@desplega.ai/agent-swarm 1.88.0 → 1.89.0

package/src/tests/runner-repo-autostash.test.ts

@@ -0,0 +1,117 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { execFile } from "node:child_process";
+import { mkdir, mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { promisify } from "node:util";
+import { ensureRepoForTask } from "../commands/runner";
+
+const execFileAsync = promisify(execFile);
+
+let tempRoot = "";
+
+async function git(cwd: string, args: string[]): Promise<string> {
+  const { stdout } = await execFileAsync("git", ["-C", cwd, ...args]);
+  return stdout;
+}
+
+async function gitRaw(args: string[]): Promise<void> {
+  await execFileAsync("git", args);
+}
+
+async function commitAll(cwd: string, message: string): Promise<void> {
+  await git(cwd, ["add", "."]);
+  await git(cwd, ["commit", "-m", message]);
+}
+
+async function configureIdentity(cwd: string): Promise<void> {
+  await git(cwd, ["config", "user.email", "test@example.com"]);
+  await git(cwd, ["config", "user.name", "Test User"]);
+}
+
+describe("ensureRepoForTask auto-stash refresh", () => {
+  beforeEach(async () => {
+    tempRoot = await mkdtemp(join(tmpdir(), "swarm-runner-autostash-"));
+  });
+
+  afterEach(async () => {
+    if (tempRoot) {
+      await rm(tempRoot, { recursive: true, force: true });
+    }
+  });
+
+  test("stashes dirty work with a swarm-autostash name before refreshing from origin", async () => {
+    const remotePath = join(tempRoot, "remote.git");
+    const upstreamPath = join(tempRoot, "upstream");
+    const clonePath = join(tempRoot, "clone");
+
+    await gitRaw(["init", "--bare", remotePath]);
+    await mkdir(upstreamPath);
+    await git(upstreamPath, ["init", "-b", "main"]);
+    await configureIdentity(upstreamPath);
+    await writeFile(join(upstreamPath, "README.md"), "initial\n");
+    await commitAll(upstreamPath, "initial commit");
+    await git(upstreamPath, ["remote", "add", "origin", remotePath]);
+    await git(upstreamPath, ["push", "-u", "origin", "main"]);
+
+    await gitRaw(["clone", "--branch", "main", remotePath, clonePath]);
+    await configureIdentity(clonePath);
+    await writeFile(join(clonePath, "README.md"), "local dirty change\n");
+    await writeFile(join(clonePath, "untracked.txt"), "local untracked\n");
+
+    await writeFile(join(upstreamPath, "remote.txt"), "remote change\n");
+    await commitAll(upstreamPath, "remote update");
+    await git(upstreamPath, ["push", "origin", "main"]);
+
+    const result = await ensureRepoForTask(
+      { url: remotePath, name: "repo", clonePath, defaultBranch: "main" },
+      "test",
+    );
+
+    expect(result.warning).toBeNull();
+    expect(result.autoStashes).toHaveLength(1);
+    expect(result.autoStashes[0]?.ref).toMatch(/^stash@\{\d+\}$/);
+    expect(result.autoStashes[0]?.message).toContain("swarm-autostash main ");
+    expect(await readFile(join(clonePath, "remote.txt"), "utf8")).toBe("remote change\n");
+    expect((await git(clonePath, ["status", "--porcelain"])).trim()).toBe("");
+
+    const stashList = await git(clonePath, ["stash", "list"]);
+    expect(stashList).toContain("swarm-autostash main ");
+    expect(stashList).toContain("On main:");
+  });
+
+  test("merges a clean divergent checkout with origin without hard reset", async () => {
+    const remotePath = join(tempRoot, "remote.git");
+    const upstreamPath = join(tempRoot, "upstream");
+    const clonePath = join(tempRoot, "clone");
+
+    await gitRaw(["init", "--bare", remotePath]);
+    await mkdir(upstreamPath);
+    await git(upstreamPath, ["init", "-b", "main"]);
+    await configureIdentity(upstreamPath);
+    await writeFile(join(upstreamPath, "README.md"), "initial\n");
+    await commitAll(upstreamPath, "initial commit");
+    await git(upstreamPath, ["remote", "add", "origin", remotePath]);
+    await git(upstreamPath, ["push", "-u", "origin", "main"]);
+
+    await gitRaw(["clone", "--branch", "main", remotePath, clonePath]);
+    await configureIdentity(clonePath);
+    await writeFile(join(clonePath, "local.txt"), "local commit\n");
+    await commitAll(clonePath, "local commit");
+
+    await writeFile(join(upstreamPath, "remote.txt"), "remote commit\n");
+    await commitAll(upstreamPath, "remote commit");
+    await git(upstreamPath, ["push", "origin", "main"]);
+
+    const result = await ensureRepoForTask(
+      { url: remotePath, name: "repo", clonePath, defaultBranch: "main" },
+      "test",
+    );
+
+    expect(result.warning).toBeNull();
+    expect(result.autoStashes).toEqual([]);
+    expect(await readFile(join(clonePath, "local.txt"), "utf8")).toBe("local commit\n");
+    expect(await readFile(join(clonePath, "remote.txt"), "utf8")).toBe("remote commit\n");
+    expect((await git(clonePath, ["status", "--porcelain"])).trim()).toBe("");
+  });
+});

package/src/tests/runner-requester-profile.test.ts

@@ -0,0 +1,25 @@
+import { describe, expect, test } from "bun:test";
+import { buildRequesterProfilePrompt } from "../commands/runner";
+
+describe("runner requester profile prompt", () => {
+  test("omits requester profile when no role or notes are set", async () => {
+    await expect(
+      buildRequesterProfilePrompt({ name: "Taras", email: "t@example.com" }),
+    ).resolves.toBe("");
+  });
+
+  test("formats requester role and free-text notes", async () => {
+    const prompt = await buildRequesterProfilePrompt({
+      name: "Taras",
+      email: "t@example.com",
+      role: "CEO",
+      notes: "Lead with the answer; keep updates terse.",
+    });
+
+    expect(prompt).toContain("## Requester Profile");
+    expect(prompt).toContain("This task was requested by Taras (CEO).");
+    expect(prompt).toContain("Their stated notes for how you should respond and act:");
+    expect(prompt).toContain("Lead with the answer; keep updates terse.");
+    expect(prompt).toContain("where it doesn't conflict with correctness or your operating rules");
+  });
+});

package/src/tests/runner-skills-refresh.test.ts

@@ -83,7 +83,7 @@ describe("refreshSkillsIfChanged", () => {
   function makeCtx(): SkillsRefreshContext {
     return {
       apiUrl: baseUrl,
-      swarmUrl: baseUrl,
+      swarmUrl: "app.agent-swarm.dev",
       apiKey: "test-key",
       agentId: "agent-1",
       role: "worker",

package/src/tests/swarm-x-tool.test.ts

@@ -0,0 +1,90 @@
+import { afterEach, describe, expect, mock, test } from "bun:test";
+import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
+import { registerSwarmXTool } from "../tools/swarm-x";
+import { clearVolatileSecretsForTesting } from "../utils/secret-scrubber";
+
+type RegisteredTool = {
+  handler: (args: unknown, extra: unknown) => Promise<unknown>;
+};
+
+const originalFetch = globalThis.fetch;
+const originalComposioKey = process.env.COMPOSIO_API_KEY;
+
+function jsonResponse(body: unknown, status = 200): Response {
+  return new Response(JSON.stringify(body), {
+    status,
+    headers: { "Content-Type": "application/json" },
+  });
+}
+
+function buildTool() {
+  const server = new McpServer({ name: "swarm-x-test", version: "1.0.0" });
+  registerSwarmXTool(server);
+  const registered = (server as unknown as { _registeredTools: Record<string, RegisteredTool> })
+    ._registeredTools;
+  const tool = registered.swarm_x;
+  if (!tool) throw new Error("swarm_x tool not registered");
+  return tool;
+}
+
+afterEach(() => {
+  globalThis.fetch = originalFetch;
+  if (originalComposioKey === undefined) delete process.env.COMPOSIO_API_KEY;
+  else process.env.COMPOSIO_API_KEY = originalComposioKey;
+  clearVolatileSecretsForTesting();
+});
+
+describe("swarm_x MCP tool", () => {
+  test("routes composio requests with server-side auth and scrubbed output", async () => {
+    process.env.COMPOSIO_API_KEY = "ck_tool_secret_value";
+    const fetchMock = mock(async (url: string | URL | Request, init?: RequestInit) => {
+      expect(String(url)).toBe("https://backend.composio.dev/api/v3.1/tools?limit=1");
+      expect(init?.method).toBe("GET");
+      expect((init?.headers as Record<string, string>)["x-api-key"]).toBe("ck_tool_secret_value");
+      return jsonResponse({ ok: true, token: "ck_tool_secret_value" });
+    });
+    globalThis.fetch = fetchMock;
+
+    const tool = buildTool();
+    const result = (await tool.handler(
+      {
+        target: "composio",
+        method: "GET",
+        path: "/tools",
+        query: { limit: 1 },
+      },
+      { sessionId: "s", requestInfo: { headers: {} } },
+    )) as {
+      isError?: boolean;
+      structuredContent: { ok: boolean; response: unknown; responseText: string };
+    };
+
+    expect(fetchMock).toHaveBeenCalledTimes(1);
+    expect(result.isError).toBe(false);
+    expect(result.structuredContent.ok).toBe(true);
+    expect(JSON.stringify(result.structuredContent.response)).toContain(
+      "[REDACTED:COMPOSIO_API_KEY]",
+    );
+    expect(result.structuredContent.responseText).not.toContain("ck_tool_secret_value");
+  });
+
+  test("rejects absolute composio paths", async () => {
+    process.env.COMPOSIO_API_KEY = "ck_tool_secret_value";
+    const fetchMock = mock(async () => jsonResponse({ ok: true }));
+    globalThis.fetch = fetchMock;
+
+    const tool = buildTool();
+    const result = (await tool.handler(
+      {
+        target: "composio",
+        method: "GET",
+        path: "https://evil.example/tools",
+      },
+      { sessionId: "s", requestInfo: { headers: {} } },
+    )) as { isError?: boolean; structuredContent: { message: string } };
+
+    expect(result.isError).toBe(true);
+    expect(result.structuredContent.message).toContain("endpoint must be a Composio API path");
+    expect(fetchMock).not.toHaveBeenCalled();
+  });
+});

package/src/tests/system-default-skills.test.ts

@@ -36,7 +36,9 @@ describe("system-default skills", () => {
     const skills = loadSeedSkills();
     const names = skills.map((skill) => skill.name);
 
+    expect(names).toContain("attio-interaction");
     expect(names).toContain("swarm-scripts");
+    expect(skills.find((skill) => skill.name === "attio-interaction")?.systemDefault).toBe(true);
     expect(skills.find((skill) => skill.name === "swarm-scripts")?.systemDefault).toBe(true);
     expect(skills.find((skill) => skill.name === "kv-storage")?.systemDefault).toBe(true);
     expect(skills.find((skill) => skill.name === "pages")?.systemDefault).toBe(true);
@@ -45,6 +47,7 @@ describe("system-default skills", () => {
     expect(result.failed).toEqual([]);
 
     const defaults = getSystemDefaultSkills().map((skill) => skill.name);
+    expect(defaults).toContain("attio-interaction");
     expect(defaults).toContain("swarm-scripts");
     expect(defaults).toContain("kv-storage");
     expect(defaults).toContain("pages");

package/src/tests/ui-logs-parser.test.ts

@@ -0,0 +1,271 @@
+import { describe, expect, test } from "bun:test";
+import {
+  normalizeSessionLogs,
+  parseSessionLogs,
+  type SessionLogRecord,
+  unwrapResult,
+} from "../../ui/src/logs-parser";
+
+function log(
+  id: string,
+  cli: string,
+  lineNumber: number,
+  content: unknown,
+  createdAt = "2026-06-01T10:00:00.000Z",
+): SessionLogRecord {
+  return {
+    id,
+    taskId: "task-1",
+    sessionId: "session-1",
+    iteration: 1,
+    cli,
+    content: typeof content === "string" ? content : JSON.stringify(content),
+    lineNumber,
+    createdAt,
+  };
+}
+
+describe("ui logs parser", () => {
+  test("orders opencode deltas before reassembling streamed text", () => {
+    const result = normalizeSessionLogs([
+      log("delta-2", "opencode", 2, {
+        type: "message.part.delta",
+        properties: { partID: "part-1", delta: "world" },
+      }),
+      log("updated", "opencode", 3, {
+        type: "message.part.updated",
+        properties: { part: { id: "part-1", type: "text" } },
+      }),
+      log("delta-1", "opencode", 1, {
+        type: "message.part.delta",
+        properties: { partID: "part-1", delta: "Hello " },
+      }),
+    ]);
+
+    expect(result.gate).toEqual({ total: 3, ok: 3, bad: 0, passed: true });
+    expect(result.items).toHaveLength(1);
+    expect(result.items[0]?.kind).toBe("text");
+    expect(result.items[0]?.text).toBe("Hello world");
+    expect(result.items[0]?.recId).toBe("delta-1");
+  });
+
+  test("pairs codex started and completed tool events by item id", () => {
+    const result = normalizeSessionLogs([
+      log("start", "codex", 1, {
+        type: "item.started",
+        item: { id: "item-1", type: "command_execution", command: "pwd" },
+      }),
+      log("done", "codex", 2, {
+        type: "item.completed",
+        item: {
+          id: "item-1",
+          type: "command_execution",
+          aggregated_output: "/tmp\n",
+          exit_code: 0,
+        },
+      }),
+    ]);
+
+    expect(result.items.map((item) => item.kind)).toEqual(["tool_call", "tool_result"]);
+    expect(result.pairing.paired).toBe(1);
+    expect(result.pairing.orphanCalls).toEqual([]);
+    expect(result.pairing.orphanResults).toEqual([]);
+  });
+
+  test("normalizes claude-managed raw SSE events without unknown noise", () => {
+    const result = normalizeSessionLogs([
+      log("status", "claude-managed", 1, {
+        type: "session.status_running",
+        id: "evt-running",
+      }),
+      log("message", "claude-managed", 2, {
+        type: "agent.message",
+        id: "evt-message",
+        content: [{ type: "text", text: "Hello from managed agent" }],
+      }),
+      log("tool", "claude-managed", 3, {
+        type: "agent.tool_use",
+        id: "tool-1",
+        name: "read_file",
+        input: { path: "/etc/hosts" },
+      }),
+      log("result", "claude-managed", 4, {
+        type: "agent.tool_result",
+        id: "tool-result-1",
+        tool_use_id: "tool-1",
+        content: [{ type: "text", text: "127.0.0.1 localhost" }],
+        is_error: false,
+      }),
+    ]);
+
+    expect(result.items.map((item) => item.kind)).toEqual([
+      "lifecycle",
+      "text",
+      "tool_call",
+      "tool_result",
+    ]);
+    expect(result.items.some((item) => item.kind === "unknown")).toBe(false);
+    expect(result.pairing.paired).toBe(1);
+    expect(result.pairing.orphanCalls).toEqual([]);
+    expect(result.pairing.orphanResults).toEqual([]);
+  });
+
+  test("keeps parse errors visible in the compatibility message output", () => {
+    const messages = parseSessionLogs([log("bad", "claude", 1, "{not-json")]);
+    expect(messages).toHaveLength(1);
+    expect(messages[0]?.role).toBe("system");
+    expect(messages[0]?.content[0]).toEqual({
+      type: "provider_meta",
+      kind: "parse_error",
+      provider: "claude",
+      data: { raw: "{not-json" },
+    });
+  });
+
+  test("classifies claude runtime noise as internal or helper metadata", () => {
+    const messages = parseSessionLogs([
+      log("rate", "claude", 1, {
+        type: "rate_limit_event",
+        rate_limit_info: { status: "rejected", resetsAt: 1779202200 },
+      }),
+      log("think", "claude", 2, {
+        type: "system",
+        subtype: "thinking_tokens",
+        estimated_tokens: 150,
+        estimated_tokens_delta: 100,
+      }),
+      log("hook", "claude", 3, {
+        type: "system",
+        subtype: "hook_response",
+        hook_id: "hook-1",
+        hook_event: "SessionStart",
+        outcome: "success",
+      }),
+    ]);
+
+    expect(messages.map((message) => message.content[0])).toEqual([
+      expect.objectContaining({
+        type: "provider_meta",
+        kind: "internal",
+        data: expect.objectContaining({ internalType: "rate_limit" }),
+      }),
+      expect.objectContaining({
+        type: "provider_meta",
+        kind: "helper",
+        data: expect.objectContaining({ helperType: "thinking_tokens" }),
+      }),
+      expect.objectContaining({
+        type: "provider_meta",
+        kind: "internal",
+        data: expect.objectContaining({ internalType: "hook" }),
+      }),
+    ]);
+  });
+
+  test("classifies codex and opencode lifecycle rows for shared rendering", () => {
+    const codex = parseSessionLogs([
+      log("turn", "codex", 1, {
+        type: "turn.completed",
+        usage: { input_tokens: 100, cached_input_tokens: 50, output_tokens: 10 },
+      }),
+    ]);
+    const opencode = parseSessionLogs([
+      log("context", "opencode", 1, {
+        type: "context_usage",
+        contextUsedTokens: 25_000,
+        contextTotalTokens: 200_000,
+        contextPercent: 12.5,
+      }),
+      log("session", "opencode", 2, {
+        type: "session_init",
+        sessionId: "ses_1",
+        provider: "opencode",
+      }),
+      log("heartbeat", "opencode", 3, { type: "server.heartbeat", properties: {} }),
+      log("connected", "opencode", 4, { type: "server.connected", properties: {} }),
+      log("result", "opencode", 5, {
+        type: "result",
+        cost: { totalCostUsd: 0.12, inputTokens: 100, outputTokens: 20 },
+        isError: false,
+      }),
+    ]);
+
+    expect(codex[0]?.content[0]).toEqual(
+      expect.objectContaining({
+        type: "provider_meta",
+        kind: "helper",
+        data: expect.objectContaining({ helperType: "turn_usage" }),
+      }),
+    );
+    expect(opencode.map((message) => message.content[0])).toEqual([
+      expect.objectContaining({
+        type: "provider_meta",
+        kind: "helper",
+        data: expect.objectContaining({ helperType: "context_usage" }),
+      }),
+      expect.objectContaining({
+        type: "provider_meta",
+        kind: "internal",
+        data: expect.objectContaining({ internalType: "runtime" }),
+      }),
+      expect.objectContaining({ type: "provider_meta", kind: "result" }),
+    ]);
+  });
+
+  test("keeps devin provider meta and transcript messages on the generic path", () => {
+    const messages = parseSessionLogs([
+      log("status", "devin", 1, {
+        type: "system",
+        message: { role: "system", content: "" },
+        provider_meta: { provider: "devin", kind: "status", status: "running" },
+      }),
+      log("message", "devin", 2, {
+        type: "assistant",
+        message: { role: "assistant", content: "Devin update" },
+      }),
+    ]);
+
+    expect(messages.map((message) => message.content[0])).toEqual([
+      expect.objectContaining({
+        type: "provider_meta",
+        kind: "status",
+        provider: "devin",
+        data: expect.objectContaining({ status: "running" }),
+      }),
+      { type: "text", text: "Devin update" },
+    ]);
+  });
+
+  test("unwraps prose followed by embedded JSON", () => {
+    expect(unwrapResult('Created file\n\n{"ok":true,"path":"a.ts"}')).toEqual({
+      prose: "Created file",
+      json: { ok: true, path: "a.ts" },
+    });
+  });
+
+  test("unwraps pi tool result content text wrappers", () => {
+    const messages = parseSessionLogs([
+      log("pi-result", "pi", 1, {
+        type: "assistant",
+        message: {
+          content: [
+            {
+              type: "tool_result",
+              tool_use_id: "functions.memory-get:1",
+              content: JSON.stringify({
+                content: [{ type: "text", text: 'Memory retrieved.\n\n{"ok":true}' }],
+              }),
+            },
+          ],
+        },
+      }),
+    ]);
+
+    expect(messages[0]?.content[0]).toEqual(
+      expect.objectContaining({
+        type: "tool_result",
+        content: 'Memory retrieved.\n\n{\n  "ok": true\n}',
+      }),
+    );
+  });
+});

package/src/tests/user-token-rest-auth.test.ts

@@ -0,0 +1,129 @@
+import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { unlinkSync } from "node:fs";
+import {
+  createServer as createHttpServer,
+  type IncomingMessage,
+  type Server,
+  type ServerResponse,
+} from "node:http";
+import { closeDb, createAgent, createUser, getDb, initDb } from "../be/db";
+import { type IdentityActor, mintToken, revokeToken } from "../be/users";
+import { handleCore } from "../http/core";
+import { handleTasks } from "../http/tasks";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+
+const TEST_DB_PATH = "./test-user-token-rest-auth.sqlite";
+const API_KEY = "test-api-key";
+const ACTOR: IdentityActor = { kind: "operator", id: "op:test" };
+
+function createTestServer(): Server {
+  return createHttpServer(async (req: IncomingMessage, res: ServerResponse) => {
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const myAgentId = req.headers["x-agent-id"] as string | undefined;
+
+    if (await handleCore(req, res, myAgentId, API_KEY)) return;
+    if (await handleTasks(req, res, pathSegments, queryParams, myAgentId)) return;
+
+    res.writeHead(404);
+    res.end("Not Found");
+  });
+}
+
+async function listen(server: Server): Promise<number> {
+  await new Promise<void>((resolve) => server.listen(0, resolve));
+  const addr = server.address();
+  if (!addr || typeof addr === "string") throw new Error("no port");
+  return addr.port;
+}
+
+function cleanupDb() {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      unlinkSync(`${TEST_DB_PATH}${suffix}`);
+    } catch {}
+  }
+}
+
+describe("normal REST API user-bound token auth", () => {
+  let server: Server;
+  let port: number;
+
+  beforeAll(async () => {
+    cleanupDb();
+    initDb(TEST_DB_PATH);
+    createAgent({ name: "Lead", isLead: true, status: "idle" });
+    server = createTestServer();
+    port = await listen(server);
+  });
+
+  afterAll(() => {
+    server.close();
+    closeDb();
+    cleanupDb();
+  });
+
+  test("POST /api/tasks accepts active user token and forces requester/audit user", async () => {
+    const user = createUser({ name: "Token REST User" });
+    const other = createUser({ name: "Other User" });
+    const { plaintext } = mintToken(user.id, "rest", ACTOR);
+
+    const res = await fetch(`http://localhost:${port}/api/tasks`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${plaintext}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({
+        task: "created through user token",
+        requestedByUserId: other.id,
+      }),
+    });
+
+    expect(res.status).toBe(201);
+    const body = (await res.json()) as { id: string; requestedByUserId?: string };
+    expect(body.requestedByUserId).toBe(user.id);
+
+    const row = getDb()
+      .prepare<
+        { requestedByUserId: string | null; created_by: string | null; updated_by: string | null },
+        string
+      >("SELECT requestedByUserId, created_by, updated_by FROM agent_tasks WHERE id = ?")
+      .get(body.id);
+    expect(row?.requestedByUserId).toBe(user.id);
+    expect(row?.created_by).toBe(user.id);
+    expect(row?.updated_by).toBe(user.id);
+  });
+
+  test("global API key still creates unattributed tasks by default", async () => {
+    const res = await fetch(`http://localhost:${port}/api/tasks`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${API_KEY}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ task: "created through global key" }),
+    });
+
+    expect(res.status).toBe(201);
+    const body = (await res.json()) as { id: string; requestedByUserId?: string };
+    expect(body.requestedByUserId).toBeUndefined();
+  });
+
+  test("revoked user token is unauthorized for normal API", async () => {
+    const user = createUser({ name: "Revoked REST User" });
+    const { tokenId, plaintext } = mintToken(user.id, "revoked", ACTOR);
+    revokeToken(tokenId, ACTOR);
+
+    const res = await fetch(`http://localhost:${port}/api/tasks`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${plaintext}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ task: "should not be created" }),
+    });
+
+    expect(res.status).toBe(401);
+  });
+});