@desplega.ai/agent-swarm 1.89.0 → 1.91.0

package/src/tests/heartbeat-supersede-resume.test.ts

@@ -10,16 +10,29 @@ import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:tes
 import { unlink } from "node:fs/promises";
 import {
   closeDb,
+  completeTask,
   createAgent,
   createTaskExtended,
   getChildTasks,
   getDb,
+  getLogsByTaskId,
   getTaskById,
   initDb,
   insertActiveSession,
   startTask,
 } from "../be/db";
-import { codeLevelTriage } from "../heartbeat/heartbeat";
+import {
+  createTrackerSync,
+  getTrackerSync,
+  getTrackerSyncByExternalId,
+} from "../be/db-queries/tracker";
+import {
+  codeLevelTriage,
+  MAX_RESUME_GENERATIONS,
+  RESUME_BUDGET_EXHAUSTED_REASON,
+  setBeforeHeartbeatSupersedeForTests,
+} from "../heartbeat/heartbeat";
+import { RESUME_GENERATION_TAG_PREFIX } from "../tasks/worker-follow-up";
 
 const TEST_DB_PATH = "./test-heartbeat-supersede-resume.sqlite";
 
@@ -46,6 +59,8 @@ describe("Heartbeat — supersede + resume (DES-523)", () => {
   });
 
   beforeEach(() => {
+    setBeforeHeartbeatSupersedeForTests(null);
+    getDb().run("DELETE FROM tracker_sync");
     getDb().run("DELETE FROM agent_tasks");
     getDb().run("DELETE FROM agents");
     getDb().run("DELETE FROM active_sessions");
@@ -81,7 +96,82 @@ describe("Heartbeat — supersede + resume (DES-523)", () => {
     expect(resume.taskType).toBe("resume");
     expect(resume.tags).toContain("auto-resume");
     expect(resume.tags).toContain("reason:crash_recovery");
+    expect(resume.tags).toContain(`${RESUME_GENERATION_TAG_PREFIX}1`);
     expect(resume.id).toBe(findings.autoResumedTasks[0]!.resumeTaskId);
+
+    const supersedeLog = getLogsByTaskId(parent.id).find(
+      (log) => log.eventType === "task_superseded",
+    );
+    expect(supersedeLog).toBeTruthy();
+    const metadata = JSON.parse(supersedeLog!.metadata ?? "{}") as { resumeTaskId?: string };
+    expect(metadata.resumeTaskId).toBe(resume.id);
+  });
+
+  test("Case A: crash-recovery resume chain stops at the generation cap", async () => {
+    const agent = createAgent({ name: "dead-resume-worker", isLead: false, status: "busy" });
+    const parent = createTaskExtended("Resume at generation cap", {
+      agentId: agent.id,
+      taskType: "resume",
+      tags: [
+        "auto-resume",
+        "reason:crash_recovery",
+        `${RESUME_GENERATION_TAG_PREFIX}${MAX_RESUME_GENERATIONS}`,
+      ],
+    });
+    startTask(parent.id);
+
+    const oldTime = new Date(Date.now() - 10 * 60 * 1000).toISOString();
+    getDb().run("UPDATE agent_tasks SET lastUpdatedAt = ? WHERE id = ?", [oldTime, parent.id]);
+
+    const findings = await codeLevelTriage();
+
+    expect(findings.autoResumedTasks.length).toBe(0);
+    expect(findings.autoFailedTasks.length).toBe(1);
+    expect(findings.autoFailedTasks[0]!.taskId).toBe(parent.id);
+    expect(findings.autoFailedTasks[0]!.reason).toBe(RESUME_BUDGET_EXHAUSTED_REASON);
+
+    const updatedParent = getTaskById(parent.id);
+    expect(updatedParent?.status).toBe("failed");
+    expect(updatedParent?.failureReason).toBe(RESUME_BUDGET_EXHAUSTED_REASON);
+    expect(getChildTasks(parent.id).length).toBe(0);
+  });
+
+  test("Case A: supersede race does not create a resume child or repoint tracker_sync", async () => {
+    const agent = createAgent({ name: "dead-worker-race", isLead: false, status: "busy" });
+    const parent = createTaskExtended("Tracked parent that finishes during heartbeat", {
+      agentId: agent.id,
+    });
+    startTask(parent.id);
+
+    createTrackerSync({
+      provider: "linear",
+      entityType: "task",
+      swarmId: parent.id,
+      externalId: "linear-race-issue",
+      externalIdentifier: "ENG-637",
+      externalUrl: "https://linear.app/test/issue/ENG-637",
+    });
+
+    const oldTime = new Date(Date.now() - 10 * 60 * 1000).toISOString();
+    getDb().run("UPDATE agent_tasks SET lastUpdatedAt = ? WHERE id = ?", [oldTime, parent.id]);
+
+    setBeforeHeartbeatSupersedeForTests((task) => {
+      expect(task.id).toBe(parent.id);
+      completeTask(parent.id, "finished by racing worker");
+    });
+
+    const findings = await codeLevelTriage();
+
+    expect(findings.autoResumedTasks.length).toBe(0);
+    expect(findings.autoFailedTasks.length).toBe(0);
+
+    const updatedParent = getTaskById(parent.id);
+    expect(updatedParent?.status).toBe("completed");
+    expect(getChildTasks(parent.id).length).toBe(0);
+
+    expect(getTrackerSync("linear", "task", parent.id)).not.toBeNull();
+    const byExternal = getTrackerSyncByExternalId("linear", "task", "linear-race-issue");
+    expect(byExternal?.swarmId).toBe(parent.id);
   });
 
   // --------------------------------------------------------------------------

package/src/tests/hook-registration-nudge.test.ts

@@ -0,0 +1,69 @@
+/**
+ * Registration-nudge gate tests.
+ *
+ * The "use join-swarm" nudge previously fired on EVERY hook event when
+ * getAgentInfo() returned null — including transient lookup failures for
+ * already-registered agents. This caused 123 redundant join-swarm calls
+ * in a 3-day window, all bouncing off "already exists".
+ *
+ * The fix: only nudge on SessionStart AND only when no X-Agent-ID header
+ * is present (genuinely unregistered).
+ */
+import { describe, expect, test } from "bun:test";
+import { shouldShowRegistrationNudge } from "../hooks/hook";
+
+describe("shouldShowRegistrationNudge", () => {
+  test("(a) pre-assigned agent (X-Agent-ID present) + null lookup on SessionStart → NO nudge", () => {
+    expect(
+      shouldShowRegistrationNudge({
+        agentInfoPresent: false,
+        eventType: "SessionStart",
+        hasAgentIdHeader: true,
+      }),
+    ).toBe(false);
+  });
+
+  test("(b) non-SessionStart event → NO nudge regardless of other conditions", () => {
+    const nonStartEvents = ["UserPromptSubmit", "PreToolUse", "PostToolUse", "PreCompact", "Stop"];
+
+    for (const eventType of nonStartEvents) {
+      expect(
+        shouldShowRegistrationNudge({
+          agentInfoPresent: false,
+          eventType,
+          hasAgentIdHeader: false,
+        }),
+      ).toBe(false);
+    }
+  });
+
+  test("(c) genuinely unregistered (no X-Agent-ID) on SessionStart → nudge present", () => {
+    expect(
+      shouldShowRegistrationNudge({
+        agentInfoPresent: false,
+        eventType: "SessionStart",
+        hasAgentIdHeader: false,
+      }),
+    ).toBe(true);
+  });
+
+  test("registered agent (agentInfo present) never gets nudged", () => {
+    expect(
+      shouldShowRegistrationNudge({
+        agentInfoPresent: true,
+        eventType: "SessionStart",
+        hasAgentIdHeader: false,
+      }),
+    ).toBe(false);
+  });
+
+  test("pre-assigned agent on non-SessionStart event → NO nudge", () => {
+    expect(
+      shouldShowRegistrationNudge({
+        agentInfoPresent: false,
+        eventType: "UserPromptSubmit",
+        hasAgentIdHeader: true,
+      }),
+    ).toBe(false);
+  });
+});

package/src/tests/mcp-oauth-manual-client.test.ts

@@ -0,0 +1,213 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { Readable } from "node:stream";
+import { closeDb, createMcpServer, initDb } from "../be/db";
+import { getMcpOAuthToken } from "../be/db-queries/mcp-oauth";
+import { handleCore } from "../http/core";
+import { handleMcpOAuth } from "../http/mcp-oauth";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+
+const API_KEY = "test-secret-key";
+const TEST_DB_PATH = "./test-mcp-oauth-manual-client.sqlite";
+
+async function removeDbFiles(): Promise<void> {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    await unlink(`${TEST_DB_PATH}${suffix}`).catch(() => {});
+  }
+}
+
+type TestResponse = {
+  status: number;
+  text: string;
+  headers: Record<string, string>;
+  json: () => Promise<unknown>;
+};
+
+async function dispatch(path: string, init: RequestInit = {}): Promise<TestResponse> {
+  const headers: Record<string, string> = {
+    ...((init.headers as Record<string, string>) ?? {}),
+  };
+  if (init.body !== undefined && !headers["Content-Type"])
+    headers["Content-Type"] = "application/json";
+
+  const req = Readable.from(init.body ? [Buffer.from(String(init.body))] : []) as IncomingMessage;
+  req.method = init.method ?? "GET";
+  req.url = path;
+  req.headers = Object.fromEntries(
+    Object.entries(headers).map(([key, value]) => [key.toLowerCase(), value]),
+  );
+
+  let status = 200;
+  let text = "";
+  const responseHeaders: Record<string, string> = {};
+  const res = {
+    headersSent: false,
+    writableEnded: false,
+    setHeader(name: string, value: number | string | readonly string[]) {
+      responseHeaders[name.toLowerCase()] = Array.isArray(value) ? value.join(", ") : String(value);
+      return this;
+    },
+    writeHead(code: number, headersArg?: Record<string, number | string | readonly string[]>) {
+      status = code;
+      if (headersArg) {
+        for (const [key, value] of Object.entries(headersArg)) {
+          responseHeaders[key.toLowerCase()] = Array.isArray(value)
+            ? value.join(", ")
+            : String(value);
+        }
+      }
+      this.headersSent = true;
+      return this;
+    },
+    end(chunk?: unknown) {
+      if (chunk !== undefined) text += String(chunk);
+      this.writableEnded = true;
+      return this;
+    },
+  } as unknown as ServerResponse;
+
+  const handledCore = await handleCore(req, res, undefined, API_KEY);
+  if (!handledCore) {
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const handled = await handleMcpOAuth(req, res, pathSegments, queryParams);
+    if (!handled) {
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Not found" }));
+    }
+  }
+
+  return {
+    status,
+    text,
+    headers: responseHeaders,
+    json: async () => JSON.parse(text),
+  };
+}
+
+describe("MCP OAuth manual client flow", () => {
+  let originalFetch: typeof fetch;
+  let capturedTokenBody: string | null;
+  let originalPublicMcpBaseUrl: string | undefined;
+  let originalAppUrl: string | undefined;
+  let originalDashboardUrl: string | undefined;
+
+  beforeEach(async () => {
+    originalFetch = globalThis.fetch;
+    capturedTokenBody = null;
+    originalPublicMcpBaseUrl = process.env.PUBLIC_MCP_BASE_URL;
+    originalAppUrl = process.env.APP_URL;
+    originalDashboardUrl = process.env.DASHBOARD_URL;
+    process.env.SECRETS_ENCRYPTION_KEY = Buffer.alloc(32, 9).toString("base64");
+
+    await removeDbFiles();
+    initDb(TEST_DB_PATH);
+    process.env.PUBLIC_MCP_BASE_URL = "https://swarm.example.test";
+    process.env.APP_URL = "https://dashboard.example.test";
+    delete process.env.DASHBOARD_URL;
+
+    globalThis.fetch = (async (input: string | URL | Request, init?: RequestInit) => {
+      const href = input.toString();
+      if (href === "https://login.salesforce.com/services/oauth2/token") {
+        capturedTokenBody = init?.body?.toString() ?? null;
+        return new Response(
+          JSON.stringify({
+            access_token: "sf-access-token",
+            token_type: "Bearer",
+            expires_in: 3600,
+            refresh_token: "sf-refresh-token",
+            scope: "mcp_api refresh_token",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        );
+      }
+      return new Response("not found", { status: 404 });
+    }) as typeof fetch;
+  });
+
+  afterEach(async () => {
+    globalThis.fetch = originalFetch;
+    closeDb();
+    await removeDbFiles();
+    if (originalPublicMcpBaseUrl === undefined) delete process.env.PUBLIC_MCP_BASE_URL;
+    else process.env.PUBLIC_MCP_BASE_URL = originalPublicMcpBaseUrl;
+    if (originalAppUrl === undefined) delete process.env.APP_URL;
+    else process.env.APP_URL = originalAppUrl;
+    if (originalDashboardUrl === undefined) delete process.env.DASHBOARD_URL;
+    else process.env.DASHBOARD_URL = originalDashboardUrl;
+  });
+
+  test("authorize-url uses a stored manual client when DCR is not available", async () => {
+    const mcpServer = createMcpServer({
+      name: "salesforce-sobjects",
+      transport: "http",
+      url: "https://api.salesforce.com/platform/mcp/v1/platform/sobject-all",
+      scope: "swarm",
+    });
+
+    const manualRes = await dispatch(`/api/mcp-oauth/${mcpServer.id}/manual-client`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${API_KEY}`,
+      },
+      body: JSON.stringify({
+        clientId: "sf-client-id",
+        clientSecret: "sf-client-secret",
+        authorizationServerIssuer: "https://login.salesforce.com",
+        authorizeUrl: "https://login.salesforce.com/services/oauth2/authorize",
+        tokenUrl: "https://login.salesforce.com/services/oauth2/token",
+        scopes: ["mcp_api", "refresh_token"],
+      }),
+    });
+    expect(manualRes.status).toBe(200);
+
+    const provisionalToken = getMcpOAuthToken(mcpServer.id);
+    expect(provisionalToken?.clientSource).toBe("manual");
+    expect(provisionalToken?.status).toBe("error");
+
+    const authorizeRes = await dispatch(`/api/mcp-oauth/${mcpServer.id}/authorize-url`, {
+      headers: { Authorization: `Bearer ${API_KEY}` },
+    });
+    expect(authorizeRes.status).toBe(200);
+    const { providerUrl } = (await authorizeRes.json()) as { providerUrl: string };
+    const provider = new URL(providerUrl);
+
+    expect(provider.origin + provider.pathname).toBe(
+      "https://login.salesforce.com/services/oauth2/authorize",
+    );
+    expect(provider.searchParams.get("client_id")).toBe("sf-client-id");
+    expect(provider.searchParams.get("scope")).toBe("mcp_api refresh_token");
+    expect(provider.searchParams.get("resource")).toBe(mcpServer.url);
+    expect(provider.searchParams.get("redirect_uri")).toBe(
+      "https://swarm.example.test/api/mcp-oauth/callback",
+    );
+
+    const state = provider.searchParams.get("state");
+    expect(state).toBeTruthy();
+
+    const callbackRes = await dispatch(
+      `/api/mcp-oauth/callback?state=${encodeURIComponent(state!)}&code=sf-auth-code`,
+    );
+    expect(callbackRes.status).toBe(302);
+    expect(callbackRes.headers.location).toBe(
+      `${process.env.APP_URL}/mcp-servers/${mcpServer.id}?oauth=success`,
+    );
+
+    const tokenRequest = new URLSearchParams(capturedTokenBody ?? "");
+    expect(tokenRequest.get("client_id")).toBe("sf-client-id");
+    expect(tokenRequest.get("client_secret")).toBe("sf-client-secret");
+    expect(tokenRequest.get("resource")).toBe(mcpServer.url);
+    expect(tokenRequest.get("redirect_uri")).toBe(
+      "https://swarm.example.test/api/mcp-oauth/callback",
+    );
+
+    const connectedToken = getMcpOAuthToken(mcpServer.id);
+    expect(connectedToken?.clientSource).toBe("manual");
+    expect(connectedToken?.status).toBe("connected");
+    expect(connectedToken?.accessToken).toBe("sf-access-token");
+    expect(connectedToken?.refreshToken).toBe("sf-refresh-token");
+    expect(connectedToken?.dcrClientId).toBe("sf-client-id");
+    expect(connectedToken?.dcrClientSecret).toBe("sf-client-secret");
+  });
+});

package/src/tests/pages-public-html.test.ts

@@ -41,6 +41,8 @@ describe("GET /p/:id — HTML public path", () => {
   let server: Server;
   const agentId = crypto.randomUUID();
   const headers = { "Content-Type": "application/json", "X-Agent-ID": agentId };
+  const ORIG_APP = process.env.APP_URL;
+  const ORIG_DASHBOARD = process.env.DASHBOARD_URL;
 
   beforeAll(async () => {
     for (const suffix of ["", "-wal", "-shm"]) {
@@ -56,6 +58,10 @@ describe("GET /p/:id — HTML public path", () => {
   afterAll(async () => {
     await new Promise<void>((resolve) => server.close(() => resolve()));
     closeDb();
+    if (ORIG_APP === undefined) delete process.env.APP_URL;
+    else process.env.APP_URL = ORIG_APP;
+    if (ORIG_DASHBOARD === undefined) delete process.env.DASHBOARD_URL;
+    else process.env.DASHBOARD_URL = ORIG_DASHBOARD;
     for (const suffix of ["", "-wal", "-shm"]) {
       try {
         await unlink(`${TEST_DB_PATH}${suffix}`);
@@ -98,6 +104,41 @@ describe("GET /p/:id — HTML public path", () => {
     expect(text).toContain("class SwarmSDK"); // BROWSER_SDK_JS sentinel
   });
 
+  test("CSP frame ancestors include deprecated DASHBOARD_URL alias", async () => {
+    const prevApp = process.env.APP_URL;
+    const prevDashboard = process.env.DASHBOARD_URL;
+    delete process.env.APP_URL;
+    process.env.DASHBOARD_URL = "https://dashboard.example.test/";
+    try {
+      const html = "<!doctype html><html><head><title>CSP</title></head><body></body></html>";
+      const post = await fetch(`${BASE}/api/pages`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({
+          slug: "dashboard-url-csp",
+          title: "Dashboard URL CSP",
+          contentType: "text/html",
+          authMode: "public",
+          body: html,
+        }),
+      });
+      expect(post.status).toBe(201);
+      const { id } = (await post.json()) as { id: string };
+
+      const res = await fetch(`${BASE}/p/${id}`);
+      expect(res.status).toBe(200);
+      const csp = res.headers.get("content-security-policy");
+      const frameAncestors =
+        csp?.split(";").find((d) => d.trim().startsWith("frame-ancestors ")) ?? "";
+      expect(frameAncestors).toContain("https://dashboard.example.test");
+    } finally {
+      if (prevApp === undefined) delete process.env.APP_URL;
+      else process.env.APP_URL = prevApp;
+      if (prevDashboard === undefined) delete process.env.DASHBOARD_URL;
+      else process.env.DASHBOARD_URL = prevDashboard;
+    }
+  });
+
   test("public JSON page 302-redirects to SPA artifact route", async () => {
     const post = await fetch(`${BASE}/api/pages`, {
       method: "POST",

package/src/tests/pages-public-json-redirect.test.ts

@@ -1,7 +1,7 @@
 /**
  * Public `/p/:id` for JSON content. JSON pages do NOT render at the API —
  * the renderer lives in the SPA at `/pages/:id` (step-6/7). The API
- * responds with a 302 to `${APP_URL}/pages/:id`.
+ * responds with a 302 to the configured app URL's `/pages/:id`.
  */
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import crypto from "node:crypto";
@@ -38,6 +38,7 @@ describe("GET /p/:id — JSON page redirect", () => {
   const agentId = crypto.randomUUID();
   const headers = { "Content-Type": "application/json", "X-Agent-ID": agentId };
   const ORIG_APP = process.env.APP_URL;
+  const ORIG_DASHBOARD = process.env.DASHBOARD_URL;
 
   beforeAll(async () => {
     for (const suffix of ["", "-wal", "-shm"]) {
@@ -48,6 +49,7 @@ describe("GET /p/:id — JSON page redirect", () => {
     initDb(TEST_DB_PATH);
     // Pin APP_URL so the redirect is deterministic across hosts.
     process.env.APP_URL = "http://localhost:5274";
+    delete process.env.DASHBOARD_URL;
     server = createTestServer();
     await new Promise<void>((resolve) => server.listen(TEST_PORT, () => resolve()));
   });
@@ -57,6 +59,8 @@ describe("GET /p/:id — JSON page redirect", () => {
     closeDb();
     if (ORIG_APP === undefined) delete process.env.APP_URL;
     else process.env.APP_URL = ORIG_APP;
+    if (ORIG_DASHBOARD === undefined) delete process.env.DASHBOARD_URL;
+    else process.env.DASHBOARD_URL = ORIG_DASHBOARD;
     for (const suffix of ["", "-wal", "-shm"]) {
       try {
         await unlink(`${TEST_DB_PATH}${suffix}`);
@@ -64,7 +68,7 @@ describe("GET /p/:id — JSON page redirect", () => {
     }
   });
 
-  test("JSON content redirects to ${APP_URL}/pages/:id", async () => {
+  test("JSON content redirects to configured app URL pages route", async () => {
     const post = await fetch(`${BASE}/api/pages`, {
       method: "POST",
       headers,
@@ -83,4 +87,35 @@ describe("GET /p/:id — JSON page redirect", () => {
     expect(res.status).toBe(302);
     expect(res.headers.get("location")).toBe(`http://localhost:5274/pages/${id}`);
   });
+
+  test("JSON content falls back to local SPA when app URL envs are unset", async () => {
+    const prevApp = process.env.APP_URL;
+    const prevDashboard = process.env.DASHBOARD_URL;
+    process.env.APP_URL = "";
+    delete process.env.DASHBOARD_URL;
+    try {
+      const post = await fetch(`${BASE}/api/pages`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({
+          slug: "redir-local-fallback",
+          title: "Redirect Locally",
+          contentType: "application/json",
+          authMode: "public",
+          body: JSON.stringify({ kind: "spec", nodes: [] }),
+        }),
+      });
+      expect(post.status).toBe(201);
+      const { id } = (await post.json()) as { id: string };
+
+      const res = await fetch(`${BASE}/p/${id}`, { redirect: "manual" });
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe(`http://localhost:5274/pages/${id}`);
+    } finally {
+      if (prevApp === undefined) delete process.env.APP_URL;
+      else process.env.APP_URL = prevApp;
+      if (prevDashboard === undefined) delete process.env.DASHBOARD_URL;
+      else process.env.DASHBOARD_URL = prevDashboard;
+    }
+  });
 });