availsync 0.1.0

package/tests/integration/work.route.test.ts

@@ -0,0 +1,745 @@
+import { afterAll, beforeEach, describe, expect, test } from '@jest/globals';
+import pool from '../../src/db/client';
+import {
+  api,
+  closeDatabase,
+  createAgent,
+  createOrgAndAgent,
+  getWorkspaceCookie,
+  migrateTestDatabase,
+  resetDatabase,
+} from './helpers';
+
+describe('work coordination routes', () => {
+  beforeEach(async () => {
+    await migrateTestDatabase();
+    await resetDatabase();
+  });
+
+  afterAll(async () => {
+    await resetDatabase();
+    await closeDatabase();
+  });
+
+  test('work/check returns available without mutating claims', async () => {
+    const { agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+
+    const response = await api
+      .post('/v1/work/check')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        agent_id: agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+        duration_minutes: 45,
+      })
+      .expect(200);
+
+    expect(response.body.status).toBe('available');
+    expect(response.body.resource.resource_key).toBe('owner/repo');
+
+    const claims = await pool.query('SELECT * FROM work_claims');
+    expect(claims.rowCount).toBe(0);
+  });
+
+  test('work/claim blocks lower priority agent on same resource', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 10);
+    const second = await createAgent(orgId, 'Codex B', 'generic', 0);
+
+    await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        agent_id: agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+        duration_minutes: 45,
+      })
+      .expect(201);
+
+    const blocked = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .send({
+        agent_id: second.agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+        duration_minutes: 45,
+      })
+      .expect(409);
+
+    expect(blocked.body.error).toBe('work_claim_blocked');
+
+    const events = await pool.query(
+      `SELECT activity_type, status
+       FROM agent_activity_events
+       WHERE org_id = $1
+       ORDER BY created_at DESC`,
+      [orgId],
+    );
+    expect(events.rows).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({ activity_type: 'work_claim', status: 'success' }),
+        expect.objectContaining({ activity_type: 'work_blocked', status: 'error' }),
+      ]),
+    );
+  });
+
+  test('work/claim is idempotent for active claims', async () => {
+    const { agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const payload = {
+      agent_id: agentId,
+      resource_type: 'repo',
+      resource_key: 'owner/repo',
+      duration_minutes: 45,
+    };
+
+    const first = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .set('Idempotency-Key', 'claim-owner-repo-once')
+      .send(payload)
+      .expect(201);
+
+    const second = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .set('Idempotency-Key', 'claim-owner-repo-once')
+      .send(payload)
+      .expect(200);
+
+    expect(second.body.idempotent_replay).toBe(true);
+    expect(second.body.claim.id).toBe(first.body.claim.id);
+
+    const claims = await pool.query('SELECT COUNT(*)::int AS count FROM work_claims');
+    expect(claims.rows[0].count).toBe(1);
+  });
+
+  test('work/run/start creates an automation claim and records activity', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex Automation', 'generic', 0);
+
+    const response = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .set('Idempotency-Key', 'automation-owner-repo-once')
+      .send({
+        agent_id: agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+        duration_minutes: 45,
+        reason: 'Hourly Codex automation',
+        client_name: 'openclaw',
+      })
+      .expect(200);
+
+    expect(response.body.action).toBe('proceed');
+    expect(response.body.claim.id).toBeTruthy();
+    expect(response.body.resource.resource_key).toBe('owner/repo');
+    expect(response.body.extend_url).toBe('/v1/work/run/extend');
+    expect(response.body.finish_url).toBe('/v1/work/run/finish');
+
+    const claim = await pool.query('SELECT metadata, idempotency_key FROM work_claims WHERE id = $1', [
+      response.body.claim.id,
+    ]);
+    expect(claim.rows[0].idempotency_key).toBe('automation-owner-repo-once');
+    expect(claim.rows[0].metadata.source).toBe('automation_guardrail');
+
+    const activity = await pool.query(
+      `SELECT activity_type, status, client_name, metadata
+       FROM agent_activity_events
+       WHERE org_id = $1
+       ORDER BY created_at DESC
+       LIMIT 1`,
+      [orgId],
+    );
+    expect(activity.rows[0]).toMatchObject({ activity_type: 'automation_start', status: 'success', client_name: 'openclaw' });
+    expect(JSON.stringify(activity.rows[0].metadata)).not.toContain(apiKey);
+  });
+
+  test('work/run/start is idempotent and Idempotency-Key header wins over body key', async () => {
+    const { agentId, apiKey } = await createOrgAndAgent('Codex Automation', 'generic', 0);
+    const payload = {
+      agent_id: agentId,
+      resource_type: 'repo',
+      resource_key: 'owner/repo',
+      duration_minutes: 45,
+      reason: 'Hourly Codex automation',
+      idempotency_key: 'body-key-that-should-not-win',
+    };
+
+    const first = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .set('Idempotency-Key', 'header-key-wins')
+      .send(payload)
+      .expect(200);
+
+    const second = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .set('Idempotency-Key', 'header-key-wins')
+      .send(payload)
+      .expect(200);
+
+    expect(second.body.action).toBe('proceed');
+    expect(second.body.idempotent_replay).toBe(true);
+    expect(second.body.claim.id).toBe(first.body.claim.id);
+
+    const claims = await pool.query('SELECT COUNT(*)::int AS count, MAX(idempotency_key) AS key FROM work_claims');
+    expect(claims.rows[0].count).toBe(1);
+    expect(claims.rows[0].key).toBe('header-key-wins');
+  });
+
+  test('work/run/start returns skip_run without creating a claim when blocked', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 10);
+    const second = await createAgent(orgId, 'Codex B', 'generic', 0);
+
+    await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        agent_id: agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+        duration_minutes: 45,
+      })
+      .expect(200);
+
+    const blocked = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .send({
+        agent_id: second.agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+        duration_minutes: 45,
+      })
+      .expect(200);
+
+    expect(blocked.body.action).toBe('skip_run');
+    expect(blocked.body.claim).toBeNull();
+    expect(blocked.body.blocking_claim.id).toBeTruthy();
+
+    const claims = await pool.query('SELECT COUNT(*)::int AS count FROM work_claims WHERE status = $1', ['active']);
+    expect(claims.rows[0].count).toBe(1);
+
+    const activity = await pool.query(
+      `SELECT activity_type, status
+       FROM agent_activity_events
+       WHERE org_id = $1
+       ORDER BY created_at DESC`,
+      [orgId],
+    );
+    expect(activity.rows).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({ activity_type: 'automation_start', status: 'success' }),
+        expect.objectContaining({ activity_type: 'automation_skip', status: 'success' }),
+      ]),
+    );
+  });
+
+  test('new agents default to enforce and workspace can switch an agent to observe', async () => {
+    const { orgId, agentId } = await createOrgAndAgent('Codex Observe', 'generic', 0);
+
+    const listed = await api
+      .get(`/v1/orgs/${orgId}/agents`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+
+    expect(listed.body.agents[0]).toMatchObject({
+      id: agentId,
+      enforcement_mode: 'enforce',
+    });
+
+    const updated = await api
+      .put(`/v1/orgs/${orgId}/agents/${agentId}`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .send({
+        name: 'Codex Observe',
+        agent_type: 'generic',
+        priority: 0,
+        enforcement_mode: 'observe',
+      })
+      .expect(200);
+
+    expect(updated.body.agent.enforcement_mode).toBe('observe');
+  });
+
+  test('agent key cannot change enforcement mode', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex Observe', 'generic', 0);
+
+    await api
+      .put(`/v1/orgs/${orgId}/agents/${agentId}`)
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        name: 'Codex Observe',
+        agent_type: 'generic',
+        priority: 0,
+        enforcement_mode: 'observe',
+      })
+      .expect(401);
+  });
+
+  test('observe mode proceeds when blocked without creating a claim and records shadow events', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 10);
+    const second = await createAgent(orgId, 'Codex B', 'generic', 0);
+
+    await api
+      .put(`/v1/orgs/${orgId}/agents/${second.agentId}`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .send({
+        name: 'Codex B',
+        agent_type: 'generic',
+        priority: 0,
+        enforcement_mode: 'observe',
+      })
+      .expect(200);
+
+    const first = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        agent_id: agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+        duration_minutes: 45,
+      })
+      .expect(200);
+
+    const observed = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .send({
+        agent_id: second.agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+        duration_minutes: 45,
+        client_name: 'openclaw',
+      })
+      .expect(200);
+
+    expect(observed.body).toMatchObject({
+      action: 'proceed',
+      claim: null,
+      shadow_mode: true,
+      would_have_blocked: true,
+      shadow_decision: {
+        action: 'skip_run',
+        rule_applied: expect.any(String),
+      },
+    });
+    expect(observed.body.shadow_decision.blocking_claim.id).toBe(first.body.claim.id);
+
+    const claims = await pool.query('SELECT id, agent_id, status FROM work_claims WHERE status = $1', ['active']);
+    expect(claims.rows).toHaveLength(1);
+    expect(claims.rows[0].agent_id).toBe(agentId);
+
+    const workEvents = await pool.query(
+      `SELECT event_type, agent_id, metadata
+       FROM work_claim_events
+       WHERE org_id = $1
+       ORDER BY created_at ASC`,
+      [orgId],
+    );
+    expect(workEvents.rows).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({ event_type: 'created', agent_id: agentId }),
+        expect.objectContaining({ event_type: 'shadow_blocked', agent_id: second.agentId }),
+      ]),
+    );
+    expect(workEvents.rows.find((event) => event.event_type === 'shadow_blocked')?.metadata.source).toBe('shadow_mode');
+
+    const activity = await pool.query(
+      `SELECT activity_type, status, client_name, metadata
+       FROM agent_activity_events
+       WHERE org_id = $1
+       ORDER BY created_at ASC`,
+      [orgId],
+    );
+    expect(activity.rows).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({ activity_type: 'automation_start', status: 'success' }),
+        expect.objectContaining({
+          activity_type: 'automation_shadow_blocked',
+          status: 'success',
+          client_name: 'openclaw',
+        }),
+      ]),
+    );
+  });
+
+  test('observe mode proceeds when available without creating a claim', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex Observe', 'generic', 0);
+
+    await api
+      .put(`/v1/orgs/${orgId}/agents/${agentId}`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .send({
+        name: 'Codex Observe',
+        agent_type: 'generic',
+        priority: 0,
+        enforcement_mode: 'observe',
+      })
+      .expect(200);
+
+    const observed = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        agent_id: agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/available-repo',
+      })
+      .expect(200);
+
+    expect(observed.body).toMatchObject({
+      action: 'proceed',
+      claim: null,
+      shadow_mode: true,
+      would_have_blocked: false,
+      shadow_decision: null,
+    });
+
+    const claims = await pool.query('SELECT COUNT(*)::int AS count FROM work_claims');
+    expect(claims.rows[0].count).toBe(0);
+
+    const events = await pool.query('SELECT event_type, metadata FROM work_claim_events WHERE org_id = $1', [orgId]);
+    expect(events.rows).toEqual([
+      expect.objectContaining({ event_type: 'shadow_allowed' }),
+    ]);
+  });
+
+  test('work/run/start allows higher priority automation to supersede lower priority claim', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const second = await createAgent(orgId, 'Codex B', 'generic', 20);
+
+    const first = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo' })
+      .expect(200);
+
+    const winner = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .send({ agent_id: second.agentId, resource_type: 'repo', resource_key: 'owner/repo' })
+      .expect(200);
+
+    expect(winner.body.action).toBe('proceed');
+    expect(winner.body.superseded_claim_ids).toContain(first.body.claim.id);
+
+    const superseded = await pool.query('SELECT status FROM work_claims WHERE id = $1', [
+      first.body.claim.id,
+    ]);
+    expect(superseded.rows[0].status).toBe('superseded');
+  });
+
+  test('work/run/extend extends and work/run/finish releases idempotently', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex Automation', 'generic', 0);
+    const started = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo', duration_minutes: 10 })
+      .expect(200);
+
+    const extended = await api
+      .post('/v1/work/run/extend')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ claim_id: started.body.claim.id, duration_minutes: 45 })
+      .expect(200);
+
+    expect(extended.body.action).toBe('extended');
+    expect(extended.body.claim.renewal_count).toBe(1);
+
+    const finished = await api
+      .post('/v1/work/run/finish')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ claim_id: started.body.claim.id, outcome: 'success' })
+      .expect(200);
+
+    expect(finished.body.action).toBe('finished');
+
+    const repeated = await api
+      .post('/v1/work/run/finish')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ claim_id: started.body.claim.id, outcome: 'success' })
+      .expect(200);
+
+    expect(repeated.body.action).toBe('already_finished');
+
+    const activity = await pool.query(
+      `SELECT activity_type
+       FROM agent_activity_events
+       WHERE org_id = $1
+       ORDER BY created_at ASC`,
+      [orgId],
+    );
+    expect(activity.rows).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({ activity_type: 'automation_start' }),
+        expect.objectContaining({ activity_type: 'automation_extend' }),
+        expect.objectContaining({ activity_type: 'automation_finish' }),
+      ]),
+    );
+  });
+
+  test('agent key cannot use work/run endpoints for another agent claim', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const second = await createAgent(orgId, 'Codex B', 'generic', 0);
+
+    await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: second.agentId, resource_type: 'repo', resource_key: 'owner/repo' })
+      .expect(403);
+
+    const started = await api
+      .post('/v1/work/run/start')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo' })
+      .expect(200);
+
+    await api
+      .post('/v1/work/run/extend')
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .send({ claim_id: started.body.claim.id, duration_minutes: 45 })
+      .expect(404);
+
+    await api
+      .post('/v1/work/run/finish')
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .send({ claim_id: started.body.claim.id })
+      .expect(404);
+  });
+
+  test('reusing idempotency key after release returns 409', async () => {
+    const { agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const created = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .set('Idempotency-Key', 'released-key')
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo' })
+      .expect(201);
+
+    await api
+      .delete(`/v1/work/claims/${created.body.claim.id}`)
+      .set('Authorization', `Bearer ${apiKey}`)
+      .expect(200);
+
+    await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .set('Idempotency-Key', 'released-key')
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo' })
+      .expect(409);
+  });
+
+  test('agent can extend own work claim and workspace can extend org claim', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const created = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo', duration_minutes: 10 })
+      .expect(201);
+
+    const agentExtend = await api
+      .post(`/v1/work/claims/${created.body.claim.id}/extend`)
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ duration_minutes: 45 })
+      .expect(200);
+
+    expect(agentExtend.body.claim.renewal_count).toBe(1);
+    expect(agentExtend.body.claim.expires_at).toBeTruthy();
+
+    const workspaceExtend = await api
+      .post(`/v1/work/claims/${created.body.claim.id}/extend`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .send({ duration_minutes: 45 })
+      .expect(200);
+
+    expect(workspaceExtend.body.claim.renewal_count).toBe(2);
+  });
+
+  test('agent key cannot extend another agent claim', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const second = await createAgent(orgId, 'Codex B', 'generic', 0);
+    const created = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo' })
+      .expect(201);
+
+    await api
+      .post(`/v1/work/claims/${created.body.claim.id}/extend`)
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .send({ duration_minutes: 45 })
+      .expect(404);
+  });
+
+  test('higher priority agent supersedes lower priority claim', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const second = await createAgent(orgId, 'Codex B', 'generic', 20);
+
+    const first = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        agent_id: agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+      })
+      .expect(201);
+
+    const winner = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .send({
+        agent_id: second.agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+      })
+      .expect(201);
+
+    expect(winner.body.superseded_claim_ids).toContain(first.body.claim.id);
+
+    const superseded = await pool.query('SELECT status FROM work_claims WHERE id = $1', [
+      first.body.claim.id,
+    ]);
+    expect(superseded.rows[0].status).toBe('superseded');
+  });
+
+  test('agent key cannot claim or release another agent work slot', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const second = await createAgent(orgId, 'Codex B', 'generic', 0);
+
+    await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        agent_id: second.agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+      })
+      .expect(403);
+
+    const created = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({
+        agent_id: agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+      })
+      .expect(201);
+
+    await api
+      .delete(`/v1/work/claims/${created.body.claim.id}`)
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .expect(404);
+  });
+
+  test('workspace can list all claims and agent key lists only own claims', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const second = await createAgent(orgId, 'Codex B', 'generic', 0);
+    await pool.query("UPDATE orgs SET plan = 'team', agent_limit = 9999 WHERE id = $1", [orgId]);
+
+    await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo-a' })
+      .expect(201);
+
+    await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .send({ agent_id: second.agentId, resource_type: 'repo', resource_key: 'owner/repo-b' })
+      .expect(201);
+
+    const workspace = await api
+      .get('/v1/work/claims')
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+    expect(workspace.body.claims).toHaveLength(2);
+
+    const agent = await api
+      .get('/v1/work/claims')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .expect(200);
+    expect(agent.body.claims).toHaveLength(1);
+    expect(agent.body.claims[0].agent_id).toBe(agentId);
+  });
+
+  test('expired claim does not block a new claim', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const second = await createAgent(orgId, 'Codex B', 'generic', 0);
+
+    const resource = await pool.query(
+      `INSERT INTO work_resources (org_id, resource_type, resource_key, label)
+       VALUES ($1, 'repo', 'owner/repo', 'owner/repo')
+       RETURNING id`,
+      [orgId],
+    );
+    await pool.query(
+      `INSERT INTO work_claims (
+         org_id,
+         agent_id,
+         resource_id,
+         start_at,
+         end_at,
+         expires_at,
+         last_renewed_at,
+         status
+       )
+       VALUES (
+         $1,
+         $2,
+         $3,
+         NOW() - INTERVAL '2 hours',
+         NOW() - INTERVAL '1 hour',
+         NOW() - INTERVAL '1 hour',
+         NOW() - INTERVAL '2 hours',
+         'active'
+       )`,
+      [orgId, agentId, resource.rows[0].id],
+    );
+
+    await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${second.apiKey}`)
+      .send({
+        agent_id: second.agentId,
+        resource_type: 'repo',
+        resource_key: 'owner/repo',
+      })
+      .expect(201);
+  });
+
+  test('release writes work event with workspace actor metadata', async () => {
+    const { orgId, agentId, apiKey } = await createOrgAndAgent('Codex A', 'generic', 0);
+    const created = await api
+      .post('/v1/work/claim')
+      .set('Authorization', `Bearer ${apiKey}`)
+      .send({ agent_id: agentId, resource_type: 'repo', resource_key: 'owner/repo' })
+      .expect(201);
+
+    await api
+      .delete(`/v1/work/claims/${created.body.claim.id}`)
+      .set('Cookie', getWorkspaceCookie(orgId))
+      .expect(200);
+
+    const events = await pool.query(
+      `SELECT event_type, actor_type, actor_label
+       FROM work_claim_events
+       WHERE claim_id = $1
+       ORDER BY created_at DESC`,
+      [created.body.claim.id],
+    );
+
+    expect(events.rows).toEqual(
+      expect.arrayContaining([
+        expect.objectContaining({ event_type: 'released', actor_type: 'workspace' }),
+      ]),
+    );
+    expect(events.rows.find((event) => event.event_type === 'released')?.actor_label).toContain('@');
+  });
+});