npm - @hellcoder/companion - Versions diffs - 0.96.0 - Mend

@hellcoder/companion 0.96.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (242) hide show

package/bin/cli.ts +168 -0
package/bin/ctl.ts +528 -0
package/bin/generate-token.ts +28 -0
package/dist/apple-touch-icon.png +0 -0
package/dist/assets/AgentsPage-DCFhrJ28.js +13 -0
package/dist/assets/CronManager-EGwLJONv.js +1 -0
package/dist/assets/IntegrationsPage-CTMRnbQS.js +1 -0
package/dist/assets/LinearOAuthSettingsPage-CgQFMIgr.js +1 -0
package/dist/assets/LinearSettingsPage-C9nok1qi.js +1 -0
package/dist/assets/Playground-BV3k0RbV.js +109 -0
package/dist/assets/PromptsPage-CFojqNKP.js +4 -0
package/dist/assets/RunsPage-DUJ1QUSa.js +1 -0
package/dist/assets/SandboxManager-CrVQ-VU_.js +8 -0
package/dist/assets/SettingsPage-D1fPCL19.js +1 -0
package/dist/assets/TailscalePage-D06cyvyC.js +1 -0
package/dist/assets/index-BhUa1e6X.css +1 -0
package/dist/assets/index-DkqeP-R9.js +134 -0
package/dist/assets/sw-register-BibwRdvC.js +1 -0
package/dist/assets/workbox-window.prod.es5-BIl4cyR9.js +2 -0
package/dist/favicon.svg +8 -0
package/dist/fonts/MesloLGSNerdFontMono-Bold.woff2 +0 -0
package/dist/fonts/MesloLGSNerdFontMono-Regular.woff2 +0 -0
package/dist/icon-192.png +0 -0
package/dist/icon-512.png +0 -0
package/dist/index.html +20 -0
package/dist/logo-codex.svg +14 -0
package/dist/logo-docker.svg +4 -0
package/dist/logo.svg +14 -0
package/dist/manifest.json +24 -0
package/dist/sw.js +2 -0
package/package.json +104 -0
package/server/agent-cron-migrator.test.ts +610 -0
package/server/agent-cron-migrator.ts +85 -0
package/server/agent-executor.test.ts +1108 -0
package/server/agent-executor.ts +346 -0
package/server/agent-store.test.ts +588 -0
package/server/agent-store.ts +185 -0
package/server/agent-types.ts +138 -0
package/server/ai-validation-settings.test.ts +128 -0
package/server/ai-validation-settings.ts +35 -0
package/server/ai-validator.test.ts +387 -0
package/server/ai-validator.ts +271 -0
package/server/auth-manager.test.ts +83 -0
package/server/auth-manager.ts +150 -0
package/server/auto-namer.test.ts +252 -0
package/server/auto-namer.ts +78 -0
package/server/backend-adapter.test.ts +38 -0
package/server/backend-adapter.ts +54 -0
package/server/cache-headers.test.ts +98 -0
package/server/cache-headers.ts +61 -0
package/server/claude-adapter.test.ts +1363 -0
package/server/claude-adapter.ts +889 -0
package/server/claude-container-auth.test.ts +44 -0
package/server/claude-container-auth.ts +30 -0
package/server/claude-protocol-contract.test.ts +71 -0
package/server/claude-protocol-drift.test.ts +78 -0
package/server/claude-session-discovery.test.ts +132 -0
package/server/claude-session-discovery.ts +157 -0
package/server/claude-session-history.test.ts +158 -0
package/server/claude-session-history.ts +410 -0
package/server/cli-launcher.test.ts +1343 -0
package/server/cli-launcher.ts +1298 -0
package/server/cli.test.ts +16 -0
package/server/codex-adapter.test.ts +5545 -0
package/server/codex-adapter.ts +3062 -0
package/server/codex-container-auth.test.ts +50 -0
package/server/codex-container-auth.ts +24 -0
package/server/codex-home.test.ts +61 -0
package/server/codex-home.ts +26 -0
package/server/codex-protocol-contract.test.ts +96 -0
package/server/codex-protocol-drift.test.ts +123 -0
package/server/codex-ws-proxy.cjs +226 -0
package/server/commands-discovery.test.ts +179 -0
package/server/commands-discovery.ts +81 -0
package/server/constants.ts +7 -0
package/server/container-manager.test.ts +1211 -0
package/server/container-manager.ts +1053 -0
package/server/cron-scheduler.test.ts +957 -0
package/server/cron-scheduler.ts +243 -0
package/server/cron-store.test.ts +422 -0
package/server/cron-store.ts +148 -0
package/server/cron-types.ts +63 -0
package/server/env-manager.test.ts +268 -0
package/server/env-manager.ts +161 -0
package/server/event-bus-types.ts +64 -0
package/server/event-bus.test.ts +244 -0
package/server/event-bus.ts +124 -0
package/server/execution-store.test.ts +307 -0
package/server/execution-store.ts +170 -0
package/server/fs-utils.ts +15 -0
package/server/git-utils.test.ts +938 -0
package/server/git-utils.ts +421 -0
package/server/github-pr.test.ts +498 -0
package/server/github-pr.ts +379 -0
package/server/image-pull-manager.test.ts +303 -0
package/server/image-pull-manager.ts +279 -0
package/server/index.ts +396 -0
package/server/linear-agent-bridge.test.ts +1157 -0
package/server/linear-agent-bridge.ts +629 -0
package/server/linear-agent.test.ts +473 -0
package/server/linear-agent.ts +479 -0
package/server/linear-cache.test.ts +136 -0
package/server/linear-cache.ts +113 -0
package/server/linear-connections.test.ts +350 -0
package/server/linear-connections.ts +231 -0
package/server/linear-credential-migration.test.ts +337 -0
package/server/linear-credential-migration.ts +63 -0
package/server/linear-oauth-connections-migration.test.ts +268 -0
package/server/linear-oauth-connections.test.ts +365 -0
package/server/linear-oauth-connections.ts +294 -0
package/server/linear-project-manager.test.ts +162 -0
package/server/linear-project-manager.ts +111 -0
package/server/linear-prompt-builder.test.ts +74 -0
package/server/linear-prompt-builder.ts +61 -0
package/server/linear-staging.test.ts +276 -0
package/server/linear-staging.ts +142 -0
package/server/logger.test.ts +393 -0
package/server/logger.ts +259 -0
package/server/metrics-collector.test.ts +413 -0
package/server/metrics-collector.ts +350 -0
package/server/metrics-types.ts +108 -0
package/server/middleware/managed-auth.test.ts +264 -0
package/server/middleware/managed-auth.ts +195 -0
package/server/novnc-proxy.test.ts +333 -0
package/server/novnc-proxy.ts +99 -0
package/server/path-resolver.test.ts +552 -0
package/server/path-resolver.ts +186 -0
package/server/paths.test.ts +31 -0
package/server/paths.ts +11 -0
package/server/pr-poller.test.ts +191 -0
package/server/pr-poller.ts +162 -0
package/server/prompt-manager.test.ts +211 -0
package/server/prompt-manager.ts +211 -0
package/server/protocol/claude-upstream/README.md +19 -0
package/server/protocol/claude-upstream/sdk.d.ts.txt +1943 -0
package/server/protocol/codex-upstream/ClientNotification.ts.txt +5 -0
package/server/protocol/codex-upstream/ClientRequest.ts.txt +60 -0
package/server/protocol/codex-upstream/README.md +18 -0
package/server/protocol/codex-upstream/ServerNotification.ts.txt +41 -0
package/server/protocol/codex-upstream/ServerRequest.ts.txt +16 -0
package/server/protocol/codex-upstream/v2/DynamicToolCallParams.ts.txt +6 -0
package/server/protocol/codex-upstream/v2/DynamicToolCallResponse.ts.txt +6 -0
package/server/protocol-monitor.ts +50 -0
package/server/recorder.test.ts +454 -0
package/server/recorder.ts +374 -0
package/server/recording-hub/compat-validator.test.ts +150 -0
package/server/recording-hub/compat-validator.ts +284 -0
package/server/recording-hub/diagnostics.test.ts +140 -0
package/server/recording-hub/diagnostics.ts +299 -0
package/server/recording-hub/hub-config.test.ts +44 -0
package/server/recording-hub/hub-config.ts +19 -0
package/server/recording-hub/hub-routes.test.ts +417 -0
package/server/recording-hub/hub-routes.ts +236 -0
package/server/recording-hub/hub-store.test.ts +262 -0
package/server/recording-hub/hub-store.ts +265 -0
package/server/recording-hub/replay-adapter.test.ts +294 -0
package/server/recording-hub/replay-adapter.ts +207 -0
package/server/relay-client.test.ts +337 -0
package/server/relay-client.ts +320 -0
package/server/replay.test.ts +200 -0
package/server/replay.ts +78 -0
package/server/routes/agent-routes.test.ts +1400 -0
package/server/routes/agent-routes.ts +409 -0
package/server/routes/cron-routes.test.ts +881 -0
package/server/routes/cron-routes.ts +103 -0
package/server/routes/env-routes.test.ts +383 -0
package/server/routes/env-routes.ts +95 -0
package/server/routes/fs-routes.test.ts +1198 -0
package/server/routes/fs-routes.ts +605 -0
package/server/routes/git-routes.test.ts +813 -0
package/server/routes/git-routes.ts +97 -0
package/server/routes/linear-agent-routes.test.ts +721 -0
package/server/routes/linear-agent-routes.ts +304 -0
package/server/routes/linear-connection-routes.test.ts +927 -0
package/server/routes/linear-connection-routes.ts +244 -0
package/server/routes/linear-oauth-connection-routes.test.ts +406 -0
package/server/routes/linear-oauth-connection-routes.ts +129 -0
package/server/routes/linear-routes.test.ts +1510 -0
package/server/routes/linear-routes.ts +953 -0
package/server/routes/metrics-routes.test.ts +103 -0
package/server/routes/metrics-routes.ts +13 -0
package/server/routes/prompt-routes.ts +67 -0
package/server/routes/sandbox-routes.test.ts +513 -0
package/server/routes/sandbox-routes.ts +127 -0
package/server/routes/settings-routes.ts +270 -0
package/server/routes/skills-routes.test.ts +690 -0
package/server/routes/skills-routes.ts +100 -0
package/server/routes/system-routes.test.ts +637 -0
package/server/routes/system-routes.ts +228 -0
package/server/routes/tailscale-routes.test.ts +176 -0
package/server/routes/tailscale-routes.ts +22 -0
package/server/routes.test.ts +4655 -0
package/server/routes.ts +1277 -0
package/server/sandbox-manager.test.ts +378 -0
package/server/sandbox-manager.ts +168 -0
package/server/service.test.ts +1419 -0
package/server/service.ts +718 -0
package/server/session-creation-service.test.ts +661 -0
package/server/session-creation-service.ts +473 -0
package/server/session-git-info.ts +104 -0
package/server/session-linear-issues.test.ts +118 -0
package/server/session-linear-issues.ts +88 -0
package/server/session-names.test.ts +94 -0
package/server/session-names.ts +67 -0
package/server/session-orchestrator.test.ts +1784 -0
package/server/session-orchestrator.ts +973 -0
package/server/session-state-machine.test.ts +606 -0
package/server/session-state-machine.ts +207 -0
package/server/session-store.test.ts +290 -0
package/server/session-store.ts +146 -0
package/server/session-types.ts +509 -0
package/server/settings-manager.test.ts +275 -0
package/server/settings-manager.ts +173 -0
package/server/tailscale-manager.test.ts +553 -0
package/server/tailscale-manager.ts +451 -0
package/server/terminal-manager.ts +240 -0
package/server/update-checker.test.ts +306 -0
package/server/update-checker.ts +197 -0
package/server/usage-limits.test.ts +536 -0
package/server/usage-limits.ts +225 -0
package/server/worktree-tracker.test.ts +243 -0
package/server/worktree-tracker.ts +84 -0
package/server/ws-auth.test.ts +59 -0
package/server/ws-auth.ts +41 -0
package/server/ws-bridge-browser-ingest.test.ts +272 -0
package/server/ws-bridge-browser-ingest.ts +72 -0
package/server/ws-bridge-browser.ts +112 -0
package/server/ws-bridge-cli-ingest.test.ts +302 -0
package/server/ws-bridge-cli-ingest.ts +81 -0
package/server/ws-bridge-codex.test.ts +1837 -0
package/server/ws-bridge-codex.ts +266 -0
package/server/ws-bridge-controls.test.ts +124 -0
package/server/ws-bridge-controls.ts +20 -0
package/server/ws-bridge-persist.test.ts +296 -0
package/server/ws-bridge-persist.ts +66 -0
package/server/ws-bridge-publish.test.ts +234 -0
package/server/ws-bridge-publish.ts +79 -0
package/server/ws-bridge-replay.test.ts +44 -0
package/server/ws-bridge-replay.ts +61 -0
package/server/ws-bridge-types.ts +106 -0
package/server/ws-bridge.test.ts +4777 -0
package/server/ws-bridge.ts +1279 -0

package/server/usage-limits.test.ts ADDED Viewed

@@ -0,0 +1,536 @@
+import { mkdtempSync, rmSync, mkdirSync, writeFileSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { tmpdir } from "node:os";
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+// ---------------------------------------------------------------------------
+// Mocks
+// ---------------------------------------------------------------------------
+const mockExecSync = vi.hoisted(() => vi.fn());
+const mockExecFileSync = vi.hoisted(() => vi.fn());
+vi.mock("node:child_process", () => ({
+  execSync: mockExecSync,
+  execFileSync: mockExecFileSync,
+}));
+// Mock global fetch at the module level (persists across tests)
+const mockFetch = vi.fn();
+globalThis.fetch = mockFetch as unknown as typeof fetch;
+// ---------------------------------------------------------------------------
+// Module under test - re-imported each time to reset module-level cache
+// ---------------------------------------------------------------------------
+let mod: typeof import("./usage-limits.js");
+const originalPlatform = process.platform;
+beforeEach(async () => {
+  vi.resetModules();
+  mockExecSync.mockReset();
+  mockExecFileSync.mockReset();
+  mockFetch.mockReset();
+  mod = await import("./usage-limits.js");
+});
+afterEach(() => {
+  Object.defineProperty(process, "platform", { value: originalPlatform });
+});
+// ---------------------------------------------------------------------------
+// Helpers
+// ---------------------------------------------------------------------------
+const SAMPLE_TOKEN = "sk-ant-fake-token-123";
+function makeCredentialsJson(token: string, opts?: { expired?: boolean }): string {
+  return JSON.stringify({
+    claudeAiOauth: {
+      accessToken: token,
+      refreshToken: "sk-ant-ort01-fake-refresh-token",
+      expiresAt: opts?.expired ? Date.now() - 1000 : Date.now() + 3_600_000,
+    },
+  });
+}
+function makeCredentialsHex(token: string): string {
+  return Buffer.from(makeCredentialsJson(token), "utf-8").toString("hex");
+}
+function makeFetchResponse(body: object, ok = true) {
+  return Promise.resolve({
+    ok,
+    json: () => Promise.resolve(body),
+  });
+}
+const SAMPLE_LIMITS = {
+  five_hour: { utilization: 42, resets_at: "2025-01-01T12:00:00Z" },
+  seven_day: { utilization: 15, resets_at: null },
+  extra_usage: null,
+};
+// ===========================================================================
+// getCredentials (macOS - Keychain)
+// ===========================================================================
+describe("getCredentials (macOS)", () => {
+  beforeEach(() => {
+    // Force macOS platform so the Keychain (execSync) path is used
+    Object.defineProperty(process, "platform", { value: "darwin" });
+  });
+  it("extracts token from plain JSON output", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockReturnValue(makeCredentialsJson(SAMPLE_TOKEN));
+    expect(darwinMod.getCredentials()).toBe(SAMPLE_TOKEN);
+  });
+  it("extracts token from hex-encoded output", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockReturnValue(makeCredentialsHex(SAMPLE_TOKEN));
+    expect(darwinMod.getCredentials()).toBe(SAMPLE_TOKEN);
+  });
+  it("returns null when execSync throws (e.g. no keychain entry)", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockImplementation(() => {
+      throw new Error("security: command not found");
+    });
+    expect(darwinMod.getCredentials()).toBeNull();
+  });
+  it("returns null when JSON has no claudeAiOauth field", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockReturnValue(JSON.stringify({ other: "data" }));
+    expect(darwinMod.getCredentials()).toBeNull();
+  });
+  it("returns token even when format does not match sk-ant-*", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockReturnValue(
+      JSON.stringify({ claudeAiOauth: { accessToken: "not-a-valid-token" } }),
+    );
+    expect(darwinMod.getCredentials()).toBe("not-a-valid-token");
+  });
+});
+// ===========================================================================
+// getCredentials - Windows path
+// ===========================================================================
+describe("getCredentials (Windows)", () => {
+  let tempDir: string;
+  beforeEach(() => {
+    Object.defineProperty(process, "platform", { value: "win32" });
+    tempDir = mkdtempSync(join(tmpdir(), "usage-limits-test-"));
+  });
+  afterEach(() => {
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+  it("reads token from credentials file on Windows", async () => {
+    const claudeDir = join(tempDir, ".claude");
+    mkdirSync(claudeDir, { recursive: true });
+    writeFileSync(
+      join(claudeDir, ".credentials.json"),
+      makeCredentialsJson(SAMPLE_TOKEN),
+    );
+    process.env.USERPROFILE = tempDir;
+    // Re-import to pick up the mocked platform
+    vi.resetModules();
+    mockFetch.mockReset();
+    const winMod = await import("./usage-limits.js");
+    expect(winMod.getCredentials()).toBe(SAMPLE_TOKEN);
+    delete process.env.USERPROFILE;
+  });
+  it("returns null when credentials file does not exist on Windows", async () => {
+    process.env.USERPROFILE = tempDir;
+    vi.resetModules();
+    const winMod = await import("./usage-limits.js");
+    expect(winMod.getCredentials()).toBeNull();
+    delete process.env.USERPROFILE;
+  });
+  it("returns null when credentials file has invalid JSON on Windows", async () => {
+    const claudeDir = join(tempDir, ".claude");
+    mkdirSync(claudeDir, { recursive: true });
+    writeFileSync(join(claudeDir, ".credentials.json"), "NOT VALID JSON{{{");
+    process.env.USERPROFILE = tempDir;
+    vi.resetModules();
+    const winMod = await import("./usage-limits.js");
+    expect(winMod.getCredentials()).toBeNull();
+    delete process.env.USERPROFILE;
+  });
+});
+// ===========================================================================
+// getCredentials - Linux / Docker path
+// ===========================================================================
+describe("getCredentials (Linux / Docker)", () => {
+  let tempDir: string;
+  const originalHome = process.env.HOME;
+  beforeEach(() => {
+    // Force Linux platform so the file-based credential path is used
+    Object.defineProperty(process, "platform", { value: "linux" });
+    tempDir = mkdtempSync(join(tmpdir(), "usage-limits-linux-test-"));
+  });
+  afterEach(() => {
+    // Restore original HOME to avoid cross-test environment pollution
+    if (originalHome !== undefined) {
+      process.env.HOME = originalHome;
+    } else {
+      delete process.env.HOME;
+    }
+    rmSync(tempDir, { recursive: true, force: true });
+  });
+  it("reads token from .credentials.json on Linux", async () => {
+    const claudeDir = join(tempDir, ".claude");
+    mkdirSync(claudeDir, { recursive: true });
+    writeFileSync(
+      join(claudeDir, ".credentials.json"),
+      makeCredentialsJson(SAMPLE_TOKEN),
+    );
+    process.env.HOME = tempDir;
+    vi.resetModules();
+    mockFetch.mockReset();
+    const linuxMod = await import("./usage-limits.js");
+    expect(linuxMod.getCredentials()).toBe(SAMPLE_TOKEN);
+  });
+  it("falls back to alternative credential file names", async () => {
+    // Only auth.json exists (not .credentials.json)
+    const claudeDir = join(tempDir, ".claude");
+    mkdirSync(claudeDir, { recursive: true });
+    writeFileSync(
+      join(claudeDir, "auth.json"),
+      makeCredentialsJson(SAMPLE_TOKEN),
+    );
+    process.env.HOME = tempDir;
+    vi.resetModules();
+    mockFetch.mockReset();
+    const linuxMod = await import("./usage-limits.js");
+    expect(linuxMod.getCredentials()).toBe(SAMPLE_TOKEN);
+  });
+  it("returns null when no credential files exist on Linux", async () => {
+    process.env.HOME = tempDir;
+    vi.resetModules();
+    mockFetch.mockReset();
+    const linuxMod = await import("./usage-limits.js");
+    expect(linuxMod.getCredentials()).toBeNull();
+  });
+  it("returns null when credentials file has invalid JSON on Linux", async () => {
+    const claudeDir = join(tempDir, ".claude");
+    mkdirSync(claudeDir, { recursive: true });
+    writeFileSync(join(claudeDir, ".credentials.json"), "NOT VALID JSON{{{");
+    process.env.HOME = tempDir;
+    vi.resetModules();
+    mockFetch.mockReset();
+    const linuxMod = await import("./usage-limits.js");
+    expect(linuxMod.getCredentials()).toBeNull();
+  });
+  it("does not call macOS security command on Linux", async () => {
+    const claudeDir = join(tempDir, ".claude");
+    mkdirSync(claudeDir, { recursive: true });
+    writeFileSync(
+      join(claudeDir, ".credentials.json"),
+      makeCredentialsJson(SAMPLE_TOKEN),
+    );
+    process.env.HOME = tempDir;
+    vi.resetModules();
+    mockFetch.mockReset();
+    const linuxMod = await import("./usage-limits.js");
+    linuxMod.getCredentials();
+    // security command should never be invoked on Linux
+    expect(mockExecSync).not.toHaveBeenCalled();
+  });
+  it("writes refreshed credentials back to the same source file", async () => {
+    // Credentials are stored in auth.json (not the default .credentials.json)
+    const claudeDir = join(tempDir, ".claude");
+    mkdirSync(claudeDir, { recursive: true });
+    writeFileSync(
+      join(claudeDir, "auth.json"),
+      makeCredentialsJson(SAMPLE_TOKEN, { expired: true }),
+    );
+    process.env.HOME = tempDir;
+    vi.resetModules();
+    mockFetch.mockReset();
+    const linuxMod = await import("./usage-limits.js");
+    // First call = token refresh, second call = usage API
+    mockFetch
+      .mockReturnValueOnce(
+        makeFetchResponse({
+          access_token: "sk-ant-new-token",
+          refresh_token: "sk-ant-new-refresh",
+          expires_in: 3600,
+        }),
+      )
+      .mockReturnValueOnce(makeFetchResponse(SAMPLE_LIMITS));
+    const result = await linuxMod.getUsageLimits();
+    expect(result).toEqual(SAMPLE_LIMITS);
+    // Credentials should have been written to file (not via execFileSync/security)
+    expect(mockExecFileSync).not.toHaveBeenCalled();
+    // Verify the refreshed token was written back to auth.json (the source file)
+    const updatedCreds = JSON.parse(
+      readFileSync(join(claudeDir, "auth.json"), "utf-8"),
+    );
+    expect(updatedCreds.claudeAiOauth.accessToken).toBe("sk-ant-new-token");
+    expect(updatedCreds.claudeAiOauth.refreshToken).toBe("sk-ant-new-refresh");
+  });
+});
+// ===========================================================================
+// fetchUsageLimits
+// ===========================================================================
+describe("fetchUsageLimits", () => {
+  it("returns parsed limits on success", async () => {
+    mockFetch.mockReturnValue(makeFetchResponse(SAMPLE_LIMITS));
+    const result = await mod.fetchUsageLimits(SAMPLE_TOKEN);
+    expect(result).toEqual(SAMPLE_LIMITS);
+    // Verify correct headers
+    expect(mockFetch).toHaveBeenCalledWith(
+      "https://api.anthropic.com/api/oauth/usage",
+      expect.objectContaining({
+        method: "GET",
+        headers: expect.objectContaining({
+          Authorization: `Bearer ${SAMPLE_TOKEN}`,
+        }),
+      }),
+    );
+  });
+  it("returns null on non-ok response", async () => {
+    mockFetch.mockReturnValue(makeFetchResponse({}, false));
+    const result = await mod.fetchUsageLimits(SAMPLE_TOKEN);
+    expect(result).toBeNull();
+  });
+  it("returns null on network error", async () => {
+    mockFetch.mockRejectedValue(new Error("network error"));
+    const result = await mod.fetchUsageLimits(SAMPLE_TOKEN);
+    expect(result).toBeNull();
+  });
+  it("normalizes missing fields to null", async () => {
+    mockFetch.mockReturnValue(
+      makeFetchResponse({ five_hour: { utilization: 10, resets_at: null } }),
+    );
+    const result = await mod.fetchUsageLimits(SAMPLE_TOKEN);
+    expect(result).toEqual({
+      five_hour: { utilization: 10, resets_at: null },
+      seven_day: null,
+      extra_usage: null,
+    });
+  });
+});
+// ===========================================================================
+// getUsageLimits (orchestrator with cache)
+// These tests use macOS platform to exercise the execSync/keychain path
+// ===========================================================================
+describe("getUsageLimits", () => {
+  const EMPTY = { five_hour: null, seven_day: null, extra_usage: null };
+  beforeEach(() => {
+    Object.defineProperty(process, "platform", { value: "darwin" });
+  });
+  it("returns empty when no credentials are available", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockImplementation(() => {
+      throw new Error("no keychain");
+    });
+    const result = await darwinMod.getUsageLimits();
+    expect(result).toEqual(EMPTY);
+  });
+  it("returns limits and caches the result", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockReturnValue(makeCredentialsJson(SAMPLE_TOKEN));
+    mockFetch.mockReturnValue(makeFetchResponse(SAMPLE_LIMITS));
+    const first = await darwinMod.getUsageLimits();
+    expect(first).toEqual(SAMPLE_LIMITS);
+    // Second call should use cache - fetch should not be called again
+    const second = await darwinMod.getUsageLimits();
+    expect(second).toEqual(SAMPLE_LIMITS);
+    expect(mockFetch).toHaveBeenCalledTimes(1);
+  });
+  it("refreshes cache after TTL expires", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockReturnValue(makeCredentialsJson(SAMPLE_TOKEN));
+    mockFetch.mockReturnValue(makeFetchResponse(SAMPLE_LIMITS));
+    await darwinMod.getUsageLimits();
+    expect(mockFetch).toHaveBeenCalledTimes(1);
+    // Manually expire the cache by advancing Date.now via spy
+    const realNow = Date.now();
+    vi.spyOn(Date, "now").mockReturnValue(realNow + 61_000);
+    const updated = {
+      ...SAMPLE_LIMITS,
+      five_hour: { utilization: 99, resets_at: null },
+    };
+    mockFetch.mockReturnValue(makeFetchResponse(updated));
+    const result = await darwinMod.getUsageLimits();
+    expect(result).toEqual(updated);
+    expect(mockFetch).toHaveBeenCalledTimes(2);
+    vi.spyOn(Date, "now").mockRestore();
+  });
+  it("returns empty when fetch fails", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockReturnValue(makeCredentialsJson(SAMPLE_TOKEN));
+    mockFetch.mockReturnValue(makeFetchResponse({}, false));
+    const result = await darwinMod.getUsageLimits();
+    expect(result).toEqual(EMPTY);
+  });
+});
+// ===========================================================================
+// Token refresh flow (via getUsageLimits -> getValidAccessToken)
+// These tests use macOS platform to exercise the execSync/keychain path
+// ===========================================================================
+describe("token refresh", () => {
+  const EMPTY = { five_hour: null, seven_day: null, extra_usage: null };
+  beforeEach(() => {
+    Object.defineProperty(process, "platform", { value: "darwin" });
+  });
+  it("refreshes an expired token and uses the new one", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    mockExecSync.mockReset();
+    mockExecFileSync.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    // Provide an expired token
+    mockExecSync.mockReturnValue(makeCredentialsJson(SAMPLE_TOKEN, { expired: true }));
+    // First call = token refresh, second call = usage API
+    mockFetch
+      .mockReturnValueOnce(
+        makeFetchResponse({
+          access_token: "sk-ant-new-token",
+          refresh_token: "sk-ant-new-refresh",
+          expires_in: 3600,
+        }),
+      )
+      .mockReturnValueOnce(makeFetchResponse(SAMPLE_LIMITS));
+    const result = await darwinMod.getUsageLimits();
+    expect(result).toEqual(SAMPLE_LIMITS);
+    // First fetch = refresh call to platform.claude.com
+    expect(mockFetch).toHaveBeenCalledTimes(2);
+    const [refreshUrl, refreshOpts] = mockFetch.mock.calls[0];
+    expect(refreshUrl).toContain("oauth/token");
+    expect(refreshOpts.method).toBe("POST");
+    // Second fetch = usage API with refreshed token
+    const [usageUrl, usageOpts] = mockFetch.mock.calls[1];
+    expect(usageUrl).toContain("oauth/usage");
+    expect(usageOpts.headers.Authorization).toBe("Bearer sk-ant-new-token");
+    // Credentials should have been written back via execFileSync (macOS keychain)
+    expect(mockExecFileSync).toHaveBeenCalled();
+  });
+  it("returns empty when token is expired and refresh fails", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    mockExecSync.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockReturnValue(makeCredentialsJson(SAMPLE_TOKEN, { expired: true }));
+    // Refresh call fails
+    mockFetch.mockReturnValueOnce(makeFetchResponse({}, false));
+    const result = await darwinMod.getUsageLimits();
+    expect(result).toEqual(EMPTY);
+    // Only the refresh call, no usage call
+    expect(mockFetch).toHaveBeenCalledTimes(1);
+  });
+  it("returns empty when token is expired and refresh throws", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    mockExecSync.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    mockExecSync.mockReturnValue(makeCredentialsJson(SAMPLE_TOKEN, { expired: true }));
+    mockFetch.mockRejectedValueOnce(new Error("network error"));
+    const result = await darwinMod.getUsageLimits();
+    expect(result).toEqual(EMPTY);
+  });
+  it("uses valid (non-expired) token without refreshing", async () => {
+    vi.resetModules();
+    mockFetch.mockReset();
+    mockExecSync.mockReset();
+    const darwinMod = await import("./usage-limits.js");
+    // Token has a future expiry (default in makeCredentialsJson)
+    mockExecSync.mockReturnValue(makeCredentialsJson(SAMPLE_TOKEN));
+    mockFetch.mockReturnValueOnce(makeFetchResponse(SAMPLE_LIMITS));
+    const result = await darwinMod.getUsageLimits();
+    expect(result).toEqual(SAMPLE_LIMITS);
+    // Only one fetch call (usage API), no refresh call
+    expect(mockFetch).toHaveBeenCalledTimes(1);
+    const [url] = mockFetch.mock.calls[0];
+    expect(url).toContain("oauth/usage");
+  });
+});