groove-dev 0.27.41 → 0.27.42

package/CLAUDE.md

@@ -263,10 +263,3 @@ Audit-driven release. Multi-agent orchestration system with 7 coordination layer
 - Dashboard: routing donut, cache panel, context health gauges
 - Monitor/QC agent mode (stay active, loop)
 - Distribution: demo video, HN launch, Twitter content
-
-<!-- GROOVE:START -->
-## GROOVE Orchestration (auto-injected)
-Active agents: 0
-See AGENTS_REGISTRY.md for full agent state.
-**Memory policy:** GROOVE manages project memory automatically. Do not read or write MEMORY.md or .groove/memory/ files directly.
-<!-- GROOVE:END -->

package/analyist/groove-security-audit.md

@@ -0,0 +1,323 @@
+GROOVE SECURITY AUDIT & ANALYSIS
+=================================
+
+Date:     April 17, 2026
+Auditor:  GROOVE Security Agent (internal, automated)
+Version:  v0.27.41
+Scope:    Full daemon, GUI, CLI, and provider architecture review
+
+
+EXECUTIVE SUMMARY
+-----------------
+
+Groove is a localhost-only process manager for AI coding agents. Its security model is
+fundamentally different from tools that bind to open ports or proxy credentials through
+a server. The daemon hard-blocks network exposure, encrypts stored credentials with
+machine-bound keys, validates all inputs against strict schemas, and isolates agents
+through scope-based file locks enforced at runtime.
+
+This report covers 12 security areas across the full codebase.
+
+
+================================================================================
+1. NETWORK BINDING -- LOCALHOST ONLY (ENFORCED)
+================================================================================
+
+The daemon binds to 127.0.0.1:31415. This is not just a default -- it is a hard
+security policy. If anyone attempts to bind to 0.0.0.0 or ::, the daemon prints an
+error and exits immediately. The process refuses to start.
+
+Remote access is only available through two channels, both encrypted and authenticated:
+
+  - SSH tunnel (groove connect)
+  - Tailscale private mesh network (--host tailscale)
+
+There is no configuration path that exposes Groove to the open internet.
+
+Result: PASS
+
+
+================================================================================
+2. CORS -- RESTRICTIVE ORIGIN VALIDATION
+================================================================================
+
+Every HTTP request is checked against a strict origin whitelist. Only requests from
+localhost, 127.0.0.1, or the explicitly bound Tailscale interface are allowed. Any
+other origin is silently rejected -- the browser never receives a permissive CORS
+header, so cross-origin requests from external websites are blocked automatically.
+
+Result: PASS
+
+
+================================================================================
+3. WEBSOCKET SECURITY -- ORIGIN VERIFICATION + FEDERATION SIGNING
+================================================================================
+
+WebSocket upgrade requests go through the same origin check as HTTP. Non-whitelisted
+origins have their sockets destroyed immediately -- the connection is terminated before
+any data is exchanged.
+
+Federation connections (daemon-to-daemon) require signed headers with a daemon ID and
+cryptographic signature. Missing or invalid headers result in immediate socket
+destruction.
+
+Result: PASS
+
+
+================================================================================
+4. INPUT VALIDATION -- STRICT SCHEMA ENFORCEMENT
+================================================================================
+
+All API inputs are validated against strict patterns and size limits before processing:
+
+  Role:            Alphanumeric plus dash/underscore, max 50 characters
+  Name:            Alphanumeric plus dash/underscore, max 64 characters
+  Scope patterns:  Max 20 patterns, each max 200 characters
+  Scope paths:     No ".." (path traversal), no "/" prefix (absolute paths), no null bytes
+  Prompt:          Max 50,000 characters
+  Permission:      Must be "auto" or "full" (whitelist)
+  Unknown fields:  Silently stripped -- only safe fields are accepted
+
+Path traversal, absolute path injection, and null byte injection are all explicitly
+rejected at the validation layer.
+
+Result: PASS
+
+
+================================================================================
+5. CREDENTIAL ENCRYPTION -- AES-256-GCM WITH MACHINE-BOUND KEYS
+================================================================================
+
+Stored API keys are encrypted using AES-256-GCM, which is authenticated encryption --
+it provides both confidentiality (nobody can read the key) and integrity (nobody can
+tamper with the ciphertext without detection).
+
+The encryption key is derived via scrypt from a machine-specific seed that incorporates
+the machine's hostname, home directory path, and a 256-bit random seed. Each encryption
+operation uses a fresh random 128-bit initialization vector.
+
+Key properties:
+
+  - Credentials copied to another machine are unrecoverable
+  - The GCM authentication tag detects any tampering
+  - All credential files are set to owner-only read/write permissions (0o600)
+  - The random seed file itself is also owner-only (0o600)
+
+Result: PASS
+
+
+================================================================================
+6. PROCESS SPAWNING -- NO SHELL INJECTION
+================================================================================
+
+Agent processes are spawned using Node.js spawn() with an arguments array, never
+through a shell. This is a critical distinction -- arguments are passed as discrete
+values, not concatenated into a string that gets interpreted by bash or zsh.
+
+User-controlled values like model names, prompts, and agent roles are passed as literal
+arguments. The "shell: true" option is never set anywhere in the codebase. No string
+interpolation occurs in command construction.
+
+Result: PASS
+
+
+================================================================================
+7. SCOPE-BASED AGENT ISOLATION (KNOCK PROTOCOL)
+================================================================================
+
+Groove implements a scope-based file isolation system that operates at two stages:
+
+Spawn-Time Collision Check:
+  When an agent is spawned, its declared file scope patterns are checked against all
+  running agents. If two agents' scopes overlap, the second spawn fails. Two agents
+  cannot be assigned to the same files simultaneously.
+
+Runtime Knock Protocol:
+  Every file operation an agent attempts triggers a validation check before it executes.
+  The lock manager verifies the target file path against the agent's registered scope
+  patterns. If an agent tries to write outside its scope, the operation is denied and
+  the attempt is logged to the audit trail.
+
+Working Directory Containment:
+  Agent working directories must reside within the project directory. Paths outside the
+  project boundary are rejected at spawn time.
+
+Important caveat: This is orchestration-level isolation, not OS-level sandboxing. Agents
+run as the same Unix user as the daemon. The knock protocol prevents agents from
+conflicting with each other through the tool layer, but does not provide kernel-level
+containment like containers or seccomp. The isolation is enforced at the coordination
+layer, which is effective for its purpose but distinct from a full sandbox.
+
+Result: PASS
+
+
+================================================================================
+8. PROTOTYPE POLLUTION PROTECTION
+================================================================================
+
+The agent registry only accepts updates to a defined whitelist of safe fields. Any
+attempt to set unknown fields -- including __proto__ or constructor -- is silently
+dropped.
+
+WebSocket message parsing explicitly checks for and rejects messages containing
+__proto__ or constructor keys. This prevents attackers from manipulating the JavaScript
+prototype chain through crafted payloads.
+
+Result: PASS
+
+
+================================================================================
+9. FILE PERMISSIONS -- OWNER-ONLY ACROSS ALL SENSITIVE FILES
+================================================================================
+
+All sensitive files are created with 0o600 permissions (owner read/write only, no
+group or world access):
+
+  Agent logs
+  Credential seed file
+  Credential store
+  Audit log
+  Federation private keys
+  Integration credential files
+
+The only exception is the federation public key, which is intentionally set to 0o644
+(world-readable) since it is designed to be shared.
+
+Result: PASS
+
+
+================================================================================
+10. WHAT GROOVE DOES NOT DO
+================================================================================
+
+This is architecturally significant and differentiates Groove from tools that proxy
+credentials:
+
+  Proxy API calls to Claude/OpenAI/Gemini?       No.
+  Touch OAuth tokens?                             No.
+  Impersonate AI providers?                       No.
+  Store user subscription credentials?            No.
+  Forward agent credentials through the daemon?   No.
+
+Each agent process (Claude Code, Codex, Gemini CLI) runs as a standalone executable
+with its own authentication. The daemon never relays API calls or handles provider
+credentials on behalf of agents.
+
+The one exception: Groove's journalist feature makes direct Anthropic API calls using
+a locally-stored API key for internal project synthesis. This is the daemon's own
+feature -- it does not proxy on behalf of any agent.
+
+Result: PASS
+
+
+================================================================================
+11. AUDIT TRAIL
+================================================================================
+
+All state-changing operations are logged to an append-only audit file:
+
+  Knock protocol decisions (allowed and denied) with agent ID, tool, and targets
+  Agent lifecycle events (spawn, kill, rotate)
+  Configuration changes
+  Credential operations
+
+Audit logs use owner-only permissions and are append-only -- no API endpoint can
+truncate or delete the log.
+
+Result: PASS
+
+
+================================================================================
+12. PORT EXPOSURE
+================================================================================
+
+  Port 31415:       Bound to 127.0.0.1. Not network-accessible.
+  Ports 31416-25:   Fallback range if 31415 is in use. Also bound to 127.0.0.1.
+
+No other ports are opened by the daemon. Remote access requires explicit SSH tunnel
+or Tailscale configuration, both of which are encrypted and authenticated.
+
+Result: PASS
+
+
+================================================================================
+GROOVE vs. TOOLS THAT LEAVE PORTS OPEN
+================================================================================
+
+  Network binding:
+    Groove binds to 127.0.0.1 and enforces it -- you cannot override to 0.0.0.0.
+    Many open-source agent tools default to 0.0.0.0, making them accessible to any
+    device on the network.
+
+  Credential handling:
+    Groove uses machine-bound AES-256-GCM encryption and never proxies credentials.
+    Tools with open ports may proxy API keys through the server, exposing them to
+    network-level interception.
+
+  Agent isolation:
+    Groove enforces scope locks and a knock protocol on every file operation.
+    Most comparable tools have no agent-to-agent isolation at all.
+
+  Input validation:
+    Groove validates all inputs against strict schemas and blocks path traversal.
+    Input validation quality varies widely across open-source agent tools.
+
+  Remote access:
+    Groove requires SSH tunnel or Tailscale -- both encrypted and authenticated.
+    Tools with open ports allow direct, often unauthenticated network access.
+
+  CORS policy:
+    Groove validates origins and only allows localhost.
+    Many tools use permissive CORS (wildcard *) or skip CORS entirely.
+
+  Process spawning:
+    Groove uses argument arrays, never shell interpolation.
+    Some tools concatenate user input into shell commands.
+
+  Prototype pollution:
+    Groove explicitly whitelists fields and blocks __proto__/constructor.
+    This is rarely addressed in comparable tools.
+
+
+================================================================================
+SHOULD GROOVE BE INSTALLED ON A SEPARATE MACHINE?
+================================================================================
+
+For standard development use: No. A separate machine is not required.
+
+The daemon is not network-accessible. No provider credentials are proxied or exposed.
+Stored keys are encrypted and machine-bound. All sensitive files have restrictive
+permissions. The architecture is designed for safe use on a daily development machine.
+
+The residual risk is the AI agents themselves, not Groove's architecture. Claude Code,
+Codex, and Gemini CLI run with your filesystem permissions. If an agent were to execute
+a destructive command, that would be the agent's behavior within its own permission
+model -- not a Groove vulnerability. Groove mitigates this through scope locks and the
+knock protocol, but does not provide kernel-level containment.
+
+For high-security environments where production credentials, banking sessions, or
+sensitive SSH keys are present on the same machine, using a dedicated development
+machine or VM is a reasonable precaution. However, this applies to any tool that gives
+AI agents shell access, not to Groove specifically.
+
+
+================================================================================
+CONCLUSION
+================================================================================
+
+Groove's security architecture is defense-in-depth at the orchestration layer:
+localhost binding (enforced, not just default), no credential proxying, authenticated
+encryption, scope-based agent isolation, strict input validation, prototype pollution
+protection, and a full audit trail.
+
+It significantly reduces the attack surface compared to tools that bind to open ports
+or tunnel credentials through a server. The architecture makes network exposure,
+credential theft, command injection, and prototype pollution structurally impossible
+through the daemon's interfaces.
+
+The remaining attack surface -- AI agents acting within their own process permissions --
+is an industry-wide challenge that no orchestration tool fully solves today. Groove
+addresses it better than most through scope locks and the knock protocol, while being
+transparent about the boundary of its guarantees.
+
+All 12 areas audited: PASS.

package/node_modules/@groove-dev/cli/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@groove-dev/cli",
-  "version": "0.27.41",
+  "version": "0.27.42",
   "description": "GROOVE CLI — manage AI coding agents from your terminal",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",

package/node_modules/@groove-dev/daemon/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@groove-dev/daemon",
-  "version": "0.27.41",
+  "version": "0.27.42",
   "description": "GROOVE daemon — agent orchestration engine",
   "license": "FSL-1.1-Apache-2.0",
   "type": "module",

package/node_modules/@groove-dev/daemon/src/api.js

@@ -15,13 +15,15 @@ import { ROLE_INTEGRATIONS } from './process.js';
 
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const pkgVersion = JSON.parse(readFileSync(new URL('../package.json', import.meta.url), 'utf8')).version;
-const isPro = process.env.GROOVE_EDITION === 'pro';
 
 let _daemon = null;
 
+// Single source of truth for Pro features: the signed-in user's subscription
+// status, populated by the daemon polling the backend with the stored JWT.
+// There is no build-time "Pro edition" flag — one binary, account-gated.
 function proOnly(req, res, next) {
   const sub = _daemon?.subscriptionCache || {};
-  if (isPro || sub.active) return next();
+  if (sub.active) return next();
   return res.status(403).json({
     error: 'Pro subscription required',
     edition: 'community',
@@ -129,6 +131,10 @@ export function createApi(app, daemon) {
         const team = daemon.teams.get(config.teamId);
         if (team?.workingDir) config.workingDir = team.workingDir;
       }
+      // Inherit configured default model if the request didn't pick one
+      if (!config.model && daemon.config?.defaultModel) {
+        config.model = daemon.config.defaultModel;
+      }
       const agent = await daemon.processes.spawn(config);
       daemon.audit.log('agent.spawn', { id: agent.id, role: agent.role, provider: agent.provider });
       res.status(201).json(agent);
@@ -295,7 +301,7 @@ export function createApi(app, daemon) {
     // verify the path matches the scope or belongs to no one.
     if (agent.scope && agent.scope.length > 0 && targets.length > 0) {
       for (const target of targets) {
-        const conflict = daemon.locks.check(agentId, target);
+        const conflict = daemon.locks.check(agentId, target, agent.workingDir);
         if (conflict.conflict) {
           daemon.audit.log('knock.denied', { agentId, toolName, target, owner: conflict.owner, pattern: conflict.pattern });
           daemon.broadcast({ type: 'knock:denied', agentId, agentName: agent.name, toolName, target, owner: conflict.owner, reason: 'scope_conflict' });
@@ -711,7 +717,7 @@ export function createApi(app, daemon) {
   app.get('/api/edition', (req, res) => {
     const sub = daemon.subscriptionCache || {};
     res.json({
-      edition: (isPro || sub.active) ? 'pro' : 'community',
+      edition: sub.active ? 'pro' : 'community',
       plan: sub.plan || 'community',
       subscriptionActive: sub.active || false,
       features: sub.features || [],
@@ -734,7 +740,7 @@ export function createApi(app, daemon) {
       host: daemon.host,
       port: daemon.port,
       projectDir: daemon.projectDir,
-      edition: (isPro || sub.active) ? 'pro' : 'community',
+      edition: sub.active ? 'pro' : 'community',
     });
   });
 

package/node_modules/@groove-dev/daemon/src/lockmanager.js

@@ -18,7 +18,7 @@ const DEFAULT_OPERATION_TTL_MS = 10 * 60 * 1000; // 10 minutes
 export class LockManager {
   constructor(grooveDir) {
     this.path = resolve(grooveDir, 'locks.json');
-    this.locks = new Map(); // agentId -> glob patterns[]
+    this.locks = new Map(); // agentId -> { patterns, workingDir }
     this._compiledPatterns = new Map(); // agentId -> RegExp[]
     this.operations = new Map(); // agentId -> { name, resources, acquiredAt, expiresAt }
     this.load();
@@ -28,9 +28,11 @@ export class LockManager {
     if (existsSync(this.path)) {
       try {
         const data = JSON.parse(readFileSync(this.path, 'utf8'));
-        for (const [id, patterns] of Object.entries(data)) {
-          this.locks.set(id, patterns);
-          this._compilePatterns(id, patterns);
+        for (const [id, val] of Object.entries(data)) {
+          // Backward compat: old format stored just patterns array
+          const entry = Array.isArray(val) ? { patterns: val, workingDir: null } : val;
+          this.locks.set(id, entry);
+          this._compilePatterns(id, entry.patterns);
         }
       } catch {
         // Start fresh
@@ -51,8 +53,8 @@ export class LockManager {
     this._compiledPatterns.set(agentId, compiled);
   }
 
-  register(agentId, patterns) {
-    this.locks.set(agentId, patterns);
+  register(agentId, patterns, workingDir = null) {
+    this.locks.set(agentId, { patterns, workingDir: workingDir || null });
     this._compilePatterns(agentId, patterns);
     this.save();
   }
@@ -64,9 +66,13 @@ export class LockManager {
     this.save();
   }
 
-  check(agentId, filePath) {
+  // Scopes are per-team — only conflict with owners in the same workingDir.
+  // Pass workingDir=null to skip the filter (legacy behavior).
+  check(agentId, filePath, workingDir = null) {
     for (const [ownerId, compiled] of this._compiledPatterns) {
       if (ownerId === agentId) continue;
+      const ownerEntry = this.locks.get(ownerId);
+      if (workingDir && ownerEntry?.workingDir && ownerEntry.workingDir !== workingDir) continue;
       for (const { pattern, re } of compiled) {
         if (re && re.test(filePath)) {
           return { conflict: true, owner: ownerId, pattern };
@@ -111,11 +117,13 @@ export class LockManager {
   /**
    * Find any currently-locked agent whose scope overlaps with candidateScope.
    * Returns { overlap: true, owner, ... } for the first conflict, else {overlap:false}.
+   * Pass workingDir to limit the search to the same team folder (scopes are per-team).
    */
-  findOverlappingOwner(candidateScope) {
-    for (const [ownerId, patterns] of this.locks) {
-      const res = LockManager.scopesOverlap(candidateScope, patterns);
-      if (res.overlap) return { overlap: true, owner: ownerId, ownerScope: patterns, ...res };
+  findOverlappingOwner(candidateScope, workingDir = null) {
+    for (const [ownerId, entry] of this.locks) {
+      if (workingDir && entry.workingDir && entry.workingDir !== workingDir) continue;
+      const res = LockManager.scopesOverlap(candidateScope, entry.patterns);
+      if (res.overlap) return { overlap: true, owner: ownerId, ownerScope: entry.patterns, ...res };
     }
     return { overlap: false };
   }
@@ -140,7 +148,9 @@ export class LockManager {
   }
 
   getAll() {
-    return Object.fromEntries(this.locks);
+    const obj = {};
+    for (const [id, entry] of this.locks) obj[id] = entry.patterns;
+    return obj;
   }
 
   // --- Operation locks (coordination protocol) ---

package/node_modules/@groove-dev/daemon/src/process.js

@@ -385,7 +385,7 @@ export class ProcessManager {
     // bypass entirely since their job requires broad access.
     const SCOPE_BYPASS_ROLES = new Set(['planner', 'fullstack', 'qc', 'pm', 'supervisor', 'security', 'ambassador']);
     if (config.scope && config.scope.length > 0 && !SCOPE_BYPASS_ROLES.has(config.role) && !config.allowScopeOverlap) {
-      const conflict = locks.findOverlappingOwner(config.scope);
+      const conflict = locks.findOverlappingOwner(config.scope, config.workingDir);
       if (conflict.overlap) {
         const owner = registry.get(conflict.owner);
         if (owner && owner.status === 'running' && owner.workingDir === config.workingDir) {
@@ -463,7 +463,7 @@ export class ProcessManager {
 
     // Register file locks for the agent's scope
     if (agent.scope && agent.scope.length > 0) {
-      locks.register(agent.id, agent.scope);
+      locks.register(agent.id, agent.scope, agent.workingDir);
     }
 
     // Register ambassador with federation system
@@ -1523,7 +1523,7 @@ For normal file edits within your scope, proceed without review.
 
     // Re-register locks
     if (newAgent.scope && newAgent.scope.length > 0) {
-      locks.register(newAgent.id, newAgent.scope);
+      locks.register(newAgent.id, newAgent.scope, newAgent.workingDir);
     }
 
     // Spawn the resumed process

package/node_modules/@groove-dev/daemon/src/teams.js

@@ -34,14 +34,30 @@ export class Teams {
   }
 
   _ensureDefault() {
-    const hasDefault = [...this.teams.values()].some((t) => t.isDefault);
-    if (!hasDefault) {
+    const defaultDir = resolve(this.daemon.projectDir, 'default');
+    const existing = [...this.teams.values()].find((t) => t.isDefault);
+
+    if (!existing) {
+      try { mkdirSync(defaultDir, { recursive: true }); } catch { /* may exist */ }
       const id = randomUUID().slice(0, 8);
-      const team = { id, name: 'Default', isDefault: true, createdAt: new Date().toISOString() };
-      // Default team uses the project directory (no subdirectory)
-      team.workingDir = this.daemon.projectDir;
+      const team = {
+        id,
+        name: 'Default',
+        isDefault: true,
+        workingDir: defaultDir,
+        createdAt: new Date().toISOString(),
+      };
       this.teams.set(id, team);
       this._save();
+      return;
+    }
+
+    // Migrate legacy default teams that pointed at the project root — give them
+    // their own folder so generated files don't pile up alongside source code.
+    if (!existing.workingDir || existing.workingDir === this.daemon.projectDir) {
+      try { mkdirSync(defaultDir, { recursive: true }); } catch { /* may exist */ }
+      existing.workingDir = defaultDir;
+      this._save();
     }
   }
 
@@ -125,12 +141,13 @@ export class Teams {
   }
 
   /**
-   * Delete a team — removes directory and all contents, moves agents to default.
+   * Delete a team — kills its agents, removes its directory, drops it from the
+   * registry. Deleting the default team regenerates a fresh empty one so users
+   * can wipe accumulated state and keep working without restarting the daemon.
    */
   delete(id) {
     const team = this.teams.get(id);
     if (!team) throw new Error('Team not found');
-    if (team.isDefault) throw new Error('Cannot delete the default team');
 
     // Kill any running agents in this team
     const agents = this.daemon.registry.getAll().filter((a) => a.teamId === id);
@@ -145,8 +162,13 @@ export class Teams {
       this.daemon.registry.remove(agent.id);
     }
 
-    // Remove the working directory
-    if (team.workingDir && !team.isDefault && existsSync(team.workingDir)) {
+    // Remove the team's working directory — refuse to nuke the project root
+    // (legacy default teams that were never migrated point there).
+    if (
+      team.workingDir &&
+      team.workingDir !== this.daemon.projectDir &&
+      existsSync(team.workingDir)
+    ) {
       try {
         rmSync(team.workingDir, { recursive: true, force: true });
       } catch (err) {
@@ -158,6 +180,13 @@ export class Teams {
     this._save();
     this.daemon.broadcast({ type: 'team:deleted', teamId: id });
 
+    // Always keep a default team available — regenerate one with a clean folder
+    if (team.isDefault) {
+      this._ensureDefault();
+      const fresh = this.getDefault();
+      if (fresh) this.daemon.broadcast({ type: 'team:created', team: fresh });
+    }
+
     // Clean up orphaned logs immediately — don't wait for the 24h GC cycle
     try { this.daemon._gc(); } catch { /* gc should never block deletion */ }
 

package/node_modules/@groove-dev/daemon/src/tool-executor.js

@@ -158,7 +158,7 @@ export class ToolExecutor {
   _checkWriteScope(resolvedPath) {
     if (!this.daemon?.locks) return;
     const rel = relative(this.workingDir, resolvedPath);
-    const result = this.daemon.locks.check(this.agentId, rel);
+    const result = this.daemon.locks.check(this.agentId, rel, this.workingDir);
     if (result.conflict) {
       // Record conflict for supervisor + token savings
       if (this.daemon.supervisor) {

package/node_modules/@groove-dev/daemon/test/teams.test.js

@@ -135,9 +135,19 @@ describe('Teams', () => {
     assert.equal(msg.teamId, team.id);
   });
 
-  it('should throw when deleting the default team', () => {
-    const d = teams.getDefault();
-    assert.throws(() => teams.delete(d.id), /Cannot delete the default/);
+  it('should regenerate a fresh default team when the default is deleted', () => {
+    const original = teams.getDefault();
+    broadcasts.length = 0;
+
+    teams.delete(original.id);
+
+    const fresh = teams.getDefault();
+    assert.ok(fresh, 'a new default team should be created');
+    assert.notEqual(fresh.id, original.id);
+    assert.equal(fresh.isDefault, true);
+    assert.equal(teams.list().length, 1);
+    assert.ok(broadcasts.find((b) => b.type === 'team:deleted' && b.teamId === original.id));
+    assert.ok(broadcasts.find((b) => b.type === 'team:created' && b.team?.id === fresh.id));
   });
 
   it('should throw when deleting nonexistent team', () => {