@desplega.ai/agent-swarm 1.90.0 → 1.92.0

package/src/tests/profile-sync.test.ts

@@ -0,0 +1,282 @@
+import { describe, expect, spyOn, test } from "bun:test";
+import {
+  buildIdentityPayload,
+  CLAUDE_MD_PATH,
+  collectProfilePayloads,
+  extractSetupScriptContent,
+  type FileReader,
+  IDENTITY_MD_PATH,
+  postProfileUpdate,
+  resolveClaudeMdPath,
+  SETUP_SCRIPT_PATH,
+  SOUL_MD_PATH,
+  syncProfileFilesToServer,
+  TOOLS_MD_PATH,
+  WORKSPACE_CLAUDE_MD_PATH,
+} from "../commands/profile-sync";
+
+const MARKER_START = "# === Agent-managed setup (from DB) ===";
+const MARKER_END = "# === End agent-managed setup ===";
+
+// A SOUL/IDENTITY body long enough to clear the 500-char min-length guard.
+const LONG = "x".repeat(600);
+
+describe("extractSetupScriptContent (marker extraction)", () => {
+  test("extracts ONLY the content between the agent-managed markers", () => {
+    const raw = [
+      "#!/bin/bash",
+      "echo operator-prelude",
+      MARKER_START,
+      "export FOO=bar",
+      'echo "agent line"',
+      MARKER_END,
+      "echo operator-postlude",
+    ].join("\n");
+
+    expect(extractSetupScriptContent(raw)).toBe('export FOO=bar\necho "agent line"');
+  });
+
+  test("strips a leading shebang when no markers are present", () => {
+    const raw = '#!/bin/bash\necho "whole file is agent-managed"';
+    expect(extractSetupScriptContent(raw)).toBe('echo "whole file is agent-managed"');
+  });
+
+  test("returns null for an empty / whitespace-only file", () => {
+    expect(extractSetupScriptContent("")).toBeNull();
+    expect(extractSetupScriptContent("   \n\t ")).toBeNull();
+  });
+
+  test("returns null when the marker section is empty", () => {
+    const raw = `prelude\n${MARKER_START}\n   \n${MARKER_END}\npostlude`;
+    expect(extractSetupScriptContent(raw)).toBeNull();
+  });
+
+  test("returns null when content exceeds the max length", () => {
+    const raw = `${MARKER_START}\n${"a".repeat(65537)}\n${MARKER_END}`;
+    expect(extractSetupScriptContent(raw)).toBeNull();
+  });
+});
+
+describe("buildIdentityPayload (min-length guard)", () => {
+  test("includes SOUL/IDENTITY only when they clear the 500-char minimum", () => {
+    const errSpy = spyOn(console, "error").mockImplementation(() => {});
+    try {
+      const ok = buildIdentityPayload({ soulMd: LONG, identityMd: LONG });
+      expect(ok.soulMd).toBe(LONG);
+      expect(ok.identityMd).toBe(LONG);
+
+      const short = buildIdentityPayload({ soulMd: "too short", identityMd: "also short" });
+      expect(short.soulMd).toBeUndefined();
+      expect(short.identityMd).toBeUndefined();
+      // The guard must be VISIBLE — it logs why it skipped.
+      expect(errSpy).toHaveBeenCalled();
+    } finally {
+      errSpy.mockRestore();
+    }
+  });
+
+  test("TOOLS.md has no min-length guard (any non-empty content syncs)", () => {
+    const payload = buildIdentityPayload({ toolsMd: "short tools" });
+    expect(payload.toolsMd).toBe("short tools");
+  });
+
+  test("HEARTBEAT.md syncs even when empty (no trim/min-length guard)", () => {
+    const payload = buildIdentityPayload({ heartbeatMd: "" });
+    expect(payload.heartbeatMd).toBe("");
+  });
+
+  test("skips files that exceed the max length", () => {
+    const huge = "z".repeat(65537);
+    const payload = buildIdentityPayload({ soulMd: huge, toolsMd: huge });
+    expect(payload.soulMd).toBeUndefined();
+    expect(payload.toolsMd).toBeUndefined();
+  });
+
+  test("absent files (undefined) produce no keys", () => {
+    expect(buildIdentityPayload({})).toEqual({});
+  });
+});
+
+describe("collectProfilePayloads (field gate)", () => {
+  const reader = (files: Record<string, string>): FileReader => {
+    return async (path: string) => files[path];
+  };
+
+  test("only the selected field group is collected", async () => {
+    const files = reader({
+      [SOUL_MD_PATH]: LONG,
+      [IDENTITY_MD_PATH]: LONG,
+      [TOOLS_MD_PATH]: "tools",
+      [CLAUDE_MD_PATH]: "claude md content",
+      [SETUP_SCRIPT_PATH]: `${MARKER_START}\nexport X=1\n${MARKER_END}`,
+    });
+
+    const setupOnly = await collectProfilePayloads(["setup"], "session_sync", files);
+    expect(setupOnly.map((p) => p.label)).toEqual(["setup"]);
+    expect(setupOnly[0]?.body).toEqual({ setupScript: "export X=1", changeSource: "session_sync" });
+
+    const claudeOnly = await collectProfilePayloads(["claude"], "session_sync", files);
+    expect(claudeOnly.map((p) => p.label)).toEqual(["claude"]);
+
+    const all = await collectProfilePayloads(
+      ["identity", "claude", "setup"],
+      "session_sync",
+      files,
+    );
+    expect(all.map((p) => p.label).sort()).toEqual(["claude", "identity", "setup"]);
+  });
+
+  test("a missing file yields no payload for that group (no empty POST)", async () => {
+    const files = reader({}); // nothing on disk
+    const payloads = await collectProfilePayloads(
+      ["identity", "claude", "setup"],
+      "session_sync",
+      files,
+    );
+    expect(payloads).toEqual([]);
+  });
+
+  test("propagates the changeSource into every body", async () => {
+    const files = reader({ [TOOLS_MD_PATH]: "tools" });
+    const payloads = await collectProfilePayloads(["identity"], "self_edit", files);
+    expect(payloads[0]?.body.changeSource).toBe("self_edit");
+  });
+
+  test("non-Claude providers sync /workspace/CLAUDE.md, not the personal file", async () => {
+    // A codex/pi/opencode session edits the runner-materialized workspace file;
+    // the Claude personal file (~/.claude/CLAUDE.md) is absent for them.
+    const files = reader({ [WORKSPACE_CLAUDE_MD_PATH]: "workspace claude md edit" });
+
+    const payloads = await collectProfilePayloads(
+      ["claude"],
+      "session_sync",
+      files,
+      WORKSPACE_CLAUDE_MD_PATH,
+    );
+    expect(payloads.map((p) => p.label)).toEqual(["claude"]);
+    expect(payloads[0]?.body).toEqual({
+      claudeMd: "workspace claude md edit",
+      changeSource: "session_sync",
+    });
+  });
+
+  test("Claude's default path never reads the workspace materialization", async () => {
+    // Guard against reverting a real Claude personal-file edit: with the default
+    // (personal-file) path, content sitting only at /workspace/CLAUDE.md — the
+    // stale boot materialization — must NOT be picked up as a claude payload.
+    const files = reader({ [WORKSPACE_CLAUDE_MD_PATH]: "stale workspace materialization" });
+
+    const payloads = await collectProfilePayloads(["claude"], "session_sync", files);
+    expect(payloads).toEqual([]);
+  });
+});
+
+describe("resolveClaudeMdPath (per-batch provider routing)", () => {
+  test("an all-Claude batch uses the personal-file path (Stop-hook backstop)", () => {
+    expect(resolveClaudeMdPath(["claude"])).toBe(CLAUDE_MD_PATH);
+    expect(resolveClaudeMdPath(["claude", "claude"])).toBe(CLAUDE_MD_PATH);
+  });
+
+  test("any non-Claude local session routes to the workspace file", () => {
+    expect(resolveClaudeMdPath(["codex"])).toBe(WORKSPACE_CLAUDE_MD_PATH);
+    expect(resolveClaudeMdPath(["pi"])).toBe(WORKSPACE_CLAUDE_MD_PATH);
+    expect(resolveClaudeMdPath(["opencode"])).toBe(WORKSPACE_CLAUDE_MD_PATH);
+    // Mixed batch: a non-Claude edit means the workspace file is authoritative.
+    expect(resolveClaudeMdPath(["claude", "codex"])).toBe(WORKSPACE_CLAUDE_MD_PATH);
+  });
+});
+
+describe("postProfileUpdate (non-2xx is surfaced, not swallowed)", () => {
+  const opts = {
+    agentId: "agent-1",
+    apiUrl: "https://api.example.test",
+    apiKey: "secret-key",
+  };
+  const payload = {
+    label: "setup",
+    body: { setupScript: "export X=1", changeSource: "session_sync" },
+  };
+
+  test("a successful 2xx response logs no warning", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const fetchImpl = (async () => new Response("{}", { status: 200 })) as typeof fetch;
+    try {
+      await postProfileUpdate({ ...opts, fetchImpl }, payload);
+      expect(warnSpy).not.toHaveBeenCalled();
+    } finally {
+      warnSpy.mockRestore();
+    }
+  });
+
+  test("a non-2xx response surfaces a warning but does NOT throw", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const fetchImpl = (async () =>
+      new Response("boom", { status: 500, statusText: "Server Error" })) as typeof fetch;
+    try {
+      // Must resolve (non-fatal), not reject.
+      await expect(postProfileUpdate({ ...opts, fetchImpl }, payload)).resolves.toBeUndefined();
+      expect(warnSpy).toHaveBeenCalledTimes(1);
+      const msg = String(warnSpy.mock.calls[0]?.[0]);
+      expect(msg).toContain("setup sync failed");
+      expect(msg).toContain("500");
+    } finally {
+      warnSpy.mockRestore();
+    }
+  });
+
+  test("a thrown fetch error surfaces a warning but does NOT throw", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const fetchImpl = (async () => {
+      throw new Error("network down");
+    }) as typeof fetch;
+    try {
+      await expect(postProfileUpdate({ ...opts, fetchImpl }, payload)).resolves.toBeUndefined();
+      expect(warnSpy).toHaveBeenCalledTimes(1);
+      expect(String(warnSpy.mock.calls[0]?.[0])).toContain("setup sync errored");
+    } finally {
+      warnSpy.mockRestore();
+    }
+  });
+
+  test("sends a PUT to the profile route with auth + agent headers", async () => {
+    let capturedUrl = "";
+    let capturedInit: RequestInit | undefined;
+    const fetchImpl = (async (url: string | URL | Request, init?: RequestInit) => {
+      capturedUrl = String(url);
+      capturedInit = init;
+      return new Response("{}", { status: 200 });
+    }) as typeof fetch;
+
+    await postProfileUpdate({ ...opts, fetchImpl }, payload);
+
+    expect(capturedUrl).toBe("https://api.example.test/api/agents/agent-1/profile");
+    expect(capturedInit?.method).toBe("PUT");
+    const headers = capturedInit?.headers as Record<string, string>;
+    expect(headers.Authorization).toBe("Bearer secret-key");
+    expect(headers["X-Agent-ID"]).toBe("agent-1");
+    expect(JSON.parse(String(capturedInit?.body))).toEqual(payload.body);
+  });
+});
+
+describe("syncProfileFilesToServer (orchestration is non-fatal)", () => {
+  test("resolves without throwing even when every POST fails", async () => {
+    const warnSpy = spyOn(console, "warn").mockImplementation(() => {});
+    const errSpy = spyOn(console, "error").mockImplementation(() => {});
+    const fetchImpl = (async () => new Response("nope", { status: 503 })) as typeof fetch;
+    try {
+      await expect(
+        syncProfileFilesToServer({
+          agentId: "agent-1",
+          apiUrl: "https://api.example.test",
+          apiKey: "secret-key",
+          changeSource: "session_sync",
+          // No files on a CI box → typically no payloads; still must never throw.
+          fetchImpl,
+        }),
+      ).resolves.toBeUndefined();
+    } finally {
+      warnSpy.mockRestore();
+      errSpy.mockRestore();
+    }
+  });
+});

package/src/tests/prompt-template-session.test.ts

@@ -54,7 +54,7 @@ describe("Session templates — registration", () => {
     await ensureTemplatesRegistered();
   });
 
-  test("all 14 system templates are registered", () => {
+  test("all 15 system templates are registered", () => {
     const systemTemplates = [
       "system.agent.role",
       "system.agent.register",
@@ -66,6 +66,7 @@ describe("Session templates — registration", () => {
       "system.agent.agent_fs",
       "system.agent.self_awareness",
       "system.agent.context_mode",
+      "system.agent.seed_scripts",
 
       "system.agent.system",
       "system.agent.services",
@@ -90,12 +91,12 @@ describe("Session templates — registration", () => {
     }
   });
 
-  test("total of 20 session/system templates registered", () => {
+  test("total of 21 session/system templates registered", () => {
     const all = getAllTemplateDefinitions();
     const sessionSystem = all.filter((d) => d.category === "system" || d.category === "session");
-    // 20 = the original 19 + `system.session.worker.pi` (a pi-specific worker
-    // composite that omits the context_mode block — see session-templates.ts).
-    expect(sessionSystem.length).toBe(20);
+    // 21 = the original 19 + `system.session.worker.pi` + `system.agent.seed_scripts`.
+    // The pi composite omits script nudges because pi workers do not have MCP.
+    expect(sessionSystem.length).toBe(21);
   });
 });
 
@@ -187,6 +188,15 @@ describe("Session templates — individual resolution", () => {
     expect(result.text).toContain("batch_execute");
   });
 
+  test("system.agent.seed_scripts points agents at task-start scripts", () => {
+    const result = resolveTemplate("system.agent.seed_scripts", {});
+    expect(result.text).toContain("Pre-built Seed Scripts");
+    expect(result.text).toContain("task-context-gathering");
+    expect(result.text).toContain("smart-recall");
+    expect(result.text).toContain("script-search");
+    expect(result.text).not.toContain("compound-insights");
+  });
+
   // system.agent.guidelines was removed — its content was redundant with worker/lead templates
 
   test("system.agent.system contains package info", () => {
@@ -240,6 +250,7 @@ describe("Session templates — composite resolution", () => {
 
     // Contains context_mode
     expect(result.text).toContain("Context Window Management");
+    expect(result.text).toContain("Pre-built Seed Scripts");
 
     // Guidelines template was removed (redundant with lead/worker templates)
 
@@ -275,6 +286,7 @@ describe("Session templates — composite resolution", () => {
 
     // Contains context_mode
     expect(result.text).toContain("Context Window Management");
+    expect(result.text).toContain("Pre-built Seed Scripts");
 
     // Guidelines template was removed (redundant with lead/worker templates)
 
@@ -309,6 +321,8 @@ describe("Session templates — composite resolution", () => {
     expect(workerResult.text).toContain("join-swarm");
     expect(leadResult.text).toContain("How You Are Built");
     expect(workerResult.text).toContain("How You Are Built");
+    expect(leadResult.text).toContain("Pre-built Seed Scripts");
+    expect(workerResult.text).toContain("Pre-built Seed Scripts");
 
     // Lead has lead content, not worker
     expect(leadResult.text).toContain("CRITICAL: You are a coordinator");
@@ -343,6 +357,7 @@ describe("Session templates — getBasePrompt integration", () => {
     expect(result).toContain("join-swarm");
     expect(result).toContain("store-progress");
     expect(result).toContain("How You Are Built");
+    expect(result).toContain("Pre-built Seed Scripts");
     expect(result).toContain("System packages available");
 
     // Conditional sections (services included by default)
@@ -365,8 +380,22 @@ describe("Session templates — getBasePrompt integration", () => {
     expect(result).toContain("your role is: lead");
     expect(result).toContain("integration-test-lead");
     expect(result).toContain("CRITICAL: You are a coordinator");
+    expect(result).toContain("Pre-built Seed Scripts");
 
     // Should NOT have worker content
     expect(result).not.toContain("task-action");
   });
+
+  test("getBasePrompt excludes seed_scripts for pi worker", async () => {
+    const { getBasePrompt } = await import("../prompts/base-prompt");
+    const result = await getBasePrompt({
+      role: "worker",
+      agentId: "integration-test-pi",
+      swarmUrl: "swarm.test.com",
+      provider: "pi",
+    });
+
+    expect(result).not.toContain("Pre-built Seed Scripts");
+    expect(result).not.toContain("task-context-gathering");
+  });
 });

package/src/tests/script-runs-http.test.ts

@@ -0,0 +1,278 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
+import { unlink } from "node:fs/promises";
+import type { IncomingMessage, ServerResponse } from "node:http";
+import { Readable } from "node:stream";
+import { closeDb, createAgent, getDb, initDb, updateScriptRun } from "../be/db";
+import { handleCore } from "../http/core";
+import { handleScriptRuns } from "../http/script-runs";
+import { getPathSegments, parseQueryParams } from "../http/utils";
+import { refreshSecretScrubberCache } from "../utils/secret-scrubber";
+
+const TEST_DB_PATH = "./test-script-runs-http.sqlite";
+const API_KEY = "test-script-runs-http-key-1234567890";
+
+let agentId: string;
+let savedEnv: NodeJS.ProcessEnv;
+
+async function removeDbFiles(path: string): Promise<void> {
+  for (const suffix of ["", "-wal", "-shm"]) {
+    try {
+      await unlink(path + suffix);
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code !== "ENOENT") throw error;
+    }
+  }
+}
+
+beforeAll(async () => {
+  savedEnv = { ...process.env };
+  await removeDbFiles(TEST_DB_PATH);
+  initDb(TEST_DB_PATH);
+  process.env.AGENT_SWARM_API_KEY = API_KEY;
+  process.env.APP_URL = "https://app.example.test";
+  process.env.SCRIPT_RUN_SUPERVISOR_DISABLE = "true";
+  delete process.env.API_KEY;
+  refreshSecretScrubberCache();
+
+  const agent = createAgent({ name: "script-runs-worker", isLead: false, status: "idle" });
+  agentId = agent.id;
+});
+
+afterAll(async () => {
+  closeDb();
+  await removeDbFiles(TEST_DB_PATH);
+  for (const key of Object.keys(process.env)) {
+    if (!(key in savedEnv)) delete process.env[key];
+  }
+  for (const [key, value] of Object.entries(savedEnv)) {
+    if (value === undefined) delete process.env[key];
+    else process.env[key] = value;
+  }
+  refreshSecretScrubberCache();
+});
+
+beforeEach(() => {
+  getDb().run("DELETE FROM script_run_journal");
+  getDb().run("DELETE FROM script_runs");
+  delete process.env.SCRIPT_RUN_CONCURRENCY_CAP;
+  delete process.env.SCRIPT_RUN_MAX_STEPS;
+  delete process.env.SCRIPT_RUN_MAX_AGENT_TASKS;
+  delete process.env.SCRIPT_RUN_MAX_WALL_MS;
+  process.env.SCRIPT_RUN_SUPERVISOR_DISABLE = "true";
+});
+
+type TestResponse = {
+  status: number;
+  text: string;
+  json: () => Promise<unknown>;
+};
+
+async function dispatch(
+  path: string,
+  init: RequestInit & { agentId?: string } = {},
+): Promise<TestResponse> {
+  const headers: Record<string, string> = {
+    Authorization: `Bearer ${API_KEY}`,
+    "Content-Type": "application/json",
+    ...((init.headers as Record<string, string>) ?? {}),
+  };
+  if (init.agentId !== undefined) headers["X-Agent-ID"] = init.agentId;
+  const req = Readable.from(init.body ? [Buffer.from(String(init.body))] : []) as IncomingMessage;
+  req.method = init.method ?? "GET";
+  req.url = path;
+  req.headers = Object.fromEntries(
+    Object.entries(headers).map(([key, value]) => [key.toLowerCase(), value]),
+  );
+
+  let status = 200;
+  let text = "";
+  const res = {
+    headersSent: false,
+    writableEnded: false,
+    setHeader() {},
+    writeHead(code: number) {
+      status = code;
+      this.headersSent = true;
+      return this;
+    },
+    end(chunk?: unknown) {
+      if (chunk !== undefined) text += String(chunk);
+      this.writableEnded = true;
+      return this;
+    },
+  } as unknown as ServerResponse;
+
+  const requestAgentId = req.headers["x-agent-id"] as string | undefined;
+  if (!(await handleCore(req, res, requestAgentId, API_KEY))) {
+    const pathSegments = getPathSegments(req.url || "");
+    const queryParams = parseQueryParams(req.url || "");
+    if (!(await handleScriptRuns(req, res, pathSegments, queryParams, requestAgentId))) {
+      res.writeHead(404);
+      res.end("Not Found");
+    }
+  }
+
+  return {
+    status,
+    text,
+    json: async () => JSON.parse(text),
+  };
+}
+
+function createBody(extra: Record<string, unknown> = {}): string {
+  return JSON.stringify({
+    source: "export default async function main() { return { ok: true }; }",
+    args: { ok: true },
+    ...extra,
+  });
+}
+
+describe("/api/script-runs HTTP", () => {
+  test("creates and lists a script run", async () => {
+    const created = await dispatch("/api/script-runs", {
+      method: "POST",
+      agentId,
+      body: createBody({ scriptName: "daily-report" }),
+    });
+    expect(created.status).toBe(201);
+    const body = (await created.json()) as { id: string; status: string; url: string };
+    expect(body.status).toBe("running");
+    expect(body.url).toBe(`https://app.example.test/script-runs/${body.id}`);
+
+    const listed = await dispatch("/api/script-runs", { agentId });
+    expect(listed.status).toBe(200);
+    const listBody = (await listed.json()) as { runs: Array<{ id: string }>; total: number };
+    expect(listBody.total).toBe(1);
+    expect(listBody.runs[0]?.id).toBe(body.id);
+  });
+
+  test("returns the existing run for an idempotency key", async () => {
+    const first = await dispatch("/api/script-runs", {
+      method: "POST",
+      agentId,
+      body: createBody({ idempotencyKey: "stable-key" }),
+    });
+    const firstBody = (await first.json()) as { id: string };
+
+    const second = await dispatch("/api/script-runs", {
+      method: "POST",
+      agentId,
+      body: createBody({ idempotencyKey: "stable-key" }),
+    });
+    expect(second.status).toBe(409);
+    const secondBody = (await second.json()) as { id: string };
+    expect(secondBody.id).toBe(firstBody.id);
+  });
+
+  test("rejects obvious literal labels inside loops before launch", async () => {
+    const rejected = await dispatch("/api/script-runs", {
+      method: "POST",
+      agentId,
+      body: createBody({
+        source:
+          'export default async function main(args, ctx) { for (const item of args.items) { await ctx.step.agentTask("process", { task: item.task }); } }',
+      }),
+    });
+    expect(rejected.status).toBe(400);
+    const body = (await rejected.json()) as { error: string; violations: Array<{ label: string }> };
+    expect(body.error).toBe("label_lint_violation");
+    expect(body.violations[0]?.label).toBe("process");
+  });
+
+  test("records and replays journal steps through internal routes", async () => {
+    const created = await dispatch("/api/script-runs", {
+      method: "POST",
+      agentId,
+      body: createBody(),
+    });
+    const { id } = (await created.json()) as { id: string };
+
+    const recorded = await dispatch(`/api/internal/script-runs/${id}/steps`, {
+      method: "POST",
+      agentId,
+      body: JSON.stringify({
+        stepKey: "summarize",
+        stepType: "raw-llm",
+        config: { prompt: "hello" },
+        status: "completed",
+        result: { text: "hi" },
+      }),
+    });
+    expect(recorded.status).toBe(201);
+
+    const replayed = await dispatch(`/api/internal/script-runs/${id}/steps/summarize`, {
+      agentId,
+    });
+    expect(replayed.status).toBe(200);
+    expect(await replayed.json()).toEqual({
+      stepKey: "summarize",
+      stepType: "raw-llm",
+      result: { text: "hi" },
+    });
+  });
+
+  test("aborts the run when the journal step cap is exceeded", async () => {
+    process.env.SCRIPT_RUN_MAX_STEPS = "1";
+    const created = await dispatch("/api/script-runs", {
+      method: "POST",
+      agentId,
+      body: createBody(),
+    });
+    const { id } = (await created.json()) as { id: string };
+
+    const first = await dispatch(`/api/internal/script-runs/${id}/steps`, {
+      method: "POST",
+      agentId,
+      body: JSON.stringify({
+        stepKey: "one",
+        stepType: "swarm-script",
+        status: "completed",
+        result: 1,
+      }),
+    });
+    expect(first.status).toBe(201);
+
+    const second = await dispatch(`/api/internal/script-runs/${id}/steps`, {
+      method: "POST",
+      agentId,
+      body: JSON.stringify({
+        stepKey: "two",
+        stepType: "swarm-script",
+        status: "completed",
+        result: 2,
+      }),
+    });
+    expect(second.status).toBe(429);
+
+    const detail = await dispatch(`/api/script-runs/${id}`, { agentId });
+    const body = (await detail.json()) as { run: { status: string; error?: string } };
+    expect(body.run.status).toBe("aborted_limit");
+    expect(body.run.error).toContain("SCRIPT_RUN_MAX_STEPS");
+  });
+
+  test("cancel leaves terminal script runs unchanged", async () => {
+    const created = await dispatch("/api/script-runs", {
+      method: "POST",
+      agentId,
+      body: createBody(),
+    });
+    const { id } = (await created.json()) as { id: string };
+    updateScriptRun(id, {
+      status: "failed",
+      pid: null,
+      finishedAt: new Date().toISOString(),
+      error: "original failure",
+    });
+
+    const cancelled = await dispatch(`/api/script-runs/${id}`, {
+      method: "DELETE",
+      agentId,
+    });
+    expect(cancelled.status).toBe(204);
+
+    const detail = await dispatch(`/api/script-runs/${id}`, { agentId });
+    const body = (await detail.json()) as { run: { status: string; error?: string } };
+    expect(body.run.status).toBe("failed");
+    expect(body.run.error).toBe("original failure");
+  });
+});