create-workframe 0.1.0

package/workframe-api/tests/test_agent_profile_sync.py

@@ -0,0 +1,76 @@
+import tempfile
+import unittest
+from pathlib import Path
+from unittest.mock import patch
+
+import server
+from db_setup import ensure_workframe_schemas
+
+
+class AgentProfileSyncTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self._old_data_dir = server.DATA_DIR
+        self._old_auth_db_path = server.AUTH_DB_PATH
+        server.DATA_DIR = Path(self._tmp.name)
+        server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
+        ensure_workframe_schemas()
+        conn = server._workframe_db()
+        try:
+            now = "1"
+            conn.execute(
+                """
+                INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at)
+                VALUES (?, ?, ?, ?, ?, ?, ?)
+                """,
+                ("ws-1", "default", "Default", "user-1", "active", now, now),
+            )
+            conn.execute(
+                """
+                INSERT INTO agent_profiles (
+                    id, workspace_id, slug, display_name, status, created_at, updated_at
+                ) VALUES (?, ?, ?, ?, ?, ?, ?)
+                """,
+                ("agent-1", "ws-1", "workframe-agent", "Workframe Agent", "available", now, now),
+            )
+            conn.commit()
+        finally:
+            conn.close()
+
+    def tearDown(self) -> None:
+        server.DATA_DIR = self._old_data_dir
+        server.AUTH_DB_PATH = self._old_auth_db_path
+
+    def test_sync_agent_profile_db_writes_avatar_url(self) -> None:
+        avatar = "data:image/png;base64,abc"
+        server._sync_agent_profile_db("workframe-agent", {"avatar_url": avatar, "display_name": "WF"})
+        conn = server._workframe_db()
+        try:
+            row = conn.execute(
+                "SELECT display_name, avatar_url FROM agent_profiles WHERE slug = ?",
+                ("workframe-agent",),
+            ).fetchone()
+        finally:
+            conn.close()
+        self.assertIsNotNone(row)
+        self.assertEqual(row["display_name"], "WF")
+        self.assertEqual(row["avatar_url"], avatar)
+
+    @patch.object(server, "route_status_for_profile", return_value="available")
+    @patch.object(server, "_gateway_platform", return_value="local")
+    def test_crew_data_reads_registry_by_full_profile_slug(self, *_mocks) -> None:
+        registry = {
+            "workframe-agent": {
+                "profile": "workframe-agent",
+                "avatar_url": "data:image/png;base64,crew",
+            },
+        }
+        with patch.object(server, "load_agent_registry", return_value=registry):
+            crew = server.crew_data(["workframe-agent"], "workframe-agent", {"ok": True, "state": "running"})
+        self.assertEqual(len(crew), 1)
+        self.assertEqual(crew[0]["avatar_url"], "data:image/png;base64,crew")
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_auth_email.py

@@ -0,0 +1,222 @@
+"""Auth email / OTP start behavior."""
+
+from __future__ import annotations
+
+import os
+import sqlite3
+import tempfile
+import unittest
+import json
+from pathlib import Path
+from unittest import mock
+
+import zk_auth as zk
+
+
+class AuthEmailStartTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmpdir = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmpdir.cleanup)
+        os.environ["WORKFRAME_API_DATA_DIR"] = self._tmpdir.name
+
+    @mock.patch("email_sender.send_verification_email")
+    def test_dev_unsafe_returns_otp_when_smtp_missing(self, send_email: mock.MagicMock) -> None:
+        send_email.side_effect = RuntimeError("SMTP_HOST not configured")
+
+        result = zk.start_email_verification("user@example.com", dev_local_unsafe=True)
+
+        self.assertFalse(result["email_sent"])
+        self.assertIn("SMTP_HOST", result.get("email_error", ""))
+        self.assertEqual(len(result["otp_code"]), 6)
+        self.assertTrue(result["otp_code"].isdigit())
+
+    @mock.patch("email_sender.send_verification_email")
+    def test_secure_mode_does_not_return_otp_when_smtp_missing(self, send_email: mock.MagicMock) -> None:
+        send_email.side_effect = RuntimeError("SMTP_HOST not configured")
+
+        result = zk.start_email_verification("user@example.com", dev_local_unsafe=False)
+
+        self.assertFalse(result["email_sent"])
+        self.assertNotIn("otp_code", result)
+
+    @mock.patch("email_sender.send_verification_email")
+    def test_email_sent_does_not_return_otp_even_in_dev(self, send_email: mock.MagicMock) -> None:
+        send_email.return_value = None
+
+        result = zk.start_email_verification("user@example.com", dev_local_unsafe=True)
+
+        self.assertTrue(result["email_sent"])
+        self.assertNotIn("otp_code", result)
+
+    @mock.patch("email_sender.send_verification_email")
+    def test_expose_otp_returns_code_when_email_sent(self, send_email: mock.MagicMock) -> None:
+        send_email.return_value = None
+
+        result = zk.start_email_verification("user@example.com", expose_otp=True)
+
+        self.assertTrue(result["email_sent"])
+        self.assertEqual(len(result["otp_code"]), 6)
+
+
+class StackConfigTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmpdir = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmpdir.cleanup)
+        os.environ["WORKFRAME_API_DATA_DIR"] = self._tmpdir.name
+        import importlib
+
+        import stack_config as sc
+
+        self.sc = importlib.reload(sc)
+
+    def test_patch_and_resolve_smtp(self) -> None:
+        self.sc.patch_stack_config(
+            {
+                "deployment_mode": "trusted_team",
+                "smtp": {
+                    "provider": "gmail",
+                    "host": "smtp.gmail.com",
+                    "port": 587,
+                    "user": "ops@example.com",
+                    "password": "secret",
+                    "from": "ops@example.com",
+                },
+            }
+        )
+        cfg = self.sc.get_stack_config()
+        self.assertEqual(cfg["deployment_mode"], "trusted_team")
+        self.assertTrue(self.sc.smtp_configured())
+        resolved = self.sc.resolved_smtp()
+        self.assertEqual(resolved["host"], "smtp.gmail.com")
+        self.assertEqual(resolved["user"], "ops@example.com")
+
+    def test_env_overrides_stack_file(self) -> None:
+        self.sc.patch_stack_config({"smtp": {"host": "smtp.file.test", "user": "a", "password": "b"}})
+        os.environ["SMTP_HOST"] = "smtp.env.test"
+        os.environ["SMTP_USER"] = "env-user"
+        resolved = self.sc.resolved_smtp()
+        self.assertEqual(resolved["source"], "env")
+        self.assertEqual(resolved["host"], "smtp.env.test")
+        os.environ.pop("SMTP_HOST", None)
+        os.environ.pop("SMTP_USER", None)
+
+
+class OtpLockoutTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmpdir = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmpdir.cleanup)
+        os.environ["WORKFRAME_API_DATA_DIR"] = self._tmpdir.name
+
+    @mock.patch("email_sender.send_verification_email", return_value=None)
+    def test_lockout_before_correct_code_after_max_wrong(self, _send: mock.MagicMock) -> None:
+        started = zk.start_email_verification(
+            "lock@example.com", dev_local_unsafe=True, expose_otp=True,
+        )
+        good = started["otp_code"]
+        for wrong in ("000000", "111111", "222222", "333333", "444444"):
+            with self.assertRaises(ValueError) as ctx:
+                zk.verify_email_code("lock@example.com", wrong)
+            self.assertEqual(str(ctx.exception), "Invalid or expired verification code.")
+        with self.assertRaises(ValueError) as ctx:
+            zk.verify_email_code("lock@example.com", good)
+        self.assertEqual(str(ctx.exception), "Invalid or expired verification code.")
+
+
+class InstallWindowTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmpdir = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmpdir.cleanup)
+        os.environ["WORKFRAME_API_DATA_DIR"] = self._tmpdir.name
+        import importlib
+
+        import stack_config as sc
+        import install_api as ia
+
+        self.sc = importlib.reload(sc)
+        self.ia = importlib.reload(ia)
+        self.db_path = str(Path(self._tmpdir.name) / "workframe.db")
+
+    def test_window_open_until_install_complete_even_with_users(self) -> None:
+        Path(self.db_path).write_text("", encoding="utf-8")
+        conn = sqlite3.connect(self.db_path)
+        conn.execute(
+            "CREATE TABLE users (id TEXT PRIMARY KEY, email TEXT, display_name TEXT, role TEXT, status TEXT, created_at TEXT, updated_at TEXT)"
+        )
+        conn.execute(
+            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            ("u1", "a@b.com", "A", "owner", "active", "1", "1"),
+        )
+        conn.commit()
+        conn.close()
+        self.assertTrue(self.ia.install_window_open(self.db_path))
+        self.sc.patch_stack_config({"install_complete": True})
+        self.assertFalse(self.ia.install_window_open(self.db_path))
+
+
+class SmtpSecureNormalizeTests(unittest.TestCase):
+    def test_port_465_uses_ssl_even_when_starttls(self) -> None:
+        import stack_config as sc
+
+        self.assertEqual(sc.normalize_smtp_secure(465, "starttls"), "ssl")
+        self.assertEqual(sc.normalize_smtp_secure(465, "true"), "ssl")
+        self.assertEqual(sc.normalize_smtp_secure(587, "true"), "ssl")
+        self.assertEqual(sc.normalize_smtp_secure(587, "starttls"), "starttls")
+        self.assertEqual(sc.normalize_smtp_secure(587, ""), "starttls")
+
+
+class ResolvedSmtpTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmpdir = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmpdir.cleanup)
+        os.environ["WORKFRAME_API_DATA_DIR"] = self._tmpdir.name
+        import importlib
+
+        import stack_config as sc
+
+        self.sc = importlib.reload(sc)
+
+    def test_stack_password_not_redacted_from_public_get(self) -> None:
+        cfg_path = Path(self._tmpdir.name) / "stack_config.json"
+        cfg_path.write_text(
+            json.dumps(
+                {
+                    "smtp": {
+                        "host": "smtp.test",
+                        "user": "login@test.com",
+                        "password": "secret-pass",
+                        "from": "alias@test.com",
+                        "port": 465,
+                        "secure": "ssl",
+                    }
+                }
+            ),
+            encoding="utf-8",
+        )
+        public = self.sc.get_stack_config()["smtp"]
+        self.assertTrue(public["has_password"])
+        self.assertNotIn("password", public)
+        resolved = self.sc.resolved_smtp()
+        self.assertEqual(resolved["password"], "secret-pass")
+        self.assertEqual(resolved["from"], "alias@test.com")
+        self.assertEqual(resolved["user"], "login@test.com")
+
+    def test_env_pass_falls_back_to_stack_password(self) -> None:
+        cfg_path = Path(self._tmpdir.name) / "stack_config.json"
+        cfg_path.write_text(
+            json.dumps({"smtp": {"password": "stack-secret"}}),
+            encoding="utf-8",
+        )
+        os.environ["SMTP_HOST"] = "smtp.env.test"
+        os.environ["SMTP_USER"] = "env-user@test.com"
+        os.environ["EMAIL_FROM"] = "alias@test.com"
+        self.addCleanup(os.environ.pop, "SMTP_HOST", None)
+        self.addCleanup(os.environ.pop, "SMTP_USER", None)
+        self.addCleanup(os.environ.pop, "EMAIL_FROM", None)
+        resolved = self.sc.resolved_smtp()
+        self.assertEqual(resolved["password"], "stack-secret")
+        self.assertEqual(resolved["from"], "alias@test.com")
+        self.assertEqual(resolved["user"], "env-user@test.com")
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_auth_hole_fix_selfcheck.py

@@ -0,0 +1,99 @@
+"""Runnable self-check for the four signup-hole fixes (no pytest fixtures)."""
+
+from __future__ import annotations
+
+import os
+import tempfile
+import time
+import unittest
+from pathlib import Path
+from unittest import mock
+
+import stack_config
+from db_setup import ensure_workframe_schemas
+
+
+class AuthHoleFixSelfCheck(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self._env = dict(os.environ)
+        self.addCleanup(lambda: os.environ.clear() or os.environ.update(self._env))
+
+        import server
+
+        self.server = server
+        self._old_data = server.DATA_DIR
+        self._old_auth = server.AUTH_DB_PATH
+        self._old_mode = server.DEPLOYMENT_MODE
+        server.DATA_DIR = Path(self._tmp.name) / "data"
+        server.DATA_DIR.mkdir(parents=True, exist_ok=True)
+        server.AUTH_DB_PATH = server.DATA_DIR / "auth.db"
+        stack_config.DATA_DIR = server.DATA_DIR
+        stack_config.CONFIG_PATH = server.DATA_DIR / "stack_config.json"
+        server.DEV_LOCAL_UNSAFE = False
+        ensure_workframe_schemas()
+        stack_config.patch_stack_config({"install_complete": True, "deployment_mode": "trusted_team"})
+        conn = server._workframe_db()
+        try:
+            now = str(int(time.time()))
+            conn.execute(
+                "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                ("owner-1", "owner@biz.test", "Owner", "owner", "active", now, now),
+            )
+            conn.execute(
+                "INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                ("ws-1", "default", "Acme", "owner-1", "active", now, now),
+            )
+            conn.execute(
+                "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                ("wm-1", "ws-1", "owner-1", "owner", "active", now, now),
+            )
+            conn.commit()
+        finally:
+            conn.close()
+
+    def tearDown(self) -> None:
+        self.server.DATA_DIR = self._old_data
+        self.server.AUTH_DB_PATH = self._old_auth
+        self.server.DEPLOYMENT_MODE = self._old_mode
+
+    def test_env_beats_stale_stack_config(self) -> None:
+        os.environ["WORKFRAME_DEPLOYMENT_MODE"] = "public_multi_user"
+        self.assertEqual(stack_config.resolve_deployment_mode("trusted_team"), "public_multi_user")
+        self.assertEqual(stack_config.effective_deployment_mode("trusted_team"), "public_multi_user")
+        self.assertEqual(self.server._resolve_deployment_mode(), "public_multi_user")
+
+    def test_invite_trust_not_public_post(self) -> None:
+        from http.server import BaseHTTPRequestHandler
+
+        handler = mock.Mock(spec=BaseHTTPRequestHandler)
+        handler.command = "POST"
+        handler.path = "/api/auth/invite-trust"
+        handler.headers = {}
+        with mock.patch.object(self.server, "_session_id_from_request", return_value=""):
+            self.assertFalse(self.server._auth_check(handler))
+
+    def test_trusted_team_stranger_denied_at_auth_start_policy(self) -> None:
+        self.server.DEPLOYMENT_MODE = "trusted_team"
+        with mock.patch.object(self.server, "_install_window_open", return_value=False):
+            self.assertTrue(self.server._invite_only_login_enforced())
+            allowed, meta = self.server._email_allowed_to_authenticate("stranger@evil.test")
+        self.assertFalse(allowed)
+        self.assertEqual(meta.get("error"), "private_workspace")
+
+    def test_install_url_test_get_allowed_without_session_during_install(self) -> None:
+        from http.server import BaseHTTPRequestHandler
+
+        stack_config.patch_stack_config({"install_complete": False})
+        handler = mock.Mock(spec=BaseHTTPRequestHandler)
+        handler.command = "GET"
+        handler.path = "/api/install/url/test?url=https://example.com"
+        handler.headers = {}
+        with mock.patch.object(self.server, "_install_window_open", return_value=True):
+            with mock.patch.object(self.server, "_session_id_from_request", return_value=""):
+                self.assertTrue(self.server._auth_check(handler))
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_auth_rate_limit.py

@@ -0,0 +1,19 @@
+import unittest
+
+import auth_rate_limit
+
+
+class AuthRateLimitTests(unittest.TestCase):
+    def setUp(self) -> None:
+        auth_rate_limit.reset_for_tests()
+
+    def test_blocks_burst_auth_start(self) -> None:
+        ip = "198.51.100.9"
+        email = "user@example.com"
+        for _ in range(5):
+            self.assertTrue(auth_rate_limit.allow_auth_request("start", ip, email))
+        self.assertFalse(auth_rate_limit.allow_auth_request("start", ip, email))
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_avatar_resolve.py

@@ -0,0 +1,77 @@
+import unittest
+
+import server
+
+
+class AvatarResolveTests(unittest.TestCase):
+    def test_avatar_url_for_id_uses_catalog_file(self) -> None:
+        url = server._avatar_url_for_id("ada")
+        self.assertTrue(url.endswith("/ada.png"))
+
+    def test_resolve_avatar_fields_from_id(self) -> None:
+        row = {"avatar_id": "grace"}
+        server._resolve_avatar_fields(row)
+        self.assertIn("avatar_url", row)
+        self.assertTrue(str(row["avatar_url"]).endswith("/grace.png"))
+
+    def test_avatar_id_from_catalog_url(self) -> None:
+        catalog_id = str((server._load_avatar_catalog().get("avatars") or [{}])[0].get("id") or "")
+        self.assertTrue(catalog_id)
+        url = server._avatar_url_for_id(catalog_id)
+        self.assertEqual(server._avatar_id_from_url(url), catalog_id)
+
+    def test_avatar_id_from_custom_url_is_empty(self) -> None:
+        self.assertEqual(server._avatar_id_from_url("/files/uploads/my-face.png"), "")
+
+    def test_explicit_url_survives_resolve_after_reconcile(self) -> None:
+        # Reconciled catalog pick: id matches url, resolver reproduces the chosen url.
+        catalog_id = str((server._load_avatar_catalog().get("avatars") or [{}])[0].get("id") or "")
+        chosen = server._avatar_url_for_id(catalog_id)
+        row = {"avatar_url": chosen, "avatar_id": server._avatar_id_from_url(chosen)}
+        server._resolve_avatar_fields(row)
+        self.assertEqual(row["avatar_url"], chosen)
+
+    def test_custom_url_survives_resolve_when_id_cleared(self) -> None:
+        row = {"avatar_url": "/files/uploads/my-face.png", "avatar_id": ""}
+        server._resolve_avatar_fields(row)
+        self.assertEqual(row["avatar_url"], "/files/uploads/my-face.png")
+
+    def test_avatar_id_from_vite_hashed_url(self) -> None:
+        self.assertEqual(server._avatar_id_from_url("/assets/frida-DAkwYbrd.png"), "frida")
+        self.assertEqual(
+            server._avatar_id_from_url("http://127.0.0.1:18644/assets/steve-CvzbBEg_.png"),
+            "steve",
+        )
+
+    def test_normalize_agent_avatar_patch_stable(self) -> None:
+        out = server._normalize_agent_avatar_patch("/assets/frida-DAkwYbrd.png", "")
+        self.assertEqual(out["avatar_id"], "frida")
+        self.assertTrue(out["avatar_url"].endswith("/frida.png"))
+
+    def test_native_assign_uses_steve(self) -> None:
+        native = str(server.NATIVE_PROFILE or "workframe-agent")
+        picked = server._assign_agent_avatar(native)
+        self.assertEqual(picked["avatar_id"], "steve")
+        self.assertTrue(picked["avatar_url"].endswith("/steve.png"))
+
+    def test_normalize_user_avatar_vite_hash(self) -> None:
+        out = server._normalize_user_avatar_url("/assets/grace-CnKLjc4q.png")
+        self.assertTrue(out.endswith("/grace.png"))
+
+    def test_normalize_logo_vite_hash(self) -> None:
+        out = server._normalize_logo_url("/assets/4-DGVBPxhf.png")
+        self.assertTrue(out.endswith("/4.png"))
+
+    def test_pick_logo_url_from_catalog(self) -> None:
+        url = server._pick_logo_url()
+        self.assertTrue(url.startswith("/assets/project-logos/"))
+        self.assertTrue(url.endswith(".png"))
+
+    def test_pick_user_avatar_url_from_catalog(self) -> None:
+        url = server._pick_user_avatar_url()
+        self.assertTrue(url.startswith("/assets/avatars/"))
+        self.assertTrue(url.endswith(".png"))
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_child_soul_template.py

@@ -0,0 +1,71 @@
+"""Child agent SOUL templates and native overlay seeding."""
+import tempfile
+import unittest
+from pathlib import Path
+from unittest import mock
+
+import server
+
+
+class ChildSoulTemplateTests(unittest.TestCase):
+    def test_format_child_template_expands_native_agent_name(self) -> None:
+        body = server._format_child_template(
+            server._CHILD_SOUL_TEMPLATE,
+            display_name="Elvis",
+            role="Rock legend",
+        )
+        self.assertNotIn("{nativeAgentName}", body)
+        self.assertIn("Workframe Agent", body)
+        self.assertIn("Elvis", body)
+
+    def test_install_child_base_artifacts_no_placeholder_error(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp:
+            root = Path(tmp)
+            prof = "elvis"
+            prof_dir = root / "profiles" / prof
+            prof_dir.mkdir(parents=True)
+            (prof_dir / "SOUL.md").write_text("test", encoding="utf-8")
+            with mock.patch.object(server, "_profile_dir", side_effect=lambda p: root / "profiles" / p), mock.patch.object(
+                server, "PROJECT_NAME", "Workframe"
+            ), mock.patch.object(server, "_is_native_profile", return_value=False):
+                ok = server._install_child_base_artifacts(prof, display_name="Elvis", role="Rock legend")
+            self.assertTrue(ok)
+            agents = (prof_dir / "AGENTS.md").read_text(encoding="utf-8")
+            self.assertNotIn("{nativeAgentName}", agents)
+
+    def test_seed_native_user_overlay_keeps_base_soul(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp:
+            root = Path(tmp)
+            template = root / "profiles" / "workframe-agent"
+            runtime = root / "profiles" / "u-user-workframe-agent"
+            template.mkdir(parents=True)
+            runtime.mkdir(parents=True)
+            (template / "SOUL.md").write_text(
+                "# Workframe Agent\n\nBase native system prompt.\n" + ("operate. " * 20),
+                encoding="utf-8",
+            )
+            (runtime / "SOUL.md").write_text("test", encoding="utf-8")
+            agents = root / "workframe" / "agents.json"
+            agents.parent.mkdir(parents=True)
+            agents.write_text('{"version":1,"agents":{}}', encoding="utf-8")
+            with mock.patch.object(server, "_profile_dir", side_effect=lambda p: root / "profiles" / p), mock.patch.object(
+                server, "AGENTS_JSON", agents
+            ), mock.patch.object(server, "_is_runtime_profile_slug", return_value=True), mock.patch.object(
+                server, "_runtime_template_slug", return_value="workframe-agent"
+            ):
+                server._seed_native_user_overlay(
+                    "u-user-workframe-agent",
+                    "workframe-agent",
+                    display_name="Andy",
+                    user_soul="Always be cheerful.",
+                )
+                base = (runtime / "SOUL.md").read_text(encoding="utf-8")
+                merged = server._profile_soul_text("u-user-workframe-agent")
+            self.assertIn("Base native system prompt", base)
+            self.assertIn("Base native system prompt", merged)
+            self.assertIn("## Additional instructions", merged)
+            self.assertIn("Always be cheerful.", merged)
+
+
+if __name__ == "__main__":
+    unittest.main()