@agentmeshhq/agent 0.4.5 → 0.4.10

package/dist/__tests__/auth-doctor-integration.test.d.ts

@@ -0,0 +1,14 @@
+/**
+ * Integration test: auth-sync stale profile → repair → success
+ *
+ * Simulates the full Epic #470 recovery path:
+ *   1. Agent has a stale regular-file auth.json (not a symlink).
+ *   2. Canonical auth.json exists and is valid.
+ *   3. ensureAuthLink detects the stale file, backs it up, and creates a symlink.
+ *   4. preflightAuth now passes.
+ *   5. A second call to ensureAuthLink is idempotent (symlink-ok).
+ *
+ * All functions accept an optional `homeDir` parameter so tests can sandbox
+ * operations under a tmp directory instead of touching the real home directory.
+ */
+export {};

package/dist/__tests__/auth-doctor-integration.test.js

@@ -0,0 +1,130 @@
+/**
+ * Integration test: auth-sync stale profile → repair → success
+ *
+ * Simulates the full Epic #470 recovery path:
+ *   1. Agent has a stale regular-file auth.json (not a symlink).
+ *   2. Canonical auth.json exists and is valid.
+ *   3. ensureAuthLink detects the stale file, backs it up, and creates a symlink.
+ *   4. preflightAuth now passes.
+ *   5. A second call to ensureAuthLink is idempotent (symlink-ok).
+ *
+ * All functions accept an optional `homeDir` parameter so tests can sandbox
+ * operations under a tmp directory instead of touching the real home directory.
+ */
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { ensureAuthLink, getAuthLinkStatus, preflightAuth } from "../core/auth-sync.js";
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+function makeTmpDir() {
+    return fs.mkdtempSync(path.join(os.tmpdir(), "auth-doctor-integration-"));
+}
+function agentAuthPathFor(base, agentName) {
+    return path.join(base, ".agentmesh", "opencode-data", agentName, "opencode", "auth.json");
+}
+function canonicalPathFor(base) {
+    return path.join(base, ".local", "share", "opencode", "auth.json");
+}
+// ─── Integration test ────────────────────────────────────────────────────────
+describe("Auth stale-profile → repair → pass (integration)", () => {
+    let base;
+    let canonical;
+    const AGENT = "forge-dev-1";
+    beforeEach(() => {
+        base = makeTmpDir();
+        canonical = canonicalPathFor(base);
+        // Create canonical auth with valid provider entry
+        fs.mkdirSync(path.dirname(canonical), { recursive: true });
+        fs.writeFileSync(canonical, JSON.stringify({ anthropic: { token: "tok-abc123" } }), "utf-8");
+        fs.chmodSync(canonical, 0o600);
+    });
+    afterEach(() => {
+        fs.rmSync(base, { recursive: true, force: true });
+    });
+    it("repairs a stale regular-file and creates a correct symlink", () => {
+        const agentAuth = agentAuthPathFor(base, AGENT);
+        const agentDir = path.dirname(agentAuth);
+        // Plant a stale regular file (simulating drift — old token copy)
+        fs.mkdirSync(agentDir, { recursive: true });
+        fs.writeFileSync(agentAuth, JSON.stringify({ anthropic: { token: "STALE" } }), "utf-8");
+        // Verify the stale state
+        const stale = fs.lstatSync(agentAuth);
+        expect(stale.isFile()).toBe(true);
+        expect(stale.isSymbolicLink()).toBe(false);
+        // Run repair with sandboxed homeDir
+        const result = ensureAuthLink(AGENT, canonical, base);
+        expect(result.ok).toBe(true);
+        expect(result.action).toBe("symlink-replaced-file");
+        // Verify symlink now in place
+        const repaired = fs.lstatSync(agentAuth);
+        expect(repaired.isSymbolicLink()).toBe(true);
+        expect(fs.readlinkSync(agentAuth)).toBe(canonical);
+        // Verify backup exists
+        const backups = fs.readdirSync(agentDir).filter((f) => f.startsWith("auth.json.bak."));
+        expect(backups.length).toBe(1);
+        // Verify symlink resolves to valid canonical content
+        const content = JSON.parse(fs.readFileSync(agentAuth, "utf-8"));
+        expect(content.anthropic).toBeDefined();
+        // Token should now be from canonical, not stale
+        expect(content.anthropic.token).toBe("tok-abc123");
+    });
+    it("preflightAuth passes after repair", () => {
+        const agentAuth = agentAuthPathFor(base, AGENT);
+        const agentDir = path.dirname(agentAuth);
+        // Plant stale file, then explicitly repair it first (ensureAuthLink converts
+        // the stale regular-file to a symlink). preflightAuth auto-repairs only missing
+        // or broken symlinks — a readable regular file is considered linkOk by design.
+        fs.mkdirSync(agentDir, { recursive: true });
+        fs.writeFileSync(agentAuth, JSON.stringify({ anthropic: { token: "STALE" } }), "utf-8");
+        ensureAuthLink(AGENT, canonical, base);
+        // Now preflightAuth on the already-repaired state should pass cleanly
+        const result = preflightAuth(AGENT, canonical, base);
+        expect(result.passed).toBe(true);
+        expect(result.linkOk).toBe(true);
+        expect(result.canonicalOk).toBe(true);
+        expect(result.contentOk).toBe(true);
+        // Verify the symlink is in place at the sandboxed path
+        const lstat = fs.lstatSync(agentAuth);
+        expect(lstat.isSymbolicLink()).toBe(true);
+        expect(fs.readlinkSync(agentAuth)).toBe(canonical);
+    });
+    it("is idempotent — second ensureAuthLink call returns symlink-ok", () => {
+        const agentAuth = agentAuthPathFor(base, AGENT);
+        const agentDir = path.dirname(agentAuth);
+        // First: create symlink (homeDir sandboxed to base)
+        fs.mkdirSync(agentDir, { recursive: true });
+        const r1 = ensureAuthLink(AGENT, canonical, base);
+        expect(r1.ok).toBe(true);
+        expect(r1.action).toBe("symlink-created");
+        // Second: already correct symlink
+        const r2 = ensureAuthLink(AGENT, canonical, base);
+        expect(r2.ok).toBe(true);
+        expect(r2.action).toBe("symlink-ok");
+        // Exactly one symlink, no extra backups
+        const entries = fs.readdirSync(agentDir);
+        expect(entries.filter((f) => f.startsWith("auth.json.bak."))).toHaveLength(0);
+    });
+    it("handles missing canonical gracefully — returns no-op", () => {
+        const agentAuth = agentAuthPathFor(base, AGENT);
+        const agentDir = path.dirname(agentAuth);
+        fs.mkdirSync(agentDir, { recursive: true });
+        const missingCanonical = path.join(base, ".local", "share", "opencode", "DOES_NOT_EXIST.json");
+        const result = ensureAuthLink(AGENT, missingCanonical, base);
+        expect(result.ok).toBe(false);
+        expect(result.action).toBe("no-op");
+    });
+    it("getAuthLinkStatus reflects post-repair state accurately", () => {
+        const agentAuth = agentAuthPathFor(base, AGENT);
+        const agentDir = path.dirname(agentAuth);
+        // Plant stale file then repair (homeDir sandboxed to base)
+        fs.mkdirSync(agentDir, { recursive: true });
+        fs.writeFileSync(agentAuth, '{"old":true}', "utf-8");
+        ensureAuthLink(AGENT, canonical, base);
+        // Use getAuthLinkStatus with the same sandbox
+        const status = getAuthLinkStatus(AGENT, canonical, base);
+        expect(status.isSymlink).toBe(true);
+        expect(status.pointsToCanonical).toBe(true);
+    });
+});
+//# sourceMappingURL=auth-doctor-integration.test.js.map

package/dist/__tests__/auth-doctor-integration.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-doctor-integration.test.js","sourceRoot":"","sources":["../../src/__tests__/auth-doctor-integration.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,cAAc,EAAE,iBAAiB,EAAE,aAAa,EAAE,MAAM,sBAAsB,CAAC;AAExF,gFAAgF;AAEhF,SAAS,UAAU;IACjB,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,0BAA0B,CAAC,CAAC,CAAC;AAC5E,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY,EAAE,SAAiB;IACvD,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,YAAY,EAAE,eAAe,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;AAC5F,CAAC;AAED,SAAS,gBAAgB,CAAC,IAAY;IACpC,OAAO,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;AACrE,CAAC;AAED,gFAAgF;AAEhF,QAAQ,CAAC,kDAAkD,EAAE,GAAG,EAAE;IAChE,IAAI,IAAY,CAAC;IACjB,IAAI,SAAiB,CAAC;IACtB,MAAM,KAAK,GAAG,aAAa,CAAC;IAE5B,UAAU,CAAC,GAAG,EAAE;QACd,IAAI,GAAG,UAAU,EAAE,CAAC;QACpB,SAAS,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;QAEnC,kDAAkD;QAClD,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;QAC7F,EAAE,CAAC,SAAS,CAAC,SAAS,EAAE,KAAK,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACpD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEzC,iEAAiE;QACjE,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;QAExF,yBAAyB;QACzB,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAClC,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAE3C,oCAAoC;QACpC,MAAM,MAAM,GAAG,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QACtD,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,uBAAuB,CAAC,CAAC;QAEpD,8BAA8B;QAC9B,MAAM,QAAQ,GAAG,EAAE,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACzC,MAAM,CAAC,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC7C,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAEnD,uBAAuB;QACvB,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC;QACvF,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QAE/B,qDAAqD;QACrD,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,SAAS,EAAE,OAAO,CAAC,CAA4B,CAAC;QAC3F,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,WAAW,EAAE,CAAC;QACxC,gDAAgD;QAChD,MAAM,CAAE,OAAO,CAAC,SAA+B,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;IAC5E,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mCAAmC,EAAE,GAAG,EAAE;QAC3C,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEzC,6EAA6E;QAC7E,gFAAgF;QAChF,+EAA+E;QAC/E,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,SAAS,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;QACxF,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QAEvC,sEAAsE;QACtE,MAAM,MAAM,GAAG,aAAa,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QACrD,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtC,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEpC,uDAAuD;QACvD,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC1C,MAAM,CAAC,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+DAA+D,EAAE,GAAG,EAAE;QACvE,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEzC,oDAAoD;QACpD,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QAClD,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzB,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAE1C,kCAAkC;QAClC,MAAM,EAAE,GAAG,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QAClD,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACzB,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAErC,wCAAwC;QACxC,MAAM,OAAO,GAAG,EAAE,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAChF,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,GAAG,EAAE;QAC9D,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QACzC,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE5C,MAAM,gBAAgB,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,EAAE,UAAU,EAAE,qBAAqB,CAAC,CAAC;QAC/F,MAAM,MAAM,GAAG,cAAc,CAAC,KAAK,EAAE,gBAAgB,EAAE,IAAI,CAAC,CAAC;QAE7D,MAAM,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC9B,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,GAAG,EAAE;QACjE,MAAM,SAAS,GAAG,gBAAgB,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;QAChD,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;QAEzC,2DAA2D;QAC3D,EAAE,CAAC,SAAS,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5C,EAAE,CAAC,aAAa,CAAC,SAAS,EAAE,cAAc,EAAE,OAAO,CAAC,CAAC;QACrD,cAAc,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QAEvC,8CAA8C;QAC9C,MAAM,MAAM,GAAG,iBAAiB,CAAC,KAAK,EAAE,SAAS,EAAE,IAAI,CAAC,CAAC;QACzD,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACpC,MAAM,CAAC,MAAM,CAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/auth-guard.integration.test.d.ts

@@ -0,0 +1,12 @@
+/**
+ * Integration test: Auth drift -> doctor repair -> success
+ * Epic #470
+ *
+ * Simulates the real incident:
+ *  1. Agent starts with stale per-agent auth (regular file, old tokens)
+ *  2. Global auth is refreshed (new token written to canonical)
+ *  3. Doctor runs with --repair
+ *  4. Per-agent auth now points to fresh canonical via symlink
+ *  5. Subsequent reads see fresh token — drift eliminated
+ */
+export {};

package/dist/__tests__/auth-guard.integration.test.js

@@ -0,0 +1,132 @@
+/**
+ * Integration test: Auth drift -> doctor repair -> success
+ * Epic #470
+ *
+ * Simulates the real incident:
+ *  1. Agent starts with stale per-agent auth (regular file, old tokens)
+ *  2. Global auth is refreshed (new token written to canonical)
+ *  3. Doctor runs with --repair
+ *  4. Per-agent auth now points to fresh canonical via symlink
+ *  5. Subsequent reads see fresh token — drift eliminated
+ */
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { afterEach, beforeEach, describe, expect, it } from "vitest";
+import { isValidAuthSymlink, linkAgentAuth, validateCanonicalAuth, } from "../core/auth-guard.js";
+function makeTmpDir() {
+    return fs.mkdtempSync(path.join(os.tmpdir(), "am-auth-integ-"));
+}
+function writeJson(filePath, data) {
+    fs.mkdirSync(path.dirname(filePath), { recursive: true });
+    fs.writeFileSync(filePath, JSON.stringify(data, null, 2));
+}
+describe("Auth drift -> repair -> success (integration)", () => {
+    let tmp;
+    let canonicalPath;
+    let agentAuthFile;
+    beforeEach(() => {
+        tmp = makeTmpDir();
+        canonicalPath = path.join(tmp, "global", "opencode", "auth.json");
+        agentAuthFile = path.join(tmp, "opencode-data", "forge-dev-1", "opencode", "auth.json");
+    });
+    afterEach(() => {
+        fs.rmSync(tmp, { recursive: true, force: true });
+    });
+    it("simulates stale regular file -> symlink repair -> fresh token visible", () => {
+        // Step 1: Agent was started before global auth was refreshed
+        // Per-agent auth.json exists as a regular file with OLD token material
+        const staleToken = { provider: "anthropic", accessToken: "old_token_STALE_400" };
+        writeJson(agentAuthFile, staleToken);
+        expect(fs.lstatSync(agentAuthFile).isSymbolicLink()).toBe(false);
+        // Step 2: Global auth is refreshed (user re-authenticated)
+        const freshToken = { provider: "anthropic", accessToken: "new_token_FRESH_OK" };
+        writeJson(canonicalPath, freshToken);
+        expect(validateCanonicalAuth(canonicalPath)).toBe(true);
+        // At this point, agent still sees the stale token (drift!)
+        const staleRead = JSON.parse(fs.readFileSync(agentAuthFile, "utf-8"));
+        expect(staleRead.accessToken).toBe("old_token_STALE_400");
+        // Step 3: Doctor/repair runs — replace regular file with symlink
+        const repairResult = linkAgentAuth(agentAuthFile, canonicalPath);
+        expect(repairResult.linked).toBe(true);
+        expect(repairResult.backedUp).toBeDefined();
+        expect(fs.lstatSync(agentAuthFile).isSymbolicLink()).toBe(true);
+        // Step 4: Post-repair — agent now sees fresh token via symlink
+        expect(isValidAuthSymlink(agentAuthFile)).toBe(true);
+        const freshRead = JSON.parse(fs.readFileSync(agentAuthFile, "utf-8"));
+        expect(freshRead.accessToken).toBe("new_token_FRESH_OK");
+        // Step 5: Any subsequent global auth refresh is immediately visible
+        const newerToken = { provider: "anthropic", accessToken: "newer_token_ALSO_OK" };
+        writeJson(canonicalPath, newerToken);
+        const newerRead = JSON.parse(fs.readFileSync(agentAuthFile, "utf-8"));
+        expect(newerRead.accessToken).toBe("newer_token_ALSO_OK");
+        // Backup of stale file preserved
+        const backedUpContent = JSON.parse(fs.readFileSync(repairResult.backedUp, "utf-8"));
+        expect(backedUpContent.accessToken).toBe("old_token_STALE_400");
+    });
+    it("symlink-first: new agent always gets fresh token immediately", () => {
+        // Global auth exists before agent ever starts
+        const freshToken = { provider: "anthropic", accessToken: "initial_fresh_token" };
+        writeJson(canonicalPath, freshToken);
+        // Agent profile dir created (simulates prepareOpenCodeRuntime)
+        fs.mkdirSync(path.dirname(agentAuthFile), { recursive: true });
+        // ensureAgentAuthLink creates the symlink (no prior file)
+        const result = linkAgentAuth(agentAuthFile, canonicalPath);
+        expect(result.linked).toBe(true);
+        expect(result.backedUp).toBeUndefined(); // nothing to back up
+        // Token is immediately visible
+        const read = JSON.parse(fs.readFileSync(agentAuthFile, "utf-8"));
+        expect(read.accessToken).toBe("initial_fresh_token");
+        // Update global -> agent sees it with zero extra steps
+        writeJson(canonicalPath, { provider: "anthropic", accessToken: "rotated_token" });
+        const read2 = JSON.parse(fs.readFileSync(agentAuthFile, "utf-8"));
+        expect(read2.accessToken).toBe("rotated_token");
+    });
+    it("multi-agent: all agents see same fresh token via individual symlinks", () => {
+        const agents = ["forge-dev-1", "forge-dev-2", "forge-dev-3"];
+        const freshToken = { provider: "anthropic", accessToken: "shared_fresh" };
+        writeJson(canonicalPath, freshToken);
+        // Set up symlinks for all agents
+        for (const agentName of agents) {
+            const authPath = path.join(tmp, "opencode-data", agentName, "opencode", "auth.json");
+            fs.mkdirSync(path.dirname(authPath), { recursive: true });
+            const res = linkAgentAuth(authPath, canonicalPath);
+            expect(res.linked).toBe(true);
+        }
+        // All see fresh token
+        for (const agentName of agents) {
+            const authPath = path.join(tmp, "opencode-data", agentName, "opencode", "auth.json");
+            const content = JSON.parse(fs.readFileSync(authPath, "utf-8"));
+            expect(content.accessToken).toBe("shared_fresh");
+        }
+        // Rotate global token — all agents immediately see new value
+        writeJson(canonicalPath, { provider: "anthropic", accessToken: "rotated_all" });
+        for (const agentName of agents) {
+            const authPath = path.join(tmp, "opencode-data", agentName, "opencode", "auth.json");
+            const content = JSON.parse(fs.readFileSync(authPath, "utf-8"));
+            expect(content.accessToken).toBe("rotated_all");
+        }
+    });
+    it("healthcheck watcher detects broken symlink and emits degraded event", async () => {
+        // Create initial valid symlink for agent
+        writeJson(canonicalPath, { provider: "anthropic", accessToken: "ok_token" });
+        fs.mkdirSync(path.dirname(agentAuthFile), { recursive: true });
+        linkAgentAuth(agentAuthFile, canonicalPath);
+        expect(isValidAuthSymlink(agentAuthFile)).toBe(true);
+        // Now simulate canonical being deleted (e.g., moved/rotated)
+        fs.unlinkSync(canonicalPath);
+        expect(isValidAuthSymlink(agentAuthFile)).toBe(false);
+        // Collect events from watcher — using a manual check rather than timers
+        // since we can't override AGENTMESH_OPENCODE_DATA_ROOT
+        // Test directly: broken symlink should be detected as invalid
+        const lstat = fs.lstatSync(agentAuthFile);
+        expect(lstat.isSymbolicLink()).toBe(true);
+        // Restore canonical
+        writeJson(canonicalPath, { provider: "anthropic", accessToken: "restored_token" });
+        expect(isValidAuthSymlink(agentAuthFile)).toBe(true);
+        // Agent now sees restored token
+        const content = JSON.parse(fs.readFileSync(agentAuthFile, "utf-8"));
+        expect(content.accessToken).toBe("restored_token");
+    });
+});
+//# sourceMappingURL=auth-guard.integration.test.js.map

package/dist/__tests__/auth-guard.integration.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-guard.integration.test.js","sourceRoot":"","sources":["../../src/__tests__/auth-guard.integration.test.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,SAAS,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAEL,kBAAkB,EAClB,aAAa,EAGb,qBAAqB,GACtB,MAAM,uBAAuB,CAAC;AAE/B,SAAS,UAAU;IACjB,OAAO,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,gBAAgB,CAAC,CAAC,CAAC;AAClE,CAAC;AAED,SAAS,SAAS,CAAC,QAAgB,EAAE,IAAa;IAChD,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAC1D,EAAE,CAAC,aAAa,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;AAC5D,CAAC;AAED,QAAQ,CAAC,+CAA+C,EAAE,GAAG,EAAE;IAC7D,IAAI,GAAW,CAAC;IAChB,IAAI,aAAqB,CAAC;IAC1B,IAAI,aAAqB,CAAC;IAE1B,UAAU,CAAC,GAAG,EAAE;QACd,GAAG,GAAG,UAAU,EAAE,CAAC;QACnB,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,QAAQ,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;QAClE,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,EAAE,aAAa,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;IAC1F,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,EAAE,CAAC,MAAM,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,uEAAuE,EAAE,GAAG,EAAE;QAC/E,6DAA6D;QAC7D,uEAAuE;QACvE,MAAM,UAAU,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,qBAAqB,EAAE,CAAC;QACjF,SAAS,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QACrC,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEjE,2DAA2D;QAC3D,MAAM,UAAU,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,oBAAoB,EAAE,CAAC;QAChF,SAAS,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QACrC,MAAM,CAAC,qBAAqB,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAExD,2DAA2D;QAC3D,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAEnE,CAAC;QACF,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAE1D,iEAAiE;QACjE,MAAM,YAAY,GAAG,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QACjE,MAAM,CAAC,YAAY,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;QAC5C,MAAM,CAAC,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAEhE,+DAA+D;QAC/D,MAAM,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACrD,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAEnE,CAAC;QACF,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,oBAAoB,CAAC,CAAC;QAEzD,oEAAoE;QACpE,MAAM,UAAU,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,qBAAqB,EAAE,CAAC;QACjF,SAAS,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QACrC,MAAM,SAAS,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAEnE,CAAC;QACF,MAAM,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAE1D,iCAAiC;QACjC,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,YAAY,CAAC,QAAS,EAAE,OAAO,CAAC,CAElF,CAAC;QACF,MAAM,CAAC,eAAe,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8DAA8D,EAAE,GAAG,EAAE;QACtE,8CAA8C;QAC9C,MAAM,UAAU,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,qBAAqB,EAAE,CAAC;QACjF,SAAS,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QAErC,+DAA+D;QAC/D,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAE/D,0DAA0D;QAC1D,MAAM,MAAM,GAAG,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QAC3D,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACjC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,aAAa,EAAE,CAAC,CAAC,qBAAqB;QAE9D,+BAA+B;QAC/B,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAA4B,CAAC;QAC5F,MAAM,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,qBAAqB,CAAC,CAAC;QAErD,uDAAuD;QACvD,SAAS,CAAC,aAAa,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,eAAe,EAAE,CAAC,CAAC;QAClF,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAA4B,CAAC;QAC7F,MAAM,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,MAAM,MAAM,GAAG,CAAC,aAAa,EAAE,aAAa,EAAE,aAAa,CAAC,CAAC;QAC7D,MAAM,UAAU,GAAG,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,cAAc,EAAE,CAAC;QAC1E,SAAS,CAAC,aAAa,EAAE,UAAU,CAAC,CAAC;QAErC,iCAAiC;QACjC,KAAK,MAAM,SAAS,IAAI,MAAM,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;YACrF,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAC1D,MAAM,GAAG,GAAG,aAAa,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC;YACnD,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChC,CAAC;QAED,sBAAsB;QACtB,KAAK,MAAM,SAAS,IAAI,MAAM,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;YACrF,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAA4B,CAAC;YAC1F,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACnD,CAAC;QAED,6DAA6D;QAC7D,SAAS,CAAC,aAAa,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,aAAa,EAAE,CAAC,CAAC;QAChF,KAAK,MAAM,SAAS,IAAI,MAAM,EAAE,CAAC;YAC/B,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,eAAe,EAAE,SAAS,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC;YACrF,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAA4B,CAAC;YAC1F,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qEAAqE,EAAE,KAAK,IAAI,EAAE;QACnF,yCAAyC;QACzC,SAAS,CAAC,aAAa,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,UAAU,EAAE,CAAC,CAAC;QAC7E,EAAE,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAC/D,aAAa,CAAC,aAAa,EAAE,aAAa,CAAC,CAAC;QAC5C,MAAM,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAErD,6DAA6D;QAC7D,EAAE,CAAC,UAAU,CAAC,aAAa,CAAC,CAAC;QAC7B,MAAM,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAEtD,wEAAwE;QACxE,uDAAuD;QACvD,8DAA8D;QAC9D,MAAM,KAAK,GAAG,EAAE,CAAC,SAAS,CAAC,aAAa,CAAC,CAAC;QAC1C,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAE1C,oBAAoB;QACpB,SAAS,CAAC,aAAa,EAAE,EAAE,QAAQ,EAAE,WAAW,EAAE,WAAW,EAAE,gBAAgB,EAAE,CAAC,CAAC;QACnF,MAAM,CAAC,kBAAkB,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAErD,gCAAgC;QAChC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC,YAAY,CAAC,aAAa,EAAE,OAAO,CAAC,CAA4B,CAAC;QAC/F,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/auth-guard.test.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Unit tests for auth-guard.ts — Epics #470 + #490
+ *
+ * Tests:
+ *  1. validateCanonicalAuth — detects valid/invalid/missing canonical auth
+ *  2. isValidAuthSymlink — detects valid/broken/missing/regular-file symlinks
+ *  3. linkAgentAuth — creates symlink, backs up regular files, removes stale symlinks
+ *  4. ensureAgentAuthLink — full link-or-repair flow
+ *  5. preflightAgentAuth — preflight with retry semantics
+ *  6. startAuthHealthWatcher — periodic check, backoff, event emission
+ *  7. runAuthDoctor — discovery + optional repair
+ *  8. isTempPath — temp path detection (#490)
+ *  9. validateAuthSchema — schema validation incl. auth.type field (#490)
+ * 10. writeRealAuthFile — real-file fallback when symlinking fails (#490)
+ * 11. getSymlinkTempTarget — detects temp-path symlink targets (#490)
+ */
+export {};