npm - @hellcoder/companion - Versions diffs - 0.96.0 - Mend

@hellcoder/companion 0.96.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (242) hide show

package/bin/cli.ts +168 -0
package/bin/ctl.ts +528 -0
package/bin/generate-token.ts +28 -0
package/dist/apple-touch-icon.png +0 -0
package/dist/assets/AgentsPage-DCFhrJ28.js +13 -0
package/dist/assets/CronManager-EGwLJONv.js +1 -0
package/dist/assets/IntegrationsPage-CTMRnbQS.js +1 -0
package/dist/assets/LinearOAuthSettingsPage-CgQFMIgr.js +1 -0
package/dist/assets/LinearSettingsPage-C9nok1qi.js +1 -0
package/dist/assets/Playground-BV3k0RbV.js +109 -0
package/dist/assets/PromptsPage-CFojqNKP.js +4 -0
package/dist/assets/RunsPage-DUJ1QUSa.js +1 -0
package/dist/assets/SandboxManager-CrVQ-VU_.js +8 -0
package/dist/assets/SettingsPage-D1fPCL19.js +1 -0
package/dist/assets/TailscalePage-D06cyvyC.js +1 -0
package/dist/assets/index-BhUa1e6X.css +1 -0
package/dist/assets/index-DkqeP-R9.js +134 -0
package/dist/assets/sw-register-BibwRdvC.js +1 -0
package/dist/assets/workbox-window.prod.es5-BIl4cyR9.js +2 -0
package/dist/favicon.svg +8 -0
package/dist/fonts/MesloLGSNerdFontMono-Bold.woff2 +0 -0
package/dist/fonts/MesloLGSNerdFontMono-Regular.woff2 +0 -0
package/dist/icon-192.png +0 -0
package/dist/icon-512.png +0 -0
package/dist/index.html +20 -0
package/dist/logo-codex.svg +14 -0
package/dist/logo-docker.svg +4 -0
package/dist/logo.svg +14 -0
package/dist/manifest.json +24 -0
package/dist/sw.js +2 -0
package/package.json +104 -0
package/server/agent-cron-migrator.test.ts +610 -0
package/server/agent-cron-migrator.ts +85 -0
package/server/agent-executor.test.ts +1108 -0
package/server/agent-executor.ts +346 -0
package/server/agent-store.test.ts +588 -0
package/server/agent-store.ts +185 -0
package/server/agent-types.ts +138 -0
package/server/ai-validation-settings.test.ts +128 -0
package/server/ai-validation-settings.ts +35 -0
package/server/ai-validator.test.ts +387 -0
package/server/ai-validator.ts +271 -0
package/server/auth-manager.test.ts +83 -0
package/server/auth-manager.ts +150 -0
package/server/auto-namer.test.ts +252 -0
package/server/auto-namer.ts +78 -0
package/server/backend-adapter.test.ts +38 -0
package/server/backend-adapter.ts +54 -0
package/server/cache-headers.test.ts +98 -0
package/server/cache-headers.ts +61 -0
package/server/claude-adapter.test.ts +1363 -0
package/server/claude-adapter.ts +889 -0
package/server/claude-container-auth.test.ts +44 -0
package/server/claude-container-auth.ts +30 -0
package/server/claude-protocol-contract.test.ts +71 -0
package/server/claude-protocol-drift.test.ts +78 -0
package/server/claude-session-discovery.test.ts +132 -0
package/server/claude-session-discovery.ts +157 -0
package/server/claude-session-history.test.ts +158 -0
package/server/claude-session-history.ts +410 -0
package/server/cli-launcher.test.ts +1343 -0
package/server/cli-launcher.ts +1298 -0
package/server/cli.test.ts +16 -0
package/server/codex-adapter.test.ts +5545 -0
package/server/codex-adapter.ts +3062 -0
package/server/codex-container-auth.test.ts +50 -0
package/server/codex-container-auth.ts +24 -0
package/server/codex-home.test.ts +61 -0
package/server/codex-home.ts +26 -0
package/server/codex-protocol-contract.test.ts +96 -0
package/server/codex-protocol-drift.test.ts +123 -0
package/server/codex-ws-proxy.cjs +226 -0
package/server/commands-discovery.test.ts +179 -0
package/server/commands-discovery.ts +81 -0
package/server/constants.ts +7 -0
package/server/container-manager.test.ts +1211 -0
package/server/container-manager.ts +1053 -0
package/server/cron-scheduler.test.ts +957 -0
package/server/cron-scheduler.ts +243 -0
package/server/cron-store.test.ts +422 -0
package/server/cron-store.ts +148 -0
package/server/cron-types.ts +63 -0
package/server/env-manager.test.ts +268 -0
package/server/env-manager.ts +161 -0
package/server/event-bus-types.ts +64 -0
package/server/event-bus.test.ts +244 -0
package/server/event-bus.ts +124 -0
package/server/execution-store.test.ts +307 -0
package/server/execution-store.ts +170 -0
package/server/fs-utils.ts +15 -0
package/server/git-utils.test.ts +938 -0
package/server/git-utils.ts +421 -0
package/server/github-pr.test.ts +498 -0
package/server/github-pr.ts +379 -0
package/server/image-pull-manager.test.ts +303 -0
package/server/image-pull-manager.ts +279 -0
package/server/index.ts +396 -0
package/server/linear-agent-bridge.test.ts +1157 -0
package/server/linear-agent-bridge.ts +629 -0
package/server/linear-agent.test.ts +473 -0
package/server/linear-agent.ts +479 -0
package/server/linear-cache.test.ts +136 -0
package/server/linear-cache.ts +113 -0
package/server/linear-connections.test.ts +350 -0
package/server/linear-connections.ts +231 -0
package/server/linear-credential-migration.test.ts +337 -0
package/server/linear-credential-migration.ts +63 -0
package/server/linear-oauth-connections-migration.test.ts +268 -0
package/server/linear-oauth-connections.test.ts +365 -0
package/server/linear-oauth-connections.ts +294 -0
package/server/linear-project-manager.test.ts +162 -0
package/server/linear-project-manager.ts +111 -0
package/server/linear-prompt-builder.test.ts +74 -0
package/server/linear-prompt-builder.ts +61 -0
package/server/linear-staging.test.ts +276 -0
package/server/linear-staging.ts +142 -0
package/server/logger.test.ts +393 -0
package/server/logger.ts +259 -0
package/server/metrics-collector.test.ts +413 -0
package/server/metrics-collector.ts +350 -0
package/server/metrics-types.ts +108 -0
package/server/middleware/managed-auth.test.ts +264 -0
package/server/middleware/managed-auth.ts +195 -0
package/server/novnc-proxy.test.ts +333 -0
package/server/novnc-proxy.ts +99 -0
package/server/path-resolver.test.ts +552 -0
package/server/path-resolver.ts +186 -0
package/server/paths.test.ts +31 -0
package/server/paths.ts +11 -0
package/server/pr-poller.test.ts +191 -0
package/server/pr-poller.ts +162 -0
package/server/prompt-manager.test.ts +211 -0
package/server/prompt-manager.ts +211 -0
package/server/protocol/claude-upstream/README.md +19 -0
package/server/protocol/claude-upstream/sdk.d.ts.txt +1943 -0
package/server/protocol/codex-upstream/ClientNotification.ts.txt +5 -0
package/server/protocol/codex-upstream/ClientRequest.ts.txt +60 -0
package/server/protocol/codex-upstream/README.md +18 -0
package/server/protocol/codex-upstream/ServerNotification.ts.txt +41 -0
package/server/protocol/codex-upstream/ServerRequest.ts.txt +16 -0
package/server/protocol/codex-upstream/v2/DynamicToolCallParams.ts.txt +6 -0
package/server/protocol/codex-upstream/v2/DynamicToolCallResponse.ts.txt +6 -0
package/server/protocol-monitor.ts +50 -0
package/server/recorder.test.ts +454 -0
package/server/recorder.ts +374 -0
package/server/recording-hub/compat-validator.test.ts +150 -0
package/server/recording-hub/compat-validator.ts +284 -0
package/server/recording-hub/diagnostics.test.ts +140 -0
package/server/recording-hub/diagnostics.ts +299 -0
package/server/recording-hub/hub-config.test.ts +44 -0
package/server/recording-hub/hub-config.ts +19 -0
package/server/recording-hub/hub-routes.test.ts +417 -0
package/server/recording-hub/hub-routes.ts +236 -0
package/server/recording-hub/hub-store.test.ts +262 -0
package/server/recording-hub/hub-store.ts +265 -0
package/server/recording-hub/replay-adapter.test.ts +294 -0
package/server/recording-hub/replay-adapter.ts +207 -0
package/server/relay-client.test.ts +337 -0
package/server/relay-client.ts +320 -0
package/server/replay.test.ts +200 -0
package/server/replay.ts +78 -0
package/server/routes/agent-routes.test.ts +1400 -0
package/server/routes/agent-routes.ts +409 -0
package/server/routes/cron-routes.test.ts +881 -0
package/server/routes/cron-routes.ts +103 -0
package/server/routes/env-routes.test.ts +383 -0
package/server/routes/env-routes.ts +95 -0
package/server/routes/fs-routes.test.ts +1198 -0
package/server/routes/fs-routes.ts +605 -0
package/server/routes/git-routes.test.ts +813 -0
package/server/routes/git-routes.ts +97 -0
package/server/routes/linear-agent-routes.test.ts +721 -0
package/server/routes/linear-agent-routes.ts +304 -0
package/server/routes/linear-connection-routes.test.ts +927 -0
package/server/routes/linear-connection-routes.ts +244 -0
package/server/routes/linear-oauth-connection-routes.test.ts +406 -0
package/server/routes/linear-oauth-connection-routes.ts +129 -0
package/server/routes/linear-routes.test.ts +1510 -0
package/server/routes/linear-routes.ts +953 -0
package/server/routes/metrics-routes.test.ts +103 -0
package/server/routes/metrics-routes.ts +13 -0
package/server/routes/prompt-routes.ts +67 -0
package/server/routes/sandbox-routes.test.ts +513 -0
package/server/routes/sandbox-routes.ts +127 -0
package/server/routes/settings-routes.ts +270 -0
package/server/routes/skills-routes.test.ts +690 -0
package/server/routes/skills-routes.ts +100 -0
package/server/routes/system-routes.test.ts +637 -0
package/server/routes/system-routes.ts +228 -0
package/server/routes/tailscale-routes.test.ts +176 -0
package/server/routes/tailscale-routes.ts +22 -0
package/server/routes.test.ts +4655 -0
package/server/routes.ts +1277 -0
package/server/sandbox-manager.test.ts +378 -0
package/server/sandbox-manager.ts +168 -0
package/server/service.test.ts +1419 -0
package/server/service.ts +718 -0
package/server/session-creation-service.test.ts +661 -0
package/server/session-creation-service.ts +473 -0
package/server/session-git-info.ts +104 -0
package/server/session-linear-issues.test.ts +118 -0
package/server/session-linear-issues.ts +88 -0
package/server/session-names.test.ts +94 -0
package/server/session-names.ts +67 -0
package/server/session-orchestrator.test.ts +1784 -0
package/server/session-orchestrator.ts +973 -0
package/server/session-state-machine.test.ts +606 -0
package/server/session-state-machine.ts +207 -0
package/server/session-store.test.ts +290 -0
package/server/session-store.ts +146 -0
package/server/session-types.ts +509 -0
package/server/settings-manager.test.ts +275 -0
package/server/settings-manager.ts +173 -0
package/server/tailscale-manager.test.ts +553 -0
package/server/tailscale-manager.ts +451 -0
package/server/terminal-manager.ts +240 -0
package/server/update-checker.test.ts +306 -0
package/server/update-checker.ts +197 -0
package/server/usage-limits.test.ts +536 -0
package/server/usage-limits.ts +225 -0
package/server/worktree-tracker.test.ts +243 -0
package/server/worktree-tracker.ts +84 -0
package/server/ws-auth.test.ts +59 -0
package/server/ws-auth.ts +41 -0
package/server/ws-bridge-browser-ingest.test.ts +272 -0
package/server/ws-bridge-browser-ingest.ts +72 -0
package/server/ws-bridge-browser.ts +112 -0
package/server/ws-bridge-cli-ingest.test.ts +302 -0
package/server/ws-bridge-cli-ingest.ts +81 -0
package/server/ws-bridge-codex.test.ts +1837 -0
package/server/ws-bridge-codex.ts +266 -0
package/server/ws-bridge-controls.test.ts +124 -0
package/server/ws-bridge-controls.ts +20 -0
package/server/ws-bridge-persist.test.ts +296 -0
package/server/ws-bridge-persist.ts +66 -0
package/server/ws-bridge-publish.test.ts +234 -0
package/server/ws-bridge-publish.ts +79 -0
package/server/ws-bridge-replay.test.ts +44 -0
package/server/ws-bridge-replay.ts +61 -0
package/server/ws-bridge-types.ts +106 -0
package/server/ws-bridge.test.ts +4777 -0
package/server/ws-bridge.ts +1279 -0

package/server/linear-agent.test.ts ADDED Viewed

@@ -0,0 +1,473 @@
+// Tests for the Linear Agent Interaction SDK client module.
+// Covers webhook verification, OAuth token management, GraphQL calls,
+// activity posting, and configuration checks.
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { createHmac } from "node:crypto";
+import type { LinearOAuthCredentials } from "./linear-agent.js";
+import {
+  verifyWebhookSignature,
+  isLinearOAuthConfigured,
+  getOAuthAuthorizeUrl,
+  exchangeCodeForTokens,
+  refreshAccessToken,
+  linearGraphQL,
+  postActivity,
+  updateSessionUrls,
+  updateSessionPlan,
+  generateOAuthState,
+  validateOAuthState,
+} from "./linear-agent.js";
+// Mock global fetch
+const mockFetch = vi.fn();
+vi.stubGlobal("fetch", mockFetch);
+// Default test credentials matching the LinearOAuthCredentials interface
+const testCreds: LinearOAuthCredentials = {
+  clientId: "client-id",
+  clientSecret: "client-secret",
+  webhookSecret: "webhook-secret",
+  accessToken: "access-token",
+  refreshToken: "refresh-token",
+};
+beforeEach(() => {
+  vi.clearAllMocks();
+});
+// ─── Webhook signature verification ──────────────────────────────────────────
+describe("verifyWebhookSignature", () => {
+  it("returns true for valid HMAC-SHA256 signature", () => {
+    const body = '{"type":"AgentSessionEvent"}';
+    const signature = createHmac("sha256", "test-secret").update(body).digest("hex");
+    expect(verifyWebhookSignature("test-secret", body, signature)).toBe(true);
+  });
+  it("returns false for invalid signature", () => {
+    expect(verifyWebhookSignature("test-secret", "body", "bad-signature")).toBe(false);
+  });
+  it("returns false when webhook secret is not configured", () => {
+    expect(verifyWebhookSignature("", "body", "some-sig")).toBe(false);
+  });
+  it("returns false when signature is null", () => {
+    expect(verifyWebhookSignature("webhook-secret", "body", null)).toBe(false);
+  });
+  it("returns false for malformed hex signature (timing-safe compare failure)", () => {
+    // Non-hex string will cause Buffer.from to produce different length
+    expect(verifyWebhookSignature("test-secret", "body", "not-valid-hex!!")).toBe(false);
+  });
+});
+// ─── OAuth configuration checks ─────────────────────────────────────────────
+describe("isLinearOAuthConfigured", () => {
+  it("returns true when all required fields are present", () => {
+    expect(isLinearOAuthConfigured(testCreds)).toBe(true);
+  });
+  it("returns false when client ID is missing", () => {
+    expect(isLinearOAuthConfigured({ ...testCreds, clientId: "" })).toBe(false);
+  });
+  it("returns false when access token is missing", () => {
+    expect(isLinearOAuthConfigured({ ...testCreds, accessToken: "" })).toBe(false);
+  });
+});
+describe("getOAuthAuthorizeUrl", () => {
+  it("returns authorization URL and state nonce with correct parameters", () => {
+    const result = getOAuthAuthorizeUrl("my-client-id", "http://localhost:3456/api/linear/oauth/callback");
+    expect(result).not.toBeNull();
+    expect(result!.url).toContain("linear.app/oauth/authorize");
+    expect(result!.url).toContain("client_id=my-client-id");
+    expect(result!.url).toContain("response_type=code");
+    expect(result!.url).toContain("actor=app");
+    expect(result!.url).toContain("app%3Amentionable");
+    expect(result!.url).toContain("state=");
+    expect(result!.state).toBeTruthy();
+  });
+  it("returns null when client ID is not configured", () => {
+    expect(getOAuthAuthorizeUrl("", "http://localhost/callback")).toBeNull();
+  });
+});
+// ─── OAuth state CSRF protection ─────────────────────────────────────────────
+describe("OAuth state nonce (CSRF protection)", () => {
+  it("generates unique state nonces", () => {
+    const state1 = generateOAuthState();
+    const state2 = generateOAuthState();
+    expect(state1).not.toBe(state2);
+    expect(state1.length).toBe(48); // 24 bytes → 48 hex chars
+  });
+  it("validates a generated state nonce (single use)", () => {
+    const state = generateOAuthState();
+    expect(validateOAuthState(state)).toEqual({ valid: true });
+    // Second use should fail — consumed
+    expect(validateOAuthState(state)).toEqual({ valid: false });
+  });
+  it("rejects unknown state nonces", () => {
+    expect(validateOAuthState("unknown-nonce")).toEqual({ valid: false });
+  });
+  it("rejects null/undefined state", () => {
+    expect(validateOAuthState(null)).toEqual({ valid: false });
+    expect(validateOAuthState(undefined)).toEqual({ valid: false });
+  });
+  it("preserves returnTo path in state", () => {
+    const state = generateOAuthState({ returnTo: "/#/setup/linear-agent" });
+    const result = validateOAuthState(state);
+    expect(result).toEqual({ valid: true, returnTo: "/#/setup/linear-agent" });
+  });
+  it("works without returnTo", () => {
+    const state = generateOAuthState();
+    const result = validateOAuthState(state);
+    expect(result).toEqual({ valid: true });
+  });
+  it("preserves stagingId in state round-trip", () => {
+    const state = generateOAuthState({ stagingId: "abc123def456" });
+    const result = validateOAuthState(state);
+    expect(result).toEqual({ valid: true, stagingId: "abc123def456" });
+  });
+  it("preserves both stagingId and returnTo in state round-trip", () => {
+    const state = generateOAuthState({ stagingId: "slot-42", returnTo: "/#/agents" });
+    const result = validateOAuthState(state);
+    expect(result).toEqual({ valid: true, stagingId: "slot-42", returnTo: "/#/agents" });
+  });
+  it("returns stagingId as undefined when not provided", () => {
+    const state = generateOAuthState({ returnTo: "/#/settings" });
+    const result = validateOAuthState(state);
+    expect(result.valid).toBe(true);
+    expect(result.stagingId).toBeUndefined();
+    expect(result.returnTo).toBe("/#/settings");
+  });
+});
+// ─── Token exchange ─────────────────────────────────────────────────────────
+describe("exchangeCodeForTokens", () => {
+  it("exchanges authorization code for tokens", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      json: () => Promise.resolve({
+        access_token: "new-access",
+        refresh_token: "new-refresh",
+        expires_in: 86400,
+        scope: "read,write",
+      }),
+    });
+    const result = await exchangeCodeForTokens(
+      { clientId: testCreds.clientId, clientSecret: testCreds.clientSecret },
+      "auth-code",
+      "http://localhost/callback",
+    );
+    expect(result).toEqual({ accessToken: "new-access", refreshToken: "new-refresh" });
+    expect(mockFetch).toHaveBeenCalledWith("https://api.linear.app/oauth/token", expect.objectContaining({
+      method: "POST",
+    }));
+  });
+  it("returns null when client credentials are missing", async () => {
+    const result = await exchangeCodeForTokens(
+      { clientId: "", clientSecret: testCreds.clientSecret },
+      "code",
+      "http://localhost/callback",
+    );
+    expect(result).toBeNull();
+  });
+  it("returns null when token exchange fails", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: false,
+      status: 400,
+      text: () => Promise.resolve("Bad Request"),
+    });
+    const result = await exchangeCodeForTokens(
+      { clientId: testCreds.clientId, clientSecret: testCreds.clientSecret },
+      "bad-code",
+      "http://localhost/callback",
+    );
+    expect(result).toBeNull();
+  });
+  it("returns null when fetch throws a network error", async () => {
+    mockFetch.mockRejectedValueOnce(new Error("Network error"));
+    const result = await exchangeCodeForTokens(
+      { clientId: testCreds.clientId, clientSecret: testCreds.clientSecret },
+      "code",
+      "http://localhost/callback",
+    );
+    expect(result).toBeNull();
+  });
+});
+// ─── Token refresh ──────────────────────────────────────────────────────────
+describe("refreshAccessToken", () => {
+  it("refreshes token and invokes onTokensRefreshed callback", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      json: () => Promise.resolve({
+        access_token: "refreshed-access",
+        refresh_token: "refreshed-refresh",
+        expires_in: 86400,
+      }),
+    });
+    const onTokensRefreshed = vi.fn();
+    const result = await refreshAccessToken(testCreds, onTokensRefreshed);
+    expect(result).toBe("refreshed-access");
+    expect(onTokensRefreshed).toHaveBeenCalledWith({
+      accessToken: "refreshed-access",
+      refreshToken: "refreshed-refresh",
+    });
+  });
+  it("returns null when refresh credentials are missing", async () => {
+    const result = await refreshAccessToken({ ...testCreds, refreshToken: "" });
+    expect(result).toBeNull();
+  });
+  it("returns null when refresh request fails", async () => {
+    mockFetch.mockResolvedValueOnce({ ok: false, status: 401 });
+    const result = await refreshAccessToken(testCreds);
+    expect(result).toBeNull();
+  });
+  it("keeps old refresh token if new one is not provided", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      json: () => Promise.resolve({
+        access_token: "new-access",
+        // No refresh_token in response
+        expires_in: 86400,
+      }),
+    });
+    const onTokensRefreshed = vi.fn();
+    await refreshAccessToken(
+      { ...testCreds, refreshToken: "old-refresh" },
+      onTokensRefreshed,
+    );
+    expect(onTokensRefreshed).toHaveBeenCalledWith({
+      accessToken: "new-access",
+      refreshToken: "old-refresh",
+    });
+  });
+});
+// ─── GraphQL helper ─────────────────────────────────────────────────────────
+describe("linearGraphQL", () => {
+  it("sends authenticated GraphQL request and returns data", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: () => Promise.resolve({ data: { viewer: { id: "user-1" } } }),
+    });
+    const result = await linearGraphQL(testCreds, "{ viewer { id } }");
+    expect(result).toEqual({ data: { viewer: { id: "user-1" } } });
+    expect(mockFetch).toHaveBeenCalledWith("https://api.linear.app/graphql", expect.objectContaining({
+      method: "POST",
+      headers: expect.objectContaining({
+        Authorization: "Bearer access-token",
+      }),
+    }));
+  });
+  it("throws when no access token is configured", async () => {
+    await expect(
+      linearGraphQL({ ...testCreds, accessToken: "" }, "{ viewer { id } }")
+    ).rejects.toThrow("Linear OAuth not configured");
+  });
+  it("throws on non-OK response without 401", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: false,
+      status: 500,
+      text: () => Promise.resolve("Internal Server Error"),
+    });
+    await expect(linearGraphQL(testCreds, "{ viewer { id } }")).rejects.toThrow(
+      "Linear API error 500"
+    );
+  });
+  it("auto-refreshes token on 401 and retries", async () => {
+    // First call: 401
+    mockFetch.mockResolvedValueOnce({ ok: false, status: 401 });
+    // Token refresh call
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      json: () => Promise.resolve({
+        access_token: "new-token",
+        refresh_token: "new-refresh",
+        expires_in: 86400,
+      }),
+    });
+    // Retry with new token: success
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: () => Promise.resolve({ data: { viewer: { id: "user-1" } } }),
+    });
+    const result = await linearGraphQL(testCreds, "{ viewer { id } }");
+    expect(result).toEqual({ data: { viewer: { id: "user-1" } } });
+    // Should have made 3 fetch calls: initial GraphQL, token refresh, retry GraphQL
+    expect(mockFetch).toHaveBeenCalledTimes(3);
+  });
+  it("persists refreshed tokens via callback when a 401 is recovered", async () => {
+    mockFetch.mockResolvedValueOnce({ ok: false, status: 401 });
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      json: () => Promise.resolve({
+        access_token: "new-token",
+        refresh_token: "new-refresh",
+        expires_in: 86400,
+      }),
+    });
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: () => Promise.resolve({ data: { viewer: { id: "user-1" } } }),
+    });
+    const onTokensRefreshed = vi.fn();
+    await linearGraphQL(testCreds, "{ viewer { id } }", undefined, onTokensRefreshed);
+    expect(onTokensRefreshed).toHaveBeenCalledWith({
+      accessToken: "new-token",
+      refreshToken: "new-refresh",
+    });
+  });
+});
+// ─── Activity posting ───────────────────────────────────────────────────────
+describe("postActivity", () => {
+  it("sends agentActivityCreate mutation with correct input", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: () => Promise.resolve({ data: { agentActivityCreate: { success: true } } }),
+    });
+    await postActivity(testCreds, "session-123", { type: "thought", body: "Thinking...", ephemeral: true });
+    const fetchBody = JSON.parse(mockFetch.mock.calls[0][1].body);
+    expect(fetchBody.variables.input).toEqual({
+      agentSessionId: "session-123",
+      content: { type: "thought", body: "Thinking...", ephemeral: true },
+    });
+  });
+  it("logs error when activity creation returns errors", async () => {
+    const consoleSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: () => Promise.resolve({ errors: [{ message: "Session not found" }] }),
+    });
+    await postActivity(testCreds, "bad-session", { type: "response", body: "Done" });
+    expect(consoleSpy).toHaveBeenCalledWith(
+      "[linear-agent] Activity creation failed:",
+      "Session not found"
+    );
+    consoleSpy.mockRestore();
+  });
+  it("passes token refresh callback through to linearGraphQL", async () => {
+    mockFetch.mockResolvedValueOnce({ ok: false, status: 401 });
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      json: () => Promise.resolve({
+        access_token: "new-access",
+        refresh_token: "new-refresh",
+        expires_in: 86400,
+      }),
+    });
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: () => Promise.resolve({ data: { agentActivityCreate: { success: true } } }),
+    });
+    const onTokensRefreshed = vi.fn();
+    await postActivity(testCreds, "session-123", { type: "response", body: "Done" }, onTokensRefreshed);
+    expect(onTokensRefreshed).toHaveBeenCalledWith({
+      accessToken: "new-access",
+      refreshToken: "new-refresh",
+    });
+  });
+});
+// ─── Session updates ────────────────────────────────────────────────────────
+describe("updateSessionUrls", () => {
+  it("sends agentSessionUpdate mutation with external URLs", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: () => Promise.resolve({ data: { agentSessionUpdate: { success: true } } }),
+    });
+    await updateSessionUrls(testCreds, "session-123", [
+      { label: "Companion", url: "http://localhost:3456/#/session/abc" },
+    ]);
+    const fetchBody = JSON.parse(mockFetch.mock.calls[0][1].body);
+    expect(fetchBody.variables.input.externalUrls).toEqual([
+      { label: "Companion", url: "http://localhost:3456/#/session/abc" },
+    ]);
+  });
+});
+describe("updateSessionPlan", () => {
+  it("sends agentSessionUpdate mutation with plan items", async () => {
+    mockFetch.mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: () => Promise.resolve({ data: { agentSessionUpdate: { success: true } } }),
+    });
+    const plan = [
+      { content: "Analyze issue", status: "completed" as const },
+      { content: "Fix bug", status: "inProgress" as const },
+    ];
+    await updateSessionPlan(testCreds, "session-123", plan);
+    const fetchBody = JSON.parse(mockFetch.mock.calls[0][1].body);
+    expect(fetchBody.variables.input.plan).toEqual(plan);
+  });
+});