@miaws/miaw 1.18.4 → 1.18.5

package/test/server/httpapi-exercise/index.ts

@@ -0,0 +1,1685 @@
+/**
+ * End-to-end exerciser for the Effect HttpApi routes.
+ *
+ * The goal is not to be a normal unit test file. This is a route-coverage harness:
+ * every public route should have a small scenario that proves the route decodes
+ * requests, uses the right instance context, mutates storage when expected, and
+ * returns the expected response shape.
+ *
+ * The script intentionally isolates `MIAW_DB` before importing modules that touch
+ * storage. Scenarios may create/delete sessions and reset the database after each run,
+ * so this must never point at a developer's real session database.
+ *
+ * DSL shape:
+ * - `http.protected.get/post/...` starts a scenario for one OpenAPI route key.
+ * - `.seeded(...)` creates typed per-scenario state using Effect helpers on `ctx`.
+ * - `.at(...)` builds the request from that typed state.
+ * - `.json(...)` / `.jsonEffect(...)` assert response shape and optional side effects.
+ * - `.mutating()` tells the runner to reset isolated state after destructive routes.
+ */
+import { Effect } from "effect"
+import { OpenApi } from "effect/unstable/httpapi"
+import { TestLLMServer } from "../../lib/llm-server"
+import path from "path"
+import { array, boolean, check, isRecord, message, object, stable } from "./assertions"
+import { controlledPtyInput, http, route } from "./dsl"
+import {
+  cleanupExercisePaths,
+  exerciseConfigDirectory,
+  exerciseDataDirectory,
+  exerciseDatabasePath,
+  exerciseGlobalRoot,
+} from "./environment"
+import { color, printHeader, printResults } from "./report"
+import { coverageResult, parseOptions, routeKey, routeKeys, selectedScenarios } from "./routing"
+import { runScenario } from "./runner"
+import { disposeApps } from "./backend"
+import { runtime } from "./runtime"
+import { type Scenario } from "./types"
+
+function cursor(input: Record<string, unknown>) {
+  return Buffer.from(JSON.stringify(input)).toString("base64url")
+}
+
+function data(validate: (value: any) => void) {
+  return (body: any) => {
+    object(body)
+    validate(body.data)
+  }
+}
+
+function locationData(validate: (value: any) => void) {
+  return (body: any) => {
+    object(body)
+    object(body.location)
+    object(body.location.project)
+    validate(body.data)
+  }
+}
+
+const scenarios: Scenario[] = [
+  http.protected
+    .get("/global/health", "global.health")
+    .global()
+    .json(200, (body) => {
+      object(body)
+      check(body.healthy === true, "server should report healthy")
+    }),
+  http.protected
+    .get("/global/event", "global.event")
+    .global()
+    .stream()
+    .status(
+      200,
+      (_ctx, result) =>
+        Effect.sync(() => {
+          check(result.contentType.includes("text/event-stream"), "global event should be an SSE stream")
+          check(result.text.includes("server.connected"), "global event should emit initial connection event")
+        }),
+      "status",
+    ),
+  http.protected.get("/global/config", "global.config.get").global().json(),
+  http.protected
+    .patch("/global/config", "global.config.update")
+    .global()
+    .seeded(() =>
+      Effect.promise(() =>
+        Bun.write(
+          path.join(exerciseConfigDirectory, "miaw.jsonc"),
+          JSON.stringify({ username: "httpapi-global" }, null, 2),
+        ),
+      ),
+    )
+    .at(() => ({ path: "/global/config", body: { username: "httpapi-global" } }))
+    .jsonEffect(
+      200,
+      (body) =>
+        Effect.gen(function* () {
+          object(body)
+          check(body.username === "httpapi-global", "global config update should return patched config")
+          const text = yield* Effect.promise(() =>
+            Bun.file(path.join(exerciseConfigDirectory, "miaw.jsonc")).text(),
+          )
+          check(text.includes('"username": "httpapi-global"'), "global config update should write isolated config file")
+        }),
+      "status",
+    ),
+  http.protected
+    .post("/global/dispose", "global.dispose")
+    .global()
+    .mutating()
+    .json(
+      200,
+      (body) => {
+        check(body === true, "global dispose should return true")
+      },
+      "status",
+    ),
+  http.protected.get("/path", "path.get").json(200, (body, ctx) => {
+    object(body)
+    check(body.directory === ctx.directory, "directory should resolve from x-miaw-directory")
+    check(body.worktree === ctx.directory, "worktree should resolve from x-miaw-directory")
+  }),
+  http.protected.get("/vcs", "vcs.get").json(),
+  http.protected.get("/vcs/status", "vcs.status").json(200, array),
+  http.protected
+    .get("/vcs/diff", "vcs.diff")
+    .at((ctx) => ({ path: "/vcs/diff?mode=git", headers: ctx.headers() }))
+    .json(200, array),
+  http.protected.get("/vcs/diff/raw", "vcs.diff.raw").status(
+    200,
+    (_ctx, result) =>
+      Effect.sync(() => {
+        check(typeof result.text === "string", "raw VCS diff should return text")
+      }),
+    "status",
+  ),
+  http.protected
+    .post("/vcs/apply", "vcs.apply")
+    .inProject({ git: false })
+    .at((ctx) => ({ path: "/vcs/apply", headers: ctx.headers(), body: { patch: "" } }))
+    .status(400, undefined, "status"),
+  http.protected.get("/command", "command.list").json(200, array, "status"),
+  http.protected.get("/agent", "app.agents").json(200, array, "status"),
+  http.protected.get("/skill", "app.skills").json(200, array, "status"),
+  http.protected.get("/lsp", "lsp.status").json(200, array),
+  http.protected.get("/formatter", "formatter.status").json(200, array),
+  http.protected.get("/config", "config.get").json(200, undefined, "status"),
+  http.protected
+    .patch("/config", "config.update")
+    .mutating()
+    .at((ctx) => ({ path: "/config", headers: ctx.headers(), body: { username: "httpapi-local" } }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        check(body.username === "httpapi-local", "local config update should return patched config")
+      },
+      "status",
+    ),
+  http.protected
+    .patch("/config", "config.update.invalid")
+    .at((ctx) => ({ path: "/config", headers: ctx.headers(), body: { username: 1 } }))
+    .status(400),
+  http.protected.get("/config/providers", "config.providers").json(),
+  http.protected.get("/project", "project.list").json(200, array, "status"),
+  http.protected.get("/project/current", "project.current").json(
+    200,
+    (body, ctx) => {
+      object(body)
+      check(body.worktree === ctx.directory, "current project should resolve from scenario directory")
+    },
+    "status",
+  ),
+  http.protected
+    .patch("/project/{projectID}", "project.update")
+    .mutating()
+    .seeded((ctx) => ctx.project())
+    .at((ctx) => ({
+      path: route("/project/{projectID}", { projectID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: { name: "HTTP API Project", commands: { start: "bun --version" } },
+    }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        check(body.name === "HTTP API Project", "project update should return patched name")
+        check(
+          isRecord(body.commands) && body.commands.start === "bun --version",
+          "project update should return patched command",
+        )
+      },
+      "status",
+    ),
+  http.protected
+    .patch("/project/{projectID}", "project.update.missing")
+    .mutating()
+    .at((ctx) => ({
+      path: route("/project/{projectID}", { projectID: "project_httpapi_missing" }),
+      headers: ctx.headers(),
+      body: { name: "Missing Project" },
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .post("/project/git/init", "project.initGit")
+    .mutating()
+    .inProject({ git: false })
+    .json(
+      200,
+      (body, ctx) => {
+        object(body)
+        check(body.worktree === ctx.directory, "git init should return current project")
+        check(body.vcs === "git", "git init should mark the project as git-backed")
+      },
+      "status",
+    ),
+  http.protected
+    .get("/project/{projectID}/directories", "project.directories")
+    .seeded((ctx) => ctx.project())
+    .at((ctx) => ({
+      path: route("/project/{projectID}/directories", { projectID: ctx.state.id }),
+      headers: ctx.headers(),
+    }))
+    .json(200, array, "status"),
+  http.protected
+    .post("/experimental/project/{projectID}/copy/generate-name", "experimental.projectCopy.generateName")
+    .seeded((ctx) => ctx.project())
+    .at((ctx) => ({
+      path: route("/experimental/project/{projectID}/copy/generate-name", { projectID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: {},
+    }))
+    .json(200, (body) => {
+      object(body)
+      check(typeof body.name === "string" && body.name.length > 0, "generated copy name should be non-empty")
+    }),
+  http.protected
+    .post("/experimental/project/{projectID}/copy", "experimental.projectCopy.create")
+    .seeded((ctx) => ctx.project())
+    .at((ctx) => ({
+      path: route("/experimental/project/{projectID}/copy", { projectID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: {},
+    }))
+    .status(400),
+  http.protected
+    .delete("/experimental/project/{projectID}/copy", "experimental.projectCopy.remove")
+    .seeded((ctx) => ctx.project())
+    .at((ctx) => ({
+      path: route("/experimental/project/{projectID}/copy", { projectID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: {},
+    }))
+    .status(400),
+  http.protected
+    .post("/experimental/project/{projectID}/copy/refresh", "experimental.projectCopy.refresh")
+    .mutating()
+    .seeded((ctx) => ctx.project())
+    .at((ctx) => ({
+      path: route("/experimental/project/{projectID}/copy/refresh", { projectID: ctx.state.id }),
+      headers: ctx.headers(),
+    }))
+    .status(204, undefined, "status"),
+  http.protected.get("/provider", "provider.list").json(),
+  http.protected.get("/provider/auth", "provider.auth").json(),
+  http.protected
+    .post("/provider/{providerID}/oauth/authorize", "provider.oauth.authorize")
+    .at((ctx) => ({
+      path: route("/provider/{providerID}/oauth/authorize", { providerID: "httpapi" }),
+      headers: ctx.headers(),
+      body: { method: "bad" },
+    }))
+    .status(400),
+  http.protected
+    .post("/provider/{providerID}/oauth/callback", "provider.oauth.callback")
+    .at((ctx) => ({
+      path: route("/provider/{providerID}/oauth/callback", { providerID: "httpapi" }),
+      headers: ctx.headers(),
+      body: { method: "bad" },
+    }))
+    .status(400),
+  http.protected.get("/permission", "permission.list").json(200, array),
+  http.protected
+    .post("/permission/{requestID}/reply", "permission.reply.invalid")
+    .at((ctx) => ({
+      path: route("/permission/{requestID}/reply", { requestID: "per_httpapi" }),
+      headers: ctx.headers(),
+      body: { reply: "bad" },
+    }))
+    .status(400),
+  http.protected
+    .post("/permission/{requestID}/reply", "permission.reply")
+    .at((ctx) => ({
+      path: route("/permission/{requestID}/reply", { requestID: "per_httpapi" }),
+      headers: ctx.headers(),
+      body: { reply: "once" },
+    }))
+    .json(404, object, "status"),
+  http.protected.get("/question", "question.list").json(200, array),
+  http.protected
+    .post("/question/{requestID}/reply", "question.reply.invalid")
+    .at((ctx) => ({
+      path: route("/question/{requestID}/reply", { requestID: "que_httpapi_reply" }),
+      headers: ctx.headers(),
+      body: { answers: "Yes" },
+    }))
+    .status(400),
+  http.protected
+    .post("/question/{requestID}/reply", "question.reply")
+    .at((ctx) => ({
+      path: route("/question/{requestID}/reply", { requestID: "que_httpapi_reply" }),
+      headers: ctx.headers(),
+      body: { answers: [["Yes"]] },
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .post("/question/{requestID}/reject", "question.reject")
+    .at((ctx) => ({
+      path: route("/question/{requestID}/reject", { requestID: "que_httpapi_reject" }),
+      headers: ctx.headers(),
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .get("/file", "file.list")
+    .seeded((ctx) => ctx.file("hello.txt", "hello\n"))
+    .at((ctx) => ({ path: `/file?${new URLSearchParams({ path: "." })}`, headers: ctx.headers() }))
+    .json(200, array),
+  http.protected
+    .get("/file/content", "file.read")
+    .seeded((ctx) => ctx.file("hello.txt", "hello\n"))
+    .at((ctx) => ({ path: `/file/content?${new URLSearchParams({ path: "hello.txt" })}`, headers: ctx.headers() }))
+    .json(200, (body) => {
+      object(body)
+      check(body.content === "hello", `content should match seeded file: ${JSON.stringify(body)}`)
+    }),
+  http.protected
+    .get("/file/content", "file.read.missing")
+    .at((ctx) => ({ path: `/file/content?${new URLSearchParams({ path: "missing.txt" })}`, headers: ctx.headers() }))
+    .json(200, (body) => {
+      object(body)
+      check(body.type === "text" && body.content === "", "missing file content should return an empty text result")
+    }),
+  http.protected.get("/file/status", "file.status").json(200, array),
+  http.protected
+    .get("/find", "find.text")
+    .seeded((ctx) => ctx.file("hello.txt", "hello\n"))
+    .at((ctx) => ({ path: `/find?${new URLSearchParams({ pattern: "hello" })}`, headers: ctx.headers() }))
+    .json(200, array),
+  http.protected
+    .get("/find/file", "find.files")
+    .seeded((ctx) => ctx.file("hello.txt", "hello\n"))
+    .at((ctx) => ({
+      path: `/find/file?${new URLSearchParams({ query: "hello", dirs: "false" })}`,
+      headers: ctx.headers(),
+    }))
+    .json(200, array),
+  http.protected
+    .get("/find/symbol", "find.symbols")
+    .seeded((ctx) => ctx.file("hello.ts", "export const hello = 1\n"))
+    .at((ctx) => ({ path: `/find/symbol?${new URLSearchParams({ query: "hello" })}`, headers: ctx.headers() }))
+    .json(200, array),
+  http.protected
+    .get("/event", "event.stream")
+    .stream()
+    .status(
+      200,
+      (_ctx, result) =>
+        Effect.sync(() => {
+          check(result.contentType.includes("text/event-stream"), "event should be an SSE stream")
+          check(result.text.includes("server.connected"), "event should emit initial connection event")
+        }),
+      "status",
+    ),
+  http.protected.get("/mcp", "mcp.status").json(),
+  http.protected
+    .post("/mcp", "mcp.add")
+    .mutating()
+    .at((ctx) => ({
+      path: "/mcp",
+      headers: ctx.headers(),
+      body: { name: "httpapi-disabled", config: { type: "local", command: ["bun", "--version"], enabled: false } },
+    }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        object(body["httpapi-disabled"])
+        check(body["httpapi-disabled"].status === "disabled", "disabled MCP server should be added without spawning")
+      },
+      "status",
+    ),
+  http.protected
+    .post("/mcp", "mcp.add.invalid")
+    .at((ctx) => ({
+      path: "/mcp",
+      headers: ctx.headers(),
+      body: { name: "httpapi-invalid", config: { type: "invalid" } },
+    }))
+    .status(400),
+  http.protected
+    .post("/mcp/{name}/auth", "mcp.auth.start")
+    .at((ctx) => ({ path: route("/mcp/{name}/auth", { name: "httpapi-missing" }), headers: ctx.headers() }))
+    .json(404, object, "status"),
+  http.protected
+    .delete("/mcp/{name}/auth", "mcp.auth.remove")
+    .mutating()
+    .at((ctx) => ({ path: route("/mcp/{name}/auth", { name: "httpapi-missing" }), headers: ctx.headers() }))
+    .json(404, object, "status"),
+  http.protected
+    .post("/mcp/{name}/auth/authenticate", "mcp.auth.authenticate")
+    .at((ctx) => ({
+      path: route("/mcp/{name}/auth/authenticate", { name: "httpapi-missing" }),
+      headers: ctx.headers(),
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .post("/mcp/{name}/auth/callback", "mcp.auth.callback")
+    .at((ctx) => ({
+      path: route("/mcp/{name}/auth/callback", { name: "httpapi-missing" }),
+      headers: ctx.headers(),
+      body: { code: "code" },
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .post("/mcp/{name}/connect", "mcp.connect")
+    .mutating()
+    .at((ctx) => ({ path: route("/mcp/{name}/connect", { name: "httpapi-missing" }), headers: ctx.headers() }))
+    .json(404, object, "status"),
+  http.protected
+    .post("/mcp/{name}/disconnect", "mcp.disconnect")
+    .mutating()
+    .at((ctx) => ({ path: route("/mcp/{name}/disconnect", { name: "httpapi-missing" }), headers: ctx.headers() }))
+    .json(404, object, "status"),
+  http.protected.get("/pty/shells", "pty.shells").json(200, array),
+  http.protected.get("/pty", "pty.list").json(200, array),
+  http.protected
+    .post("/pty", "pty.create")
+    .mutating()
+    .at((ctx) => ({ path: "/pty", headers: ctx.headers(), body: controlledPtyInput("HTTP API PTY") }))
+    .json(
+      200,
+      (body, ctx) => {
+        object(body)
+        check(body.title === "HTTP API PTY", "PTY create should return requested title")
+        check(body.command === "/bin/sh", "PTY create should use controlled shell command")
+        check(body.cwd === ctx.directory, "PTY create should default cwd to scenario directory")
+      },
+      "status",
+    ),
+  http.protected
+    .post("/pty", "pty.create.invalid")
+    .at((ctx) => ({ path: "/pty", headers: ctx.headers(), body: { command: 1 } }))
+    .status(400),
+  http.protected
+    .post("/pty/{ptyID}/connect-token", "pty.connectToken.invalid")
+    .at((ctx) => ({
+      path: route("/pty/{ptyID}/connect-token", { ptyID: "pty_httpapi_missing" }),
+      headers: ctx.headers(),
+    }))
+    .status(403, undefined, "status"),
+  http.protected
+    .get("/pty/{ptyID}", "pty.get")
+    .at((ctx) => ({ path: route("/pty/{ptyID}", { ptyID: "pty_httpapi_missing" }), headers: ctx.headers() }))
+    .status(404),
+  http.protected
+    .put("/pty/{ptyID}", "pty.update")
+    .mutating()
+    .at((ctx) => ({
+      path: route("/pty/{ptyID}", { ptyID: "pty_httpapi_missing" }),
+      headers: ctx.headers(),
+      body: { size: { rows: 0, cols: 0 } },
+    }))
+    .status(400),
+  http.protected
+    .delete("/pty/{ptyID}", "pty.remove")
+    .mutating()
+    .at((ctx) => ({ path: route("/pty/{ptyID}", { ptyID: "pty_httpapi_missing" }), headers: ctx.headers() }))
+    .json(404, object, "status"),
+  http.protected
+    .get("/pty/{ptyID}/connect", "pty.connect")
+    .at((ctx) => ({ path: route("/pty/{ptyID}/connect", { ptyID: "pty_httpapi_missing" }), headers: ctx.headers() }))
+    .status(404, undefined, "none"),
+  http.protected.get("/experimental/console", "experimental.console.get").json(),
+  http.protected.get("/experimental/console/orgs", "experimental.console.listOrgs").json(),
+  http.protected
+    .post("/experimental/console/switch", "experimental.console.switchOrg")
+    .at((ctx) => ({
+      path: "/experimental/console/switch",
+      headers: ctx.headers(),
+      body: { accountID: "httpapi-account", orgID: "httpapi-org" },
+    }))
+    .status(400, undefined, "none"),
+  http.protected.get("/experimental/workspace/adapter", "experimental.workspace.adapter.list").json(200, array),
+  http.protected.get("/experimental/workspace", "experimental.workspace.list").json(200, array),
+  http.protected.get("/experimental/workspace/status", "experimental.workspace.status").json(200, array),
+  http.protected
+    .post("/experimental/workspace", "experimental.workspace.create")
+    .at((ctx) => ({ path: "/experimental/workspace", headers: ctx.headers(), body: {} }))
+    .status(400),
+  http.protected
+    .post("/experimental/workspace/sync-list", "experimental.workspace.syncList")
+    .status(204, undefined, "status"),
+  http.protected
+    .delete("/experimental/workspace/{id}", "experimental.workspace.remove")
+    .mutating()
+    .at((ctx) => ({
+      path: route("/experimental/workspace/{id}", { id: "wrk_httpapi_missing" }),
+      headers: ctx.headers(),
+    }))
+    .status(200),
+  http.protected
+    .post("/experimental/workspace/warp", "experimental.workspace.warp")
+    .at((ctx) => ({
+      path: "/experimental/workspace/warp",
+      headers: ctx.headers(),
+      body: {},
+    }))
+    .status(400),
+  http.protected
+    .post("/experimental/control-plane/move-session", "experimental.controlPlane.moveSession")
+    .global()
+    .at(() => ({
+      path: "/experimental/control-plane/move-session",
+      body: {},
+    }))
+    .status(400),
+  http.protected
+    .get("/experimental/tool", "tool.list")
+    .at((ctx) => ({
+      path: `/experimental/tool?${new URLSearchParams({ provider: "miaw", model: "test" })}`,
+      headers: ctx.headers(),
+    }))
+    .json(200, array, "status"),
+  http.protected.get("/experimental/tool/ids", "tool.ids").json(200, array),
+  http.protected.get("/experimental/worktree", "worktree.list").json(200, array),
+  http.protected
+    .post("/experimental/worktree", "worktree.create")
+    .mutating()
+    .at((ctx) => ({ path: "/experimental/worktree", headers: ctx.headers(), body: { name: "api-dsl" } }))
+    .jsonEffect(
+      200,
+      (body, ctx) =>
+        Effect.gen(function* () {
+          object(body)
+          check(typeof body.directory === "string", "created worktree should include directory")
+          yield* ctx.worktreeRemove(body.directory)
+        }),
+      "status",
+    ),
+  http.protected
+    .post("/experimental/worktree", "worktree.create.invalid")
+    .at((ctx) => ({ path: "/experimental/worktree", headers: ctx.headers(), body: { name: 1 } }))
+    .status(400),
+  http.protected
+    .delete("/experimental/worktree", "worktree.remove")
+    .mutating()
+    .seeded((ctx) => ctx.worktree({ name: "api-remove" }))
+    .at((ctx) => ({ path: "/experimental/worktree", headers: ctx.headers(), body: { directory: ctx.state.directory } }))
+    .json(200, (body) => {
+      check(body === true, "worktree remove should return true")
+    }),
+  http.protected
+    .post("/experimental/worktree/reset", "worktree.reset")
+    .mutating()
+    .seeded((ctx) => ctx.worktree({ name: "api-reset" }))
+    .at((ctx) => ({
+      path: "/experimental/worktree/reset",
+      headers: ctx.headers(),
+      body: { directory: ctx.state.directory },
+    }))
+    .jsonEffect(200, (body, ctx) =>
+      Effect.gen(function* () {
+        check(body === true, "worktree reset should return true")
+        yield* ctx.worktreeRemove(ctx.state.directory)
+      }),
+    ),
+  http.protected
+    .get("/experimental/session", "experimental.session.list")
+    .at((ctx) => ({ path: "/experimental/session?roots=false&archived=false", headers: ctx.headers() }))
+    .json(200, array),
+  http.protected
+    .post("/experimental/session/{sessionID}/background", "experimental.session.background")
+    .mutating()
+    .seeded((ctx) => ctx.session({ title: "Background route owner" }))
+    .at((ctx) => ({
+      path: route("/experimental/session/{sessionID}/background", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+    }))
+    .json(200, (body) => {
+      check(body === false, "background route should be a no-op without running subagents")
+    }),
+  http.protected.get("/experimental/resource", "experimental.resource.list").json(),
+  http.protected
+    .post("/sync/history", "sync.history.list")
+    .at((ctx) => ({ path: "/sync/history", headers: ctx.headers(), body: {} }))
+    .json(200, array),
+  http.protected
+    .post("/sync/replay", "sync.replay")
+    .at((ctx) => ({ path: "/sync/replay", headers: ctx.headers(), body: { directory: ctx.directory, events: [] } }))
+    .status(400),
+  http.protected
+    .post("/sync/steal", "sync.steal.invalid")
+    .at((ctx) => ({ path: "/sync/steal", headers: ctx.headers(), body: {} }))
+    .status(400, undefined, "status"),
+  http.protected
+    .post("/sync/start", "sync.start")
+    .mutating()
+    .preserveDatabase()
+    .json(200, (body) => {
+      check(body === true, "sync start should return true when no workspace sessions exist")
+    }),
+  http.protected
+    .post("/instance/dispose", "instance.dispose")
+    .mutating()
+    .json(200, (body) => {
+      check(body === true, "instance dispose should return true")
+    }),
+  http.protected
+    .post("/log", "app.log")
+    .global()
+    .at(() => ({ path: "/log", body: { service: "httpapi-exercise", level: "info", message: "route coverage" } }))
+    .json(200, (body) => {
+      check(body === true, "log route should return true")
+    }),
+  http.protected
+    .put("/auth/{providerID}", "auth.set")
+    .global()
+    .at(() => ({ path: route("/auth/{providerID}", { providerID: "test" }), body: { type: "api", key: "test-key" } }))
+    .jsonEffect(200, (body) =>
+      Effect.gen(function* () {
+        check(body === true, "auth set should return true")
+        const auth = yield* Effect.promise(() => Bun.file(path.join(exerciseDataDirectory, "auth.json")).json())
+        object(auth)
+        check(isRecord(auth.test) && auth.test.key === "test-key", "auth set should write isolated auth file")
+      }),
+    ),
+  http.protected
+    .delete("/auth/{providerID}", "auth.remove")
+    .global()
+    .seeded(() =>
+      Effect.promise(() =>
+        Bun.write(
+          path.join(exerciseDataDirectory, "auth.json"),
+          JSON.stringify({ test: { type: "api", key: "remove-me" } }),
+        ),
+      ),
+    )
+    .at(() => ({ path: route("/auth/{providerID}", { providerID: "test" }) }))
+    .jsonEffect(200, (body) =>
+      Effect.gen(function* () {
+        check(body === true, "auth remove should return true")
+        const auth = yield* Effect.promise(() => Bun.file(path.join(exerciseDataDirectory, "auth.json")).json())
+        object(auth)
+        check(auth.test === undefined, "auth remove should delete provider from isolated auth file")
+      }),
+    ),
+  http.protected.get("/api/health", "v2.health.get").json(200, (body) => {
+    object(body)
+    check(body.healthy === true, "v2 server should report healthy")
+  }),
+  http.protected.get("/api/location", "v2.location.get").json(200, object),
+  http.protected.get("/api/agent", "v2.agent.list").json(200, locationData(array)),
+  http.protected.get("/api/model", "v2.model.list").json(200, locationData(array)),
+  http.protected.get("/api/provider", "v2.provider.list").json(200, locationData(array)),
+  http.protected.get("/api/integration", "v2.integration.list").json(200, locationData(array)),
+  http.protected
+    .get("/api/integration/{integrationID}", "v2.integration.get")
+    .at((ctx) => ({
+      path: route("/api/integration/{integrationID}", { integrationID: "missing" }),
+      headers: ctx.headers(),
+    }))
+    .json(200, object),
+  http.protected
+    .post("/api/integration/{integrationID}/connect/key", "v2.integration.connect.key")
+    .at((ctx) => ({
+      path: route("/api/integration/{integrationID}/connect/key", { integrationID: "missing" }),
+      headers: ctx.headers(),
+      body: { key: "test" },
+    }))
+    .status(500, undefined, "status"),
+  http.protected
+    .post("/api/integration/{integrationID}/connect/oauth", "v2.integration.connect.oauth")
+    .at((ctx) => ({
+      path: route("/api/integration/{integrationID}/connect/oauth", { integrationID: "missing" }),
+      headers: ctx.headers(),
+      body: { methodID: "missing", inputs: {} },
+    }))
+    .status(500, undefined, "status"),
+  http.protected
+    .get("/api/integration/attempt/{attemptID}", "v2.integration.attempt.status")
+    .at((ctx) => ({
+      path: route("/api/integration/attempt/{attemptID}", { attemptID: "con_missing" }),
+      headers: ctx.headers(),
+    }))
+    .status(500, undefined, "status"),
+  http.protected
+    .post("/api/integration/attempt/{attemptID}/complete", "v2.integration.attempt.complete")
+    .at((ctx) => ({
+      path: route("/api/integration/attempt/{attemptID}/complete", { attemptID: "con_missing" }),
+      headers: ctx.headers(),
+      body: {},
+    }))
+    .status(500, undefined, "status"),
+  http.protected
+    .delete("/api/integration/attempt/{attemptID}", "v2.integration.attempt.cancel")
+    .at((ctx) => ({
+      path: route("/api/integration/attempt/{attemptID}", { attemptID: "con_missing" }),
+      headers: ctx.headers(),
+    }))
+    .status(204, undefined, "status"),
+  http.protected
+    .delete("/api/credential/{credentialID}", "v2.credential.remove")
+    .at((ctx) => ({
+      path: route("/api/credential/{credentialID}", { credentialID: "cred_missing" }),
+      headers: ctx.headers(),
+    }))
+    .status(204, undefined, "status"),
+  http.protected
+    .patch("/api/credential/{credentialID}", "v2.credential.update")
+    .at((ctx) => ({
+      path: route("/api/credential/{credentialID}", { credentialID: "cred_missing" }),
+      headers: ctx.headers(),
+      body: { label: "Work" },
+    }))
+    .status(204, undefined, "status"),
+  http.protected.get("/api/command", "v2.command.list").json(200, locationData(array)),
+  http.protected.get("/api/skill", "v2.skill.list").json(200, locationData(array)),
+  http.protected
+    .get("/api/event", "v2.event.subscribe")
+    .stream()
+    .status(
+      200,
+      (ctx, result) =>
+        Effect.sync(() => {
+          check(result.contentType.includes("text/event-stream"), "v2 event should be an SSE stream")
+          check(result.text.includes("server.connected"), "v2 event should emit initial connection event")
+          check(!!ctx.directory && result.text.includes(ctx.directory), "v2 event should include the resolved location")
+        }),
+      "status",
+    ),
+  http.protected
+    .get("/api/fs/read/*", "v2.fs.read")
+    .seeded((ctx) => ctx.file("hello.txt", "hello\n"))
+    .at((ctx) => ({ path: "/api/fs/read/hello.txt", headers: ctx.headers() }))
+    .status(
+      200,
+      (_ctx, result) =>
+        Effect.sync(() => {
+          check(result.text === "hello\n", "v2 fs read should return the file body")
+          check(result.contentType.includes("text/plain"), "v2 fs read should return the file content type")
+        }),
+      "status",
+    ),
+  http.protected.get("/api/fs/list", "v2.fs.list").json(200, locationData(array)),
+  http.protected
+    .get("/api/fs/find", "v2.fs.find")
+    .seeded((ctx) => ctx.file("hello.txt", "hello\n"))
+    .at((ctx) => ({ path: "/api/fs/find?query=hello&type=file", headers: ctx.headers() }))
+    .json(200, locationData(array)),
+  http.protected.get("/api/pty", "v2.pty.list").json(200, locationData(array)),
+  http.protected
+    .post("/api/pty", "v2.pty.create")
+    .mutating()
+    .at((ctx) => ({ path: "/api/pty", headers: ctx.headers(), body: controlledPtyInput("HTTP API V2 PTY") }))
+    .json(200, locationData(object)),
+  http.protected
+    .get("/api/pty/{ptyID}", "v2.pty.get")
+    .at((ctx) => ({ path: route("/api/pty/{ptyID}", { ptyID: "pty_httpapi_missing" }), headers: ctx.headers() }))
+    .json(404, object, "status"),
+  http.protected
+    .put("/api/pty/{ptyID}", "v2.pty.update")
+    .mutating()
+    .at((ctx) => ({
+      path: route("/api/pty/{ptyID}", { ptyID: "pty_httpapi_missing" }),
+      headers: ctx.headers(),
+      body: { title: "missing" },
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .delete("/api/pty/{ptyID}", "v2.pty.remove")
+    .mutating()
+    .at((ctx) => ({ path: route("/api/pty/{ptyID}", { ptyID: "pty_httpapi_missing" }), headers: ctx.headers() }))
+    .json(404, object, "status"),
+  http.protected
+    .post("/api/pty/{ptyID}/connect-token", "v2.pty.connectToken")
+    .at((ctx) => ({
+      path: route("/api/pty/{ptyID}/connect-token", { ptyID: "pty_httpapi_missing" }),
+      headers: { ...ctx.headers(), "x-miaw-ticket": "1" },
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .get("/api/pty/{ptyID}/connect", "v2.pty.connect")
+    .at((ctx) => ({
+      path: route("/api/pty/{ptyID}/connect", { ptyID: "pty_httpapi_missing" }),
+      headers: ctx.headers(),
+    }))
+    .status(404, undefined, "none"),
+  http.protected.get("/api/reference", "v2.reference.list").json(200, object),
+  http.protected
+    .get("/api/provider/{providerID}", "v2.provider.get")
+    .at((ctx) => ({ path: route("/api/provider/{providerID}", { providerID: "missing" }), headers: ctx.headers() }))
+    .json(404, object, "status"),
+  http.protected.get("/api/permission/request", "v2.permission.request.list").json(200, (body) => {
+    object(body)
+    object(body.location)
+    array(body.data)
+  }),
+  http.protected.get("/api/question/request", "v2.question.request.list").json(200, (body) => {
+    object(body)
+    object(body.location)
+    array(body.data)
+  }),
+  http.protected
+    .get("/api/session/{sessionID}/permission", "v2.session.permission.list")
+    .seeded((ctx) => ctx.session({ title: "Permission list owner" }))
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}/permission", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+    }))
+    .json(200, data(array)),
+  http.protected
+    .get("/api/session/{sessionID}/question", "v2.session.question.list")
+    .seeded((ctx) => ctx.session({ title: "Question list owner" }))
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}/question", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+    }))
+    .json(200, data(array)),
+  http.protected
+    .post("/api/session/{sessionID}/permission/{requestID}/reply", "v2.session.permission.reply")
+    .seeded((ctx) => ctx.session({ title: "Permission owner" }))
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}/permission/{requestID}/reply", {
+        sessionID: ctx.state.id,
+        requestID: "per_httpapi_missing",
+      }),
+      headers: ctx.headers(),
+      body: { reply: "once" },
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .post("/api/session/{sessionID}/question/{requestID}/reply", "v2.session.question.reply")
+    .seeded((ctx) => ctx.session({ title: "Question reply owner" }))
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}/question/{requestID}/reply", {
+        sessionID: ctx.state.id,
+        requestID: "que_httpapi_missing",
+      }),
+      headers: ctx.headers(),
+      body: { answers: [] },
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .post("/api/session/{sessionID}/question/{requestID}/reject", "v2.session.question.reject")
+    .seeded((ctx) => ctx.session({ title: "Question reject owner" }))
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}/question/{requestID}/reject", {
+        sessionID: ctx.state.id,
+        requestID: "que_httpapi_missing",
+      }),
+      headers: ctx.headers(),
+    }))
+    .json(404, object, "status"),
+  http.protected.get("/api/permission/saved", "v2.permission.saved.list").json(200, (body) => {
+    object(body)
+    array(body.data)
+  }),
+  http.protected
+    .delete("/api/permission/saved/{id}", "v2.permission.saved.remove")
+    .at((ctx) => ({ path: route("/api/permission/saved/{id}", { id: "psv_httpapi_missing" }), headers: ctx.headers() }))
+    .status(204, undefined, "status"),
+  http.protected
+    .get("/api/session", "v2.session.list")
+    .at((ctx) => ({ path: "/api/session?roots=true", headers: ctx.headers() }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        array(body.data)
+        object(body.cursor)
+      },
+      "none",
+    ),
+  http.protected
+    .get("/api/session", "v2.session.list.filters")
+    .at((ctx) => ({
+      path: `/api/session?${new URLSearchParams({
+        limit: "2",
+        order: "asc",
+        path: ".",
+        roots: "false",
+        start: "0",
+        search: "missing",
+        directory: ctx.directory ?? "",
+      })}`,
+      headers: ctx.headers(),
+    }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        array(body.data)
+        object(body.cursor)
+      },
+      "none",
+    ),
+  http.protected
+    .get("/api/session", "v2.session.list.cursor")
+    .at((ctx) => ({
+      path: `/api/session?${new URLSearchParams({
+        limit: "2",
+        cursor: cursor({
+          order: "desc",
+          directory: ctx.directory,
+          anchor: { id: "ses_httpapi_missing", time: 0, direction: "next" },
+        }),
+      })}`,
+      headers: ctx.headers(),
+    }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        array(body.data)
+        object(body.cursor)
+      },
+      "none",
+    ),
+  http.protected
+    .get("/api/session", "v2.session.list.cursor.invalid")
+    .at((ctx) => ({
+      path: `/api/session?${new URLSearchParams({
+        cursor: "invalid",
+      })}`,
+      headers: ctx.headers(),
+    }))
+    .status(400, undefined, "none"),
+  http.protected
+    .post("/api/session", "v2.session.create")
+    .at((ctx) => ({
+      path: "/api/session",
+      headers: { ...ctx.headers(), "content-type": "application/json" },
+      body: {},
+    }))
+    .json(200, data(object)),
+  http.protected
+    .get("/api/session/{sessionID}", "v2.session.get")
+    .seeded((ctx) => ctx.session({ title: "Session get" }))
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+    }))
+    .json(200, data(object)),
+  http.protected
+    .get("/api/session/{sessionID}/context", "v2.session.context")
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}/context", { sessionID: "ses_httpapi_missing" }),
+      headers: ctx.headers(),
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .get("/api/session/{sessionID}/message", "v2.session.messages")
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}/message", { sessionID: "ses_httpapi_missing" }),
+      headers: ctx.headers(),
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .get("/api/session/{sessionID}/message", "v2.session.messages.params")
+    .at((ctx) => ({
+      path: `${route("/api/session/{sessionID}/message", { sessionID: "ses_httpapi_missing" })}?${new URLSearchParams({
+        limit: "2",
+        order: "asc",
+      })}`,
+      headers: ctx.headers(),
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .get("/api/session/{sessionID}/message", "v2.session.messages.cursor")
+    .at((ctx) => ({
+      path: `${route("/api/session/{sessionID}/message", { sessionID: "ses_httpapi_missing" })}?${new URLSearchParams({
+        limit: "2",
+        directory: ctx.directory ?? "",
+        cursor: cursor({ id: "msg_httpapi_missing", time: 0, order: "desc", direction: "next" }),
+      })}`,
+      headers: ctx.headers(),
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .get("/api/session/{sessionID}/message", "v2.session.messages.cursor.invalid")
+    .seeded((ctx) => ctx.session({ title: "Invalid message cursor owner" }))
+    .at((ctx) => ({
+      path: `${route("/api/session/{sessionID}/message", { sessionID: ctx.state.id })}?${new URLSearchParams({
+        cursor: cursor({ id: "msg_httpapi_missing", time: 0, order: "desc", direction: "next" }),
+        order: "asc",
+      })}`,
+      headers: ctx.headers(),
+    }))
+    .status(400, undefined, "none"),
+  http.protected
+    .post("/api/session/{sessionID}/prompt", "v2.session.prompt.invalid")
+    .seeded((ctx) => ctx.session({ title: "Invalid prompt owner" }))
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}/prompt", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: {},
+    }))
+    .status(400, undefined, "none"),
+  http.protected
+    .post("/api/session/{sessionID}/compact", "v2.session.compact")
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}/compact", { sessionID: "ses_httpapi_missing" }),
+      headers: ctx.headers(),
+    }))
+    .status(404, undefined, "status"),
+  http.protected
+    .post("/api/session/{sessionID}/wait", "v2.session.wait")
+    .at((ctx) => ({
+      path: route("/api/session/{sessionID}/wait", { sessionID: "ses_httpapi_missing" }),
+      headers: ctx.headers(),
+    }))
+    .status(404, undefined, "status"),
+  http.protected
+    .get("/session", "session.list")
+    .seeded((ctx) => ctx.session({ title: "List me" }))
+    .at((ctx) => ({ path: "/session?roots=true", headers: ctx.headers() }))
+    .json(200, (body, ctx) => {
+      array(body)
+      check(
+        body.some((item) => isRecord(item) && item.id === ctx.state.id && item.title === "List me"),
+        "seeded session should be listed",
+      )
+    }),
+  http.protected
+    .get("/session/status", "session.status")
+    .seeded((ctx) => ctx.session({ title: "Status session" }))
+    .json(200, object),
+  http.protected
+    .post("/session", "session.create")
+    .mutating()
+    .at((ctx) => ({ path: "/session", headers: ctx.headers(), body: { title: "Created session" } }))
+    .json(
+      200,
+      (body, ctx) => {
+        object(body)
+        check(body.title === "Created session", "created session should use requested title")
+        check(body.directory === ctx.directory, "created session should use scenario directory")
+      },
+      "status",
+    ),
+  http.protected
+    .get("/session/{sessionID}", "session.get")
+    .seeded((ctx) => ctx.session({ title: "Get me" }))
+    .at((ctx) => ({ path: route("/session/{sessionID}", { sessionID: ctx.state.id }), headers: ctx.headers() }))
+    .json(200, (body, ctx) => {
+      object(body)
+      check(body.id === ctx.state.id, "should return requested session")
+      check(body.title === "Get me", "should preserve seeded title")
+    }),
+  http.protected
+    .get("/session/{sessionID}", "session.get.missing")
+    .at((ctx) => ({
+      path: route("/session/{sessionID}", { sessionID: "ses_httpapi_missing" }),
+      headers: ctx.headers(),
+    }))
+    .status(404),
+  http.protected
+    .patch("/session/{sessionID}", "session.update")
+    .mutating()
+    .seeded((ctx) => ctx.session({ title: "Before rename" }))
+    .at((ctx) => ({
+      path: route("/session/{sessionID}", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: { title: "After rename" },
+    }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        check(body.title === "After rename", "updated session should use new title")
+      },
+      "status",
+    ),
+  http.protected
+    .patch("/session/{sessionID}", "session.update.invalid")
+    .mutating()
+    .at((ctx) => ({
+      path: route("/session/{sessionID}", { sessionID: "ses_httpapi_missing" }),
+      headers: ctx.headers(),
+      body: { title: 1 },
+    }))
+    .status(400),
+  http.protected
+    .delete("/session/{sessionID}", "session.delete")
+    .mutating()
+    .seeded((ctx) => ctx.session({ title: "Delete me" }))
+    .at((ctx) => ({ path: route("/session/{sessionID}", { sessionID: ctx.state.id }), headers: ctx.headers() }))
+    .jsonEffect(200, (body, ctx) =>
+      Effect.gen(function* () {
+        check(body === true, "delete should return true")
+        check((yield* ctx.sessionGet(ctx.state.id)) === undefined, "deleted session should not remain in storage")
+      }),
+    ),
+  http.protected
+    .get("/session/{sessionID}/children", "session.children")
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const parent = yield* ctx.session({ title: "Parent" })
+        const child = yield* ctx.session({ title: "Child", parentID: parent.id })
+        return { parent, child }
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/children", { sessionID: ctx.state.parent.id }),
+      headers: ctx.headers(),
+    }))
+    .json(200, (body, ctx) => {
+      array(body)
+      check(
+        body.some((item) => isRecord(item) && item.id === ctx.state.child.id && item.parentID === ctx.state.parent.id),
+        "children should include seeded child",
+      )
+    }),
+  http.protected
+    .get("/session/{sessionID}/todo", "session.todo")
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "Todo session" })
+        const todos = [{ content: "cover session todo", status: "pending", priority: "high" }]
+        yield* ctx.todos(session.id, todos)
+        return { session, todos }
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/todo", { sessionID: ctx.state.session.id }),
+      headers: ctx.headers(),
+    }))
+    .json(200, (body, ctx) => {
+      check(stable(body) === stable(ctx.state.todos), "todos should match seeded state")
+    }),
+  http.protected
+    .get("/session/{sessionID}/diff", "session.diff")
+    .seeded((ctx) => ctx.session({ title: "Diff session" }))
+    .at((ctx) => ({ path: route("/session/{sessionID}/diff", { sessionID: ctx.state.id }), headers: ctx.headers() }))
+    .json(200, array),
+  http.protected
+    .get("/session/{sessionID}/message", "session.messages")
+    .seeded((ctx) => ctx.session({ title: "Messages session" }))
+    .at((ctx) => ({ path: route("/session/{sessionID}/message", { sessionID: ctx.state.id }), headers: ctx.headers() }))
+    .json(200, (body) => {
+      array(body)
+      check(body.length === 0, "new session should have no messages")
+    }),
+  http.protected
+    .get("/session/{sessionID}/message/{messageID}", "session.message")
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "Message get session" })
+        const message = yield* ctx.message(session.id, { text: "read me" })
+        return { session, message }
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/message/{messageID}", {
+        sessionID: ctx.state.session.id,
+        messageID: ctx.state.message.info.id,
+      }),
+      headers: ctx.headers(),
+    }))
+    .json(200, (body, ctx) => {
+      object(body)
+      check(isRecord(body.info) && body.info.id === ctx.state.message.info.id, "should return requested message")
+      check(
+        Array.isArray(body.parts) && body.parts.some((part) => isRecord(part) && part.id === ctx.state.message.part.id),
+        "message should include seeded part",
+      )
+    }),
+  http.protected
+    .patch("/session/{sessionID}/message/{messageID}/part/{partID}", "part.update")
+    .mutating()
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "Part update session" })
+        const message = yield* ctx.message(session.id, { text: "before" })
+        return { session, message }
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/message/{messageID}/part/{partID}", {
+        sessionID: ctx.state.session.id,
+        messageID: ctx.state.message.info.id,
+        partID: ctx.state.message.part.id,
+      }),
+      headers: ctx.headers(),
+      body: { ...ctx.state.message.part, text: "after" },
+    }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        check(body.type === "text" && body.text === "after", "updated part should be returned")
+      },
+      "status",
+    ),
+  http.protected
+    .delete("/session/{sessionID}/message/{messageID}/part/{partID}", "part.delete")
+    .mutating()
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "Part delete session" })
+        const message = yield* ctx.message(session.id, { text: "delete part" })
+        return { session, message }
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/message/{messageID}/part/{partID}", {
+        sessionID: ctx.state.session.id,
+        messageID: ctx.state.message.info.id,
+        partID: ctx.state.message.part.id,
+      }),
+      headers: ctx.headers(),
+    }))
+    .jsonEffect(200, (body, ctx) =>
+      Effect.gen(function* () {
+        check(body === true, "delete part should return true")
+        const messages = yield* ctx.messages(ctx.state.session.id)
+        check(messages[0]?.parts.length === 0, "deleted part should not remain on message")
+      }),
+    ),
+  http.protected
+    .delete("/session/{sessionID}/message/{messageID}", "session.deleteMessage")
+    .mutating()
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "Message delete session" })
+        const message = yield* ctx.message(session.id, { text: "delete message" })
+        return { session, message }
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/message/{messageID}", {
+        sessionID: ctx.state.session.id,
+        messageID: ctx.state.message.info.id,
+      }),
+      headers: ctx.headers(),
+    }))
+    .jsonEffect(200, (body, ctx) =>
+      Effect.gen(function* () {
+        check(body === true, "delete message should return true")
+        check((yield* ctx.messages(ctx.state.session.id)).length === 0, "deleted message should not remain")
+      }),
+    ),
+  http.protected
+    .post("/session/{sessionID}/fork", "session.fork")
+    .mutating()
+    .seeded((ctx) => ctx.session({ title: "Fork source" }))
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/fork", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: {},
+    }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        check(typeof body.id === "string", "fork should return a session")
+      },
+      "status",
+    ),
+  http.protected
+    .post("/session/{sessionID}/abort", "session.abort")
+    .mutating()
+    .seeded((ctx) => ctx.session({ title: "Abort session" }))
+    .at((ctx) => ({ path: route("/session/{sessionID}/abort", { sessionID: ctx.state.id }), headers: ctx.headers() }))
+    .json(200, (body) => {
+      check(body === true, "abort should return true")
+    }),
+  http.protected
+    .post("/session/{sessionID}/abort", "session.abort.missing")
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/abort", { sessionID: "ses_httpapi_missing" }),
+      headers: ctx.headers(),
+    }))
+    .json(200, (body) => {
+      check(body === true, "missing session abort should remain a no-op success")
+    }),
+  http.protected
+    .post("/session/{sessionID}/init", "session.init")
+    .preserveDatabase()
+    .withLlm()
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "Init session" })
+        const message = yield* ctx.message(session.id, { text: "initialize" })
+        yield* ctx.llmText("initialized")
+        yield* ctx.llmText("initialized")
+        return { session, message }
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/init", { sessionID: ctx.state.session.id }),
+      headers: ctx.headers(),
+      body: { providerID: "test", modelID: "test-model", messageID: ctx.state.message.info.id },
+    }))
+    .jsonEffect(200, (body, ctx) =>
+      Effect.gen(function* () {
+        check(body === true, "init should return true")
+        yield* ctx.llmWait(1)
+      }),
+    ),
+  http.protected
+    .post("/session/{sessionID}/message", "session.prompt")
+    .preserveDatabase()
+    .withLlm()
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "LLM prompt session" })
+        yield* ctx.llmText("fake assistant")
+        yield* ctx.llmText("fake assistant")
+        return session
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/message", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: {
+        agent: "build",
+        model: { providerID: "test", modelID: "test-model" },
+        parts: [{ type: "text", text: "hello llm" }],
+      },
+    }))
+    .jsonEffect(
+      200,
+      (body, ctx) =>
+        Effect.gen(function* () {
+          object(body)
+          check(isRecord(body.info) && body.info.role === "assistant", "prompt should return assistant message")
+          check(
+            Array.isArray(body.parts) && body.parts.some((part) => isRecord(part) && part.text === "fake assistant"),
+            "assistant message should use fake LLM text",
+          )
+          yield* ctx.llmWait(1)
+        }),
+      "status",
+    ),
+  http.protected
+    .post("/session/{sessionID}/prompt_async", "session.prompt_async")
+    .preserveDatabase()
+    .withLlm()
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "Async prompt session" })
+        yield* ctx.llmText("fake async assistant")
+        yield* ctx.llmText("fake async assistant")
+        return session
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/prompt_async", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: {
+        agent: "build",
+        model: { providerID: "test", modelID: "test-model" },
+        parts: [{ type: "text", text: "hello async" }],
+      },
+    }))
+    .status(204, (ctx) =>
+      Effect.gen(function* () {
+        yield* ctx.llmWait(1)
+      }),
+    ),
+  http.protected
+    .post("/session/{sessionID}/command", "session.command")
+    .preserveDatabase()
+    .withLlm()
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "Command session" })
+        yield* ctx.llmText("command done")
+        yield* ctx.llmText("command done")
+        return session
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/command", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: { command: "init", arguments: "", model: "test/test-model" },
+    }))
+    .jsonEffect(
+      200,
+      (body, ctx) =>
+        Effect.gen(function* () {
+          object(body)
+          check(isRecord(body.info) && body.info.role === "assistant", "command should return assistant message")
+          yield* ctx.llmWait(1)
+        }),
+      "status",
+    ),
+  http.protected
+    .post("/session/{sessionID}/shell", "session.shell")
+    .preserveDatabase()
+    .mutating()
+    .seeded((ctx) => ctx.session({ title: "Shell session" }))
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/shell", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: { agent: "build", model: { providerID: "test", modelID: "test-model" }, command: "printf shell-ok" },
+    }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        check(isRecord(body.info) && body.info.role === "assistant", "shell should return assistant message")
+        check(
+          Array.isArray(body.parts) && body.parts.some((part) => isRecord(part) && part.type === "tool"),
+          "shell should return a tool part",
+        )
+      },
+      "status",
+    ),
+  http.protected
+    .post("/session/{sessionID}/summarize", "session.summarize")
+    .preserveDatabase()
+    .withLlm()
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "Summarize session" })
+        yield* ctx.message(session.id, { text: "summarize this work" })
+        const summary = [
+          "## Goal",
+          "- Exercise session summarize.",
+          "",
+          "## Constraints & Preferences",
+          "- Use fake LLM.",
+          "",
+          "## Progress",
+          "### Done",
+          "- Summary generated.",
+          "",
+          "### In Progress",
+          "- (none)",
+          "",
+          "### Blocked",
+          "- (none)",
+          "",
+          "## Key Decisions",
+          "- Keep route local.",
+          "",
+          "## Next Steps",
+          "- (none)",
+          "",
+          "## Critical Context",
+          "- Test fixture.",
+          "",
+          "## Relevant Files",
+          "- test/server/httpapi-exercise/index.ts: scenario",
+        ].join("\n")
+        yield* ctx.llmText(summary)
+        yield* ctx.llmText(summary)
+        return session
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/summarize", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+      body: { providerID: "test", modelID: "test-model", auto: false },
+    }))
+    .jsonEffect(
+      200,
+      (body, ctx) =>
+        Effect.gen(function* () {
+          check(body === true, "summarize should return true")
+          const messages = yield* ctx.messages(ctx.state.id)
+          check(
+            messages.some((message) => message.info.role === "assistant" && message.info.summary === true),
+            "summarize should create a summary assistant message",
+          )
+          yield* ctx.llmWait(1)
+        }),
+      "status",
+    ),
+  http.protected
+    .post("/session/{sessionID}/revert", "session.revert")
+    .mutating()
+    .seeded((ctx) =>
+      Effect.gen(function* () {
+        const session = yield* ctx.session({ title: "Revert session" })
+        const message = yield* ctx.message(session.id, { text: "revert me" })
+        return { session, message }
+      }),
+    )
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/revert", { sessionID: ctx.state.session.id }),
+      headers: ctx.headers(),
+      body: { messageID: ctx.state.message.info.id },
+    }))
+    .json(
+      200,
+      (body, ctx) => {
+        object(body)
+        check(body.id === ctx.state.session.id, "revert should return the session")
+        check(
+          isRecord(body.revert) && body.revert.messageID === ctx.state.message.info.id,
+          "revert should record reverted message",
+        )
+      },
+      "status",
+    ),
+  http.protected
+    .post("/session/{sessionID}/unrevert", "session.unrevert")
+    .mutating()
+    .seeded((ctx) => ctx.session({ title: "Unrevert session" }))
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/unrevert", { sessionID: ctx.state.id }),
+      headers: ctx.headers(),
+    }))
+    .json(
+      200,
+      (body, ctx) => {
+        object(body)
+        check(body.id === ctx.state.id, "unrevert should return the session")
+      },
+      "status",
+    ),
+  http.protected
+    .post("/session/{sessionID}/permissions/{permissionID}", "permission.respond")
+    .seeded((ctx) => ctx.session({ title: "Deprecated permission session" }))
+    .at((ctx) => ({
+      path: route("/session/{sessionID}/permissions/{permissionID}", {
+        sessionID: ctx.state.id,
+        permissionID: "per_httpapi_deprecated",
+      }),
+      headers: ctx.headers(),
+      body: { response: "once" },
+    }))
+    .json(404, object, "status"),
+  http.protected
+    .post("/session/{sessionID}/share", "session.share")
+    .mutating()
+    .seeded((ctx) => ctx.session({ title: "Share session" }))
+    .at((ctx) => ({ path: route("/session/{sessionID}/share", { sessionID: ctx.state.id }), headers: ctx.headers() }))
+    .json(
+      200,
+      (body, ctx) => {
+        object(body)
+        check(body.id === ctx.state.id, "share should return the session")
+      },
+      "status",
+    ),
+  http.protected
+    .delete("/session/{sessionID}/share", "session.unshare")
+    .mutating()
+    .seeded((ctx) => ctx.session({ title: "Unshare session" }))
+    .at((ctx) => ({ path: route("/session/{sessionID}/share", { sessionID: ctx.state.id }), headers: ctx.headers() }))
+    .json(
+      200,
+      (body, ctx) => {
+        object(body)
+        check(body.id === ctx.state.id, "unshare should return the session")
+      },
+      "status",
+    ),
+  http.protected
+    .post("/tui/append-prompt", "tui.appendPrompt")
+    .at((ctx) => ({ path: "/tui/append-prompt", headers: ctx.headers(), body: { text: "hello" } }))
+    .json(200, boolean, "status"),
+  http.protected
+    .post("/tui/select-session", "tui.selectSession.invalid")
+    .at((ctx) => ({ path: "/tui/select-session", headers: ctx.headers(), body: { sessionID: "invalid" } }))
+    .status(400),
+  http.protected.post("/tui/open-help", "tui.openHelp").json(200, boolean, "status"),
+  http.protected.post("/tui/open-sessions", "tui.openSessions").json(200, boolean, "status"),
+  http.protected.post("/tui/open-themes", "tui.openThemes").json(200, boolean, "status"),
+  http.protected.post("/tui/open-models", "tui.openModels").json(200, boolean, "status"),
+  http.protected.post("/tui/submit-prompt", "tui.submitPrompt").json(200, boolean, "status"),
+  http.protected.post("/tui/clear-prompt", "tui.clearPrompt").json(200, boolean, "status"),
+  http.protected
+    .post("/tui/execute-command", "tui.executeCommand")
+    .at((ctx) => ({ path: "/tui/execute-command", headers: ctx.headers(), body: { command: "agent_cycle" } }))
+    .json(200, boolean, "status"),
+  http.protected
+    .post("/tui/show-toast", "tui.showToast")
+    .at((ctx) => ({
+      path: "/tui/show-toast",
+      headers: ctx.headers(),
+      body: { title: "Exercise", message: "covered", variant: "info", duration: 1000 },
+    }))
+    .json(200, boolean, "status"),
+  http.protected
+    .post("/tui/publish", "tui.publish")
+    .at((ctx) => ({
+      path: "/tui/publish",
+      headers: ctx.headers(),
+      body: { type: "tui.prompt.append", properties: { text: "published" } },
+    }))
+    .json(200, boolean, "status"),
+  http.protected
+    .post("/tui/select-session", "tui.selectSession")
+    .seeded((ctx) => ctx.session({ title: "TUI select" }))
+    .at((ctx) => ({ path: "/tui/select-session", headers: ctx.headers(), body: { sessionID: ctx.state.id } }))
+    .json(200, boolean, "status"),
+  http.protected
+    .post("/tui/control/response", "tui.control.response")
+    .at((ctx) => ({ path: "/tui/control/response", headers: ctx.headers(), body: { ok: true } }))
+    .json(200, boolean, "status"),
+  http.protected
+    .get("/tui/control/next", "tui.control.next")
+    .mutating()
+    .seeded((ctx) => ctx.tuiRequest({ path: "/tui/exercise", body: { text: "queued" } }))
+    .json(
+      200,
+      (body) => {
+        object(body)
+        check(body.path === "/tui/exercise", "control next should return queued path")
+        object(body.body)
+        check(body.body.text === "queued", "control next should return queued body")
+      },
+      "status",
+    ),
+  http.protected
+    .post("/global/upgrade", "global.upgrade")
+    .global()
+    .probe({ path: "/global/upgrade", body: { target: 1 } })
+    .at(() => ({ path: "/global/upgrade", body: { target: 1 } }))
+    .status(400),
+]
+
+const llmScenarios = new Set([
+  "session.init",
+  "session.prompt",
+  "session.prompt_async",
+  "session.command",
+  "session.summarize",
+])
+
+const main = Effect.gen(function* () {
+  yield* Effect.addFinalizer(() => Effect.promise(() => disposeApps()).pipe(Effect.andThen(cleanupExercisePaths)))
+  const options = parseOptions(Bun.argv.slice(2))
+  const modules = yield* Effect.promise(() => runtime())
+  const effectRoutes = routeKeys(OpenApi.fromApi(modules.PublicApi))
+  const selected = selectedScenarios(options, scenarios)
+  const missing = effectRoutes.filter((route) => !scenarios.some((scenario) => route === routeKey(scenario)))
+  const extra = scenarios.filter((scenario) => !effectRoutes.includes(routeKey(scenario)))
+
+  for (const scenario of scenarios) {
+    if (scenario.kind === "active" && llmScenarios.has(scenario.name) && !scenario.project?.llm) {
+      return yield* Effect.fail(new Error(`${scenario.name} must use TestLLMServer via .withLlm()`))
+    }
+  }
+
+  printHeader(options, effectRoutes, selected, missing, extra, {
+    database: exerciseDatabasePath,
+    global: exerciseGlobalRoot,
+  })
+
+  const results =
+    options.mode === "coverage"
+      ? selected.map(coverageResult)
+      : yield* Effect.forEach(
+          selected,
+          (scenario) =>
+            Effect.gen(function* () {
+              if (options.progress) console.log(`${color.dim}RUN ${routeKey(scenario)} ${scenario.name}${color.reset}`)
+              return yield* runScenario(options)(scenario)
+            }),
+          { concurrency: 1 },
+        )
+  printResults(results, missing, extra)
+
+  if (results.some((result) => result.status === "fail"))
+    return yield* Effect.fail(new Error("one or more scenarios failed"))
+  if (options.failOnSkip && results.some((result) => result.status === "skip"))
+    return yield* Effect.fail(new Error("one or more scenarios are skipped"))
+  if (options.failOnMissing && missing.length > 0)
+    return yield* Effect.fail(new Error("one or more routes have no scenario"))
+  return undefined
+})
+
+Effect.runPromise(main.pipe(Effect.provide(TestLLMServer.layer), Effect.scoped)).then(
+  () => process.exit(0),
+  (error: unknown) => {
+    console.error(`${color.red}${message(error)}${color.reset}`)
+    process.exit(1)
+  },
+)