create-workframe 0.1.0 → 0.1.2

package/workframe-api/tests/test_user_cohort.py

@@ -1,113 +0,0 @@
-import tempfile
-import unittest
-from pathlib import Path
-from unittest.mock import patch
-
-import server
-from db_setup import ensure_workframe_schemas
-
-
-class UserCohortTests(unittest.TestCase):
-    def setUp(self) -> None:
-        self._tmp = tempfile.TemporaryDirectory()
-        self.addCleanup(self._tmp.cleanup)
-        self._old_data_dir = server.DATA_DIR
-        self._old_auth_db_path = server.AUTH_DB_PATH
-        self._old_hermes_data = server.HERMES_DATA
-        server.DATA_DIR = Path(self._tmp.name)
-        server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
-        server.HERMES_DATA = Path(self._tmp.name) / "hermes"
-        (server.HERMES_DATA / "profiles").mkdir(parents=True)
-        ensure_workframe_schemas()
-        self.workspace_id = "ws-1"
-        self.user_id = "cb6a2db4-ac86-4c49-8aaa-user"
-        conn = server._workframe_db()
-        try:
-            now = "1"
-            conn.execute(
-                "INSERT INTO users (id, display_name, email, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-                (self.user_id, "Fab", "fab@example.com", "member", "active", now, now),
-            )
-            conn.execute(
-                "INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-                (self.workspace_id, "proj", "Project", self.user_id, "active", now, now),
-            )
-            for slug, name, is_native in (
-                ("workframe-agent", "Workframe Agent", 1),
-                ("architect", "Architect", 0),
-                ("dev", "Dev", 0),
-            ):
-                conn.execute(
-                    """
-                    INSERT INTO agent_profiles (id, workspace_id, slug, display_name, is_native, status, created_at, updated_at)
-                    VALUES (?, ?, ?, ?, ?, 'available', ?, ?)
-                    """,
-                    (f"ap-{slug}", self.workspace_id, slug, name, is_native, now, now),
-                )
-            conn.commit()
-        finally:
-            conn.close()
-
-    def tearDown(self) -> None:
-        server.DATA_DIR = self._old_data_dir
-        server.AUTH_DB_PATH = self._old_auth_db_path
-        server.HERMES_DATA = self._old_hermes_data
-
-    def test_user_handle_from_display_name(self) -> None:
-        self.assertEqual(server._user_handle(self.user_id), "fab")
-
-    def test_cohort_alias(self) -> None:
-        self.assertEqual(server._cohort_alias(self.user_id, "architect"), "fab-architect")
-
-    def test_runtime_display_label_specialist(self) -> None:
-        label = server._runtime_display_label(self.user_id, "architect", self.workspace_id)
-        self.assertEqual(label, "Architect")
-
-    def test_runtime_display_label_concierge(self) -> None:
-        label = server._runtime_display_label(self.user_id, "workframe-agent", self.workspace_id)
-        self.assertEqual(label, "Workframe Agent")
-
-    def test_runtime_display_label_personalized_without_db_name(self) -> None:
-        label = server._runtime_display_label(self.user_id, "research", self.workspace_id)
-        self.assertEqual(label, "Fab's Research")
-
-    def test_resolve_runtime_assignee_slug(self) -> None:
-        with patch.object(server, "ensure_runtime_profile") as ensure:
-            slug = server.resolve_runtime_assignee("architect", self.user_id, self.workspace_id)
-        self.assertTrue(slug.startswith("u-"))
-        self.assertTrue(slug.endswith("-architect"))
-        ensure.assert_called_once()
-
-    @patch.object(server, "ensure_runtime_profile")
-    def test_ensure_user_agent_cohort_writes_manifest(self, _ensure: object) -> None:
-        cohort = server.ensure_user_agent_cohort(self.user_id, self.workspace_id)
-        self.assertEqual(len(cohort), 3)
-        assignees = {row["template_slug"]: row["runtime_slug"] for row in cohort}
-        self.assertTrue(assignees["architect"].startswith("u-"))
-        concierge = assignees["workframe-agent"]
-        manifest = server._profile_dir(concierge) / "WORKFRAME_COHORT.md"
-        self.assertTrue(manifest.is_file())
-        text = manifest.read_text(encoding="utf-8")
-        self.assertIn("Fab's Workframe cohort", text)
-        self.assertIn(assignees["architect"], text)
-        self.assertIn("fab-architect", text)
-        self.assertIn("workspace_kind", text)
-
-    def test_cohort_manifest_markdown_includes_rules(self) -> None:
-        body = server._cohort_manifest_markdown(
-            self.user_id,
-            [
-                {
-                    "role": "Architect",
-                    "display_name": "Fab's Architect",
-                    "runtime_slug": "u-cb6a2db4-architect",
-                    "alias": "fab-architect",
-                }
-            ],
-        )
-        self.assertIn("never bare template names", body)
-        self.assertIn("`scratch`", body)
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-api/tests/test_vault_envelope.py

@@ -1,110 +0,0 @@
-"""Vault envelope encryption (KEK + per-secret DEK)."""
-
-from __future__ import annotations
-
-import json
-import tempfile
-import unittest
-from pathlib import Path
-
-import credential_vault
-import vault_kek
-import zk_auth
-
-
-class VaultEnvelopeTests(unittest.TestCase):
-    def setUp(self) -> None:
-        self._tmp = tempfile.TemporaryDirectory()
-        self.addCleanup(self._tmp.cleanup)
-        self._old_data = credential_vault.DATA_DIR
-        self._old_db = credential_vault.VAULT_DB
-        self._old_kek_file = vault_kek.VAULT_KEK_FILE
-        credential_vault.DATA_DIR = Path(self._tmp.name)
-        credential_vault.VAULT_DB = credential_vault.DATA_DIR / "credential_vault.db"
-        vault_kek.DATA_DIR = credential_vault.DATA_DIR
-        vault_kek.VAULT_KEK_FILE = credential_vault.DATA_DIR / ".vault_kek"
-        vault_kek.clear_kek()
-        credential_vault.ensure_schema()
-
-    def tearDown(self) -> None:
-        vault_kek.clear_kek()
-        credential_vault.DATA_DIR = self._old_data
-        credential_vault.VAULT_DB = self._old_db
-        vault_kek.VAULT_KEK_FILE = self._old_kek_file
-
-    def test_v2_envelope_roundtrip(self) -> None:
-        credential_vault.unseal_for_tests()
-        credential_vault.store_secret("bid-1", "sk-live-secret", provider="openrouter")
-        conn = credential_vault._connect()
-        try:
-            row = conn.execute(
-                "SELECT encrypted_secret FROM credential_secrets WHERE binding_id = ?",
-                ("bid-1",),
-            ).fetchone()
-            blob = str(row["encrypted_secret"])
-            parsed = json.loads(blob)
-            self.assertEqual(parsed["v"], 2)
-            self.assertIn("wrapped_dek", parsed)
-        finally:
-            conn.close()
-        self.assertEqual(credential_vault.read_secret("bid-1"), "sk-live-secret")
-
-    def test_legacy_v1_readable_after_unseal(self) -> None:
-        legacy = json.dumps(zk_auth.encrypt_string("legacy-key", zk_auth.ZK_AUTH_ENCRYPTION_KEY))
-        conn = credential_vault._connect()
-        now = "1"
-        conn.execute(
-            """
-            INSERT INTO credential_secrets (
-                binding_id, encrypted_secret, env_var, provider, scope,
-                user_id, workspace_id, created_at, updated_at
-            ) VALUES (?,?,?,?,?,?,?,?,?)
-            """,
-            ("legacy-1", legacy, "OPENROUTER_API_KEY", "openrouter", "user", "u1", None, now, now),
-        )
-        conn.commit()
-        conn.close()
-        credential_vault.unseal_for_tests()
-        self.assertEqual(credential_vault.read_secret("legacy-1"), "legacy-key")
-        conn = credential_vault._connect()
-        try:
-            row = conn.execute(
-                "SELECT encrypted_secret FROM credential_secrets WHERE binding_id = ?",
-                ("legacy-1",),
-            ).fetchone()
-            self.assertEqual(json.loads(str(row["encrypted_secret"]))["v"], 2)
-        finally:
-            conn.close()
-
-    def test_sealed_vault_blocks_store_without_passphrase_bootstrap(self) -> None:
-        credential_vault.unseal_for_tests()
-        credential_vault.init_vault_passphrase("long-passphrase-1")
-        credential_vault.seal_vault()
-        with self.assertRaises(RuntimeError):
-            credential_vault.store_secret("x", "secret")
-
-    def test_passphrase_unlock_restores_access(self) -> None:
-        credential_vault.unseal_for_tests()
-        credential_vault.store_secret("k1", "before-seal")
-        credential_vault.init_vault_passphrase("another-long-pass")
-        credential_vault.seal_vault()
-        status = credential_vault.unlock_vault("another-long-pass")
-        self.assertFalse(status["sealed"])
-        self.assertEqual(credential_vault.read_secret("k1"), "before-seal")
-
-    def test_wipe_deletes_ciphertext(self) -> None:
-        credential_vault.unseal_for_tests()
-        credential_vault.store_secret("w1", "to-delete")
-        deleted = credential_vault.wipe_all_secrets()
-        self.assertEqual(deleted, 1)
-        self.assertEqual(credential_vault.read_secret("w1"), "")
-
-    def test_bootstrap_generates_kek_file_for_local(self) -> None:
-        vault_kek.clear_kek()
-        status = credential_vault.bootstrap_vault(allow_generate_file=True)
-        self.assertFalse(status["sealed"])
-        self.assertTrue(vault_kek.VAULT_KEK_FILE.is_file())
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-api/tests/test_workspace_members.py

@@ -1,183 +0,0 @@
-from __future__ import annotations
-
-import importlib.util
-from pathlib import Path
-from types import SimpleNamespace
-from typing import Any
-
-import pytest
-
-SERVER_PATH = Path(__file__).resolve().parents[1] / "server.py"
-spec = importlib.util.spec_from_file_location("workframe_server", SERVER_PATH)
-server = importlib.util.module_from_spec(spec)
-assert spec.loader is not None
-spec.loader.exec_module(server)
-
-
-class FakeHandler:
-    def __init__(self, auth_user: str = "u_owner", auth_role: str = "owner") -> None:
-        self.auth_user = auth_user
-        self.auth_role = auth_role
-        self.headers = {}
-        self.client_address = ("127.0.0.1", 12345)
-
-
-@pytest.fixture(autouse=True)
-def isolate_server(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
-    monkeypatch.setattr(server, "DATA_DIR", tmp_path)
-    monkeypatch.setattr(server, "AUTH_DB_PATH", tmp_path / "auth.db")
-    monkeypatch.setattr(server, "SECURE_MODE", False)
-    monkeypatch.setattr(server, "DEV_LOCAL_UNSAFE", True)
-    server._ensure_workframe_db_schema()
-    server._ensure_agent_runs_schema()
-    server._ensure_invites_schema()
-    server._ensure_memory_schema()
-    server._ensure_policies_schema()
-    server._ensure_budgets_grants_schema()
-    server._ensure_user_prefs_schema()
-    server._ensure_runtime_tokens_table()
-    seed_db(tmp_path)
-    yield
-
-
-def seed_db(tmp_path: Path) -> None:
-    conn = server._workframe_db()
-    try:
-        now = "1700000000"
-        conn.execute(
-            "INSERT INTO workspaces (id, slug, display_name, owner_id, created_at, updated_at) VALUES (?,?,?,?,?,?)",
-            ("ws", "default", "Default", "u_owner", now, now),
-        )
-        conn.executemany(
-            "INSERT INTO users (id, email, display_name, avatar_url, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?,?)",
-            [
-                ("u_owner", "owner@example.com", "Owner", None, "owner", "active", now, now),
-                ("u_bob", "bob@example.com", "Bob", None, "member", "active", now, now),
-                ("u_carol", "carol@example.com", "Carol", None, "member", "active", now, now),
-                ("u_outsider", "outsider@example.com", "Outsider", None, "member", "active", now, now),
-            ],
-        )
-        conn.executemany(
-            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, invited_by, created_at, updated_at) VALUES (?,?,?,?,?,?,?,?)",
-            [
-                ("m_owner", "ws", "u_owner", "owner", "active", None, now, now),
-                ("m_bob", "ws", "u_bob", "member", "active", "u_owner", now, now),
-                ("m_carol", "ws", "u_carol", "member", "active", "u_owner", now, now),
-            ],
-        )
-        conn.commit()
-    finally:
-        conn.close()
-
-
-def membership_by_user(payload: dict[str, Any], user_id: str) -> dict[str, Any]:
-    return next(item for item in payload["members"] if item["user_id"] == user_id)
-
-
-def test_list_workspace_members_returns_active_memberships_with_user_fields() -> None:
-    status, payload = server._list_workspace_members("ws", FakeHandler())
-
-    assert status == 200
-    assert payload["ok"] is True
-    assert payload["workspace_id"] == "ws"
-    assert [item["user_id"] for item in payload["members"]] == ["u_bob", "u_carol", "u_owner"]
-    bob = membership_by_user(payload, "u_bob")
-    assert bob["membership_id"] == "m_bob"
-    assert bob["email"] == "bob@example.com"
-    assert bob["display_name"] == "Bob"
-    assert bob["role"] == "member"
-    assert bob["status"] == "active"
-
-
-def test_patch_updates_member_role_and_status() -> None:
-    status, payload = server._patch_workspace_members(
-        "ws",
-        {"user_id": "u_bob", "role": "admin", "status": "active"},
-        FakeHandler(),
-    )
-
-    assert status == 200
-    assert payload["membership"]["user_id"] == "u_bob"
-    assert payload["membership"]["role"] == "admin"
-    assert payload["membership"]["status"] == "active"
-    assert payload["membership"]["updated_at"] != "1700000000"
-
-    _, listed = server._list_workspace_members("ws", FakeHandler())
-    assert membership_by_user(listed, "u_bob")["role"] == "admin"
-
-
-def test_patch_status_removed_soft_deletes_member() -> None:
-    status, payload = server._patch_workspace_members(
-        "ws",
-        {"user_id": "u_carol", "status": "removed"},
-        FakeHandler(),
-    )
-
-    assert status == 200
-    assert payload["membership"]["status"] == "removed"
-
-    _, listed = server._list_workspace_members("ws", FakeHandler())
-    assert "u_carol" not in [item["user_id"] for item in listed["members"]]
-
-
-def test_patch_bulk_updates_memberships() -> None:
-    status, payload = server._patch_workspace_members(
-        "ws",
-        {
-            "memberships": [
-                {"user_id": "u_bob", "role": "admin"},
-                {"user_id": "u_carol", "role": "member"},
-            ],
-        },
-        FakeHandler(),
-    )
-
-    assert status == 200
-    assert [item["user_id"] for item in payload["memberships"]] == ["u_bob", "u_carol"]
-    assert payload["memberships"][0]["role"] == "admin"
-    assert payload["memberships"][1]["role"] == "member"
-
-
-def test_patch_requires_owner_or_admin_when_secure(monkeypatch: pytest.MonkeyPatch) -> None:
-    monkeypatch.setattr(server, "SECURE_MODE", True)
-
-    status, payload = server._patch_workspace_members(
-        "ws",
-        {"user_id": "u_bob", "role": "admin"},
-        FakeHandler(auth_user="u_bob", auth_role="member"),
-    )
-
-    assert status == 403
-    assert payload["error"] == "forbidden"
-
-
-def test_patch_rejects_invalid_role() -> None:
-    status, payload = server._patch_workspace_members(
-        "ws",
-        {"user_id": "u_bob", "role": "superadmin"},
-        FakeHandler(),
-    )
-
-    assert status == 400
-    assert payload["error"] == "invalid_role"
-    assert "superadmin" not in payload["allowed"]
-
-
-def test_patch_prevents_removing_last_owner() -> None:
-    status, payload = server._patch_workspace_members(
-        "ws",
-        {"user_id": "u_owner", "status": "removed"},
-        FakeHandler(),
-    )
-
-    assert status == 409
-    assert payload["error"] == "cannot_remove_last_owner"
-
-
-def test_list_workspace_members_requires_workspace_access_when_secure(monkeypatch: pytest.MonkeyPatch) -> None:
-    monkeypatch.setattr(server, "SECURE_MODE", True)
-
-    status, payload = server._list_workspace_members("ws", FakeHandler(auth_user="u_outsider", auth_role="member"))
-
-    assert status == 403
-    assert payload["error"] == "forbidden"

package/workframe-api/tests/test_workspace_messaging_sync.py

@@ -1,125 +0,0 @@
-"""Workspace messaging: vault store, settings merge, gateway env overlay."""
-
-import json
-import tempfile
-import unittest
-from pathlib import Path
-from unittest.mock import patch
-
-import credential_vault
-import server
-import vault_kek
-from db_setup import ensure_workframe_schemas
-
-
-class WorkspaceMessagingSyncTests(unittest.TestCase):
-    def setUp(self) -> None:
-        self._tmp = tempfile.TemporaryDirectory()
-        self.addCleanup(self._tmp.cleanup)
-        self._old_data_dir = server.DATA_DIR
-        self._old_auth_db_path = server.AUTH_DB_PATH
-        self._old_hermes_data = server.HERMES_DATA
-        self._old_vault_data_dir = credential_vault.DATA_DIR
-        self._old_vault_db = credential_vault.VAULT_DB
-        self._old_kek_data_dir = vault_kek.DATA_DIR
-        self._old_kek_file = vault_kek.VAULT_KEK_FILE
-        server.DATA_DIR = Path(self._tmp.name)
-        server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
-        server.HERMES_DATA = Path(self._tmp.name) / "hermes"
-        profile_dir = server._profile_dir("workframe-agent")
-        profile_dir.mkdir(parents=True, exist_ok=True)
-        credential_vault.DATA_DIR = server.DATA_DIR
-        credential_vault.VAULT_DB = server.DATA_DIR / "credential_vault.db"
-        vault_kek.DATA_DIR = server.DATA_DIR
-        vault_kek.VAULT_KEK_FILE = server.DATA_DIR / ".vault_kek"
-        credential_vault.ensure_schema()
-        credential_vault.unseal_for_tests()
-        ensure_workframe_schemas()
-        self.workspace_id = "ws-msg"
-        self.admin_id = "admin-msg-user"
-        conn = server._workframe_db()
-        try:
-            now = "1"
-            conn.execute(
-                "INSERT INTO workspaces (id, slug, display_name, owner_id, status, settings_json, created_at, updated_at) VALUES (?,?,?,?,?,?,?,?)",
-                (self.workspace_id, "default", "Default", self.admin_id, "active", "{}", now, now),
-            )
-            conn.execute(
-                "INSERT INTO users (id, display_name, platform_ids, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
-                (self.admin_id, "Admin", json.dumps({"discord": "999888777"}), "owner", "active", now, now),
-            )
-            conn.execute(
-                """
-                INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at)
-                VALUES (?, ?, ?, 'owner', 'active', ?, ?)
-                """,
-                ("wm-admin", self.workspace_id, self.admin_id, now, now),
-            )
-            conn.execute(
-                """
-                INSERT INTO agent_profiles (id, workspace_id, slug, display_name, is_native, status, created_at, updated_at)
-                VALUES (?, ?, 'workframe-agent', 'Workframe Agent', 1, 'available', ?, ?)
-                """,
-                ("ap-native", self.workspace_id, now, now),
-            )
-            conn.commit()
-        finally:
-            conn.close()
-
-    def tearDown(self) -> None:
-        server.DATA_DIR = self._old_data_dir
-        server.AUTH_DB_PATH = self._old_auth_db_path
-        server.HERMES_DATA = self._old_hermes_data
-        credential_vault.DATA_DIR = self._old_vault_data_dir
-        credential_vault.VAULT_DB = self._old_vault_db
-        vault_kek.DATA_DIR = self._old_kek_data_dir
-        vault_kek.VAULT_KEK_FILE = self._old_kek_file
-
-    @patch.object(server, "_primary_profile", return_value="workframe-agent")
-    @patch.object(server, "_restart_stack_gateway", return_value={"ok": True})
-    @patch.object(server, "_set_primary_messaging_platforms", return_value=(True, "ok"))
-    def test_store_and_sync_writes_gateway_env(self, _platforms, _restart, _primary) -> None:
-        server._store_workspace_credential(
-            self.workspace_id,
-            "discord",
-            "api_key",
-            "discord-bot-secret",
-            "DISCORD_BOT_TOKEN",
-            "Discord",
-            self.admin_id,
-        )
-        status, payload = server._patch_workspace_integrations(
-            self.workspace_id,
-            {
-                "messaging": {
-                    "discord": {
-                        "home_channel": "chan-123",
-                        "allowed_users": "111",
-                    },
-                },
-            },
-            self.admin_id,
-        )
-        self.assertEqual(status, 200)
-        self.assertTrue(payload.get("ok"))
-        env = server._read_env_map(server._profile_dir("workframe-agent") / ".env")
-        self.assertEqual(env.get("DISCORD_BOT_TOKEN"), "discord-bot-secret")
-        self.assertEqual(env.get("DISCORD_HOME_CHANNEL"), "chan-123")
-        self.assertIn("111", env.get("DISCORD_ALLOWED_USERS", ""))
-        self.assertIn("999888777", env.get("DISCORD_ALLOWED_USERS", ""))
-
-    def test_workspace_store_rejects_user_only_providers(self) -> None:
-        with self.assertRaises(ValueError):
-            server._store_workspace_credential(
-                self.workspace_id,
-                "vercel",
-                "api_key",
-                "pat-secret",
-                "VERCEL_TOKEN",
-                "Vercel",
-                self.admin_id,
-            )
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-api/tests/test_workspace_provider_list.py

@@ -1,57 +0,0 @@
-"""Workspace LLM keys surface in provider list for company-pay onboarding."""
-import os
-import tempfile
-import unittest
-from pathlib import Path
-from unittest import mock
-
-import server
-
-
-class WorkspaceProviderListTests(unittest.TestCase):
-    def setUp(self) -> None:
-        self.tmp = tempfile.TemporaryDirectory()
-        self.addCleanup(self.tmp.cleanup)
-        data = Path(self.tmp.name) / "data"
-        agents = Path(self.tmp.name) / "Agents"
-        profiles = agents / "profiles" / "workframe-agent"
-        profiles.mkdir(parents=True)
-        (profiles / "profile.yaml").write_text("description: test\n", encoding="utf-8")
-        (profiles / ".env").write_text("OPENROUTER_API_KEY=sk-test-workspace\n", encoding="utf-8")
-        self.patches = [
-            mock.patch.object(server, "DATA_DIR", data),
-            mock.patch.object(server, "HERMES_DATA", agents),
-            mock.patch.object(server, "WORKSPACE", Path(self.tmp.name) / "Files"),
-            mock.patch.object(server, "_workframe_db_path", return_value=data / "workframe.db"),
-            mock.patch.dict(os.environ, {"WORKFRAME_PROJECT": "Workframe", "WORKFRAME_NATIVE_PROFILE": "workframe-agent"}, clear=False),
-        ]
-        for patch in self.patches:
-            patch.start()
-            self.addCleanup(patch.stop)
-        server._ensure_workframe_db_schema()
-        server._ensure_default_workspace()
-
-    def test_list_user_providers_shows_workspace_llm_connected(self) -> None:
-        conn = server._workframe_db()
-        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
-        now = server._utc_now()
-        conn.execute(
-            """INSERT INTO credential_bindings
-               (id, workspace_id, user_id, agent_profile_id, provider, credential_type,
-                credential_ref, label, is_active, created_by, created_at, updated_at)
-               VALUES (?,?,?,?,?,?,?,?,?,?,?,?)""",
-            (
-                "cred-ws-1", ws["id"], None, None, "openrouter", "api_key",
-                "env:OPENROUTER_API_KEY", "OpenRouter", 1, "admin", now, now,
-            ),
-        )
-        conn.commit()
-        conn.close()
-        payload = server.list_user_providers("user-no-keys", str(ws["id"]))
-        row = next(p for p in payload["providers"] if p["id"] == "openrouter")
-        self.assertTrue(row["connected"])
-        self.assertEqual(row["source"], "workspace")
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-supervisor/tests/test_exec_guard.py

@@ -1,42 +0,0 @@
-"""Supervisor gateway exec must not expose sibling u-* credential files."""
-
-from __future__ import annotations
-
-import unittest
-from unittest.mock import patch
-
-import server
-
-
-class SupervisorExecGuardTests(unittest.TestCase):
-    def test_blocks_cat_peer_env(self) -> None:
-        cmd = ["sh", "-lc", "cat /opt/data/profiles/u-deadbeef-architect/.env"]
-        with patch.object(server, "DEPLOYMENT_MODE", "trusted_team"):
-            self.assertTrue(server._exec_targets_runtime_profile_secrets(cmd))
-
-    def test_allows_single_user_local(self) -> None:
-        cmd = ["sh", "-lc", "cat /opt/data/profiles/u-deadbeef-architect/.env"]
-        with patch.object(server, "DEPLOYMENT_MODE", "single_user_local"):
-            self.assertFalse(server._exec_targets_runtime_profile_secrets(cmd))
-
-    def test_docker_exec_short_circuits(self) -> None:
-        cmd = ["cat", "/opt/data/profiles/u-abc-architect/auth.json"]
-        with patch.object(server, "DEPLOYMENT_MODE", "public_multi_user"), patch.object(
-            server, "_docker_request"
-        ) as docker_request:
-            code, out = server._docker_exec("workframe-gateway", cmd)
-            docker_request.assert_not_called()
-        self.assertEqual(code, 1)
-        self.assertIn("blocked", out)
-
-    def test_profile_api_health_uses_gateway_container_exec(self) -> None:
-        with patch.object(server, "_docker_exec", return_value=(0, "ok")) as docker_exec:
-            self.assertTrue(server._profile_api_healthy("architect"))
-        docker_exec.assert_called_once()
-        self.assertEqual(docker_exec.call_args[0][0], server.GATEWAY_CONTAINER_NAME)
-        script = docker_exec.call_args[0][1][-1]
-        self.assertIn("127.0.0.1", script)
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-supervisor/tests/test_server_import.py

@@ -1,21 +0,0 @@
-"""Supervisor server must import cleanly (catches missing profile_secret_policy import)."""
-
-from __future__ import annotations
-
-import importlib.util
-import unittest
-from pathlib import Path
-
-
-class SupervisorImportTests(unittest.TestCase):
-    def test_server_module_loads(self) -> None:
-        root = Path(__file__).resolve().parents[1]
-        spec = importlib.util.spec_from_file_location("workframe_supervisor_server", root / "server.py")
-        assert spec and spec.loader
-        mod = importlib.util.module_from_spec(spec)
-        spec.loader.exec_module(mod)
-        self.assertTrue(mod._exec_targets_runtime_profile_secrets(["cat", "profiles/u-x/.env"]))
-
-
-if __name__ == "__main__":
-    unittest.main()

package/workframe-ui/public/assets/architecture-7EHR7CIX-CtbQKTuT.js

@@ -1 +0,0 @@
-import"./chunk-NNHCCRGN-DlpIbxXb.js";import{x as e}from"./mermaid-parser.core-Bkimsnqj.js";export{e as createArchitectureServices};

package/workframe-ui/public/assets/channel-Dy4Z4-jn.js

@@ -1 +0,0 @@
-import{at as e,it as t}from"./chunk-CSCIHK7Q-kuqN8EIY.js";var n=(n,r)=>e.lang.round(t.parse(n)[r]);export{n as t};

package/workframe-ui/public/assets/chunk-QZHKN3VN-CtBEchFK.js

@@ -1 +0,0 @@
-import{h as e}from"./src-B_od6b6h.js";var t=class{constructor(e){this.init=e,this.records=this.init()}static{e(this,`ImperativeState`)}reset(){this.records=this.init()}};export{t};

package/workframe-ui/public/assets/chunk-WU5MYG2G-B9pBtriN.js

@@ -1 +0,0 @@
-import{h as e,p as t}from"./src-B_od6b6h.js";import{x as n}from"./chunk-CSCIHK7Q-kuqN8EIY.js";var r=e(e=>{let{securityLevel:r}=n(),i=t(`body`);return r===`sandbox`&&(i=t((t(`#i${e}`).node()?.contentDocument??document).body)),i.select(`#${e}`)},`selectSvgElement`);export{r as t};

package/workframe-ui/public/assets/classDiagram-4FO5ZUOK-BMAEA8jI.js

@@ -1 +0,0 @@
-import{h as e}from"./src-B_od6b6h.js";import"./chunk-CSCIHK7Q-kuqN8EIY.js";import"./chunk-5ZQYHXKU-DOesfiCI.js";import"./chunk-O5CBEL6O-ClHc56ib.js";import"./chunk-FMBD7UC4-DyPgYHCg.js";import"./chunk-BSJP7CBP-a0cMNFb2.js";import"./chunk-L5ZTLDWV-Dq9NoWmK.js";import"./chunk-ND2GUHAM-DBD2u1Gz.js";import"./chunk-55IACEB6-C-mLFr7z.js";import"./chunk-2J33WTMH-w7uu7R-b.js";import"./chunk-NZK2D7GU-BeIeYFnd.js";import"./chunk-3OPIFGDE-Cb9LtnDX.js";import"./chunk-KSCS5N6A-CdUuvR0V.js";import"./chunk-LZXEDZCA-p74rddlO.js";import{i as t,n,r,t as i}from"./chunk-727SXJPM-BJ3oBZuz.js";var a={parser:n,get db(){return new i},renderer:r,styles:t,init:e(e=>{e.class||={},e.class.arrowMarkerAbsolute=e.arrowMarkerAbsolute},`init`)};export{a as diagram};