@desplega.ai/agent-swarm 1.71.2 → 1.72.0

package/src/tests/budget-refusal-notification.test.ts

@@ -0,0 +1,324 @@
+// Phase 5: lead-facing budget refusal notification tests.
+//
+// Exercises `handlePoll` end-to-end with a tripped budget gate to assert:
+//   - The first refusal of (task, day) creates exactly one follow-up task
+//     owned by the lead, with Slack context inherited from the refused task.
+//   - Same-day repeat refusals create ZERO additional follow-ups (dedup).
+//   - The dedup row's `follow_up_task_id` is populated with the new task id.
+//   - A subsequent refusal on a different UTC day creates a new follow-up
+//     (the `(task_id, date)` PK rolls over).
+//   - Each refusal — first or repeat — reaches the workflow event bus.
+//
+// Tests directly invoke `handlePoll` with mocked req/res, identical to the
+// pattern used by `budget-claim-gate.test.ts`.
+
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import {
+  closeDb,
+  createAgent,
+  createSessionCost,
+  createTaskExtended,
+  getBudgetRefusalNotification,
+  getDb,
+  initDb,
+} from "../be/db";
+import { handlePoll } from "../http/poll";
+import { workflowEventBus } from "../workflows/event-bus";
+
+const TEST_DB_PATH = "./test-budget-refusal-notification.sqlite";
+
+async function removeDbFiles(path: string): Promise<void> {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(path + suffix);
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code !== "ENOENT") throw error;
+    }
+  }
+}
+
+beforeAll(() => {
+  initDb(TEST_DB_PATH);
+});
+
+afterAll(async () => {
+  closeDb();
+  await removeDbFiles(TEST_DB_PATH);
+});
+
+beforeEach(() => {
+  const db = getDb();
+  db.prepare("DELETE FROM session_costs").run();
+  db.prepare("DELETE FROM budget_refusal_notifications").run();
+  db.prepare("DELETE FROM budgets").run();
+  db.prepare("DELETE FROM agent_tasks").run();
+  db.prepare("DELETE FROM agents").run();
+});
+
+// ─── Helpers ────────────────────────────────────────────────────────────────
+
+interface PollResponse {
+  status: number;
+  body: { trigger: { type: string; [key: string]: unknown } | null } | { error: string };
+}
+
+async function callPoll(agentId: string | undefined): Promise<PollResponse> {
+  let status = 200;
+  let bodyStr = "";
+  const headers: Record<string, string> = {};
+
+  const req = {
+    method: "GET",
+    url: "/api/poll",
+    headers: agentId ? { "x-agent-id": agentId } : {},
+  } as unknown as Parameters<typeof handlePoll>[0];
+
+  const res = {
+    setHeader(name: string, value: string) {
+      headers[name.toLowerCase()] = value;
+    },
+    writeHead(code: number, h?: Record<string, string>) {
+      status = code;
+      if (h) {
+        for (const [k, v] of Object.entries(h)) headers[k.toLowerCase()] = v;
+      }
+    },
+    end(body?: string) {
+      bodyStr = body ?? "";
+    },
+  } as unknown as Parameters<typeof handlePoll>[1];
+
+  const handled = await handlePoll(req, res, ["api", "poll"], new URLSearchParams(), agentId);
+  if (!handled) throw new Error("handlePoll did not handle the request");
+  return { status, body: bodyStr ? JSON.parse(bodyStr) : null };
+}
+
+function insertBudget(scope: "global" | "agent", scopeId: string, dailyBudgetUsd: number): void {
+  const now = Date.now();
+  getDb()
+    .prepare(
+      "INSERT INTO budgets (scope, scope_id, daily_budget_usd, createdAt, lastUpdatedAt) VALUES (?, ?, ?, ?, ?)",
+    )
+    .run(scope, scopeId, dailyBudgetUsd, now, now);
+}
+
+function insertSpend(agentId: string, totalCostUsd: number): void {
+  createSessionCost({
+    sessionId: `sess-${crypto.randomUUID()}`,
+    agentId,
+    totalCostUsd,
+    durationMs: 1_000,
+    numTurns: 1,
+    model: "test-model",
+  });
+}
+
+function todayUtc(): string {
+  return new Date().toISOString().slice(0, 10);
+}
+
+interface FollowUpRow {
+  id: string;
+  agentId: string | null;
+  parentTaskId: string | null;
+  taskType: string | null;
+  task: string;
+  slackChannelId: string | null;
+  slackThreadTs: string | null;
+  slackUserId: string | null;
+  source: string;
+}
+
+function listFollowUpTasks(parentTaskId: string): FollowUpRow[] {
+  return getDb()
+    .prepare<FollowUpRow, [string]>(
+      `SELECT id, agentId, parentTaskId, taskType, task, slackChannelId, slackThreadTs, slackUserId, source
+       FROM agent_tasks
+       WHERE parentTaskId = ? AND taskType = 'follow-up'
+       ORDER BY createdAt ASC`,
+    )
+    .all(parentTaskId);
+}
+
+// Brief microtask-pump helper. The workflow bus emit goes through a dynamic
+// `import().then(...)` in budget-refusal-notify.ts, so we wait one tick for
+// the listener to fire before asserting.
+async function waitForBusEmit(): Promise<void> {
+  // Two macrotask ticks plus a couple of microtask flushes is overkill but
+  // makes the test deterministic regardless of import-cache state.
+  await new Promise((resolve) => setTimeout(resolve, 10));
+}
+
+// ─── Tests ──────────────────────────────────────────────────────────────────
+
+describe("Phase 5 — budget refusal lead notification + dedup", () => {
+  test("first refusal creates exactly one lead-owned follow-up task with Slack context", async () => {
+    const lead = createAgent({ name: "lead-1", isLead: true, status: "idle", maxTasks: 5 });
+    const worker = createAgent({ name: "worker-1", isLead: false, status: "idle", maxTasks: 1 });
+    insertBudget("agent", worker.id, 0.01);
+    insertSpend(worker.id, 0.05);
+
+    const parentTask = createTaskExtended("over-budget task", {
+      agentId: worker.id,
+      slackChannelId: "C_TEST_1",
+      slackThreadTs: "1700000000.000001",
+      slackUserId: "U_REPORTER_1",
+    });
+
+    const { body } = await callPoll(worker.id);
+    if ("error" in body) throw new Error("unexpected error response");
+    expect(body.trigger?.type).toBe("budget_refused");
+
+    const followUps = listFollowUpTasks(parentTask.id);
+    expect(followUps).toHaveLength(1);
+    const followUp = followUps[0]!;
+    expect(followUp.agentId).toBe(lead.id);
+    expect(followUp.taskType).toBe("follow-up");
+    expect(followUp.parentTaskId).toBe(parentTask.id);
+    expect(followUp.source).toBe("system");
+    // Slack context inherited from parent.
+    expect(followUp.slackChannelId).toBe("C_TEST_1");
+    expect(followUp.slackThreadTs).toBe("1700000000.000001");
+    expect(followUp.slackUserId).toBe("U_REPORTER_1");
+    // Body contains the rendered template variables.
+    expect(followUp.task).toContain("Cause: agent");
+    expect(followUp.task).toContain("worker-1");
+    expect(followUp.task).toContain("over-budget task");
+    expect(followUp.task).toContain("$0.05 / $0.01");
+    expect(followUp.task).toContain(parentTask.id);
+  });
+
+  test("second same-day refusal creates ZERO additional follow-ups (dedup honored)", async () => {
+    createAgent({ name: "lead-2", isLead: true, status: "idle", maxTasks: 5 });
+    const worker = createAgent({ name: "worker-2", isLead: false, status: "idle", maxTasks: 1 });
+    insertBudget("agent", worker.id, 0.01);
+    insertSpend(worker.id, 0.5);
+
+    const parentTask = createTaskExtended("dedup target", { agentId: worker.id });
+
+    const r1 = await callPoll(worker.id);
+    if ("error" in r1.body) throw new Error("unexpected error response");
+    expect(r1.body.trigger?.type).toBe("budget_refused");
+    expect(listFollowUpTasks(parentTask.id)).toHaveLength(1);
+
+    // Second poll on the same UTC day — refusal repeats, but no new follow-up.
+    const r2 = await callPoll(worker.id);
+    if ("error" in r2.body) throw new Error("unexpected error response");
+    expect(r2.body.trigger?.type).toBe("budget_refused");
+    expect(listFollowUpTasks(parentTask.id)).toHaveLength(1);
+  });
+
+  test("dedup row's follow_up_task_id is written back to the new follow-up's id", async () => {
+    createAgent({ name: "lead-3", isLead: true, status: "idle", maxTasks: 5 });
+    const worker = createAgent({ name: "worker-3", isLead: false, status: "idle", maxTasks: 1 });
+    insertBudget("agent", worker.id, 0.01);
+    insertSpend(worker.id, 0.05);
+
+    const parentTask = createTaskExtended("audit-trail task", { agentId: worker.id });
+
+    await callPoll(worker.id);
+
+    const followUps = listFollowUpTasks(parentTask.id);
+    expect(followUps).toHaveLength(1);
+    const followUpId = followUps[0]!.id;
+
+    const dedupRow = getBudgetRefusalNotification(parentTask.id, todayUtc());
+    expect(dedupRow).not.toBeNull();
+    expect(dedupRow?.followUpTaskId).toBe(followUpId);
+  });
+
+  test("refusal on a NEW UTC day creates a new follow-up (PK rolls over)", async () => {
+    createAgent({ name: "lead-4", isLead: true, status: "idle", maxTasks: 5 });
+    const worker = createAgent({ name: "worker-4", isLead: false, status: "idle", maxTasks: 1 });
+    insertBudget("agent", worker.id, 0.01);
+    insertSpend(worker.id, 0.05);
+
+    const parentTask = createTaskExtended("rollover task", { agentId: worker.id });
+
+    // First refusal — first follow-up.
+    await callPoll(worker.id);
+    expect(listFollowUpTasks(parentTask.id)).toHaveLength(1);
+
+    // Simulate "yesterday already had a refusal" by manually inserting a row
+    // for a different `(task, date)` PK is the wrong approach — we instead
+    // simulate "today rolled over to tomorrow" by overwriting today's dedup
+    // row's `date` field to a yesterday placeholder, leaving the test poll
+    // to insert a fresh row for the actual current UTC date.
+    const yesterday = "1999-01-01"; // arbitrary past date guaranteed not to collide
+    getDb()
+      .prepare("UPDATE budget_refusal_notifications SET date = ? WHERE task_id = ? AND date = ?")
+      .run(yesterday, parentTask.id, todayUtc());
+
+    // Verify we moved the row.
+    expect(getBudgetRefusalNotification(parentTask.id, todayUtc())).toBeNull();
+    expect(getBudgetRefusalNotification(parentTask.id, yesterday)).not.toBeNull();
+
+    // Second refusal — fresh PK, fresh follow-up.
+    await callPoll(worker.id);
+    const followUps = listFollowUpTasks(parentTask.id);
+    expect(followUps).toHaveLength(2);
+    // The newer dedup row exists for today.
+    expect(getBudgetRefusalNotification(parentTask.id, todayUtc())).not.toBeNull();
+  });
+
+  test("workflow event bus receives task.budget_refused on every refusal (not just first)", async () => {
+    createAgent({ name: "lead-5", isLead: true, status: "idle", maxTasks: 5 });
+    const worker = createAgent({ name: "worker-5", isLead: false, status: "idle", maxTasks: 1 });
+    insertBudget("agent", worker.id, 0.01);
+    insertSpend(worker.id, 0.05);
+
+    const parentTask = createTaskExtended("event-bus task", { agentId: worker.id });
+
+    const events: Array<{ taskId: string; agentId: string; cause: string }> = [];
+    const handler = (data: unknown) => {
+      events.push(data as { taskId: string; agentId: string; cause: string });
+    };
+    workflowEventBus.on("task.budget_refused", handler);
+
+    try {
+      await callPoll(worker.id);
+      await waitForBusEmit();
+      await callPoll(worker.id);
+      await waitForBusEmit();
+
+      // Both refusals must reach the bus, even though only the first creates
+      // a follow-up task.
+      expect(events.length).toBeGreaterThanOrEqual(2);
+      for (const ev of events) {
+        expect(ev.taskId).toBe(parentTask.id);
+        expect(ev.agentId).toBe(worker.id);
+        expect(ev.cause).toBe("agent");
+      }
+    } finally {
+      workflowEventBus.off("task.budget_refused", handler);
+    }
+  });
+
+  test("no follow-up created when there's no lead agent (refusal still emits + dedup row stays)", async () => {
+    // Workers only — no lead.
+    const worker = createAgent({
+      name: "worker-no-lead",
+      isLead: false,
+      status: "idle",
+      maxTasks: 1,
+    });
+    insertBudget("agent", worker.id, 0.01);
+    insertSpend(worker.id, 0.05);
+
+    const parentTask = createTaskExtended("no-lead task", { agentId: worker.id });
+
+    const { body } = await callPoll(worker.id);
+    if ("error" in body) throw new Error("unexpected error response");
+    expect(body.trigger?.type).toBe("budget_refused");
+
+    expect(listFollowUpTasks(parentTask.id)).toHaveLength(0);
+    // The dedup row is still recorded — write-back is a best-effort step that
+    // won't run when there's no follow-up to link, but the row's existence
+    // is what serves as the operator's "the lead was already notified
+    // (theoretically)" audit signal.
+    const dedupRow = getBudgetRefusalNotification(parentTask.id, todayUtc());
+    expect(dedupRow).not.toBeNull();
+    expect(dedupRow?.followUpTaskId).toBeUndefined();
+  });
+});

package/src/tests/budgets-routes.test.ts

@@ -0,0 +1,331 @@
+// Phase 6: REST CRUD + audit-log + auth tests for /api/budgets/*.
+//
+// Spins up a real HTTP server using `handleCore` (auth gate) → `handleBudgets`
+// so we exercise the full request lifecycle including the API-key bearer
+// check. Direct invocation of `handleBudgets` would bypass auth.
+
+import { afterAll, afterEach, beforeAll, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import {
+  createServer as createHttpServer,
+  type IncomingMessage,
+  type Server,
+  type ServerResponse,
+} from "node:http";
+import {
+  closeDb,
+  getDb,
+  getLogsByEventType,
+  initDb,
+  recordBudgetRefusalNotification,
+} from "../be/db";
+import { handleBudgets } from "../http/budgets";
+import { handleCore } from "../http/core";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+
+const TEST_DB_PATH = "./test-budgets-routes.sqlite";
+const API_KEY = "test-budget-secret-key";
+
+async function removeDbFiles(path: string): Promise<void> {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(path + suffix);
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code !== "ENOENT") throw error;
+    }
+  }
+}
+
+async function listen(server: Server): Promise<number> {
+  await new Promise<void>((resolve) => server.listen(0, resolve));
+  const addr = server.address();
+  if (!addr || typeof addr === "string") throw new Error("no port");
+  return addr.port;
+}
+
+function createTestServer(apiKey: string): Server {
+  return createHttpServer(async (req: IncomingMessage, res: ServerResponse) => {
+    const myAgentId = req.headers["x-agent-id"] as string | undefined;
+    const handled = await handleCore(req, res, myAgentId, apiKey);
+    if (handled) return;
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const ok = await handleBudgets(req, res, pathSegments, queryParams, myAgentId);
+    if (!ok) {
+      res.writeHead(404);
+      res.end("Not Found");
+    }
+  });
+}
+
+let server: Server;
+let port: number;
+
+beforeAll(async () => {
+  await removeDbFiles(TEST_DB_PATH);
+  initDb(TEST_DB_PATH);
+  server = createTestServer(API_KEY);
+  port = await listen(server);
+});
+
+afterAll(async () => {
+  await new Promise<void>((resolve) => server.close(() => resolve()));
+  closeDb();
+  await removeDbFiles(TEST_DB_PATH);
+});
+
+afterEach(() => {
+  const db = getDb();
+  db.prepare("DELETE FROM budgets").run();
+  db.prepare("DELETE FROM agent_log WHERE eventType LIKE 'budget.%'").run();
+  db.prepare("DELETE FROM budget_refusal_notifications").run();
+});
+
+function authedFetch(path: string, init: RequestInit = {}): Promise<Response> {
+  return fetch(`http://localhost:${port}${path}`, {
+    ...init,
+    headers: {
+      Authorization: `Bearer ${API_KEY}`,
+      "Content-Type": "application/json",
+      ...(init.headers ?? {}),
+    },
+  });
+}
+
+describe("Phase 6 — /api/budgets REST surface", () => {
+  describe("auth", () => {
+    test("401 when Authorization header is missing", async () => {
+      const res = await fetch(`http://localhost:${port}/api/budgets`);
+      expect(res.status).toBe(401);
+    });
+
+    test("401 when bearer is wrong", async () => {
+      const res = await fetch(`http://localhost:${port}/api/budgets`, {
+        headers: { Authorization: "Bearer WRONG" },
+      });
+      expect(res.status).toBe(401);
+    });
+  });
+
+  describe("CRUD round-trip", () => {
+    test("PUT creates → GET returns 200 with the row → list includes it", async () => {
+      const agentId = "agent-uuid-1";
+      const putRes = await authedFetch(`/api/budgets/agent/${agentId}`, {
+        method: "PUT",
+        body: JSON.stringify({ dailyBudgetUsd: 5 }),
+      });
+      expect(putRes.status).toBe(200);
+      const created = await putRes.json();
+      expect(created.scope).toBe("agent");
+      expect(created.scopeId).toBe(agentId);
+      expect(created.dailyBudgetUsd).toBe(5);
+
+      const getRes = await authedFetch(`/api/budgets/agent/${agentId}`);
+      expect(getRes.status).toBe(200);
+      const fetched = await getRes.json();
+      expect(fetched.dailyBudgetUsd).toBe(5);
+
+      const listRes = await authedFetch(`/api/budgets`);
+      expect(listRes.status).toBe(200);
+      const listBody = await listRes.json();
+      expect(listBody.budgets).toBeInstanceOf(Array);
+      expect(listBody.budgets.length).toBe(1);
+      expect(listBody.budgets[0].scopeId).toBe(agentId);
+    });
+
+    test("PUT upserts an existing row", async () => {
+      const agentId = "agent-uuid-2";
+      await authedFetch(`/api/budgets/agent/${agentId}`, {
+        method: "PUT",
+        body: JSON.stringify({ dailyBudgetUsd: 1 }),
+      });
+      const putRes = await authedFetch(`/api/budgets/agent/${agentId}`, {
+        method: "PUT",
+        body: JSON.stringify({ dailyBudgetUsd: 9 }),
+      });
+      expect(putRes.status).toBe(200);
+      const updated = await putRes.json();
+      expect(updated.dailyBudgetUsd).toBe(9);
+    });
+
+    test("PUT for the global scope uses '_global' wire placeholder", async () => {
+      const putRes = await authedFetch(`/api/budgets/global/_global`, {
+        method: "PUT",
+        body: JSON.stringify({ dailyBudgetUsd: 100 }),
+      });
+      expect(putRes.status).toBe(200);
+      const created = await putRes.json();
+      expect(created.scope).toBe("global");
+      expect(created.scopeId).toBe("");
+
+      const getRes = await authedFetch(`/api/budgets/global/_global`);
+      expect(getRes.status).toBe(200);
+      const fetched = await getRes.json();
+      expect(fetched.scopeId).toBe("");
+      expect(fetched.dailyBudgetUsd).toBe(100);
+    });
+
+    test("GET returns 404 for missing budget", async () => {
+      const getRes = await authedFetch(`/api/budgets/agent/does-not-exist`);
+      expect(getRes.status).toBe(404);
+    });
+
+    test("DELETE returns 204 then 404 on subsequent GET", async () => {
+      const agentId = "agent-uuid-3";
+      await authedFetch(`/api/budgets/agent/${agentId}`, {
+        method: "PUT",
+        body: JSON.stringify({ dailyBudgetUsd: 5 }),
+      });
+      const delRes = await authedFetch(`/api/budgets/agent/${agentId}`, { method: "DELETE" });
+      expect(delRes.status).toBe(204);
+      const getRes = await authedFetch(`/api/budgets/agent/${agentId}`);
+      expect(getRes.status).toBe(404);
+    });
+
+    test("DELETE on missing row returns 404", async () => {
+      const delRes = await authedFetch(`/api/budgets/agent/never-existed`, { method: "DELETE" });
+      expect(delRes.status).toBe(404);
+    });
+
+    test("PUT 400 when dailyBudgetUsd is missing", async () => {
+      const res = await authedFetch(`/api/budgets/agent/x`, {
+        method: "PUT",
+        body: JSON.stringify({}),
+      });
+      expect(res.status).toBe(400);
+    });
+
+    test("PUT 400 when dailyBudgetUsd is negative", async () => {
+      const res = await authedFetch(`/api/budgets/agent/x`, {
+        method: "PUT",
+        body: JSON.stringify({ dailyBudgetUsd: -1 }),
+      });
+      expect(res.status).toBe(400);
+    });
+
+    test("PUT 400 on invalid scope", async () => {
+      const res = await authedFetch(`/api/budgets/team/x`, {
+        method: "PUT",
+        body: JSON.stringify({ dailyBudgetUsd: 1 }),
+      });
+      expect(res.status).toBe(400);
+    });
+  });
+
+  describe("audit logging", () => {
+    test("PUT writes a budget.upserted log row with key fingerprint and before/after", async () => {
+      const agentId = "audit-agent-1";
+      await authedFetch(`/api/budgets/agent/${agentId}`, {
+        method: "PUT",
+        body: JSON.stringify({ dailyBudgetUsd: 3 }),
+      });
+      // Update — should produce a SECOND audit row with before set.
+      await authedFetch(`/api/budgets/agent/${agentId}`, {
+        method: "PUT",
+        body: JSON.stringify({ dailyBudgetUsd: 7 }),
+      });
+
+      const logs = getLogsByEventType("budget.upserted");
+      expect(logs.length).toBe(2);
+
+      // Logs land within the same millisecond so the DESC-by-createdAt order
+      // is non-deterministic between the two. Identify them by payload shape:
+      // the insert log has `before === null`; the update log has the previous
+      // dailyBudgetUsd in `before`.
+      const metas = logs.map((l) => JSON.parse(l.metadata!));
+      const insertMeta = metas.find((m) => m.before === null)!;
+      const updateMeta = metas.find((m) => m.before !== null)!;
+
+      expect(insertMeta.scope).toBe("agent");
+      expect(insertMeta.scopeId).toBe(agentId);
+      expect(insertMeta.before).toBeNull();
+      expect(insertMeta.after.dailyBudgetUsd).toBe(3);
+      expect(insertMeta.apiKeyFingerprint).toMatch(/^[a-f0-9]{8}$/);
+      // Raw key MUST NEVER appear in the metadata payload.
+      for (const log of logs) {
+        expect(log.metadata).not.toContain(API_KEY);
+      }
+
+      expect(updateMeta.before.dailyBudgetUsd).toBe(3);
+      expect(updateMeta.after.dailyBudgetUsd).toBe(7);
+      expect(updateMeta.apiKeyFingerprint).toMatch(/^[a-f0-9]{8}$/);
+    });
+
+    test("GET /api/budgets/refusals returns recent refusals newest first", async () => {
+      // Seed three refusals across two days/agents.
+      recordBudgetRefusalNotification({
+        taskId: "task-old",
+        date: "2026-04-26",
+        agentId: "agent-A",
+        cause: "agent",
+        agentSpendUsd: 1.5,
+        agentBudgetUsd: 1.0,
+      });
+      // Force a small gap so createdAt ordering is deterministic.
+      await new Promise((r) => setTimeout(r, 5));
+      recordBudgetRefusalNotification({
+        taskId: "task-mid",
+        date: "2026-04-27",
+        agentId: "agent-B",
+        cause: "global",
+        globalSpendUsd: 50,
+        globalBudgetUsd: 40,
+      });
+      await new Promise((r) => setTimeout(r, 5));
+      recordBudgetRefusalNotification({
+        taskId: "task-new",
+        date: "2026-04-28",
+        agentId: "agent-A",
+        cause: "agent",
+        agentSpendUsd: 2.0,
+        agentBudgetUsd: 1.5,
+      });
+
+      const res = await authedFetch(`/api/budgets/refusals`);
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.refusals).toBeInstanceOf(Array);
+      expect(body.refusals.length).toBe(3);
+      // Newest first by createdAt.
+      expect(body.refusals[0].taskId).toBe("task-new");
+      expect(body.refusals[1].taskId).toBe("task-mid");
+      expect(body.refusals[2].taskId).toBe("task-old");
+      expect(body.refusals[0].cause).toBe("agent");
+      expect(body.refusals[1].cause).toBe("global");
+    });
+
+    test("GET /api/budgets/refusals respects limit query param", async () => {
+      for (let i = 0; i < 5; i++) {
+        recordBudgetRefusalNotification({
+          taskId: `task-${i}`,
+          date: "2026-04-28",
+          agentId: "agent-A",
+          cause: "agent",
+        });
+        await new Promise((r) => setTimeout(r, 2));
+      }
+      const res = await authedFetch(`/api/budgets/refusals?limit=2`);
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.refusals.length).toBe(2);
+    });
+
+    test("DELETE writes a budget.deleted log row with key fingerprint", async () => {
+      const agentId = "audit-agent-2";
+      await authedFetch(`/api/budgets/agent/${agentId}`, {
+        method: "PUT",
+        body: JSON.stringify({ dailyBudgetUsd: 4 }),
+      });
+      await authedFetch(`/api/budgets/agent/${agentId}`, { method: "DELETE" });
+
+      const logs = getLogsByEventType("budget.deleted");
+      expect(logs.length).toBe(1);
+      const meta = JSON.parse(logs[0].metadata!);
+      expect(meta.scope).toBe("agent");
+      expect(meta.scopeId).toBe(agentId);
+      expect(meta.before.dailyBudgetUsd).toBe(4);
+      expect(meta.apiKeyFingerprint).toMatch(/^[a-f0-9]{8}$/);
+      expect(logs[0].metadata).not.toContain(API_KEY);
+    });
+  });
+});