@wopr-network/platform-ui-core 1.27.8 → 1.27.9

package/next.config.ts

@@ -1,7 +1,6 @@
 import type { NextConfig } from "next";
 
-const isSecureOrigin =
-  (process.env.NEXT_PUBLIC_API_URL ?? "").startsWith("https://");
+const isSecureOrigin = (process.env.NEXT_PUBLIC_API_URL ?? "").startsWith("https://");
 
 const nextConfig: NextConfig = {
   output: "standalone",

package/package.json

@@ -1,13 +1,12 @@
 {
   "name": "@wopr-network/platform-ui-core",
-  "version": "1.27.8",
+  "version": "1.27.9",
   "description": "Brand-agnostic AI agent platform UI — deploy as any brand via env vars",
   "repository": {
     "type": "git",
     "url": "https://github.com/wopr-network/platform-ui-core.git"
   },
   "license": "UNLICENSED",
-  "packageManager": "pnpm@10.31.0",
   "exports": {
     ".": "./src/lib/index.ts",
     "./app/*": "./src/app/*",
@@ -32,22 +31,13 @@
     "vitest.config.ts",
     ".env.wopr"
   ],
-  "scripts": {
-    "dev": "next dev",
-    "build": "next build",
-    "start": "next start",
-    "lint": "biome check src/",
-    "format": "biome format --write src/",
-    "check": "biome check src/ && tsc --noEmit",
-    "test": "vitest run",
-    "test:e2e": "playwright test"
-  },
   "dependencies": {
     "@hookform/resolvers": "^5.2.2",
     "@noble/hashes": "^2.0.1",
+    "@radix-ui/react-portal": "^1.1.10",
     "@scure/bip32": "^2.0.1",
     "@scure/bip39": "^2.0.1",
-    "@stripe/react-stripe-js": "^5.6.0",
+    "@stripe/react-stripe-js": "^6.0.0",
     "@stripe/stripe-js": "^8.7.0",
     "@tanstack/react-query": "^5.90.21",
     "@trpc/client": "^11.10.0",
@@ -56,7 +46,7 @@
     "class-variance-authority": "^0.7.1",
     "clsx": "^2.1.1",
     "framer-motion": "^12.34.0",
-    "lucide-react": "^0.563.0",
+    "lucide-react": "^1.7.0",
     "next": "16.1.6",
     "next-themes": "^0.4.6",
     "qrcode.react": "^4.2.0",
@@ -84,9 +74,9 @@
     "@types/node": "^20",
     "@types/react": "^19",
     "@types/react-dom": "^19",
-    "@vitejs/plugin-react": "^5.1.4",
+    "@vitejs/plugin-react": "^6.0.0",
     "@vitest/coverage-v8": "^4.0.18",
-    "jsdom": "^28.0.0",
+    "jsdom": "^29.0.1",
     "shadcn": "^3.8.4",
     "tailwindcss": "^4",
     "tw-animate-css": "^1.4.0",
@@ -95,5 +85,15 @@
   },
   "release": {
     "extends": "@wopr-network/semantic-release-config"
+  },
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "biome check src/",
+    "format": "biome format --write src/",
+    "check": "biome check src/ && tsc --noEmit",
+    "test": "vitest run",
+    "test:e2e": "playwright test"
   }
-}
+}

package/src/__tests__/account-switcher.test.tsx

@@ -1,5 +1,4 @@
 import { render, screen } from "@testing-library/react";
-import userEvent from "@testing-library/user-event";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 
 const mockSwitchTenant = vi.fn();
@@ -39,36 +38,38 @@ describe("AccountSwitcher", () => {
     expect(screen.getByText("Alice")).toBeInTheDocument();
   });
 
-  it("shows PERSONAL badge for personal account", () => {
+  it("renders a fallback icon for tenants without images", () => {
     render(<AccountSwitcher />);
-    expect(screen.getByText("PERSONAL")).toBeInTheDocument();
+    // The component renders a span with bg-sidebar-accent class as the fallback icon
+    const icon = document.querySelector(".bg-sidebar-accent");
+    expect(icon).not.toBeNull();
   });
 
-  it("shows all tenants when clicked", async () => {
-    const user = userEvent.setup();
-    render(<AccountSwitcher />);
-    await user.click(screen.getByRole("button"));
-    expect(screen.getByText("My Team")).toBeInTheDocument();
-  });
+  it("renders nothing when no tenants exist", () => {
+    mockUseTenant.mockReturnValue({
+      activeTenantId: "",
+      tenants: [],
+      isLoading: false,
+      switchTenant: mockSwitchTenant,
+    });
 
-  it("calls switchTenant when an org is selected", async () => {
-    const user = userEvent.setup();
-    render(<AccountSwitcher />);
-    await user.click(screen.getByRole("button"));
-    await user.click(screen.getByText("My Team"));
-    expect(mockSwitchTenant).toHaveBeenCalledWith("org-1");
+    const { container } = render(<AccountSwitcher />);
+    expect(container.firstChild).toBeNull();
   });
 
-  it("renders nothing when only one tenant exists", () => {
+  it("falls back to first tenant when activeTenantId does not match", () => {
     mockUseTenant.mockReturnValue({
-      activeTenantId: "user-1",
-      tenants: [{ id: "user-1", name: "Alice", type: "personal" as const, image: null }],
+      activeTenantId: "nonexistent",
+      tenants: [
+        { id: "user-1", name: "Alice", type: "personal" as const, image: null },
+        { id: "org-1", name: "My Team", type: "org" as const, image: null },
+      ],
       isLoading: false,
       switchTenant: mockSwitchTenant,
     });
 
-    const { container } = render(<AccountSwitcher />);
-    expect(container.firstChild).toBeNull();
+    render(<AccountSwitcher />);
+    expect(screen.getByText("Alice")).toBeInTheDocument();
   });
 
   it("renders nothing while loading", () => {

package/src/__tests__/activity-page.test.tsx

@@ -120,9 +120,7 @@ describe("ActivityPage", () => {
     // Wait for debounce (300ms) + API call
     await vi.waitFor(
       () => {
-        expect(mockFetchAuditLog).toHaveBeenLastCalledWith(
-          expect.objectContaining({ search: "billing", offset: 0 }),
-        );
+        expect(mockFetchAuditLog).toHaveBeenLastCalledWith(expect.objectContaining({ search: "billing", offset: 0 }));
       },
       { timeout: 1000 },
     );
@@ -160,9 +158,7 @@ describe("ActivityPage", () => {
     });
     await user.click(screen.getByRole("button", { name: "Next" }));
 
-    expect(mockFetchAuditLog).toHaveBeenLastCalledWith(
-      expect.objectContaining({ offset: 50, limit: 50 }),
-    );
+    expect(mockFetchAuditLog).toHaveBeenLastCalledWith(expect.objectContaining({ offset: 50, limit: 50 }));
   });
 
   it("calls fetchAuditLog with correct params", async () => {

package/src/__tests__/add-payment-method-dialog.test.tsx

@@ -8,9 +8,7 @@ const mockUseStripe = vi.fn(() => ({ confirmSetup: mockConfirmSetup }));
 const mockUseElements = vi.fn(() => ({}));
 
 vi.mock("@stripe/react-stripe-js", () => ({
-  Elements: ({ children }: { children: React.ReactNode }) => (
-    <div data-testid="stripe-elements">{children}</div>
-  ),
+  Elements: ({ children }: { children: React.ReactNode }) => <div data-testid="stripe-elements">{children}</div>,
   PaymentElement: () => <div data-testid="payment-element" />,
   useStripe: () => mockUseStripe(),
   useElements: () => mockUseElements(),
@@ -44,9 +42,7 @@ describe("AddPaymentMethodDialog", () => {
   });
 
   it("fetches setup intent and renders PaymentElement when opened", async () => {
-    render(
-      <AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} />,
-    );
+    render(<AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} />);
 
     await waitFor(() => {
       expect(createSetupIntent).toHaveBeenCalledOnce();
@@ -56,13 +52,9 @@ describe("AddPaymentMethodDialog", () => {
   });
 
   it("shows error and retry button when setup intent fails", async () => {
-    (createSetupIntent as ReturnType<typeof vi.fn>).mockRejectedValueOnce(
-      new Error("Network error"),
-    );
+    (createSetupIntent as ReturnType<typeof vi.fn>).mockRejectedValueOnce(new Error("Network error"));
 
-    render(
-      <AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} />,
-    );
+    render(<AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} />);
 
     await waitFor(() => {
       expect(screen.getByText(/failed to initialize/i)).toBeInTheDocument();
@@ -74,9 +66,7 @@ describe("AddPaymentMethodDialog", () => {
   it("calls confirmSetup on form submit and triggers onSuccess", async () => {
     mockConfirmSetup.mockResolvedValueOnce({ setupIntent: { status: "succeeded" } });
 
-    render(
-      <AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} />,
-    );
+    render(<AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} />);
 
     await waitFor(() => {
       expect(screen.getByTestId("payment-element")).toBeInTheDocument();
@@ -96,9 +86,7 @@ describe("AddPaymentMethodDialog", () => {
       error: { message: "Your card was declined." },
     });
 
-    render(
-      <AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} />,
-    );
+    render(<AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} />);
 
     await waitFor(() => {
       expect(screen.getByTestId("payment-element")).toBeInTheDocument();
@@ -115,17 +103,13 @@ describe("AddPaymentMethodDialog", () => {
   });
 
   it("does not fetch setup intent when closed", () => {
-    render(
-      <AddPaymentMethodDialog open={false} onOpenChange={onOpenChange} onSuccess={onSuccess} />,
-    );
+    render(<AddPaymentMethodDialog open={false} onOpenChange={onOpenChange} onSuccess={onSuccess} />);
 
     expect(createSetupIntent).not.toHaveBeenCalled();
   });
 
   it("closes dialog when cancel is clicked", async () => {
-    render(
-      <AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} />,
-    );
+    render(<AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} />);
 
     await waitFor(() => {
       expect(screen.getByTestId("payment-element")).toBeInTheDocument();
@@ -142,14 +126,7 @@ describe("AddPaymentMethodDialog", () => {
       clientSecret: "seti_org_test_secret_456",
     });
 
-    render(
-      <AddPaymentMethodDialog
-        open={true}
-        onOpenChange={onOpenChange}
-        onSuccess={onSuccess}
-        orgId="org-123"
-      />,
-    );
+    render(<AddPaymentMethodDialog open={true} onOpenChange={onOpenChange} onSuccess={onSuccess} orgId="org-123" />);
 
     await waitFor(() => {
       expect(createOrgSetupIntent).toHaveBeenCalledWith("org-123");

package/src/__tests__/admin-api.test.ts

@@ -48,12 +48,7 @@ import {
   getAffiliateVelocity,
 } from "@/lib/admin-affiliate-api";
 
-import {
-  getCacheStats,
-  getDailyCost,
-  getPageCost,
-  getSessionCost,
-} from "@/lib/admin-inference-api";
+import { getCacheStats, getDailyCost, getPageCost, getSessionCost } from "@/lib/admin-inference-api";
 
 beforeEach(() => {
   vi.clearAllMocks();

package/src/__tests__/admin-gpu-api.test.ts

@@ -112,9 +112,7 @@ describe("provisionGpuNode", () => {
 
   it("throws when provisioning fails", async () => {
     mockApiFetch.mockRejectedValue(new Error("Quota exceeded"));
-    await expect(
-      provisionGpuNode({ name: "x", region: "nyc3", size: "gpu-h100x1" }),
-    ).rejects.toThrow("Quota exceeded");
+    await expect(provisionGpuNode({ name: "x", region: "nyc3", size: "gpu-h100x1" })).rejects.toThrow("Quota exceeded");
   });
 });
 

package/src/__tests__/admin-marketplace-api.test.ts

@@ -74,10 +74,7 @@ describe("getAllPlugins", () => {
 
 describe("getDiscoveryQueue", () => {
   it("returns only unreviewed plugins from tRPC", async () => {
-    const plugins = [
-      fakePlugin({ id: "a", reviewed: true }),
-      fakePlugin({ id: "b", reviewed: false }),
-    ];
+    const plugins = [fakePlugin({ id: "a", reviewed: true }), fakePlugin({ id: "b", reviewed: false })];
     mockListPlugins.query.mockResolvedValue(plugins);
 
     const result = await getDiscoveryQueue();

package/src/__tests__/admin-middleware.test.ts

@@ -1,8 +1,7 @@
-import { beforeEach, describe, expect, it, vi } from "vitest";
+import { describe, expect, it } from "vitest";
 
 // We test the middleware function directly by importing from the module.
-// The middleware was renamed from proxy.ts to middleware.ts by WOP-1128.
-import middleware from "../proxy";
+import middleware, { validateCsrfOrigin } from "../proxy";
 
 // Minimal NextRequest-compatible mock
 function mockRequest(opts: {
@@ -16,9 +15,7 @@ function mockRequest(opts: {
   if (!headers.has("host")) {
     headers.set("host", url.host);
   }
-  const cookieMap = new Map(
-    Object.entries(opts.cookies ?? {}).map(([k, v]) => [k, { name: k, value: v }]),
-  );
+  const cookieMap = new Map(Object.entries(opts.cookies ?? {}).map(([k, v]) => [k, { name: k, value: v }]));
   return {
     method: opts.method ?? "GET",
     url: opts.url,
@@ -32,126 +29,122 @@ function mockRequest(opts: {
   } as unknown as Parameters<typeof middleware>[0];
 }
 
-// Mock global fetch for Better Auth session calls
-const originalFetch = globalThis.fetch;
-
-beforeEach(() => {
-  globalThis.fetch = originalFetch;
-});
-
-describe("Admin route middleware authorization", () => {
-  it("redirects non-admin users from /admin/tenants to /marketplace", async () => {
-    // Mock Better Auth get-session returning a regular user
-    globalThis.fetch = vi.fn().mockResolvedValue({
-      ok: true,
-      json: async () => ({
-        session: { id: "s1" },
-        user: { id: "u1", role: "user" },
-      }),
-    });
-
+describe("Middleware — CSP, CSRF, nonce, tenant forwarding", () => {
+  it("sets Content-Security-Policy header on responses", async () => {
     const req = mockRequest({
-      url: "https://localhost:3000/admin/tenants",
-      cookies: { "better-auth.session_token": "valid-token" },
+      url: "https://localhost:3000/marketplace",
     });
 
     const res = await middleware(req);
-    // Should redirect to /marketplace
-    expect(res.status).toBe(307);
-    expect(res.headers.get("location")).toContain("/marketplace");
+    expect(res.headers.get("content-security-policy")).not.toBeNull();
+    expect(res.headers.get("content-security-policy")).toContain("default-src 'self'");
   });
 
-  it("allows platform_admin users to access /admin/tenants", async () => {
-    globalThis.fetch = vi.fn().mockResolvedValue({
-      ok: true,
-      json: async () => ({
-        session: { id: "s1" },
-        user: { id: "u1", role: "platform_admin" },
-      }),
+  it("sets Vary header on responses", async () => {
+    const req = mockRequest({
+      url: "https://localhost:3000/marketplace",
     });
 
+    const res = await middleware(req);
+    expect(res.headers.get("vary")).toBe("*");
+  });
+
+  it("passes through GET requests to any route without auth check", async () => {
     const req = mockRequest({
       url: "https://localhost:3000/admin/tenants",
-      cookies: { "better-auth.session_token": "valid-token" },
     });
 
     const res = await middleware(req);
-    // Should pass through (not a redirect)
+    // Middleware no longer checks auth — just sets CSP headers and passes through
     expect(res.status).not.toBe(307);
+    expect(res.headers.get("content-security-policy")).not.toBeNull();
   });
 
-  it("redirects unauthenticated users from /admin to /login", async () => {
+  it("rejects CSRF-invalid POST to /api routes with 403", async () => {
     const req = mockRequest({
-      url: "https://localhost:3000/admin/tenants",
-      // No session cookie
+      method: "POST",
+      url: "https://localhost:3000/api/some-endpoint",
+      headers: {
+        host: "localhost:3000",
+        // No origin or referer — CSRF fails
+      },
     });
 
     const res = await middleware(req);
-    // Existing auth check should redirect to /login
-    expect(res.status).toBe(307);
-    expect(res.headers.get("location")).toContain("/login");
+    expect(res.status).toBe(403);
   });
 
-  it("redirects to /marketplace when session fetch fails", async () => {
-    // Simulate network error or 500 from Better Auth
-    globalThis.fetch = vi.fn().mockResolvedValue({
-      ok: false,
-      status: 500,
-      json: async () => ({}),
-    });
-
+  it("allows CSRF-valid POST to /api routes", async () => {
     const req = mockRequest({
-      url: "https://localhost:3000/admin/tenants",
-      cookies: { "better-auth.session_token": "valid-token" },
+      method: "POST",
+      url: "https://localhost:3000/api/some-endpoint",
+      headers: {
+        host: "localhost:3000",
+        origin: "https://localhost:3000",
+      },
     });
 
     const res = await middleware(req);
-    // On failure, deny access (fail closed)
-    expect(res.status).toBe(307);
-    expect(res.headers.get("location")).toContain("/marketplace");
+    expect(res.status).not.toBe(403);
   });
 
-  it("sets no-cache headers on admin page responses for admin users", async () => {
-    globalThis.fetch = vi.fn().mockResolvedValue({
-      ok: true,
-      json: async () => ({
-        session: { id: "s1" },
-        user: { id: "u1", role: "platform_admin" },
-      }),
-    });
-
+  it("exempts /api/auth/callback POST from CSRF checks", async () => {
     const req = mockRequest({
-      url: "https://localhost:3000/admin/tenants",
-      cookies: { "better-auth.session_token": "valid-token" },
+      method: "POST",
+      url: "https://localhost:3000/api/auth/callback",
+      headers: {
+        host: "localhost:3000",
+        // No origin — would normally fail CSRF
+      },
     });
 
     const res = await middleware(req);
-    expect(res.headers.get("cache-control")).toBe("no-store, no-cache, must-revalidate");
-    expect(res.headers.get("pragma")).toBe("no-cache");
+    expect(res.status).not.toBe(403);
   });
 
-  it("does not set restrictive cache headers on non-admin pages", async () => {
+  it("does not perform CSRF checks on GET requests to /api", async () => {
     const req = mockRequest({
-      url: "https://localhost:3000/marketplace",
-      cookies: { "better-auth.session_token": "valid-token" },
+      method: "GET",
+      url: "https://localhost:3000/api/some-endpoint",
     });
 
     const res = await middleware(req);
-    expect(res.headers.get("cache-control")).toBeNull();
-    expect(res.headers.get("pragma")).toBeNull();
+    expect(res.status).not.toBe(403);
   });
+});
 
-  it("does not call get-session for non-admin routes", async () => {
-    const fetchSpy = vi.fn();
-    globalThis.fetch = fetchSpy;
+describe("validateCsrfOrigin", () => {
+  it("returns true when origin matches host", () => {
+    const req = mockRequest({
+      url: "https://localhost:3000/api/test",
+      headers: {
+        host: "localhost:3000",
+        origin: "https://localhost:3000",
+      },
+    });
+    expect(validateCsrfOrigin(req)).toBe(true);
+  });
 
+  it("returns false when origin does not match host", () => {
     const req = mockRequest({
-      url: "https://localhost:3000/marketplace",
-      cookies: { "better-auth.session_token": "valid-token" },
+      url: "https://localhost:3000/api/test",
+      headers: {
+        host: "localhost:3000",
+        origin: "https://evil.com",
+      },
     });
+    expect(validateCsrfOrigin(req)).toBe(false);
+  });
 
-    await middleware(req);
-    // Should NOT have called Better Auth — not an admin route
-    expect(fetchSpy).not.toHaveBeenCalled();
+  it("returns false when no host header", () => {
+    const req = mockRequest({
+      url: "https://localhost:3000/api/test",
+      headers: {
+        origin: "https://localhost:3000",
+      },
+    });
+    // Override host to empty
+    req.headers.delete("host");
+    expect(validateCsrfOrigin(req)).toBe(false);
   });
 });

package/src/__tests__/affiliate-dashboard.test.tsx

@@ -164,8 +164,8 @@ describe("Affiliate Dashboard error state", () => {
   });
 });
 
-describe("Billing layout with Referrals nav", () => {
-  it("renders Refer & Earn navigation link", async () => {
+describe("Billing layout with Referrals content", () => {
+  it("renders child content inside billing layout", async () => {
     const { default: BillingLayout } = await import("../app/(dashboard)/billing/layout");
     render(
       <BillingLayout>
@@ -173,6 +173,6 @@ describe("Billing layout with Referrals nav", () => {
       </BillingLayout>,
     );
 
-    expect(screen.getByText("Refer & Earn")).toBeInTheDocument();
+    expect(screen.getByText("child content")).toBeInTheDocument();
   });
 });

package/src/__tests__/api-401-redirect.test.ts

@@ -5,6 +5,17 @@ vi.mock("@/lib/api-config", () => ({
   PLATFORM_BASE_URL: "https://api.test",
 }));
 
+/**
+ * Helper: wait for all pending microtasks/promises to flush.
+ * handleUnauthorized fires an async session check internally;
+ * we need to let that settle before asserting on mockLocation.href.
+ */
+function flushPromises() {
+  return new Promise<void>((resolve) => {
+    setTimeout(resolve, 0);
+  });
+}
+
 describe("401 redirect handling", () => {
   const mockLocation = { href: "", pathname: "/dashboard", search: "" };
   const mockFetch = vi.fn();
@@ -23,9 +34,15 @@ describe("401 redirect handling", () => {
     vi.unstubAllGlobals();
   });
 
-  it("handleUnauthorized redirects to /login with reason and callbackUrl", async () => {
+  it("handleUnauthorized throws UnauthorizedError and redirects when session is expired", async () => {
+    // Mock the internal session check to return no session (expired)
+    mockFetch.mockResolvedValueOnce({
+      json: () => Promise.resolve({ session: null }),
+    });
     const { handleUnauthorized } = await import("@/lib/fetch-utils");
     expect(() => handleUnauthorized()).toThrow("Session expired");
+    // Wait for the async session check to complete and trigger redirect
+    await flushPromises();
     expect(mockLocation.href).toBe("/login?reason=expired&callbackUrl=%2Fdashboard");
   });
 
@@ -37,27 +54,41 @@ describe("401 redirect handling", () => {
   });
 
   it("apiFetch redirects on 401", async () => {
+    // First call: the API request itself returns 401
     mockFetch.mockResolvedValueOnce({ ok: false, status: 401, statusText: "Unauthorized" });
+    // Second call: the internal session check returns expired
+    mockFetch.mockResolvedValueOnce({
+      json: () => Promise.resolve({ session: null }),
+    });
     const { getProfile } = await import("@/lib/api");
     await expect(getProfile()).rejects.toThrow("Session expired");
+    await flushPromises();
     expect(mockLocation.href).toContain("/login?reason=expired");
   });
 
-  it("fleetFetch redirects on 401", async () => {
+  it("fleetFetch (updateInstanceConfig) redirects on 401", async () => {
     mockFetch.mockResolvedValueOnce({ ok: false, status: 401, statusText: "Unauthorized" });
-    const { listInstances } = await import("@/lib/api");
-    await expect(listInstances()).rejects.toThrow("Session expired");
+    mockFetch.mockResolvedValueOnce({
+      json: () => Promise.resolve({ session: null }),
+    });
+    const { updateInstanceConfig } = await import("@/lib/api");
+    await expect(updateInstanceConfig("bot-1", {})).rejects.toThrow("Session expired");
+    await flushPromises();
     expect(mockLocation.href).toContain("/login?reason=expired");
   });
 
-  it("trpcFetch redirects on 401", async () => {
+  it("apiFetch (listProviderKeys) redirects on 401", async () => {
     mockFetch.mockResolvedValueOnce({ ok: false, status: 401, statusText: "Unauthorized" });
-    const { getCurrentPlan } = await import("@/lib/api");
-    await expect(getCurrentPlan()).rejects.toThrow("Session expired");
+    mockFetch.mockResolvedValueOnce({
+      json: () => Promise.resolve({ session: null }),
+    });
+    const { listProviderKeys } = await import("@/lib/api");
+    await expect(listProviderKeys()).rejects.toThrow("Session expired");
+    await flushPromises();
     expect(mockLocation.href).toContain("/login?reason=expired");
   });
 
-  it("non-401 errors still throw generic message from apiFetch", async () => {
+  it("non-401 errors still throw without redirecting", async () => {
     mockFetch.mockResolvedValueOnce({
       ok: false,
       status: 500,
@@ -65,14 +96,20 @@ describe("401 redirect handling", () => {
       json: () => Promise.resolve({}),
     });
     const { getProfile } = await import("@/lib/api");
-    await expect(getProfile()).rejects.toThrow("API error: 500 Internal Server Error");
+    // getProfile uses tRPC, so the error message comes from tRPC internals
+    await expect(getProfile()).rejects.toThrow();
+    // The key assertion: non-401 errors must NOT redirect to /login
     expect(mockLocation.href).toBe("");
   });
 
   it("bot-settings-data apiFetch redirects on 401", async () => {
     mockFetch.mockResolvedValueOnce({ ok: false, status: 401, statusText: "Unauthorized" });
+    mockFetch.mockResolvedValueOnce({
+      json: () => Promise.resolve({ session: null }),
+    });
     const { getBotSettings } = await import("@/lib/bot-settings-data");
     await expect(getBotSettings("bot-1")).rejects.toThrow("Session expired");
+    await flushPromises();
     expect(mockLocation.href).toContain("/login?reason=expired");
   });
 });