@desplega.ai/agent-swarm 1.78.1 → 1.79.0

package/src/tests/page-session.test.ts

@@ -0,0 +1,164 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { parseCookieHeader, signPageSession, verifyPageSession } from "../utils/page-session";
+
+const ORIGINAL_SECRET = process.env.PAGE_SESSION_SECRET;
+const ORIGINAL_API_KEY = process.env.API_KEY;
+
+beforeAll(() => {
+  process.env.PAGE_SESSION_SECRET = "test-secret-fixed-vector-key";
+});
+
+afterAll(() => {
+  if (ORIGINAL_SECRET !== undefined) process.env.PAGE_SESSION_SECRET = ORIGINAL_SECRET;
+  else delete process.env.PAGE_SESSION_SECRET;
+  if (ORIGINAL_API_KEY !== undefined) process.env.API_KEY = ORIGINAL_API_KEY;
+  else delete process.env.API_KEY;
+});
+
+describe("page-session HMAC helpers", () => {
+  test("sign produces deterministic output for fixed payload + secret", async () => {
+    const payload = { pageId: "deadbeefcafef00d", exp: 1893456000 };
+    const a = await signPageSession(payload);
+    const b = await signPageSession(payload);
+    expect(a).toBe(b);
+    // Shape: two base64url parts joined by `.`, no padding `=`.
+    expect(a).toMatch(/^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/);
+  });
+
+  test("round-trip: verify returns the original payload", async () => {
+    const payload = { pageId: "abc123", exp: Math.floor(Date.now() / 1000) + 3600 };
+    const token = await signPageSession(payload);
+    const got = await verifyPageSession(token);
+    expect(got).toEqual(payload);
+  });
+
+  test("expired token (exp in the past) returns null", async () => {
+    const payload = { pageId: "abc123", exp: Math.floor(Date.now() / 1000) - 1 };
+    const token = await signPageSession(payload);
+    const got = await verifyPageSession(token);
+    expect(got).toBeNull();
+  });
+
+  test("tampered payload returns null", async () => {
+    const payload = { pageId: "abc123", exp: Math.floor(Date.now() / 1000) + 3600 };
+    const token = await signPageSession(payload);
+    const [head, sig] = token.split(".");
+    // Re-encode a different payload with the SAME signature — must fail.
+    const evil = Buffer.from(JSON.stringify({ pageId: "evil", exp: payload.exp }))
+      .toString("base64")
+      .replace(/\+/g, "-")
+      .replace(/\//g, "_")
+      .replace(/=+$/, "");
+    expect(head).toBeDefined();
+    const tampered = `${evil}.${sig}`;
+    expect(await verifyPageSession(tampered)).toBeNull();
+  });
+
+  test("tampered signature (single-bit flip) returns null", async () => {
+    const payload = { pageId: "abc123", exp: Math.floor(Date.now() / 1000) + 3600 };
+    const token = await signPageSession(payload);
+    const [head, sig] = token.split(".");
+    expect(sig).toBeDefined();
+    // Flip the last character — keeps length identical so we exercise the
+    // constant-time compare branch (not the length-mismatch early-return).
+    const lastChar = sig!.slice(-1);
+    const flipped = lastChar === "A" ? "B" : "A";
+    const tamperedSig = sig!.slice(0, -1) + flipped;
+    const tampered = `${head}.${tamperedSig}`;
+    expect(await verifyPageSession(tampered)).toBeNull();
+  });
+
+  test("malformed token (no dot) returns null", async () => {
+    expect(await verifyPageSession("not-a-token")).toBeNull();
+  });
+
+  test("empty / null / undefined token returns null", async () => {
+    expect(await verifyPageSession("")).toBeNull();
+    expect(await verifyPageSession(null)).toBeNull();
+    expect(await verifyPageSession(undefined)).toBeNull();
+  });
+
+  test("token signed with different secret is rejected", async () => {
+    const payload = { pageId: "abc123", exp: Math.floor(Date.now() / 1000) + 3600 };
+    const token = await signPageSession(payload);
+
+    process.env.PAGE_SESSION_SECRET = "different-secret-after-rotation";
+    try {
+      const got = await verifyPageSession(token);
+      expect(got).toBeNull();
+    } finally {
+      process.env.PAGE_SESSION_SECRET = "test-secret-fixed-vector-key";
+    }
+  });
+
+  test("falls back to API_KEY when PAGE_SESSION_SECRET unset", async () => {
+    delete process.env.PAGE_SESSION_SECRET;
+    process.env.API_KEY = "fallback-api-key-for-test";
+    try {
+      const payload = { pageId: "fallback", exp: Math.floor(Date.now() / 1000) + 3600 };
+      const token = await signPageSession(payload);
+      const got = await verifyPageSession(token);
+      expect(got).toEqual(payload);
+    } finally {
+      process.env.PAGE_SESSION_SECRET = "test-secret-fixed-vector-key";
+    }
+  });
+
+  test("refuses to sign when both PAGE_SESSION_SECRET and API_KEY are unset", async () => {
+    delete process.env.PAGE_SESSION_SECRET;
+    const savedApiKey = process.env.API_KEY;
+    delete process.env.API_KEY;
+    try {
+      await expect(
+        signPageSession({ pageId: "x", exp: Math.floor(Date.now() / 1000) + 60 }),
+      ).rejects.toThrow(/PAGE_SESSION_SECRET|API_KEY/);
+    } finally {
+      process.env.PAGE_SESSION_SECRET = "test-secret-fixed-vector-key";
+      if (savedApiKey !== undefined) process.env.API_KEY = savedApiKey;
+    }
+  });
+
+  test("known-vector regression: payload {pageId:'abc',exp:1893456000} with secret 'test-secret-fixed-vector-key' verifies", async () => {
+    const payload = { pageId: "abc", exp: 1893456000 };
+    const token = await signPageSession(payload);
+    // We don't pin the exact bytes here (Buffer base64url ordering is stable
+    // but the test value would be brittle to refactor); instead we re-verify
+    // and check the payload survives the round-trip — this exercises the
+    // full sign+verify pipeline against a known vector.
+    expect(await verifyPageSession(token)).toEqual(payload);
+  });
+});
+
+describe("parseCookieHeader", () => {
+  test("returns undefined when header is absent", () => {
+    expect(parseCookieHeader(undefined, "page_session")).toBeUndefined();
+    expect(parseCookieHeader("", "page_session")).toBeUndefined();
+  });
+
+  test("parses a single cookie", () => {
+    expect(parseCookieHeader("page_session=abc.def", "page_session")).toBe("abc.def");
+  });
+
+  test("parses one cookie among many", () => {
+    const header = "foo=1; page_session=abc.def; bar=2";
+    expect(parseCookieHeader(header, "page_session")).toBe("abc.def");
+  });
+
+  test("returns first match when duplicate cookies present", () => {
+    const header = "page_session=first; page_session=second";
+    expect(parseCookieHeader(header, "page_session")).toBe("first");
+  });
+
+  test("handles array headers (Node's http types allow string[])", () => {
+    expect(parseCookieHeader(["page_session=array-value"], "page_session")).toBe("array-value");
+  });
+
+  test("returns undefined when target cookie not in header", () => {
+    expect(parseCookieHeader("foo=1; bar=2", "page_session")).toBeUndefined();
+  });
+
+  test("does NOT match a cookie whose name is a suffix of another", () => {
+    // `xxpage_session=evil` must not be returned for name `page_session`.
+    expect(parseCookieHeader("xxpage_session=evil; other=ok", "page_session")).toBeUndefined();
+  });
+});

package/src/tests/pages-actions-endpoint.test.ts

@@ -0,0 +1,102 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import {
+  createServer as createHttpServer,
+  type IncomingMessage,
+  type Server,
+  type ServerResponse,
+} from "node:http";
+import { closeDb, initDb } from "../be/db";
+import { handlePages } from "../http/pages";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+
+const TEST_DB_PATH = "./test-pages-actions-endpoint.sqlite";
+const TEST_PORT = 13062;
+const baseUrl = `http://localhost:${TEST_PORT}`;
+
+interface ActionListResponse {
+  actions: Array<{
+    name: string;
+    description: string;
+    params: Record<string, unknown>;
+    sdkMethods?: string[];
+  }>;
+}
+
+function createTestServer(): Server {
+  return createHttpServer(async (req: IncomingMessage, res: ServerResponse) => {
+    res.setHeader("Content-Type", "application/json");
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const myAgentId = req.headers["x-agent-id"] as string | undefined;
+    const handled = await handlePages(req, res, pathSegments, queryParams, myAgentId);
+    if (!handled) {
+      res.writeHead(404);
+      res.end(JSON.stringify({ error: "Not found" }));
+    }
+  });
+}
+
+describe("GET /api/pages/actions — JSON-page action allowlist", () => {
+  let server: Server;
+
+  beforeAll(async () => {
+    process.env.DB_PATH = TEST_DB_PATH;
+    initDb();
+    server = createTestServer();
+    await new Promise<void>((r) => server.listen(TEST_PORT, r));
+  });
+
+  afterAll(async () => {
+    await new Promise<void>((r) => server.close(() => r()));
+    closeDb();
+    try {
+      await unlink(TEST_DB_PATH);
+    } catch {
+      /* ok */
+    }
+  });
+
+  test("returns both swarm.sdk and swarm.call action descriptors", async () => {
+    const res = await fetch(`${baseUrl}/api/pages/actions`);
+    expect(res.status).toBe(200);
+    const json = (await res.json()) as ActionListResponse;
+    const names = json.actions.map((a) => a.name);
+    expect(names).toContain("swarm.sdk");
+    expect(names).toContain("swarm.call");
+  });
+
+  test("swarm.sdk descriptor surfaces the full SDK method allowlist", async () => {
+    const res = await fetch(`${baseUrl}/api/pages/actions`);
+    expect(res.status).toBe(200);
+    const json = (await res.json()) as ActionListResponse;
+    const sdk = json.actions.find((a) => a.name === "swarm.sdk");
+    expect(sdk).toBeDefined();
+    expect(sdk?.sdkMethods).toEqual([
+      "createTask",
+      "getTasks",
+      "getTaskDetails",
+      "storeProgress",
+      "postMessage",
+      "readMessages",
+      "getSwarm",
+      "listServices",
+      "slackReply",
+    ]);
+    // params is a JSON Schema 7 object with `sdk` enum + optional `args`
+    expect(sdk?.params).toBeDefined();
+    expect((sdk?.params as { type?: string }).type).toBe("object");
+  });
+
+  test("swarm.call descriptor describes the {method, endpoint, body} shape", async () => {
+    const res = await fetch(`${baseUrl}/api/pages/actions`);
+    const json = (await res.json()) as ActionListResponse;
+    const call = json.actions.find((a) => a.name === "swarm.call");
+    expect(call).toBeDefined();
+    const params = call?.params as { properties?: Record<string, unknown> };
+    expect(params.properties).toBeDefined();
+    expect(params.properties).toHaveProperty("method");
+    expect(params.properties).toHaveProperty("endpoint");
+    expect(params.properties).toHaveProperty("body");
+  });
+});

package/src/tests/pages-authed-mode.test.ts

@@ -0,0 +1,207 @@
+/**
+ * End-to-end coverage for `auth_mode='authed'` on `/p/:id` (step-4):
+ *
+ *   1. Create an authed HTML page.
+ *   2. `GET /p/:id` without cookie → 401.
+ *   3. `POST /api/pages/:id/launch` (bearer) → 204 + Set-Cookie.
+ *   4. `GET /p/:id` with cookie → 200 + SDK injected.
+ *   5. `GET /p/:id` with cookie scoped to a DIFFERENT page id → 403.
+ *   6. `GET /p/:id.json` with cookie → 200 + JSON metadata.
+ *
+ * Uses the same in-process handler wiring as `pages-public-html.test.ts` so
+ * we don't have to boot the full http server. The proxy in
+ * `page-proxy.test.ts` exercises the spawned-server bearer-gate path; here
+ * we're just verifying the cookie-gate at `/p/:id`.
+ */
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import crypto from "node:crypto";
+import { unlink } from "node:fs/promises";
+import {
+  createServer as createHttpServer,
+  type IncomingMessage,
+  type Server,
+  type ServerResponse,
+} from "node:http";
+import { closeDb, initDb } from "../be/db";
+import { handlePages } from "../http/pages";
+import { handlePagesPublic } from "../http/pages-public";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+import { signPageSession } from "../utils/page-session";
+
+const TEST_DB_PATH = "./test-pages-authed-mode.sqlite";
+const TEST_PORT = 13049;
+const BASE = `http://localhost:${TEST_PORT}`;
+
+function createTestServer(): Server {
+  return createHttpServer(async (req: IncomingMessage, res: ServerResponse) => {
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const myAgentId = req.headers["x-agent-id"] as string | undefined;
+    if (await handlePagesPublic(req, res, pathSegments, queryParams)) return;
+    if (await handlePages(req, res, pathSegments, queryParams, myAgentId)) return;
+    res.writeHead(404);
+    res.end("not found");
+  });
+}
+
+/** Pull the cookie value out of a Set-Cookie header line. */
+function extractCookieValue(setCookie: string | null): string {
+  expect(setCookie).toBeTruthy();
+  const match = /page_session=([^;]+)/.exec(setCookie!);
+  expect(match).toBeTruthy();
+  return match![1]!;
+}
+
+describe("GET /p/:id — authed mode cookie gate (step-4)", () => {
+  let server: Server;
+  const agentId = crypto.randomUUID();
+  const headers = { "Content-Type": "application/json", "X-Agent-ID": agentId };
+
+  // Set the page-session secret BEFORE the server boots so signPageSession()
+  // in the launch handler picks it up. The test re-uses API_KEY fallback too.
+  beforeAll(async () => {
+    process.env.PAGE_SESSION_SECRET = "test-authed-mode-secret-xyz";
+    for (const suffix of ["", "-wal", "-shm"]) {
+      try {
+        await unlink(`${TEST_DB_PATH}${suffix}`);
+      } catch {}
+    }
+    initDb(TEST_DB_PATH);
+    server = createTestServer();
+    await new Promise<void>((resolve) => server.listen(TEST_PORT, () => resolve()));
+  });
+
+  afterAll(async () => {
+    await new Promise<void>((resolve) => server.close(() => resolve()));
+    closeDb();
+    for (const suffix of ["", "-wal", "-shm"]) {
+      try {
+        await unlink(`${TEST_DB_PATH}${suffix}`);
+      } catch {}
+    }
+  });
+
+  async function createAuthedPage(slug: string, body = "<h1>secret</h1>"): Promise<string> {
+    const post = await fetch(`${BASE}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug,
+        title: `Authed ${slug}`,
+        contentType: "text/html",
+        authMode: "authed",
+        body,
+      }),
+    });
+    expect(post.status).toBe(201);
+    const { id } = (await post.json()) as { id: string };
+    return id;
+  }
+
+  test("no cookie → 401 with cookie-required guidance", async () => {
+    const id = await createAuthedPage("no-cookie");
+    const res = await fetch(`${BASE}/p/${id}`);
+    expect(res.status).toBe(401);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toContain("cookie");
+  });
+
+  test("launch issues cookie → /p/:id with cookie → 200 + SDK", async () => {
+    const id = await createAuthedPage(
+      "with-cookie",
+      "<!doctype html><body><h1>private</h1></body>",
+    );
+
+    const launch = await fetch(`${BASE}/api/pages/${id}/launch`, {
+      method: "POST",
+      headers: { "X-Agent-ID": agentId },
+    });
+    expect(launch.status).toBe(204);
+    const cookieValue = extractCookieValue(launch.headers.get("set-cookie"));
+
+    const res = await fetch(`${BASE}/p/${id}`, {
+      headers: { Cookie: `page_session=${cookieValue}` },
+    });
+    expect(res.status).toBe(200);
+    expect(res.headers.get("content-type")?.toLowerCase()).toContain("text/html");
+    const text = await res.text();
+    expect(text).toContain("<h1>private</h1>");
+    // BROWSER_SDK_JS sentinel — confirms injection happened on the authed
+    // branch, not just the public one.
+    expect(text).toContain("class SwarmSDK");
+  });
+
+  test("cookie scoped to a different page id → 403", async () => {
+    const idA = await createAuthedPage("page-a");
+    const idB = await createAuthedPage("page-b");
+
+    // Mint a cookie for page A …
+    const exp = Math.floor(Date.now() / 1000) + 3600;
+    const tokenForA = await signPageSession({ pageId: idA, exp });
+
+    // … and try to use it for page B.
+    const res = await fetch(`${BASE}/p/${idB}`, {
+      headers: { Cookie: `page_session=${tokenForA}` },
+    });
+    expect(res.status).toBe(403);
+    const body = (await res.json()) as { error: string };
+    expect(body.error).toContain("different page id");
+  });
+
+  test("/p/:id.json with cookie → 200 + JSON metadata", async () => {
+    const id = await createAuthedPage("json-meta");
+    const launch = await fetch(`${BASE}/api/pages/${id}/launch`, {
+      method: "POST",
+      headers: { "X-Agent-ID": agentId },
+    });
+    expect(launch.status).toBe(204);
+    const cookieValue = extractCookieValue(launch.headers.get("set-cookie"));
+
+    const res = await fetch(`${BASE}/p/${id}.json`, {
+      headers: { Cookie: `page_session=${cookieValue}` },
+    });
+    expect(res.status).toBe(200);
+    expect(res.headers.get("content-type")?.toLowerCase()).toContain("application/json");
+    const json = (await res.json()) as {
+      id: string;
+      authMode: string;
+      contentType: string;
+      body: string;
+    };
+    expect(json.id).toBe(id);
+    expect(json.authMode).toBe("authed");
+    expect(json.contentType).toBe("text/html");
+    expect(json.body).toContain("<h1>secret</h1>");
+  });
+
+  test("/p/:id.json WITHOUT cookie → 401", async () => {
+    const id = await createAuthedPage("json-no-cookie");
+    const res = await fetch(`${BASE}/p/${id}.json`);
+    expect(res.status).toBe(401);
+  });
+
+  test("expired cookie → 401 (HMAC actually verified, not just presence)", async () => {
+    const id = await createAuthedPage("expired");
+    const expired = await signPageSession({
+      pageId: id,
+      exp: Math.floor(Date.now() / 1000) - 60,
+    });
+    const res = await fetch(`${BASE}/p/${id}`, {
+      headers: { Cookie: `page_session=${expired}` },
+    });
+    expect(res.status).toBe(401);
+  });
+
+  test("tampered signature → 401", async () => {
+    const id = await createAuthedPage("tampered");
+    const exp = Math.floor(Date.now() / 1000) + 3600;
+    const good = await signPageSession({ pageId: id, exp });
+    const [head, sig] = good.split(".");
+    const tamperedSig = `${sig!.slice(0, -1)}${sig!.slice(-1) === "A" ? "B" : "A"}`;
+    const bad = `${head}.${tamperedSig}`;
+    const res = await fetch(`${BASE}/p/${id}`, {
+      headers: { Cookie: `page_session=${bad}` },
+    });
+    expect(res.status).toBe(401);
+  });
+});

package/src/tests/pages-http.test.ts

@@ -0,0 +1,193 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import crypto from "node:crypto";
+import { unlink } from "node:fs/promises";
+import {
+  createServer as createHttpServer,
+  type IncomingMessage,
+  type Server,
+  type ServerResponse,
+} from "node:http";
+import { closeDb, initDb } from "../be/db";
+import { handlePages } from "../http/pages";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+import type { Page } from "../types";
+
+const TEST_DB_PATH = "./test-pages-http.sqlite";
+const TEST_PORT = 13037;
+const baseUrl = `http://localhost:${TEST_PORT}`;
+
+function createTestServer(): Server {
+  return createHttpServer(async (req: IncomingMessage, res: ServerResponse) => {
+    res.setHeader("Content-Type", "application/json");
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const myAgentId = req.headers["x-agent-id"] as string | undefined;
+
+    const handled = await handlePages(req, res, pathSegments, queryParams, myAgentId);
+    if (!handled) {
+      res.writeHead(404);
+      res.end(JSON.stringify({ error: "Not found" }));
+    }
+  });
+}
+
+describe("Pages HTTP API", () => {
+  let server: Server;
+  const agentId = crypto.randomUUID();
+  const headers = {
+    "Content-Type": "application/json",
+    "X-Agent-ID": agentId,
+  };
+
+  beforeAll(async () => {
+    try {
+      await unlink(TEST_DB_PATH);
+    } catch {}
+    initDb(TEST_DB_PATH);
+
+    server = createTestServer();
+    await new Promise<void>((resolve) => {
+      server.listen(TEST_PORT, () => resolve());
+    });
+  });
+
+  afterAll(async () => {
+    await new Promise<void>((resolve) => server.close(() => resolve()));
+    closeDb();
+    for (const suffix of ["", "-wal", "-shm"]) {
+      try {
+        await unlink(`${TEST_DB_PATH}${suffix}`);
+      } catch {}
+    }
+  });
+
+  test("POST /api/pages creates a page and returns {id, version}", async () => {
+    const res = await fetch(`${baseUrl}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        title: "Hello",
+        contentType: "text/html",
+        authMode: "public",
+        body: "<h1>hi</h1>",
+      }),
+    });
+
+    expect(res.status).toBe(201);
+    const json = (await res.json()) as { id: string; version: number };
+    expect(json.id).toMatch(/^[0-9a-f]{32}$/);
+    expect(json.version).toBe(1);
+
+    // Round-trip via GET
+    const got = await fetch(`${baseUrl}/api/pages/${json.id}`, { headers });
+    expect(got.status).toBe(200);
+    const page = (await got.json()) as Page;
+    expect(page.title).toBe("Hello");
+    expect(page.body).toBe("<h1>hi</h1>");
+    expect(page.agentId).toBe(agentId);
+    expect(page.slug).toBe("hello"); // auto-slug from title
+    expect(page.contentType).toBe("text/html");
+    expect(page.authMode).toBe("public");
+  });
+
+  test("POST /api/pages with full HTML document body is stored verbatim", async () => {
+    const fullDoc =
+      "<!doctype html><html><head><title>x</title></head><body><h1>hi</h1></body></html>";
+    const res = await fetch(`${baseUrl}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug: "full-doc",
+        title: "Full Doc",
+        contentType: "text/html",
+        authMode: "public",
+        body: fullDoc,
+      }),
+    });
+    expect(res.status).toBe(201);
+    const { id } = (await res.json()) as { id: string };
+    const got = await fetch(`${baseUrl}/api/pages/${id}`, { headers });
+    const page = (await got.json()) as Page;
+    expect(page.body).toBe(fullDoc);
+  });
+
+  test("POST /api/pages with password hashes the password", async () => {
+    const password = "open-sesame-9";
+    const res = await fetch(`${baseUrl}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        slug: "pw-page",
+        title: "Pw",
+        contentType: "text/html",
+        authMode: "password",
+        password,
+        body: "<h1>secret</h1>",
+      }),
+    });
+    expect(res.status).toBe(201);
+    const { id } = (await res.json()) as { id: string };
+
+    const got = await fetch(`${baseUrl}/api/pages/${id}`, { headers });
+    const page = (await got.json()) as Page;
+    expect(page.passwordHash).toBeDefined();
+    expect(page.passwordHash).not.toBe(password);
+    expect(await Bun.password.verify(password, page.passwordHash!)).toBe(true);
+  });
+
+  test("POST /api/pages with duplicate slug → 409", async () => {
+    const body = {
+      slug: "dup-slug",
+      title: "First",
+      contentType: "text/html" as const,
+      authMode: "public" as const,
+      body: "<h1>1</h1>",
+    };
+    const first = await fetch(`${baseUrl}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body),
+    });
+    expect(first.status).toBe(201);
+
+    const second = await fetch(`${baseUrl}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify(body),
+    });
+    expect(second.status).toBe(409);
+  });
+
+  test("POST /api/pages without X-Agent-ID → 400", async () => {
+    const res = await fetch(`${baseUrl}/api/pages`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        title: "Anonymous",
+        contentType: "text/html",
+        authMode: "public",
+        body: "<h1>hi</h1>",
+      }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  test("POST /api/pages with bad contentType → 400", async () => {
+    const res = await fetch(`${baseUrl}/api/pages`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        title: "Bad",
+        contentType: "image/png",
+        authMode: "public",
+        body: "x",
+      }),
+    });
+    expect(res.status).toBe(400);
+  });
+
+  test("GET /api/pages/:id → 404 for unknown id", async () => {
+    const res = await fetch(`${baseUrl}/api/pages/${"0".repeat(32)}`, { headers });
+    expect(res.status).toBe(404);
+  });
+});