availsync 0.1.0

package/tests/integration/onboarding.verify.route.test.ts

@@ -0,0 +1,163 @@
+import { afterAll, beforeAll, describe, expect, test } from '@jest/globals';
+import pool from '../../src/db/client';
+import {
+  api,
+  closeDatabase,
+  createAgent,
+  createOrgAndAgent,
+  getWorkspaceCookie,
+  migrateTestDatabase,
+  resetDatabase,
+} from './helpers';
+
+describe('onboarding verification', () => {
+  beforeAll(async () => {
+    await migrateTestDatabase();
+    await resetDatabase();
+  });
+
+  afterAll(async () => {
+    await resetDatabase();
+    await closeDatabase();
+  });
+
+  test('verifies an org by showing external meeting agent winning over internal agent', async () => {
+    const org = await createOrgAndAgent('Sales Bot', 'external_meeting');
+    const internal = await createAgent(org.orgId, 'Recruiting Bot', 'internal');
+
+    const response = await api
+      .post('/v1/onboarding/verify')
+      .set('Cookie', getWorkspaceCookie(org.orgId))
+      .send({ agent_a_id: org.agentId, agent_b_id: internal.agentId })
+      .expect(200);
+
+    expect(response.body).toMatchObject({
+      resource_key: expect.stringMatching(/^verify-/),
+      winner: {
+        agent_id: org.agentId,
+        agent_name: 'Sales Bot',
+        agent_type: 'external_meeting',
+        outcome: 'claimed',
+      },
+      loser: {
+        agent_id: internal.agentId,
+        agent_name: 'Recruiting Bot',
+        agent_type: 'internal',
+        claim_id: null,
+        outcome: 'blocked',
+      },
+      rule_applied: 'agent_type',
+    });
+    expect(response.body.rule_explanation).toContain("external_meeting");
+    expect(response.body.verified_at).toEqual(expect.any(String));
+
+    const stored = await pool.query('SELECT verified_at FROM orgs WHERE id = $1', [org.orgId]);
+    expect(stored.rows[0].verified_at.toISOString()).toBe(response.body.verified_at);
+  });
+
+  test('verification can run again with a new resource key while preserving original verified_at', async () => {
+    const org = await createOrgAndAgent('Sales Bot 2', 'external_meeting');
+    const internal = await createAgent(org.orgId, 'Recruiting Bot 2', 'internal');
+
+    const first = await api
+      .post('/v1/onboarding/verify')
+      .set('Cookie', getWorkspaceCookie(org.orgId))
+      .send({ agent_a_id: org.agentId, agent_b_id: internal.agentId })
+      .expect(200);
+
+    const second = await api
+      .post('/v1/onboarding/verify')
+      .set('Cookie', getWorkspaceCookie(org.orgId))
+      .send({ agent_a_id: org.agentId, agent_b_id: internal.agentId })
+      .expect(200);
+
+    expect(second.body.resource_key).not.toBe(first.body.resource_key);
+    expect(second.body.verified_at).toBe(first.body.verified_at);
+  });
+
+  test('returns insufficient_agents when org has only one agent', async () => {
+    const org = await createOrgAndAgent('Solo Bot', 'generic');
+
+    const response = await api
+      .post('/v1/onboarding/verify')
+      .set('Cookie', getWorkspaceCookie(org.orgId))
+      .send({})
+      .expect(422);
+
+    expect(response.body).toMatchObject({
+      error: 'insufficient_agents',
+      message: 'Create at least 2 agents to run verification',
+    });
+  });
+
+  test('returns tie warning when agents tie on type and priority', async () => {
+    const org = await createOrgAndAgent('Generic A', 'generic', 0);
+    const genericB = await createAgent(org.orgId, 'Generic B', 'generic', 0);
+
+    const response = await api
+      .post('/v1/onboarding/verify')
+      .set('Cookie', getWorkspaceCookie(org.orgId))
+      .send({ agent_a_id: org.agentId, agent_b_id: genericB.agentId })
+      .expect(200);
+
+    expect(response.body).toMatchObject({
+      rule_applied: 'first_created',
+      tie_warning: expect.stringContaining('Both agents tied on priority'),
+      winner: { agent_id: org.agentId },
+      loser: { agent_id: genericB.agentId },
+    });
+  });
+
+  test('cleanup removes verification resource and keeps work events', async () => {
+    const org = await createOrgAndAgent('Sales Bot 3', 'external_meeting');
+    const internal = await createAgent(org.orgId, 'Recruiting Bot 3', 'internal');
+
+    const response = await api
+      .post('/v1/onboarding/verify')
+      .set('Cookie', getWorkspaceCookie(org.orgId))
+      .send({ agent_a_id: org.agentId, agent_b_id: internal.agentId })
+      .expect(200);
+
+    const resource = await pool.query(
+      `SELECT COUNT(*)::int AS count
+       FROM work_resources
+       WHERE org_id = $1
+         AND resource_key = $2`,
+      [org.orgId, response.body.resource_key],
+    );
+    expect(resource.rows[0].count).toBe(0);
+
+    const activeClaims = await pool.query(
+      `SELECT COUNT(*)::int AS count
+       FROM work_claims
+       WHERE org_id = $1
+         AND metadata->>'resource_key' = $2`,
+      [org.orgId, response.body.resource_key],
+    );
+    expect(activeClaims.rows[0].count).toBe(0);
+
+    const events = await pool.query(
+      `SELECT event_type, metadata
+       FROM work_claim_events
+       WHERE org_id = $1
+         AND metadata->>'source' = 'onboarding_verification'
+         AND metadata->>'resource_key' = $2
+       ORDER BY created_at ASC`,
+      [org.orgId, response.body.resource_key],
+    );
+    expect(events.rows.map((row) => row.event_type).sort()).toEqual(['blocked', 'created', 'released']);
+  });
+
+  test('rejects selected agents outside the workspace', async () => {
+    const org = await createOrgAndAgent('Local Bot', 'external_meeting');
+    const otherOrg = await createOrgAndAgent('Foreign Bot', 'internal');
+
+    const response = await api
+      .post('/v1/onboarding/verify')
+      .set('Cookie', getWorkspaceCookie(org.orgId))
+      .send({ agent_a_id: org.agentId, agent_b_id: otherOrg.agentId })
+      .expect(403);
+
+    expect(response.body).toMatchObject({ error: 'forbidden' });
+  });
+});

package/tests/integration/preferences.route.test.ts

@@ -0,0 +1,53 @@
+import { afterAll, beforeAll, describe, expect, test } from '@jest/globals';
+import {
+  api,
+  closeDatabase,
+  createOrgAndAgent,
+  migrateTestDatabase,
+  resetDatabase,
+} from './helpers';
+
+describe('preferences routes', () => {
+  let agentId: string;
+  let apiKey: string;
+
+  beforeAll(async () => {
+    await migrateTestDatabase();
+    await resetDatabase();
+    const created = await createOrgAndAgent();
+    agentId = created.agentId;
+    apiKey = created.apiKey;
+  });
+
+  afterAll(async () => {
+    await resetDatabase();
+    await closeDatabase();
+  });
+
+  test('GET /v1/preferences returns defaults', async () => {
+    const response = await api
+      .get(`/v1/preferences/${agentId}`)
+      .set('Authorization', `Bearer ${apiKey}`)
+      .expect(200);
+
+    expect(response.body.preferences.buffer_minutes_after).toBe(15);
+  });
+
+  test('PUT /v1/preferences updates buffer_minutes_after', async () => {
+    const response = await api
+      .put(`/v1/preferences/${agentId}`)
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ buffer_minutes_after: 30 })
+      .expect(200);
+
+    expect(response.body.preferences.buffer_minutes_after).toBe(30);
+  });
+
+  test('PUT /v1/preferences with invalid weekday returns 422', async () => {
+    await api
+      .put(`/v1/preferences/${agentId}`)
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ focus_blocks: [{ weekday: 7, start_time: '09:00', end_time: '10:00' }] })
+      .expect(422);
+  });
+});

package/tests/integration/session.route.test.ts

@@ -0,0 +1,97 @@
+import { afterAll, beforeAll, describe, expect, test } from '@jest/globals';
+import { api, closeDatabase, migrateTestDatabase, resetDatabase } from './helpers';
+
+describe('session routes', () => {
+  beforeAll(async () => {
+    await migrateTestDatabase();
+    await resetDatabase();
+  });
+
+  afterAll(async () => {
+    await resetDatabase();
+    await closeDatabase();
+  });
+
+  test('signup creates a workspace session and GET /v1/session restores workspace context', async () => {
+    const response = await api
+      .post('/v1/auth/signup')
+      .send({
+        workspace_name: 'Session Org',
+        email: 'session@example.com',
+        password: 'password123',
+        agent: { name: 'Session Bot', agent_type: 'generic' },
+      })
+      .expect(201);
+    const cookie = response.headers['set-cookie'];
+
+    const session = await api
+      .get('/v1/session')
+      .set('Cookie', cookie)
+      .expect(200);
+
+    expect(session.body.org.id).toBe(response.body.org.id);
+    expect(session.body.user.email).toBe('session@example.com');
+    expect(session.body.user.password_hash).toBeUndefined();
+    expect(response.body.api_key).toBeTruthy();
+  });
+
+  test('login and logout manage workspace sessions', async () => {
+    const signup = await api
+      .post('/v1/auth/signup')
+      .send({
+        workspace_name: 'Login Org',
+        email: 'login@example.com',
+        password: 'password123',
+        agent: { name: 'Login Bot', agent_type: 'generic' },
+      })
+      .expect(201);
+
+    const login = await api
+      .post('/v1/auth/login')
+      .send({ email: 'login@example.com', password: 'password123' })
+      .expect(200);
+
+    await api.get('/v1/session').set('Cookie', login.headers['set-cookie']).expect(200);
+    await api.post('/v1/auth/logout').set('Cookie', signup.headers['set-cookie']).expect(200);
+  });
+
+  test('GET /v1/session rejects missing auth', async () => {
+    await api.get('/v1/session').expect(401);
+  });
+
+  test('agent management requires a workspace session', async () => {
+    const signup = await api
+      .post('/v1/auth/signup')
+      .send({
+        workspace_name: 'Agents Org',
+        email: 'agents@example.com',
+        password: 'password123',
+        agent: { name: 'First Agent', agent_type: 'generic' },
+      })
+      .expect(201);
+
+    const orgId = signup.body.org.id;
+    const apiKey = signup.body.api_key;
+
+    await api.get(`/v1/orgs/${orgId}/agents`).expect(401);
+    await api
+      .post(`/v1/orgs/${orgId}/agents`)
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ name: 'Blocked Agent', agent_type: 'generic' })
+      .expect(401);
+
+    const created = await api
+      .post(`/v1/orgs/${orgId}/agents`)
+      .set('Cookie', signup.headers['set-cookie'])
+      .send({ name: 'Second Agent', agent_type: 'generic' })
+      .expect(201);
+
+    const agents = await api
+      .get(`/v1/orgs/${orgId}/agents`)
+      .set('Cookie', signup.headers['set-cookie'])
+      .expect(200);
+
+    expect(created.body.api_key).toBeTruthy();
+    expect(agents.body.agents).toHaveLength(2);
+  });
+});

package/tests/integration/system.route.test.ts

@@ -0,0 +1,92 @@
+import { afterAll, afterEach, beforeEach, describe, expect, test } from '@jest/globals';
+import pool from '../../src/db/client';
+import {
+  api,
+  closeDatabase,
+  createOrgAndAgent,
+  getWorkspaceCookie,
+  migrateTestDatabase,
+  resetDatabase,
+} from './helpers';
+
+async function ownerEmail(orgId: string): Promise<string> {
+  const result = await pool.query(
+    `SELECT email
+     FROM workspace_users
+     WHERE org_id = $1
+     ORDER BY created_at ASC
+     LIMIT 1`,
+    [orgId],
+  );
+  return result.rows[0].email;
+}
+
+describe('system diagnostics routes', () => {
+  const previousAdminEmails = process.env.ADMIN_EMAILS;
+
+  beforeEach(async () => {
+    await migrateTestDatabase();
+    await resetDatabase();
+    process.env.ADMIN_EMAILS = '';
+  });
+
+  afterEach(() => {
+    process.env.ADMIN_EMAILS = previousAdminEmails;
+  });
+
+  afterAll(async () => {
+    await resetDatabase();
+    await closeDatabase();
+  });
+
+  test('health returns public database and migration status', async () => {
+    const response = await api.get('/health').expect((res) => {
+      expect([200, 503]).toContain(res.status);
+    });
+
+    expect(response.headers['x-request-id']).toEqual(expect.any(String));
+    expect(response.body).toMatchObject({
+      db: 'connected',
+      version: expect.any(String),
+      migrations: {
+        total: expect.any(Number),
+        applied: expect.any(Number),
+        failed: expect.any(Number),
+      },
+    });
+  });
+
+  test('admin system requires admin session and redacts env values', async () => {
+    const { orgId } = await createOrgAndAgent('System Admin', 'generic', 0);
+
+    await api.get('/v1/admin/system').expect(401);
+    await api.get('/v1/admin/system').set('Cookie', getWorkspaceCookie(orgId)).expect(403);
+
+    process.env.ADMIN_EMAILS = await ownerEmail(orgId);
+    process.env.STRIPE_SECRET_KEY = 'sk_test_should_not_leak';
+    const response = await api
+      .get('/v1/admin/system')
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+
+    expect(response.body).toMatchObject({
+      app: {
+        version: expect.any(String),
+        node_version: expect.any(String),
+      },
+      database: { connected: true },
+      env: {
+        required: expect.any(Array),
+        missing: expect.any(Array),
+      },
+      stripe: {
+        configured: true,
+      },
+      migrations: {
+        total: expect.any(Number),
+        applied: expect.any(Number),
+      },
+    });
+    expect(JSON.stringify(response.body)).not.toContain('sk_test_should_not_leak');
+  });
+});

package/tests/integration/value.route.test.ts

@@ -0,0 +1,235 @@
+import { afterAll, beforeAll, beforeEach, describe, expect, test } from '@jest/globals';
+import {
+  api,
+  closeDatabase,
+  createAgent,
+  createOrgAndAgent,
+  getWorkspaceCookie,
+  migrateTestDatabase,
+  resetDatabase,
+} from './helpers';
+import pool from '../../src/db/client';
+
+describe('value health route', () => {
+  beforeAll(async () => {
+    await migrateTestDatabase();
+  });
+
+  beforeEach(async () => {
+    await resetDatabase();
+  });
+
+  afterAll(async () => {
+    await resetDatabase();
+    await closeDatabase();
+  });
+
+  test('excludes setup and verification traffic from real activity and value metrics', async () => {
+    const workspace = await createOrgAndAgent('Setup Only Agent', 'generic');
+    await pool.query('UPDATE orgs SET verified_at = NOW() WHERE id = $1', [workspace.orgId]);
+
+    await pool.query(
+      `INSERT INTO agent_activity_events (org_id, agent_id, activity_type, status, metadata)
+       VALUES
+         ($1, $2, 'setup_test_work_claim', 'success', '{"source":"setup_test"}'),
+         ($1, $2, 'verification_run', 'success', '{"source":"onboarding_verification"}'),
+         ($1, $2, 'connection_test', 'success', '{}')`,
+      [workspace.orgId, workspace.agentId],
+    );
+    await pool.query(
+      `INSERT INTO work_claim_events (event_type, agent_id, org_id, metadata)
+       VALUES ('blocked', $1, $2, '{"source":"setup_test"}')`,
+      [workspace.agentId, workspace.orgId],
+    );
+
+    const response = await api
+      .get('/v1/value/health')
+      .set('Cookie', getWorkspaceCookie(workspace.orgId))
+      .expect(200);
+
+    expect(response.body.summary).toMatchObject({
+      conflicts_prevented_7d: 0,
+      blocked_work_runs_7d: 0,
+      calendar_conflicts_7d: 0,
+      api_calls_7d: 0,
+      errors_7d: 0,
+      latest_real_activity_at: null,
+    });
+    expect(response.body.agent_health[0]).toMatchObject({
+      agent_id: workspace.agentId,
+      status: 'never_connected',
+    });
+    expect(response.body.next_best_action).toBe('connect_first_agent');
+  });
+
+  test('counts real blocked work runs, calendar conflicts, and recent API activity', async () => {
+    const workspace = await createOrgAndAgent('Real Agent', 'external_meeting');
+    await pool.query('UPDATE orgs SET verified_at = NOW() WHERE id = $1', [workspace.orgId]);
+
+    await pool.query(
+      `INSERT INTO agent_activity_events (org_id, agent_id, activity_type, status, metadata)
+       VALUES ($1, $2, 'work_check', 'success', '{}')`,
+      [workspace.orgId, workspace.agentId],
+    );
+    await pool.query(
+      `INSERT INTO work_claim_events (event_type, agent_id, org_id, metadata)
+       VALUES ('blocked', $1, $2, '{}')`,
+      [workspace.agentId, workspace.orgId],
+    );
+    const hold = await pool.query<{ id: string }>(
+      `INSERT INTO holds (agent_id, org_id, start_at, end_at, status)
+       VALUES ($1, $2, NOW() + INTERVAL '1 day', NOW() + INTERVAL '1 day 30 minutes', 'confirmed')
+       RETURNING id`,
+      [workspace.agentId, workspace.orgId],
+    );
+    await pool.query(
+      `INSERT INTO hold_events (hold_id, event_type, agent_id, org_id, metadata)
+       VALUES ($1, 'conflict_won', $2, $3, '{}')`,
+      [hold.rows[0].id, workspace.agentId, workspace.orgId],
+    );
+
+    const response = await api
+      .get('/v1/value/health')
+      .set('Cookie', getWorkspaceCookie(workspace.orgId))
+      .expect(200);
+
+    expect(response.body.summary).toMatchObject({
+      conflicts_prevented_7d: 2,
+      blocked_work_runs_7d: 1,
+      would_have_blocked_runs_7d: 0,
+      calendar_conflicts_7d: 1,
+      api_calls_7d: 1,
+      errors_7d: 0,
+    });
+    expect(response.body.summary.latest_real_activity_at).toEqual(expect.any(String));
+    expect(response.body.agent_health[0]).toMatchObject({
+      agent_id: workspace.agentId,
+      status: 'healthy',
+      mcp_status: 'offline',
+    });
+    expect(response.body.next_best_action).toBe('none');
+  });
+
+  test('counts shadow blocked runs separately from prevented conflicts', async () => {
+    const workspace = await createOrgAndAgent('Shadow Agent', 'generic');
+    await pool.query('UPDATE orgs SET verified_at = NOW() WHERE id = $1', [workspace.orgId]);
+
+    await pool.query(
+      `INSERT INTO agent_activity_events (org_id, agent_id, activity_type, status, metadata)
+       VALUES ($1, $2, 'automation_shadow_blocked', 'success', '{"source":"shadow_mode"}')`,
+      [workspace.orgId, workspace.agentId],
+    );
+    await pool.query(
+      `INSERT INTO work_claim_events (event_type, agent_id, org_id, metadata)
+       VALUES ('shadow_blocked', $1, $2, '{"source":"shadow_mode"}')`,
+      [workspace.agentId, workspace.orgId],
+    );
+
+    const response = await api
+      .get('/v1/value/health')
+      .set('Cookie', getWorkspaceCookie(workspace.orgId))
+      .expect(200);
+
+    expect(response.body.summary).toMatchObject({
+      conflicts_prevented_7d: 0,
+      blocked_work_runs_7d: 0,
+      would_have_blocked_runs_7d: 1,
+      api_calls_7d: 1,
+    });
+    expect(response.body.agent_health[0]).toMatchObject({
+      agent_id: workspace.agentId,
+      status: 'healthy',
+    });
+  });
+
+  test('classifies quiet, error, and never connected agents', async () => {
+    const workspace = await createOrgAndAgent('Quiet Agent', 'generic');
+    const errorAgent = await createAgent(workspace.orgId, 'Error Agent', 'generic');
+    const neverAgent = await createAgent(workspace.orgId, 'Never Agent', 'generic');
+    await pool.query('UPDATE orgs SET verified_at = NOW() WHERE id = $1', [workspace.orgId]);
+
+    await pool.query(
+      `INSERT INTO agent_activity_events (org_id, agent_id, activity_type, status, created_at, metadata)
+       VALUES
+         ($1, $2, 'work_check', 'success', NOW() - INTERVAL '4 days', '{}'),
+         ($1, $3, 'work_claim', 'error', NOW() - INTERVAL '1 hour', '{}')`,
+      [workspace.orgId, workspace.agentId, errorAgent.agentId],
+    );
+
+    const response = await api
+      .get('/v1/value/health')
+      .set('Cookie', getWorkspaceCookie(workspace.orgId))
+      .expect(200);
+
+    const byId = new Map(response.body.agent_health.map((agent: { agent_id: string; status: string }) => [agent.agent_id, agent.status]));
+    expect(byId.get(workspace.agentId)).toBe('quiet');
+    expect(byId.get(errorAgent.agentId)).toBe('error');
+    expect(byId.get(neverAgent.agentId)).toBe('never_connected');
+    expect(response.body.next_best_action).toBe('review_errors');
+  });
+
+  test('uses agent last_seen_at for SDK and REST connectivity without requiring MCP heartbeat', async () => {
+    const workspace = await createOrgAndAgent('SDK Agent', 'generic');
+    await pool.query('UPDATE orgs SET verified_at = NOW() WHERE id = $1', [workspace.orgId]);
+    await pool.query('UPDATE agents SET last_seen_at = NOW() WHERE id = $1', [workspace.agentId]);
+
+    const response = await api
+      .get('/v1/value/health')
+      .set('Cookie', getWorkspaceCookie(workspace.orgId))
+      .expect(200);
+
+    expect(response.body.agent_health[0]).toMatchObject({
+      agent_id: workspace.agentId,
+      status: 'healthy',
+      last_seen_at: expect.any(String),
+      last_activity_at: null,
+      mcp_status: 'offline',
+    });
+  });
+
+  test('classifies stale last_seen_at as quiet when no newer activity exists', async () => {
+    const workspace = await createOrgAndAgent('Old SDK Agent', 'generic');
+    await pool.query('UPDATE orgs SET verified_at = NOW() WHERE id = $1', [workspace.orgId]);
+    await pool.query("UPDATE agents SET last_seen_at = NOW() - INTERVAL '4 days' WHERE id = $1", [workspace.agentId]);
+
+    const response = await api
+      .get('/v1/value/health')
+      .set('Cookie', getWorkspaceCookie(workspace.orgId))
+      .expect(200);
+
+    expect(response.body.agent_health[0]).toMatchObject({
+      agent_id: workspace.agentId,
+      status: 'quiet',
+      mcp_status: 'offline',
+    });
+  });
+
+  test('returns check_inactive_agents when workspace only has stale activity', async () => {
+    const workspace = await createOrgAndAgent('Stale Agent', 'generic');
+    await pool.query('UPDATE orgs SET verified_at = NOW() WHERE id = $1', [workspace.orgId]);
+    await pool.query(
+      `INSERT INTO agent_activity_events (org_id, agent_id, activity_type, status, created_at, metadata)
+       VALUES ($1, $2, 'work_check', 'success', NOW() - INTERVAL '4 days', '{}')`,
+      [workspace.orgId, workspace.agentId],
+    );
+
+    const response = await api
+      .get('/v1/value/health')
+      .set('Cookie', getWorkspaceCookie(workspace.orgId))
+      .expect(200);
+
+    expect(response.body.agent_health[0].status).toBe('quiet');
+    expect(response.body.next_best_action).toBe('check_inactive_agents');
+  });
+
+  test('prioritizes onboarding verification before other next actions', async () => {
+    const workspace = await createOrgAndAgent('Unverified Agent', 'generic');
+
+    const response = await api
+      .get('/v1/value/health')
+      .set('Cookie', getWorkspaceCookie(workspace.orgId))
+      .expect(200);
+
+    expect(response.body.next_best_action).toBe('run_verification');
+  });
+});