@glwhappen/web-code 1.32.0 → 1.32.2

package/server/modules/database/repositories/queued-messages.db.integration.test.ts

@@ -0,0 +1,84 @@
+import assert from 'node:assert/strict';
+import { mkdtemp, rm } from 'node:fs/promises';
+import { tmpdir } from 'node:os';
+import path from 'node:path';
+import test from 'node:test';
+
+import { closeConnection } from '@/modules/database/connection.js';
+import { initializeDatabase } from '@/modules/database/init-db.js';
+import { queuedMessagesDb } from '@/modules/database/repositories/queued-messages.db.js';
+import { sessionsDb } from '@/modules/database/repositories/sessions.db.js';
+import { userDb } from '@/modules/database/repositories/users.js';
+
+async function withIsolatedDatabase(
+  runTest: (userId: number) => void | Promise<void>,
+): Promise<void> {
+  const previousDatabasePath = process.env.DATABASE_PATH;
+  const tempDirectory = await mkdtemp(path.join(tmpdir(), 'queued-messages-db-'));
+  const databasePath = path.join(tempDirectory, 'auth.db');
+
+  closeConnection();
+  process.env.DATABASE_PATH = databasePath;
+  await initializeDatabase();
+
+  const created = userDb.createUser('test-user', 'hash');
+  const userId = Number(created.id);
+
+  try {
+    await runTest(userId);
+  } finally {
+    closeConnection();
+    if (previousDatabasePath === undefined) {
+      delete process.env.DATABASE_PATH;
+    } else {
+      process.env.DATABASE_PATH = previousDatabasePath;
+    }
+    await rm(tempDirectory, { recursive: true, force: true });
+  }
+}
+
+test('queuedMessagesDb persists queued messages in insertion order', async () => {
+  await withIsolatedDatabase((userId) => {
+    sessionsDb.createSession(userId, 'session-1', 'claude', '/workspace/demo-project', 'Demo');
+
+    const first = queuedMessagesDb.create(userId, 'session-1', {
+      provider: 'claude',
+      content: 'first queued prompt',
+      permissionMode: 'default',
+      model: 'claude-sonnet',
+    });
+    const second = queuedMessagesDb.create(userId, 'session-1', {
+      provider: 'codex',
+      content: 'second queued prompt',
+      permissionMode: 'auto',
+      model: 'gpt-5.2',
+    });
+
+    const messages = queuedMessagesDb.listBySession(userId, 'session-1');
+
+    assert.deepEqual(messages.map((message) => message.id), [first.id, second.id]);
+    assert.deepEqual(messages.map((message) => message.content), ['first queued prompt', 'second queued prompt']);
+  });
+});
+
+test('queuedMessagesDb updates and deletes individual queued messages', async () => {
+  await withIsolatedDatabase((userId) => {
+    sessionsDb.createSession(userId, 'session-1', 'claude', '/workspace/demo-project', 'Demo');
+    const message = queuedMessagesDb.create(userId, 'session-1', {
+      provider: 'claude',
+      content: 'old content',
+    });
+
+    const updated = queuedMessagesDb.update(userId, 'session-1', message.id, {
+      content: 'new content',
+      permissionMode: 'acceptEdits',
+      metadata: { source: 'test' },
+    });
+
+    assert.equal(updated?.content, 'new content');
+    assert.equal(updated?.permissionMode, 'acceptEdits');
+    assert.deepEqual(updated?.metadata, { source: 'test' });
+    assert.equal(queuedMessagesDb.delete(userId, 'session-1', message.id), true);
+    assert.deepEqual(queuedMessagesDb.listBySession(userId, 'session-1'), []);
+  });
+});

package/server/modules/database/repositories/queued-messages.db.ts

@@ -0,0 +1,154 @@
+import { randomUUID } from 'node:crypto';
+
+import { getConnection } from '@/modules/database/connection.js';
+
+export type QueuedMessageRow = {
+  id: string;
+  user_id: number;
+  session_id: string;
+  provider: string;
+  content: string;
+  permission_mode: string | null;
+  model: string | null;
+  metadata_json: string | null;
+  created_at: string;
+  updated_at: string;
+};
+
+export type QueuedMessage = {
+  id: string;
+  userId: number;
+  sessionId: string;
+  provider: string;
+  content: string;
+  permissionMode: string | null;
+  model: string | null;
+  metadata: unknown;
+  createdAt: string;
+  updatedAt: string;
+};
+
+type CreateQueuedMessageInput = {
+  provider: string;
+  content: string;
+  permissionMode?: string | null;
+  model?: string | null;
+  metadata?: unknown;
+};
+
+type UpdateQueuedMessageInput = Partial<Pick<CreateQueuedMessageInput, 'content' | 'permissionMode' | 'model' | 'metadata'>>;
+
+function serializeMetadata(metadata: unknown): string | null {
+  if (metadata === undefined || metadata === null) {
+    return null;
+  }
+  return JSON.stringify(metadata);
+}
+
+function parseMetadata(metadataJson: string | null): unknown {
+  if (!metadataJson) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(metadataJson);
+  } catch {
+    return null;
+  }
+}
+
+function mapQueuedMessage(row: QueuedMessageRow): QueuedMessage {
+  return {
+    id: row.id,
+    userId: row.user_id,
+    sessionId: row.session_id,
+    provider: row.provider,
+    content: row.content,
+    permissionMode: row.permission_mode,
+    model: row.model,
+    metadata: parseMetadata(row.metadata_json),
+    createdAt: row.created_at,
+    updatedAt: row.updated_at,
+  };
+}
+
+export const queuedMessagesDb = {
+  listBySession(userId: number, sessionId: string): QueuedMessage[] {
+    const db = getConnection();
+    const rows = db
+      .prepare(
+        `SELECT id, user_id, session_id, provider, content, permission_mode, model, metadata_json, created_at, updated_at
+         FROM queued_messages
+         WHERE user_id = ? AND session_id = ?
+         ORDER BY rowid ASC`
+      )
+      .all(userId, sessionId) as QueuedMessageRow[];
+
+    return rows.map(mapQueuedMessage);
+  },
+
+  create(userId: number, sessionId: string, input: CreateQueuedMessageInput): QueuedMessage {
+    const db = getConnection();
+    const id = randomUUID();
+    db.prepare(
+      `INSERT INTO queued_messages (id, user_id, session_id, provider, content, permission_mode, model, metadata_json)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+    ).run(
+      id,
+      userId,
+      sessionId,
+      input.provider,
+      input.content,
+      input.permissionMode ?? null,
+      input.model ?? null,
+      serializeMetadata(input.metadata),
+    );
+
+    return this.getById(userId, sessionId, id)!;
+  },
+
+  getById(userId: number, sessionId: string, id: string): QueuedMessage | null {
+    const db = getConnection();
+    const row = db
+      .prepare(
+        `SELECT id, user_id, session_id, provider, content, permission_mode, model, metadata_json, created_at, updated_at
+         FROM queued_messages
+         WHERE user_id = ? AND session_id = ? AND id = ?
+         LIMIT 1`
+      )
+      .get(userId, sessionId, id) as QueuedMessageRow | undefined;
+
+    return row ? mapQueuedMessage(row) : null;
+  },
+
+  update(userId: number, sessionId: string, id: string, input: UpdateQueuedMessageInput): QueuedMessage | null {
+    const existing = this.getById(userId, sessionId, id);
+    if (!existing) {
+      return null;
+    }
+
+    const db = getConnection();
+    db.prepare(
+      `UPDATE queued_messages
+       SET content = ?, permission_mode = ?, model = ?, metadata_json = ?, updated_at = CURRENT_TIMESTAMP
+       WHERE user_id = ? AND session_id = ? AND id = ?`
+    ).run(
+      input.content ?? existing.content,
+      input.permissionMode ?? existing.permissionMode,
+      input.model ?? existing.model,
+      input.metadata === undefined ? serializeMetadata(existing.metadata) : serializeMetadata(input.metadata),
+      userId,
+      sessionId,
+      id,
+    );
+
+    return this.getById(userId, sessionId, id);
+  },
+
+  delete(userId: number, sessionId: string, id: string): boolean {
+    const db = getConnection();
+    return db
+      .prepare('DELETE FROM queued_messages WHERE user_id = ? AND session_id = ? AND id = ?')
+      .run(userId, sessionId, id).changes > 0;
+  },
+};

package/server/modules/database/schema.ts

@@ -102,6 +102,22 @@ CREATE TABLE IF NOT EXISTS sessions (
 );
 `;
 
+export const QUEUED_MESSAGES_TABLE_SCHEMA_SQL = `
+CREATE TABLE IF NOT EXISTS queued_messages (
+    id TEXT PRIMARY KEY NOT NULL,
+    user_id INTEGER NOT NULL,
+    session_id TEXT NOT NULL,
+    provider TEXT NOT NULL,
+    content TEXT NOT NULL,
+    permission_mode TEXT,
+    model TEXT,
+    metadata_json TEXT,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+);
+`;
+
 export const LAST_SCANNED_AT_SQL = `
 CREATE TABLE IF NOT EXISTS scan_state (
   id INTEGER PRIMARY KEY CHECK (id = 1),
@@ -153,6 +169,9 @@ CREATE INDEX IF NOT EXISTS idx_session_ids_lookup ON sessions(session_id);
 -- NOTE: This index is created in migrations after sessions is rebuilt to include project_path.
 -- Creating it here can fail on upgraded installs where the legacy sessions table has no project_path.
 
+${QUEUED_MESSAGES_TABLE_SCHEMA_SQL}
+CREATE INDEX IF NOT EXISTS idx_queued_messages_session ON queued_messages(user_id, session_id, created_at);
+
 ${LAST_SCANNED_AT_SQL}
 
 ${APP_CONFIG_TABLE_SCHEMA_SQL}

package/server/modules/projects/index.ts

@@ -1,3 +1,6 @@
+export {
+  assertUserOwnsProjectPath,
+} from './services/project-authorization.service.js';
 export {
   generateDisplayName,
   getProjectsWithSessions,

package/server/modules/projects/projects.routes.ts

@@ -12,6 +12,7 @@ const router = express.Router();
 
 type AuthenticatedUser = {
   id?: number | string;
+  username?: string;
 };
 
 function getAuthenticatedUserId(req: express.Request): number {
@@ -33,6 +34,18 @@ function getAuthenticatedUserId(req: express.Request): number {
   return numericId;
 }
 
+function getAuthenticatedUsername(req: express.Request): string {
+  const authenticatedUser = (req as typeof req & { user?: AuthenticatedUser }).user;
+  const username = authenticatedUser?.username;
+  if (typeof username !== 'string' || username.length === 0) {
+    throw new AppError('Authenticated user is required', {
+      code: 'AUTHENTICATION_REQUIRED',
+      statusCode: 401,
+    });
+  }
+  return username;
+}
+
 function readQueryStringValue(value: unknown): string {
   if (typeof value === 'string') {
     return value;
@@ -138,6 +151,7 @@ router.post(
 
     const projectCreationResult = await createProject({
       userId: getAuthenticatedUserId(req),
+      username: getAuthenticatedUsername(req),
       projectPath,
       customName,
     });
@@ -203,6 +217,7 @@ router.get('/clone-progress', async (req, res) => {
         statusCode: 401,
       });
     }
+    const username = getAuthenticatedUsername(req);
     cloneOperation = await startCloneProject(
       {
         workspacePath,
@@ -210,6 +225,7 @@ router.get('/clone-progress', async (req, res) => {
         githubTokenId,
         newGithubToken,
         userId,
+        username,
       },
       {
         onProgress: (message) => {

package/server/modules/projects/services/project-authorization.service.ts

@@ -0,0 +1,70 @@
+import { projectsDb } from '@/modules/database/index.js';
+import { AppError, normalizeProjectPath } from '@/shared/utils.js';
+
+type AuthorizationDependencies = {
+  getProjectPath: (userId: number, projectPath: string) => unknown;
+};
+
+const defaultDependencies: AuthorizationDependencies = {
+  getProjectPath: projectsDb.getProjectPath.bind(projectsDb),
+};
+
+function coerceNumericUserId(userId: unknown): number {
+  if (userId === null || userId === undefined) {
+    throw new AppError('Authenticated user is required', {
+      code: 'AUTHENTICATION_REQUIRED',
+      statusCode: 401,
+    });
+  }
+
+  const numericId = typeof userId === 'number' ? userId : Number.parseInt(String(userId), 10);
+  if (Number.isNaN(numericId)) {
+    throw new AppError('Authenticated user is required', {
+      code: 'AUTHENTICATION_REQUIRED',
+      statusCode: 401,
+    });
+  }
+
+  return numericId;
+}
+
+/**
+ * Confirms that `requestedPath` is a project registered to `userId`, and
+ * returns its canonical (normalized) form.
+ *
+ * Use this anywhere the server is about to act on a path supplied over the
+ * wire — spawn a CLI, register a clone target, etc. — so a user with a valid
+ * session cannot pivot to another user's project simply by knowing its path.
+ */
+export function assertUserOwnsProjectPath(
+  userId: unknown,
+  requestedPath: unknown,
+  dependencies: AuthorizationDependencies = defaultDependencies,
+): string {
+  const numericUserId = coerceNumericUserId(userId);
+
+  if (typeof requestedPath !== 'string' || requestedPath.trim().length === 0) {
+    throw new AppError('A project path is required', {
+      code: 'PROJECT_PATH_REQUIRED',
+      statusCode: 400,
+    });
+  }
+
+  const normalized = normalizeProjectPath(requestedPath);
+  if (!normalized) {
+    throw new AppError('A project path is required', {
+      code: 'PROJECT_PATH_REQUIRED',
+      statusCode: 400,
+    });
+  }
+
+  const project = dependencies.getProjectPath(numericUserId, normalized);
+  if (!project) {
+    throw new AppError('The requested path is not a project owned by the authenticated user', {
+      code: 'PROJECT_NOT_OWNED_BY_USER',
+      statusCode: 403,
+    });
+  }
+
+  return normalized;
+}

package/server/modules/projects/services/project-clone.service.ts

@@ -5,7 +5,7 @@ import path from 'node:path';
 import { githubTokensDb } from '@/modules/database/index.js';
 import { createProject } from '@/modules/projects/services/project-management.service.js';
 import type { WorkspacePathValidationResult } from '@/shared/types.js';
-import { AppError, validateWorkspacePath } from '@/shared/utils.js';
+import { AppError, ensureUserWorkspaceRoot, validateWorkspacePath } from '@/shared/utils.js';
 
 type CloneProjectInput = {
   workspacePath: string;
@@ -13,6 +13,7 @@ type CloneProjectInput = {
   githubTokenId?: number | null;
   newGithubToken?: string | null;
   userId: number | string;
+  username: string;
 };
 
 type CloneCompletePayload = {
@@ -34,8 +35,9 @@ type GitCloneProcess = {
 };
 
 type CloneProjectDependencies = {
-  validatePath: (requestedPath: string) => Promise<WorkspacePathValidationResult>;
+  validatePath: (requestedPath: string, workspaceRoot: string) => Promise<WorkspacePathValidationResult>;
   ensureDirectory: (directoryPath: string) => Promise<void>;
+  resolveUserWorkspaceRoot: (username: string) => Promise<string>;
   pathExists: (targetPath: string) => Promise<boolean>;
   removePath: (targetPath: string) => Promise<void>;
   getGithubTokenById: (
@@ -45,6 +47,7 @@ type CloneProjectDependencies = {
   spawnGitClone: (cloneUrl: string, clonePath: string) => GitCloneProcess;
   registerProject: (
     userId: number,
+    username: string,
     projectPath: string,
     customName: string,
   ) => Promise<{ project: Record<string, unknown> }>;
@@ -115,6 +118,7 @@ const defaultDependencies: CloneProjectDependencies = {
   ensureDirectory: async (directoryPath: string): Promise<void> => {
     await mkdir(directoryPath, { recursive: true });
   },
+  resolveUserWorkspaceRoot: ensureUserWorkspaceRoot,
   pathExists: defaultPathExists,
   removePath: async (targetPath: string): Promise<void> => {
     await rm(targetPath, { recursive: true, force: true });
@@ -138,11 +142,13 @@ const defaultDependencies: CloneProjectDependencies = {
     }) as unknown as GitCloneProcess,
   registerProject: async (
     userId: number,
+    username: string,
     projectPath: string,
     customName: string,
   ): Promise<{ project: Record<string, unknown> }> =>
     createProject({
       userId,
+      username,
       projectPath,
       customName,
     }) as Promise<{ project: Record<string, unknown> }>,
@@ -180,7 +186,15 @@ export async function startCloneProject(
     });
   }
 
-  const pathValidation = await dependencies.validatePath(normalizedWorkspacePath);
+  if (!input.username || typeof input.username !== 'string') {
+    throw new AppError('Authenticated user is required', {
+      code: 'AUTHENTICATION_REQUIRED',
+      statusCode: 401,
+    });
+  }
+
+  const userWorkspaceRoot = await dependencies.resolveUserWorkspaceRoot(input.username);
+  const pathValidation = await dependencies.validatePath(normalizedWorkspacePath, userWorkspaceRoot);
   if (!pathValidation.valid || !pathValidation.resolvedPath) {
     throw new AppError(pathValidation.error || 'Invalid workspace path', {
       code: 'INVALID_PROJECT_PATH',
@@ -264,7 +278,7 @@ export async function startCloneProject(
     gitProcess.on('close', async (code) => {
       if (code === 0) {
         try {
-          const createdProject = await dependencies.registerProject(numericUserId, clonePath, repoName);
+          const createdProject = await dependencies.registerProject(numericUserId, input.username, clonePath, repoName);
           handlers.onComplete({
             project: createdProject.project,
             message: 'Repository cloned successfully',

package/server/modules/projects/services/project-management.service.ts

@@ -7,17 +7,24 @@ import type {
   ProjectRepositoryRow,
   WorkspacePathValidationResult,
 } from '@/shared/types.js';
-import { AppError, normalizeProjectPath, validateWorkspacePath } from '@/shared/utils.js';
+import {
+  AppError,
+  ensureUserWorkspaceRoot,
+  normalizeProjectPath,
+  validateWorkspacePath,
+} from '@/shared/utils.js';
 
 type CreateProjectInput = {
   userId: number;
+  username: string;
   projectPath: string;
   customName?: string | null;
 };
 
 type CreateProjectDependencies = {
-  validatePath: (projectPath: string) => Promise<WorkspacePathValidationResult>;
+  validatePath: (projectPath: string, workspaceRoot: string) => Promise<WorkspacePathValidationResult>;
   ensureWorkspaceDirectory: (projectPath: string) => Promise<void>;
+  resolveUserWorkspaceRoot: (username: string) => Promise<string>;
   persistProjectPath: (userId: number, projectPath: string, customName: string | null) => CreateProjectPathResult;
   getProjectByPath: (userId: number, projectPath: string) => ProjectRepositoryRow | null;
 };
@@ -57,6 +64,7 @@ const defaultDependencies: CreateProjectDependencies = {
       });
     }
   },
+  resolveUserWorkspaceRoot: ensureUserWorkspaceRoot,
   persistProjectPath: (userId: number, projectPath: string, customName: string | null): CreateProjectPathResult =>
     projectsDb.createProjectPath(userId, projectPath, customName),
   getProjectByPath: (userId: number, projectPath: string): ProjectRepositoryRow | null =>
@@ -111,7 +119,8 @@ export async function createProject(
     });
   }
 
-  const pathValidation = await dependencies.validatePath(normalizedPath);
+  const userWorkspaceRoot = await dependencies.resolveUserWorkspaceRoot(input.username);
+  const pathValidation = await dependencies.validatePath(normalizedPath, userWorkspaceRoot);
   if (!pathValidation.valid || !pathValidation.resolvedPath) {
     throw new AppError('Invalid project path', {
       code: 'INVALID_PROJECT_PATH',

package/server/modules/projects/tests/project-authorization.service.test.ts

@@ -0,0 +1,68 @@
+import assert from 'node:assert/strict';
+import test from 'node:test';
+
+import { assertUserOwnsProjectPath } from '@/modules/projects/services/project-authorization.service.js';
+import { AppError } from '@/shared/utils.js';
+
+const TEST_USER_ID = 7;
+const OWNED_PATH = '/workspace/tester/my-project';
+
+function buildDependencies(found: boolean) {
+  return {
+    getProjectPath: () => (found ? { project_id: 'p1' } : null),
+  };
+}
+
+test('assertUserOwnsProjectPath returns the normalized path when the user owns it', () => {
+  const result = assertUserOwnsProjectPath(TEST_USER_ID, `${OWNED_PATH}/`, buildDependencies(true));
+  assert.equal(result, OWNED_PATH);
+});
+
+test('assertUserOwnsProjectPath throws AUTHENTICATION_REQUIRED when userId is missing', () => {
+  assert.throws(
+    () => assertUserOwnsProjectPath(undefined, OWNED_PATH, buildDependencies(true)),
+    (error: unknown) => {
+      assert.ok(error instanceof AppError);
+      assert.equal(error.code, 'AUTHENTICATION_REQUIRED');
+      assert.equal(error.statusCode, 401);
+      return true;
+    },
+  );
+});
+
+test('assertUserOwnsProjectPath throws PROJECT_PATH_REQUIRED when path is blank', () => {
+  assert.throws(
+    () => assertUserOwnsProjectPath(TEST_USER_ID, '   ', buildDependencies(true)),
+    (error: unknown) => {
+      assert.ok(error instanceof AppError);
+      assert.equal(error.code, 'PROJECT_PATH_REQUIRED');
+      assert.equal(error.statusCode, 400);
+      return true;
+    },
+  );
+});
+
+test('assertUserOwnsProjectPath throws PROJECT_NOT_OWNED_BY_USER when the project is not registered for the user', () => {
+  assert.throws(
+    () => assertUserOwnsProjectPath(TEST_USER_ID, OWNED_PATH, buildDependencies(false)),
+    (error: unknown) => {
+      assert.ok(error instanceof AppError);
+      assert.equal(error.code, 'PROJECT_NOT_OWNED_BY_USER');
+      assert.equal(error.statusCode, 403);
+      return true;
+    },
+  );
+});
+
+test('assertUserOwnsProjectPath coerces stringified userIds', () => {
+  let receivedUserId: number | null = null;
+  const dependencies = {
+    getProjectPath: (userId: number) => {
+      receivedUserId = userId;
+      return { project_id: 'p1' };
+    },
+  };
+
+  assertUserOwnsProjectPath('42', OWNED_PATH, dependencies);
+  assert.equal(receivedUserId, 42);
+});

package/server/modules/projects/tests/project-clone.service.test.ts

@@ -13,6 +13,7 @@ function buildDependencies(overrides: Partial<NonNullable<TestDependencies>> = {
   return {
     validatePath: async () => ({ valid: true, resolvedPath: '/workspace/root' }),
     ensureDirectory: async () => undefined,
+    resolveUserWorkspaceRoot: async () => '/workspace/root',
     pathExists: async () => false,
     removePath: async () => undefined,
     getGithubTokenById: async () => ({ github_token: 'token-value' }),
@@ -49,6 +50,7 @@ test('startCloneProject rejects when workspace path is missing', async () => {
           workspacePath: '',
           githubUrl: 'https://github.com/example/repo',
           userId: 1,
+          username: 'tester',
         },
         {
           onProgress: () => undefined,
@@ -72,6 +74,7 @@ test('startCloneProject rejects when github URL is missing', async () => {
           workspacePath: '/workspace/root',
           githubUrl: '',
           userId: 1,
+          username: 'tester',
         },
         {
           onProgress: () => undefined,
@@ -95,6 +98,7 @@ test('startCloneProject rejects github URL values that begin with option prefixe
           workspacePath: '/workspace/root',
           githubUrl: '--upload-pack=malicious',
           userId: 1,
+          username: 'tester',
         },
         {
           onProgress: () => undefined,
@@ -119,6 +123,7 @@ test('startCloneProject rejects when selected github token does not exist', asyn
           githubUrl: 'https://github.com/example/repo',
           githubTokenId: 12,
           userId: 1,
+          username: 'tester',
         },
         {
           onProgress: () => undefined,
@@ -144,11 +149,14 @@ test('startCloneProject completes and emits complete payload when git exits succ
   let capturedProjectPath = '';
   let capturedCustomName = '';
 
+  let capturedUsername = '';
+
   const operation = await startCloneProject(
     {
       workspacePath: '/workspace/root',
       githubUrl: 'https://github.com/example/repo.git',
       userId: 1,
+      username: 'tester',
     },
     {
       onProgress: (message) => {
@@ -160,8 +168,9 @@ test('startCloneProject completes and emits complete payload when git exits succ
     },
     buildDependencies({
       spawnGitClone: () => gitProcess as any,
-      registerProject: async (userId, projectPath, customName) => {
+      registerProject: async (userId, username, projectPath, customName) => {
         capturedUserId = userId;
+        capturedUsername = username;
         capturedProjectPath = projectPath;
         capturedCustomName = customName;
         return { project: { projectId: 'project-1', path: projectPath } };
@@ -174,6 +183,7 @@ test('startCloneProject completes and emits complete payload when git exits succ
 
   assert.ok(progressMessages.some((message) => message.includes("Cloning into 'repo'")));
   assert.equal(capturedUserId, 1);
+  assert.equal(capturedUsername, 'tester');
   assert.equal(capturedCustomName, 'repo');
   assert.equal(path.basename(capturedProjectPath), 'repo');
   assert.notEqual(completePayload, null);