@blackbelt-technology/pi-agent-dashboard 0.2.0

package/packages/server/src/__tests__/provider-auth-routes.test.ts

@@ -0,0 +1,143 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+// Mock the storage and handlers to avoid touching real auth.json
+vi.mock("../provider-auth-storage.js", () => ({
+  getOAuthProvidersMeta: () => [
+    { id: "anthropic", name: "Anthropic", flowType: "auth_code" },
+    { id: "github-copilot", name: "GitHub Copilot", flowType: "device_code" },
+  ],
+  getAuthStatus: () => [
+    { id: "anthropic", name: "Anthropic", flowType: "auth_code", authenticated: false },
+    { id: "github-copilot", name: "GitHub Copilot", flowType: "device_code", authenticated: true, expires: Date.now() + 86400000 },
+  ],
+  writeCredential: vi.fn(),
+  removeCredential: vi.fn(),
+  resolveAuthJsonKey: (id: string) => id,
+}));
+
+// Mock the callback server to avoid opening real ports
+vi.mock("../oauth-callback-server.js", () => ({
+  startCallbackServer: vi.fn().mockResolvedValue({
+    closed: new Promise(() => {}),
+    close: vi.fn().mockResolvedValue(undefined),
+  }),
+}));
+
+// Mock child_process.exec to avoid opening a browser
+vi.mock("node:child_process", () => ({
+  exec: vi.fn(),
+}));
+
+import Fastify from "fastify";
+import { registerProviderAuthRoutes } from "../routes/provider-auth-routes.js";
+
+function createMockPiGateway() {
+  return {
+    broadcast: vi.fn(),
+    start: vi.fn(),
+    stop: vi.fn(),
+    sendToSession: vi.fn(),
+    connectionCount: () => 0,
+    findSessionByCwd: () => undefined,
+    getConnectedSessionIds: () => [],
+    isSessionConnected: () => false,
+  } as any;
+}
+
+describe("provider-auth-routes", () => {
+  let app: ReturnType<typeof Fastify>;
+  let piGateway: ReturnType<typeof createMockPiGateway>;
+
+  beforeEach(async () => {
+    app = Fastify();
+    piGateway = createMockPiGateway();
+    registerProviderAuthRoutes(app, { piGateway });
+    await app.ready();
+  });
+
+  it("GET /api/provider-auth/providers returns OAuth provider list", async () => {
+    const res = await app.inject({ method: "GET", url: "/api/provider-auth/providers" });
+    expect(res.statusCode).toBe(200);
+    const data = JSON.parse(res.payload);
+    expect(data).toHaveLength(2);
+    expect(data[0].id).toBe("anthropic");
+  });
+
+  it("GET /api/provider-auth/status returns all provider statuses", async () => {
+    const res = await app.inject({ method: "GET", url: "/api/provider-auth/status" });
+    expect(res.statusCode).toBe(200);
+    const data = JSON.parse(res.payload);
+    expect(data).toHaveLength(2);
+    expect(data[0].authenticated).toBe(false);
+    expect(data[1].authenticated).toBe(true);
+  });
+
+  it("POST /api/provider-auth/authorize returns authUrl with correct redirect URI", async () => {
+    const { startCallbackServer } = await import("../oauth-callback-server.js");
+    const res = await app.inject({
+      method: "POST",
+      url: "/api/provider-auth/authorize",
+      payload: { provider: "anthropic" },
+    });
+    expect(res.statusCode).toBe(200);
+    const data = JSON.parse(res.payload);
+    expect(data.flowId).toBeTruthy();
+    expect(data.authUrl).toContain("claude.ai/oauth/authorize");
+    // Verify redirect URI uses the registered callback port/path
+    expect(data.authUrl).toContain(encodeURIComponent("http://localhost:53692/callback"));
+    // Verify callback server was started
+    expect(startCallbackServer).toHaveBeenCalledWith(
+      expect.objectContaining({
+        providerId: "anthropic",
+        port: 53692,
+        path: "/callback",
+      }),
+    );
+  });
+
+  it("POST /api/provider-auth/authorize rejects unknown provider", async () => {
+    const res = await app.inject({
+      method: "POST",
+      url: "/api/provider-auth/authorize",
+      payload: { provider: "nope" },
+    });
+    expect(res.statusCode).toBe(400);
+  });
+
+  // /exchange endpoint removed — token exchange happens in the callback server's onCode
+
+  it("PUT /api/provider-auth/api-key saves and notifies", async () => {
+    const { writeCredential } = await import("../provider-auth-storage.js");
+    const res = await app.inject({
+      method: "PUT",
+      url: "/api/provider-auth/api-key",
+      payload: { provider: "openai", key: "sk-test" },
+    });
+    expect(res.statusCode).toBe(200);
+    expect(JSON.parse(res.payload).ok).toBe(true);
+    expect(writeCredential).toHaveBeenCalledWith("openai", { type: "api_key", key: "sk-test" });
+    expect(piGateway.broadcast).toHaveBeenCalledWith({ type: "credentials_updated" });
+  });
+
+  it("DELETE /api/provider-auth/:provider removes and notifies", async () => {
+    const { removeCredential } = await import("../provider-auth-storage.js");
+    const res = await app.inject({
+      method: "DELETE",
+      url: "/api/provider-auth/anthropic",
+    });
+    expect(res.statusCode).toBe(200);
+    expect(removeCredential).toHaveBeenCalledWith("anthropic");
+    expect(piGateway.broadcast).toHaveBeenCalledWith({ type: "credentials_updated" });
+  });
+
+  // /callback/:provider route removed — temp callback server handles this directly
+
+  it("POST /api/provider-auth/device-code rejects auth_code provider", async () => {
+    const res = await app.inject({
+      method: "POST",
+      url: "/api/provider-auth/device-code",
+      payload: { provider: "anthropic" },
+    });
+    expect(res.statusCode).toBe(400);
+  });
+});

package/packages/server/src/__tests__/provider-auth-storage.test.ts

@@ -0,0 +1,114 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+
+// We test by importing the module and using a temp directory
+// Since the module uses hardcoded paths, we mock fs operations
+
+describe("provider-auth-storage", () => {
+  const authDir = path.join(os.homedir(), ".pi", "agent");
+  const authPath = path.join(authDir, "auth.json");
+  let originalContent: string | null = null;
+
+  beforeEach(() => {
+    // Backup existing auth.json
+    try {
+      originalContent = fs.readFileSync(authPath, "utf-8");
+    } catch {
+      originalContent = null;
+    }
+  });
+
+  afterEach(() => {
+    // Restore original auth.json
+    if (originalContent !== null) {
+      fs.writeFileSync(authPath, originalContent);
+    }
+  });
+
+  it("readAuthJson returns empty object when file does not exist", async () => {
+    // Use dynamic import to get fresh module
+    const { readAuthJson } = await import("../provider-auth-storage.js");
+    // readAuthJson handles ENOENT gracefully
+    const result = readAuthJson();
+    expect(typeof result).toBe("object");
+  });
+
+  it("writeCredential and readAuthJson roundtrip", async () => {
+    const { writeCredential, readAuthJson } = await import("../provider-auth-storage.js");
+    const cred = { type: "api_key" as const, key: "test-key-123" };
+    writeCredential("test-provider", cred);
+    const data = readAuthJson();
+    expect(data["test-provider"]).toEqual(cred);
+    // Cleanup
+    const { removeCredential } = await import("../provider-auth-storage.js");
+    removeCredential("test-provider");
+  });
+
+  it("removeCredential removes the entry", async () => {
+    const { writeCredential, removeCredential, readAuthJson } = await import("../provider-auth-storage.js");
+    writeCredential("test-remove", { type: "api_key" as const, key: "x" });
+    removeCredential("test-remove");
+    const data = readAuthJson();
+    expect(data["test-remove"]).toBeUndefined();
+  });
+
+  it("getAuthStatus returns all providers", async () => {
+    const { getAuthStatus } = await import("../provider-auth-storage.js");
+    const statuses = getAuthStatus();
+    // Should have at least the 5 OAuth providers
+    const oauthIds = statuses.filter((s) => s.flowType !== "api_key").map((s) => s.id);
+    expect(oauthIds).toContain("anthropic");
+    expect(oauthIds).toContain("openai-codex");
+    expect(oauthIds).toContain("github-copilot");
+    expect(oauthIds).toContain("google-gemini-cli");
+    expect(oauthIds).toContain("google-antigravity");
+  });
+
+  it("getAuthStatus includes zai provider with flowType api_key", async () => {
+    const { getAuthStatus } = await import("../provider-auth-storage.js");
+    const statuses = getAuthStatus();
+    const zai = statuses.find((s) => s.id === "zai");
+    expect(zai).toBeDefined();
+    expect(zai!.name).toBe("Z.ai");
+    expect(zai!.flowType).toBe("api_key");
+  });
+
+  it("masking shows first 5 + ... + last 3 for keys >= 12 chars", async () => {
+    const { writeCredential, getAuthStatus, removeCredential } = await import("../provider-auth-storage.js");
+    writeCredential("openai", { type: "api_key", key: "sk-abc123xyz789" });
+    try {
+      const statuses = getAuthStatus();
+      const openai = statuses.find((s) => s.id === "openai");
+      expect(openai!.maskedKey).toBe("sk-ab...789");
+    } finally {
+      removeCredential("openai");
+    }
+  });
+
+  it("masking returns **** for keys < 12 chars", async () => {
+    const { writeCredential, getAuthStatus, removeCredential } = await import("../provider-auth-storage.js");
+    writeCredential("openai", { type: "api_key", key: "shortkey" });
+    try {
+      const statuses = getAuthStatus();
+      const openai = statuses.find((s) => s.id === "openai");
+      expect(openai!.maskedKey).toBe("****");
+    } finally {
+      removeCredential("openai");
+    }
+  });
+
+  it("empty key string results in authenticated false with no maskedKey", async () => {
+    const { writeCredential, getAuthStatus, removeCredential } = await import("../provider-auth-storage.js");
+    writeCredential("openai", { type: "api_key", key: "" });
+    try {
+      const statuses = getAuthStatus();
+      const openai = statuses.find((s) => s.id === "openai");
+      expect(openai!.authenticated).toBe(false);
+      expect(openai!.maskedKey).toBeUndefined();
+    } finally {
+      removeCredential("openai");
+    }
+  });
+});

package/packages/server/src/__tests__/resolve-path.test.ts

@@ -0,0 +1,38 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import fs from "node:fs";
+import { safeRealpathSync } from "../resolve-path.js";
+
+describe("safeRealpathSync", () => {
+  it("resolves a real path", () => {
+    // process.cwd() is always a real path
+    const result = safeRealpathSync(process.cwd());
+    expect(result).toBe(fs.realpathSync(process.cwd()));
+  });
+
+  it("falls back to original when path does not exist", () => {
+    const fakePath = "/nonexistent/path/that/does/not/exist";
+    const result = safeRealpathSync(fakePath);
+    expect(result).toBe(fakePath);
+  });
+
+  it("resolves symlinks", () => {
+    const os = require("node:os");
+    const path = require("node:path");
+    const tmpDir = fs.mkdtempSync(path.join(os.tmpdir(), "resolve-test-"));
+    const realDir = path.join(tmpDir, "real");
+    const linkDir = path.join(tmpDir, "link");
+
+    const realTmpDir = fs.realpathSync(tmpDir);
+    const target = path.join(realTmpDir, "real");
+    const link = path.join(realTmpDir, "link");
+
+    fs.mkdirSync(target);
+    fs.symlinkSync(target, link);
+
+    try {
+      expect(safeRealpathSync(link)).toBe(target);
+    } finally {
+      fs.rmSync(realTmpDir, { recursive: true });
+    }
+  });
+});

package/packages/server/src/__tests__/ring-buffer.test.ts

@@ -0,0 +1,45 @@
+import { describe, it, expect } from "vitest";
+import { RingBuffer } from "../terminal-manager.js";
+
+describe("RingBuffer", () => {
+  it("stores and returns written data", () => {
+    const buf = new RingBuffer(64);
+    buf.write(Buffer.from("hello"));
+    expect(buf.contents().toString()).toBe("hello");
+  });
+
+  it("appends multiple writes", () => {
+    const buf = new RingBuffer(64);
+    buf.write(Buffer.from("hello "));
+    buf.write(Buffer.from("world"));
+    expect(buf.contents().toString()).toBe("hello world");
+  });
+
+  it("returns empty buffer when nothing written", () => {
+    const buf = new RingBuffer(64);
+    expect(buf.contents().length).toBe(0);
+  });
+
+  it("overwrites oldest data when capacity exceeded", () => {
+    const buf = new RingBuffer(8);
+    buf.write(Buffer.from("12345678")); // fills exactly
+    buf.write(Buffer.from("AB")); // overwrites first 2
+    expect(buf.contents().toString()).toBe("345678AB");
+  });
+
+  it("handles write larger than capacity", () => {
+    const buf = new RingBuffer(4);
+    buf.write(Buffer.from("ABCDEFGH"));
+    // Only last 4 bytes should remain
+    expect(buf.contents().toString()).toBe("EFGH");
+  });
+
+  it("handles many small writes wrapping around", () => {
+    const buf = new RingBuffer(6);
+    buf.write(Buffer.from("AAA"));
+    buf.write(Buffer.from("BBB"));
+    buf.write(Buffer.from("CC"));
+    // Should have BBBCC... last 6 = "BBBCC" wait: AAA + BBB = 6 bytes exactly, then CC overwrites first 2
+    expect(buf.contents().toString()).toBe("ABBBCC");
+  });
+});

package/packages/server/src/__tests__/server-pid.test.ts

@@ -0,0 +1,89 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import fs from "node:fs";
+import path from "node:path";
+import os from "node:os";
+import { writePid, readPid, removePid, isProcessAlive } from "../server-pid.js";
+
+describe("server-pid", () => {
+  const tmpDir = path.join(os.tmpdir(), "pi-dashboard-test-pid-" + process.pid);
+  const pidPath = path.join(tmpDir, "server.pid");
+  const opts = { pidPath };
+
+  beforeEach(() => {
+    fs.mkdirSync(tmpDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    fs.rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  describe("writePid", () => {
+    it("writes PID to file", () => {
+      writePid(12345, opts);
+      const content = fs.readFileSync(pidPath, "utf-8").trim();
+      expect(content).toBe("12345");
+    });
+
+    it("creates parent directories", () => {
+      const nestedPath = path.join(tmpDir, "nested", "dir", "server.pid");
+      writePid(99, { pidPath: nestedPath });
+      expect(fs.existsSync(nestedPath)).toBe(true);
+    });
+  });
+
+  describe("readPid", () => {
+    it("reads PID from file", () => {
+      fs.writeFileSync(pidPath, "42\n");
+      expect(readPid(opts)).toBe(42);
+    });
+
+    it("returns null for missing file", () => {
+      expect(readPid(opts)).toBeNull();
+    });
+
+    it("returns null for invalid content", () => {
+      fs.writeFileSync(pidPath, "not-a-number\n");
+      expect(readPid(opts)).toBeNull();
+    });
+
+    it("returns null for zero", () => {
+      fs.writeFileSync(pidPath, "0\n");
+      expect(readPid(opts)).toBeNull();
+    });
+
+    it("returns null for negative number", () => {
+      fs.writeFileSync(pidPath, "-1\n");
+      expect(readPid(opts)).toBeNull();
+    });
+  });
+
+  describe("removePid", () => {
+    it("removes existing PID file", () => {
+      fs.writeFileSync(pidPath, "42\n");
+      removePid(opts);
+      expect(fs.existsSync(pidPath)).toBe(false);
+    });
+
+    it("does not throw for missing file", () => {
+      expect(() => removePid(opts)).not.toThrow();
+    });
+  });
+
+  describe("isProcessAlive", () => {
+    it("returns true for current process", () => {
+      expect(isProcessAlive(process.pid)).toBe(true);
+    });
+
+    it("returns false for non-existent PID", () => {
+      // Use a very high PID that's unlikely to exist
+      expect(isProcessAlive(999999999)).toBe(false);
+    });
+  });
+
+  describe("writePid + readPid roundtrip", () => {
+    it("can write and read back", () => {
+      writePid(55555, opts);
+      expect(readPid(opts)).toBe(55555);
+    });
+  });
+});

package/packages/server/src/__tests__/session-api.test.ts

@@ -0,0 +1,244 @@
+/**
+ * Tests for session control REST API endpoints (session-api.ts).
+ */
+import { describe, it, expect, afterAll, beforeAll, vi } from "vitest";
+import { createServer, type DashboardServer } from "../server.js";
+
+const httpPort = 19200;
+const piPort = 19201;
+let server: DashboardServer;
+
+// Mock spawnPiSession to avoid actually spawning processes
+vi.mock("../process-manager.js", async (importOriginal) => {
+  const orig: any = await importOriginal();
+  return {
+    ...orig,
+    spawnPiSession: vi.fn().mockResolvedValue({ success: true, message: "spawned" }),
+  };
+});
+
+function url(path: string) {
+  return `http://localhost:${httpPort}${path}`;
+}
+
+async function postJson(path: string, body?: Record<string, unknown>) {
+  return fetch(url(path), {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(body ?? {}),
+  });
+}
+
+/** Register a fresh session, returning its id */
+function registerSession(id: string, overrides?: Record<string, unknown>) {
+  server.sessionManager.register({
+    id,
+    cwd: "/tmp/test",
+    source: "tui" as const,
+    startedAt: Date.now(),
+    ...overrides,
+  });
+  return id;
+}
+
+describe("Session Control REST API", () => {
+  beforeAll(async () => {
+    server = await createServer({
+      port: httpPort,
+      piPort,
+      dev: true,
+      autoShutdown: false,
+      shutdownIdleSeconds: 999,
+      tunnel: false,
+    editor: { idleTimeoutMinutes: 10, maxInstances: 3 },
+    });
+    await server.start();
+  });
+
+  afterAll(async () => {
+    if (server) {
+      try { await server.stop(); } catch { /* */ }
+    }
+  });
+
+  // ── prompt ──────────────────────────────────────────────────────
+
+  it("POST /api/session/:id/prompt — 404 for unknown session", async () => {
+    const res = await postJson("/api/session/unknown-id/prompt", { text: "hello" });
+    expect(res.status).toBe(404);
+    const body = await res.json();
+    expect(body.success).toBe(false);
+    expect(body.error).toBe("session not found");
+  });
+
+  it("POST /api/session/:id/prompt — 400 when text missing", async () => {
+    const res = await postJson("/api/session/any-id/prompt", {});
+    expect(res.status).toBe(400);
+    expect((await res.json()).error).toBe("text is required");
+  });
+
+  it("POST /api/session/:id/prompt — 502 when no bridge connection", async () => {
+    registerSession("prompt-no-bridge");
+    const res = await postJson("/api/session/prompt-no-bridge/prompt", { text: "hello" });
+    expect(res.status).toBe(502);
+    expect((await res.json()).error).toBe("no bridge connection for session");
+  });
+
+  // ── abort ───────────────────────────────────────────────────────
+
+  it("POST /api/session/:id/abort — 404 for unknown", async () => {
+    const res = await postJson("/api/session/unknown/abort");
+    expect(res.status).toBe(404);
+  });
+
+  it("POST /api/session/:id/abort — success for known session", async () => {
+    registerSession("abort-ok");
+    const res = await postJson("/api/session/abort-ok/abort");
+    expect(res.status).toBe(200);
+    expect((await res.json()).success).toBe(true);
+  });
+
+  // ── shutdown ────────────────────────────────────────────────────
+
+  it("POST /api/session/:id/shutdown — 404 for unknown", async () => {
+    const res = await postJson("/api/session/unknown/shutdown");
+    expect(res.status).toBe(404);
+  });
+
+  it("POST /api/session/:id/shutdown — unregisters session", async () => {
+    registerSession("shutdown-me");
+    const res = await postJson("/api/session/shutdown-me/shutdown");
+    expect(res.status).toBe(200);
+    expect((await res.json()).success).toBe(true);
+    expect(server.sessionManager.get("shutdown-me")?.status).toBe("ended");
+  });
+
+  // ── rename ──────────────────────────────────────────────────────
+
+  it("POST /api/session/:id/rename — 400 when name missing", async () => {
+    const res = await postJson("/api/session/any/rename", {});
+    expect(res.status).toBe(400);
+  });
+
+  it("POST /api/session/:id/rename — renames session", async () => {
+    registerSession("rename-me");
+    const res = await postJson("/api/session/rename-me/rename", { name: "new-name" });
+    expect(res.status).toBe(200);
+    expect(server.sessionManager.get("rename-me")?.name).toBe("new-name");
+  });
+
+  // ── hide/unhide ─────────────────────────────────────────────────
+
+  it("POST /api/session/:id/hide — hides session", async () => {
+    registerSession("hide-me");
+    const res = await postJson("/api/session/hide-me/hide");
+    expect(res.status).toBe(200);
+    expect(server.sessionManager.get("hide-me")?.hidden).toBe(true);
+  });
+
+  it("POST /api/session/:id/unhide — unhides session", async () => {
+    registerSession("unhide-me");
+    server.sessionManager.update("unhide-me", { hidden: true });
+    const res = await postJson("/api/session/unhide-me/unhide");
+    expect(res.status).toBe(200);
+    expect(server.sessionManager.get("unhide-me")?.hidden).toBe(false);
+  });
+
+  // ── spawn ───────────────────────────────────────────────────────
+
+  it("POST /api/session/spawn — 400 when cwd missing", async () => {
+    const res = await postJson("/api/session/spawn", {});
+    expect(res.status).toBe(400);
+  });
+
+  it("POST /api/session/spawn — success with valid cwd", async () => {
+    const res = await postJson("/api/session/spawn", { cwd: "/tmp/project" });
+    expect(res.status).toBe(200);
+    expect((await res.json()).success).toBe(true);
+  });
+
+  // ── resume ──────────────────────────────────────────────────────
+
+  it("POST /api/session/:id/resume — 400 for invalid mode", async () => {
+    const res = await postJson("/api/session/any/resume", { mode: "invalid" });
+    expect(res.status).toBe(400);
+  });
+
+  it("POST /api/session/:id/resume — 404 for unknown session", async () => {
+    const res = await postJson("/api/session/unknown/resume", { mode: "continue" });
+    expect(res.status).toBe(404);
+  });
+
+  it("POST /api/session/:id/resume — 409 if session still active", async () => {
+    registerSession("resume-active", { sessionFile: "/path/session.jsonl" });
+    const res = await postJson("/api/session/resume-active/resume", { mode: "continue" });
+    expect(res.status).toBe(409);
+  });
+
+  // ── flow-control ────────────────────────────────────────────────
+
+  it("POST /api/session/:id/flow-control — 400 for invalid action", async () => {
+    const res = await postJson("/api/session/any/flow-control", { action: "invalid" });
+    expect(res.status).toBe(400);
+  });
+
+  it("POST /api/session/:id/flow-control — success", async () => {
+    registerSession("flow-ctrl");
+    const res = await postJson("/api/session/flow-ctrl/flow-control", { action: "abort" });
+    expect(res.status).toBe(200);
+    expect((await res.json()).success).toBe(true);
+  });
+
+  // ── model ───────────────────────────────────────────────────────
+
+  it("POST /api/session/:id/model — 400 when missing fields", async () => {
+    const res = await postJson("/api/session/any/model", { provider: "anthropic" });
+    expect(res.status).toBe(400);
+  });
+
+  it("POST /api/session/:id/model — success", async () => {
+    registerSession("model-set");
+    const res = await postJson("/api/session/model-set/model", {
+      provider: "anthropic",
+      modelId: "claude-sonnet-4-20250514",
+    });
+    expect(res.status).toBe(200);
+  });
+
+  // ── thinking-level ──────────────────────────────────────────────
+
+  it("POST /api/session/:id/thinking-level — 400 when missing", async () => {
+    const res = await postJson("/api/session/any/thinking-level", {});
+    expect(res.status).toBe(400);
+  });
+
+  it("POST /api/session/:id/thinking-level — success", async () => {
+    registerSession("think-set");
+    const res = await postJson("/api/session/think-set/thinking-level", { level: "high" });
+    expect(res.status).toBe(200);
+  });
+
+  // ── attach/detach proposal ──────────────────────────────────────
+
+  it("POST /api/session/:id/attach-proposal — 400 when changeName missing", async () => {
+    const res = await postJson("/api/session/any/attach-proposal", {});
+    expect(res.status).toBe(400);
+  });
+
+  it("POST /api/session/:id/attach-proposal — attaches and auto-names", async () => {
+    registerSession("attach-me");
+    const res = await postJson("/api/session/attach-me/attach-proposal", { changeName: "add-feature" });
+    expect(res.status).toBe(200);
+    const session = server.sessionManager.get("attach-me");
+    expect(session?.attachedProposal).toBe("add-feature");
+    expect(session?.name).toBe("add-feature"); // auto-named
+  });
+
+  it("POST /api/session/:id/detach-proposal — detaches", async () => {
+    registerSession("detach-me");
+    server.sessionManager.update("detach-me", { attachedProposal: "some-change" });
+    const res = await postJson("/api/session/detach-me/detach-proposal");
+    expect(res.status).toBe(200);
+    expect(server.sessionManager.get("detach-me")?.attachedProposal).toBeNull();
+  });
+});