create-workframe 0.1.0

package/workframe-api/tests/test_login_access_policy.py

@@ -0,0 +1,183 @@
+"""Invite-only login for multi-user modes post-install."""
+
+from __future__ import annotations
+
+import hashlib
+import tempfile
+import time
+import unittest
+import uuid
+from pathlib import Path
+from unittest import mock
+
+import server
+import stack_config
+from db_setup import ensure_workframe_schemas
+
+
+class LoginAccessPolicyTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self._old_data_dir = server.DATA_DIR
+        self._old_auth_db_path = server.AUTH_DB_PATH
+        self._old_mode = server.DEPLOYMENT_MODE
+        self._old_dev = server.DEV_LOCAL_UNSAFE
+        server.DATA_DIR = Path(self._tmp.name)
+        server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
+        server.DEV_LOCAL_UNSAFE = False
+        ensure_workframe_schemas()
+        stack_config.patch_stack_config({"install_complete": True, "deployment_mode": "public_multi_user"})
+        server.DEPLOYMENT_MODE = "public_multi_user"
+
+        self.workspace_id = "ws-closed"
+        self.owner_id = "user-owner"
+        self.owner_email = "owner@biz.test"
+        conn = server._workframe_db()
+        try:
+            now = str(int(time.time()))
+            conn.execute(
+                "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                (self.owner_id, self.owner_email, "Owner", "owner", "active", now, now),
+            )
+            conn.execute(
+                """
+                INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at)
+                VALUES (?, ?, ?, ?, ?, ?, ?)
+                """,
+                (self.workspace_id, "default", "Acme Corp", self.owner_id, "active", now, now),
+            )
+            conn.execute(
+                """
+                INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at)
+                VALUES (?, ?, ?, ?, ?, ?, ?)
+                """,
+                ("wm-owner", self.workspace_id, self.owner_id, "owner", "active", now, now),
+            )
+            conn.commit()
+        finally:
+            conn.close()
+
+    def tearDown(self) -> None:
+        server.DATA_DIR = self._old_data_dir
+        server.AUTH_DB_PATH = self._old_auth_db_path
+        server.DEPLOYMENT_MODE = self._old_mode
+        server.DEV_LOCAL_UNSAFE = self._old_dev
+
+    def test_stranger_denied_when_invite_only(self) -> None:
+        self.assertTrue(server._invite_only_login_enforced())
+        allowed, meta = server._email_allowed_to_authenticate("stranger@evil.test")
+        self.assertFalse(allowed)
+        self.assertEqual(meta["error"], "private_workspace")
+        self.assertIn("Acme Corp", meta["message"])
+
+    def test_owner_allowed(self) -> None:
+        allowed, _ = server._email_allowed_to_authenticate(self.owner_email)
+        self.assertTrue(allowed)
+
+    def test_pending_invitee_allowed(self) -> None:
+        invite_email = "invitee@partner.test"
+        token = "invite-token-secret"
+        conn = server._workframe_db()
+        try:
+            conn.execute(
+                """
+                INSERT INTO workspace_invites
+                (id, workspace_id, email, role, token_hash, invited_by_user_id, expires_at, created_at)
+                VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+                """,
+                (
+                    "inv-1",
+                    self.workspace_id,
+                    invite_email,
+                    "member",
+                    hashlib.sha256(token.encode()).hexdigest(),
+                    self.owner_id,
+                    str(int(time.time()) + 3600),
+                    str(int(time.time())),
+                ),
+            )
+            conn.commit()
+        finally:
+            conn.close()
+        allowed, _ = server._email_allowed_to_authenticate(invite_email)
+        self.assertTrue(allowed)
+        self.assertTrue(server._invite_token_allows_email(token, invite_email))
+
+    def test_trusted_team_denies_stranger_post_install(self) -> None:
+        server.DEPLOYMENT_MODE = "trusted_team"
+        allowed, meta = server._email_allowed_to_authenticate("stranger@evil.test")
+        self.assertFalse(allowed)
+        self.assertEqual(meta["error"], "private_workspace")
+
+    def test_owner_claim_blocked_after_install(self) -> None:
+        conn = server._workframe_db()
+        try:
+            now = str(int(time.time()))
+            conn.execute(
+                "INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                ("ws-unclaimed", "unclaimed", "Unclaimed", "", "active", now, now),
+            )
+            conn.commit()
+            promoted = server._promote_workspace_owner_if_unclaimed(conn, "ws-unclaimed", "user-attacker")
+            conn.commit()
+            row = conn.execute(
+                "SELECT owner_id FROM workspaces WHERE id = ?", ("ws-unclaimed",)
+            ).fetchone()
+        finally:
+            conn.close()
+        self.assertFalse(promoted)
+        self.assertEqual(str(row["owner_id"] or ""), "")
+
+    def test_install_stack_get_denied_anonymous_post_install(self) -> None:
+        from http.server import BaseHTTPRequestHandler
+
+        handler = mock.Mock(spec=BaseHTTPRequestHandler)
+        handler.command = "GET"
+        handler.path = "/api/install/stack"
+        handler.headers = {}
+        with mock.patch.object(server, "_install_window_open", return_value=False), mock.patch.object(
+            server, "_session_id_from_request", return_value=""
+        ):
+            self.assertFalse(server._auth_check(handler))
+
+    def _handler(self) -> server.Handler:
+        from io import BytesIO
+        from unittest.mock import MagicMock
+
+        sock = MagicMock()
+        sock.makefile.return_value = BytesIO()
+        return server.Handler(sock, ("127.0.0.1", 0), None)
+
+    def test_ensure_user_does_not_auto_join_when_invite_only(self) -> None:
+        stranger_id = str(uuid.uuid4())
+        stranger_email = "stranger@evil.test"
+        self._handler()._ensure_user(stranger_id, stranger_email, stranger_email)
+        conn = server._workframe_db()
+        try:
+            row = conn.execute(
+                "SELECT id FROM workspace_memberships WHERE workspace_id = ? AND user_id = ? AND deleted_at IS NULL",
+                (self.workspace_id, stranger_id),
+            ).fetchone()
+            self.assertIsNone(row)
+        finally:
+            conn.close()
+
+    @mock.patch.object(server, "_invite_only_login_enforced", return_value=False)
+    def test_ensure_user_auto_joins_when_not_invite_only(self, _enforced: mock.MagicMock) -> None:
+        stranger_id = str(uuid.uuid4())
+        stranger_email = "open@dogfood.test"
+        self._handler()._ensure_user(stranger_id, stranger_email, stranger_email)
+        conn = server._workframe_db()
+        try:
+            row = conn.execute(
+                "SELECT id FROM workspace_memberships WHERE workspace_id = ? AND user_id = ? AND deleted_at IS NULL",
+                (self.workspace_id, stranger_id),
+            ).fetchone()
+            self.assertIsNotNone(row)
+        finally:
+            conn.close()
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_mvp_model_bootstrap.py

@@ -0,0 +1,75 @@
+import importlib.util
+import tempfile
+import unittest
+from pathlib import Path
+from unittest.mock import patch
+
+API = Path(__file__).resolve().parents[1] / "server.py"
+spec = importlib.util.spec_from_file_location("server", API)
+server = importlib.util.module_from_spec(spec)
+assert spec and spec.loader
+spec.loader.exec_module(server)
+
+
+class MvpModelBootstrapTest(unittest.TestCase):
+    def test_apply_mvp_openrouter_writes_config_yaml(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp:
+            root = Path(tmp)
+            prof_dir = root / "profiles" / "u-test-user-workframe-agent"
+            prof_dir.mkdir(parents=True)
+            (prof_dir / "profile.yaml").write_text(
+                "model:\n  default: openrouter/owl-alpha\n  provider: openrouter\n",
+                encoding="utf-8",
+            )
+            with patch.object(server, "HERMES_DATA", root):
+                ok = server._apply_mvp_model_for_provider("u-test-user-workframe-agent", "openrouter")
+            self.assertTrue(ok)
+            cfg = prof_dir / "config.yaml"
+            self.assertTrue(cfg.is_file())
+            text = cfg.read_text(encoding="utf-8")
+            self.assertIn("default: openrouter/owl-alpha", text)
+            self.assertIn("provider: openrouter", text)
+            self.assertIn("openrouter/nex-agi", text)
+            self.assertIn("nemotron-3-ultra", text)
+
+    def test_bootstrap_runtime_sets_model_when_missing(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp:
+            root = Path(tmp)
+            runtime = "u-test-user-workframe-agent"
+            runtime_dir = root / "profiles" / runtime
+            runtime_dir.mkdir(parents=True)
+            (runtime_dir / ".env").write_text("OPENROUTER_API_KEY=sk-test\n", encoding="utf-8")
+            user_home = root / "profiles" / "user-test"
+            user_home.mkdir(parents=True)
+            (user_home / ".env").write_text("OPENROUTER_API_KEY=sk-test\n", encoding="utf-8")
+            with patch.object(server, "HERMES_DATA", root), patch.object(
+                server, "NATIVE_PROFILE", "workframe-agent"
+            ), patch.object(server, "_primary_profile", return_value="workframe-agent"), patch.object(
+                server, "resolve_hermes_profile", side_effect=lambda p: p
+            ), patch.object(server, "_prepare_runtime_profile_credentials", return_value=True), patch.object(
+                server, "_resolve_credential", return_value={"credential_ref": "env:OPENROUTER_API_KEY", "env_var": "OPENROUTER_API_KEY"}
+            ):
+                server._bootstrap_profile_providers(runtime, "user-test", "ws-1")
+            cfg = runtime_dir / "config.yaml"
+            self.assertTrue(cfg.is_file())
+            self.assertIn("openrouter/owl-alpha", cfg.read_text(encoding="utf-8"))
+
+    def test_profile_model_reads_nested_default_without_crossing_lines(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp:
+            root = Path(tmp)
+            runtime = "u-test-user-workframe-agent"
+            runtime_dir = root / "profiles" / runtime
+            runtime_dir.mkdir(parents=True)
+            (runtime_dir / "config.yaml").write_text(
+                "model:\n"
+                "  provider: custom\n"
+                "  default: openrouter/owl-alpha\n"
+                "  base_url: http://workframe-api:8080/internal/llm/openrouter/v1\n",
+                encoding="utf-8",
+            )
+            with patch.object(server, "HERMES_DATA", root):
+                self.assertEqual(server._profile_model(runtime), "openrouter/owl-alpha")
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_onboarding_bootstrap.py

@@ -0,0 +1,248 @@
+"""Auto-bootstrap default workspace on API startup."""
+import json
+import os
+import tempfile
+import unittest
+from pathlib import Path
+from unittest import mock
+
+import server
+
+
+class OnboardingBootstrapTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self.tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self.tmp.cleanup)
+        data = Path(self.tmp.name) / "data"
+        data.mkdir()
+        self.patches = [
+            mock.patch.object(server, "DATA_DIR", data),
+            mock.patch.object(server, "WORKSPACE", Path(self.tmp.name) / "Files"),
+            mock.patch.object(server, "_workframe_db_path", return_value=data / "workframe.db"),
+            mock.patch.dict(os.environ, {"WORKFRAME_PROJECT": "Workframe", "WORKFRAME_NATIVE_PROFILE": "workframe-agent"}, clear=False),
+        ]
+        for patch in self.patches:
+            patch.start()
+            self.addCleanup(patch.stop)
+        server._ensure_workframe_db_schema()
+
+    def test_ensure_default_workspace_idempotent(self) -> None:
+        server._ensure_default_workspace()
+        server._ensure_default_workspace()
+        conn = server._workframe_db()
+        ws = conn.execute("SELECT slug, display_name FROM workspaces WHERE slug='default'").fetchone()
+        agents = conn.execute("SELECT slug FROM agent_profiles WHERE deleted_at IS NULL ORDER BY slug").fetchall()
+        rooms = conn.execute("SELECT slug FROM rooms WHERE deleted_at IS NULL").fetchall()
+        conn.close()
+        self.assertEqual(ws["slug"], "default")
+        self.assertEqual(ws["display_name"], "Workframe")
+        self.assertEqual([r[0] for r in agents], ["workframe-agent"])
+        room_slugs = [r[0] for r in rooms]
+        self.assertIn("general", room_slugs)
+
+    def test_sync_workspace_home_room_mirrors_branding(self) -> None:
+        server._ensure_default_workspace()
+        conn = server._workframe_db()
+        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
+        ws_id = str(ws["id"])
+        settings = json.dumps({"tagline": "Let's go!"}, sort_keys=True)
+        conn.execute(
+            "UPDATE workspaces SET display_name = ?, settings_json = ?, updated_at = ? WHERE id = ?",
+            ("My Business", settings, "2", ws_id),
+        )
+        server._sync_workspace_home_room(conn, ws_id)
+        conn.commit()
+        room = conn.execute(
+            "SELECT name, topic FROM rooms WHERE workspace_id = ? AND slug = 'general'",
+            (ws_id,),
+        ).fetchone()
+        conn.close()
+        self.assertEqual(room["name"], "My Business")
+        self.assertEqual(room["topic"], "Let's go!")
+        server._ensure_default_workspace()
+        owner = "owner-user-id"
+        conn = server._workframe_db()
+        now = str(int(__import__("time").time()))
+        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
+        conn.execute(
+            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            (owner, "owner@test.com", "Owner", "user", "active", now, now),
+        )
+        conn.execute(
+            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            ("m1", ws["id"], owner, "owner", "active", now, now),
+        )
+        conn.commit()
+        conn.close()
+        with mock.patch.object(server, "_install_complete", return_value=False):
+            payload = server._onboarding_payload(owner)
+        self.assertFalse(payload["complete"])
+        self.assertEqual(payload["step"], "admin_integrations")
+        self.assertEqual(payload["credential_mode"], "byok")
+
+    def test_onboarding_complete_when_install_finished(self) -> None:
+        server._ensure_default_workspace()
+        owner = "owner-install-done"
+        conn = server._workframe_db()
+        now = str(int(__import__("time").time()))
+        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
+        conn.execute(
+            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            (owner, "done@test.com", "Owner", "user", "active", now, now),
+        )
+        conn.execute(
+            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            ("m-done", ws["id"], owner, "owner", "active", now, now),
+        )
+        conn.commit()
+        conn.close()
+        with mock.patch.object(server, "_install_complete", return_value=True), mock.patch.object(
+            server, "_user_has_llm_provider", return_value=True
+        ):
+            payload = server._onboarding_payload(owner)
+        self.assertTrue(payload["complete"])
+        self.assertEqual(payload["step"], "done")
+
+    def test_onboarding_workspace_provider_after_company_mode(self) -> None:
+        server._ensure_default_workspace()
+        owner = "owner-workspace-keys"
+        conn = server._workframe_db()
+        now = str(int(__import__("time").time()))
+        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
+        conn.execute(
+            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            (owner, "owner2@test.com", "Owner", "user", "active", now, now),
+        )
+        conn.execute(
+            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            ("m2", ws["id"], owner, "owner", "active", now, now),
+        )
+        settings = '{"credential_mode":"workspace","admin_integrations_done":true,"admin_onboarding_done":true}'
+        conn.execute(
+            "UPDATE workspaces SET settings_json = ? WHERE id = ?",
+            (settings, ws["id"]),
+        )
+        conn.commit()
+        conn.close()
+        payload = server._onboarding_payload(owner)
+        self.assertFalse(payload["complete"])
+        self.assertEqual(payload["step"], "workspace_provider")
+
+    def test_member_can_mark_integrations_done_during_install(self) -> None:
+        server._ensure_default_workspace()
+        user_id = "installer-member"
+        conn = server._workframe_db()
+        now = str(int(__import__("time").time()))
+        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
+        conn.execute(
+            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            (user_id, "installer@test.com", "Installer", "user", "active", now, now),
+        )
+        conn.execute(
+            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            ("m-install", ws["id"], user_id, "member", "active", now, now),
+        )
+        conn.commit()
+        conn.close()
+        with mock.patch.object(server, "_install_window_open", return_value=True):
+            status, payload = server._patch_workspace_integrations(
+                str(ws["id"]),
+                {"admin_integrations_done": True},
+                user_id,
+            )
+        self.assertEqual(status, 200)
+        self.assertTrue(payload.get("ok"))
+        conn = server._workframe_db()
+        settings = server._parse_workspace_settings(
+            conn.execute("SELECT * FROM workspaces WHERE id = ?", (ws["id"],)).fetchone()
+        )
+        conn.close()
+        self.assertTrue(settings.get("admin_integrations_done"))
+
+    def test_owner_id_repairs_stale_member_role(self) -> None:
+        server._ensure_default_workspace()
+        user_id = "stale-owner"
+        conn = server._workframe_db()
+        now = str(int(__import__("time").time()))
+        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
+        conn.execute(
+            "UPDATE workspaces SET owner_id = ? WHERE id = ?",
+            (user_id, ws["id"]),
+        )
+        conn.execute(
+            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            (user_id, "stale@test.com", "Stale", "user", "active", now, now),
+        )
+        conn.execute(
+            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            ("m-stale", ws["id"], user_id, "member", "active", now, now),
+        )
+        conn.commit()
+        conn.close()
+        status, payload = server._patch_workspace_integrations(
+            str(ws["id"]),
+            {"admin_integrations_done": True},
+            user_id,
+        )
+        self.assertEqual(status, 200)
+        self.assertTrue(payload.get("ok"))
+        conn = server._workframe_db()
+        role = conn.execute(
+            "SELECT role FROM workspace_memberships WHERE workspace_id = ? AND user_id = ?",
+            (ws["id"], user_id),
+        ).fetchone()
+        conn.close()
+        self.assertEqual(role["role"], "owner")
+
+    def test_patch_workspace_tagline_uses_existing_row(self) -> None:
+        server._ensure_default_workspace()
+        owner = "owner-tagline"
+        conn = server._workframe_db()
+        now = str(int(__import__("time").time()))
+        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
+        conn.execute(
+            "INSERT INTO users (id, email, display_name, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            (owner, "tagline@test.com", "Owner", "user", "active", now, now),
+        )
+        conn.execute(
+            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+            ("m-tagline", ws["id"], owner, "owner", "active", now, now),
+        )
+        conn.commit()
+        conn.close()
+        status, payload = server._patch_workspace(
+            str(ws["id"]),
+            {"display_name": "Acme", "tagline": "We ship", "description": "Mission"},
+            owner,
+        )
+        self.assertEqual(status, 200)
+        self.assertTrue(payload.get("ok"))
+        self.assertEqual(payload["workspace"]["tagline"], "We ship")
+        self.assertEqual(payload["workspace"]["display_name"], "Acme")
+        conn = server._workframe_db()
+        raw = conn.execute(
+            "SELECT settings_json FROM workspaces WHERE id = ?",
+            (ws["id"],),
+        ).fetchone()
+        conn.close()
+        settings = __import__("json").loads(raw["settings_json"] or "{}")
+        self.assertEqual(settings.get("tagline"), "We ship")
+
+    def test_files_tree_root_uses_workspace_display_name(self) -> None:
+        server._ensure_default_workspace()
+        conn = server._workframe_db()
+        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
+        conn.execute(
+            "UPDATE workspaces SET display_name = ?, updated_at = ? WHERE id = ?",
+            ("Acme Corp", "3", ws["id"]),
+        )
+        conn.commit()
+        conn.close()
+        with mock.patch.dict(os.environ, {"WORKFRAME_PROJECT": "Shmorkframe"}, clear=False):
+            self.assertEqual(server._files_tree_root_name(), "Acme Corp")
+            tree = server.files_tree()
+        self.assertEqual(tree["name"], "Acme Corp")
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_platform_auth.py

@@ -0,0 +1,47 @@
+import hashlib
+import hmac
+import unittest
+
+import platform_auth
+import stack_config
+
+
+class PlatformAuthTests(unittest.TestCase):
+    def test_verify_telegram_login_accepts_valid_hash(self) -> None:
+        bot_token = "123456:ABC-DEF"
+        payload = {
+            "id": "424242",
+            "first_name": "Test",
+            "username": "tester",
+            "auth_date": "1700000000",
+        }
+        check_line = "\n".join(f"{k}={payload[k]}" for k in sorted(payload))
+        secret = hashlib.sha256(bot_token.encode("utf-8")).digest()
+        payload["hash"] = hmac.new(secret, check_line.encode("utf-8"), hashlib.sha256).hexdigest()
+
+        old = stack_config._read_raw
+        stack_config._read_raw = lambda: {
+            "telegram_login": {"bot_username": "wfbot", "bot_token": bot_token},
+        }
+        try:
+            result = platform_auth.verify_telegram_login(payload)
+        finally:
+            stack_config._read_raw = old
+
+        self.assertTrue(result.get("ok"))
+        self.assertEqual(result.get("platform_ids", {}).get("telegram"), "424242")
+
+    def test_verify_telegram_login_rejects_bad_hash(self) -> None:
+        old = stack_config._read_raw
+        stack_config._read_raw = lambda: {
+            "telegram_login": {"bot_username": "wfbot", "bot_token": "1:2"},
+        }
+        try:
+            result = platform_auth.verify_telegram_login({"id": "1", "hash": "bad"})
+        finally:
+            stack_config._read_raw = old
+        self.assertFalse(result.get("ok"))
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_profile_config_path.py

@@ -0,0 +1,56 @@
+"""Hermes:latest profiles use profile.yaml instead of config.yaml."""
+import tempfile
+import unittest
+from pathlib import Path
+from unittest import mock
+
+import server
+
+
+class ProfileConfigPathTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self.tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self.tmp.cleanup)
+        self.hermes = Path(self.tmp.name) / "Agents"
+        profiles = self.hermes / "profiles" / "workframe-agent"
+        profiles.mkdir(parents=True)
+        (profiles / "profile.yaml").write_text("description: test\n", encoding="utf-8")
+        self.patch = mock.patch.object(server, "HERMES_DATA", self.hermes)
+        self.patch.start()
+        self.addCleanup(self.patch.stop)
+
+    def test_profile_config_path_prefers_either_yaml(self) -> None:
+        path = server._profile_config_path("workframe-agent")
+        self.assertIsNotNone(path)
+        self.assertEqual(path.name, "profile.yaml")
+
+    def test_runtime_profile_on_disk_accepts_profile_yaml(self) -> None:
+        self.assertTrue(server._runtime_profile_on_disk("workframe-agent"))
+
+    def test_inherit_runtime_profile_config_copies_template_yaml(self) -> None:
+        runtime = "u-test-user-workframe-agent"
+        runtime_dir = self.hermes / "profiles" / runtime
+        runtime_dir.mkdir(parents=True)
+        (runtime_dir / ".env").write_text("X=1\n", encoding="utf-8")
+        server._inherit_runtime_profile_config(runtime, "workframe-agent")
+        inherited = runtime_dir / "profile.yaml"
+        self.assertTrue(inherited.is_file())
+        self.assertIn("description:", inherited.read_text(encoding="utf-8"))
+
+    def test_configure_profile_api_writes_config_yaml_on_disk(self) -> None:
+        runtime = "z-test-runtime-agent"
+        runtime_dir = self.hermes / "profiles" / runtime
+        runtime_dir.mkdir(parents=True)
+        (runtime_dir / "config.yaml").write_text("platforms: {}\n", encoding="utf-8")
+        with mock.patch.object(server, "NATIVE_PROFILE", "workframe-agent"):
+            ok, out, port = server._configure_profile_api(runtime)
+        self.assertTrue(ok)
+        self.assertEqual(out, "ok")
+        self.assertGreater(port, 18610)
+        text = (runtime_dir / "config.yaml").read_text(encoding="utf-8")
+        self.assertIn("api_server", text)
+        self.assertIn("enabled: true", text)
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_profile_config_yaml_repair.py

@@ -0,0 +1,63 @@
+"""Repair invalid scalar model: headers in profile config.yaml."""
+import tempfile
+import unittest
+from pathlib import Path
+from unittest import mock
+
+import server
+import yaml
+
+
+class ProfileConfigYamlRepairTests(unittest.TestCase):
+    def test_fix_invalid_model_header_scalar_empty(self) -> None:
+        raw = "model: ''\n  base_url: http://example/v1\n  provider: custom\n"
+        fixed = server._fix_invalid_model_header(raw)
+        data = yaml.safe_load(fixed)
+        self.assertIsInstance(data.get("model"), dict)
+        self.assertEqual(data["model"]["base_url"], "http://example/v1")
+
+    def test_normalize_writes_repaired_file(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp:
+            prof = "u-test-user-dev"
+            prof_dir = Path(tmp) / "profiles" / prof
+            prof_dir.mkdir(parents=True)
+            cfg = prof_dir / "config.yaml"
+            cfg.write_text(
+                "model: ''\n  base_url: http://workframe-api:8080/internal/llm/openrouter/v1\n"
+                "  provider: custom\n",
+                encoding="utf-8",
+            )
+            with mock.patch.object(server, "_profile_gateway_config_path", return_value=cfg):
+                server._normalize_profile_config_yaml(prof)
+            yaml.safe_load(cfg.read_text(encoding="utf-8"))
+
+    def test_scrub_orphan_top_level_list_lines(self) -> None:
+        with tempfile.TemporaryDirectory() as tmp:
+            prof = "u-test-user-dev"
+            prof_dir = Path(tmp) / "profiles" / prof
+            prof_dir.mkdir(parents=True)
+            cfg = prof_dir / "config.yaml"
+            cfg.write_text(
+                "model:\n  default: openrouter/owl-alpha\n"
+                "- provider: openrouter\n"
+                "model:\n  default: openrouter/nex-agi\n",
+                encoding="utf-8",
+            )
+            with mock.patch.object(server, "_profile_gateway_config_path", return_value=cfg), mock.patch.object(
+                server,
+                "_read_model_block",
+                return_value={
+                    "default": "openrouter/owl-alpha",
+                    "provider": "custom",
+                    "base_url": "",
+                    "fallback_chain": [],
+                },
+            ):
+                server._normalize_profile_config_yaml(prof)
+            text = cfg.read_text(encoding="utf-8")
+            self.assertNotIn("- provider: openrouter\n", text)
+            yaml.safe_load(text)
+
+
+if __name__ == "__main__":
+    unittest.main()