepts but the live render rejects."""
+    from app.api.welcome import _VALIDATION_STUB_CONTEXT
+
+    monkeypatch.setenv("DATA_DIR", str(tmp_path))
+    db_path = tmp_path / "system.duckdb"
+    conn = duckdb.connect(str(db_path))
+    _ensure_schema(conn)
+
+    user = {"id": "u1", "email": "admin@test.com", "name": "Admin", "is_admin": True, "groups": ["Admin"]}
+    real_ctx = build_context(conn, user=user, server_url="https://example.com")
+    conn.close()
+
+    # Top-level keys must match
+    assert set(_VALIDATION_STUB_CONTEXT.keys()) == set(real_ctx.keys()), (
+        f"_VALIDATION_STUB_CONTEXT top-level keys differ from build_context output. "
+        f"Stub has: {set(_VALIDATION_STUB_CONTEXT.keys())}, "
+        f"real has: {set(real_ctx.keys())}"
+    )
+
+    # One level deep for nested dicts
+    for key in ("instance", "server", "user"):
+        if isinstance(real_ctx.get(key), dict):
+            assert set(_VALIDATION_STUB_CONTEXT[key].keys()) == set(real_ctx[key].keys()), (
+                f"_VALIDATION_STUB_CONTEXT[{key!r}] drifted from build_context output"
+            )

tests/test_welcome_template_renderer.py

@@ -1,5 +1,6 @@
 """Unit tests for the welcome-prompt renderer."""
 
+import uuid
 from pathlib import Path
 
 import duckdb
@@ -56,6 +57,91 @@ def test_context_exposes_documented_keys(conn):
         assert top in ctx, f"missing top-level key: {top}"
 
 
+def test_render_marketplaces_filtered_by_rbac(conn, monkeypatch):
+    """Two users with different group memberships render different marketplace lists."""
+    from app.resource_types import ResourceType
+
+    # ── Seed two marketplaces ────────────────────────────────────────────
+    conn.execute(
+        """INSERT INTO marketplace_registry (id, name, url) VALUES
+           ('mkt-a', 'Marketplace A', 'https://github.com/example/mkt-a'),
+           ('mkt-b', 'Marketplace B', 'https://github.com/example/mkt-b')"""
+    )
+    # Two plugins per marketplace
+    for mkt, plugins in [("mkt-a", ["plugin-1", "plugin-2"]), ("mkt-b", ["plugin-3", "plugin-4"])]:
+        for p in plugins:
+            conn.execute(
+                "INSERT INTO marketplace_plugins (marketplace_id, name) VALUES (?, ?)",
+                [mkt, p],
+            )
+
+    # ── Seed two non-system groups ──────────────────────────────────────
+    gid_a = str(uuid.uuid4())
+    gid_b = str(uuid.uuid4())
+    conn.execute(
+        "INSERT INTO user_groups (id, name) VALUES (?, ?), (?, ?)",
+        [gid_a, "group-a", gid_b, "group-b"],
+    )
+
+    # ── Grant mkt-a/* to group-a and mkt-b/* to group-b ─────────────────
+    rtype = ResourceType.MARKETPLACE_PLUGIN.value
+    for mkt, gid, plugins in [
+        ("mkt-a", gid_a, ["plugin-1", "plugin-2"]),
+        ("mkt-b", gid_b, ["plugin-3", "plugin-4"]),
+    ]:
+        for p in plugins:
+            conn.execute(
+                "INSERT INTO resource_grants (id, group_id, resource_type, resource_id) "
+                "VALUES (?, ?, ?, ?)",
+                [str(uuid.uuid4()), gid, rtype, f"{mkt}/{p}"],
+            )
+
+    # ── Seed two users, each in their own group + Everyone ───────────────
+    everyone_gid = conn.execute(
+        "SELECT id FROM user_groups WHERE name = 'Everyone'"
+    ).fetchone()[0]
+
+    conn.execute(
+        "INSERT INTO users (id, email, name, active) VALUES "
+        "('user-a', 'user-a@example.com', 'User A', TRUE), "
+        "('user-b', 'user-b@example.com', 'User B', TRUE)"
+    )
+    for uid, gid in [("user-a", gid_a), ("user-b", gid_b)]:
+        conn.execute(
+            "INSERT INTO user_group_members (user_id, group_id, source) VALUES (?, ?, ?)",
+            [uid, gid, "admin"],
+        )
+        conn.execute(
+            "INSERT INTO user_group_members (user_id, group_id, source) VALUES (?, ?, ?)",
+            [uid, everyone_gid, "system_seed"],
+        )
+
+    # ── Render for each user ─────────────────────────────────────────────
+    WelcomeTemplateRepository(conn).set(
+        "{% for m in marketplaces %}{{ m.slug }}: "
+        "{% for p in m.plugins %}{{ p.name }} {% endfor %}{% endfor %}",
+        updated_by="admin@example.com",
+    )
+
+    user_a = {"id": "user-a", "email": "user-a@example.com", "name": "User A", "is_admin": False, "groups": ["group-a"]}
+    user_b = {"id": "user-b", "email": "user-b@example.com", "name": "User B", "is_admin": False, "groups": ["group-b"]}
+
+    out_a = render_welcome(conn, user=user_a, server_url="https://example.com")
+    out_b = render_welcome(conn, user=user_b, server_url="https://example.com")
+
+    # user-a sees mkt-a plugins only
+    assert "mkt-a" in out_a
+    assert "plugin-1" in out_a
+    assert "mkt-b" not in out_a
+    assert "plugin-3" not in out_a
+
+    # user-b sees mkt-b plugins only
+    assert "mkt-b" in out_b
+    assert "plugin-3" in out_b
+    assert "mkt-a" not in out_b
+    assert "plugin-1" not in out_b
+
+
 def test_render_tolerates_missing_optional_tables(tmp_path, monkeypatch):
     """A bare DuckDB without table_registry / marketplace_registry must still render."""
     monkeypatch.setenv("DATA_DIR", str(tmp_path))