npm - @lobu/gateway - Versions diffs - 3.0.8 → 3.0.12 - Mend

@lobu/gateway 3.0.8 → 3.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (219) hide show

package/dist/api/platform.d.ts.map +1 -1
package/dist/api/platform.js +8 -26
package/dist/api/platform.js.map +1 -1
package/dist/auth/mcp/proxy.d.ts +14 -0
package/dist/auth/mcp/proxy.d.ts.map +1 -1
package/dist/auth/mcp/proxy.js +149 -13
package/dist/auth/mcp/proxy.js.map +1 -1
package/dist/cli/gateway.d.ts.map +1 -1
package/dist/cli/gateway.js +29 -0
package/dist/cli/gateway.js.map +1 -1
package/dist/cli/index.js +2 -2
package/dist/cli/index.js.map +1 -1
package/dist/connections/chat-instance-manager.d.ts.map +1 -1
package/dist/connections/chat-instance-manager.js +2 -1
package/dist/connections/chat-instance-manager.js.map +1 -1
package/dist/connections/interaction-bridge.d.ts +9 -2
package/dist/connections/interaction-bridge.d.ts.map +1 -1
package/dist/connections/interaction-bridge.js +132 -230
package/dist/connections/interaction-bridge.js.map +1 -1
package/dist/connections/message-handler-bridge.d.ts.map +1 -1
package/dist/connections/message-handler-bridge.js +44 -26
package/dist/connections/message-handler-bridge.js.map +1 -1
package/dist/interactions.d.ts +9 -43
package/dist/interactions.d.ts.map +1 -1
package/dist/interactions.js +10 -52
package/dist/interactions.js.map +1 -1
package/dist/orchestration/base-deployment-manager.js +7 -7
package/dist/orchestration/base-deployment-manager.js.map +1 -1
package/dist/platform/unified-thread-consumer.d.ts.map +1 -1
package/dist/platform/unified-thread-consumer.js +38 -34
package/dist/platform/unified-thread-consumer.js.map +1 -1
package/dist/routes/public/agent.d.ts +4 -0
package/dist/routes/public/agent.d.ts.map +1 -1
package/dist/routes/public/agent.js +21 -0
package/dist/routes/public/agent.js.map +1 -1
package/dist/services/core-services.d.ts.map +1 -1
package/dist/services/core-services.js +4 -0
package/dist/services/core-services.js.map +1 -1
package/package.json +2 -2
package/src/__tests__/agent-config-routes.test.ts +0 -254
package/src/__tests__/agent-history-routes.test.ts +0 -72
package/src/__tests__/agent-routes.test.ts +0 -68
package/src/__tests__/agent-schedules-routes.test.ts +0 -59
package/src/__tests__/agent-settings-store.test.ts +0 -323
package/src/__tests__/bedrock-model-catalog.test.ts +0 -40
package/src/__tests__/bedrock-openai-service.test.ts +0 -157
package/src/__tests__/bedrock-provider-module.test.ts +0 -56
package/src/__tests__/chat-instance-manager-slack.test.ts +0 -204
package/src/__tests__/chat-response-bridge.test.ts +0 -131
package/src/__tests__/config-memory-plugins.test.ts +0 -92
package/src/__tests__/config-request-store.test.ts +0 -127
package/src/__tests__/connection-routes.test.ts +0 -144
package/src/__tests__/core-services-store-selection.test.ts +0 -92
package/src/__tests__/docker-deployment.test.ts +0 -1211
package/src/__tests__/embedded-deployment.test.ts +0 -342
package/src/__tests__/grant-store.test.ts +0 -148
package/src/__tests__/http-proxy.test.ts +0 -281
package/src/__tests__/instruction-service.test.ts +0 -37
package/src/__tests__/link-buttons.test.ts +0 -112
package/src/__tests__/lobu.test.ts +0 -32
package/src/__tests__/mcp-config-service.test.ts +0 -347
package/src/__tests__/mcp-proxy.test.ts +0 -694
package/src/__tests__/message-handler-bridge.test.ts +0 -17
package/src/__tests__/model-selection.test.ts +0 -172
package/src/__tests__/oauth-templates.test.ts +0 -39
package/src/__tests__/platform-adapter-slack-send.test.ts +0 -114
package/src/__tests__/platform-helpers-model-resolution.test.ts +0 -253
package/src/__tests__/provider-inheritance.test.ts +0 -212
package/src/__tests__/routes/cli-auth.test.ts +0 -337
package/src/__tests__/routes/interactions.test.ts +0 -121
package/src/__tests__/secret-proxy.test.ts +0 -85
package/src/__tests__/session-manager.test.ts +0 -572
package/src/__tests__/setup.ts +0 -133
package/src/__tests__/skill-and-mcp-registry.test.ts +0 -203
package/src/__tests__/slack-routes.test.ts +0 -161
package/src/__tests__/system-config-resolver.test.ts +0 -75
package/src/__tests__/system-message-limiter.test.ts +0 -89
package/src/__tests__/system-skills-service.test.ts +0 -362
package/src/__tests__/transcription-service.test.ts +0 -222
package/src/__tests__/utils/rate-limiter.test.ts +0 -102
package/src/__tests__/worker-connection-manager.test.ts +0 -497
package/src/__tests__/worker-job-router.test.ts +0 -722
package/src/api/index.ts +0 -1
package/src/api/platform.ts +0 -292
package/src/api/response-renderer.ts +0 -157
package/src/auth/agent-metadata-store.ts +0 -168
package/src/auth/api-auth-middleware.ts +0 -69
package/src/auth/api-key-provider-module.ts +0 -213
package/src/auth/base-provider-module.ts +0 -201
package/src/auth/bedrock/provider-module.ts +0 -110
package/src/auth/chatgpt/chatgpt-oauth-module.ts +0 -185
package/src/auth/chatgpt/device-code-client.ts +0 -218
package/src/auth/chatgpt/index.ts +0 -1
package/src/auth/claude/oauth-module.ts +0 -280
package/src/auth/cli/token-service.ts +0 -249
package/src/auth/external/client.ts +0 -560
package/src/auth/external/device-code-client.ts +0 -235
package/src/auth/mcp/config-service.ts +0 -420
package/src/auth/mcp/proxy.ts +0 -1086
package/src/auth/mcp/string-substitution.ts +0 -17
package/src/auth/mcp/tool-cache.ts +0 -90
package/src/auth/oauth/base-client.ts +0 -267
package/src/auth/oauth/client.ts +0 -153
package/src/auth/oauth/credentials.ts +0 -7
package/src/auth/oauth/providers.ts +0 -69
package/src/auth/oauth/state-store.ts +0 -150
package/src/auth/oauth-templates.ts +0 -179
package/src/auth/provider-catalog.ts +0 -220
package/src/auth/provider-model-options.ts +0 -41
package/src/auth/settings/agent-settings-store.ts +0 -565
package/src/auth/settings/auth-profiles-manager.ts +0 -216
package/src/auth/settings/index.ts +0 -12
package/src/auth/settings/model-preference-store.ts +0 -52
package/src/auth/settings/model-selection.ts +0 -135
package/src/auth/settings/resolved-settings-view.ts +0 -298
package/src/auth/settings/template-utils.ts +0 -44
package/src/auth/settings/token-service.ts +0 -88
package/src/auth/system-env-store.ts +0 -98
package/src/auth/user-agents-store.ts +0 -68
package/src/channels/binding-service.ts +0 -214
package/src/channels/index.ts +0 -4
package/src/cli/gateway.ts +0 -1312
package/src/cli/index.ts +0 -74
package/src/commands/built-in-commands.ts +0 -80
package/src/commands/command-dispatcher.ts +0 -94
package/src/commands/command-reply-adapters.ts +0 -27
package/src/config/file-loader.ts +0 -618
package/src/config/index.ts +0 -588
package/src/config/network-allowlist.ts +0 -71
package/src/connections/chat-instance-manager.ts +0 -1284
package/src/connections/chat-response-bridge.ts +0 -618
package/src/connections/index.ts +0 -7
package/src/connections/interaction-bridge.ts +0 -831
package/src/connections/message-handler-bridge.ts +0 -415
package/src/connections/platform-auth-methods.ts +0 -15
package/src/connections/types.ts +0 -84
package/src/gateway/connection-manager.ts +0 -291
package/src/gateway/index.ts +0 -698
package/src/gateway/job-router.ts +0 -201
package/src/gateway-main.ts +0 -200
package/src/index.ts +0 -41
package/src/infrastructure/queue/index.ts +0 -12
package/src/infrastructure/queue/queue-producer.ts +0 -148
package/src/infrastructure/queue/redis-queue.ts +0 -361
package/src/infrastructure/queue/types.ts +0 -133
package/src/infrastructure/redis/system-message-limiter.ts +0 -94
package/src/interactions/config-request-store.ts +0 -198
package/src/interactions.ts +0 -363
package/src/lobu.ts +0 -311
package/src/metrics/prometheus.ts +0 -159
package/src/modules/module-system.ts +0 -179
package/src/orchestration/base-deployment-manager.ts +0 -900
package/src/orchestration/deployment-utils.ts +0 -98
package/src/orchestration/impl/docker-deployment.ts +0 -620
package/src/orchestration/impl/embedded-deployment.ts +0 -268
package/src/orchestration/impl/index.ts +0 -8
package/src/orchestration/impl/k8s/deployment.ts +0 -1061
package/src/orchestration/impl/k8s/helpers.ts +0 -610
package/src/orchestration/impl/k8s/index.ts +0 -1
package/src/orchestration/index.ts +0 -333
package/src/orchestration/message-consumer.ts +0 -584
package/src/orchestration/scheduled-wakeup.ts +0 -704
package/src/permissions/approval-policy.ts +0 -36
package/src/permissions/grant-store.ts +0 -219
package/src/platform/file-handler.ts +0 -66
package/src/platform/link-buttons.ts +0 -57
package/src/platform/renderer-utils.ts +0 -44
package/src/platform/response-renderer.ts +0 -84
package/src/platform/unified-thread-consumer.ts +0 -187
package/src/platform.ts +0 -318
package/src/proxy/http-proxy.ts +0 -752
package/src/proxy/proxy-manager.ts +0 -81
package/src/proxy/secret-proxy.ts +0 -402
package/src/proxy/token-refresh-job.ts +0 -143
package/src/routes/internal/audio.ts +0 -141
package/src/routes/internal/device-auth.ts +0 -652
package/src/routes/internal/files.ts +0 -226
package/src/routes/internal/history.ts +0 -69
package/src/routes/internal/images.ts +0 -127
package/src/routes/internal/interactions.ts +0 -84
package/src/routes/internal/middleware.ts +0 -23
package/src/routes/internal/schedule.ts +0 -226
package/src/routes/internal/types.ts +0 -22
package/src/routes/openapi-auto.ts +0 -239
package/src/routes/public/agent-access.ts +0 -23
package/src/routes/public/agent-config.ts +0 -675
package/src/routes/public/agent-history.ts +0 -422
package/src/routes/public/agent-schedules.ts +0 -296
package/src/routes/public/agent.ts +0 -1086
package/src/routes/public/agents.ts +0 -373
package/src/routes/public/channels.ts +0 -191
package/src/routes/public/cli-auth.ts +0 -896
package/src/routes/public/connections.ts +0 -574
package/src/routes/public/landing.ts +0 -16
package/src/routes/public/oauth.ts +0 -147
package/src/routes/public/settings-auth.ts +0 -104
package/src/routes/public/slack.ts +0 -173
package/src/routes/shared/agent-ownership.ts +0 -101
package/src/routes/shared/token-verifier.ts +0 -34
package/src/services/bedrock-model-catalog.ts +0 -217
package/src/services/bedrock-openai-service.ts +0 -658
package/src/services/core-services.ts +0 -1072
package/src/services/image-generation-service.ts +0 -257
package/src/services/instruction-service.ts +0 -318
package/src/services/mcp-registry.ts +0 -94
package/src/services/platform-helpers.ts +0 -287
package/src/services/session-manager.ts +0 -262
package/src/services/settings-resolver.ts +0 -74
package/src/services/system-config-resolver.ts +0 -89
package/src/services/system-skills-service.ts +0 -229
package/src/services/transcription-service.ts +0 -684
package/src/session.ts +0 -110
package/src/spaces/index.ts +0 -1
package/src/spaces/space-resolver.ts +0 -17
package/src/stores/in-memory-agent-store.ts +0 -403
package/src/stores/redis-agent-store.ts +0 -279
package/src/utils/public-url.ts +0 -44
package/src/utils/rate-limiter.ts +0 -94
package/tsconfig.json +0 -33

package/src/__tests__/docker-deployment.test.ts DELETED Viewed

@@ -1,1211 +0,0 @@
-import {
-  afterEach,
-  beforeEach,
-  describe,
-  expect,
-  mock,
-  spyOn,
-  test,
-} from "bun:test";
-import fs from "node:fs";
-import type {
-  MessagePayload,
-  OrchestratorConfig,
-} from "../orchestration/base-deployment-manager";
-// ---------------------------------------------------------------------------
-// Mock dockerode
-// ---------------------------------------------------------------------------
-const mockContainer = {
-  id: "container-id-123",
-  start: mock(async () => {
-    /* noop */
-  }),
-  stop: mock(async () => {
-    /* noop */
-  }),
-  remove: mock(async () => {
-    /* noop */
-  }),
-  inspect: mock(async () => ({ State: { Running: true } })),
-  wait: mock(async () => {
-    /* noop */
-  }),
-};
-const mockVolume = {
-  inspect: mock(async () => ({})),
-};
-const mockNetwork = {
-  inspect: mock(async () => ({ Internal: true })),
-  connect: mock(async () => {
-    /* noop */
-  }),
-};
-const mockDocker = {
-  info: mock(async () => ({ Runtimes: {} })),
-  createContainer: mock(async () => mockContainer),
-  getContainer: mock(() => mockContainer),
-  createVolume: mock(async () => mockVolume),
-  getVolume: mock(() => mockVolume),
-  createNetwork: mock(async () => mockNetwork),
-  getNetwork: mock(() => mockNetwork),
-  listContainers: mock(async () => []),
-  getImage: mock(() => ({ inspect: mock(async () => ({})) })),
-  pull: mock((_name: string, cb: Function) =>
-    cb(null, {
-      on: () => {
-        /* noop */
-      },
-    })
-  ),
-  modem: { followProgress: (_stream: any, cb: Function) => cb(null) },
-};
-mock.module("dockerode", () => ({
-  default: class MockDocker {
-    constructor() {
-      Object.assign(this, mockDocker);
-    }
-  },
-}));
-// Must import after mocks are set up
-const { DockerDeploymentManager } = await import(
-  "../orchestration/impl/docker-deployment"
-);
-// ---------------------------------------------------------------------------
-// Constants & helpers
-// ---------------------------------------------------------------------------
-const TEST_ENCRYPTION_KEY =
-  "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
-const TEST_CONFIG: OrchestratorConfig = {
-  queues: {
-    connectionString: "redis://localhost:6379",
-    retryLimit: 3,
-    retryDelay: 5,
-    expireInSeconds: 300,
-  },
-  worker: {
-    image: {
-      repository: "lobu-worker",
-      tag: "latest",
-      pullPolicy: "IfNotPresent",
-    },
-    resources: {
-      requests: { cpu: "100m", memory: "128Mi" },
-      limits: { cpu: "500m", memory: "512Mi" },
-    },
-    idleCleanupMinutes: 30,
-    maxDeployments: 10,
-  },
-  kubernetes: { namespace: "default" },
-  cleanup: { initialDelayMs: 5000, intervalMs: 60000, veryOldDays: 7 },
-};
-function createTestMessagePayload(
-  overrides?: Partial<MessagePayload>
-): MessagePayload {
-  return {
-    userId: "user-1",
-    conversationId: "conv-1",
-    channelId: "ch-1",
-    messageId: "msg-1",
-    teamId: "team-1",
-    agentId: "test-agent",
-    botId: "bot-1",
-    platform: "slack",
-    messageText: "hello",
-    platformMetadata: {},
-    agentOptions: {},
-    ...overrides,
-  } as MessagePayload;
-}
-const MOCK_DEFAULTS: Array<
-  [{ mockReset: Function; mockImplementation: Function }, Function]
-> = [
-  [
-    mockContainer.start,
-    async () => {
-      /* noop */
-    },
-  ],
-  [
-    mockContainer.stop,
-    async () => {
-      /* noop */
-    },
-  ],
-  [
-    mockContainer.remove,
-    async () => {
-      /* noop */
-    },
-  ],
-  [mockContainer.inspect, async () => ({ State: { Running: true } })],
-  [mockDocker.info, async () => ({ Runtimes: {} })],
-  [mockDocker.createContainer, async () => mockContainer],
-  [mockDocker.getContainer, () => mockContainer],
-  [mockDocker.createVolume, async () => mockVolume],
-  [mockDocker.getVolume, () => mockVolume],
-  [mockDocker.createNetwork, async () => mockNetwork],
-  [mockDocker.getNetwork, () => mockNetwork],
-  [mockDocker.listContainers, async () => []],
-  [mockDocker.getImage, () => ({ inspect: mock(async () => ({})) })],
-  [
-    mockDocker.pull,
-    (_name: string, cb: Function) =>
-      cb(null, {
-        on: () => {
-          /* noop */
-        },
-      }),
-  ],
-  [mockVolume.inspect, async () => ({})],
-  [mockNetwork.inspect, async () => ({ Internal: true })],
-  [
-    mockNetwork.connect,
-    async () => {
-      /* noop */
-    },
-  ],
-];
-function resetAllMocks() {
-  for (const [mockFn, impl] of MOCK_DEFAULTS) {
-    mockFn.mockReset();
-    mockFn.mockImplementation(impl);
-  }
-}
-/** Extract the main container creation options (skips init containers like alpine). */
-function getMainCreateOpts(): any {
-  const call = mockDocker.createContainer.mock.calls.find(
-    (c: any) => c[0]?.name === "test-deploy"
-  );
-  return call?.[0];
-}
-// ---------------------------------------------------------------------------
-// Test suite
-// ---------------------------------------------------------------------------
-describe("DockerDeploymentManager", () => {
-  let savedEnv: NodeJS.ProcessEnv;
-  beforeEach(() => {
-    savedEnv = { ...process.env };
-    process.env.ENCRYPTION_KEY = TEST_ENCRYPTION_KEY;
-    resetAllMocks();
-  });
-  afterEach(() => {
-    process.env = savedEnv;
-  });
-  function createManager(configOverrides?: Partial<OrchestratorConfig>) {
-    const config = { ...TEST_CONFIG, ...configOverrides };
-    return new DockerDeploymentManager(config);
-  }
-  // =========================================================================
-  // ResourceParser (tested indirectly via createContainer args)
-  // =========================================================================
-  describe("ResourceParser (via createDeployment)", () => {
-    test("parseMemory: 512Mi -> 512 * 1024 * 1024", async () => {
-      const manager = createManager({
-        worker: {
-          ...TEST_CONFIG.worker,
-          resources: {
-            requests: { cpu: "100m", memory: "128Mi" },
-            limits: { cpu: "500m", memory: "512Mi" },
-          },
-        },
-      });
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      const opts = mockDocker.createContainer.mock.calls[0]?.[0] as any;
-      expect(opts.HostConfig.Memory).toBe(512 * 1024 * 1024);
-    });
-    test("parseMemory: 1Gi -> 1024 * 1024 * 1024", async () => {
-      const manager = createManager({
-        worker: {
-          ...TEST_CONFIG.worker,
-          resources: {
-            requests: { cpu: "100m", memory: "128Mi" },
-            limits: { cpu: "1", memory: "1Gi" },
-          },
-        },
-      });
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      const opts = mockDocker.createContainer.mock.calls[0]?.[0] as any;
-      expect(opts.HostConfig.Memory).toBe(1024 * 1024 * 1024);
-    });
-    test("parseCpu: 500m -> 500_000_000 nanocpus", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      const opts = mockDocker.createContainer.mock.calls[0]?.[0] as any;
-      expect(opts.HostConfig.NanoCpus).toBe(500_000_000);
-    });
-    test("parseCpu: 1 core -> 1_000_000_000 nanocpus", async () => {
-      const manager = createManager({
-        worker: {
-          ...TEST_CONFIG.worker,
-          resources: {
-            requests: { cpu: "100m", memory: "128Mi" },
-            limits: { cpu: "1", memory: "512Mi" },
-          },
-        },
-      });
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      const opts = mockDocker.createContainer.mock.calls[0]?.[0] as any;
-      expect(opts.HostConfig.NanoCpus).toBe(1_000_000_000);
-    });
-  });
-  // =========================================================================
-  // Container creation & security
-  // =========================================================================
-  describe("createDeployment", () => {
-    test("calls docker.createContainer with correct image", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      const opts = getMainCreateOpts();
-      expect(opts).toBeDefined();
-      expect(opts.Image).toBe("lobu-worker:latest");
-    });
-    test("drops all capabilities: CapDrop=['ALL']", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.CapDrop).toEqual(["ALL"]);
-    });
-    test("adds configurable capabilities via WORKER_CAPABILITIES env var", async () => {
-      process.env.WORKER_CAPABILITIES = "NET_BIND_SERVICE,SYS_PTRACE";
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.CapAdd).toEqual([
-        "NET_BIND_SERVICE",
-        "SYS_PTRACE",
-      ]);
-    });
-    test("empty CapAdd when WORKER_CAPABILITIES not set", async () => {
-      delete process.env.WORKER_CAPABILITIES;
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.CapAdd).toEqual([]);
-    });
-    test("enables no-new-privileges security option", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.SecurityOpt).toContain(
-        "no-new-privileges:true"
-      );
-    });
-    test("uses readonly rootfs by default", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.ReadonlyRootfs).toBe(true);
-    });
-    test("disables readonly rootfs when Nix packages configured", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload({ nixConfig: { packages: ["nodejs"] } })
-      );
-      expect(getMainCreateOpts().HostConfig.ReadonlyRootfs).toBe(false);
-    });
-    test("disables readonly rootfs when Nix flakeUrl configured", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload({
-          nixConfig: { flakeUrl: "github:owner/repo" },
-        })
-      );
-      expect(getMainCreateOpts().HostConfig.ReadonlyRootfs).toBe(false);
-    });
-    test("adds tmpfs for /tmp when readonly rootfs enabled", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.Tmpfs).toEqual({
-        "/tmp": "rw,noexec,nosuid,size=100m",
-      });
-    });
-    test("does not add tmpfs when Nix packages configured", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload({ nixConfig: { packages: ["nodejs"] } })
-      );
-      expect(getMainCreateOpts().HostConfig.Tmpfs).toBeUndefined();
-    });
-    test("sets ShmSize to 256MB (268435456)", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.ShmSize).toBe(268435456);
-    });
-    test("uses gvisor runtime when available", async () => {
-      mockDocker.info.mockImplementation(async () => ({
-        Runtimes: { runsc: {} },
-      }));
-      const manager = createManager();
-      await new Promise((r) => setTimeout(r, 50));
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.Runtime).toBe("runsc");
-    });
-    test("uses default runtime when gvisor unavailable", async () => {
-      const manager = createManager();
-      await new Promise((r) => setTimeout(r, 50));
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.Runtime).toBeUndefined();
-    });
-    test("starts container after creation", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(mockContainer.start).toHaveBeenCalled();
-    });
-    test("removes container if start fails", async () => {
-      const removeMock = mock(async () => {
-        /* noop */
-      });
-      mockDocker.createContainer.mockImplementation(async (opts: any) => {
-        if (opts?.name === "test-deploy") {
-          return {
-            ...mockContainer,
-            id: "failed-container",
-            start: mock(async () => {
-              throw new Error("start failed");
-            }),
-            remove: removeMock,
-          };
-        }
-        return mockContainer;
-      });
-      const manager = createManager();
-      await expect(
-        manager.createDeployment(
-          "test-deploy",
-          "user",
-          "user-id",
-          createTestMessagePayload()
-        )
-      ).rejects.toThrow();
-      expect(removeMock).toHaveBeenCalledWith({ force: true });
-    });
-    test("sets WorkingDir to /workspace", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().WorkingDir).toBe("/workspace");
-    });
-  });
-  // =========================================================================
-  // Docker volume management
-  // =========================================================================
-  describe("volume management", () => {
-    test("volume created as lobu-workspace-{agentId}", async () => {
-      // Make getVolume throw so ensureVolume creates a new one
-      mockDocker.getVolume.mockImplementation(() => ({
-        inspect: mock(async () => {
-          throw new Error("no such volume");
-        }),
-      }));
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload({ agentId: "my-agent" })
-      );
-      expect(mockDocker.createVolume).toHaveBeenCalledWith(
-        expect.objectContaining({
-          Name: "lobu-workspace-my-agent",
-        })
-      );
-    });
-    test("volume shared across threads with same agentId", async () => {
-      const manager = createManager();
-      // First deployment
-      await manager.createDeployment(
-        "deploy-1",
-        "user",
-        "user-id",
-        createTestMessagePayload({ agentId: "shared-agent" })
-      );
-      // Second deployment with same agentId
-      await manager.createDeployment(
-        "deploy-2",
-        "user",
-        "user-id",
-        createTestMessagePayload({ agentId: "shared-agent" })
-      );
-      // Both main container calls should reference the same volume name
-      const mainCalls = mockDocker.createContainer.mock.calls.filter(
-        (call: any) =>
-          call[0]?.name === "deploy-1" || call[0]?.name === "deploy-2"
-      );
-      expect(mainCalls.length).toBe(2);
-      // In production mode (non-development), uses Mounts with volume
-      for (const call of mainCalls) {
-        const opts = call[0] as any;
-        if (opts.HostConfig.Mounts) {
-          expect(opts.HostConfig.Mounts[0].Source).toBe(
-            "lobu-workspace-shared-agent"
-          );
-        }
-      }
-    });
-    test("handles race condition on concurrent volume creation (409 conflict)", async () => {
-      mockDocker.getVolume.mockImplementation(() => ({
-        inspect: mock(async () => {
-          throw new Error("no such volume");
-        }),
-      }));
-      mockDocker.createVolume.mockImplementation(async () => {
-        const err: any = new Error("already exists");
-        err.statusCode = 409;
-        throw err;
-      });
-      const manager = createManager();
-      // Should not throw despite 409
-      await expect(
-        manager.createDeployment(
-          "test-deploy",
-          "user",
-          "user-id",
-          createTestMessagePayload()
-        )
-      ).resolves.toBeUndefined();
-    });
-    test("development mode uses bind mounts", async () => {
-      process.env.NODE_ENV = "development";
-      process.env.DEPLOYMENT_MODE = "docker";
-      process.env.LOBU_DEV_PROJECT_PATH = "/app";
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload({ agentId: "dev-agent" })
-      );
-      const mainCall = mockDocker.createContainer.mock.calls.find(
-        (call: any) => call[0]?.name === "test-deploy"
-      );
-      const opts = mainCall![0] as any;
-      expect(opts.HostConfig.Binds).toBeDefined();
-      expect(opts.HostConfig.Binds[0]).toContain(
-        "/app/workspaces/dev-agent:/workspace"
-      );
-    });
-  });
-  // =========================================================================
-  // Docker network
-  // =========================================================================
-  describe("network management", () => {
-    test("internal network created/checked with Internal flag", async () => {
-      // The constructor calls ensureInternalNetwork
-      delete process.env.WORKER_NETWORK;
-      mockNetwork.inspect.mockImplementation(async () => ({ Internal: true }));
-      createManager();
-      // ensureInternalNetwork is fire-and-forget, give it time
-      await new Promise((r) => setTimeout(r, 50));
-      expect(mockDocker.getNetwork).toHaveBeenCalled();
-    });
-    test("WORKER_NETWORK env var overrides network name", async () => {
-      process.env.WORKER_NETWORK = "custom-network";
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.NetworkMode).toBe("custom-network");
-    });
-    test("uses compose project name for default network", async () => {
-      delete process.env.WORKER_NETWORK;
-      process.env.COMPOSE_PROJECT_NAME = "myproject";
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.NetworkMode).toBe(
-        "myproject_lobu-internal"
-      );
-    });
-    test("host mode connects to public network too", async () => {
-      delete process.env.WORKER_NETWORK;
-      // Simulate running on host (not in container)
-      delete process.env.CONTAINER;
-      const existsSpy = spyOn(fs, "existsSync").mockReturnValue(false);
-      const manager = createManager();
-      await new Promise((r) => setTimeout(r, 50));
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      // Should attempt to connect to public network
-      expect(mockNetwork.connect).toHaveBeenCalled();
-      existsSpy.mockRestore();
-    });
-  });
-  // =========================================================================
-  // Dispatcher host
-  // =========================================================================
-  describe("dispatcher host", () => {
-    function getDispatcherUrlEnv() {
-      return (getMainCreateOpts().Env as string[]).find((e: string) =>
-        e.startsWith("DISPATCHER_URL=")
-      );
-    }
-    test('returns "gateway" when running in container (/.dockerenv exists)', async () => {
-      const existsSpy = spyOn(fs, "existsSync").mockImplementation(
-        (p: any) => String(p) === "/.dockerenv"
-      );
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getDispatcherUrlEnv()).toContain("gateway");
-      existsSpy.mockRestore();
-    });
-    test('returns "gateway" when CONTAINER=true', async () => {
-      process.env.CONTAINER = "true";
-      const existsSpy = spyOn(fs, "existsSync").mockReturnValue(false);
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getDispatcherUrlEnv()).toContain("gateway");
-      existsSpy.mockRestore();
-    });
-    test('returns "host.docker.internal" when running on host', async () => {
-      delete process.env.CONTAINER;
-      const existsSpy = spyOn(fs, "existsSync").mockReturnValue(false);
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getDispatcherUrlEnv()).toContain("host.docker.internal");
-      existsSpy.mockRestore();
-    });
-  });
-  // =========================================================================
-  // Docker image reference
-  // =========================================================================
-  describe("image reference", () => {
-    test("uses digest reference when configured: repo@sha256:abc123", async () => {
-      const manager = createManager({
-        worker: {
-          ...TEST_CONFIG.worker,
-          image: {
-            repository: "lobu-worker",
-            tag: "latest",
-            digest: "abc123def456",
-            pullPolicy: "IfNotPresent",
-          },
-        },
-      });
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().Image).toBe("lobu-worker@sha256:abc123def456");
-    });
-    test("uses tag reference when no digest: repo:tag", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().Image).toBe("lobu-worker:latest");
-    });
-    test("handles digest that already has sha256: prefix", async () => {
-      const manager = createManager({
-        worker: {
-          ...TEST_CONFIG.worker,
-          image: {
-            repository: "lobu-worker",
-            tag: "latest",
-            digest: "sha256:abc123def456",
-            pullPolicy: "IfNotPresent",
-          },
-        },
-      });
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().Image).toBe("lobu-worker@sha256:abc123def456");
-    });
-  });
-  // =========================================================================
-  // deleteDeployment
-  // =========================================================================
-  describe("deleteDeployment", () => {
-    test("calls stop + remove on container", async () => {
-      const manager = createManager();
-      await manager.deleteDeployment("test-deploy");
-      expect(mockContainer.stop).toHaveBeenCalled();
-      expect(mockContainer.remove).toHaveBeenCalled();
-    });
-    test("handles 404 (container already deleted) gracefully", async () => {
-      const stopMock = mock(async () => {
-        /* noop */
-      });
-      const removeMock = mock(async () => {
-        const err: any = new Error("not found");
-        err.statusCode = 404;
-        throw err;
-      });
-      mockDocker.getContainer.mockImplementation(() => ({
-        stop: stopMock,
-        remove: removeMock,
-      }));
-      const manager = createManager();
-      // Should not throw on 404
-      await expect(
-        manager.deleteDeployment("nonexistent")
-      ).resolves.toBeUndefined();
-    });
-    test("handles already-stopped container gracefully", async () => {
-      mockContainer.stop.mockImplementation(async () => {
-        throw new Error("container already stopped");
-      });
-      const manager = createManager();
-      // Should not throw - stop failure is caught
-      await expect(
-        manager.deleteDeployment("test-deploy")
-      ).resolves.toBeUndefined();
-      expect(mockContainer.remove).toHaveBeenCalled();
-    });
-  });
-  // =========================================================================
-  // scaleDeployment
-  // =========================================================================
-  describe("scaleDeployment", () => {
-    test("scaleDeployment(0) stops running container", async () => {
-      mockContainer.inspect.mockImplementation(async () => ({
-        State: { Running: true },
-      }));
-      const manager = createManager();
-      await manager.scaleDeployment("test-deploy", 0);
-      expect(mockContainer.stop).toHaveBeenCalled();
-    });
-    test("scaleDeployment(1) starts stopped container", async () => {
-      mockContainer.inspect.mockImplementation(async () => ({
-        State: { Running: false },
-      }));
-      const manager = createManager();
-      await manager.scaleDeployment("test-deploy", 1);
-      expect(mockContainer.start).toHaveBeenCalled();
-    });
-    test("scaleDeployment(0) is a no-op if container already stopped", async () => {
-      mockContainer.inspect.mockImplementation(async () => ({
-        State: { Running: false },
-      }));
-      const manager = createManager();
-      await manager.scaleDeployment("test-deploy", 0);
-      expect(mockContainer.stop).not.toHaveBeenCalled();
-    });
-    test("scaleDeployment(1) is a no-op if container already running", async () => {
-      mockContainer.inspect.mockImplementation(async () => ({
-        State: { Running: true },
-      }));
-      const manager = createManager();
-      await manager.scaleDeployment("test-deploy", 1);
-      expect(mockContainer.start).not.toHaveBeenCalled();
-    });
-  });
-  // =========================================================================
-  // listDeployments
-  // =========================================================================
-  describe("listDeployments", () => {
-    test("with no containers returns empty", async () => {
-      mockDocker.listContainers.mockImplementation(async () => []);
-      const manager = createManager();
-      const result = await manager.listDeployments();
-      expect(result).toEqual([]);
-    });
-    test("with containers returns DeploymentInfo entries", async () => {
-      const now = Math.floor(Date.now() / 1000);
-      mockDocker.listContainers.mockImplementation(async () => [
-        {
-          Names: ["/lobu-worker-test-123"],
-          State: "running",
-          Created: now - 60, // 60 seconds ago
-          Labels: {
-            "app.kubernetes.io/component": "worker",
-            "lobu.io/created": new Date((now - 60) * 1000).toISOString(),
-          },
-        },
-        {
-          Names: ["/lobu-worker-test-456"],
-          State: "exited",
-          Created: now - 3600, // 1 hour ago
-          Labels: {
-            "app.kubernetes.io/component": "worker",
-          },
-        },
-      ]);
-      const manager = createManager();
-      const result = await manager.listDeployments();
-      expect(result).toHaveLength(2);
-      expect(result[0].deploymentName).toBe("lobu-worker-test-123");
-      expect(result[0].replicas).toBe(1); // running
-      expect(result[1].deploymentName).toBe("lobu-worker-test-456");
-      expect(result[1].replicas).toBe(0); // exited
-    });
-    test("filters by worker label", async () => {
-      const manager = createManager();
-      await manager.listDeployments();
-      expect(mockDocker.listContainers).toHaveBeenCalledWith({
-        all: true,
-        filters: {
-          label: ["app.kubernetes.io/component=worker"],
-        },
-      });
-    });
-  });
-  // =========================================================================
-  // Activity tracking
-  // =========================================================================
-  describe("activity tracking", () => {
-    test("updateDeploymentActivity stores timestamp", async () => {
-      const manager = createManager();
-      await manager.updateDeploymentActivity("test-deploy");
-      // Verify by listing deployments with a container matching the name
-      const now = Math.floor(Date.now() / 1000);
-      mockDocker.listContainers.mockImplementation(async () => [
-        {
-          Names: ["/test-deploy"],
-          State: "running",
-          Created: now - 86400, // 1 day ago
-          Labels: {
-            "app.kubernetes.io/component": "worker",
-            "lobu.io/created": new Date((now - 86400) * 1000).toISOString(),
-          },
-        },
-      ]);
-      const deployments = await manager.listDeployments();
-      // The tracked activity should be very recent (just now), not 1 day ago
-      expect(deployments[0].minutesIdle).toBeLessThan(1);
-    });
-    test("listDeployments uses most recent of tracked vs label activity", async () => {
-      const manager = createManager();
-      const now = Math.floor(Date.now() / 1000);
-      // Set up a container with an old label timestamp
-      mockDocker.listContainers.mockImplementation(async () => [
-        {
-          Names: ["/tracked-deploy"],
-          State: "running",
-          Created: now - 7200, // 2 hours ago
-          Labels: {
-            "app.kubernetes.io/component": "worker",
-            "lobu.io/last-activity": new Date(
-              (now - 7200) * 1000
-            ).toISOString(),
-          },
-        },
-      ]);
-      // Update activity in-memory (very recent)
-      await manager.updateDeploymentActivity("tracked-deploy");
-      const deployments = await manager.listDeployments();
-      // Should use tracked (recent) not label (2 hours ago)
-      expect(deployments[0].minutesIdle).toBeLessThan(1);
-    });
-  });
-  // =========================================================================
-  // validateWorkerImage
-  // =========================================================================
-  describe("validateWorkerImage", () => {
-    test("succeeds when image exists locally", async () => {
-      const manager = createManager();
-      await expect(manager.validateWorkerImage()).resolves.toBeUndefined();
-    });
-    test("pulls image when not found locally", async () => {
-      mockDocker.getImage.mockImplementation(() => ({
-        inspect: mock(async () => {
-          throw new Error("No such image");
-        }),
-      }));
-      const manager = createManager();
-      await expect(manager.validateWorkerImage()).resolves.toBeUndefined();
-      expect(mockDocker.pull).toHaveBeenCalled();
-    });
-    test("throws when image not found and pull fails", async () => {
-      mockDocker.getImage.mockImplementation(() => ({
-        inspect: mock(async () => {
-          throw new Error("No such image");
-        }),
-      }));
-      mockDocker.pull.mockImplementation((_name: string, cb: Function) =>
-        cb(new Error("pull failed"))
-      );
-      const manager = createManager();
-      await expect(manager.validateWorkerImage()).rejects.toThrow(
-        "does not exist locally and pull failed"
-      );
-    });
-  });
-  // =========================================================================
-  // Labels & compose integration
-  // =========================================================================
-  describe("labels", () => {
-    test("sets base worker labels", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      const labels = getMainCreateOpts().Labels;
-      expect(labels["app.kubernetes.io/name"]).toBe("lobu");
-      expect(labels["app.kubernetes.io/component"]).toBe("worker");
-      expect(labels["lobu/managed-by"]).toBe("orchestrator");
-    });
-    test("sets Docker Compose project labels", async () => {
-      process.env.COMPOSE_PROJECT_NAME = "myproject";
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      const labels = getMainCreateOpts().Labels;
-      expect(labels["com.docker.compose.project"]).toBe("myproject");
-      expect(labels["com.docker.compose.service"]).toBe("test-deploy");
-    });
-    test("sets agent-id label", async () => {
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload({ agentId: "my-agent-123" })
-      );
-      expect(getMainCreateOpts().Labels["lobu.io/agent-id"]).toBe(
-        "my-agent-123"
-      );
-    });
-  });
-  // =========================================================================
-  // Extra hosts & host mode
-  // =========================================================================
-  describe("extra hosts", () => {
-    test("adds ExtraHosts when running on host (not in container)", async () => {
-      delete process.env.CONTAINER;
-      const existsSpy = spyOn(fs, "existsSync").mockReturnValue(false);
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.ExtraHosts).toEqual([
-        "host.docker.internal:host-gateway",
-      ]);
-      existsSpy.mockRestore();
-    });
-    test("does not add ExtraHosts when running in container", async () => {
-      process.env.CONTAINER = "true";
-      const existsSpy = spyOn(fs, "existsSync").mockReturnValue(false);
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.ExtraHosts).toBeUndefined();
-      existsSpy.mockRestore();
-    });
-  });
-  // =========================================================================
-  // Security options
-  // =========================================================================
-  describe("advanced security options", () => {
-    test("adds seccomp profile when WORKER_SECCOMP_PROFILE set", async () => {
-      process.env.WORKER_SECCOMP_PROFILE = "/path/to/seccomp.json";
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.SecurityOpt).toContain(
-        "seccomp=/path/to/seccomp.json"
-      );
-    });
-    test("adds apparmor profile when WORKER_APPARMOR_PROFILE set", async () => {
-      process.env.WORKER_APPARMOR_PROFILE = "docker-custom";
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      expect(getMainCreateOpts().HostConfig.SecurityOpt).toContain(
-        "apparmor=docker-custom"
-      );
-    });
-    test("disables readonly rootfs when WORKER_READONLY_ROOTFS=false", async () => {
-      process.env.WORKER_READONLY_ROOTFS = "false";
-      const manager = createManager();
-      await manager.createDeployment(
-        "test-deploy",
-        "user",
-        "user-id",
-        createTestMessagePayload()
-      );
-      const hc = getMainCreateOpts().HostConfig;
-      expect(hc.ReadonlyRootfs).toBe(false);
-      expect(hc.Tmpfs).toBeUndefined();
-    });
-  });
-});