create-workframe 0.1.0 → 0.1.2

package/workframe-api/tests/test_onboarding_bootstrap.py

@@ -1,248 +0,0 @@
-"""Auto-bootstrap default workspace on API startup."""
-import json
-import os
-import tempfile
-import unittest
-from pathlib import Path
-from unittest import mock
-
-import server
-
-
-class OnboardingBootstrapTests(unittest.TestCase):
-    def setUp(self) -> None:
-        self.tmp = tempfile.TemporaryDirectory()
-        self.addCleanup(self.tmp.cleanup)
-        data = Path(self.tmp.name) / "data"
-        data.mkdir()
-        self.patches = [
-            mock.patch.object(server, "DATA_DIR", data),
-            mock.patch.object(server, "WORKSPACE", Path(self.tmp.name) / "Files"),
-            mock.patch.object(server, "_workframe_db_path", return_value=data / "workframe.db"),
-            mock.patch.dict(os.environ, {"WORKFRAME_PROJECT": "Workframe", "WORKFRAME_NATIVE_PROFILE": "workframe-agent"}, clear=False),
-        ]
-        for patch in self.patches:
-            patch.start()
-            self.addCleanup(patch.stop)
-        server._ensure_workframe_db_schema()
-
-    def test_ensure_default_workspace_idempotent(self) -> None:
-        server._ensure_default_workspace()
-        server._ensure_default_workspace()
-        conn = server._workframe_db()
-        ws = conn.execute("SELECT slug, display_name FROM workspaces WHERE slug='default'").fetchone()
-        agents = conn.execute("SELECT slug FROM agent_profiles WHERE deleted_at IS NULL ORDER BY slug").fetchall()
-        rooms = conn.execute("SELECT slug FROM rooms WHERE deleted_at IS NULL").fetchall()
-        conn.close()
-        self.assertEqual(ws["slug"], "default")
-        self.assertEqual(ws["display_name"], "Workframe")
-        self.assertEqual([r[0] for r in agents], ["workframe-agent"])
-        room_slugs = [r[0] for r in rooms]
-        self.assertIn("general", room_slugs)
-
-    def test_sync_workspace_home_room_mirrors_branding(self) -> None:
-        server._ensure_default_workspace()
-        conn = server._workframe_db()
-        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
-        ws_id = str(ws["id"])
-        settings = json.dumps({"tagline": "Let's go!"}, sort_keys=True)
-        conn.execute(
-            "UPDATE workspaces SET display_name = ?, settings_json = ?, updated_at = ? WHERE id = ?",
-            ("My Business", settings, "2", ws_id),
-        )
-        server._sync_workspace_home_room(conn, ws_id)
-        conn.commit()
-        room = conn.execute(
-            "SELECT name, topic FROM rooms WHERE workspace_id = ? AND slug = 'general'",
-            (ws_id,),
-        ).fetchone()
-        conn.close()
-        self.assertEqual(room["name"], "My Business")
-        self.assertEqual(room["topic"], "Let's go!")
-        server._ensure_default_workspace()
-        owner = "owner-user-id"
-        conn = server._workframe_db()
-        now = str(int(__import__("time").time()))
-        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
-        conn.execute(
-            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            (owner, "owner@test.com", "Owner", "user", "active", now, now),
-        )
-        conn.execute(
-            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            ("m1", ws["id"], owner, "owner", "active", now, now),
-        )
-        conn.commit()
-        conn.close()
-        with mock.patch.object(server, "_install_complete", return_value=False):
-            payload = server._onboarding_payload(owner)
-        self.assertFalse(payload["complete"])
-        self.assertEqual(payload["step"], "admin_integrations")
-        self.assertEqual(payload["credential_mode"], "byok")
-
-    def test_onboarding_complete_when_install_finished(self) -> None:
-        server._ensure_default_workspace()
-        owner = "owner-install-done"
-        conn = server._workframe_db()
-        now = str(int(__import__("time").time()))
-        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
-        conn.execute(
-            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            (owner, "done@test.com", "Owner", "user", "active", now, now),
-        )
-        conn.execute(
-            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            ("m-done", ws["id"], owner, "owner", "active", now, now),
-        )
-        conn.commit()
-        conn.close()
-        with mock.patch.object(server, "_install_complete", return_value=True), mock.patch.object(
-            server, "_user_has_llm_provider", return_value=True
-        ):
-            payload = server._onboarding_payload(owner)
-        self.assertTrue(payload["complete"])
-        self.assertEqual(payload["step"], "done")
-
-    def test_onboarding_workspace_provider_after_company_mode(self) -> None:
-        server._ensure_default_workspace()
-        owner = "owner-workspace-keys"
-        conn = server._workframe_db()
-        now = str(int(__import__("time").time()))
-        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
-        conn.execute(
-            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            (owner, "owner2@test.com", "Owner", "user", "active", now, now),
-        )
-        conn.execute(
-            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            ("m2", ws["id"], owner, "owner", "active", now, now),
-        )
-        settings = '{"credential_mode":"workspace","admin_integrations_done":true,"admin_onboarding_done":true}'
-        conn.execute(
-            "UPDATE workspaces SET settings_json = ? WHERE id = ?",
-            (settings, ws["id"]),
-        )
-        conn.commit()
-        conn.close()
-        payload = server._onboarding_payload(owner)
-        self.assertFalse(payload["complete"])
-        self.assertEqual(payload["step"], "workspace_provider")
-
-    def test_member_can_mark_integrations_done_during_install(self) -> None:
-        server._ensure_default_workspace()
-        user_id = "installer-member"
-        conn = server._workframe_db()
-        now = str(int(__import__("time").time()))
-        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
-        conn.execute(
-            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            (user_id, "installer@test.com", "Installer", "user", "active", now, now),
-        )
-        conn.execute(
-            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            ("m-install", ws["id"], user_id, "member", "active", now, now),
-        )
-        conn.commit()
-        conn.close()
-        with mock.patch.object(server, "_install_window_open", return_value=True):
-            status, payload = server._patch_workspace_integrations(
-                str(ws["id"]),
-                {"admin_integrations_done": True},
-                user_id,
-            )
-        self.assertEqual(status, 200)
-        self.assertTrue(payload.get("ok"))
-        conn = server._workframe_db()
-        settings = server._parse_workspace_settings(
-            conn.execute("SELECT * FROM workspaces WHERE id = ?", (ws["id"],)).fetchone()
-        )
-        conn.close()
-        self.assertTrue(settings.get("admin_integrations_done"))
-
-    def test_owner_id_repairs_stale_member_role(self) -> None:
-        server._ensure_default_workspace()
-        user_id = "stale-owner"
-        conn = server._workframe_db()
-        now = str(int(__import__("time").time()))
-        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
-        conn.execute(
-            "UPDATE workspaces SET owner_id = ? WHERE id = ?",
-            (user_id, ws["id"]),
-        )
-        conn.execute(
-            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            (user_id, "stale@test.com", "Stale", "user", "active", now, now),
-        )
-        conn.execute(
-            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            ("m-stale", ws["id"], user_id, "member", "active", now, now),
-        )
-        conn.commit()
-        conn.close()
-        status, payload = server._patch_workspace_integrations(
-            str(ws["id"]),
-            {"admin_integrations_done": True},
-            user_id,
-        )
-        self.assertEqual(status, 200)
-        self.assertTrue(payload.get("ok"))
-        conn = server._workframe_db()
-        role = conn.execute(
-            "SELECT role FROM workspace_memberships WHERE workspace_id = ? AND user_id = ?",
-            (ws["id"], user_id),
-        ).fetchone()
-        conn.close()
-        self.assertEqual(role["role"], "owner")
-
-    def test_patch_workspace_tagline_uses_existing_row(self) -> None:
-        server._ensure_default_workspace()
-        owner = "owner-tagline"
-        conn = server._workframe_db()
-        now = str(int(__import__("time").time()))
-        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
-        conn.execute(
-            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            (owner, "tagline@test.com", "Owner", "user", "active", now, now),
-        )
-        conn.execute(
-            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-            ("m-tagline", ws["id"], owner, "owner", "active", now, now),
-        )
-        conn.commit()
-        conn.close()
-        status, payload = server._patch_workspace(
-            str(ws["id"]),
-            {"display_name": "Acme", "tagline": "We ship", "description": "Mission"},
-            owner,
-        )
-        self.assertEqual(status, 200)
-        self.assertTrue(payload.get("ok"))
-        self.assertEqual(payload["workspace"]["tagline"], "We ship")
-        self.assertEqual(payload["workspace"]["display_name"], "Acme")
-        conn = server._workframe_db()
-        raw = conn.execute(
-            "SELECT settings_json FROM workspaces WHERE id = ?",
-            (ws["id"],),
-        ).fetchone()
-        conn.close()
-        settings = __import__("json").loads(raw["settings_json"] or "{}")
-        self.assertEqual(settings.get("tagline"), "We ship")
-
-    def test_files_tree_root_uses_workspace_display_name(self) -> None:
-        server._ensure_default_workspace()
-        conn = server._workframe_db()
-        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
-        conn.execute(
-            "UPDATE workspaces SET display_name = ?, updated_at = ? WHERE id = ?",
-            ("Acme Corp", "3", ws["id"]),
-        )
-        conn.commit()
-        conn.close()
-        with mock.patch.dict(os.environ, {"WORKFRAME_PROJECT": "Shmorkframe"}, clear=False):
-            self.assertEqual(server._files_tree_root_name(), "Acme Corp")
-            tree = server.files_tree()
-        self.assertEqual(tree["name"], "Acme Corp")
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-api/tests/test_platform_auth.py

@@ -1,47 +0,0 @@
-import hashlib
-import hmac
-import unittest
-
-import platform_auth
-import stack_config
-
-
-class PlatformAuthTests(unittest.TestCase):
-    def test_verify_telegram_login_accepts_valid_hash(self) -> None:
-        bot_token = "123456:ABC-DEF"
-        payload = {
-            "id": "424242",
-            "first_name": "Test",
-            "username": "tester",
-            "auth_date": "1700000000",
-        }
-        check_line = "\n".join(f"{k}={payload[k]}" for k in sorted(payload))
-        secret = hashlib.sha256(bot_token.encode("utf-8")).digest()
-        payload["hash"] = hmac.new(secret, check_line.encode("utf-8"), hashlib.sha256).hexdigest()
-
-        old = stack_config._read_raw
-        stack_config._read_raw = lambda: {
-            "telegram_login": {"bot_username": "wfbot", "bot_token": bot_token},
-        }
-        try:
-            result = platform_auth.verify_telegram_login(payload)
-        finally:
-            stack_config._read_raw = old
-
-        self.assertTrue(result.get("ok"))
-        self.assertEqual(result.get("platform_ids", {}).get("telegram"), "424242")
-
-    def test_verify_telegram_login_rejects_bad_hash(self) -> None:
-        old = stack_config._read_raw
-        stack_config._read_raw = lambda: {
-            "telegram_login": {"bot_username": "wfbot", "bot_token": "1:2"},
-        }
-        try:
-            result = platform_auth.verify_telegram_login({"id": "1", "hash": "bad"})
-        finally:
-            stack_config._read_raw = old
-        self.assertFalse(result.get("ok"))
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-api/tests/test_profile_config_path.py

@@ -1,56 +0,0 @@
-"""Hermes:latest profiles use profile.yaml instead of config.yaml."""
-import tempfile
-import unittest
-from pathlib import Path
-from unittest import mock
-
-import server
-
-
-class ProfileConfigPathTests(unittest.TestCase):
-    def setUp(self) -> None:
-        self.tmp = tempfile.TemporaryDirectory()
-        self.addCleanup(self.tmp.cleanup)
-        self.hermes = Path(self.tmp.name) / "Agents"
-        profiles = self.hermes / "profiles" / "workframe-agent"
-        profiles.mkdir(parents=True)
-        (profiles / "profile.yaml").write_text("description: test\n", encoding="utf-8")
-        self.patch = mock.patch.object(server, "HERMES_DATA", self.hermes)
-        self.patch.start()
-        self.addCleanup(self.patch.stop)
-
-    def test_profile_config_path_prefers_either_yaml(self) -> None:
-        path = server._profile_config_path("workframe-agent")
-        self.assertIsNotNone(path)
-        self.assertEqual(path.name, "profile.yaml")
-
-    def test_runtime_profile_on_disk_accepts_profile_yaml(self) -> None:
-        self.assertTrue(server._runtime_profile_on_disk("workframe-agent"))
-
-    def test_inherit_runtime_profile_config_copies_template_yaml(self) -> None:
-        runtime = "u-test-user-workframe-agent"
-        runtime_dir = self.hermes / "profiles" / runtime
-        runtime_dir.mkdir(parents=True)
-        (runtime_dir / ".env").write_text("X=1\n", encoding="utf-8")
-        server._inherit_runtime_profile_config(runtime, "workframe-agent")
-        inherited = runtime_dir / "profile.yaml"
-        self.assertTrue(inherited.is_file())
-        self.assertIn("description:", inherited.read_text(encoding="utf-8"))
-
-    def test_configure_profile_api_writes_config_yaml_on_disk(self) -> None:
-        runtime = "z-test-runtime-agent"
-        runtime_dir = self.hermes / "profiles" / runtime
-        runtime_dir.mkdir(parents=True)
-        (runtime_dir / "config.yaml").write_text("platforms: {}\n", encoding="utf-8")
-        with mock.patch.object(server, "NATIVE_PROFILE", "workframe-agent"):
-            ok, out, port = server._configure_profile_api(runtime)
-        self.assertTrue(ok)
-        self.assertEqual(out, "ok")
-        self.assertGreater(port, 18610)
-        text = (runtime_dir / "config.yaml").read_text(encoding="utf-8")
-        self.assertIn("api_server", text)
-        self.assertIn("enabled: true", text)
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-api/tests/test_profile_config_yaml_repair.py

@@ -1,63 +0,0 @@
-"""Repair invalid scalar model: headers in profile config.yaml."""
-import tempfile
-import unittest
-from pathlib import Path
-from unittest import mock
-
-import server
-import yaml
-
-
-class ProfileConfigYamlRepairTests(unittest.TestCase):
-    def test_fix_invalid_model_header_scalar_empty(self) -> None:
-        raw = "model: ''\n  base_url: http://example/v1\n  provider: custom\n"
-        fixed = server._fix_invalid_model_header(raw)
-        data = yaml.safe_load(fixed)
-        self.assertIsInstance(data.get("model"), dict)
-        self.assertEqual(data["model"]["base_url"], "http://example/v1")
-
-    def test_normalize_writes_repaired_file(self) -> None:
-        with tempfile.TemporaryDirectory() as tmp:
-            prof = "u-test-user-dev"
-            prof_dir = Path(tmp) / "profiles" / prof
-            prof_dir.mkdir(parents=True)
-            cfg = prof_dir / "config.yaml"
-            cfg.write_text(
-                "model: ''\n  base_url: http://workframe-api:8080/internal/llm/openrouter/v1\n"
-                "  provider: custom\n",
-                encoding="utf-8",
-            )
-            with mock.patch.object(server, "_profile_gateway_config_path", return_value=cfg):
-                server._normalize_profile_config_yaml(prof)
-            yaml.safe_load(cfg.read_text(encoding="utf-8"))
-
-    def test_scrub_orphan_top_level_list_lines(self) -> None:
-        with tempfile.TemporaryDirectory() as tmp:
-            prof = "u-test-user-dev"
-            prof_dir = Path(tmp) / "profiles" / prof
-            prof_dir.mkdir(parents=True)
-            cfg = prof_dir / "config.yaml"
-            cfg.write_text(
-                "model:\n  default: openrouter/owl-alpha\n"
-                "- provider: openrouter\n"
-                "model:\n  default: openrouter/nex-agi\n",
-                encoding="utf-8",
-            )
-            with mock.patch.object(server, "_profile_gateway_config_path", return_value=cfg), mock.patch.object(
-                server,
-                "_read_model_block",
-                return_value={
-                    "default": "openrouter/owl-alpha",
-                    "provider": "custom",
-                    "base_url": "",
-                    "fallback_chain": [],
-                },
-            ):
-                server._normalize_profile_config_yaml(prof)
-            text = cfg.read_text(encoding="utf-8")
-            self.assertNotIn("- provider: openrouter\n", text)
-            yaml.safe_load(text)
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-api/tests/test_profile_create.py

@@ -1,72 +0,0 @@
-import unittest
-from unittest.mock import patch
-
-import server
-
-
-class ProfileCreateTest(unittest.TestCase):
-    @patch.object(server, "_gateway_exec", return_value=(0, "created"))
-    @patch.object(server, "_patch_profile_gateway_run_script", return_value=(True, "ok"))
-    @patch.object(server, "_configure_profile_api", return_value=(True, "ok", 19001))
-    @patch.object(server, "_profile_dir")
-    def test_new_profile_uses_slug_not_route_validation(
-        self,
-        profile_dir,
-        configure_api,
-        patch_run,
-        gateway_exec,
-    ) -> None:
-        profile_dir.return_value.exists.return_value = False
-        with patch.object(server, "resolve_validated_profile", return_value="workframe-agent") as resolve, patch.object(
-            server, "_ensure_workspace_agent_profile_row", return_value="agent-id"
-        ), patch.object(server, "_upsert_agent_registry_row"), patch.object(
-            server, "_assign_agent_avatar", return_value={"avatar_id": "a1"}
-        ), patch.object(server, "_strip_forbidden_child_skills", return_value=[]), patch.object(
-            server, "_install_child_base_artifacts", return_value=False
-        ), patch.object(
-            server, "profile_gateway_lifecycle", return_value={"state": "running"}
-        ):
-            result = server.profile_create("architect", description="Systems design")
-            resolve.assert_called()
-        self.assertEqual(result["profile"], "architect")
-        gateway_exec.assert_called_once()
-        prof, cmd = gateway_exec.call_args[0]
-        self.assertEqual(prof, server._primary_profile())
-        self.assertEqual(cmd[:3], ["profile", "create", "--clone-from"])
-        self.assertEqual(cmd[-1], "architect")
-
-    @patch.object(server, "_gateway_exec", return_value=(0, "created"))
-    @patch.object(server, "_patch_profile_gateway_run_script", return_value=(True, "ok"))
-    @patch.object(server, "_configure_profile_api", return_value=(True, "ok", 19001))
-    @patch.object(server, "_profile_dir")
-    @patch.object(server, "bootstrap_agent_dm_lane", return_value={"ok": True, "runtime": "u-user-architect"})
-    def test_new_profile_registers_route_before_bootstrap(
-        self,
-        bootstrap,
-        profile_dir,
-        configure_api,
-        patch_run,
-        gateway_exec,
-    ) -> None:
-        profile_dir.return_value.exists.return_value = False
-        with patch.object(server, "resolve_validated_profile", return_value="workframe-agent"), patch.object(
-            server, "_register_profile_route", return_value=True
-        ) as register, patch.object(
-            server, "_ensure_workspace_agent_profile_row", return_value="agent-id"
-        ), patch.object(server, "_upsert_agent_registry_row"), patch.object(
-            server, "_assign_agent_avatar", return_value={"avatar_id": "a1"}
-        ), patch.object(server, "_strip_forbidden_child_skills", return_value=[]), patch.object(
-            server, "_install_child_base_artifacts", return_value=False
-        ), patch.object(server, "profile_gateway_lifecycle", return_value={"state": "running"}):
-            server.profile_create(
-                "elvis",
-                description="Custom agent",
-                user_id="user-1",
-                workspace_id="ws-1",
-            )
-        register.assert_called_once()
-        bootstrap.assert_called_once()
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-api/tests/test_profile_identity_overlay.py

@@ -1,61 +0,0 @@
-"""User identity overlays concatenate onto base SOUL — never replace it."""
-import tempfile
-import unittest
-from pathlib import Path
-from unittest import mock
-
-import server
-
-
-class ProfileIdentityOverlayTests(unittest.TestCase):
-    def test_user_soul_concatenates_on_base(self) -> None:
-        with tempfile.TemporaryDirectory() as tmp:
-            root = Path(tmp)
-            prof_dir = root / "profiles" / "elvis"
-            prof_dir.mkdir(parents=True)
-            (prof_dir / "SOUL.md").write_text(
-                "# Elvis\n\nBase Workframe child agent.\n" + ("operate hermes. " * 20),
-                encoding="utf-8",
-            )
-            agents = root / "workframe" / "agents.json"
-            agents.parent.mkdir(parents=True)
-            agents.write_text(
-                '{"version":1,"agents":{"elvis":{"profile":"elvis","user_soul":"Always cite sources.","display_name":"Elvis","role":"Rock legend"}}}',
-                encoding="utf-8",
-            )
-            with mock.patch.object(server, "_profile_dir", side_effect=lambda p: root / "profiles" / p), mock.patch.object(
-                server, "AGENTS_JSON", agents
-            ), mock.patch.object(server, "_is_runtime_profile_slug", return_value=False):
-                text = server._profile_soul_text("elvis")
-            self.assertIn("Base Workframe child agent", text)
-            self.assertIn("## User identity", text)
-            self.assertIn("**Name:** Elvis", text)
-            self.assertIn("## Additional instructions", text)
-            self.assertIn("Always cite sources.", text)
-
-    def test_profile_soul_set_stores_child_overlay(self) -> None:
-        with tempfile.TemporaryDirectory() as tmp:
-            root = Path(tmp)
-            prof_dir = root / "profiles" / "dev"
-            prof_dir.mkdir(parents=True)
-            (prof_dir / "SOUL.md").write_text("# Dev\n\n" + ("x" * 80), encoding="utf-8")
-            agents = root / "workframe" / "agents.json"
-            agents.parent.mkdir(parents=True)
-            agents.write_text('{"version":1,"agents":{}}', encoding="utf-8")
-            with mock.patch.object(server, "_profile_dir", side_effect=lambda p: root / "profiles" / p), mock.patch.object(
-                server, "AGENTS_JSON", agents
-            ), mock.patch.object(server, "ROUTES_JSON", root / "workframe" / "routes.json"), mock.patch.object(
-                server, "load_routes",
-                return_value={"routes": [{"profile": "dev"}]},
-            ), mock.patch.object(server, "profile_exists", return_value=True), mock.patch.object(
-                server, "_is_native_profile", return_value=False
-            ), mock.patch.object(server, "_is_runtime_profile_slug", return_value=False):
-                out = server.profile_soul_set("dev", "Ship small diffs.")
-            self.assertEqual(out.get("target"), "user_soul_overlay")
-            data = agents.read_text(encoding="utf-8")
-            self.assertIn("Ship small diffs.", data)
-            self.assertIn("# Dev", (prof_dir / "SOUL.md").read_text(encoding="utf-8"))
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-api/tests/test_profile_install_health.py

@@ -1,45 +0,0 @@
-"""Install-time profile gateway health policy — cold u-* start must not flake finish-setup."""
-import importlib.util
-import inspect
-import unittest
-from pathlib import Path
-
-ROOT = Path(__file__).resolve().parents[2]
-API = ROOT / "workframe-api" / "server.py"
-
-
-def _load_api():
-    spec = importlib.util.spec_from_file_location("workframe_api", API)
-    mod = importlib.util.module_from_spec(spec)
-    assert spec and spec.loader
-    spec.loader.exec_module(mod)
-    return mod
-
-
-class ProfileInstallHealthPolicyTest(unittest.TestCase):
-    def test_wait_default_covers_cold_runtime_start(self) -> None:
-        api = _load_api()
-        sig = inspect.signature(api._wait_profile_api_healthy)
-        self.assertEqual(sig.parameters["attempts"].default, 60)
-        self.assertGreaterEqual(sig.parameters["delay"].default * 60, 30.0)
-
-    def test_profile_health_uses_gateway_dns_not_container_exec(self) -> None:
-        api = _load_api()
-        src = inspect.getsource(api._profile_api_healthy)
-        self.assertIn("http://gateway:", src)
-        self.assertNotIn("_gateway_container_exec", src)
-
-    def test_wait_does_not_short_circuit_primary_without_probe(self) -> None:
-        api = _load_api()
-        src = inspect.getsource(api._wait_profile_api_healthy)
-        self.assertNotIn("_primary_profile() or _profile_api_healthy", src)
-
-    def test_bootstrap_lane_retries_gateway_start(self) -> None:
-        api = _load_api()
-        src = inspect.getsource(api.bootstrap_agent_dm_lane)
-        self.assertIn("for attempt in range(3)", src)
-        self.assertIn("ensure_profile_api(runtime", src)
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-api/tests/test_profile_secret_policy.py

@@ -1,57 +0,0 @@
-import unittest
-
-from profile_secret_policy import (
-    exec_blocked_for_profile,
-    is_secret_read_attempt,
-    touches_foreign_profile_secrets,
-)
-
-
-class ProfileSecretPolicyTests(unittest.TestCase):
-    def test_blocks_direct_secret_paths(self) -> None:
-        self.assertTrue(is_secret_read_attempt(["cat", "profiles/u-alice-dev/.env"]))
-        self.assertTrue(is_secret_read_attempt(["cat", "profiles/u-alice-dev/auth.json"]))
-
-    def test_blocks_wildcard_and_bypass_patterns(self) -> None:
-        self.assertTrue(is_secret_read_attempt("cat profiles/u-alice-dev/*"))
-        self.assertTrue(is_secret_read_attempt("cd profiles/u-x && cat .env"))
-        self.assertTrue(is_secret_read_attempt("cat profiles/u-x/.e''nv"))
-        self.assertTrue(is_secret_read_attempt("find profiles/u-x -exec cat {} +"))
-        self.assertTrue(is_secret_read_attempt("base64 profiles/u-x/.env"))
-        self.assertTrue(is_secret_read_attempt("tar -cf - profiles/u-x"))
-
-    def test_blocks_head_python_and_absolute_paths(self) -> None:
-        self.assertTrue(is_secret_read_attempt("cd /opt/data/profiles/u-bob && head .env"))
-        self.assertTrue(is_secret_read_attempt("cd profiles/u-x && python3 -c \"print(open('.env').read())\""))
-        self.assertTrue(is_secret_read_attempt("grep wf_rt_ /opt/data/profiles/u-bob/.env"))
-
-    def test_foreign_profile_touch_blocked_for_actor(self) -> None:
-        self.assertTrue(
-            touches_foreign_profile_secrets("cd profiles/u-bob && head .env", "u-alice-dev"),
-        )
-        self.assertFalse(
-            touches_foreign_profile_secrets("hermes -p u-alice-dev gateway status", "u-alice-dev"),
-        )
-
-    def test_exec_blocked_for_profile_combines_checks(self) -> None:
-        self.assertTrue(exec_blocked_for_profile("cd profiles/u-bob && head .env", "u-alice-dev"))
-        self.assertFalse(exec_blocked_for_profile(["hermes", "-p", "workframe-agent", "gateway", "status"], "workframe-agent"))
-
-    def test_allows_legitimate_gateway_commands(self) -> None:
-        self.assertFalse(is_secret_read_attempt(["hermes", "-p", "dev", "gateway", "run"]))
-        self.assertFalse(is_secret_read_attempt(["hermes", "-p", "workframe-agent", "gateway", "status"]))
-
-    def test_blocks_shell_variable_indirection(self) -> None:
-        self.assertTrue(is_secret_read_attempt("P=/opt/data/profiles/u-bob; cat $P/.env"))
-        self.assertTrue(is_secret_read_attempt("P=/opt/data/profiles/u-bob; dd if=$P/.env"))
-        self.assertTrue(exec_blocked_for_profile("P=/opt/data/profiles/u-bob; cat $P/.env", "u-alice-dev"))
-
-    def test_known_concat_ceiling_documented(self) -> None:
-        # ponytail: documented ceiling — regex cannot see through python string concat.
-        self.assertFalse(
-            is_secret_read_attempt("python3 -c \"p='/opt/data/pro'+'files/u-bob/.env';print(open(p).read())\"")
-        )
-
-
-if __name__ == "__main__":
-    unittest.main()