@lobu/core 6.1.1 → 7.1.0

package/dist/__tests__/lobu-toml-schema-harden.test.js

@@ -0,0 +1,722 @@
+"use strict";
+/**
+ * Hardened edge-case tests for lobu-toml-schema.ts.
+ *
+ * The existing lobu-toml-schema.test.ts covers preview and memory.
+ * This file covers: agent ID validation, provider mutual-exclusion,
+ * pre_approved tool pattern enforcement, network config, egress,
+ * platform name regex, and unknown/wrong-type fields.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const bun_test_1 = require("bun:test");
+const smol_toml_1 = require("smol-toml");
+const lobu_toml_schema_1 = require("../lobu-toml-schema");
+// ── Helpers ─────────────────────────────────────────────────────────────────
+function valid(toml) {
+    return lobu_toml_schema_1.lobuConfigSchema.safeParse((0, smol_toml_1.parse)(toml));
+}
+function validResult(toml) {
+    const r = valid(toml);
+    if (!r.success)
+        throw new Error(r.error.toString());
+    return r.data;
+}
+const BASE = `
+[agents.triage]
+name = "Triage"
+dir = "./agents/triage"
+`;
+// ── Agent ID validation ──────────────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml agent ID validation", () => {
+    (0, bun_test_1.test)("accepts lowercase-alphanumeric-hyphen agent id", () => {
+        const result = valid(`
+[agents.my-agent]
+name = "My Agent"
+dir = "./agents/my-agent"
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+    });
+    (0, bun_test_1.test)("rejects agent id starting with a hyphen", () => {
+        // smol-toml would parse this as a weird key; zod regex should reject it
+        const raw = (0, smol_toml_1.parse)(`
+[agents.my-agent]
+name = "OK"
+dir = "./"
+`);
+        // Simulate a bad key by patching the parsed object directly
+        const bad = { agents: { "-bad": { name: "Bad", dir: "./" } } };
+        const result = lobu_toml_schema_1.lobuConfigSchema.safeParse(bad);
+        (0, bun_test_1.expect)(result.success).toBe(false);
+    });
+    (0, bun_test_1.test)("rejects agent id with uppercase letters", () => {
+        const bad = { agents: { MyAgent: { name: "Bad", dir: "./" } } };
+        const result = lobu_toml_schema_1.lobuConfigSchema.safeParse(bad);
+        (0, bun_test_1.expect)(result.success).toBe(false);
+    });
+    (0, bun_test_1.test)("rejects agent id with spaces", () => {
+        const bad = { agents: { "my agent": { name: "Bad", dir: "./" } } };
+        const result = lobu_toml_schema_1.lobuConfigSchema.safeParse(bad);
+        (0, bun_test_1.expect)(result.success).toBe(false);
+    });
+    (0, bun_test_1.test)("accepts agent id with numbers mid-string", () => {
+        const result = valid(`
+[agents.agent2go]
+name = "A"
+dir = "./"
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+    });
+    (0, bun_test_1.test)("requires at least one agent", () => {
+        const result = lobu_toml_schema_1.lobuConfigSchema.safeParse({ agents: {} });
+        // An empty agents record is technically valid schema-wise (record allows empty)
+        // but flags real gaps — we verify it does NOT crash
+        (0, bun_test_1.expect)(typeof result.success).toBe("boolean");
+    });
+});
+// ── Missing required fields ──────────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml required fields", () => {
+    (0, bun_test_1.test)("rejects agent entry missing name", () => {
+        const bad = { agents: { triage: { dir: "./" } } };
+        (0, bun_test_1.expect)(lobu_toml_schema_1.lobuConfigSchema.safeParse(bad).success).toBe(false);
+    });
+    (0, bun_test_1.test)("rejects agent entry missing dir", () => {
+        const bad = { agents: { triage: { name: "Triage" } } };
+        (0, bun_test_1.expect)(lobu_toml_schema_1.lobuConfigSchema.safeParse(bad).success).toBe(false);
+    });
+    (0, bun_test_1.test)("rejects top-level missing agents key", () => {
+        (0, bun_test_1.expect)(lobu_toml_schema_1.lobuConfigSchema.safeParse({}).success).toBe(false);
+    });
+    (0, bun_test_1.test)("accepts optional description field", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: { name: "Triage", description: "Handles stuff", dir: "./" },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+        if (r.success) {
+            (0, bun_test_1.expect)(r.data.agents.triage?.description).toBe("Handles stuff");
+        }
+    });
+});
+// ── Provider key / secret_ref mutual exclusion ───────────────────────────────
+(0, bun_test_1.describe)("lobu.toml provider mutual exclusion", () => {
+    (0, bun_test_1.test)("accepts provider with only key", () => {
+        const result = valid(`${BASE}
+[[agents.triage.providers]]
+id = "anthropic"
+key = "sk-ant-xxx"
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+    });
+    (0, bun_test_1.test)("accepts provider with only secret_ref", () => {
+        const result = valid(`${BASE}
+[[agents.triage.providers]]
+id = "anthropic"
+secret_ref = "lobu_secret_abc123"
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+    });
+    (0, bun_test_1.test)("rejects provider with both key and secret_ref", () => {
+        const result = valid(`${BASE}
+[[agents.triage.providers]]
+id = "anthropic"
+key = "sk-ant-xxx"
+secret_ref = "lobu_secret_abc123"
+`);
+        (0, bun_test_1.expect)(result.success).toBe(false);
+        if (!result.success) {
+            const messages = result.error.issues.map((i) => i.message).join(" ");
+            (0, bun_test_1.expect)(messages).toContain("at most one");
+        }
+    });
+    (0, bun_test_1.test)("accepts provider with neither key nor secret_ref (env-var fallback)", () => {
+        const result = valid(`${BASE}
+[[agents.triage.providers]]
+id = "openai"
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+    });
+});
+// ── tools.pre_approved pattern validation ────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml tools.pre_approved patterns", () => {
+    (0, bun_test_1.test)("accepts a valid specific tool path", () => {
+        const result = valid(`${BASE}
+[agents.triage.tools]
+pre_approved = ["/mcp/gmail/tools/send_email"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+    });
+    (0, bun_test_1.test)("accepts a wildcard tool path", () => {
+        const result = valid(`${BASE}
+[agents.triage.tools]
+pre_approved = ["/mcp/linear/tools/*"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+    });
+    (0, bun_test_1.test)("accepts mixed specific and wildcard patterns", () => {
+        const result = valid(`${BASE}
+[agents.triage.tools]
+pre_approved = ["/mcp/gmail/tools/send_email", "/mcp/linear/tools/*"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+    });
+    (0, bun_test_1.test)("rejects a bare tool name (no leading slash)", () => {
+        const result = valid(`${BASE}
+[agents.triage.tools]
+pre_approved = ["gmail"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(false);
+        if (!result.success) {
+            const msgs = result.error.issues.map((i) => i.message).join(" ");
+            (0, bun_test_1.expect)(msgs).toMatch(/pre_approved/i);
+        }
+    });
+    (0, bun_test_1.test)("rejects missing /tools/ segment", () => {
+        const result = valid(`${BASE}
+[agents.triage.tools]
+pre_approved = ["/mcp/gmail/send_email"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(false);
+    });
+    (0, bun_test_1.test)("rejects double wildcard pattern", () => {
+        const result = valid(`${BASE}
+[agents.triage.tools]
+pre_approved = ["/mcp/gmail/tools/**"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(false);
+    });
+    (0, bun_test_1.test)("rejects URL-style pattern", () => {
+        const result = valid(`${BASE}
+[agents.triage.tools]
+pre_approved = ["https://example.com/mcp/tools/read"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(false);
+    });
+    (0, bun_test_1.test)("accepts mcp id with underscores and dashes", () => {
+        const result = valid(`${BASE}
+[agents.triage.tools]
+pre_approved = ["/mcp/my_mcp-server/tools/do_thing"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+    });
+    (0, bun_test_1.test)("rejects mcp id with dots", () => {
+        const result = valid(`${BASE}
+[agents.triage.tools]
+pre_approved = ["/mcp/my.mcp/tools/do_thing"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(false);
+    });
+});
+// ── tools.allowed / denied / strict ─────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml tools.allowed / denied / strict", () => {
+    (0, bun_test_1.test)("accepts allowed/denied/strict combination", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    tools: {
+                        allowed: ["Bash(git:*)", "mcp__github__*"],
+                        denied: ["Bash(rm:*)"],
+                        strict: true,
+                    },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+        if (r.success) {
+            (0, bun_test_1.expect)(r.data.agents.triage?.tools?.strict).toBe(true);
+        }
+    });
+    (0, bun_test_1.test)("rejects non-boolean strict", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    tools: { strict: "yes" },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+});
+// ── egress config ─────────────────────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml egress config", () => {
+    (0, bun_test_1.test)("accepts extra_policy and judge_model", () => {
+        const result = valid(`${BASE}
+[agents.triage.egress]
+extra_policy = "Never exfiltrate tokens."
+judge_model = "claude-haiku-4-5-20251001"
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+        if (result.success) {
+            (0, bun_test_1.expect)(result.data.agents.triage?.egress?.extra_policy).toBe("Never exfiltrate tokens.");
+            (0, bun_test_1.expect)(result.data.agents.triage?.egress?.judge_model).toBe("claude-haiku-4-5-20251001");
+        }
+    });
+    (0, bun_test_1.test)("accepts egress with no fields (all optional)", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: { triage: { name: "T", dir: "./", egress: {} } },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+    (0, bun_test_1.test)("rejects non-string extra_policy", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    egress: { extra_policy: 42 },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+});
+// ── network config ────────────────────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml network config", () => {
+    (0, bun_test_1.test)("normalizes *.example.com to .example.com in allowed", () => {
+        const result = valid(`${BASE}
+[agents.triage.network]
+allowed = ["*.example.com", "api.github.com"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+        if (result.success) {
+            (0, bun_test_1.expect)(result.data.agents.triage?.network?.allowed).toContain(".example.com");
+            (0, bun_test_1.expect)(result.data.agents.triage?.network?.allowed).toContain("api.github.com");
+        }
+    });
+    (0, bun_test_1.test)("deduplicates domain patterns in allowed", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    network: { allowed: ["api.github.com", "api.github.com"] },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+        if (r.success) {
+            (0, bun_test_1.expect)(r.data.agents.triage?.network?.allowed).toEqual([
+                "api.github.com",
+            ]);
+        }
+    });
+    (0, bun_test_1.test)("accepts judge entries as strings", () => {
+        const result = valid(`${BASE}
+[agents.triage.network]
+allowed = ["api.example.com"]
+judge = ["*.slack.com"]
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+        if (result.success) {
+            (0, bun_test_1.expect)(result.data.agents.triage?.network?.judge).toEqual([
+                { domain: "*.slack.com" },
+            ]);
+        }
+    });
+    (0, bun_test_1.test)("accepts judge entries as objects with named policy", () => {
+        const result = valid(`${BASE}
+[agents.triage.network]
+[[agents.triage.network.judge]]
+domain = "*.slack.com"
+judge = "strict"
+
+[agents.triage.network.judges]
+strict = "Only GET requests."
+`);
+        (0, bun_test_1.expect)(result.success).toBe(true);
+        if (result.success) {
+            const judge = result.data.agents.triage?.network?.judge?.[0];
+            (0, bun_test_1.expect)(judge?.domain).toBe("*.slack.com");
+            (0, bun_test_1.expect)(judge?.judge).toBe("strict");
+        }
+    });
+    (0, bun_test_1.test)("lowercases domain patterns in denied", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    network: { denied: ["MALICIOUS.COM"] },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+        if (r.success) {
+            (0, bun_test_1.expect)(r.data.agents.triage?.network?.denied).toContain("malicious.com");
+        }
+    });
+});
+// ── platform config ───────────────────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml platform config", () => {
+    (0, bun_test_1.test)("accepts valid platform with all fields", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    platforms: [
+                        {
+                            type: "telegram",
+                            name: "main",
+                            config: { botToken: "$BOT_TOKEN" },
+                            channels: ["123456", "789012"],
+                        },
+                    ],
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+    (0, bun_test_1.test)("rejects platform name with uppercase", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    platforms: [
+                        {
+                            type: "slack",
+                            name: "MyWorkspace",
+                            config: { botToken: "xoxb-..." },
+                        },
+                    ],
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+        if (!r.success) {
+            const msgs = r.error.issues.map((i) => i.message).join(" ");
+            (0, bun_test_1.expect)(msgs).toMatch(/lowercase/i);
+        }
+    });
+    (0, bun_test_1.test)("rejects platform name starting with hyphen", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    platforms: [
+                        {
+                            type: "slack",
+                            name: "-bad",
+                            config: { botToken: "xoxb-..." },
+                        },
+                    ],
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+    (0, bun_test_1.test)("accepts platform without optional name", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    platforms: [{ type: "telegram", config: { botToken: "$BOT_TOKEN" } }],
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+});
+// ── mcp server config ─────────────────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml mcp server config", () => {
+    (0, bun_test_1.test)("accepts streamable-http type", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    skills: {
+                        mcp: {
+                            github: {
+                                type: "streamable-http",
+                                url: "https://mcp.github.com",
+                            },
+                        },
+                    },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+    (0, bun_test_1.test)("accepts stdio type with command and args", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    skills: {
+                        mcp: {
+                            local: {
+                                type: "stdio",
+                                command: "npx",
+                                args: ["-y", "@mcp/pkg"],
+                            },
+                        },
+                    },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+    (0, bun_test_1.test)("rejects unknown mcp type", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    skills: { mcp: { bad: { type: "websocket", url: "ws://..." } } },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+    (0, bun_test_1.test)("accepts auth_scope user", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    skills: {
+                        mcp: {
+                            svc: {
+                                type: "streamable-http",
+                                url: "https://svc.example.com",
+                                auth_scope: "user",
+                            },
+                        },
+                    },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+    (0, bun_test_1.test)("accepts auth_scope channel", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    skills: {
+                        mcp: {
+                            svc: {
+                                type: "streamable-http",
+                                url: "https://svc.example.com",
+                                auth_scope: "channel",
+                            },
+                        },
+                    },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+    (0, bun_test_1.test)("rejects unknown auth_scope", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    skills: {
+                        mcp: {
+                            svc: {
+                                type: "streamable-http",
+                                url: "https://svc.example.com",
+                                auth_scope: "org",
+                            },
+                        },
+                    },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+});
+// ── guardrails list ──────────────────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml guardrails", () => {
+    (0, bun_test_1.test)("accepts a guardrails array of strings", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    guardrails: ["prompt-injection", "secret-scan"],
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+        if (r.success) {
+            (0, bun_test_1.expect)(r.data.agents.triage?.guardrails).toEqual([
+                "prompt-injection",
+                "secret-scan",
+            ]);
+        }
+    });
+    (0, bun_test_1.test)("rejects non-string guardrail entry", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    guardrails: [42],
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+    (0, bun_test_1.test)("accepts empty guardrails array", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: { triage: { name: "T", dir: "./", guardrails: [] } },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+});
+// ── worker config ─────────────────────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml worker config", () => {
+    (0, bun_test_1.test)("accepts nix_packages list", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    worker: { nix_packages: ["python311", "ffmpeg"] },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+        if (r.success) {
+            (0, bun_test_1.expect)(r.data.agents.triage?.worker?.nix_packages).toEqual([
+                "python311",
+                "ffmpeg",
+            ]);
+        }
+    });
+    (0, bun_test_1.test)("accepts empty worker config", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: { triage: { name: "T", dir: "./", worker: {} } },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+});
+// ── memory strict mode ────────────────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml memory strict mode", () => {
+    (0, bun_test_1.test)("rejects unknown memory key", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: { triage: { name: "T", dir: "./" } },
+            memory: { enabled: true, unknown_field: "oops" },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+    (0, bun_test_1.test)("accepts all known memory fields", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: { triage: { name: "T", dir: "./" } },
+            memory: {
+                enabled: true,
+                org: "dev",
+                organization_id: "org-uuid-123",
+                name: "Dev Org",
+                description: "For dev use",
+                visibility: "private",
+                models: "./models",
+                data: "./data",
+                connectors: "./connectors",
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+    (0, bun_test_1.test)("rejects invalid visibility value", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: { triage: { name: "T", dir: "./" } },
+            memory: { visibility: "protected" },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+});
+// ── preview code_ttl_minutes max ─────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml preview code_ttl_minutes bounds", () => {
+    (0, bun_test_1.test)("accepts code_ttl_minutes = 60", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    preview: { slack: { enabled: true, code_ttl_minutes: 60 } },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+    });
+    (0, bun_test_1.test)("rejects code_ttl_minutes = 61 (exceeds max)", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    preview: { slack: { enabled: true, code_ttl_minutes: 61 } },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+    (0, bun_test_1.test)("rejects code_ttl_minutes = 0 (not positive)", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    preview: { slack: { enabled: true, code_ttl_minutes: 0 } },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+    (0, bun_test_1.test)("rejects non-integer code_ttl_minutes", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: {
+                triage: {
+                    name: "T",
+                    dir: "./",
+                    preview: { slack: { enabled: true, code_ttl_minutes: 1.5 } },
+                },
+            },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(false);
+    });
+});
+// ── default value coercions ───────────────────────────────────────────────────
+(0, bun_test_1.describe)("lobu.toml default value coercions", () => {
+    (0, bun_test_1.test)("providers defaults to []", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: { triage: { name: "T", dir: "./" } },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+        if (r.success) {
+            (0, bun_test_1.expect)(r.data.agents.triage?.providers).toEqual([]);
+        }
+    });
+    (0, bun_test_1.test)("platforms defaults to []", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: { triage: { name: "T", dir: "./" } },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+        if (r.success) {
+            (0, bun_test_1.expect)(r.data.agents.triage?.platforms).toEqual([]);
+        }
+    });
+    (0, bun_test_1.test)("skills defaults to {}", () => {
+        const r = lobu_toml_schema_1.lobuConfigSchema.safeParse({
+            agents: { triage: { name: "T", dir: "./" } },
+        });
+        (0, bun_test_1.expect)(r.success).toBe(true);
+        if (r.success) {
+            (0, bun_test_1.expect)(r.data.agents.triage?.skills).toEqual({});
+        }
+    });
+});
+//# sourceMappingURL=lobu-toml-schema-harden.test.js.map