@desplega.ai/agent-swarm 1.90.0 → 1.91.0

package/src/tests/mcp-oauth-manual-client.test.ts

@@ -0,0 +1,213 @@
+import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { Readable } from "node:stream";
+import { closeDb, createMcpServer, initDb } from "../be/db";
+import { getMcpOAuthToken } from "../be/db-queries/mcp-oauth";
+import { handleCore } from "../http/core";
+import { handleMcpOAuth } from "../http/mcp-oauth";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+
+const API_KEY = "test-secret-key";
+const TEST_DB_PATH = "./test-mcp-oauth-manual-client.sqlite";
+
+async function removeDbFiles(): Promise<void> {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    await unlink(`${TEST_DB_PATH}${suffix}`).catch(() => {});
+  }
+}
+
+type TestResponse = {
+  status: number;
+  text: string;
+  headers: Record<string, string>;
+  json: () => Promise<unknown>;
+};
+
+async function dispatch(path: string, init: RequestInit = {}): Promise<TestResponse> {
+  const headers: Record<string, string> = {
+    ...((init.headers as Record<string, string>) ?? {}),
+  };
+  if (init.body !== undefined && !headers["Content-Type"])
+    headers["Content-Type"] = "application/json";
+
+  const req = Readable.from(init.body ? [Buffer.from(String(init.body))] : []) as IncomingMessage;
+  req.method = init.method ?? "GET";
+  req.url = path;
+  req.headers = Object.fromEntries(
+    Object.entries(headers).map(([key, value]) => [key.toLowerCase(), value]),
+  );
+
+  let status = 200;
+  let text = "";
+  const responseHeaders: Record<string, string> = {};
+  const res = {
+    headersSent: false,
+    writableEnded: false,
+    setHeader(name: string, value: number | string | readonly string[]) {
+      responseHeaders[name.toLowerCase()] = Array.isArray(value) ? value.join(", ") : String(value);
+      return this;
+    },
+    writeHead(code: number, headersArg?: Record<string, number | string | readonly string[]>) {
+      status = code;
+      if (headersArg) {
+        for (const [key, value] of Object.entries(headersArg)) {
+          responseHeaders[key.toLowerCase()] = Array.isArray(value)
+            ? value.join(", ")
+            : String(value);
+        }
+      }
+      this.headersSent = true;
+      return this;
+    },
+    end(chunk?: unknown) {
+      if (chunk !== undefined) text += String(chunk);
+      this.writableEnded = true;
+      return this;
+    },
+  } as unknown as ServerResponse;
+
+  const handledCore = await handleCore(req, res, undefined, API_KEY);
+  if (!handledCore) {
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    const handled = await handleMcpOAuth(req, res, pathSegments, queryParams);
+    if (!handled) {
+      res.writeHead(404, { "Content-Type": "application/json" });
+      res.end(JSON.stringify({ error: "Not found" }));
+    }
+  }
+
+  return {
+    status,
+    text,
+    headers: responseHeaders,
+    json: async () => JSON.parse(text),
+  };
+}
+
+describe("MCP OAuth manual client flow", () => {
+  let originalFetch: typeof fetch;
+  let capturedTokenBody: string | null;
+  let originalPublicMcpBaseUrl: string | undefined;
+  let originalAppUrl: string | undefined;
+  let originalDashboardUrl: string | undefined;
+
+  beforeEach(async () => {
+    originalFetch = globalThis.fetch;
+    capturedTokenBody = null;
+    originalPublicMcpBaseUrl = process.env.PUBLIC_MCP_BASE_URL;
+    originalAppUrl = process.env.APP_URL;
+    originalDashboardUrl = process.env.DASHBOARD_URL;
+    process.env.SECRETS_ENCRYPTION_KEY = Buffer.alloc(32, 9).toString("base64");
+
+    await removeDbFiles();
+    initDb(TEST_DB_PATH);
+    process.env.PUBLIC_MCP_BASE_URL = "https://swarm.example.test";
+    process.env.APP_URL = "https://dashboard.example.test";
+    delete process.env.DASHBOARD_URL;
+
+    globalThis.fetch = (async (input: string | URL | Request, init?: RequestInit) => {
+      const href = input.toString();
+      if (href === "https://login.salesforce.com/services/oauth2/token") {
+        capturedTokenBody = init?.body?.toString() ?? null;
+        return new Response(
+          JSON.stringify({
+            access_token: "sf-access-token",
+            token_type: "Bearer",
+            expires_in: 3600,
+            refresh_token: "sf-refresh-token",
+            scope: "mcp_api refresh_token",
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        );
+      }
+      return new Response("not found", { status: 404 });
+    }) as typeof fetch;
+  });
+
+  afterEach(async () => {
+    globalThis.fetch = originalFetch;
+    closeDb();
+    await removeDbFiles();
+    if (originalPublicMcpBaseUrl === undefined) delete process.env.PUBLIC_MCP_BASE_URL;
+    else process.env.PUBLIC_MCP_BASE_URL = originalPublicMcpBaseUrl;
+    if (originalAppUrl === undefined) delete process.env.APP_URL;
+    else process.env.APP_URL = originalAppUrl;
+    if (originalDashboardUrl === undefined) delete process.env.DASHBOARD_URL;
+    else process.env.DASHBOARD_URL = originalDashboardUrl;
+  });
+
+  test("authorize-url uses a stored manual client when DCR is not available", async () => {
+    const mcpServer = createMcpServer({
+      name: "salesforce-sobjects",
+      transport: "http",
+      url: "https://api.salesforce.com/platform/mcp/v1/platform/sobject-all",
+      scope: "swarm",
+    });
+
+    const manualRes = await dispatch(`/api/mcp-oauth/${mcpServer.id}/manual-client`, {
+      method: "POST",
+      headers: {
+        Authorization: `Bearer ${API_KEY}`,
+      },
+      body: JSON.stringify({
+        clientId: "sf-client-id",
+        clientSecret: "sf-client-secret",
+        authorizationServerIssuer: "https://login.salesforce.com",
+        authorizeUrl: "https://login.salesforce.com/services/oauth2/authorize",
+        tokenUrl: "https://login.salesforce.com/services/oauth2/token",
+        scopes: ["mcp_api", "refresh_token"],
+      }),
+    });
+    expect(manualRes.status).toBe(200);
+
+    const provisionalToken = getMcpOAuthToken(mcpServer.id);
+    expect(provisionalToken?.clientSource).toBe("manual");
+    expect(provisionalToken?.status).toBe("error");
+
+    const authorizeRes = await dispatch(`/api/mcp-oauth/${mcpServer.id}/authorize-url`, {
+      headers: { Authorization: `Bearer ${API_KEY}` },
+    });
+    expect(authorizeRes.status).toBe(200);
+    const { providerUrl } = (await authorizeRes.json()) as { providerUrl: string };
+    const provider = new URL(providerUrl);
+
+    expect(provider.origin + provider.pathname).toBe(
+      "https://login.salesforce.com/services/oauth2/authorize",
+    );
+    expect(provider.searchParams.get("client_id")).toBe("sf-client-id");
+    expect(provider.searchParams.get("scope")).toBe("mcp_api refresh_token");
+    expect(provider.searchParams.get("resource")).toBe(mcpServer.url);
+    expect(provider.searchParams.get("redirect_uri")).toBe(
+      "https://swarm.example.test/api/mcp-oauth/callback",
+    );
+
+    const state = provider.searchParams.get("state");
+    expect(state).toBeTruthy();
+
+    const callbackRes = await dispatch(
+      `/api/mcp-oauth/callback?state=${encodeURIComponent(state!)}&code=sf-auth-code`,
+    );
+    expect(callbackRes.status).toBe(302);
+    expect(callbackRes.headers.location).toBe(
+      `${process.env.APP_URL}/mcp-servers/${mcpServer.id}?oauth=success`,
+    );
+
+    const tokenRequest = new URLSearchParams(capturedTokenBody ?? "");
+    expect(tokenRequest.get("client_id")).toBe("sf-client-id");
+    expect(tokenRequest.get("client_secret")).toBe("sf-client-secret");
+    expect(tokenRequest.get("resource")).toBe(mcpServer.url);
+    expect(tokenRequest.get("redirect_uri")).toBe(
+      "https://swarm.example.test/api/mcp-oauth/callback",
+    );
+
+    const connectedToken = getMcpOAuthToken(mcpServer.id);
+    expect(connectedToken?.clientSource).toBe("manual");
+    expect(connectedToken?.status).toBe("connected");
+    expect(connectedToken?.accessToken).toBe("sf-access-token");
+    expect(connectedToken?.refreshToken).toBe("sf-refresh-token");
+    expect(connectedToken?.dcrClientId).toBe("sf-client-id");
+    expect(connectedToken?.dcrClientSecret).toBe("sf-client-secret");
+  });
+});

package/src/tests/pages-public-html.test.ts

@@ -41,6 +41,8 @@ describe("GET /p/:id — HTML public path", () => {
   let server: Server;
   const agentId = crypto.randomUUID();
   const headers = { "Content-Type": "application/json", "X-Agent-ID": agentId };
+  const ORIG_APP = process.env.APP_URL;
+  const ORIG_DASHBOARD = process.env.DASHBOARD_URL;
 
   beforeAll(async () => {
     for (const suffix of ["", "-wal", "-shm"]) {
@@ -56,6 +58,10 @@ describe("GET /p/:id — HTML public path", () => {
   afterAll(async () => {
     await new Promise<void>((resolve) => server.close(() => resolve()));
     closeDb();
+    if (ORIG_APP === undefined) delete process.env.APP_URL;
+    else process.env.APP_URL = ORIG_APP;
+    if (ORIG_DASHBOARD === undefined) delete process.env.DASHBOARD_URL;
+    else process.env.DASHBOARD_URL = ORIG_DASHBOARD;
     for (const suffix of ["", "-wal", "-shm"]) {
       try {
         await unlink(`${TEST_DB_PATH}${suffix}`);
@@ -98,6 +104,41 @@ describe("GET /p/:id — HTML public path", () => {
     expect(text).toContain("class SwarmSDK"); // BROWSER_SDK_JS sentinel
   });
 
+  test("CSP frame ancestors include deprecated DASHBOARD_URL alias", async () => {
+    const prevApp = process.env.APP_URL;
+    const prevDashboard = process.env.DASHBOARD_URL;
+    delete process.env.APP_URL;
+    process.env.DASHBOARD_URL = "https://dashboard.example.test/";
+    try {
+      const html = "<!doctype html><html><head><title>CSP</title></head><body></body></html>";
+      const post = await fetch(`${BASE}/api/pages`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({
+          slug: "dashboard-url-csp",
+          title: "Dashboard URL CSP",
+          contentType: "text/html",
+          authMode: "public",
+          body: html,
+        }),
+      });
+      expect(post.status).toBe(201);
+      const { id } = (await post.json()) as { id: string };
+
+      const res = await fetch(`${BASE}/p/${id}`);
+      expect(res.status).toBe(200);
+      const csp = res.headers.get("content-security-policy");
+      const frameAncestors =
+        csp?.split(";").find((d) => d.trim().startsWith("frame-ancestors ")) ?? "";
+      expect(frameAncestors).toContain("https://dashboard.example.test");
+    } finally {
+      if (prevApp === undefined) delete process.env.APP_URL;
+      else process.env.APP_URL = prevApp;
+      if (prevDashboard === undefined) delete process.env.DASHBOARD_URL;
+      else process.env.DASHBOARD_URL = prevDashboard;
+    }
+  });
+
   test("public JSON page 302-redirects to SPA artifact route", async () => {
     const post = await fetch(`${BASE}/api/pages`, {
       method: "POST",

package/src/tests/pages-public-json-redirect.test.ts

@@ -1,7 +1,7 @@
 /**
  * Public `/p/:id` for JSON content. JSON pages do NOT render at the API —
  * the renderer lives in the SPA at `/pages/:id` (step-6/7). The API
- * responds with a 302 to `${APP_URL}/pages/:id`.
+ * responds with a 302 to the configured app URL's `/pages/:id`.
  */
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import crypto from "node:crypto";
@@ -38,6 +38,7 @@ describe("GET /p/:id — JSON page redirect", () => {
   const agentId = crypto.randomUUID();
   const headers = { "Content-Type": "application/json", "X-Agent-ID": agentId };
   const ORIG_APP = process.env.APP_URL;
+  const ORIG_DASHBOARD = process.env.DASHBOARD_URL;
 
   beforeAll(async () => {
     for (const suffix of ["", "-wal", "-shm"]) {
@@ -48,6 +49,7 @@ describe("GET /p/:id — JSON page redirect", () => {
     initDb(TEST_DB_PATH);
     // Pin APP_URL so the redirect is deterministic across hosts.
     process.env.APP_URL = "http://localhost:5274";
+    delete process.env.DASHBOARD_URL;
     server = createTestServer();
     await new Promise<void>((resolve) => server.listen(TEST_PORT, () => resolve()));
   });
@@ -57,6 +59,8 @@ describe("GET /p/:id — JSON page redirect", () => {
     closeDb();
     if (ORIG_APP === undefined) delete process.env.APP_URL;
     else process.env.APP_URL = ORIG_APP;
+    if (ORIG_DASHBOARD === undefined) delete process.env.DASHBOARD_URL;
+    else process.env.DASHBOARD_URL = ORIG_DASHBOARD;
     for (const suffix of ["", "-wal", "-shm"]) {
       try {
         await unlink(`${TEST_DB_PATH}${suffix}`);
@@ -64,7 +68,7 @@ describe("GET /p/:id — JSON page redirect", () => {
     }
   });
 
-  test("JSON content redirects to ${APP_URL}/pages/:id", async () => {
+  test("JSON content redirects to configured app URL pages route", async () => {
     const post = await fetch(`${BASE}/api/pages`, {
       method: "POST",
       headers,
@@ -83,4 +87,35 @@ describe("GET /p/:id — JSON page redirect", () => {
     expect(res.status).toBe(302);
     expect(res.headers.get("location")).toBe(`http://localhost:5274/pages/${id}`);
   });
+
+  test("JSON content falls back to local SPA when app URL envs are unset", async () => {
+    const prevApp = process.env.APP_URL;
+    const prevDashboard = process.env.DASHBOARD_URL;
+    process.env.APP_URL = "";
+    delete process.env.DASHBOARD_URL;
+    try {
+      const post = await fetch(`${BASE}/api/pages`, {
+        method: "POST",
+        headers,
+        body: JSON.stringify({
+          slug: "redir-local-fallback",
+          title: "Redirect Locally",
+          contentType: "application/json",
+          authMode: "public",
+          body: JSON.stringify({ kind: "spec", nodes: [] }),
+        }),
+      });
+      expect(post.status).toBe(201);
+      const { id } = (await post.json()) as { id: string };
+
+      const res = await fetch(`${BASE}/p/${id}`, { redirect: "manual" });
+      expect(res.status).toBe(302);
+      expect(res.headers.get("location")).toBe(`http://localhost:5274/pages/${id}`);
+    } finally {
+      if (prevApp === undefined) delete process.env.APP_URL;
+      else process.env.APP_URL = prevApp;
+      if (prevDashboard === undefined) delete process.env.DASHBOARD_URL;
+      else process.env.DASHBOARD_URL = prevDashboard;
+    }
+  });
 });

package/src/tests/profile-sync.test.ts

@@ -0,0 +1,282 @@
+import { describe, expect, spyOn, test } from "bun:test";
+import {
+  buildIdentityPayload,
+  CLAUDE_MD_PATH,
+  collectProfilePayloads,
+  extractSetupScriptContent,
+  type FileReader,
+  IDENTITY_MD_PATH,
+  postProfileUpdate,
+  resolveClaudeMdPath,
+  SETUP_SCRIPT_PATH,
+  SOUL_MD_PATH,
+  syncProfileFilesToServer,
+  TOOLS_MD_PATH,
+  WORKSPACE_CLAUDE_MD_PATH,
+} from "../commands/profile-sync";
+
+const MARKER_START = "# === Agent-managed setup (from DB) ===";
+const MARKER_END = "# === End agent-managed setup ===";
+
+// A SOUL/IDENTITY body long enough to clear the 500-char min-length guard.
+const LONG = "x".repeat(600);
+
+describe("extractSetupScriptContent (marker extraction)", () => {
+  test("extracts ONLY the content between the agent-managed markers", () => {
+    const raw = [
+      "#!/bin/bash",
+      "echo operator-prelude",
+      MARKER_START,
+      "export FOO=bar",
+      'echo "agent line"',
+      MARKER_END,
+      "echo operator-postlude",
+    ].join("\n");
+
+    expect(extractSetupScriptContent(raw)).toBe('export FOO=bar\necho "agent line"');
+  });
+
+  test("strips a leading shebang when no markers are present", () => {
+    const raw = '#!/bin/bash\necho "whole file is agent-managed"';
+    expect(extractSetupScriptContent(raw)).toBe('echo "whole file is agent-managed"');
+  });
+
+  test("returns null for an empty / whitespace-only file", () => {
+    expect(extractSetupScriptContent("")).toBeNull();
+    expect(extractSetupScriptContent("   \n\t ")).toBeNull();
+  });
+
+  test("returns null when the marker section is empty", () => {
+    const raw = `prelude\n${MARKER_START}\n   \n${MARKER_END}\npostlude`;
+    expect(extractSetupScriptContent(raw)).toBeNull();
+  });
+
+  test("returns null when content exceeds the max length", () => {
+    const raw = `${MARKER_START}\n${"a".repeat(65537)}\n${MARKER_END}`;
+    expect(extractSetupScriptContent(raw)).toBeNull();
+  });
+});
+
+describe("buildIdentityPayload (min-length guard)", () => {
+  test("includes SOUL/IDENTITY only when they clear the 500-char minimum", () => {
+    const errSpy = spyOn(console, "error").mockImplementation(() => {});
+    try {
+      const ok = buildIdentityPayload({ soulMd: LONG, identityMd: LONG });
+      expect(ok.soulMd).toBe(LONG);
+      expect(ok.identityMd).toBe(LONG);
+
+      const short = buildIdentityPayload({ soulMd: "too short", identityMd: "also short" });
+      expect(short.soulMd).toBeUndefined();
+      expect(short.identityMd).toBeUndefined();
+      // The guard must be VISIBLE — it logs why it skipped.
+      expect(errSpy).toHaveBeenCalled();
+    } finally {
+      errSpy.mockRestore();
+    }
+  });
+
+  test("TOOLS.md has no min-length guard (any non-empty content syncs)", () => {
+    const payload = buildIdentityPayload({ toolsMd: "short tools" });
+    expect(payload.toolsMd).toBe("short tools");
+  });
+
+  test("HEARTBEAT.md syncs even when empty (no trim/min-length guard)", () => {
+    const payload = buildIdentityPayload({ heartbeatMd: "" });
+    expect(payload.heartbeatMd).toBe("");
+  });
+
+  test("skips files that exceed the max length", () => {
+    const huge = "z".repeat(65537);
+    const payload = buildIdentityPayload({ soulMd: huge, toolsMd: huge });
+    expect(payload.soulMd).toBeUndefined();
+    expect(payload.toolsMd).toBeUndefined();
+  });
+
+  test("absent files (undefined) produce no keys", () => {
+    expect(buildIdentityPayload({})).toEqual({});
+  });
+});
+
+describe("collectProfilePayloads (field gate)", () => {
+  const reader = (files: Record<string, string>): FileReader => {
+    return async (path: string) => files[path];
+  };
+
+  test("only the selected field group is collected", async () => {
+    const files = reader({
+      [SOUL_MD_PATH]: LONG,
+      [IDENTITY_MD_PATH]: LONG,
+      [TOOLS_MD_PATH]: "tools",
+      [CLAUDE_MD_PATH]: "claude md content",
+      [SETUP_SCRIPT_PATH]: `${MARKER_START}\nexport X=1\n${MARKER_END}`,
+    });
+
+    const setupOnly = await collectProfilePayloads(["setup"], "session_sync", files);
+    expect(setupOnly.map((p) => p.label)).toEqual(["setup"]);
+    expect(setupOnly[0]?.body).toEqual({ setupScript: "export X=1", changeSource: "session_sync" });
+
+    const claudeOnly = await collectProfilePayloads(["claude"], "session_sync", files);
+    expect(claudeOnly.map((p) => p.label)).toEqual(["claude"]);
+
+    const all = await collectProfilePayloads(
+      ["identity", "claude", "setup"],
+      "session_sync",
+      files,
+    );
+    expect(all.map((p) => p.label).sort()).toEqual(["claude", "identity", "setup"]);
+  });
+
+  test("a missing file yields no payload for that group (no empty POST)", async () => {
+    const files = reader({}); // nothing on disk
+    const payloads = await collectProfilePayloads(
+      ["identity", "claude", "setup"],
+      "session_sync",
+      files,
+    );
+    expect(payloads).toEqual([]);
+  });
+
+  test("propagates the changeSource into every body", async () => {
+    const files = reader({ [TOOLS_MD_PATH]: "tools" });
+    const payloads = await collectProfilePayloads(["identity"], "self_edit", files);
+    expect(payloads[0]?.body.changeSource).toBe("self_edit");
+  });
+
+  test("non-Claude providers sync /workspace/CLAUDE.md, not the personal file", async () => {
+    // A codex/pi/opencode session edits the runner-materialized workspace file;
+    // the Claude personal file (~/.claude/CLAUDE.md) is absent for them.
+    const files = reader({ [WORKSPACE_CLAUDE_MD_PATH]: "workspace claude md edit" });
+
+    const payloads = await collectProfilePayloads(
+      ["claude"],
+      "session_sync",
+      files,
+      WORKSPACE_CLAUDE_MD_PATH,
+    );
+    expect(payloads.map((p) => p.label)).toEqual(["claude"]);
+    expect(payloads[0]?.body).toEqual({
+      claudeMd: "workspace claude md edit",
+      changeSource: "session_sync",
+    });
+  });
+
+  test("Claude's default path never reads the workspace materialization", async () => {
+    // Guard against reverting a real Claude personal-file edit: with the default
+    // (personal-file) path, content sitting only at /workspace/CLAUDE.md — the
+    // stale boot materialization — must NOT be picked up as a claude payload.
+    const files = reader({ [WORKSPACE_CLAUDE_MD_PATH]: "stale workspace materialization" });
+
+    const payloads = await collectProfilePayloads(["claude"], "session_sync", files);
+    expect(payloads).toEqual([]);
+  });
+});
+
+describe("resolveClaudeMdPath (per-batch provider routing)", () => {
+  test("an all-Claude batch uses the personal-file path (Stop-hook backstop)", () => {
+    expect(resolveClaudeMdPath(["claude"])).toBe(CLAUDE_MD_PATH);
+    expect(resolveClaudeMdPath(["claude", "claude"])).toBe(CLAUDE_MD_PATH);
+  });
+
+  test("any non-Claude local session routes to the workspace file", () => {
+    expect(resolveClaudeMdPath(["codex"])).toBe(WORKSPACE_CLAUDE_MD_PATH);
+    expect(resolveClaudeMdPath(["pi"])).toBe(WORKSPACE_CLAUDE_MD_PATH);
+    expect(resolveClaudeMdPath(["opencode"])).toBe(WORKSPACE_CLAUDE_MD_PATH);
+    // Mixed batch: a non-Claude edit means the workspace file is authoritative.
+    expect(resolveClaudeMdPath(["claude", "codex"])).toBe(WORKSPACE_CLAUDE_MD_PATH);
+  });
+});
+
+describe("postProfileUpdate (non-2xx is surfaced, not swallowed)", () => {
+  const opts = {
+    agentId: "agent-1",
+    apiUrl: "https://api.example.test",
+    apiKey: "secret-key",
+  };
+  const payload = {
+    label: "setup",
+    body: { setupScript: "export X=1", changeSource: "session_sync" },
+  };
+
+  test("a successful 2xx response logs no warning", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const fetchImpl = (async () => new Response("{}", { status: 200 })) as typeof fetch;
+    try {
+      await postProfileUpdate({ ...opts, fetchImpl }, payload);
+      expect(warnSpy).not.toHaveBeenCalled();
+    } finally {
+      warnSpy.mockRestore();
+    }
+  });
+
+  test("a non-2xx response surfaces a warning but does NOT throw", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const fetchImpl = (async () =>
+      new Response("boom", { status: 500, statusText: "Server Error" })) as typeof fetch;
+    try {
+      // Must resolve (non-fatal), not reject.
+      await expect(postProfileUpdate({ ...opts, fetchImpl }, payload)).resolves.toBeUndefined();
+      expect(warnSpy).toHaveBeenCalledTimes(1);
+      const msg = String(warnSpy.mock.calls[0]?.[0]);
+      expect(msg).toContain("setup sync failed");
+      expect(msg).toContain("500");
+    } finally {
+      warnSpy.mockRestore();
+    }
+  });
+
+  test("a thrown fetch error surfaces a warning but does NOT throw", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const fetchImpl = (async () => {
+      throw new Error("network down");
+    }) as typeof fetch;
+    try {
+      await expect(postProfileUpdate({ ...opts, fetchImpl }, payload)).resolves.toBeUndefined();
+      expect(warnSpy).toHaveBeenCalledTimes(1);
+      expect(String(warnSpy.mock.calls[0]?.[0])).toContain("setup sync errored");
+    } finally {
+      warnSpy.mockRestore();
+    }
+  });
+
+  test("sends a PUT to the profile route with auth + agent headers", async () => {
+    let capturedUrl = "";
+    let capturedInit: RequestInit | undefined;
+    const fetchImpl = (async (url: string | URL | Request, init?: RequestInit) => {
+      capturedUrl = String(url);
+      capturedInit = init;
+      return new Response("{}", { status: 200 });
+    }) as typeof fetch;
+
+    await postProfileUpdate({ ...opts, fetchImpl }, payload);
+
+    expect(capturedUrl).toBe("https://api.example.test/api/agents/agent-1/profile");
+    expect(capturedInit?.method).toBe("PUT");
+    const headers = capturedInit?.headers as Record<string, string>;
+    expect(headers.Authorization).toBe("Bearer secret-key");
+    expect(headers["X-Agent-ID"]).toBe("agent-1");
+    expect(JSON.parse(String(capturedInit?.body))).toEqual(payload.body);
+  });
+});
+
+describe("syncProfileFilesToServer (orchestration is non-fatal)", () => {
+  test("resolves without throwing even when every POST fails", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const errSpy = spyOn(console, "error").mockImplementation(() => {});
+    const fetchImpl = (async () => new Response("nope", { status: 503 })) as typeof fetch;
+    try {
+      await expect(
+        syncProfileFilesToServer({
+          agentId: "agent-1",
+          apiUrl: "https://api.example.test",
+          apiKey: "secret-key",
+          changeSource: "session_sync",
+          // No files on a CI box → typically no payloads; still must never throw.
+          fetchImpl,
+        }),
+      ).resolves.toBeUndefined();
+    } finally {
+      warnSpy.mockRestore();
+      errSpy.mockRestore();
+    }
+  });
+});

package/src/tests/scripts-runtime.test.ts

@@ -288,6 +288,39 @@ describe("runScript", () => {
     }
   });
 
+  test("zod import works in compiled binary mode (SCRIPT_RUNTIME_DIR)", async () => {
+    const tmpdir = `${process.env.TMPDIR ?? "/tmp"}/script-runtime-test-${crypto.randomUUID()}`;
+    await Bun.$`mkdir -p ${tmpdir}`;
+    try {
+      const runtimeSrc = new URL("../scripts-runtime", import.meta.url).pathname;
+      await Bun.$`bun build ${runtimeSrc}/eval-harness.ts --target bun --no-splitting --outfile ${tmpdir}/eval-harness.bundle.js`.quiet();
+      await Bun.$`bun build ${runtimeSrc}/stdlib/index.ts --target bun --no-splitting --outfile ${tmpdir}/stdlib.bundle.js`.quiet();
+      await Bun.$`bun build ${runtimeSrc}/swarm-sdk.ts --target bun --no-splitting --outfile ${tmpdir}/swarm-sdk.bundle.js`.quiet();
+      const zodEntry = Bun.resolveSync("zod", import.meta.dir);
+      await Bun.$`bun build ${zodEntry} --target bun --no-splitting --outfile ${tmpdir}/zod.bundle.js`.quiet();
+
+      process.env.SCRIPT_RUNTIME_DIR = tmpdir;
+
+      const output = await runScript({
+        agentId: "agent-1",
+        args: { name: "test" },
+        resources,
+        source: `
+          import { z } from "zod";
+          export const argsSchema = z.object({ name: z.string() });
+          export default async (args: z.infer<typeof argsSchema>) => ({ greeting: "hello " + args.name });
+        `,
+      });
+
+      expect(output.error).toBeUndefined();
+      expect(output.result).toEqual({ greeting: "hello test" });
+      expect(output.exitCode).toBe(0);
+    } finally {
+      delete process.env.SCRIPT_RUNTIME_DIR;
+      await Bun.$`rm -rf ${tmpdir}`;
+    }
+  });
+
   test("argsSchema rejects invalid args with a formatted Zod error", async () => {
     const output = await runScript({
       agentId: "agent-1",

package/src/tests/seed-scripts.test.ts

@@ -48,8 +48,8 @@ afterAll(async () => {
 });
 
 describe("seed-scripts catalog", () => {
-  test("manifest holds 10 unique, well-described scripts", () => {
-    expect(SEED_SCRIPTS.length).toBe(10);
+  test("manifest holds 14 unique, well-described scripts", () => {
+    expect(SEED_SCRIPTS.length).toBe(14);
     const names = SEED_SCRIPTS.map((s) => s.name);
     expect(new Set(names).size).toBe(names.length);
     for (const s of SEED_SCRIPTS) {