@knotpad/app 0.1.5 → 0.1.6

package/lib/email.ts

@@ -0,0 +1,159 @@
+/**
+ * Transactional email service backed by Brevo (formerly Sendinblue).
+ *
+ * Identities are read from environment variables so they can be swapped
+ * without code changes:
+ *
+ *   BREVO_API_KEY           – shared API key
+ *   EMAIL_AUTH_FROM         – "Display Name <addr>"  (auth emails)
+ *   EMAIL_AUTH_NAME         – sender display name
+ *   EMAIL_AUTH_EMAIL        – sender address
+ *   EMAIL_NOTIFY_FROM       – "Display Name <addr>"  (notifications)
+ *   EMAIL_NOTIFY_NAME       – sender display name
+ *   EMAIL_NOTIFY_EMAIL      – sender address
+ *
+ * If a given identity is not configured the call is silently skipped (and a
+ * warning is logged) so local/dev environments without Brevo still work.
+ */
+
+// ---------------------------------------------------------------------------
+// Types
+// ---------------------------------------------------------------------------
+
+export type EmailIdentity = "auth" | "notify";
+
+export interface SendEmailOptions {
+  /** Which sender identity to use. */
+  identity: EmailIdentity;
+  /** Recipient email address. */
+  to: string;
+  /** Email subject line. */
+  subject: string;
+  /** HTML body. */
+  html: string;
+  /** Optional plain-text body. */
+  text?: string;
+  /** Optional reply-to address. */
+  replyTo?: string;
+}
+
+interface BrevoSender {
+  name: string;
+  email: string;
+}
+
+// ---------------------------------------------------------------------------
+// Identity helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Parse a "Display Name <addr>" string into { name, email }.
+ * Falls back to the env-provided name/email pair if FROM isn't set.
+ */
+function parseFromHeader(
+  fromEnv: string | undefined,
+  nameEnv: string | undefined,
+  emailEnv: string | undefined
+): BrevoSender | null {
+  if (fromEnv) {
+    const match = /^(.+?)\s*<([^>]+)>$/.exec(fromEnv);
+    if (match) return { name: match[1].trim(), email: match[2].trim() };
+  }
+  if (nameEnv && emailEnv) return { name: nameEnv, email: emailEnv };
+  return null;
+}
+
+function getSender(identity: EmailIdentity): BrevoSender | null {
+  if (identity === "auth") {
+    return parseFromHeader(
+      process.env.EMAIL_AUTH_FROM,
+      process.env.EMAIL_AUTH_NAME,
+      process.env.EMAIL_AUTH_EMAIL
+    );
+  }
+  return parseFromHeader(
+    process.env.EMAIL_NOTIFY_FROM,
+    process.env.EMAIL_NOTIFY_NAME,
+    process.env.EMAIL_NOTIFY_EMAIL
+  );
+}
+
+// ---------------------------------------------------------------------------
+// Public API
+// ---------------------------------------------------------------------------
+
+/**
+ * Send a transactional email via Brevo.  Returns `true` on success, `false`
+ * when the email could not be sent (missing config, API error, etc.).
+ */
+export async function sendEmail(opts: SendEmailOptions): Promise<boolean> {
+  const apiKey = process.env.BREVO_API_KEY;
+  if (!apiKey) {
+    console.warn("[email] BREVO_API_KEY not configured — skipping email send.");
+    return false;
+  }
+
+  const sender = getSender(opts.identity);
+  if (!sender) {
+    console.warn(
+      `[email] Sender identity "${opts.identity}" not configured — skipping email send.`
+    );
+    return false;
+  }
+
+  const body: Record<string, unknown> = {
+    sender,
+    to: [{ email: opts.to }],
+    subject: opts.subject,
+    htmlContent: opts.html,
+  };
+  if (opts.text) body.textContent = opts.text;
+  if (opts.replyTo) body.replyTo = { email: opts.replyTo };
+
+  try {
+    const res = await fetch("https://api.brevo.com/v3/smtp/email", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        accept: "application/json",
+        "api-key": apiKey,
+      },
+      body: JSON.stringify(body),
+    });
+
+    if (!res.ok) {
+      const detail = await res.text().catch(() => "");
+      console.error(`[email] Brevo API ${res.status}: ${detail}`);
+      return false;
+    }
+
+    return true;
+  } catch (err) {
+    console.error("[email] Brevo send failed:", err);
+    return false;
+  }
+}
+
+/**
+ * Convenience: send an auth-related email (magic link, password reset, etc.).
+ */
+export function sendAuthEmail(
+  to: string,
+  subject: string,
+  html: string,
+  text?: string
+) {
+  return sendEmail({ identity: "auth", to, subject, html, text });
+}
+
+/**
+ * Convenience: send a system notification email (report, update, etc.).
+ */
+export function sendNotifyEmail(
+  to: string,
+  subject: string,
+  html: string,
+  text?: string
+) {
+  return sendEmail({ identity: "notify", to, subject, html, text });
+}

package/lib/encryption.test.ts

@@ -0,0 +1,41 @@
+import { describe, it, expect } from "vitest";
+import { encryptNote, decryptNote, isEncrypted, generateSalt, ENC_PREFIX } from "@/lib/encryption";
+
+const SECRET = "test-pepper-do-not-use-in-prod";
+
+describe("encryption", () => {
+  it("round-trips plaintext through encrypt/decrypt", async () => {
+    const salt = generateSalt();
+    const plain = "# Title\n\n- [ ] do thing @alice 2026-01-02";
+    const cipher = await encryptNote(plain, SECRET, salt);
+    expect(cipher.startsWith(ENC_PREFIX)).toBe(true);
+    expect(cipher).not.toContain("do thing");
+    expect(await decryptNote(cipher, SECRET, salt)).toBe(plain);
+  });
+
+  it("marks ciphertext and not plaintext via isEncrypted", async () => {
+    const salt = generateSalt();
+    expect(isEncrypted("just some text")).toBe(false);
+    expect(isEncrypted(await encryptNote("hello", SECRET, salt))).toBe(true);
+  });
+
+  it("is idempotent — never double-encrypts", async () => {
+    const salt = generateSalt();
+    const once = await encryptNote("hello", SECRET, salt);
+    const twice = await encryptNote(once, SECRET, salt);
+    expect(twice).toBe(once);
+  });
+
+  it("returns legacy plaintext unchanged on decrypt", async () => {
+    const salt = generateSalt();
+    expect(await decryptNote("legacy plaintext", SECRET, salt)).toBe("legacy plaintext");
+  });
+
+  it("produces different ciphertext for the same input (random IV)", async () => {
+    const salt = generateSalt();
+    const a = await encryptNote("hello", SECRET, salt);
+    const b = await encryptNote("hello", SECRET, salt);
+    expect(a).not.toBe(b);
+    expect(await decryptNote(b, SECRET, salt)).toBe("hello");
+  });
+});

package/lib/encryption.ts

@@ -0,0 +1,98 @@
+/**
+ * AES-256-GCM encryption-at-rest for Brief note content.
+ *
+ * Architecture (server-side, NOT end-to-end):
+ *  - Server key:      ENCRYPTION_PEPPER env var (never stored in the DB)
+ *  - Workspace salt:  random 16 bytes, stored in workspace.encryptionSalt (not sensitive)
+ *  - Derived key:     PBKDF2(pepper, salt, 100_000 iterations, SHA-256) → 256-bit AES key
+ *  - Ciphertext:      "enc:v1:" + base64( [IV (12 bytes)] + [GCM ciphertext+tag] )
+ *
+ * The server holds the key, so this protects against a database dump / at-rest
+ * exposure — it is deliberately NOT E2E (that was dropped to keep multi-device
+ * and team sync simple). Note content must never be persisted as plaintext.
+ */
+
+const PBKDF2_ITERATIONS = 100_000;
+const SALT_BYTES = 16;
+const IV_BYTES = 12; // AES-GCM standard
+
+// Version marker prepended to every ciphertext. Lets us detect encrypted vs
+// plaintext content unambiguously (the old base64 heuristic mis-classified
+// plaintext that happened to look base64-ish).
+export const ENC_PREFIX = "enc:v1:";
+
+export function generateSalt(): string {
+  const bytes = crypto.getRandomValues(new Uint8Array(SALT_BYTES));
+  return Buffer.from(bytes).toString("base64");
+}
+
+// --- Key derivation ---
+
+async function deriveKey(secret: string, saltBase64: string): Promise<CryptoKey> {
+  const enc = new TextEncoder();
+  const keyMaterial = await crypto.subtle.importKey(
+    "raw",
+    enc.encode(secret),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  const salt = Buffer.from(saltBase64, "base64");
+  return crypto.subtle.deriveKey(
+    { name: "PBKDF2", salt, iterations: PBKDF2_ITERATIONS, hash: "SHA-256" },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["encrypt", "decrypt"]
+  );
+}
+
+// --- Encrypt / Decrypt ---
+
+/**
+ * Encrypt plaintext using the server key + workspace salt.
+ * Returns: ENC_PREFIX + base64([IV] + [ciphertext]).
+ * Returns already-encrypted input unchanged (idempotent).
+ */
+export async function encryptNote(plaintext: string, secret: string, saltBase64: string): Promise<string> {
+  if (isEncrypted(plaintext)) return plaintext;
+  const key = await deriveKey(secret, saltBase64);
+  const iv = crypto.getRandomValues(new Uint8Array(IV_BYTES));
+  const enc = new TextEncoder();
+  const ciphertext = await crypto.subtle.encrypt(
+    { name: "AES-GCM", iv },
+    key,
+    enc.encode(plaintext)
+  );
+  const combined = new Uint8Array(IV_BYTES + ciphertext.byteLength);
+  combined.set(iv, 0);
+  combined.set(new Uint8Array(ciphertext), IV_BYTES);
+  return ENC_PREFIX + Buffer.from(combined).toString("base64");
+}
+
+/**
+ * Decrypt a value produced by encryptNote. If the input is not encrypted
+ * (legacy plaintext row), it is returned unchanged.
+ */
+export async function decryptNote(encrypted: string, secret: string, saltBase64: string): Promise<string> {
+  if (!isEncrypted(encrypted)) return encrypted; // legacy / plaintext safety
+  try {
+    const key = await deriveKey(secret, saltBase64);
+    const combined = Buffer.from(encrypted.slice(ENC_PREFIX.length), "base64");
+    const iv = combined.subarray(0, IV_BYTES);
+    const ciphertext = combined.subarray(IV_BYTES);
+    const dec = new TextDecoder();
+    const plaintext = await crypto.subtle.decrypt({ name: "AES-GCM", iv }, key, ciphertext);
+    return dec.decode(plaintext);
+  } catch {
+    // Not genuinely our ciphertext (e.g. a note that literally starts with the
+    // marker, or a corrupted row). Return the raw value rather than throwing so
+    // a single bad row can't 500 the whole note read.
+    return encrypted;
+  }
+}
+
+/** True if a string is Brief-encrypted ciphertext (carries the version marker). */
+export function isEncrypted(content: string): boolean {
+  return content.startsWith(ENC_PREFIX);
+}

package/lib/extract-snippet.test.ts

@@ -0,0 +1,123 @@
+import { describe, it, expect } from "vitest";
+import { extractSnippet } from "./extract-snippet";
+
+describe("extractSnippet", () => {
+  it("extracts snippet from a checkbox task line", () => {
+    const content = [
+      "# Meeting notes",
+      "- [ ] ship docs @alice",
+      "- [ ] review PR",
+      "Some follow-up text",
+    ].join("\n");
+
+    const result = extractSnippet(content, "ship docs");
+    expect(result).toContain("- [ ] ship docs @alice");
+    expect(result).toContain("# Meeting notes");
+    expect(result).toContain("- [ ] review PR");
+  });
+
+  it("extracts snippet from a ((task title)) wikilink in plain text", () => {
+    const content = [
+      "Plan for the week:",
+      "We need to ((ship docs)) before Friday.",
+      "Then we can relax.",
+    ].join("\n");
+
+    const result = extractSnippet(content, "ship docs");
+    expect(result).toContain("We need to ship docs before Friday.");
+    expect(result).not.toContain("((ship docs))");
+    expect(result).toContain("Plan for the week:");
+    expect(result).toContain("Then we can relax.");
+  });
+
+  it("extracts snippet from a ((task title)) wikilink in a bullet list", () => {
+    const content = [
+      "- First item",
+      "- Check ((ship docs)) status",
+      "- Last item",
+    ].join("\n");
+
+    const result = extractSnippet(content, "ship docs");
+    expect(result).toContain("- Check ship docs status");
+    expect(result).not.toContain("((ship docs))");
+  });
+
+  it("finds multiple references in one note", () => {
+    const content = [
+      "Line one",
+      "((ship docs))",
+      "Line three",
+      "Line four",
+      "Line five",
+      "((ship docs)) again",
+      "Line seven",
+    ].join("\n");
+
+    const result = extractSnippet(content, "ship docs");
+    const blocks = result.split("\n---\n");
+    expect(blocks).toHaveLength(2);
+    expect(blocks[0]).toContain("ship docs");
+    expect(blocks[1]).toContain("ship docs");
+  });
+
+  it("returns empty string when there is no match", () => {
+    const content = "Just some random text.\nNothing here.";
+    expect(extractSnippet(content, "nonexistent task")).toBe("");
+  });
+
+  it("does not duplicate when a checkbox line also contains a wikilink", () => {
+    const content = [
+      "- [ ] ((ship docs)) @alice",
+      "Next line",
+    ].join("\n");
+
+    const result = extractSnippet(content, "ship docs");
+    const blocks = result.split("\n---\n").filter(Boolean);
+    expect(blocks).toHaveLength(1);
+  });
+
+  it("strips wikilink syntax even when it spans multiple lines in a block", () => {
+    const content = [
+      "Context line",
+      "See ((ship docs)) for details",
+      "More context",
+    ].join("\n");
+
+    const result = extractSnippet(content, "ship docs");
+    expect(result).not.toContain("((ship docs))");
+    expect(result).toContain("See ship docs for details");
+  });
+
+  it("finds checkbox lines that contain [[note refs]] and dates", () => {
+    const content = [
+      "# Meeting notes",
+      "- [ ] review [[Spec]] ((Task)) @bob <file.md> 2026-06-01..2026-06-05",
+      "- [ ] something else",
+    ].join("\n");
+
+    const result = extractSnippet(content, "review");
+    expect(result).toContain(
+      "- [ ] review [[Spec]] ((Task)) @bob <file.md> 2026-06-01..2026-06-05"
+    );
+  });
+
+  it("finds checkbox lines that contain a single date", () => {
+    const content = [
+      "- [ ] ship docs 2026-05-20",
+      "- [ ] other task",
+    ].join("\n");
+
+    const result = extractSnippet(content, "ship docs");
+    expect(result).toContain("- [ ] ship docs 2026-05-20");
+  });
+
+  it("does not collapse whitespace when matching checkbox titles", () => {
+    const content = [
+      "- [ ] ship   docs",
+      "- [ ] other task",
+    ].join("\n");
+
+    const result = extractSnippet(content, "ship   docs");
+    expect(result).toContain("- [ ] ship   docs");
+  });
+});

package/lib/extract-snippet.ts

@@ -0,0 +1,69 @@
+function escapeRegExp(str: string): string {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+const MENTION_RE = /@[\w-]+/g;
+const FILEREF_RE = /<[^>]+>/g;
+const NOTE_REF_RE = /\[\[[^\]]*\]\]/g;
+const TASK_REF_RE = /\(\([^)]*\)\)/g;
+const STATUS_COMMENT_RE = /\s*<!--task::[A-Z_]+-->/g;
+const DATE_RANGE_RE = /\d{4}-\d{2}-\d{2}\.\.\d{4}-\d{2}-\d{2}/g;
+const DATE_RE = /\d{4}-\d{2}-\d{2}/g;
+
+function cleanTaskTitle(text: string): string {
+  return text
+    .replace(NOTE_REF_RE, "")
+    .replace(TASK_REF_RE, "")
+    .replace(MENTION_RE, "")
+    .replace(FILEREF_RE, "")
+    .replace(DATE_RANGE_RE, "")
+    .replace(DATE_RE, "")
+    .replace(STATUS_COMMENT_RE, "")
+    .trim();
+}
+
+export function extractSnippet(content: string, taskTitle: string): string {
+  const lines = content.split("\n");
+  const usedIndices = new Set<number>();
+  const snippets: string[] = [];
+  const wikilinkPattern = `\\(\\(\\s*${escapeRegExp(taskTitle)}\\s*\\)\\)`;
+  const wikilinkRe = new RegExp(wikilinkPattern);
+
+  for (let i = 0; i < lines.length; i++) {
+    if (usedIndices.has(i)) continue;
+
+    let isMatch = false;
+    let isWikilink = false;
+
+    // Pattern 1: checkbox task line
+    const checkboxPrefix = lines[i].match(/^(\s*)-\s+\[([ x])\]\s*/);
+    if (checkboxPrefix) {
+      const textAfterCheckbox = lines[i].slice(checkboxPrefix[0].length);
+      if (cleanTaskTitle(textAfterCheckbox) === taskTitle) {
+        isMatch = true;
+      }
+    }
+
+    // Pattern 2: wikilink reference ((task title))
+    if (!isMatch && lines[i].match(wikilinkRe)) {
+      isMatch = true;
+      isWikilink = true;
+    }
+
+    if (!isMatch) continue;
+    usedIndices.add(i);
+
+    const start = Math.max(0, i - 2);
+    const end = Math.min(lines.length, i + 3);
+    let block = lines.slice(start, end).join("\n");
+
+    if (isWikilink) {
+      // Strip ((...)) syntax so the snippet reads as natural text
+      block = block.replace(new RegExp(wikilinkPattern, "g"), taskTitle);
+    }
+
+    snippets.push(block);
+  }
+
+  return snippets.join("\n---\n");
+}

package/lib/kanban-status.ts

@@ -0,0 +1,55 @@
+import { prisma } from "@/lib/prisma";
+
+export type KanbanStatusConfig = {
+  key: string;
+  label: string;
+  color: string;
+  order: number;
+  isVisible: boolean;
+};
+
+const DEFAULT_STATUSES: KanbanStatusConfig[] = [
+  { key: "OPEN", label: "Open", color: "border-zinc-700", order: 0, isVisible: true },
+  { key: "CLAIMED", label: "Claimed", color: "border-violet-700", order: 1, isVisible: true },
+  { key: "IN_PROGRESS", label: "In Progress", color: "border-blue-700", order: 2, isVisible: true },
+  { key: "REVIEW", label: "Review", color: "border-amber-700", order: 3, isVisible: true },
+  { key: "DONE", label: "Done", color: "border-emerald-700", order: 4, isVisible: true },
+];
+
+export async function getKanbanStatuses(workspaceId: string): Promise<KanbanStatusConfig[]> {
+  const rows = await prisma.kanbanStatus.findMany({
+    where: { workspaceId },
+    orderBy: { order: "asc" },
+  });
+
+  if (rows.length === 0) {
+    return DEFAULT_STATUSES;
+  }
+
+  return rows.map((r) => ({
+    key: r.key,
+    label: r.label,
+    color: r.color,
+    order: r.order,
+    isVisible: r.isVisible,
+  }));
+}
+
+export async function seedDefaultKanbanStatuses(
+  workspaceId: string,
+  tx?: Parameters<Parameters<typeof prisma.$transaction>[0]>[0]
+) {
+  const client = tx ?? prisma;
+  const existing = await client.kanbanStatus.findFirst({
+    where: { workspaceId },
+  });
+  if (existing) return;
+
+  await client.kanbanStatus.createMany({
+    data: DEFAULT_STATUSES.map((s) => ({ ...s, workspaceId })),
+  });
+}
+
+export function getDefaultKanbanStatuses(): KanbanStatusConfig[] {
+  return DEFAULT_STATUSES.map((s) => ({ ...s }));
+}

package/lib/license.ts

@@ -0,0 +1,21 @@
+// Derive Pro / Cloud entitlement from the canonical license fields rather than
+// the denormalized `isPro` / `isCloud` boolean columns. Those booleans are a
+// cache kept in sync by the admin license route and the Stripe webhook, but they
+// drift when `planType` / `licenseType` are edited directly in the DB. The gating
+// paths should treat this derivation as authoritative.
+//
+// Entitlement rule (mirrors prisma/schema.prisma:73-74):
+//   isPro / isCloud  ===  planType != FREE  ||  licenseType == COMPLIMENTARY
+
+type LicenseFields = {
+  planType: string;
+  licenseType: string;
+};
+
+export function isWorkspacePro(ws: LicenseFields): boolean {
+  return ws.planType !== "FREE" || ws.licenseType === "COMPLIMENTARY";
+}
+
+// Today Cloud access has the same derivation as Pro. Kept as a separate export so
+// call sites read clearly and the two can diverge later without a refactor.
+export const isWorkspaceCloud = isWorkspacePro;

package/lib/limits.ts

@@ -0,0 +1,31 @@
+// Shared guard rails for note size. Kept in lib (not a route) so both route
+// handlers and zod validation schemas can import them without a circular dep.
+export const MAX_CONTENT_LEN = 1_000_000; // ~1 MB of markdown
+export const MAX_TITLE_LEN = 500;
+
+// Calendar feed (read-only .ics import) limits.
+export const MAX_CALENDAR_FEEDS = 5;
+export const MAX_FEED_LABEL_LEN = 60;
+export const ICS_FETCH_TIMEOUT_MS = 10_000;
+export const ICS_MAX_BYTES = 2_000_000; // 2 MB
+export const CALENDAR_FEED_PAST_DAYS = 30;
+export const CALENDAR_FEED_FUTURE_DAYS = 180;
+
+/**
+ * Predefined palette for calendar feed colour chips.  Keys are stored in the DB;
+ * values map to Tailwind bg-* classes used in the calendar view.
+ */
+export const FEED_COLORS = {
+  sky:      { bg: "bg-sky-600",      bgLight: "bg-sky-600/20",      border: "border-sky-500/50",      text: "text-sky-300",      label: "Sky" },
+  violet:   { bg: "bg-violet-600",   bgLight: "bg-violet-600/20",   border: "border-violet-500/50",   text: "text-violet-300",   label: "Violet" },
+  emerald:  { bg: "bg-emerald-600",  bgLight: "bg-emerald-600/20",  border: "border-emerald-500/50",  text: "text-emerald-300",  label: "Emerald" },
+  amber:    { bg: "bg-amber-600",    bgLight: "bg-amber-600/20",    border: "border-amber-500/50",    text: "text-amber-300",    label: "Amber" },
+  rose:     { bg: "bg-rose-600",     bgLight: "bg-rose-600/20",     border: "border-rose-500/50",     text: "text-rose-300",     label: "Rose" },
+  cyan:     { bg: "bg-cyan-600",     bgLight: "bg-cyan-600/20",     border: "border-cyan-500/50",     text: "text-cyan-300",     label: "Cyan" },
+  fuchsia:  { bg: "bg-fuchsia-600",  bgLight: "bg-fuchsia-600/20",  border: "border-fuchsia-500/50",  text: "text-fuchsia-300",  label: "Fuchsia" },
+  orange:   { bg: "bg-orange-600",   bgLight: "bg-orange-600/20",   border: "border-orange-500/50",   text: "text-orange-300",   label: "Orange" },
+} as const;
+
+export type FeedColorKey = keyof typeof FEED_COLORS;
+export const FEED_COLOR_KEYS = Object.keys(FEED_COLORS) as FeedColorKey[];
+export const DEFAULT_FEED_COLOR: FeedColorKey = "sky";

package/lib/mcp-auth.test.ts

@@ -0,0 +1,58 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+const findUnique = vi.fn();
+
+vi.mock("@/lib/prisma", () => ({
+  prisma: {
+    mcpToken: {
+      findUnique,
+      update: vi.fn().mockResolvedValue(undefined),
+    },
+  },
+}));
+
+vi.mock("jose", () => ({
+  jwtVerify: vi.fn().mockResolvedValue({
+    payload: { userId: "user-1", workspaceId: "ws-1", tokenId: "tok-1" },
+  }),
+  SignJWT: class {},
+}));
+
+describe("verifyMcpToken", () => {
+  beforeEach(() => {
+    findUnique.mockReset();
+  });
+
+  it("rejects a token if the workspace does not match the JWT payload", async () => {
+    findUnique.mockResolvedValue({
+      id: "tok-1",
+      userId: "user-1",
+      workspaceId: "ws-2",
+      revokedAt: null,
+      alias: "Laptop",
+    });
+
+    const { verifyMcpToken } = await import("@/lib/mcp-auth");
+
+    await expect(verifyMcpToken("secret")).resolves.toBeNull();
+  });
+
+  it("accepts a token when the workspace matches the JWT payload", async () => {
+    findUnique.mockResolvedValue({
+      id: "tok-1",
+      userId: "user-1",
+      workspaceId: "ws-1",
+      revokedAt: null,
+      alias: "Laptop",
+    });
+
+    const { verifyMcpToken } = await import("@/lib/mcp-auth");
+
+    await expect(verifyMcpToken("secret")).resolves.toEqual({
+      userId: "user-1",
+      workspaceId: "ws-1",
+      tokenId: "tok-1",
+      alias: "Laptop",
+    });
+  });
+});