@desplega.ai/agent-swarm 1.83.1 → 1.83.2

package/src/tests/codex-rate-limit-parse.test.ts

@@ -0,0 +1,256 @@
+import { describe, expect, test } from "bun:test";
+import {
+  MAX_RATE_LIMIT_RESET_MS,
+  parseCodexRateLimitResetTime,
+  SessionErrorTracker,
+} from "../utils/error-tracker";
+
+// Verbatim from Linear CAI-1284 issue body (Team/Business plan fixture)
+const VERBATIM_ERROR_MESSAGE =
+  "You've hit your usage limit. To get more access now, send a request to your admin or try again at 8:35 PM.";
+
+describe("parseCodexRateLimitResetTime — verbatim CAI-1284 fixture", () => {
+  test("parses '8:35 PM' as 20:35 UTC same day when now is 18:00 UTC", () => {
+    const now = new Date("2026-05-25T18:00:00Z");
+    const result = parseCodexRateLimitResetTime(VERBATIM_ERROR_MESSAGE, now);
+    expect(result).toBe("2026-05-25T20:35:00.000Z");
+  });
+
+  test("rolls to next day when 'now' is past the parsed wall-clock", () => {
+    const now = new Date("2026-05-25T21:00:00Z"); // 9:00 PM UTC — past 8:35 PM
+    const result = parseCodexRateLimitResetTime(VERBATIM_ERROR_MESSAGE, now);
+    expect(result).toBe("2026-05-26T20:35:00.000Z");
+  });
+
+  test("keeps same day when 'now' equals the parsed wall-clock exactly (clock-skew window)", () => {
+    const now = new Date("2026-05-25T20:35:00Z");
+    const result = parseCodexRateLimitResetTime(VERBATIM_ERROR_MESSAGE, now);
+    // Within 2-min skew window → same day; clampRateLimitResetMs applies now+60s floor.
+    expect(result).toBe("2026-05-25T20:35:00.000Z");
+  });
+
+  test("clock-skew regression: 30s past 8:35 PM does NOT roll to tomorrow (CAI-1284)", () => {
+    // Worker receives the usage-limit event 30 seconds after the wall-clock reset time.
+    // Should stay same-day; clampRateLimitResetMs applies now+60s floor instead.
+    const now = new Date("2026-05-25T20:35:30Z");
+    const result = parseCodexRateLimitResetTime(VERBATIM_ERROR_MESSAGE, now);
+    expect(result).toBe("2026-05-25T20:35:00.000Z");
+  });
+});
+
+describe("parseCodexRateLimitResetTime — same-day format variants", () => {
+  test.each([
+    // [time string, expected ISO, now ISO]
+    ["12:00 AM", "2026-05-25T00:00:00.000Z", "2026-05-25T00:00:00Z"], // midnight == now: within skew, stays same day
+    ["12:00 PM", "2026-05-25T12:00:00.000Z", "2026-05-25T00:00:00Z"], // noon: future
+    ["1:00 PM", "2026-05-25T13:00:00.000Z", "2026-05-25T00:00:00Z"],
+    ["11:59 PM", "2026-05-25T23:59:00.000Z", "2026-05-25T00:00:00Z"],
+  ])("'Try again at %s.' → %s", (time, expected, nowISO) => {
+    const now = new Date(nowISO);
+    const msg = `You've hit your usage limit. Try again at ${time}.`;
+    expect(parseCodexRateLimitResetTime(msg, now)).toBe(expected);
+  });
+
+  test("'or try again at' prefix (lowercase) also parses", () => {
+    const now = new Date("2026-05-25T18:00:00Z");
+    const msg =
+      "You've hit your usage limit. To get more access now, send a request to your admin or try again at 8:35 PM.";
+    expect(parseCodexRateLimitResetTime(msg, now)).toBe("2026-05-25T20:35:00.000Z");
+  });
+});
+
+describe("parseCodexRateLimitResetTime — different-day format", () => {
+  test("'May 26th, 2026 8:35 PM' parses with ordinal suffix", () => {
+    const now = new Date("2026-05-25T22:00:00Z");
+    const msg =
+      "You've hit your usage limit. Upgrade to Pro (https://chatgpt.com/explore/pro), " +
+      "visit https://chatgpt.com/codex/settings/usage to purchase more credits or " +
+      "try again at May 26th, 2026 8:35 PM.";
+    expect(parseCodexRateLimitResetTime(msg, now)).toBe("2026-05-26T20:35:00.000Z");
+  });
+
+  test("ordinal-less form 'May 26, 2026 8:35 PM' also parses (defensive)", () => {
+    const now = new Date("2026-05-25T22:00:00Z");
+    const msg = "You've hit your usage limit. Try again at May 26, 2026 8:35 PM.";
+    expect(parseCodexRateLimitResetTime(msg, now)).toBe("2026-05-26T20:35:00.000Z");
+  });
+
+  test.each([
+    ["1st", 1],
+    ["2nd", 2],
+    ["3rd", 3],
+    ["4th", 4],
+    ["11th", 11],
+    ["21st", 21],
+    ["22nd", 22],
+    ["23rd", 23],
+  ])("ordinal suffix %s parses", (ord, day) => {
+    const now = new Date("2026-04-01T00:00:00Z");
+    const msg = `You've hit your usage limit. Try again at May ${day}${ord.replace(/\d+/, "")}, 2026 8:35 PM.`;
+    const result = parseCodexRateLimitResetTime(msg, now);
+    expect(result).toBe(`2026-05-${String(day).padStart(2, "0")}T20:35:00.000Z`);
+  });
+
+  test("12-hour edge: midnight cross-day 'Jan 1st, 2027 12:00 AM'", () => {
+    const now = new Date("2026-12-31T23:00:00Z");
+    const msg = "You've hit your usage limit. Try again at Jan 1st, 2027 12:00 AM.";
+    expect(parseCodexRateLimitResetTime(msg, now)).toBe("2027-01-01T00:00:00.000Z");
+  });
+
+  test("12-hour edge: noon cross-day 'Jan 2nd, 2027 12:00 PM'", () => {
+    const now = new Date("2026-12-31T23:00:00Z");
+    const msg = "You've hit your usage limit. Try again at Jan 2nd, 2027 12:00 PM.";
+    expect(parseCodexRateLimitResetTime(msg, now)).toBe("2027-01-02T12:00:00.000Z");
+  });
+});
+
+describe("parseCodexRateLimitResetTime — negative cases", () => {
+  test("'Try again later.' (no time) → undefined", () => {
+    const msg = "You've hit your usage limit. Try again later.";
+    expect(parseCodexRateLimitResetTime(msg)).toBeUndefined();
+  });
+
+  test("'or try again later.' (no time) → undefined", () => {
+    const msg =
+      "You've hit your usage limit. To get more access now, send a request to your admin or try again later.";
+    expect(parseCodexRateLimitResetTime(msg)).toBeUndefined();
+  });
+
+  test("workspace-credit-depleted (no retry suffix at all) → undefined", () => {
+    expect(
+      parseCodexRateLimitResetTime("Your workspace is out of credits. Add credits to continue."),
+    ).toBeUndefined();
+  });
+
+  test("workspace member out of credits → undefined", () => {
+    expect(
+      parseCodexRateLimitResetTime(
+        "Your workspace is out of credits. Ask your workspace owner to refill in order to continue.",
+      ),
+    ).toBeUndefined();
+  });
+
+  test("non-codex error message → undefined", () => {
+    expect(parseCodexRateLimitResetTime("Connection failed: ECONNREFUSED")).toBeUndefined();
+  });
+
+  test("empty string → undefined", () => {
+    expect(parseCodexRateLimitResetTime("")).toBeUndefined();
+  });
+});
+
+describe("parseCodexRateLimitResetTime — invalid component rejection (CAI-1284 review)", () => {
+  const now = new Date("2026-05-25T18:00:00Z");
+
+  test("'Try again at 99:99 PM.' → undefined (hour and minute out of range)", () => {
+    expect(
+      parseCodexRateLimitResetTime("usage limit. Try again at 99:99 PM.", now),
+    ).toBeUndefined();
+  });
+
+  test("'Try again at 13:99 PM.' → undefined (hour out of range)", () => {
+    expect(
+      parseCodexRateLimitResetTime("usage limit. Try again at 13:99 PM.", now),
+    ).toBeUndefined();
+  });
+
+  test("'Try again at 0:30 PM.' → undefined (hour 0 is not 1–12)", () => {
+    expect(parseCodexRateLimitResetTime("usage limit. Try again at 0:30 PM.", now)).toBeUndefined();
+  });
+
+  test("'Try again at 12:60 PM.' → undefined (minute 60 out of range)", () => {
+    expect(
+      parseCodexRateLimitResetTime("usage limit. Try again at 12:60 PM.", now),
+    ).toBeUndefined();
+  });
+
+  test("'Try again at May 32nd, 2026 8:35 PM.' → undefined (day overflow)", () => {
+    expect(
+      parseCodexRateLimitResetTime("usage limit. Try again at May 32nd, 2026 8:35 PM.", now),
+    ).toBeUndefined();
+  });
+
+  test("'Try again at Feb 30th, 2026 8:35 PM.' → undefined (Feb has ≤29 days)", () => {
+    expect(
+      parseCodexRateLimitResetTime("usage limit. Try again at Feb 30th, 2026 8:35 PM.", now),
+    ).toBeUndefined();
+  });
+
+  test("'Try again at May 26th, 2026 8:35 PM.' → valid (positive control)", () => {
+    expect(
+      parseCodexRateLimitResetTime("usage limit. Try again at May 26th, 2026 8:35 PM.", now),
+    ).toBe("2026-05-26T20:35:00.000Z");
+  });
+});
+
+describe("parseCodexRateLimitResetTime — case-insensitive", () => {
+  test("'TRY AGAIN AT 8:35 PM' (all caps) parses", () => {
+    const now = new Date("2026-05-25T00:00:00Z");
+    const result = parseCodexRateLimitResetTime("usage limit. TRY AGAIN AT 8:35 PM.", now);
+    expect(result).toBe("2026-05-25T20:35:00.000Z");
+  });
+});
+
+describe("SessionErrorTracker — Codex usage-limit integration", () => {
+  test("stashes clamped reset time from verbatim CAI-1284 fixture", () => {
+    const tracker = new SessionErrorTracker();
+    tracker.processCodexUsageLimitMessage(VERBATIM_ERROR_MESSAGE);
+    const iso = tracker.getRateLimitResetAt();
+    expect(iso).toBeDefined();
+    const ms = new Date(iso!).getTime();
+    const nowMs = Date.now();
+    // Bounded to [now+60s, now+7d]. The same-day wall-clock fixture may be >6h away.
+    expect(ms).toBeGreaterThanOrEqual(nowMs + 59_000);
+    expect(ms).toBeLessThanOrEqual(nowMs + MAX_RATE_LIMIT_RESET_MS + 1000);
+  });
+
+  test("non-usage-limit error does not stash", () => {
+    const tracker = new SessionErrorTracker();
+    tracker.processCodexUsageLimitMessage("Connection failed.");
+    expect(tracker.getRateLimitResetAt()).toBeUndefined();
+  });
+
+  test("workspace-credit message does not stash (no parseable time)", () => {
+    const tracker = new SessionErrorTracker();
+    tracker.processCodexUsageLimitMessage(
+      "Your workspace is out of credits. Add credits to continue.",
+    );
+    expect(tracker.getRateLimitResetAt()).toBeUndefined();
+  });
+
+  test("'try again later' variant does not stash (no parseable time)", () => {
+    const tracker = new SessionErrorTracker();
+    tracker.processCodexUsageLimitMessage(
+      "You've hit your usage limit. To get more access now, send a request to your admin or try again later.",
+    );
+    expect(tracker.getRateLimitResetAt()).toBeUndefined();
+  });
+
+  test("last call wins on multiple usage-limit events", () => {
+    const tracker = new SessionErrorTracker();
+    // First: a past-sounding time that would be clamped to now+60s
+    tracker.processCodexUsageLimitMessage("You've hit your usage limit. Try again at 1:00 AM.");
+    const firstIso = tracker.getRateLimitResetAt();
+    expect(firstIso).toBeDefined();
+
+    // Second: clear future time
+    const future = new Date(Date.now() + 3 * 60 * 60 * 1000); // +3h
+    const h = future.getUTCHours();
+    const m = future.getUTCMinutes();
+    const hh = h % 12 || 12;
+    const ampm = h >= 12 ? "PM" : "AM";
+    const mm = String(m).padStart(2, "0");
+    tracker.processCodexUsageLimitMessage(
+      `You've hit your usage limit. Try again at ${hh}:${mm} ${ampm}.`,
+    );
+    const secondIso = tracker.getRateLimitResetAt();
+    expect(secondIso).toBeDefined();
+    // Last call wins — value changed (may be same or different after clamp, but defined)
+  });
+
+  test("empty string does not stash", () => {
+    const tracker = new SessionErrorTracker();
+    tracker.processCodexUsageLimitMessage("");
+    expect(tracker.getRateLimitResetAt()).toBeUndefined();
+  });
+});

package/src/tests/db-queries-oauth.test.ts

@@ -7,6 +7,7 @@ import {
   getOAuthTokens,
   isTokenExpiringSoon,
   storeOAuthTokens,
+  updateOAuthTokensAfterRefresh,
   upsertOAuthApp,
 } from "../be/db-queries/oauth";
 
@@ -140,6 +141,48 @@ describe("OAuth Tokens CRUD", () => {
     expect(tokens!.refreshToken).toBe("refresh-xyz");
   });
 
+  test("updateOAuthTokensAfterRefresh replaces the rotated refresh token atomically", () => {
+    const futureDate = new Date(Date.now() + 7200000).toISOString();
+    storeOAuthTokens("token-test", {
+      accessToken: "access-before-refresh",
+      refreshToken: "refresh-before-refresh",
+      expiresAt: new Date(Date.now() + 60000).toISOString(),
+    });
+
+    updateOAuthTokensAfterRefresh("token-test", "refresh-before-refresh", {
+      accessToken: "access-after-refresh",
+      refreshToken: "refresh-after-refresh",
+      expiresAt: futureDate,
+      scope: "read,write",
+    });
+
+    const tokens = getOAuthTokens("token-test");
+    expect(tokens!.accessToken).toBe("access-after-refresh");
+    expect(tokens!.refreshToken).toBe("refresh-after-refresh");
+    expect(tokens!.expiresAt).toBe(futureDate);
+    expect(tokens!.scope).toBe("read,write");
+  });
+
+  test("updateOAuthTokensAfterRefresh refuses to overwrite a concurrently rotated token", () => {
+    storeOAuthTokens("token-test", {
+      accessToken: "access-current",
+      refreshToken: "refresh-current",
+      expiresAt: new Date(Date.now() + 60000).toISOString(),
+    });
+
+    expect(() =>
+      updateOAuthTokensAfterRefresh("token-test", "refresh-stale", {
+        accessToken: "access-stale-result",
+        refreshToken: "refresh-stale-result",
+        expiresAt: new Date(Date.now() + 7200000).toISOString(),
+      }),
+    ).toThrow(/stored refresh token changed during refresh/);
+
+    const tokens = getOAuthTokens("token-test");
+    expect(tokens!.accessToken).toBe("access-current");
+    expect(tokens!.refreshToken).toBe("refresh-current");
+  });
+
   test("deleteOAuthTokens removes tokens", () => {
     deleteOAuthTokens("token-test");
     const tokens = getOAuthTokens("token-test");

package/src/tests/ensure-token.test.ts

@@ -25,10 +25,15 @@ const originalFetch = globalThis.fetch;
 beforeAll(() => {
   initDb(TEST_DB_PATH);
   upsertOAuthApp("test-provider", testApp);
+  upsertOAuthApp("jira", {
+    ...testApp,
+    tokenUrl: "https://example.com/jira/oauth/token",
+  });
 });
 
 beforeEach(() => {
   deleteOAuthTokens("test-provider");
+  deleteOAuthTokens("jira");
   globalThis.fetch = originalFetch;
 });
 
@@ -266,4 +271,92 @@ describe("ensureTokenOrThrow", () => {
     expect(tokens?.accessToken).toBe("rotated-token");
     expect(tokens?.refreshToken).toBe("rotated-refresh");
   });
+
+  test("persists Jira's rotated refresh token before reporting refresh success", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "old-jira-access",
+      refreshToken: "old-jira-refresh",
+      expiresAt: new Date(Date.now() + 50 * 60 * 1000).toISOString(),
+    });
+
+    globalThis.fetch = mock(() =>
+      Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: "new-jira-access",
+            token_type: "Bearer",
+            expires_in: 3600,
+            refresh_token: "new-jira-refresh",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      ),
+    );
+
+    await ensureTokenOrThrow("jira", Number.MAX_SAFE_INTEGER);
+
+    const tokens = getOAuthTokens("jira");
+    expect(tokens?.accessToken).toBe("new-jira-access");
+    expect(tokens?.refreshToken).toBe("new-jira-refresh");
+  });
+
+  test("rejects a Jira refresh response that omits the rotated refresh token", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "old-jira-access",
+      refreshToken: "old-jira-refresh",
+      expiresAt: new Date(Date.now() + 60 * 1000).toISOString(),
+    });
+
+    globalThis.fetch = mock(() =>
+      Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: "new-jira-access",
+            token_type: "Bearer",
+            expires_in: 3600,
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      ),
+    );
+
+    await expect(ensureTokenOrThrow("jira")).rejects.toThrow(/rotated refresh_token/);
+
+    const tokens = getOAuthTokens("jira");
+    expect(tokens?.accessToken).toBe("old-jira-access");
+    expect(tokens?.refreshToken).toBe("old-jira-refresh");
+  });
+
+  test("does not use a refreshed Jira access token when persistence loses the CAS race", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "old-jira-access",
+      refreshToken: "old-jira-refresh",
+      expiresAt: new Date(Date.now() + 60 * 1000).toISOString(),
+    });
+
+    globalThis.fetch = mock(() => {
+      storeOAuthTokens("jira", {
+        accessToken: "concurrent-jira-access",
+        refreshToken: "concurrent-jira-refresh",
+        expiresAt: new Date(Date.now() + 3600_000).toISOString(),
+      });
+      return Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: "stale-result-access",
+            token_type: "Bearer",
+            expires_in: 3600,
+            refresh_token: "stale-result-refresh",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      );
+    });
+
+    await expect(ensureTokenOrThrow("jira")).rejects.toThrow(/stored refresh token changed/);
+
+    const tokens = getOAuthTokens("jira");
+    expect(tokens?.accessToken).toBe("concurrent-jira-access");
+    expect(tokens?.refreshToken).toBe("concurrent-jira-refresh");
+  });
 });

package/src/tests/error-tracker.test.ts

@@ -1,5 +1,6 @@
 import { describe, expect, test } from "bun:test";
 import {
+  parseCodexRateLimitResetTime,
   parseRateLimitResetTime,
   parseStderrForErrors,
   SessionErrorTracker,
@@ -89,6 +90,23 @@ describe("SessionErrorTracker", () => {
     expect(errors[0]!.type).toBe("stderr_error");
     expect(errors[0]!.message).toBe("fatal: connection refused");
   });
+
+  test("detects Claude CLI invalid --resume session errors as stale sessions", () => {
+    const tracker = new SessionErrorTracker();
+    trackErrorFromJson(
+      {
+        type: "result",
+        subtype: "error_during_execution",
+        is_error: true,
+        errors: [
+          'Error during execution: Error: --resume requires a valid session ID or session title when used with --print. Usage: claude -p --resume <session-id|title>. Provided value "ses_19c145de3ffeD9qLlntj8SRO28" is not a UUID and does not match any session title.',
+        ],
+      },
+      tracker,
+    );
+
+    expect(tracker.isSessionNotFound()).toBe(true);
+  });
 });
 
 describe("buildFailureReason", () => {
@@ -548,3 +566,37 @@ describe("parseRateLimitResetTime", () => {
     expect(parseRateLimitResetTime("wait 2000 minutes")).toBeUndefined();
   });
 });
+
+describe("Codex/Claude coexistence — single tracker handles both providers", () => {
+  test("processRateLimitEvent (Claude) and processCodexUsageLimitMessage (Codex) both stash into getRateLimitResetAt", () => {
+    // Claude path: processRateLimitEvent
+    const claudeTracker = new SessionErrorTracker();
+    const futureResetsAtSec = Math.floor(Date.now() / 1000) + 3600;
+    claudeTracker.processRateLimitEvent({
+      type: "rate_limit_event",
+      rate_limit_info: { status: "rejected", resetsAt: futureResetsAtSec },
+    });
+    expect(claudeTracker.getRateLimitResetAt()).toBeDefined();
+
+    // Codex path: processCodexUsageLimitMessage
+    const codexTracker = new SessionErrorTracker();
+    codexTracker.processCodexUsageLimitMessage(
+      "You've hit your usage limit. To get more access now, send a request to your admin or try again at 8:35 PM.",
+    );
+    expect(codexTracker.getRateLimitResetAt()).toBeDefined();
+
+    // A tracker that received a Claude event does NOT get cross-contaminated by
+    // an independent Codex call on a different instance.
+    const iso = claudeTracker.getRateLimitResetAt();
+    expect(iso).toBeDefined();
+    const ms = new Date(iso!).getTime();
+    expect(ms).toBeCloseTo(futureResetsAtSec * 1000, -2); // within 100ms tolerance
+  });
+
+  test("parseCodexRateLimitResetTime does not interfere with parseRateLimitResetTime fixtures", () => {
+    // Claude format: "resets 3pm (UTC)" — must NOT be matched by Codex parser
+    expect(parseCodexRateLimitResetTime("resets 3pm (UTC)")).toBeUndefined();
+    // Codex format: "try again at 8:35 PM" — must NOT be matched by Claude parser
+    expect(parseRateLimitResetTime("try again at 8:35 PM.")).toBeUndefined();
+  });
+});

package/src/tests/fetch-resolved-env.test.ts

@@ -8,22 +8,26 @@ import { afterAll, beforeAll, describe, expect, test } from "bun:test";
  */
 
 let server: ReturnType<typeof Bun.serve>;
-const TEST_PORT = 13099;
-const TEST_URL = `http://localhost:${TEST_PORT}`;
+let testUrl: string;
+const nativeFetch = globalThis.fetch.bind(globalThis);
 
-// Configurable response for the mock server
-let mockResponse: { status: number; body: unknown } = {
+type MockResponse = { status: number; body: unknown };
+
+const defaultMockResponse: MockResponse = {
   status: 200,
   body: { configs: [] },
 };
+const mockResponsesByAgentId = new Map<string, MockResponse>();
 
 beforeAll(() => {
   server = Bun.serve({
-    port: TEST_PORT,
+    port: 0,
     fetch(req) {
       const url = new URL(req.url);
 
       if (url.pathname === "/api/config/resolved") {
+        const agentId = url.searchParams.get("agentId") ?? "";
+        const mockResponse = mockResponsesByAgentId.get(agentId) ?? defaultMockResponse;
         return new Response(JSON.stringify(mockResponse.body), {
           status: mockResponse.status,
           headers: { "Content-Type": "application/json" },
@@ -33,6 +37,7 @@ beforeAll(() => {
       return new Response("Not found", { status: 404 });
     },
   });
+  testUrl = server.url.toString().replace(/\/$/, "");
 });
 
 afterAll(() => {
@@ -56,7 +61,10 @@ async function fetchResolvedEnv(
     if (apiKey) headers.Authorization = `Bearer ${apiKey}`;
 
     const url = `${apiUrl}/api/config/resolved?agentId=${encodeURIComponent(agentId)}&includeSecrets=true`;
-    const response = await fetch(url, { headers });
+    const request = new Request(url, { headers });
+    const response = url.startsWith(testUrl)
+      ? await server.fetch(request)
+      : await nativeFetch(request);
 
     if (!response.ok) {
       return { ...baseEnv };
@@ -88,12 +96,13 @@ describe("fetchResolvedEnv", () => {
 
   test("returns baseEnv when agentId is empty", async () => {
     const baseEnv = { EXISTING: "value" };
-    const result = await fetchResolvedEnv(TEST_URL, "key", "", baseEnv);
+    const result = await fetchResolvedEnv(testUrl, "key", "", baseEnv);
     expect(result).toEqual({ EXISTING: "value" });
   });
 
   test("merges API config over baseEnv", async () => {
-    mockResponse = {
+    const agentId = "agent-merge";
+    mockResponsesByAgentId.set(agentId, {
       status: 200,
       body: {
         configs: [
@@ -101,10 +110,10 @@ describe("fetchResolvedEnv", () => {
           { key: "OVERRIDE_VAR", value: "api-wins" },
         ],
       },
-    };
+    });
 
     const baseEnv = { EXISTING: "keep", OVERRIDE_VAR: "original" };
-    const result = await fetchResolvedEnv(TEST_URL, "key", "agent-1", baseEnv);
+    const result = await fetchResolvedEnv(testUrl, "key", agentId, baseEnv);
 
     expect(result.EXISTING).toBe("keep");
     expect(result.NEW_VAR).toBe("from-api");
@@ -112,18 +121,20 @@ describe("fetchResolvedEnv", () => {
   });
 
   test("returns baseEnv when API returns empty configs", async () => {
-    mockResponse = { status: 200, body: { configs: [] } };
+    const agentId = "agent-empty";
+    mockResponsesByAgentId.set(agentId, { status: 200, body: { configs: [] } });
 
     const baseEnv = { EXISTING: "value" };
-    const result = await fetchResolvedEnv(TEST_URL, "key", "agent-1", baseEnv);
+    const result = await fetchResolvedEnv(testUrl, "key", agentId, baseEnv);
     expect(result).toEqual({ EXISTING: "value" });
   });
 
   test("returns baseEnv when API returns non-200", async () => {
-    mockResponse = { status: 500, body: { error: "server error" } };
+    const agentId = "agent-500";
+    mockResponsesByAgentId.set(agentId, { status: 500, body: { error: "server error" } });
 
     const baseEnv = { EXISTING: "value" };
-    const result = await fetchResolvedEnv(TEST_URL, "key", "agent-1", baseEnv);
+    const result = await fetchResolvedEnv(testUrl, "key", agentId, baseEnv);
     expect(result).toEqual({ EXISTING: "value" });
   });
 
@@ -134,13 +145,14 @@ describe("fetchResolvedEnv", () => {
   });
 
   test("does not mutate the baseEnv object", async () => {
-    mockResponse = {
+    const agentId = "agent-mutation";
+    mockResponsesByAgentId.set(agentId, {
       status: 200,
       body: { configs: [{ key: "NEW_VAR", value: "new" }] },
-    };
+    });
 
     const baseEnv = { EXISTING: "value" };
-    const result = await fetchResolvedEnv(TEST_URL, "key", "agent-1", baseEnv);
+    const result = await fetchResolvedEnv(testUrl, "key", agentId, baseEnv);
 
     // baseEnv should be untouched
     expect(baseEnv).toEqual({ EXISTING: "value" });
@@ -148,7 +160,8 @@ describe("fetchResolvedEnv", () => {
   });
 
   test("handles multiple configs correctly", async () => {
-    mockResponse = {
+    const agentId = "agent-multiple";
+    mockResponsesByAgentId.set(agentId, {
       status: 200,
       body: {
         configs: [
@@ -157,9 +170,9 @@ describe("fetchResolvedEnv", () => {
           { key: "VAR_C", value: "c" },
         ],
       },
-    };
+    });
 
-    const result = await fetchResolvedEnv(TEST_URL, "key", "agent-1", {});
+    const result = await fetchResolvedEnv(testUrl, "key", agentId, {});
     expect(result.VAR_A).toBe("a");
     expect(result.VAR_B).toBe("b");
     expect(result.VAR_C).toBe("c");

package/src/tests/http-users.test.ts

@@ -20,7 +20,7 @@ import {
   type Server,
   type ServerResponse,
 } from "node:http";
-import { closeDb, createUser, getDb, initDb, upsertKv } from "../be/db";
+import { closeDb, createUser, getBudget, getDb, initDb, upsertKv } from "../be/db";
 import { fingerprintApiKey, linkIdentity } from "../be/users";
 import { handleCore } from "../http/core";
 import { handleUsers } from "../http/users";
@@ -92,6 +92,7 @@ beforeEach(() => {
   db.run("DELETE FROM user_external_ids");
   db.run("DELETE FROM user_tokens");
   db.run("DELETE FROM users");
+  db.run("DELETE FROM budgets");
   db.run("DELETE FROM kv_entries");
 });
 
@@ -185,6 +186,33 @@ describe("POST /api/users", () => {
 });
 
 describe("PATCH /api/users/:id", () => {
+  test("dailyBudgetUsd mirrors into user-scoped budgets and null removes the mirror", async () => {
+    const create = await authedFetch("/api/users", {
+      method: "POST",
+      body: JSON.stringify({
+        name: "Budget Mirror",
+        dailyBudgetUsd: 1.25,
+      }),
+    });
+    expect(create.status).toBe(200);
+    const { user } = (await create.json()) as { user: { id: string } };
+    expect(getBudget("user", user.id)?.dailyBudgetUsd).toBe(1.25);
+
+    const update = await authedFetch(`/api/users/${user.id}`, {
+      method: "PATCH",
+      body: JSON.stringify({ dailyBudgetUsd: 2.5 }),
+    });
+    expect(update.status).toBe(200);
+    expect(getBudget("user", user.id)?.dailyBudgetUsd).toBe(2.5);
+
+    const remove = await authedFetch(`/api/users/${user.id}`, {
+      method: "PATCH",
+      body: JSON.stringify({ dailyBudgetUsd: null }),
+    });
+    expect(remove.status).toBe(200);
+    expect(getBudget("user", user.id)).toBeNull();
+  });
+
   test("budget / status / emailAliases diffs each emit the right event types", async () => {
     const u = createUser({
       name: "Patcher",