create-workframe 0.1.0

package/workframe-api/tests/test_credential_canary.py

@@ -0,0 +1,135 @@
+"""Canary / red-team tests: cross-profile reads, exec guards, public tool gating."""
+
+from __future__ import annotations
+
+import tempfile
+import unittest
+from pathlib import Path
+from unittest.mock import patch
+
+import server
+from db_setup import ensure_workframe_schemas
+
+
+class CredentialCanaryTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self._old_data_dir = server.DATA_DIR
+        self._old_auth_db_path = server.AUTH_DB_PATH
+        self._old_hermes_data = server.HERMES_DATA
+        server.DATA_DIR = Path(self._tmp.name)
+        server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
+        server.HERMES_DATA = Path(self._tmp.name) / "hermes"
+        (server.HERMES_DATA / "profiles").mkdir(parents=True)
+        ensure_workframe_schemas()
+        self.workspace_id = "ws-canary"
+        self.user_a = "cb6a2db4-ac86-4c49-8247-14a1d68aca72"
+        self.user_b = "44fb344c-0954-47b6-a19a-ebbcf20e9680"
+        conn = server._workframe_db()
+        try:
+            now = "1"
+            conn.execute(
+                "INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                (self.workspace_id, "canary", "Canary", self.user_a, "active", now, now),
+            )
+            for uid, name, role in (
+                (self.user_a, "Alice", "owner"),
+                (self.user_b, "Bob", "member"),
+            ):
+                conn.execute(
+                    "INSERT INTO users (id, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?)",
+                    (uid, name, "member", "active", now, now),
+                )
+                conn.execute(
+                    """
+                    INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at)
+                    VALUES (?, ?, ?, ?, 'active', ?, ?)
+                    """,
+                    (f"wm-{uid}", self.workspace_id, uid, role, now, now),
+                )
+            conn.execute(
+                """
+                INSERT INTO agent_profiles (id, workspace_id, slug, display_name, is_native, status, created_at, updated_at)
+                VALUES (?, ?, ?, ?, ?, 'available', ?, ?)
+                """,
+                ("ap-architect", self.workspace_id, "architect", "Architect", 0, now, now),
+            )
+            conn.commit()
+        finally:
+            conn.close()
+        self.runtime_a = server._runtime_profile_slug(self.user_a, "architect")
+        self.runtime_b = server._runtime_profile_slug(self.user_b, "architect")
+
+    def tearDown(self) -> None:
+        server.DATA_DIR = self._old_data_dir
+        server.AUTH_DB_PATH = self._old_auth_db_path
+        server.HERMES_DATA = self._old_hermes_data
+
+    def test_member_cannot_access_peer_runtime_profile_public_mode(self) -> None:
+        with patch.object(server, "DEPLOYMENT_MODE", "public_multi_user"):
+            self.assertFalse(
+                server._user_may_access_runtime_profile(self.user_b, self.runtime_a, self.workspace_id)
+            )
+            self.assertTrue(
+                server._user_may_access_runtime_profile(self.user_a, self.runtime_a, self.workspace_id)
+            )
+
+    def test_owner_can_access_peer_runtime_in_trusted_team(self) -> None:
+        with patch.object(server, "DEPLOYMENT_MODE", "trusted_team"):
+            self.assertTrue(
+                server._user_may_access_runtime_profile(self.user_a, self.runtime_b, self.workspace_id)
+            )
+            self.assertFalse(
+                server._user_may_access_runtime_profile(self.user_b, self.runtime_a, self.workspace_id)
+            )
+
+    def test_gateway_exec_blocks_cross_profile_env_cat(self) -> None:
+        victim_env = f"/opt/data/profiles/{self.runtime_a}/.env"
+        with patch.object(server, "DEPLOYMENT_MODE", "trusted_team"):
+            self.assertTrue(
+                server._exec_targets_runtime_profile_secrets(["sh", "-lc", f"cat {victim_env}"])
+            )
+
+    def test_gateway_exec_denies_foreign_runtime_profile(self) -> None:
+        with patch.object(server, "DEPLOYMENT_MODE", "public_multi_user"), patch.object(
+            server, "resolve_validated_profile", return_value=self.runtime_a
+        ), patch.object(server, "_gateway_exec") as gateway_exec:
+            out = server.hermes_gateway_exec(
+                "/help",
+                self.runtime_a,
+                user_id=self.user_b,
+                workspace_id=self.workspace_id,
+            )
+            gateway_exec.assert_not_called()
+        self.assertFalse(out.get("ok"))
+        self.assertEqual(out.get("error"), "profile_access_denied")
+
+    def test_docker_exec_guard_returns_blocked_without_running(self) -> None:
+        victim_env = f"/opt/data/profiles/{self.runtime_b}/.env"
+        with patch.object(server, "DEPLOYMENT_MODE", "trusted_team"), patch.object(
+            server, "_docker_request"
+        ) as docker_request:
+            code, out = server._docker_exec("workframe-gateway", ["cat", victim_env])
+            docker_request.assert_not_called()
+        self.assertEqual(code, 1)
+        self.assertIn("blocked", out)
+
+    def test_public_mode_toolsets_include_terminal(self) -> None:
+        with patch.object(server, "DEPLOYMENT_MODE", "public_multi_user"):
+            self.assertEqual(server._chat_toolsets_for_profile("architect"), ("hermes-cli", "terminal"))
+
+    def test_public_mode_ensure_toolsets_enables_terminal(self) -> None:
+        prof_dir = server._profile_dir("architect")
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        cfg_path = prof_dir / "config.yaml"
+        cfg_path.write_text("toolsets: []\n", encoding="utf-8")
+        with patch.object(server, "DEPLOYMENT_MODE", "public_multi_user"):
+            server._ensure_profile_toolsets("architect")
+        text = cfg_path.read_text(encoding="utf-8")
+        self.assertIn("hermes-cli", text)
+        self.assertIn("terminal", text)
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_credential_isolation.py

@@ -0,0 +1,448 @@
+"""Red-team oriented tests: credential resolution, cohort assignee boundaries, runtime ownership."""
+
+import os
+import tempfile
+import unittest
+from pathlib import Path
+from unittest.mock import patch
+
+import internal_proxy_auth
+import server
+from db_setup import ensure_workframe_schemas
+import credential_vault
+import turn_credentials
+import vault_kek
+
+
+class CredentialIsolationTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self._old_data_dir = server.DATA_DIR
+        self._old_auth_db_path = server.AUTH_DB_PATH
+        self._old_hermes_data = server.HERMES_DATA
+        server.DATA_DIR = Path(self._tmp.name)
+        server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
+        server.HERMES_DATA = Path(self._tmp.name) / "hermes"
+        (server.HERMES_DATA / "profiles").mkdir(parents=True)
+        (server._profile_dir("workframe-agent")).mkdir(parents=True, exist_ok=True)
+        credential_vault.DATA_DIR = server.DATA_DIR
+        credential_vault.VAULT_DB = server.DATA_DIR / "credential_vault.db"
+        vault_kek.DATA_DIR = server.DATA_DIR
+        vault_kek.VAULT_KEK_FILE = server.DATA_DIR / ".vault_kek"
+        credential_vault.ensure_schema()
+        credential_vault.unseal_for_tests()
+        turn_credentials.DATA_DIR = server.DATA_DIR
+        turn_credentials.WORKFRAME_DB = server.DATA_DIR / "workframe.db"
+        turn_credentials.ensure_schema()
+        ensure_workframe_schemas()
+        self.workspace_id = "ws-iso"
+        self.user_a = "cb6a2db4-ac86-4c49-8247-14a1d68aca72"
+        self.user_b = "44fb344c-0954-47b6-a19a-ebbcf20e9680"
+        conn = server._workframe_db()
+        try:
+            now = "1"
+            conn.execute(
+                "INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                (self.workspace_id, "iso", "Iso", self.user_a, "active", now, now),
+            )
+            for uid, name in ((self.user_a, "Fab"), (self.user_b, "Alan Borger")):
+                conn.execute(
+                    "INSERT INTO users (id, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?)",
+                    (uid, name, "member", "active", now, now),
+                )
+                conn.execute(
+                    """
+                    INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at)
+                    VALUES (?, ?, ?, 'member', 'active', ?, ?)
+                    """,
+                    (f"wm-{uid}", self.workspace_id, uid, now, now),
+                )
+            for slug, name in (("workframe-agent", "Workframe Agent"), ("architect", "Architect")):
+                conn.execute(
+                    """
+                    INSERT INTO agent_profiles (id, workspace_id, slug, display_name, is_native, status, created_at, updated_at)
+                    VALUES (?, ?, ?, ?, ?, 'available', ?, ?)
+                    """,
+                    (f"ap-{slug}", self.workspace_id, slug, name, slug == "workframe-agent", now, now),
+                )
+            conn.executemany(
+                """
+                INSERT INTO credential_bindings (
+                    id, workspace_id, user_id, agent_profile_id, provider,
+                    credential_type, credential_ref, label, is_active,
+                    expires_at, created_by, created_at, updated_at, deleted_at
+                ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+                """,
+                [
+                    (
+                        "fab-or", None, self.user_a, None, "openrouter",
+                        "api_key", credential_vault.vault_ref("fab-or"), "Fab OR", 1, None, self.user_a,
+                        now, now, None,
+                    ),
+                    (
+                        "alan-or", None, self.user_b, None, "openrouter",
+                        "api_key", credential_vault.vault_ref("alan-or"), "Alan OR", 1, None, self.user_b,
+                        now, now, None,
+                    ),
+                ],
+            )
+            conn.commit()
+        finally:
+            conn.close()
+        credential_vault.store_secret("fab-or", "sk-fab-only", env_var="OPENROUTER_API_KEY", provider="openrouter", user_id=self.user_a)
+        credential_vault.store_secret("alan-or", "sk-alan-only", env_var="OPENROUTER_API_KEY", provider="openrouter", user_id=self.user_b)
+
+    def tearDown(self) -> None:
+        server.DATA_DIR = self._old_data_dir
+        server.AUTH_DB_PATH = self._old_auth_db_path
+        server.HERMES_DATA = self._old_hermes_data
+
+    def test_runtime_slug_ownership_is_distinct_per_user(self) -> None:
+        fab_arch = server._runtime_profile_slug(self.user_a, "architect")
+        alan_arch = server._runtime_profile_slug(self.user_b, "architect")
+        self.assertNotEqual(fab_arch, alan_arch)
+        self.assertEqual(server._user_id_for_runtime_slug(fab_arch, self.workspace_id), self.user_a)
+        self.assertEqual(server._user_id_for_runtime_slug(alan_arch, self.workspace_id), self.user_b)
+
+    def test_user_a_cannot_assign_kanban_to_user_b_runtime(self) -> None:
+        alan_arch = server._runtime_profile_slug(self.user_b, "architect")
+        ok, reason = server.validate_kanban_assignee(alan_arch, self.user_a, self.workspace_id)
+        self.assertFalse(ok)
+        self.assertEqual(reason, "assignee_owner_forbidden")
+
+    def test_user_a_can_assign_to_own_runtime(self) -> None:
+        fab_arch = server._runtime_profile_slug(self.user_a, "architect")
+        ok, owner = server.validate_kanban_assignee(fab_arch, self.user_a, self.workspace_id)
+        self.assertTrue(ok)
+        self.assertEqual(owner, self.user_a)
+
+    def test_template_assignee_rejected_by_default(self) -> None:
+        ok, reason = server.validate_kanban_assignee("architect", self.user_a, self.workspace_id)
+        self.assertFalse(ok)
+        self.assertEqual(reason, "template_assignee_forbidden")
+
+    def test_delegate_grant_allows_partner_assignee(self) -> None:
+        alan_arch = server._runtime_profile_slug(self.user_b, "architect")
+        ok, owner = server.validate_kanban_assignee(
+            alan_arch,
+            self.user_a,
+            self.workspace_id,
+            delegate_user_ids=frozenset({self.user_b}),
+        )
+        self.assertTrue(ok)
+        self.assertEqual(owner, self.user_b)
+
+    @patch.object(server, "_wait_profile_api_healthy", return_value=True)
+    def test_overlay_writes_only_acting_user_secret(self, _wait_mock) -> None:
+        cred_id = "fab-or"
+        credential_vault.store_secret(cred_id, "sk-fab-only", env_var="OPENROUTER_API_KEY", provider="openrouter", user_id=self.user_a)
+        conn = server._workframe_db()
+        try:
+            conn.execute(
+                "UPDATE credential_bindings SET credential_ref = ? WHERE id = ?",
+                (credential_vault.vault_ref(cred_id), cred_id),
+            )
+            conn.commit()
+        finally:
+            conn.close()
+        runtime = server._runtime_profile_slug(self.user_a, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        env_path = prof_dir / ".env"
+        run_id = "run-iso-1"
+        server._overlay_turn_provider_env(runtime, self.user_a, self.workspace_id, "openrouter", run_id)
+        text = env_path.read_text(encoding="utf-8")
+        self.assertIn("wf_rt_", text)
+        self.assertNotIn("sk-fab-only", text)
+        self.assertNotIn("sk-alan-only", text)
+        token = next(
+            line.split("=", 1)[1].strip()
+            for line in text.splitlines()
+            if line.startswith("OPENAI_API_KEY=") or line.startswith("OPENROUTER_API_KEY=")
+        )
+        server._revoke_turn_credential_lease(run_id, runtime)
+        self.assertIsNone(turn_credentials.validate_lease(token))
+
+    def test_sync_runtime_strips_foreign_llm_key_and_sets_proxy(self) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        (prof_dir / "config.yaml").write_text("model:\n  default: openrouter/x\n", encoding="utf-8")
+        server._upsert_env_secret(prof_dir / ".env", "OPENROUTER_API_KEY", "sk-fab-only")
+        server._prepare_runtime_profile_credentials(runtime, self.user_b, self.workspace_id)
+        text = (prof_dir / ".env").read_text(encoding="utf-8") if (prof_dir / ".env").is_file() else ""
+        self.assertNotIn("sk-fab-only", text)
+        self.assertIn("base_url: http://workframe-api:8080/internal/llm/openrouter/v1", (prof_dir / "config.yaml").read_text(encoding="utf-8"))
+
+    def test_sync_runtime_strips_foreign_key_when_owner_has_none(self) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        server._upsert_env_secret(prof_dir / ".env", "OPENROUTER_API_KEY", "sk-fab-only")
+        server._prepare_runtime_profile_credentials(runtime, self.user_b, self.workspace_id)
+        text = (prof_dir / ".env").read_text(encoding="utf-8")
+        self.assertNotIn("sk-fab-only", text)
+        self.assertNotIn("OPENROUTER_API_KEY=", text)
+
+    def test_runtime_profile_rejects_stack_operator_key_bleed(self) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        primary = server._primary_profile() or "workframe-agent"
+        primary_dir = server._profile_dir(primary)
+        primary_dir.mkdir(parents=True, exist_ok=True)
+        server._upsert_env_secret(primary_dir / ".env", "OPENROUTER_API_KEY", "sk-stack-only")
+        server._upsert_env_secret(prof_dir / ".env", "OPENROUTER_API_KEY", "sk-stack-only")
+        server._prepare_runtime_profile_credentials(runtime, self.user_b, self.workspace_id)
+        text = (prof_dir / ".env").read_text(encoding="utf-8")
+        self.assertNotIn("sk-stack-only", text)
+        self.assertNotIn("OPENROUTER_API_KEY=", text)
+
+    @patch.object(server, "ensure_runtime_profile")
+    def test_cohort_slugs_are_user_scoped(self, _ensure: object) -> None:
+        fab_cohort = server.cohort_runtime_slugs(self.user_a, self.workspace_id)
+        alan_cohort = server.cohort_runtime_slugs(self.user_b, self.workspace_id)
+        self.assertTrue(fab_cohort.isdisjoint(alan_cohort))
+
+    def test_resolve_credential_user_only_never_crosses_users(self) -> None:
+        fab = server._resolve_credential(self.user_a, self.workspace_id, "openrouter", user_only=True)
+        alan = server._resolve_credential(self.user_b, self.workspace_id, "openrouter", user_only=True)
+        assert fab and alan
+        self.assertEqual(fab["credential_ref"], credential_vault.vault_ref("fab-or"))
+        self.assertEqual(alan["credential_ref"], credential_vault.vault_ref("alan-or"))
+        self.assertNotEqual(
+            server._credential_secret(fab, self.user_a),
+            server._credential_secret(alan, self.user_b),
+        )
+
+
+    def test_stack_install_key_does_not_show_admin_connected(self) -> None:
+        primary = server._primary_profile() or "workframe-agent"
+        primary_dir = server._profile_dir(primary)
+        primary_dir.mkdir(parents=True, exist_ok=True)
+        server._upsert_env_secret(primary_dir / ".env", "OPENROUTER_API_KEY", "sk-install-only")
+        alan_home = server._user_hermes_home(self.user_b)
+        alan_home.mkdir(parents=True, exist_ok=True)
+        server._remove_env_secret(server._user_hermes_env_path(self.user_b), "OPENROUTER_API_KEY")
+        conn = server._workframe_db()
+        try:
+            conn.execute("DELETE FROM credential_bindings WHERE user_id = ?", (self.user_b,))
+            conn.execute(
+                "UPDATE workspace_memberships SET role = 'owner' WHERE workspace_id = ? AND user_id = ?",
+                (self.workspace_id, self.user_b),
+            )
+            conn.commit()
+        finally:
+            conn.close()
+        openrouter = next(
+            row for row in server.list_user_providers(self.user_b, self.workspace_id)["providers"]
+            if row["id"] == "openrouter"
+        )
+        self.assertFalse(openrouter["connected"])
+
+    def test_migrate_adopts_primary_install_key_to_owner(self) -> None:
+        primary = server._primary_profile() or "workframe-agent"
+        primary_dir = server._profile_dir(primary)
+        primary_dir.mkdir(parents=True, exist_ok=True)
+        server._upsert_env_secret(primary_dir / ".env", "OPENROUTER_API_KEY", "sk-install-adopt")
+        alan_home = server._user_hermes_home(self.user_b)
+        alan_home.mkdir(parents=True, exist_ok=True)
+        server._remove_env_secret(server._user_hermes_env_path(self.user_b), "OPENROUTER_API_KEY")
+        conn = server._workframe_db()
+        try:
+            conn.execute("DELETE FROM credential_bindings WHERE user_id = ?", (self.user_b,))
+            conn.execute("DELETE FROM schema_migrations WHERE version = '12'")
+            conn.execute(
+                "UPDATE workspaces SET owner_id = ? WHERE id = ?",
+                (self.user_b, self.workspace_id),
+            )
+            conn.commit()
+            server._migrate_v12_adopt_install_keys_to_owners(conn)
+            conn.commit()
+        finally:
+            conn.close()
+        spec = server._catalog_provider("openrouter") or {"id": "openrouter", "category": "llm"}
+        self.assertTrue(server._user_provider_connected(self.user_b, spec))
+        binding = server._resolve_credential(self.user_b, self.workspace_id, "openrouter", user_only=True)
+        assert binding
+        self.assertEqual(server._credential_secret(binding, self.user_b), "sk-install-adopt")
+        self.assertFalse(server._user_hermes_env_path(self.user_b).is_file())
+
+    def test_strip_profile_llm_env_preserves_turn_lease(self) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        server._upsert_env_secret(prof_dir / ".env", "OPENROUTER_API_KEY", "sk-fab-only")
+        server._upsert_env_secret(
+            prof_dir / ".env",
+            "OPENROUTER_API_KEY",
+            f"{turn_credentials.LEASE_PREFIX}abc123",
+        )
+        server._strip_profile_llm_env(runtime)
+        text = (prof_dir / ".env").read_text(encoding="utf-8")
+        self.assertIn(f"{turn_credentials.LEASE_PREFIX}abc123", text)
+        self.assertNotIn("sk-fab-only", text)
+
+    def test_publish_gateway_secrets_makes_runtime_auth_readable(self) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        auth_path = prof_dir / "auth.json"
+        auth_path.write_text('{"version":1}\n', encoding="utf-8")
+        os.chmod(auth_path, 0o600)
+        server._publish_profile_gateway_secrets(runtime)
+        mode = auth_path.stat().st_mode & 0o777
+        self.assertTrue(mode & 0o444, f"auth.json not world-readable: {oct(mode)}")
+
+    def test_ensure_profile_api_keeps_lease_after_overlay(self) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        (prof_dir / "config.yaml").write_text(
+            "model:\n  provider: openrouter\n  default: openrouter/x\n",
+            encoding="utf-8",
+        )
+        run_id = "stream-order-test"
+        server._apply_turn_credential_lease(
+            runtime, self.user_b, self.workspace_id, "openrouter", run_id,
+        )
+        with patch.object(server, "_ensure_profile_toolsets"), patch.object(
+            server, "_profile_api_healthy", return_value=True,
+        ):
+            server.ensure_profile_api(runtime, self.user_b, self.workspace_id)
+        text = (prof_dir / ".env").read_text(encoding="utf-8")
+        self.assertIn(turn_credentials.LEASE_PREFIX, text)
+        server._revoke_turn_credential_lease(run_id, runtime)
+
+    @patch.object(server, "_restart_runtime_profile_gateway")
+    def test_runtime_lease_writes_config_and_reloads_gateway(self, restart_mock) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        (prof_dir / "config.yaml").write_text(
+            "model:\n  provider: custom\n  default: openrouter/x\n"
+            "  base_url: http://workframe-api:8080/internal/llm/openrouter/v1\n"
+            "  api_key: wf_rt_deadbeef\n",
+            encoding="utf-8",
+        )
+        token = server._apply_turn_credential_lease(
+            runtime, self.user_b, self.workspace_id, "openrouter", "lease-sync-1",
+        )
+        self.assertTrue(token.startswith(turn_credentials.LEASE_PREFIX))
+        self.assertEqual(server._read_config_model_api_key(runtime), token)
+        restart_mock.assert_called()
+
+    @patch.object(server, "_restart_runtime_profile_gateway")
+    def test_revoke_clears_stale_lease_from_config(self, restart_mock) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        token = turn_credentials.issue_lease(
+            "revoke-clear",
+            self.user_b,
+            self.workspace_id,
+            "openrouter",
+            runtime,
+            "alan-or",
+        )
+        (prof_dir / "config.yaml").write_text(
+            f"model:\n  provider: custom\n  api_key: {token}\n",
+            encoding="utf-8",
+        )
+        server._revoke_turn_credential_lease("revoke-clear", runtime)
+        self.assertEqual(server._read_config_model_api_key(runtime), "")
+        restart_mock.assert_called()
+
+    def test_ensure_profile_proxy_headers_writes_profile_slug(self) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        (prof_dir / "config.yaml").write_text(
+            "model:\n  provider: custom\n  default: openrouter/x\n",
+            encoding="utf-8",
+        )
+        server._ensure_profile_proxy_headers(runtime)
+        text = (prof_dir / "config.yaml").read_text(encoding="utf-8")
+        self.assertIn(f"X-Workframe-Profile: {runtime}", text)
+
+    def test_ensure_profile_proxy_headers_appends_proxy_token_to_existing_block(self) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        (prof_dir / "config.yaml").write_text(
+            "model:\n"
+            "  provider: custom\n"
+            "  base_url: http://workframe-api:8080/internal/llm/openrouter/v1\n"
+            "  default_headers:\n"
+            f"    X-Workframe-Profile: {runtime}\n"
+            "fallback_providers:\n"
+            "  model: openrouter/x\n",
+            encoding="utf-8",
+        )
+        with patch.dict(os.environ, {"WORKFRAME_PROXY_TOKEN": "proxy-test-token"}, clear=False):
+            internal_proxy_auth.reset_proxy_token_for_tests()
+            server._ensure_profile_proxy_headers(runtime)
+        text = (prof_dir / "config.yaml").read_text(encoding="utf-8")
+        self.assertEqual(text.count("default_headers:"), 1)
+        self.assertIn(f"X-Workframe-Profile: {runtime}", text)
+        self.assertIn("X-Workframe-Proxy-Token: ${WORKFRAME_PROXY_TOKEN}", text)
+        profile_pos = text.index("X-Workframe-Profile:")
+        proxy_pos = text.index("X-Workframe-Proxy-Token:")
+        fallback_pos = text.index("fallback_providers:")
+        self.assertLess(profile_pos, proxy_pos)
+        self.assertLess(proxy_pos, fallback_pos)
+
+    @patch.object(server, "_wait_profile_api_healthy", return_value=True)
+    def test_overlay_with_custom_routing_provider(self, _wait_mock) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        (prof_dir / "config.yaml").write_text(
+            "model:\n  provider: custom\n  default: openrouter/owl-alpha\n"
+            "  base_url: http://workframe-api:8080/internal/llm/openrouter/v1\n",
+            encoding="utf-8",
+        )
+        ready = server._overlay_chat_llm_env(
+            runtime, self.user_b, self.workspace_id, "custom",
+        )
+        self.assertTrue(ready)
+        text = (prof_dir / ".env").read_text(encoding="utf-8")
+        self.assertIn(turn_credentials.LEASE_PREFIX, text)
+        server._strip_profile_llm_env(runtime, include_leases=True)
+        server._clear_profile_model_api_key(runtime)
+
+    def test_strip_profile_llm_env_drops_custom_provider_lease(self) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        (prof_dir / ".env").write_text(
+            "OPENAI_API_KEY=wf_rt_expired_lease_token\nWORKFRAME_PROXY_TOKEN=proxy\n",
+            encoding="utf-8",
+        )
+        server._strip_profile_llm_env(runtime, include_leases=True)
+        text = (prof_dir / ".env").read_text(encoding="utf-8")
+        self.assertNotIn("wf_rt_", text)
+        self.assertIn("WORKFRAME_PROXY_TOKEN=proxy", text)
+
+    def test_ensure_profile_llm_proxy_rewrites_scalar_fallback_when_ready(self) -> None:
+        runtime = server._runtime_profile_slug(self.user_b, "architect")
+        prof_dir = server._profile_dir(runtime)
+        prof_dir.mkdir(parents=True, exist_ok=True)
+        (prof_dir / "config.yaml").write_text(
+            "model:\n"
+            "  provider: custom\n"
+            "  default: openrouter/owl-alpha\n"
+            "  base_url: http://workframe-api:8080/internal/llm/openrouter/v1\n"
+            "fallback_providers:\n"
+            "  model: openrouter/nvidia/nemotron-3-ultra-550b-a55b:free\n",
+            encoding="utf-8",
+        )
+        server._ensure_profile_llm_proxy(runtime, "openrouter")
+        text = (prof_dir / "config.yaml").read_text(encoding="utf-8")
+        self.assertIn("- provider: custom", text)
+        self.assertNotRegex(text, r"fallback_providers:\n  model:")
+
+
+if __name__ == "__main__":
+    unittest.main()