create-workframe 0.1.0

package/workframe-api/tests/test_user_cohort.py

@@ -0,0 +1,113 @@
+import tempfile
+import unittest
+from pathlib import Path
+from unittest.mock import patch
+
+import server
+from db_setup import ensure_workframe_schemas
+
+
+class UserCohortTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self._old_data_dir = server.DATA_DIR
+        self._old_auth_db_path = server.AUTH_DB_PATH
+        self._old_hermes_data = server.HERMES_DATA
+        server.DATA_DIR = Path(self._tmp.name)
+        server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
+        server.HERMES_DATA = Path(self._tmp.name) / "hermes"
+        (server.HERMES_DATA / "profiles").mkdir(parents=True)
+        ensure_workframe_schemas()
+        self.workspace_id = "ws-1"
+        self.user_id = "cb6a2db4-ac86-4c49-8aaa-user"
+        conn = server._workframe_db()
+        try:
+            now = "1"
+            conn.execute(
+                "INSERT INTO users (id, display_name, email, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                (self.user_id, "Fab", "fab@example.com", "member", "active", now, now),
+            )
+            conn.execute(
+                "INSERT INTO workspaces (id, slug, display_name, owner_id, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                (self.workspace_id, "proj", "Project", self.user_id, "active", now, now),
+            )
+            for slug, name, is_native in (
+                ("workframe-agent", "Workframe Agent", 1),
+                ("architect", "Architect", 0),
+                ("dev", "Dev", 0),
+            ):
+                conn.execute(
+                    """
+                    INSERT INTO agent_profiles (id, workspace_id, slug, display_name, is_native, status, created_at, updated_at)
+                    VALUES (?, ?, ?, ?, ?, 'available', ?, ?)
+                    """,
+                    (f"ap-{slug}", self.workspace_id, slug, name, is_native, now, now),
+                )
+            conn.commit()
+        finally:
+            conn.close()
+
+    def tearDown(self) -> None:
+        server.DATA_DIR = self._old_data_dir
+        server.AUTH_DB_PATH = self._old_auth_db_path
+        server.HERMES_DATA = self._old_hermes_data
+
+    def test_user_handle_from_display_name(self) -> None:
+        self.assertEqual(server._user_handle(self.user_id), "fab")
+
+    def test_cohort_alias(self) -> None:
+        self.assertEqual(server._cohort_alias(self.user_id, "architect"), "fab-architect")
+
+    def test_runtime_display_label_specialist(self) -> None:
+        label = server._runtime_display_label(self.user_id, "architect", self.workspace_id)
+        self.assertEqual(label, "Architect")
+
+    def test_runtime_display_label_concierge(self) -> None:
+        label = server._runtime_display_label(self.user_id, "workframe-agent", self.workspace_id)
+        self.assertEqual(label, "Workframe Agent")
+
+    def test_runtime_display_label_personalized_without_db_name(self) -> None:
+        label = server._runtime_display_label(self.user_id, "research", self.workspace_id)
+        self.assertEqual(label, "Fab's Research")
+
+    def test_resolve_runtime_assignee_slug(self) -> None:
+        with patch.object(server, "ensure_runtime_profile") as ensure:
+            slug = server.resolve_runtime_assignee("architect", self.user_id, self.workspace_id)
+        self.assertTrue(slug.startswith("u-"))
+        self.assertTrue(slug.endswith("-architect"))
+        ensure.assert_called_once()
+
+    @patch.object(server, "ensure_runtime_profile")
+    def test_ensure_user_agent_cohort_writes_manifest(self, _ensure: object) -> None:
+        cohort = server.ensure_user_agent_cohort(self.user_id, self.workspace_id)
+        self.assertEqual(len(cohort), 3)
+        assignees = {row["template_slug"]: row["runtime_slug"] for row in cohort}
+        self.assertTrue(assignees["architect"].startswith("u-"))
+        concierge = assignees["workframe-agent"]
+        manifest = server._profile_dir(concierge) / "WORKFRAME_COHORT.md"
+        self.assertTrue(manifest.is_file())
+        text = manifest.read_text(encoding="utf-8")
+        self.assertIn("Fab's Workframe cohort", text)
+        self.assertIn(assignees["architect"], text)
+        self.assertIn("fab-architect", text)
+        self.assertIn("workspace_kind", text)
+
+    def test_cohort_manifest_markdown_includes_rules(self) -> None:
+        body = server._cohort_manifest_markdown(
+            self.user_id,
+            [
+                {
+                    "role": "Architect",
+                    "display_name": "Fab's Architect",
+                    "runtime_slug": "u-cb6a2db4-architect",
+                    "alias": "fab-architect",
+                }
+            ],
+        )
+        self.assertIn("never bare template names", body)
+        self.assertIn("`scratch`", body)
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_vault_envelope.py

@@ -0,0 +1,110 @@
+"""Vault envelope encryption (KEK + per-secret DEK)."""
+
+from __future__ import annotations
+
+import json
+import tempfile
+import unittest
+from pathlib import Path
+
+import credential_vault
+import vault_kek
+import zk_auth
+
+
+class VaultEnvelopeTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self._old_data = credential_vault.DATA_DIR
+        self._old_db = credential_vault.VAULT_DB
+        self._old_kek_file = vault_kek.VAULT_KEK_FILE
+        credential_vault.DATA_DIR = Path(self._tmp.name)
+        credential_vault.VAULT_DB = credential_vault.DATA_DIR / "credential_vault.db"
+        vault_kek.DATA_DIR = credential_vault.DATA_DIR
+        vault_kek.VAULT_KEK_FILE = credential_vault.DATA_DIR / ".vault_kek"
+        vault_kek.clear_kek()
+        credential_vault.ensure_schema()
+
+    def tearDown(self) -> None:
+        vault_kek.clear_kek()
+        credential_vault.DATA_DIR = self._old_data
+        credential_vault.VAULT_DB = self._old_db
+        vault_kek.VAULT_KEK_FILE = self._old_kek_file
+
+    def test_v2_envelope_roundtrip(self) -> None:
+        credential_vault.unseal_for_tests()
+        credential_vault.store_secret("bid-1", "sk-live-secret", provider="openrouter")
+        conn = credential_vault._connect()
+        try:
+            row = conn.execute(
+                "SELECT encrypted_secret FROM credential_secrets WHERE binding_id = ?",
+                ("bid-1",),
+            ).fetchone()
+            blob = str(row["encrypted_secret"])
+            parsed = json.loads(blob)
+            self.assertEqual(parsed["v"], 2)
+            self.assertIn("wrapped_dek", parsed)
+        finally:
+            conn.close()
+        self.assertEqual(credential_vault.read_secret("bid-1"), "sk-live-secret")
+
+    def test_legacy_v1_readable_after_unseal(self) -> None:
+        legacy = json.dumps(zk_auth.encrypt_string("legacy-key", zk_auth.ZK_AUTH_ENCRYPTION_KEY))
+        conn = credential_vault._connect()
+        now = "1"
+        conn.execute(
+            """
+            INSERT INTO credential_secrets (
+                binding_id, encrypted_secret, env_var, provider, scope,
+                user_id, workspace_id, created_at, updated_at
+            ) VALUES (?,?,?,?,?,?,?,?,?)
+            """,
+            ("legacy-1", legacy, "OPENROUTER_API_KEY", "openrouter", "user", "u1", None, now, now),
+        )
+        conn.commit()
+        conn.close()
+        credential_vault.unseal_for_tests()
+        self.assertEqual(credential_vault.read_secret("legacy-1"), "legacy-key")
+        conn = credential_vault._connect()
+        try:
+            row = conn.execute(
+                "SELECT encrypted_secret FROM credential_secrets WHERE binding_id = ?",
+                ("legacy-1",),
+            ).fetchone()
+            self.assertEqual(json.loads(str(row["encrypted_secret"]))["v"], 2)
+        finally:
+            conn.close()
+
+    def test_sealed_vault_blocks_store_without_passphrase_bootstrap(self) -> None:
+        credential_vault.unseal_for_tests()
+        credential_vault.init_vault_passphrase("long-passphrase-1")
+        credential_vault.seal_vault()
+        with self.assertRaises(RuntimeError):
+            credential_vault.store_secret("x", "secret")
+
+    def test_passphrase_unlock_restores_access(self) -> None:
+        credential_vault.unseal_for_tests()
+        credential_vault.store_secret("k1", "before-seal")
+        credential_vault.init_vault_passphrase("another-long-pass")
+        credential_vault.seal_vault()
+        status = credential_vault.unlock_vault("another-long-pass")
+        self.assertFalse(status["sealed"])
+        self.assertEqual(credential_vault.read_secret("k1"), "before-seal")
+
+    def test_wipe_deletes_ciphertext(self) -> None:
+        credential_vault.unseal_for_tests()
+        credential_vault.store_secret("w1", "to-delete")
+        deleted = credential_vault.wipe_all_secrets()
+        self.assertEqual(deleted, 1)
+        self.assertEqual(credential_vault.read_secret("w1"), "")
+
+    def test_bootstrap_generates_kek_file_for_local(self) -> None:
+        vault_kek.clear_kek()
+        status = credential_vault.bootstrap_vault(allow_generate_file=True)
+        self.assertFalse(status["sealed"])
+        self.assertTrue(vault_kek.VAULT_KEK_FILE.is_file())
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_workspace_members.py

@@ -0,0 +1,183 @@
+from __future__ import annotations
+
+import importlib.util
+from pathlib import Path
+from types import SimpleNamespace
+from typing import Any
+
+import pytest
+
+SERVER_PATH = Path(__file__).resolve().parents[1] / "server.py"
+spec = importlib.util.spec_from_file_location("workframe_server", SERVER_PATH)
+server = importlib.util.module_from_spec(spec)
+assert spec.loader is not None
+spec.loader.exec_module(server)
+
+
+class FakeHandler:
+    def __init__(self, auth_user: str = "u_owner", auth_role: str = "owner") -> None:
+        self.auth_user = auth_user
+        self.auth_role = auth_role
+        self.headers = {}
+        self.client_address = ("127.0.0.1", 12345)
+
+
+@pytest.fixture(autouse=True)
+def isolate_server(tmp_path: Path, monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(server, "DATA_DIR", tmp_path)
+    monkeypatch.setattr(server, "AUTH_DB_PATH", tmp_path / "auth.db")
+    monkeypatch.setattr(server, "SECURE_MODE", False)
+    monkeypatch.setattr(server, "DEV_LOCAL_UNSAFE", True)
+    server._ensure_workframe_db_schema()
+    server._ensure_agent_runs_schema()
+    server._ensure_invites_schema()
+    server._ensure_memory_schema()
+    server._ensure_policies_schema()
+    server._ensure_budgets_grants_schema()
+    server._ensure_user_prefs_schema()
+    server._ensure_runtime_tokens_table()
+    seed_db(tmp_path)
+    yield
+
+
+def seed_db(tmp_path: Path) -> None:
+    conn = server._workframe_db()
+    try:
+        now = "1700000000"
+        conn.execute(
+            "INSERT INTO workspaces (id, slug, display_name, owner_id, created_at, updated_at) VALUES (?,?,?,?,?,?)",
+            ("ws", "default", "Default", "u_owner", now, now),
+        )
+        conn.executemany(
+            "INSERT INTO users (id, email, display_name, avatar_url, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?,?)",
+            [
+                ("u_owner", "owner@example.com", "Owner", None, "owner", "active", now, now),
+                ("u_bob", "bob@example.com", "Bob", None, "member", "active", now, now),
+                ("u_carol", "carol@example.com", "Carol", None, "member", "active", now, now),
+                ("u_outsider", "outsider@example.com", "Outsider", None, "member", "active", now, now),
+            ],
+        )
+        conn.executemany(
+            "INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, invited_by, created_at, updated_at) VALUES (?,?,?,?,?,?,?,?)",
+            [
+                ("m_owner", "ws", "u_owner", "owner", "active", None, now, now),
+                ("m_bob", "ws", "u_bob", "member", "active", "u_owner", now, now),
+                ("m_carol", "ws", "u_carol", "member", "active", "u_owner", now, now),
+            ],
+        )
+        conn.commit()
+    finally:
+        conn.close()
+
+
+def membership_by_user(payload: dict[str, Any], user_id: str) -> dict[str, Any]:
+    return next(item for item in payload["members"] if item["user_id"] == user_id)
+
+
+def test_list_workspace_members_returns_active_memberships_with_user_fields() -> None:
+    status, payload = server._list_workspace_members("ws", FakeHandler())
+
+    assert status == 200
+    assert payload["ok"] is True
+    assert payload["workspace_id"] == "ws"
+    assert [item["user_id"] for item in payload["members"]] == ["u_bob", "u_carol", "u_owner"]
+    bob = membership_by_user(payload, "u_bob")
+    assert bob["membership_id"] == "m_bob"
+    assert bob["email"] == "bob@example.com"
+    assert bob["display_name"] == "Bob"
+    assert bob["role"] == "member"
+    assert bob["status"] == "active"
+
+
+def test_patch_updates_member_role_and_status() -> None:
+    status, payload = server._patch_workspace_members(
+        "ws",
+        {"user_id": "u_bob", "role": "admin", "status": "active"},
+        FakeHandler(),
+    )
+
+    assert status == 200
+    assert payload["membership"]["user_id"] == "u_bob"
+    assert payload["membership"]["role"] == "admin"
+    assert payload["membership"]["status"] == "active"
+    assert payload["membership"]["updated_at"] != "1700000000"
+
+    _, listed = server._list_workspace_members("ws", FakeHandler())
+    assert membership_by_user(listed, "u_bob")["role"] == "admin"
+
+
+def test_patch_status_removed_soft_deletes_member() -> None:
+    status, payload = server._patch_workspace_members(
+        "ws",
+        {"user_id": "u_carol", "status": "removed"},
+        FakeHandler(),
+    )
+
+    assert status == 200
+    assert payload["membership"]["status"] == "removed"
+
+    _, listed = server._list_workspace_members("ws", FakeHandler())
+    assert "u_carol" not in [item["user_id"] for item in listed["members"]]
+
+
+def test_patch_bulk_updates_memberships() -> None:
+    status, payload = server._patch_workspace_members(
+        "ws",
+        {
+            "memberships": [
+                {"user_id": "u_bob", "role": "admin"},
+                {"user_id": "u_carol", "role": "member"},
+            ],
+        },
+        FakeHandler(),
+    )
+
+    assert status == 200
+    assert [item["user_id"] for item in payload["memberships"]] == ["u_bob", "u_carol"]
+    assert payload["memberships"][0]["role"] == "admin"
+    assert payload["memberships"][1]["role"] == "member"
+
+
+def test_patch_requires_owner_or_admin_when_secure(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(server, "SECURE_MODE", True)
+
+    status, payload = server._patch_workspace_members(
+        "ws",
+        {"user_id": "u_bob", "role": "admin"},
+        FakeHandler(auth_user="u_bob", auth_role="member"),
+    )
+
+    assert status == 403
+    assert payload["error"] == "forbidden"
+
+
+def test_patch_rejects_invalid_role() -> None:
+    status, payload = server._patch_workspace_members(
+        "ws",
+        {"user_id": "u_bob", "role": "superadmin"},
+        FakeHandler(),
+    )
+
+    assert status == 400
+    assert payload["error"] == "invalid_role"
+    assert "superadmin" not in payload["allowed"]
+
+
+def test_patch_prevents_removing_last_owner() -> None:
+    status, payload = server._patch_workspace_members(
+        "ws",
+        {"user_id": "u_owner", "status": "removed"},
+        FakeHandler(),
+    )
+
+    assert status == 409
+    assert payload["error"] == "cannot_remove_last_owner"
+
+
+def test_list_workspace_members_requires_workspace_access_when_secure(monkeypatch: pytest.MonkeyPatch) -> None:
+    monkeypatch.setattr(server, "SECURE_MODE", True)
+
+    status, payload = server._list_workspace_members("ws", FakeHandler(auth_user="u_outsider", auth_role="member"))
+
+    assert status == 403
+    assert payload["error"] == "forbidden"

package/workframe-api/tests/test_workspace_messaging_sync.py

@@ -0,0 +1,125 @@
+"""Workspace messaging: vault store, settings merge, gateway env overlay."""
+
+import json
+import tempfile
+import unittest
+from pathlib import Path
+from unittest.mock import patch
+
+import credential_vault
+import server
+import vault_kek
+from db_setup import ensure_workframe_schemas
+
+
+class WorkspaceMessagingSyncTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self._tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self._tmp.cleanup)
+        self._old_data_dir = server.DATA_DIR
+        self._old_auth_db_path = server.AUTH_DB_PATH
+        self._old_hermes_data = server.HERMES_DATA
+        self._old_vault_data_dir = credential_vault.DATA_DIR
+        self._old_vault_db = credential_vault.VAULT_DB
+        self._old_kek_data_dir = vault_kek.DATA_DIR
+        self._old_kek_file = vault_kek.VAULT_KEK_FILE
+        server.DATA_DIR = Path(self._tmp.name)
+        server.AUTH_DB_PATH = Path(self._tmp.name) / "auth.db"
+        server.HERMES_DATA = Path(self._tmp.name) / "hermes"
+        profile_dir = server._profile_dir("workframe-agent")
+        profile_dir.mkdir(parents=True, exist_ok=True)
+        credential_vault.DATA_DIR = server.DATA_DIR
+        credential_vault.VAULT_DB = server.DATA_DIR / "credential_vault.db"
+        vault_kek.DATA_DIR = server.DATA_DIR
+        vault_kek.VAULT_KEK_FILE = server.DATA_DIR / ".vault_kek"
+        credential_vault.ensure_schema()
+        credential_vault.unseal_for_tests()
+        ensure_workframe_schemas()
+        self.workspace_id = "ws-msg"
+        self.admin_id = "admin-msg-user"
+        conn = server._workframe_db()
+        try:
+            now = "1"
+            conn.execute(
+                "INSERT INTO workspaces (id, slug, display_name, owner_id, status, settings_json, created_at, updated_at) VALUES (?,?,?,?,?,?,?,?)",
+                (self.workspace_id, "default", "Default", self.admin_id, "active", "{}", now, now),
+            )
+            conn.execute(
+                "INSERT INTO users (id, display_name, platform_ids, role, status, created_at, updated_at) VALUES (?,?,?,?,?,?,?)",
+                (self.admin_id, "Admin", json.dumps({"discord": "999888777"}), "owner", "active", now, now),
+            )
+            conn.execute(
+                """
+                INSERT INTO workspace_memberships (id, workspace_id, user_id, role, status, created_at, updated_at)
+                VALUES (?, ?, ?, 'owner', 'active', ?, ?)
+                """,
+                ("wm-admin", self.workspace_id, self.admin_id, now, now),
+            )
+            conn.execute(
+                """
+                INSERT INTO agent_profiles (id, workspace_id, slug, display_name, is_native, status, created_at, updated_at)
+                VALUES (?, ?, 'workframe-agent', 'Workframe Agent', 1, 'available', ?, ?)
+                """,
+                ("ap-native", self.workspace_id, now, now),
+            )
+            conn.commit()
+        finally:
+            conn.close()
+
+    def tearDown(self) -> None:
+        server.DATA_DIR = self._old_data_dir
+        server.AUTH_DB_PATH = self._old_auth_db_path
+        server.HERMES_DATA = self._old_hermes_data
+        credential_vault.DATA_DIR = self._old_vault_data_dir
+        credential_vault.VAULT_DB = self._old_vault_db
+        vault_kek.DATA_DIR = self._old_kek_data_dir
+        vault_kek.VAULT_KEK_FILE = self._old_kek_file
+
+    @patch.object(server, "_primary_profile", return_value="workframe-agent")
+    @patch.object(server, "_restart_stack_gateway", return_value={"ok": True})
+    @patch.object(server, "_set_primary_messaging_platforms", return_value=(True, "ok"))
+    def test_store_and_sync_writes_gateway_env(self, _platforms, _restart, _primary) -> None:
+        server._store_workspace_credential(
+            self.workspace_id,
+            "discord",
+            "api_key",
+            "discord-bot-secret",
+            "DISCORD_BOT_TOKEN",
+            "Discord",
+            self.admin_id,
+        )
+        status, payload = server._patch_workspace_integrations(
+            self.workspace_id,
+            {
+                "messaging": {
+                    "discord": {
+                        "home_channel": "chan-123",
+                        "allowed_users": "111",
+                    },
+                },
+            },
+            self.admin_id,
+        )
+        self.assertEqual(status, 200)
+        self.assertTrue(payload.get("ok"))
+        env = server._read_env_map(server._profile_dir("workframe-agent") / ".env")
+        self.assertEqual(env.get("DISCORD_BOT_TOKEN"), "discord-bot-secret")
+        self.assertEqual(env.get("DISCORD_HOME_CHANNEL"), "chan-123")
+        self.assertIn("111", env.get("DISCORD_ALLOWED_USERS", ""))
+        self.assertIn("999888777", env.get("DISCORD_ALLOWED_USERS", ""))
+
+    def test_workspace_store_rejects_user_only_providers(self) -> None:
+        with self.assertRaises(ValueError):
+            server._store_workspace_credential(
+                self.workspace_id,
+                "vercel",
+                "api_key",
+                "pat-secret",
+                "VERCEL_TOKEN",
+                "Vercel",
+                self.admin_id,
+            )
+
+
+if __name__ == "__main__":
+    unittest.main()

package/workframe-api/tests/test_workspace_provider_list.py

@@ -0,0 +1,57 @@
+"""Workspace LLM keys surface in provider list for company-pay onboarding."""
+import os
+import tempfile
+import unittest
+from pathlib import Path
+from unittest import mock
+
+import server
+
+
+class WorkspaceProviderListTests(unittest.TestCase):
+    def setUp(self) -> None:
+        self.tmp = tempfile.TemporaryDirectory()
+        self.addCleanup(self.tmp.cleanup)
+        data = Path(self.tmp.name) / "data"
+        agents = Path(self.tmp.name) / "Agents"
+        profiles = agents / "profiles" / "workframe-agent"
+        profiles.mkdir(parents=True)
+        (profiles / "profile.yaml").write_text("description: test\n", encoding="utf-8")
+        (profiles / ".env").write_text("OPENROUTER_API_KEY=sk-test-workspace\n", encoding="utf-8")
+        self.patches = [
+            mock.patch.object(server, "DATA_DIR", data),
+            mock.patch.object(server, "HERMES_DATA", agents),
+            mock.patch.object(server, "WORKSPACE", Path(self.tmp.name) / "Files"),
+            mock.patch.object(server, "_workframe_db_path", return_value=data / "workframe.db"),
+            mock.patch.dict(os.environ, {"WORKFRAME_PROJECT": "Workframe", "WORKFRAME_NATIVE_PROFILE": "workframe-agent"}, clear=False),
+        ]
+        for patch in self.patches:
+            patch.start()
+            self.addCleanup(patch.stop)
+        server._ensure_workframe_db_schema()
+        server._ensure_default_workspace()
+
+    def test_list_user_providers_shows_workspace_llm_connected(self) -> None:
+        conn = server._workframe_db()
+        ws = conn.execute("SELECT id FROM workspaces WHERE slug='default'").fetchone()
+        now = server._utc_now()
+        conn.execute(
+            """INSERT INTO credential_bindings
+               (id, workspace_id, user_id, agent_profile_id, provider, credential_type,
+                credential_ref, label, is_active, created_by, created_at, updated_at)
+               VALUES (?,?,?,?,?,?,?,?,?,?,?,?)""",
+            (
+                "cred-ws-1", ws["id"], None, None, "openrouter", "api_key",
+                "env:OPENROUTER_API_KEY", "OpenRouter", 1, "admin", now, now,
+            ),
+        )
+        conn.commit()
+        conn.close()
+        payload = server.list_user_providers("user-no-keys", str(ws["id"]))
+        row = next(p for p in payload["providers"] if p["id"] == "openrouter")
+        self.assertTrue(row["connected"])
+        self.assertEqual(row["source"], "workspace")
+
+
+if __name__ == "__main__":
+    unittest.main()