@desplega.ai/agent-swarm 1.71.2 → 1.72.0

package/src/tests/migration-046-budgets.test.ts

@@ -0,0 +1,327 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import { closeDb, getDb, initDb } from "../be/db";
+import { CODEX_MODEL_PRICING } from "../providers/codex-models";
+
+const TEST_DB_PATH = "./test-migration-046.sqlite";
+
+async function removeDbFiles(path: string): Promise<void> {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(path + suffix);
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code !== "ENOENT") {
+        throw error;
+      }
+    }
+  }
+}
+
+beforeAll(() => {
+  initDb(TEST_DB_PATH);
+});
+
+afterAll(async () => {
+  closeDb();
+  await removeDbFiles(TEST_DB_PATH);
+});
+
+interface TableInfoRow {
+  name: string;
+  type: string;
+  notnull: number;
+  pk: number;
+}
+
+interface MasterRow {
+  sql: string;
+  name: string;
+}
+
+interface CountRow {
+  cnt: number;
+}
+
+interface PricingRow {
+  provider: string;
+  model: string;
+  token_class: string;
+  effective_from: number;
+  price_per_million_usd: number;
+  createdAt: number;
+  lastUpdatedAt: number;
+}
+
+describe("migration 046 — budgets and pricing", () => {
+  test("budgets table exists with expected columns and PK", () => {
+    const db = getDb();
+    const cols = db.prepare<TableInfoRow, []>("PRAGMA table_info(budgets)").all();
+    expect(cols.length).toBeGreaterThan(0);
+
+    const colMap = new Map(cols.map((c) => [c.name, c]));
+    expect(colMap.has("scope")).toBe(true);
+    expect(colMap.has("scope_id")).toBe(true);
+    expect(colMap.has("daily_budget_usd")).toBe(true);
+    expect(colMap.has("createdAt")).toBe(true);
+    expect(colMap.has("lastUpdatedAt")).toBe(true);
+
+    // Composite PK on (scope, scope_id) — both pk fields > 0.
+    expect(colMap.get("scope")!.pk).toBeGreaterThan(0);
+    expect(colMap.get("scope_id")!.pk).toBeGreaterThan(0);
+  });
+
+  test("budgets CHECK constraints reject invalid scope and negative budget", () => {
+    const db = getDb();
+    // Valid global row.
+    db.prepare(
+      "INSERT INTO budgets (scope, scope_id, daily_budget_usd, createdAt, lastUpdatedAt) VALUES (?, ?, ?, ?, ?)",
+    ).run("global", "", 10.0, 0, 0);
+
+    // Round-trip
+    const row = db
+      .prepare<{ scope: string; scope_id: string; daily_budget_usd: number }, []>(
+        "SELECT scope, scope_id, daily_budget_usd FROM budgets WHERE scope = 'global'",
+      )
+      .get();
+    expect(row?.scope).toBe("global");
+    expect(row?.scope_id).toBe("");
+    expect(row?.daily_budget_usd).toBe(10.0);
+
+    // Inserting another row with same PK fails.
+    expect(() =>
+      db
+        .prepare(
+          "INSERT INTO budgets (scope, scope_id, daily_budget_usd, createdAt, lastUpdatedAt) VALUES (?, ?, ?, ?, ?)",
+        )
+        .run("global", "", 5.0, 0, 0),
+    ).toThrow();
+
+    // Invalid scope rejected by CHECK.
+    expect(() =>
+      db
+        .prepare(
+          "INSERT INTO budgets (scope, scope_id, daily_budget_usd, createdAt, lastUpdatedAt) VALUES (?, ?, ?, ?, ?)",
+        )
+        .run("not-a-scope", "x", 1.0, 0, 0),
+    ).toThrow();
+
+    // Negative budget rejected by CHECK.
+    expect(() =>
+      db
+        .prepare(
+          "INSERT INTO budgets (scope, scope_id, daily_budget_usd, createdAt, lastUpdatedAt) VALUES (?, ?, ?, ?, ?)",
+        )
+        .run("agent", "agent-x", -1, 0, 0),
+    ).toThrow();
+  });
+
+  test("pricing table exists with expected columns and composite PK", () => {
+    const db = getDb();
+    const cols = db.prepare<TableInfoRow, []>("PRAGMA table_info(pricing)").all();
+    expect(cols.length).toBeGreaterThan(0);
+
+    const colMap = new Map(cols.map((c) => [c.name, c]));
+    expect(colMap.has("provider")).toBe(true);
+    expect(colMap.has("model")).toBe(true);
+    expect(colMap.has("token_class")).toBe(true);
+    expect(colMap.has("effective_from")).toBe(true);
+    expect(colMap.has("price_per_million_usd")).toBe(true);
+
+    // All four PK columns participate in the composite PK.
+    expect(colMap.get("provider")!.pk).toBeGreaterThan(0);
+    expect(colMap.get("model")!.pk).toBeGreaterThan(0);
+    expect(colMap.get("token_class")!.pk).toBeGreaterThan(0);
+    expect(colMap.get("effective_from")!.pk).toBeGreaterThan(0);
+  });
+
+  test("pricing seed has exactly 12 rows (4 models × 3 token_classes), all at effective_from=0", () => {
+    const db = getDb();
+    const total = db.prepare<CountRow, []>("SELECT COUNT(*) as cnt FROM pricing").get();
+    expect(total?.cnt).toBe(12);
+
+    const seedRows = db
+      .prepare<CountRow, []>("SELECT COUNT(*) as cnt FROM pricing WHERE effective_from = 0")
+      .get();
+    expect(seedRows?.cnt).toBe(12);
+  });
+
+  test("every CODEX_MODEL_PRICING entry has rows for input / cached_input / output with matching rates", () => {
+    const db = getDb();
+
+    for (const [model, pricing] of Object.entries(CODEX_MODEL_PRICING)) {
+      const inputRow = db
+        .prepare<PricingRow, [string, string, number]>(
+          "SELECT * FROM pricing WHERE provider = 'codex' AND model = ? AND token_class = ? AND effective_from = ?",
+        )
+        .get(model, "input", 0);
+      expect(inputRow?.price_per_million_usd).toBe(pricing.inputPerMillion);
+
+      const cachedRow = db
+        .prepare<PricingRow, [string, string, number]>(
+          "SELECT * FROM pricing WHERE provider = 'codex' AND model = ? AND token_class = ? AND effective_from = ?",
+        )
+        .get(model, "cached_input", 0);
+      expect(cachedRow?.price_per_million_usd).toBe(pricing.cachedInputPerMillion);
+
+      const outputRow = db
+        .prepare<PricingRow, [string, string, number]>(
+          "SELECT * FROM pricing WHERE provider = 'codex' AND model = ? AND token_class = ? AND effective_from = ?",
+        )
+        .get(model, "output", 0);
+      expect(outputRow?.price_per_million_usd).toBe(pricing.outputPerMillion);
+    }
+  });
+
+  test("idx_pricing_lookup index exists", () => {
+    const db = getDb();
+    const idx = db
+      .prepare<MasterRow, []>(
+        "SELECT name, sql FROM sqlite_master WHERE type='index' AND name='idx_pricing_lookup'",
+      )
+      .get();
+    expect(idx?.name).toBe("idx_pricing_lookup");
+    expect(idx?.sql).toContain("provider");
+    expect(idx?.sql).toContain("model");
+    expect(idx?.sql).toContain("token_class");
+    expect(idx?.sql).toContain("effective_from");
+  });
+
+  test("re-applying seed INSERT OR IGNORE does not duplicate rows", () => {
+    const db = getDb();
+    const before = db.prepare<CountRow, []>("SELECT COUNT(*) as cnt FROM pricing").get();
+
+    // Replay the same seed statements.
+    db.prepare(
+      `INSERT OR IGNORE INTO pricing (provider, model, token_class, effective_from, price_per_million_usd, createdAt, lastUpdatedAt)
+       VALUES ('codex', 'gpt-5.4', 'input', 0, 2.5, 0, 0)`,
+    ).run();
+    db.prepare(
+      `INSERT OR IGNORE INTO pricing (provider, model, token_class, effective_from, price_per_million_usd, createdAt, lastUpdatedAt)
+       VALUES ('codex', 'gpt-5.3-codex', 'output', 0, 14.0, 0, 0)`,
+    ).run();
+
+    const after = db.prepare<CountRow, []>("SELECT COUNT(*) as cnt FROM pricing").get();
+    expect(after?.cnt).toBe(before?.cnt);
+  });
+
+  test("append-only price history: new effective_from row coexists with seed; latest-active lookup picks correct row", () => {
+    const db = getDb();
+    const NOW = 1_700_000_000_000; // arbitrary epoch ms in the future relative to 0
+
+    // Add a NEW pricing row for codex/gpt-5.3-codex/input at a later effective_from with a different price.
+    db.prepare(
+      `INSERT INTO pricing (provider, model, token_class, effective_from, price_per_million_usd, createdAt, lastUpdatedAt)
+       VALUES ('codex', 'gpt-5.3-codex', 'input', ?, ?, ?, ?)`,
+    ).run(NOW, 99.99, NOW, NOW);
+
+    // Seed row should still exist at effective_from = 0.
+    const seedRow = db
+      .prepare<PricingRow, []>(
+        "SELECT * FROM pricing WHERE provider='codex' AND model='gpt-5.3-codex' AND token_class='input' AND effective_from=0",
+      )
+      .get();
+    expect(seedRow?.price_per_million_usd).toBe(1.75);
+
+    // "Largest effective_from <= now" — should return the new row.
+    const latestRow = db
+      .prepare<PricingRow, [number]>(
+        `SELECT * FROM pricing
+         WHERE provider='codex' AND model='gpt-5.3-codex' AND token_class='input'
+         AND effective_from <= ?
+         ORDER BY effective_from DESC LIMIT 1`,
+      )
+      .get(NOW + 1);
+    expect(latestRow?.effective_from).toBe(NOW);
+    expect(latestRow?.price_per_million_usd).toBe(99.99);
+
+    // Same query against effective_from <= 0 should return the seed row.
+    const seedLookup = db
+      .prepare<PricingRow, [number]>(
+        `SELECT * FROM pricing
+         WHERE provider='codex' AND model='gpt-5.3-codex' AND token_class='input'
+         AND effective_from <= ?
+         ORDER BY effective_from DESC LIMIT 1`,
+      )
+      .get(0);
+    expect(seedLookup?.effective_from).toBe(0);
+    expect(seedLookup?.price_per_million_usd).toBe(1.75);
+  });
+
+  test("budget_refusal_notifications table exists with expected columns and composite PK", () => {
+    const db = getDb();
+    const cols = db
+      .prepare<TableInfoRow, []>("PRAGMA table_info(budget_refusal_notifications)")
+      .all();
+    expect(cols.length).toBeGreaterThan(0);
+
+    const colMap = new Map(cols.map((c) => [c.name, c]));
+    expect(colMap.has("task_id")).toBe(true);
+    expect(colMap.has("date")).toBe(true);
+    expect(colMap.has("agent_id")).toBe(true);
+    expect(colMap.has("cause")).toBe(true);
+    expect(colMap.has("agent_spend_usd")).toBe(true);
+    expect(colMap.has("agent_budget_usd")).toBe(true);
+    expect(colMap.has("global_spend_usd")).toBe(true);
+    expect(colMap.has("global_budget_usd")).toBe(true);
+    expect(colMap.has("follow_up_task_id")).toBe(true);
+    expect(colMap.has("createdAt")).toBe(true);
+
+    // Composite PK on (task_id, date).
+    expect(colMap.get("task_id")!.pk).toBeGreaterThan(0);
+    expect(colMap.get("date")!.pk).toBeGreaterThan(0);
+
+    // Optional spend/budget fields are NULL-able.
+    expect(colMap.get("agent_spend_usd")!.notnull).toBe(0);
+    expect(colMap.get("global_budget_usd")!.notnull).toBe(0);
+    expect(colMap.get("follow_up_task_id")!.notnull).toBe(0);
+  });
+
+  test("budget_refusal_notifications dedup via INSERT OR IGNORE on (task_id, date)", () => {
+    const db = getDb();
+
+    const taskId = "task-dedup-1";
+    const date = "2026-04-28";
+
+    const first = db
+      .prepare(
+        `INSERT OR IGNORE INTO budget_refusal_notifications
+         (task_id, date, agent_id, cause, createdAt)
+         VALUES (?, ?, ?, ?, ?)`,
+      )
+      .run(taskId, date, "agent-1", "agent", 0);
+    expect(first.changes).toBe(1);
+
+    // Second insert with same PK is silently ignored.
+    const second = db
+      .prepare(
+        `INSERT OR IGNORE INTO budget_refusal_notifications
+         (task_id, date, agent_id, cause, createdAt)
+         VALUES (?, ?, ?, ?, ?)`,
+      )
+      .run(taskId, date, "agent-1", "agent", 1);
+    expect(second.changes).toBe(0);
+
+    // Different date succeeds (PK rolls over).
+    const nextDay = db
+      .prepare(
+        `INSERT OR IGNORE INTO budget_refusal_notifications
+         (task_id, date, agent_id, cause, createdAt)
+         VALUES (?, ?, ?, ?, ?)`,
+      )
+      .run(taskId, "2026-04-29", "agent-1", "agent", 2);
+    expect(nextDay.changes).toBe(1);
+  });
+
+  test("budget_refusal_notifications CHECK rejects unknown cause", () => {
+    const db = getDb();
+    expect(() =>
+      db
+        .prepare(
+          `INSERT INTO budget_refusal_notifications
+           (task_id, date, agent_id, cause, createdAt)
+           VALUES (?, ?, ?, ?, ?)`,
+        )
+        .run("task-cause-1", "2026-04-28", "agent-1", "not-a-cause", 0),
+    ).toThrow();
+  });
+});

package/src/tests/pricing-routes.test.ts

@@ -0,0 +1,315 @@
+// Phase 6: REST CRUD + audit-log + auth tests for /api/pricing/*.
+//
+// The pricing surface is append-only — operators add a new row with a later
+// `effective_from` rather than mutating an existing one. `POST` collisions
+// on the same `(provider, model, token_class, effective_from)` PK return 409.
+
+import { afterAll, afterEach, beforeAll, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import {
+  createServer as createHttpServer,
+  type IncomingMessage,
+  type Server,
+  type ServerResponse,
+} from "node:http";
+import { closeDb, getDb, getLogsByEventType, initDb } from "../be/db";
+import { handleCore } from "../http/core";
+import { handlePricing } from "../http/pricing";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+
+const TEST_DB_PATH = "./test-pricing-routes.sqlite";
+const API_KEY = "test-pricing-secret-key";
+
+async function removeDbFiles(path: string): Promise<void> {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(path + suffix);
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code !== "ENOENT") throw error;
+    }
+  }
+}
+
+async function listen(server: Server): Promise<number> {
+  await new Promise<void>((resolve) => server.listen(0, resolve));
+  const addr = server.address();
+  if (!addr || typeof addr === "string") throw new Error("no port");
+  return addr.port;
+}
+
+function createTestServer(apiKey: string): Server {
+  return createHttpServer(async (req: IncomingMessage, res: ServerResponse) => {
+    const myAgentId = req.headers["x-agent-id"] as string | undefined;
+    const handled = await handleCore(req, res, myAgentId, apiKey);
+    if (handled) return;
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const ok = await handlePricing(req, res, pathSegments, queryParams, myAgentId);
+    if (!ok) {
+      res.writeHead(404);
+      res.end("Not Found");
+    }
+  });
+}
+
+let server: Server;
+let port: number;
+
+beforeAll(async () => {
+  await removeDbFiles(TEST_DB_PATH);
+  initDb(TEST_DB_PATH);
+  server = createTestServer(API_KEY);
+  port = await listen(server);
+});
+
+afterAll(async () => {
+  await new Promise<void>((resolve) => server.close(() => resolve()));
+  closeDb();
+  await removeDbFiles(TEST_DB_PATH);
+});
+
+afterEach(() => {
+  const db = getDb();
+  // Remove every non-seed pricing row so each test starts from the migration
+  // 044 seed (effective_from=0). The seed uses literal 0 for effective_from.
+  db.prepare("DELETE FROM pricing WHERE effective_from > 0").run();
+  db.prepare("DELETE FROM agent_log WHERE eventType LIKE 'pricing.%'").run();
+});
+
+function authedFetch(path: string, init: RequestInit = {}): Promise<Response> {
+  return fetch(`http://localhost:${port}${path}`, {
+    ...init,
+    headers: {
+      Authorization: `Bearer ${API_KEY}`,
+      "Content-Type": "application/json",
+      ...(init.headers ?? {}),
+    },
+  });
+}
+
+describe("Phase 6 — /api/pricing REST surface", () => {
+  describe("auth", () => {
+    test("401 when Authorization header is missing", async () => {
+      const res = await fetch(`http://localhost:${port}/api/pricing`);
+      expect(res.status).toBe(401);
+    });
+
+    test("401 when bearer is wrong", async () => {
+      const res = await fetch(`http://localhost:${port}/api/pricing`, {
+        headers: { Authorization: "Bearer WRONG" },
+      });
+      expect(res.status).toBe(401);
+    });
+  });
+
+  describe("read endpoints", () => {
+    test("GET /api/pricing lists every row including the migration 044 seed", async () => {
+      const res = await authedFetch(`/api/pricing`);
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.rows).toBeInstanceOf(Array);
+      // Migration 044 seeds 12 codex rows with effective_from=0. They should
+      // all be present here.
+      const seedRows = body.rows.filter(
+        (r: { provider: string; effectiveFrom: number }) =>
+          r.provider === "codex" && r.effectiveFrom === 0,
+      );
+      expect(seedRows.length).toBe(12);
+    });
+
+    test("GET /api/pricing/{provider}/{model}/{tokenClass} returns rows latest-first", async () => {
+      // Insert two new rows on top of the existing seed for gpt-5.3-codex/input.
+      await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 2.0, effectiveFrom: 1_000 }),
+      });
+      await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 2.5, effectiveFrom: 5_000 }),
+      });
+
+      const res = await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`);
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.rows.length).toBe(3);
+      // Newest first.
+      expect(body.rows[0].effectiveFrom).toBe(5_000);
+      expect(body.rows[1].effectiveFrom).toBe(1_000);
+      expect(body.rows[2].effectiveFrom).toBe(0);
+    });
+
+    test("GET /api/pricing/.../{tokenClass} returns empty list (NOT 404) for unseeded triple", async () => {
+      const res = await authedFetch(`/api/pricing/claude/sonnet-4/input`);
+      expect(res.status).toBe(200);
+      const body = await res.json();
+      expect(body.rows).toEqual([]);
+    });
+
+    test("GET /api/pricing/.../active returns the largest effective_from <= now", async () => {
+      const past = Date.now() - 10_000;
+      await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 99.0, effectiveFrom: past }),
+      });
+      const res = await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input/active`);
+      expect(res.status).toBe(200);
+      const row = await res.json();
+      expect(row.effectiveFrom).toBe(past);
+      expect(row.pricePerMillionUsd).toBe(99.0);
+    });
+
+    test("GET /api/pricing/.../active returns 404 for unseeded triple with no rows", async () => {
+      const res = await authedFetch(`/api/pricing/claude/sonnet-4/input/active`);
+      expect(res.status).toBe(404);
+    });
+  });
+
+  describe("write endpoints", () => {
+    test("POST inserts a new row, returns 201, body matches", async () => {
+      const res = await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 1.5, effectiveFrom: 12_345 }),
+      });
+      expect(res.status).toBe(201);
+      const row = await res.json();
+      expect(row.provider).toBe("codex");
+      expect(row.model).toBe("gpt-5.3-codex");
+      expect(row.tokenClass).toBe("input");
+      expect(row.effectiveFrom).toBe(12_345);
+      expect(row.pricePerMillionUsd).toBe(1.5);
+    });
+
+    test("POST defaults effectiveFrom to Date.now() when omitted", async () => {
+      const before = Date.now();
+      const res = await authedFetch(`/api/pricing/codex/gpt-5.4/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 3.0 }),
+      });
+      const after = Date.now();
+      expect(res.status).toBe(201);
+      const row = await res.json();
+      expect(row.effectiveFrom).toBeGreaterThanOrEqual(before);
+      expect(row.effectiveFrom).toBeLessThanOrEqual(after);
+    });
+
+    test("POST 409 on duplicate (provider, model, tokenClass, effectiveFrom)", async () => {
+      await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 1.5, effectiveFrom: 99_999 }),
+      });
+      const res = await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 2.0, effectiveFrom: 99_999 }),
+      });
+      expect(res.status).toBe(409);
+    });
+
+    test("same-millisecond collision: two rapid POSTs without explicit effectiveFrom may 409; explicit unblocks", async () => {
+      // Run two POSTs back-to-back. They MIGHT land on the same Date.now() millisecond.
+      // If they do, the second returns 409. If they don't, both succeed.
+      const r1 = await authedFetch(`/api/pricing/codex/gpt-5.4-mini/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 0.5 }),
+      });
+      const r2 = await authedFetch(`/api/pricing/codex/gpt-5.4-mini/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 0.6 }),
+      });
+      // At least the first must succeed.
+      expect(r1.status).toBe(201);
+      expect([201, 409]).toContain(r2.status);
+
+      // Workaround: pass an explicit effectiveFrom that we KNOW is unique.
+      // It still must not collide with r1's effective_from. Use a future ms.
+      const futureMs = Date.now() + 10_000;
+      const r3 = await authedFetch(`/api/pricing/codex/gpt-5.4-mini/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 0.7, effectiveFrom: futureMs }),
+      });
+      expect(r3.status).toBe(201);
+    });
+
+    test("POST 400 on invalid body (negative price)", async () => {
+      const res = await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: -1 }),
+      });
+      expect(res.status).toBe(400);
+    });
+
+    test("POST 400 on invalid provider", async () => {
+      const res = await authedFetch(`/api/pricing/totally-fake/x/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 1 }),
+      });
+      expect(res.status).toBe(400);
+    });
+
+    test("POST 400 on invalid token class", async () => {
+      const res = await authedFetch(`/api/pricing/codex/gpt-5.3-codex/wrong-class`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 1 }),
+      });
+      expect(res.status).toBe(400);
+    });
+
+    test("DELETE removes a row, returns 204, GET reflects removal", async () => {
+      await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 1.5, effectiveFrom: 42 }),
+      });
+      const delRes = await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input/42`, {
+        method: "DELETE",
+      });
+      expect(delRes.status).toBe(204);
+
+      const listRes = await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`);
+      const body = await listRes.json();
+      const found = body.rows.find((r: { effectiveFrom: number }) => r.effectiveFrom === 42);
+      expect(found).toBeUndefined();
+    });
+
+    test("DELETE 404 when row does not exist", async () => {
+      const res = await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input/123456789`, {
+        method: "DELETE",
+      });
+      expect(res.status).toBe(404);
+    });
+  });
+
+  describe("audit logging", () => {
+    test("POST writes a pricing.inserted log row with key fingerprint", async () => {
+      await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 1.5, effectiveFrom: 100 }),
+      });
+
+      const logs = getLogsByEventType("pricing.inserted");
+      expect(logs.length).toBe(1);
+      const meta = JSON.parse(logs[0].metadata!);
+      expect(meta.provider).toBe("codex");
+      expect(meta.model).toBe("gpt-5.3-codex");
+      expect(meta.tokenClass).toBe("input");
+      expect(meta.effectiveFrom).toBe(100);
+      expect(meta.pricePerMillionUsd).toBe(1.5);
+      expect(meta.apiKeyFingerprint).toMatch(/^[a-f0-9]{8}$/);
+      expect(logs[0].metadata).not.toContain(API_KEY);
+    });
+
+    test("DELETE writes a pricing.deleted log row with key fingerprint", async () => {
+      await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input`, {
+        method: "POST",
+        body: JSON.stringify({ pricePerMillionUsd: 1.5, effectiveFrom: 200 }),
+      });
+      await authedFetch(`/api/pricing/codex/gpt-5.3-codex/input/200`, { method: "DELETE" });
+
+      const logs = getLogsByEventType("pricing.deleted");
+      expect(logs.length).toBe(1);
+      const meta = JSON.parse(logs[0].metadata!);
+      expect(meta.provider).toBe("codex");
+      expect(meta.effectiveFrom).toBe(200);
+      expect(meta.apiKeyFingerprint).toMatch(/^[a-f0-9]{8}$/);
+      expect(logs[0].metadata).not.toContain(API_KEY);
+    });
+  });
+});

package/src/tests/prompt-template-remaining.test.ts

@@ -433,6 +433,8 @@ Note: Claims are first-come-first-serve. If claim fails, pick another.`;
       task_id: "task-xyz",
       task_description: "Fix the test suite",
       progress: "Fixed 3 of 5 failing tests",
+      completion_instructions:
+        '\n\nWhen done, use `store-progress` with status: "completed" and include your output.',
     });
 
     expect(result.skipped).toBe(false);
@@ -458,6 +460,8 @@ When done, use \`store-progress\` with status: "completed" and include your outp
       work_on_task_cmd: "/work-on-task",
       task_id: "task-xyz",
       task_description: "Fix the test suite",
+      completion_instructions:
+        '\n\nWhen done, use `store-progress` with status: "completed" and include your output.',
     });
 
     expect(result.skipped).toBe(false);

package/src/tests/prompt-template-session.test.ts

@@ -88,10 +88,10 @@ describe("Session templates — registration", () => {
     }
   });
 
-  test("total of 15 session/system templates registered", () => {
+  test("total of 17 session/system templates registered", () => {
     const all = getAllTemplateDefinitions();
     const sessionSystem = all.filter((d) => d.category === "system" || d.category === "session");
-    expect(sessionSystem.length).toBe(15);
+    expect(sessionSystem.length).toBe(17);
   });
 });
 

package/src/tests/provider-adapter.test.ts

@@ -19,7 +19,7 @@ describe("createProviderAdapter", () => {
 
   test("throws for unknown provider", () => {
     expect(() => createProviderAdapter("unknown")).toThrow(
-      'Unknown HARNESS_PROVIDER: "unknown". Supported: claude, pi, codex',
+      'Unknown HARNESS_PROVIDER: "unknown". Supported: claude, pi, codex, devin, claude-managed',
     );
   });