@desplega.ai/agent-swarm 1.84.1 → 1.85.0

package/src/tests/db-queries-oauth.test.ts

@@ -2,10 +2,12 @@ import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import { unlink } from "node:fs/promises";
 import { closeDb, initDb } from "../be/db";
 import {
+  acquireOAuthRefreshLock,
   deleteOAuthTokens,
   getOAuthApp,
   getOAuthTokens,
   isTokenExpiringSoon,
+  releaseOAuthRefreshLock,
   storeOAuthTokens,
   updateOAuthTokensAfterRefresh,
   upsertOAuthApp,
@@ -238,3 +240,28 @@ describe("isTokenExpiringSoon", () => {
     expect(isTokenExpiringSoon("expiry-test", 180000)).toBe(true);
   });
 });
+
+describe("OAuth refresh locks", () => {
+  test("allows only one owner until the lock is released", () => {
+    const owner = acquireOAuthRefreshLock("lock-test", 60_000);
+    expect(typeof owner).toBe("string");
+
+    expect(acquireOAuthRefreshLock("lock-test", 60_000)).toBeNull();
+
+    releaseOAuthRefreshLock("lock-test", owner!);
+    const nextOwner = acquireOAuthRefreshLock("lock-test", 60_000);
+    expect(typeof nextOwner).toBe("string");
+    releaseOAuthRefreshLock("lock-test", nextOwner!);
+  });
+
+  test("allows a new owner after the lock expires", () => {
+    const expiredOwner = acquireOAuthRefreshLock("expired-lock-test", -1_000);
+    expect(typeof expiredOwner).toBe("string");
+
+    const nextOwner = acquireOAuthRefreshLock("expired-lock-test", 60_000);
+    expect(typeof nextOwner).toBe("string");
+    expect(nextOwner).not.toBe(expiredOwner);
+
+    releaseOAuthRefreshLock("expired-lock-test", nextOwner!);
+  });
+});

package/src/tests/ensure-token.test.ts

@@ -300,6 +300,77 @@ describe("ensureTokenOrThrow", () => {
     expect(tokens?.refreshToken).toBe("new-jira-refresh");
   });
 
+  test("serializes concurrent Jira refresh callers before the token endpoint", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "old-jira-access",
+      refreshToken: "old-jira-refresh",
+      expiresAt: new Date(Date.now() + 60 * 1000).toISOString(),
+    });
+
+    const fetchSpy = mock(() =>
+      Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: "new-jira-access",
+            token_type: "Bearer",
+            expires_in: 3600,
+            refresh_token: "new-jira-refresh",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      ),
+    );
+    globalThis.fetch = fetchSpy;
+
+    await Promise.all([
+      ensureTokenOrThrow("jira"),
+      ensureTokenOrThrow("jira"),
+      ensureTokenOrThrow("jira"),
+    ]);
+
+    expect(fetchSpy).toHaveBeenCalledTimes(1);
+    const [_url, init] = fetchSpy.mock.calls[0] as [string, RequestInit];
+    expect(init.body).toContain("refresh_token=old-jira-refresh");
+
+    const tokens = getOAuthTokens("jira");
+    expect(tokens?.accessToken).toBe("new-jira-access");
+    expect(tokens?.refreshToken).toBe("new-jira-refresh");
+  });
+
+  test("does not rotate again when a concurrent caller already changed the token row", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "old-jira-access",
+      refreshToken: "old-jira-refresh",
+      expiresAt: new Date(Date.now() + 60 * 1000).toISOString(),
+    });
+
+    const fetchSpy = mock(() =>
+      Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: "new-jira-access",
+            token_type: "Bearer",
+            expires_in: 3600,
+            refresh_token: "new-jira-refresh",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      ),
+    );
+    globalThis.fetch = fetchSpy;
+
+    await Promise.all([
+      ensureTokenOrThrow("jira", 65 * 60 * 1000),
+      ensureTokenOrThrow("jira", 65 * 60 * 1000),
+      ensureTokenOrThrow("jira", 65 * 60 * 1000),
+    ]);
+
+    expect(fetchSpy).toHaveBeenCalledTimes(1);
+    const tokens = getOAuthTokens("jira");
+    expect(tokens?.accessToken).toBe("new-jira-access");
+    expect(tokens?.refreshToken).toBe("new-jira-refresh");
+  });
+
   test("rejects a Jira refresh response that omits the rotated refresh token", async () => {
     storeOAuthTokens("jira", {
       accessToken: "old-jira-access",

package/src/tests/http-log-scrubbing.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, test } from "bun:test";
+import { safeRequestUrlForLog } from "../http/utils";
+
+describe("safeRequestUrlForLog", () => {
+  test("redacts OAuth callback query values", () => {
+    expect(
+      safeRequestUrlForLog(
+        "/api/trackers/jira/callback?state=opaque-state-value&code=oauth-code-value",
+      ),
+    ).toBe("/api/trackers/jira/callback?state=[REDACTED]&code=[REDACTED]");
+  });
+
+  test("preserves paths without query strings", () => {
+    expect(safeRequestUrlForLog("/api/trackers/jira/authorize")).toBe(
+      "/api/trackers/jira/authorize",
+    );
+  });
+
+  test("redacts every query parameter value in order", () => {
+    expect(safeRequestUrlForLog("/mcp?session=abc&session=def&token=secret")).toBe(
+      "/mcp?session=[REDACTED]&session=[REDACTED]&token=[REDACTED]",
+    );
+  });
+});

package/src/tests/list-endpoint-slimming.test.ts

@@ -5,6 +5,7 @@ import {
   createAgent,
   createPage,
   createScheduledTask,
+  createSessionCost,
   createTaskExtended,
   createWorkflow,
   getAllAgents,
@@ -145,7 +146,25 @@ describe("list-endpoint slimming", () => {
 
   test("getAllTasks — slim truncates task text and drops heavy blobs", () => {
     const longText = "Z".repeat(2000);
-    createTaskExtended(longText, { agentId: "slim-agent-1" });
+    const task = createTaskExtended(longText, { agentId: "slim-agent-1" });
+    createSessionCost({
+      sessionId: "slim-cost-session-1",
+      taskId: task.id,
+      agentId: "slim-agent-1",
+      totalCostUsd: 0.0123,
+      durationMs: 1000,
+      numTurns: 1,
+      model: "test-model",
+    });
+    createSessionCost({
+      sessionId: "slim-cost-session-2",
+      taskId: task.id,
+      agentId: "slim-agent-1",
+      totalCostUsd: 0.0045,
+      durationMs: 1000,
+      numTurns: 1,
+      model: "test-model",
+    });
 
     const slim = getAllTasks({}, { slim: true });
     const slimTask = slim.find((t) => t.task.startsWith("Z"));
@@ -155,10 +174,12 @@ describe("list-endpoint slimming", () => {
     expect("output" in slimTask!).toBe(false);
     expect("failureReason" in slimTask!).toBe(false);
     expect("providerMeta" in slimTask!).toBe(false);
+    expect(slimTask?.totalCostUsd).toBeCloseTo(0.0168, 6);
 
     const full = getAllTasks({}).find((t) => t.task === longText);
     expect(full).toBeDefined();
     expect(full?.task).toBe(longText);
+    expect(full?.totalCostUsd).toBeCloseTo(0.0168, 6);
   });
 
   test("listRecentSessions — slim root is a truncated task summary", () => {

package/src/tests/oauth-access-token-tool.test.ts

@@ -0,0 +1,138 @@
+import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, mock, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import { closeDb, initDb } from "../be/db";
+import {
+  deleteOAuthTokens,
+  getOAuthTokens,
+  storeOAuthTokens,
+  upsertOAuthApp,
+} from "../be/db-queries/oauth";
+import { resolveOAuthAccessToken } from "../tools/oauth-access-token";
+import {
+  clearVolatileSecretsForTesting,
+  refreshSecretScrubberCache,
+  scrubSecrets,
+} from "../utils/secret-scrubber";
+
+const TEST_DB_PATH = "./test-oauth-access-token-tool.sqlite";
+const originalFetch = globalThis.fetch;
+
+const testApp = {
+  clientId: "client-id",
+  clientSecret: "client-secret",
+  authorizeUrl: "https://example.com/oauth/authorize",
+  tokenUrl: "https://example.com/oauth/token",
+  redirectUri: "http://localhost:3013/callback",
+  scopes: "read,write",
+};
+
+beforeAll(() => {
+  initDb(TEST_DB_PATH);
+  upsertOAuthApp("linear", testApp);
+  upsertOAuthApp("jira", {
+    ...testApp,
+    tokenUrl: "https://example.com/jira/oauth/token",
+  });
+  upsertOAuthApp("custom-provider", {
+    ...testApp,
+    tokenUrl: "https://example.com/custom/oauth/token",
+  });
+});
+
+beforeEach(() => {
+  deleteOAuthTokens("linear");
+  deleteOAuthTokens("jira");
+  deleteOAuthTokens("custom-provider");
+  globalThis.fetch = originalFetch;
+  clearVolatileSecretsForTesting();
+  refreshSecretScrubberCache();
+});
+
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+  clearVolatileSecretsForTesting();
+  refreshSecretScrubberCache();
+});
+
+afterAll(async () => {
+  globalThis.fetch = originalFetch;
+  closeDb();
+  await unlink(TEST_DB_PATH).catch(() => {});
+  await unlink(`${TEST_DB_PATH}-wal`).catch(() => {});
+  await unlink(`${TEST_DB_PATH}-shm`).catch(() => {});
+});
+
+describe("resolveOAuthAccessToken", () => {
+  test("returns a fresh access token and registers it for scrubber redaction", async () => {
+    const accessToken = "linear-access-token-plain-value-1234567890";
+    storeOAuthTokens("linear", {
+      accessToken,
+      refreshToken: "linear-refresh-token",
+      expiresAt: new Date(Date.now() + 3600_000).toISOString(),
+    });
+
+    const result = await resolveOAuthAccessToken("linear");
+
+    expect(result).toEqual({
+      provider: "linear",
+      accessToken,
+      expiresAt: result.expiresAt,
+      tokenType: "Bearer",
+    });
+    expect(scrubSecrets(`Authorization: Bearer ${accessToken}`)).toBe(
+      "Authorization: Bearer [REDACTED:LINEAR_OAUTH_ACCESS_TOKEN]",
+    );
+  });
+
+  test("supports any configured OAuth provider slug", async () => {
+    storeOAuthTokens("custom-provider", {
+      accessToken: "custom-provider-access-token-plain-value",
+      refreshToken: "custom-provider-refresh-token",
+      expiresAt: new Date(Date.now() + 3600_000).toISOString(),
+    });
+
+    const result = await resolveOAuthAccessToken("custom-provider");
+
+    expect(result.provider).toBe("custom-provider");
+    expect(result.accessToken).toBe("custom-provider-access-token-plain-value");
+  });
+
+  test("refreshes Jira before returning a near-expiry token", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "old-jira-access-token",
+      refreshToken: "old-jira-refresh-token",
+      expiresAt: new Date(Date.now() + 60_000).toISOString(),
+    });
+
+    const fetchSpy = mock(() =>
+      Promise.resolve(
+        new Response(
+          JSON.stringify({
+            access_token: "new-jira-access-token-plain-value",
+            token_type: "Bearer",
+            expires_in: 3600,
+            refresh_token: "new-jira-refresh-token",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      ),
+    );
+    globalThis.fetch = fetchSpy;
+
+    const result = await resolveOAuthAccessToken("jira");
+
+    expect(fetchSpy).toHaveBeenCalledTimes(1);
+    expect(result.accessToken).toBe("new-jira-access-token-plain-value");
+    expect(getOAuthTokens("jira")?.refreshToken).toBe("new-jira-refresh-token");
+  });
+
+  test("rejects a near-expiry token when no refresh token is available", async () => {
+    storeOAuthTokens("jira", {
+      accessToken: "stale-jira-access-token",
+      refreshToken: null,
+      expiresAt: new Date(Date.now() + 60_000).toISOString(),
+    });
+
+    await expect(resolveOAuthAccessToken("jira")).rejects.toThrow(/could not be refreshed/);
+  });
+});

package/src/tests/pi-mono-adapter.test.ts

@@ -1,7 +1,12 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import { existsSync, mkdirSync, readFileSync, rmSync, symlinkSync, writeFileSync } from "node:fs";
 import { join } from "node:path";
-import { createPiRuntimeAuth, PiMonoAdapter, resolveModel } from "../providers/pi-mono-adapter";
+import {
+  createPiRuntimeAuth,
+  extractPiAssistantText,
+  PiMonoAdapter,
+  resolveModel,
+} from "../providers/pi-mono-adapter";
 
 describe("PiMonoAdapter", () => {
   test("name is 'pi'", () => {
@@ -198,6 +203,37 @@ describe("createPiRuntimeAuth", () => {
 });
 
 describe("Pi-mono event normalization", () => {
+  test("extractPiAssistantText ignores user messages", () => {
+    const text = extractPiAssistantText({
+      role: "user",
+      content: "/skill:work-on-task task-123\n\nTask: hello",
+    });
+
+    expect(text).toBe("");
+  });
+
+  test("extractPiAssistantText extracts assistant text blocks", () => {
+    const text = extractPiAssistantText({
+      role: "assistant",
+      content: [
+        { type: "text", text: "Hello, " },
+        { type: "thinking", thinking: "hidden" },
+        { type: "text", text: "world!" },
+      ],
+    });
+
+    expect(text).toBe("Hello, world!");
+  });
+
+  test("extractPiAssistantText supports string assistant content", () => {
+    const text = extractPiAssistantText({
+      role: "assistant",
+      content: "Plain assistant output",
+    });
+
+    expect(text).toBe("Plain assistant output");
+  });
+
   test("message_update with text content produces raw_log-style data", () => {
     // Simulates what PiMonoSession.handleAgentEvent does
     const event = {

package/src/tests/runner-fallback-output.test.ts

@@ -1,76 +1,70 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
-import { createServer as createHttpServer, type Server } from "node:http";
 import {
   type ApiConfig,
   ensureTaskFinished,
   handleStructuredOutputFallback,
 } from "../commands/runner";
 
-const TEST_PORT = 13099;
-
 // Configurable mock responses per test
 let mockGetTask: Record<string, unknown> | null = null;
 let mockGetTaskStatus = 200;
 let lastFinishBody: Record<string, unknown> | null = null;
 let mockFinishResponse: Record<string, unknown> = { success: true };
+let mockFetchError: Error | null = null;
+let originalFetch: typeof fetch;
 
 function resetMocks() {
   mockGetTask = null;
   mockGetTaskStatus = 200;
   lastFinishBody = null;
   mockFinishResponse = { success: true };
+  mockFetchError = null;
 }
 
-let server: Server;
-
-function makeConfig(port = TEST_PORT): ApiConfig {
+function makeConfig(): ApiConfig {
   return {
-    apiUrl: `http://localhost:${port}`,
+    apiUrl: "http://runner-fallback.test",
     apiKey: "test-key",
     agentId: "test-agent-id",
   };
 }
 
-beforeAll(async () => {
-  server = createHttpServer(async (req, res) => {
-    const chunks: Buffer[] = [];
-    for await (const chunk of req) {
-      chunks.push(chunk);
-    }
-    const body = Buffer.concat(chunks).toString();
-    const url = req.url || "";
+beforeAll(() => {
+  originalFetch = globalThis.fetch;
+  globalThis.fetch = (async (input, init) => {
+    if (mockFetchError) throw mockFetchError;
 
-    // GET /api/tasks/:id
-    if (req.method === "GET" && /^\/api\/tasks\/[^/]+$/.test(url)) {
+    const url = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+    const parsedUrl = new URL(url);
+    const method = init?.method ?? "GET";
+
+    if (method === "GET" && /^\/api\/tasks\/[^/]+$/.test(parsedUrl.pathname)) {
       if (!mockGetTask) {
-        res.writeHead(mockGetTaskStatus);
-        res.end(JSON.stringify({ error: "Not found" }));
-        return;
+        return new Response(JSON.stringify({ error: "Not found" }), {
+          status: mockGetTaskStatus,
+        });
       }
-      res.writeHead(mockGetTaskStatus, { "Content-Type": "application/json" });
-      res.end(JSON.stringify(mockGetTask));
-      return;
+      return new Response(JSON.stringify(mockGetTask), {
+        status: mockGetTaskStatus,
+        headers: { "Content-Type": "application/json" },
+      });
     }
 
-    // POST /api/tasks/:id/finish
-    if (req.method === "POST" && /^\/api\/tasks\/[^/]+\/finish$/.test(url)) {
+    if (method === "POST" && /^\/api\/tasks\/[^/]+\/finish$/.test(parsedUrl.pathname)) {
+      const body = typeof init?.body === "string" ? init.body : "";
       lastFinishBody = body ? JSON.parse(body) : null;
-      res.writeHead(200, { "Content-Type": "application/json" });
-      res.end(JSON.stringify(mockFinishResponse));
-      return;
+      return new Response(JSON.stringify(mockFinishResponse), {
+        status: 200,
+        headers: { "Content-Type": "application/json" },
+      });
     }
 
-    res.writeHead(404);
-    res.end("Not found");
-  });
-
-  await new Promise<void>((resolve) => {
-    server.listen(TEST_PORT, () => resolve());
-  });
+    return new Response("Not found", { status: 404 });
+  }) as typeof fetch;
 });
 
 afterAll(() => {
-  server.close();
+  globalThis.fetch = originalFetch;
 });
 
 describe("handleStructuredOutputFallback", () => {
@@ -175,10 +169,9 @@ describe("handleStructuredOutputFallback", () => {
 
   test("returns fetch-error on network error", async () => {
     resetMocks();
-    // Use a port that nothing listens on
-    const badConfig = makeConfig(19999);
+    mockFetchError = new Error("network down");
 
-    const result = await handleStructuredOutputFallback(badConfig, "task-7", "claude");
+    const result = await handleStructuredOutputFallback(makeConfig(), "task-7", "claude");
     expect(result.kind).toBe("fetch-error");
     expect((result as { kind: "fetch-error"; error: string }).error).toBeTruthy();
   });
@@ -227,6 +220,92 @@ describe("ensureTaskFinished", () => {
     expect(lastFinishBody!.output).toBe("Process completed successfully (no output captured)");
   });
 
+  test("uses provider output when no outputSchema exists", async () => {
+    resetMocks();
+    mockGetTask = {
+      id: "task-provider-output",
+      task: "Do work",
+      status: "in_progress",
+      output: null,
+      progress: null,
+      logs: [],
+    };
+
+    await ensureTaskFinished(
+      makeConfig(),
+      "worker",
+      "task-provider-output",
+      0,
+      undefined,
+      "Provider final answer",
+      "pi",
+    );
+
+    expect(lastFinishBody).toBeTruthy();
+    expect(lastFinishBody!.status).toBe("completed");
+    expect(lastFinishBody!.output).toBe("Provider final answer");
+  });
+
+  test("accepts provider output that satisfies outputSchema", async () => {
+    resetMocks();
+    mockGetTask = {
+      id: "task-provider-schema-valid",
+      task: "Do work",
+      status: "in_progress",
+      output: null,
+      outputSchema: {
+        type: "object",
+        required: ["result"],
+        properties: { result: { type: "string" } },
+      },
+      logs: [],
+    };
+
+    await ensureTaskFinished(
+      makeConfig(),
+      "worker",
+      "task-provider-schema-valid",
+      0,
+      undefined,
+      '{"result":"ok"}',
+      "pi",
+    );
+
+    expect(lastFinishBody).toBeTruthy();
+    expect(lastFinishBody!.status).toBe("completed");
+    expect(lastFinishBody!.output).toBe('{"result":"ok"}');
+  });
+
+  test("fails provider output that violates outputSchema", async () => {
+    resetMocks();
+    mockGetTask = {
+      id: "task-provider-schema-invalid",
+      task: "Do work",
+      status: "in_progress",
+      output: null,
+      outputSchema: {
+        type: "object",
+        required: ["result"],
+        properties: { result: { type: "string" } },
+      },
+      logs: [],
+    };
+
+    await ensureTaskFinished(
+      makeConfig(),
+      "worker",
+      "task-provider-schema-invalid",
+      0,
+      undefined,
+      "plain text",
+      "pi",
+    );
+
+    expect(lastFinishBody).toBeTruthy();
+    expect(lastFinishBody!.status).toBe("failed");
+    expect(lastFinishBody!.failureReason).toContain("outputSchema");
+  });
+
   test("sets failed status for schema-fail fallback", async () => {
     resetMocks();
     mockGetTask = {