npm - @desplega.ai/agent-swarm - Versions diffs - 1.84.0 → 1.85.0 - Mend

@desplega.ai/agent-swarm 1.84.0 → 1.85.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/README.md +48 -8
package/openapi.json +5 -3
package/package.json +1 -1
package/src/be/db-queries/oauth.ts +33 -0
package/src/be/db.ts +7 -1
package/src/be/migrations/076_kapso_sender_user_backfill.sql +43 -0
package/src/be/migrations/077_oauth_refresh_locks.sql +8 -0
package/src/commands/context-preamble.ts +178 -0
package/src/commands/runner.ts +87 -7
package/src/http/index.ts +11 -3
package/src/http/tasks.ts +17 -0
package/src/http/users.ts +11 -3
package/src/http/utils.ts +17 -0
package/src/integrations/kapso/inbound.ts +36 -0
package/src/oauth/ensure-token.ts +97 -11
package/src/prompts/base-prompt.ts +15 -2
package/src/prompts/session-templates.ts +26 -12
package/src/providers/pi-mono-adapter.ts +44 -25
package/src/server.ts +2 -0
package/src/tasks/worker-follow-up.ts +82 -0
package/src/tests/agentmail-sending-skill.test.ts +75 -0
package/src/tests/agents-list-model-display.test.ts +45 -0
package/src/tests/base-prompt.test.ts +90 -1
package/src/tests/db-queries-oauth.test.ts +27 -0
package/src/tests/ensure-token.test.ts +71 -0
package/src/tests/http-log-scrubbing.test.ts +24 -0
package/src/tests/http-users.test.ts +53 -0
package/src/tests/kapso-inbound.test.ts +60 -1
package/src/tests/kv-page-proxy.test.ts +1 -0
package/src/tests/list-endpoint-slimming.test.ts +22 -1
package/src/tests/oauth-access-token-tool.test.ts +138 -0
package/src/tests/pagination-metrics.test.ts +4 -4
package/src/tests/pi-mono-adapter.test.ts +37 -1
package/src/tests/prompt-template-session.test.ts +13 -3
package/src/tests/runner-context-preamble.test.ts +202 -0
package/src/tests/runner-fallback-output.test.ts +118 -39
package/src/tests/task-completion-idempotency.test.ts +89 -0
package/src/tools/cancel-task.ts +13 -5
package/src/tools/get-task-details.ts +18 -10
package/src/tools/get-tasks.ts +9 -4
package/src/tools/oauth-access-token.ts +118 -0
package/src/tools/send-task.ts +9 -5
package/src/tools/store-progress.ts +12 -77
package/src/tools/task-action.ts +20 -10
package/src/tools/tool-config.ts +2 -1
package/src/types.ts +5 -0
package/src/utils/secret-scrubber.ts +23 -0
package/templates/skills/agentmail-sending/SKILL.md +148 -28

package/src/tests/agents-list-model-display.test.ts ADDED Viewed

@@ -0,0 +1,45 @@
+import { describe, expect, test } from "bun:test";
+import {
+  getAgentModelDisplay,
+  getAgentModelPresentation,
+} from "../../ui/src/lib/agents-list-model-display";
+describe("agents list model display", () => {
+  test("shows configured and last-used models when they diverge", () => {
+    const display = getAgentModelDisplay("claude-opus-4-7", "claude-sonnet-4-6");
+    expect(display).toEqual({
+      configured: "claude-opus-4-7",
+      lastUsed: "claude-sonnet-4-6",
+      primary: "claude-opus-4-7",
+      diverged: true,
+    });
+  });
+  test("shows one model when configured and last-used match", () => {
+    const display = getAgentModelDisplay("claude-sonnet-4-6", "claude-sonnet-4-6");
+    expect(display).toEqual({
+      configured: "claude-sonnet-4-6",
+      lastUsed: "claude-sonnet-4-6",
+      primary: "claude-sonnet-4-6",
+      diverged: false,
+    });
+  });
+  test("shows configured model alone before an agent reports a last-used model", () => {
+    const display = getAgentModelDisplay("claude-opus-4-7", null);
+    expect(display.primary).toBe("claude-opus-4-7");
+    expect(display.diverged).toBe(false);
+  });
+  test("presents known provider-prefixed model ids as readable labels", () => {
+    expect(getAgentModelPresentation("openrouter/deepseek/deepseek-v4-flash")).toEqual({
+      raw: "openrouter/deepseek/deepseek-v4-flash",
+      label: "DeepSeek V4 Flash",
+      provider: "OpenRouter",
+      providerId: "openrouter",
+    });
+  });
+});

package/src/tests/base-prompt.test.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { describe, expect, test } from "bun:test";
+import { afterEach, describe, expect, test } from "bun:test";
 import { type BasePromptArgs, getBasePrompt } from "../prompts/base-prompt";
 import type { ProviderTraits } from "../providers/types";
@@ -9,6 +9,39 @@ const minimalArgs: BasePromptArgs = {
   swarmUrl: "swarm.example.com",
 };
+const originalSlackDisable = process.env.SLACK_DISABLE;
+const originalSlackBotToken = process.env.SLACK_BOT_TOKEN;
+const originalSlackAppToken = process.env.SLACK_APP_TOKEN;
+afterEach(() => {
+  restoreEnv("SLACK_DISABLE", originalSlackDisable);
+  restoreEnv("SLACK_BOT_TOKEN", originalSlackBotToken);
+  restoreEnv("SLACK_APP_TOKEN", originalSlackAppToken);
+});
+function restoreEnv(
+  name: "SLACK_DISABLE" | "SLACK_BOT_TOKEN" | "SLACK_APP_TOKEN",
+  value: string | undefined,
+) {
+  if (value === undefined) {
+    delete process.env[name];
+  } else {
+    process.env[name] = value;
+  }
+}
+function enableSlackPromptTools() {
+  process.env.SLACK_DISABLE = "false";
+  process.env.SLACK_BOT_TOKEN = "xoxb-test-token";
+  process.env.SLACK_APP_TOKEN = "xapp-test-token";
+}
+function disableSlackPromptTools() {
+  process.env.SLACK_DISABLE = "true";
+  delete process.env.SLACK_BOT_TOKEN;
+  delete process.env.SLACK_APP_TOKEN;
+}
 // ---------------------------------------------------------------------------
 // Basic fields
 // ---------------------------------------------------------------------------
@@ -533,3 +566,59 @@ describe("getBasePrompt — local providers unaffected", () => {
     expect(result).toContain("/workspace");
   });
 });
+describe("getBasePrompt — conditional Slack templates", () => {
+  test("omits Slack tool templates when Slack is disabled", async () => {
+    disableSlackPromptTools();
+    const result = await getBasePrompt({
+      ...minimalArgs,
+      role: "lead",
+      slackContext: { channelId: "C123", threadTs: "123.456" },
+    });
+    expect(result).not.toMatch(/\bslack-[a-z-]+\b/);
+    expect(result).toContain("Task Routing");
+  });
+  test("includes Slack tool template for lead when Slack is enabled", async () => {
+    enableSlackPromptTools();
+    const result = await getBasePrompt({
+      ...minimalArgs,
+      role: "lead",
+    });
+    expect(result).toContain("#### Slack Tools");
+    expect(result).toContain("slack-reply");
+    expect(result).toContain("slack-read");
+    expect(result).toContain("slack-list-channels");
+  });
+  test("includes Slack tool template for worker when Slack is enabled", async () => {
+    enableSlackPromptTools();
+    const result = await getBasePrompt({
+      ...minimalArgs,
+      role: "worker",
+    });
+    expect(result).toContain("#### Slack Tools");
+    expect(result).toContain("slack-reply");
+    expect(result).toContain("slack-read");
+    expect(result).toContain("slack-list-channels");
+  });
+  test("includes worker Slack thread template when Slack is enabled", async () => {
+    enableSlackPromptTools();
+    const result = await getBasePrompt({
+      ...minimalArgs,
+      role: "worker",
+      slackContext: { channelId: "C123", threadTs: "123.456" },
+    });
+    expect(result).toContain("slack-reply");
+    expect(result).toContain("C123");
+  });
+});

package/src/tests/db-queries-oauth.test.ts CHANGED Viewed

@@ -2,10 +2,12 @@ import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import { unlink } from "node:fs/promises";
 import { closeDb, initDb } from "../be/db";
 import {
+  acquireOAuthRefreshLock,
   deleteOAuthTokens,
   getOAuthApp,
   getOAuthTokens,
   isTokenExpiringSoon,
+  releaseOAuthRefreshLock,
   storeOAuthTokens,
   updateOAuthTokensAfterRefresh,
   upsertOAuthApp,
@@ -238,3 +240,28 @@ describe("isTokenExpiringSoon", () => {
     expect(isTokenExpiringSoon("expiry-test", 180000)).toBe(true);
   });
 });
+describe("OAuth refresh locks", () => {
+  test("allows only one owner until the lock is released", () => {
+    const owner = acquireOAuthRefreshLock("lock-test", 60_000);
+    expect(typeof owner).toBe("string");
+    expect(acquireOAuthRefreshLock("lock-test", 60_000)).toBeNull();
+    releaseOAuthRefreshLock("lock-test", owner!);
+    const nextOwner = acquireOAuthRefreshLock("lock-test", 60_000);
+    expect(typeof nextOwner).toBe("string");
+    releaseOAuthRefreshLock("lock-test", nextOwner!);
+  });
+  test("allows a new owner after the lock expires", () => {
+    const expiredOwner = acquireOAuthRefreshLock("expired-lock-test", -1_000);
+    expect(typeof expiredOwner).toBe("string");
+    const nextOwner = acquireOAuthRefreshLock("expired-lock-test", 60_000);
+    expect(typeof nextOwner).toBe("string");
+    expect(nextOwner).not.toBe(expiredOwner);
+    releaseOAuthRefreshLock("expired-lock-test", nextOwner!);
+  });
+});

package/src/tests/ensure-token.test.ts CHANGED Viewed

@@ -300,6 +300,77 @@ describe("ensureTokenOrThrow", () => {
     expect(tokens?.refreshToken).toBe("new-jira-refresh");
   });
+  test("serializes concurrent Jira refresh callers before the token endpoint", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "old-jira-access",
+      refreshToken: "old-jira-refresh",
+      expiresAt: new Date(Date.now() + 60 * 1000).toISOString(),
+    });
+    const fetchSpy = mock(() =>
+      Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: "new-jira-access",
+            token_type: "Bearer",
+            expires_in: 3600,
+            refresh_token: "new-jira-refresh",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      ),
+    );
+    globalThis.fetch = fetchSpy;
+    await Promise.all([
+      ensureTokenOrThrow("jira"),
+      ensureTokenOrThrow("jira"),
+      ensureTokenOrThrow("jira"),
+    ]);
+    expect(fetchSpy).toHaveBeenCalledTimes(1);
+    const [_url, init] = fetchSpy.mock.calls[0] as [string, RequestInit];
+    expect(init.body).toContain("refresh_token=old-jira-refresh");
+    const tokens = getOAuthTokens("jira");
+    expect(tokens?.accessToken).toBe("new-jira-access");
+    expect(tokens?.refreshToken).toBe("new-jira-refresh");
+  });
+  test("does not rotate again when a concurrent caller already changed the token row", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "old-jira-access",
+      refreshToken: "old-jira-refresh",
+      expiresAt: new Date(Date.now() + 60 * 1000).toISOString(),
+    });
+    const fetchSpy = mock(() =>
+      Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: "new-jira-access",
+            token_type: "Bearer",
+            expires_in: 3600,
+            refresh_token: "new-jira-refresh",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      ),
+    );
+    globalThis.fetch = fetchSpy;
+    await Promise.all([
+      ensureTokenOrThrow("jira", 65 * 60 * 1000),
+      ensureTokenOrThrow("jira", 65 * 60 * 1000),
+      ensureTokenOrThrow("jira", 65 * 60 * 1000),
+    ]);
+    expect(fetchSpy).toHaveBeenCalledTimes(1);
+    const tokens = getOAuthTokens("jira");
+    expect(tokens?.accessToken).toBe("new-jira-access");
+    expect(tokens?.refreshToken).toBe("new-jira-refresh");
+  });
   test("rejects a Jira refresh response that omits the rotated refresh token", async () => {
     storeOAuthTokens("jira", {
       accessToken: "old-jira-access",

package/src/tests/http-log-scrubbing.test.ts ADDED Viewed

@@ -0,0 +1,24 @@
+import { describe, expect, test } from "bun:test";
+import { safeRequestUrlForLog } from "../http/utils";
+describe("safeRequestUrlForLog", () => {
+  test("redacts OAuth callback query values", () => {
+    expect(
+      safeRequestUrlForLog(
+        "/api/trackers/jira/callback?state=opaque-state-value&code=oauth-code-value",
+      ),
+    ).toBe("/api/trackers/jira/callback?state=[REDACTED]&code=[REDACTED]");
+  });
+  test("preserves paths without query strings", () => {
+    expect(safeRequestUrlForLog("/api/trackers/jira/authorize")).toBe(
+      "/api/trackers/jira/authorize",
+    );
+  });
+  test("redacts every query parameter value in order", () => {
+    expect(safeRequestUrlForLog("/mcp?session=abc&session=def&token=secret")).toBe(
+      "/mcp?session=[REDACTED]&session=[REDACTED]&token=[REDACTED]",
+    );
+  });
+});

package/src/tests/http-users.test.ts CHANGED Viewed

@@ -439,6 +439,26 @@ describe("GET /api/users/unmapped", () => {
     expect(body.unmapped[0]!.count).toBe(5);
     expect(body.unmapped[1]!.externalId).toBe("U_LOW");
   });
+  test("default unmapped list includes Kapso sender identities", async () => {
+    const ns = "integration:unmapped:kapso";
+    upsertKv({
+      namespace: ns,
+      key: "34679077777:meta",
+      value: { lastSeenAt: "2026-05-20T00:00:00Z", sampleEventType: "kapso.message.received" },
+      valueType: "json",
+    });
+    upsertKv({ namespace: ns, key: "34679077777:count", value: 1, valueType: "integer" });
+    const r = await authedFetch("/api/users/unmapped");
+    expect(r.status).toBe(200);
+    const body = (await r.json()) as {
+      unmapped: Array<{ kind: string; externalId: string }>;
+    };
+    expect(body.unmapped).toContainEqual(
+      expect.objectContaining({ kind: "kapso", externalId: "34679077777" }),
+    );
+  });
 });
 describe("POST /api/users/unmapped/:kind/:externalId/resolve", () => {
@@ -482,6 +502,39 @@ describe("POST /api/users/unmapped/:kind/:externalId/resolve", () => {
     expect(user.identities).toContainEqual({ kind: "github", externalId: "ghuser" });
   });
+  test("create-new branch supports phone-only Kapso contacts without email", async () => {
+    const ns = "integration:unmapped:kapso";
+    upsertKv({
+      namespace: ns,
+      key: "34679077777:meta",
+      value: { lastSeenAt: "x", sampleEventType: "kapso.message.received" },
+      valueType: "json",
+    });
+    upsertKv({ namespace: ns, key: "34679077777:count", value: 1, valueType: "integer" });
+    const r = await authedFetch("/api/users/unmapped/kapso/34679077777/resolve", {
+      method: "POST",
+      body: JSON.stringify({
+        name: "Taras",
+        notes: "WhatsApp: +34 679 077 777 (E.164: 34679077777)",
+      }),
+    });
+    expect(r.status).toBe(200);
+    const { user } = (await r.json()) as {
+      user: {
+        id: string;
+        name: string;
+        email?: string;
+        notes?: string;
+        identities: Array<{ kind: string; externalId: string }>;
+      };
+    };
+    expect(user.name).toBe("Taras");
+    expect(user.email).toBeUndefined();
+    expect(user.notes).toContain("E.164: 34679077777");
+    expect(user.identities).toContainEqual({ kind: "kapso", externalId: "34679077777" });
+  });
   test("URL-encoded externalId is decoded — kv rows clear, identity stored decoded", async () => {
     // Mimics an AgentMail/Linear @handle entry that contains `@` (or any
     // URL-reserved char). Kv keys are written by the webhook with the literal

package/src/tests/kapso-inbound.test.ts CHANGED Viewed

@@ -1,7 +1,8 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import crypto from "node:crypto";
 import type { IncomingMessage, ServerResponse } from "node:http";
-import { closeDb, createAgent, getTaskById, initDb } from "../be/db";
+import { closeDb, createAgent, createUser, getKv, getTaskById, initDb } from "../be/db";
+import { findUserByExternalId, linkIdentity } from "../be/users";
 import { handleWebhooks } from "../http/webhooks";
 import { putKapsoNumberMapping } from "../integrations/kapso/config";
 import { routeKapsoInbound } from "../integrations/kapso/inbound";
@@ -107,6 +108,64 @@ describe("routeKapsoInbound", () => {
     expect(task!.task).toContain("## Source: WhatsApp (Kapso)");
   });
+  test("known Kapso sender → populates requestedByUserId and skips unmapped tracker", () => {
+    putKapsoNumberMapping({
+      phoneNumberId: "pn-known-sender",
+      agentId,
+      createdAt: new Date().toISOString(),
+    });
+    const user = createUser({ name: "Known WhatsApp Sender" });
+    linkIdentity(user.id, "kapso", "34679077778", { kind: "system", id: "test-fixture" });
+    const routing = routeKapsoInbound(
+      makePayload({
+        phoneNumberId: "pn-known-sender",
+        messageId: "wamid.KNOWN_SENDER",
+        from: "+34 679 077 778",
+        conversationId: "conv-known-sender",
+      }),
+    );
+    expect(routing.kind).toBe("task");
+    if (routing.kind !== "task") throw new Error("expected task");
+    const task = getTaskById(routing.taskId);
+    expect(task!.requestedByUserId).toBe(user.id);
+    expect(getKv("integration:unmapped:kapso", "34679077778:meta")).toBeNull();
+  });
+  test("unknown Kapso sender → records unmapped identity and leaves task unowned", () => {
+    putKapsoNumberMapping({
+      phoneNumberId: "pn-unknown-sender",
+      agentId,
+      createdAt: new Date().toISOString(),
+    });
+    expect(findUserByExternalId("kapso", "34679077779")).toBeNull();
+    const routing = routeKapsoInbound(
+      makePayload({
+        phoneNumberId: "pn-unknown-sender",
+        messageId: "wamid.UNKNOWN_SENDER",
+        from: "+34 679 077 779",
+        conversationId: "conv-unknown-sender",
+      }),
+    );
+    expect(routing.kind).toBe("task");
+    if (routing.kind !== "task") throw new Error("expected task");
+    const task = getTaskById(routing.taskId);
+    expect(task!.requestedByUserId).toBeUndefined();
+    const meta = getKv("integration:unmapped:kapso", "34679077779:meta");
+    expect(meta?.valueType).toBe("json");
+    expect(meta?.value).toMatchObject({
+      sampleEventType: "kapso.message.received",
+    });
+    expect(String(meta?.value.sampleContext)).toContain("contact=Taras");
+    expect(String(meta?.value.sampleContext)).toContain("message=wamid.UNKNOWN_SENDER");
+    const count = getKv("integration:unmapped:kapso", "34679077779:count");
+    expect(count?.value).toBe(1);
+  });
   test("no mapping → no_mapping (does not break, no task)", () => {
     const routing = routeKapsoInbound(makePayload({ phoneNumberId: "pn-unregistered" }));
     expect(routing.kind).toBe("no_mapping");

package/src/tests/kv-page-proxy.test.ts CHANGED Viewed

@@ -52,6 +52,7 @@ beforeAll(async () => {
       ...process.env,
       PORT: String(TEST_PORT),
       DATABASE_PATH: TEST_DB_PATH,
+      AGENT_SWARM_API_KEY: API_KEY,
       API_KEY,
       PAGE_SESSION_SECRET: PAGE_SECRET,
       MCP_BASE_URL: `http://127.0.0.1:${TEST_PORT}`,

package/src/tests/list-endpoint-slimming.test.ts CHANGED Viewed

@@ -5,6 +5,7 @@ import {
   createAgent,
   createPage,
   createScheduledTask,
+  createSessionCost,
   createTaskExtended,
   createWorkflow,
   getAllAgents,
@@ -145,7 +146,25 @@ describe("list-endpoint slimming", () => {
   test("getAllTasks — slim truncates task text and drops heavy blobs", () => {
     const longText = "Z".repeat(2000);
-    createTaskExtended(longText, { agentId: "slim-agent-1" });
+    const task = createTaskExtended(longText, { agentId: "slim-agent-1" });
+    createSessionCost({
+      sessionId: "slim-cost-session-1",
+      taskId: task.id,
+      agentId: "slim-agent-1",
+      totalCostUsd: 0.0123,
+      durationMs: 1000,
+      numTurns: 1,
+      model: "test-model",
+    });
+    createSessionCost({
+      sessionId: "slim-cost-session-2",
+      taskId: task.id,
+      agentId: "slim-agent-1",
+      totalCostUsd: 0.0045,
+      durationMs: 1000,
+      numTurns: 1,
+      model: "test-model",
+    });
     const slim = getAllTasks({}, { slim: true });
     const slimTask = slim.find((t) => t.task.startsWith("Z"));
@@ -155,10 +174,12 @@ describe("list-endpoint slimming", () => {
     expect("output" in slimTask!).toBe(false);
     expect("failureReason" in slimTask!).toBe(false);
     expect("providerMeta" in slimTask!).toBe(false);
+    expect(slimTask?.totalCostUsd).toBeCloseTo(0.0168, 6);
     const full = getAllTasks({}).find((t) => t.task === longText);
     expect(full).toBeDefined();
     expect(full?.task).toBe(longText);
+    expect(full?.totalCostUsd).toBeCloseTo(0.0168, 6);
   });
   test("listRecentSessions — slim root is a truncated task summary", () => {

package/src/tests/oauth-access-token-tool.test.ts ADDED Viewed

@@ -0,0 +1,138 @@
+import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, mock, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import { closeDb, initDb } from "../be/db";
+import {
+  deleteOAuthTokens,
+  getOAuthTokens,
+  storeOAuthTokens,
+  upsertOAuthApp,
+} from "../be/db-queries/oauth";
+import { resolveOAuthAccessToken } from "../tools/oauth-access-token";
+import {
+  clearVolatileSecretsForTesting,
+  refreshSecretScrubberCache,
+  scrubSecrets,
+} from "../utils/secret-scrubber";
+const TEST_DB_PATH = "./test-oauth-access-token-tool.sqlite";
+const originalFetch = globalThis.fetch;
+const testApp = {
+  clientId: "client-id",
+  clientSecret: "client-secret",
+  authorizeUrl: "https://example.com/oauth/authorize",
+  tokenUrl: "https://example.com/oauth/token",
+  redirectUri: "http://localhost:3013/callback",
+  scopes: "read,write",
+};
+beforeAll(() => {
+  initDb(TEST_DB_PATH);
+  upsertOAuthApp("linear", testApp);
+  upsertOAuthApp("jira", {
+    ...testApp,
+    tokenUrl: "https://example.com/jira/oauth/token",
+  });
+  upsertOAuthApp("custom-provider", {
+    ...testApp,
+    tokenUrl: "https://example.com/custom/oauth/token",
+  });
+});
+beforeEach(() => {
+  deleteOAuthTokens("linear");
+  deleteOAuthTokens("jira");
+  deleteOAuthTokens("custom-provider");
+  globalThis.fetch = originalFetch;
+  clearVolatileSecretsForTesting();
+  refreshSecretScrubberCache();
+});
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+  clearVolatileSecretsForTesting();
+  refreshSecretScrubberCache();
+});
+afterAll(async () => {
+  globalThis.fetch = originalFetch;
+  closeDb();
+  await unlink(TEST_DB_PATH).catch(() => {});
+  await unlink(`${TEST_DB_PATH}-wal`).catch(() => {});
+  await unlink(`${TEST_DB_PATH}-shm`).catch(() => {});
+});
+describe("resolveOAuthAccessToken", () => {
+  test("returns a fresh access token and registers it for scrubber redaction", async () => {
+    const accessToken = "linear-access-token-plain-value-1234567890";
+    storeOAuthTokens("linear", {
+      accessToken,
+      refreshToken: "linear-refresh-token",
+      expiresAt: new Date(Date.now() + 3600_000).toISOString(),
+    });
+    const result = await resolveOAuthAccessToken("linear");
+    expect(result).toEqual({
+      provider: "linear",
+      accessToken,
+      expiresAt: result.expiresAt,
+      tokenType: "Bearer",
+    });
+    expect(scrubSecrets(`Authorization: Bearer ${accessToken}`)).toBe(
+      "Authorization: Bearer [REDACTED:LINEAR_OAUTH_ACCESS_TOKEN]",
+    );
+  });
+  test("supports any configured OAuth provider slug", async () => {
+    storeOAuthTokens("custom-provider", {
+      accessToken: "custom-provider-access-token-plain-value",
+      refreshToken: "custom-provider-refresh-token",
+      expiresAt: new Date(Date.now() + 3600_000).toISOString(),
+    });
+    const result = await resolveOAuthAccessToken("custom-provider");
+    expect(result.provider).toBe("custom-provider");
+    expect(result.accessToken).toBe("custom-provider-access-token-plain-value");
+  });
+  test("refreshes Jira before returning a near-expiry token", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "old-jira-access-token",
+      refreshToken: "old-jira-refresh-token",
+      expiresAt: new Date(Date.now() + 60_000).toISOString(),
+    });
+    const fetchSpy = mock(() =>
+      Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: "new-jira-access-token-plain-value",
+            token_type: "Bearer",
+            expires_in: 3600,
+            refresh_token: "new-jira-refresh-token",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      ),
+    );
+    globalThis.fetch = fetchSpy;
+    const result = await resolveOAuthAccessToken("jira");
+    expect(fetchSpy).toHaveBeenCalledTimes(1);
+    expect(result.accessToken).toBe("new-jira-access-token-plain-value");
+    expect(getOAuthTokens("jira")?.refreshToken).toBe("new-jira-refresh-token");
+  });
+  test("rejects a near-expiry token when no refresh token is available", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "stale-jira-access-token",
+      refreshToken: null,
+      expiresAt: new Date(Date.now() + 60_000).toISOString(),
+    });
+    await expect(resolveOAuthAccessToken("jira")).rejects.toThrow(/could not be refreshed/);
+  });
+});

package/src/tests/pagination-metrics.test.ts CHANGED Viewed

@@ -47,6 +47,8 @@ describe("pagination metrics", () => {
   });
   test("getTasksCount is filter-aware and independent of limit/offset", () => {
+    const totalBefore = getTasksCount();
     for (let i = 0; i < 7; i++) {
       createTaskExtended(`alpha task ${i}`, { tags: ["alpha"] });
     }
@@ -66,7 +68,7 @@ describe("pagination metrics", () => {
     expect(getTasksCount({ tags: ["alpha"], limit: 2, offset: 0 })).toBe(7);
     // The unfiltered count covers every task created above.
-    expect(getTasksCount()).toBe(10);
+    expect(getTasksCount() - totalBefore).toBe(10);
   });
   test("getTasksCount filter-aware on search", () => {
@@ -123,9 +125,7 @@ describe("pagination metrics", () => {
     expect(countSessions({ source: ["slack"] }) - slackBefore).toBe(2);
     expect(countSessions({ source: ["mcp", "slack"] }) - bothBefore).toBe(7);
     // q filter narrows on top of source.
-    expect(countSessions({ source: ["slack"], q: "slack session" })).toBe(
-      countSessions({ source: ["slack"] }),
-    );
+    expect(countSessions({ source: ["slack"], q: "slack session" }) - slackBefore).toBe(2);
     expect(countSessions({ q: "no-such-session-marker-zzz" })).toBe(0);
   });