groove-dev 0.27.93 → 0.27.96

package/node_modules/moe-training/test/client/step-classifier.test.js

@@ -0,0 +1,135 @@
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { StepClassifier } from '../../client/step-classifier.js';
+
+describe('StepClassifier', () => {
+  it('user message before any action is not a correction', () => {
+    const classifier = new StepClassifier();
+    const result = classifier.classifyUserMessage('fix the bug');
+    assert.equal(result, null);
+  });
+
+  it('user message after action is a correction', () => {
+    const classifier = new StepClassifier();
+    classifier.onStep({ type: 'action' });
+    const result = classifier.classifyUserMessage('no, use exponential backoff');
+    assert.equal(result.type, 'correction');
+    assert.equal(result.content, 'no, use exponential backoff');
+    assert.equal(result.source, 'user');
+  });
+
+  it('classifies coordination event', () => {
+    const classifier = new StepClassifier();
+    const result = classifier.classifyCoordinationEvent({
+      coordination_id: 'coord-1',
+      direction: 'outbound',
+      target_agent: 'backend-1',
+      protocol: 'knock',
+      content: 'Requesting lock on src/api.js',
+    });
+    assert.equal(result.type, 'coordination');
+    assert.equal(result.coordination_id, 'coord-1');
+    assert.equal(result.direction, 'outbound');
+    assert.equal(result.target_agent, 'backend-1');
+    assert.equal(result.protocol, 'knock');
+  });
+
+  it('detects error recovery', () => {
+    const steps = [
+      { type: 'thought', step: 1 },
+      { type: 'action', step: 2 },
+      { type: 'error', step: 3 },
+      { type: 'thought', step: 4 },
+      { type: 'action', step: 5 },
+      { type: 'resolution', step: 6 },
+    ];
+    assert.equal(StepClassifier.detectErrorRecovery(steps), true);
+  });
+
+  it('no error recovery when no resolution after error', () => {
+    const steps = [
+      { type: 'thought', step: 1 },
+      { type: 'error', step: 2 },
+      { type: 'error', step: 3 },
+    ];
+    assert.equal(StepClassifier.detectErrorRecovery(steps), false);
+  });
+
+  it('no error recovery when no errors', () => {
+    const steps = [
+      { type: 'thought', step: 1 },
+      { type: 'action', step: 2 },
+      { type: 'resolution', step: 3 },
+    ];
+    assert.equal(StepClassifier.detectErrorRecovery(steps), false);
+  });
+
+  it('counts user interventions', () => {
+    const steps = [
+      { type: 'thought' },
+      { type: 'correction' },
+      { type: 'action' },
+      { type: 'correction' },
+      { type: 'resolution' },
+    ];
+    assert.equal(StepClassifier.countUserInterventions(steps), 2);
+  });
+
+  it('counts zero interventions when none present', () => {
+    const steps = [
+      { type: 'thought' },
+      { type: 'action' },
+      { type: 'resolution' },
+    ];
+    assert.equal(StepClassifier.countUserInterventions(steps), 0);
+  });
+
+  it('reclassifies action with error content to error', () => {
+    const classifier = new StepClassifier();
+    const step = { type: 'action', content: 'Command failed with exit code 1' };
+    const result = classifier.onStep(step);
+    assert.equal(result.type, 'error');
+  });
+
+  it('reclassifies observation with error content to error', () => {
+    const classifier = new StepClassifier();
+    const step = { type: 'observation', content: 'TypeError: cannot read properties of undefined' };
+    const result = classifier.onStep(step);
+    assert.equal(result.type, 'error');
+  });
+
+  it('does not reclassify thought with error content', () => {
+    const classifier = new StepClassifier();
+    const step = { type: 'thought', content: 'I see the Error and will fix it' };
+    const result = classifier.onStep(step);
+    assert.equal(result.type, 'thought');
+  });
+
+  it('marks thought after correction as correction_context', () => {
+    const classifier = new StepClassifier();
+    classifier.onStep({ type: 'action' });
+    classifier.onStep({ type: 'correction', content: 'no, fix the bug' });
+    const step = { type: 'thought', content: 'I see the issue, let me fix it' };
+    const result = classifier.onStep(step);
+    assert.equal(result.type, 'thought');
+    assert.equal(result.correction_context, true);
+  });
+
+  it('does not mark thought as correction_context without prior correction', () => {
+    const classifier = new StepClassifier();
+    classifier.onStep({ type: 'action', content: 'running test' });
+    const step = { type: 'thought', content: 'let me fix this' };
+    const result = classifier.onStep(step);
+    assert.equal(result.correction_context, undefined);
+  });
+
+  it('returns the step from onStep', () => {
+    const classifier = new StepClassifier();
+    const step = { type: 'action', content: 'hello' };
+    const result = classifier.onStep(step);
+    assert.ok(result);
+    assert.equal(result.type, 'action');
+  });
+});

package/node_modules/moe-training/test/client/transmission-queue.test.js

@@ -0,0 +1,33 @@
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+import { TransmissionQueue } from '../../client/transmission-queue.js';
+
+describe('TransmissionQueue', () => {
+  it('waitForDrain resolves immediately when queue is empty', async () => {
+    const queue = new TransmissionQueue('http://localhost:9999');
+    await queue.waitForDrain();
+    assert.ok(true);
+  });
+
+  it('waitForDrain waits for active drain to complete', async () => {
+    const queue = new TransmissionQueue('http://localhost:9999');
+    queue._queue.push({ session_id: 'test' });
+    const drain = Promise.resolve().then(() => {
+      queue._queue.length = 0;
+    });
+    queue._drainPromise = drain.finally(() => {
+      queue._drainPromise = null;
+    });
+    await queue.waitForDrain();
+    assert.equal(queue._queue.length, 0);
+  });
+
+  it('offlineQueueSize tracks offline envelopes', () => {
+    const queue = new TransmissionQueue('http://localhost:9999');
+    assert.equal(queue.offlineQueueSize, 0);
+    queue.enqueue({ session_id: 'test', attestation: { session_hmac: 'OFFLINE' } });
+    assert.equal(queue.offlineQueueSize, 1);
+  });
+});

package/node_modules/moe-training/test/integration/handshake.test.js

@@ -0,0 +1,260 @@
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { describe, it, beforeEach, afterEach } from 'node:test';
+import assert from 'node:assert/strict';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { generateECDHKeypair, deriveSharedSecret, signEnvelope, verifyEnvelope } from '../../shared/crypto.js';
+import { SessionRegistry } from '../../server/session-registry.js';
+import { EnvelopeVerifier } from '../../server/verifier.js';
+import { SessionAttestation } from '../../client/session-attestation.js';
+import { EnvelopeBuilder } from '../../client/envelope-builder.js';
+
+describe('ECDH Handshake End-to-End', () => {
+  let tmpDir, registry, verifier;
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'handshake-test-'));
+    registry = new SessionRegistry(join(tmpDir, 'sessions.db'));
+    verifier = new EnvelopeVerifier(registry);
+  });
+
+  afterEach(() => {
+    registry.close();
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('client and server derive the same shared secret', () => {
+    const clientKeypair = generateECDHKeypair();
+    const result = registry.openSession(
+      'sess_hs_001', clientKeypair.publicKey, 'claude-code', 'claude-opus-4-6',
+      'fp_test', 'hash_test', '0.27.77'
+    );
+
+    const serverSession = registry.getSession('sess_hs_001');
+    const clientSecret = deriveSharedSecret(clientKeypair.privateKey, result.serverPublicKey);
+    assert.equal(clientSecret, serverSession.shared_secret);
+  });
+
+  it('client-signed envelope passes server verification', () => {
+    const clientKeypair = generateECDHKeypair();
+    const result = registry.openSession(
+      'sess_hs_002', clientKeypair.publicKey, 'claude-code', 'claude-opus-4-6',
+      'fp_test', 'hash_test', '0.27.77'
+    );
+
+    const serverSession = registry.getSession('sess_hs_002');
+    const sharedSecret = deriveSharedSecret(clientKeypair.privateKey, result.serverPublicKey);
+    assert.equal(sharedSecret, serverSession.shared_secret);
+
+    const envelope = {
+      envelope_id: 'env_hs_001',
+      session_id: 'sess_hs_002',
+      chunk_sequence: 0,
+      contributor_id: 'cccccccccccccccccccccccccccccccc',
+      metadata: {
+        model_engine: 'claude-opus-4-6',
+        provider: 'claude-code',
+        agent_role: 'frontend',
+        agent_id: 'frontend-1',
+      },
+      trajectory_log: [
+        { step: 1, type: 'thought', timestamp: Date.now() / 1000, content: 'planning', token_count: 10 },
+      ],
+      attestation: { session_hmac: '', sequence: 0, app_version_hash: '' },
+    };
+
+    const envelopeForHmac = { ...envelope };
+    delete envelopeForHmac.attestation;
+    const envelopeBytes = JSON.stringify(envelopeForHmac);
+    const hmac = signEnvelope(sharedSecret, envelopeBytes, 0);
+    envelope.attestation = { session_hmac: hmac, sequence: 0, app_version_hash: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' };
+
+    const verifyResult = verifier.verify(envelope);
+    assert.equal(verifyResult.valid, true);
+  });
+
+  it('tampered envelope is rejected by server', () => {
+    const clientKeypair = generateECDHKeypair();
+    const result = registry.openSession(
+      'sess_hs_003', clientKeypair.publicKey, 'claude-code', 'claude-opus-4-6',
+      'fp_test', 'hash_test', '0.27.77'
+    );
+
+    const sharedSecret = deriveSharedSecret(clientKeypair.privateKey, result.serverPublicKey);
+
+    const envelope = {
+      envelope_id: 'env_hs_002',
+      session_id: 'sess_hs_003',
+      chunk_sequence: 0,
+      contributor_id: 'cccccccccccccccccccccccccccccccc',
+      metadata: {
+        model_engine: 'claude-opus-4-6',
+        provider: 'claude-code',
+        agent_role: 'frontend',
+        agent_id: 'frontend-1',
+      },
+      trajectory_log: [
+        { step: 1, type: 'thought', timestamp: Date.now() / 1000, content: 'original', token_count: 10 },
+      ],
+      attestation: { session_hmac: '', sequence: 0, app_version_hash: '' },
+    };
+
+    const envelopeForHmac = { ...envelope };
+    delete envelopeForHmac.attestation;
+    const envelopeBytes = JSON.stringify(envelopeForHmac);
+    const hmac = signEnvelope(sharedSecret, envelopeBytes, 0);
+    envelope.attestation = { session_hmac: hmac, sequence: 0, app_version_hash: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' };
+
+    envelope.trajectory_log.push({ step: 2, type: 'action', timestamp: Date.now() / 1000, content: 'injected' });
+
+    const verifyResult = verifier.verify(envelope);
+    assert.equal(verifyResult.valid, false);
+    assert.ok(verifyResult.reason.includes('HMAC'));
+  });
+
+  it('sequence numbers enforce ordering', () => {
+    const clientKeypair = generateECDHKeypair();
+    const result = registry.openSession(
+      'sess_hs_004', clientKeypair.publicKey, 'claude-code', 'claude-opus-4-6',
+      'fp_test', 'hash_test', '0.27.77'
+    );
+    const sharedSecret = deriveSharedSecret(clientKeypair.privateKey, result.serverPublicKey);
+
+    function makeEnv(seq) {
+      const env = {
+        envelope_id: `env_hs_seq_${seq}`,
+        session_id: 'sess_hs_004',
+        chunk_sequence: seq,
+        contributor_id: 'cccccccccccccccccccccccccccccccc',
+        metadata: { model_engine: 'claude-opus-4-6', provider: 'claude-code', agent_role: 'frontend', agent_id: 'frontend-1' },
+        trajectory_log: [{ step: seq + 1, type: 'thought', timestamp: Date.now() / 1000, content: `step ${seq}`, token_count: 5 }],
+      };
+      const bytes = JSON.stringify(env);
+      const hmac = signEnvelope(sharedSecret, bytes, seq);
+      env.attestation = { session_hmac: hmac, sequence: seq, app_version_hash: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' };
+      return env;
+    }
+
+    const r0 = verifier.verify(makeEnv(0));
+    assert.equal(r0.valid, true);
+
+    const r1 = verifier.verify(makeEnv(1));
+    assert.equal(r1.valid, true);
+
+    const rSkip = verifier.verify(makeEnv(5));
+    assert.equal(rSkip.valid, false);
+    assert.ok(rSkip.reason.includes('sequence'));
+
+    const r2 = verifier.verify(makeEnv(2));
+    assert.equal(r2.valid, true);
+  });
+
+  it('different client keypairs produce different shared secrets', () => {
+    const client1 = generateECDHKeypair();
+    const client2 = generateECDHKeypair();
+
+    registry.openSession('sess_hs_005a', client1.publicKey, 'claude-code', 'claude-opus-4-6', 'fp1', 'h1', '0.27.77');
+    registry.openSession('sess_hs_005b', client2.publicKey, 'claude-code', 'claude-opus-4-6', 'fp2', 'h2', '0.27.77');
+
+    const s1 = registry.getSession('sess_hs_005a');
+    const s2 = registry.getSession('sess_hs_005b');
+
+    assert.notEqual(s1.shared_secret, s2.shared_secret);
+  });
+
+  it('EnvelopeBuilder output is verifiable after client signing', () => {
+    const clientKeypair = generateECDHKeypair();
+    const result = registry.openSession(
+      'sess_hs_006', clientKeypair.publicKey, 'claude-code', 'claude-opus-4-6',
+      'fp_test', 'hash_test', '0.27.77'
+    );
+    const sharedSecret = deriveSharedSecret(clientKeypair.privateKey, result.serverPublicKey);
+
+    const builder = new EnvelopeBuilder('sess_hs_006', 'cccccccccccccccccccccccccccccccc', {
+      model_engine: 'claude-opus-4-6',
+      provider: 'claude-code',
+      agent_role: 'frontend',
+      agent_id: 'frontend-1',
+      task_complexity: 'medium',
+      team_size: 1,
+      session_quality: 80,
+      groove_version: '0.27.77',
+    });
+
+    builder.addStep({ step: 1, type: 'thought', timestamp: Date.now() / 1000, content: 'test', token_count: 5 });
+    const envelope = builder.flush();
+    assert.ok(envelope);
+
+    const envelopeForHmac = { ...envelope };
+    delete envelopeForHmac.attestation;
+    const envelopeBytes = JSON.stringify(envelopeForHmac);
+    const hmac = signEnvelope(sharedSecret, envelopeBytes, 0);
+    envelope.attestation = { session_hmac: hmac, sequence: 0, app_version_hash: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' };
+
+    const verifyResult = verifier.verify(envelope);
+    assert.equal(verifyResult.valid, true);
+  });
+
+  it('SESSION_CLOSE from builder is verifiable', () => {
+    const clientKeypair = generateECDHKeypair();
+    const result = registry.openSession(
+      'sess_hs_007', clientKeypair.publicKey, 'claude-code', 'claude-opus-4-6',
+      'fp_test', 'hash_test', '0.27.77'
+    );
+    const sharedSecret = deriveSharedSecret(clientKeypair.privateKey, result.serverPublicKey);
+
+    const builder = new EnvelopeBuilder('sess_hs_007', 'cccccccccccccccccccccccccccccccc', {
+      model_engine: 'claude-opus-4-6',
+      provider: 'claude-code',
+      agent_role: 'frontend',
+      agent_id: 'frontend-1',
+    });
+
+    const closeEnvelope = builder.buildSessionClose({
+      status: 'SUCCESS',
+      user_interventions: 0,
+      total_steps: 10,
+      total_chunks: 1,
+      total_tokens: 500,
+      duration_seconds: 60,
+      files_modified: 2,
+      errors_encountered: 0,
+      errors_recovered: 0,
+      coordination_events: 0,
+    });
+
+    const forHmac = { ...closeEnvelope };
+    delete forHmac.attestation;
+    const bytes = JSON.stringify(forHmac);
+    const hmac = signEnvelope(sharedSecret, bytes, 0);
+    closeEnvelope.attestation = { session_hmac: hmac, sequence: 0, app_version_hash: 'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' };
+
+    const verifyResult = verifier.verifyClose(closeEnvelope);
+    assert.equal(verifyResult.valid, true);
+
+    const session = registry.getSession('sess_hs_007');
+    assert.equal(session.status, 'closed');
+  });
+
+  it('HMAC verification is constant-time (no short-circuit)', () => {
+    const clientKeypair = generateECDHKeypair();
+    registry.openSession(
+      'sess_hs_008', clientKeypair.publicKey, 'claude-code', 'claude-opus-4-6',
+      'fp_test', 'hash_test', '0.27.77'
+    );
+    const session = registry.getSession('sess_hs_008');
+    const sharedSecret = session.shared_secret;
+
+    const payload = JSON.stringify({ test: 'data' });
+    const validHmac = signEnvelope(sharedSecret, payload, 0);
+
+    const wrongFirstChar = String.fromCharCode(validHmac.charCodeAt(0) ^ 1) + validHmac.slice(1);
+    const wrongLastChar = validHmac.slice(0, -1) + String.fromCharCode(validHmac.charCodeAt(validHmac.length - 1) ^ 1);
+
+    assert.equal(verifyEnvelope(sharedSecret, payload, 0, wrongFirstChar), false);
+    assert.equal(verifyEnvelope(sharedSecret, payload, 0, wrongLastChar), false);
+    assert.equal(verifyEnvelope(sharedSecret, payload, 0, validHmac), true);
+  });
+});

package/node_modules/moe-training/test/server/ingest-security.test.js

@@ -0,0 +1,166 @@
+// FSL-1.1-Apache-2.0 — see LICENSE
+
+import { describe, it, beforeEach, afterEach } from 'node:test';
+import assert from 'node:assert/strict';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { generateECDHKeypair, signEnvelope } from '../../shared/crypto.js';
+import { SessionRegistry } from '../../server/session-registry.js';
+import { EnvelopeVerifier } from '../../server/verifier.js';
+import { EnvelopeStorage } from '../../server/storage.js';
+
+const VALID_CONTRIBUTOR = 'c'.repeat(32);
+const VALID_APP_HASH = 'b'.repeat(64);
+
+function makeSignedEnvelope(sessionId, sequence, sharedSecret, overrides = {}) {
+  const envelope = {
+    envelope_id: `env_test_${sequence}`,
+    session_id: sessionId,
+    chunk_sequence: sequence,
+    contributor_id: VALID_CONTRIBUTOR,
+    metadata: { model_engine: 'claude-opus-4-6', provider: 'claude-code', agent_role: 'backend', agent_id: 'backend-1' },
+    trajectory_log: [{ step: 1, type: 'thought', timestamp: Date.now() / 1000, content: 'test', token_count: 10 }],
+    ...overrides,
+  };
+
+  const forHmac = { ...envelope };
+  const envelopeBytes = JSON.stringify(forHmac);
+  const hmac = signEnvelope(sharedSecret, envelopeBytes, sequence);
+
+  envelope.attestation = {
+    session_hmac: hmac,
+    sequence,
+    app_version_hash: VALID_APP_HASH,
+  };
+
+  return envelope;
+}
+
+describe('Ingest Security', () => {
+  let registry;
+  let verifier;
+  let storage;
+  let tmpDir;
+  let sharedSecret;
+  const sessionId = 'sess_ingest_sec_001';
+
+  beforeEach(() => {
+    tmpDir = mkdtempSync(join(tmpdir(), 'ingest-sec-'));
+    registry = new SessionRegistry(join(tmpDir, 'sessions.db'));
+    storage = new EnvelopeStorage(join(tmpDir, 'envelopes'));
+    verifier = new EnvelopeVerifier(registry);
+
+    const clientKeypair = generateECDHKeypair();
+    registry.openSession(
+      sessionId, clientKeypair.publicKey, 'claude-code', 'claude-opus-4-6',
+      'fp_ingest', 'hash_ingest', '0.27.77'
+    );
+
+    const session = registry.getSession(sessionId);
+    sharedSecret = session.shared_secret;
+  });
+
+  afterEach(() => {
+    registry.close();
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it('rejects envelope with > 500 steps', () => {
+    const steps = Array.from({ length: 501 }, (_, i) => ({
+      step: i, type: 'thought', timestamp: Date.now() / 1000,
+    }));
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret, { trajectory_log: steps });
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('schema'));
+  });
+
+  it('rejects envelope when session has > 200 envelopes', () => {
+    // Simulate 200 envelopes already received
+    for (let i = 0; i < 200; i++) {
+      registry.incrementEnvelopeCount(sessionId);
+    }
+
+    const withinLimit = registry.checkEnvelopeCount(sessionId, 200);
+    assert.equal(withinLimit, false);
+  });
+
+  it('server generates envelope_id (client value ignored)', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret);
+    const originalId = envelope.envelope_id;
+
+    // Verify passes
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, true);
+
+    // In the real ingest flow, server overwrites envelope_id
+    // Verify the dedup infrastructure works
+    const generatedId = 'env_server_generated';
+    registry.recordProcessedEnvelope(generatedId, sessionId);
+    assert.equal(registry.isEnvelopeProcessed(generatedId), true);
+    assert.equal(registry.isEnvelopeProcessed(originalId), false);
+  });
+
+  it('rejects invalid model_engine via schema validation', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret, {
+      metadata: { model_engine: 'gpt-5-turbo', provider: 'claude-code', agent_role: 'backend', agent_id: 'backend-1' },
+    });
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('schema'));
+  });
+
+  it('rejects invalid contributor_id format', () => {
+    const envelope = makeSignedEnvelope(sessionId, 0, sharedSecret, {
+      contributor_id: 'not-a-valid-hex-id',
+    });
+    const result = verifier.verify(envelope);
+    assert.equal(result.valid, false);
+    assert.ok(result.reason.includes('schema'));
+  });
+
+  it('envelope dedup prevents double-processing', () => {
+    const envelopeId = 'env_dedup_test';
+    assert.equal(registry.isEnvelopeProcessed(envelopeId), false);
+
+    registry.recordProcessedEnvelope(envelopeId, sessionId);
+    assert.equal(registry.isEnvelopeProcessed(envelopeId), true);
+
+    // Recording again should not throw (INSERT OR IGNORE)
+    registry.recordProcessedEnvelope(envelopeId, sessionId);
+    assert.equal(registry.isEnvelopeProcessed(envelopeId), true);
+  });
+
+  it('per-session envelope count tracks correctly', () => {
+    assert.equal(registry.checkEnvelopeCount(sessionId, 200), true);
+
+    registry.incrementEnvelopeCount(sessionId);
+    const session = registry.getSession(sessionId);
+    assert.equal(session.envelope_count, 1);
+
+    registry.incrementEnvelopeCount(sessionId);
+    const session2 = registry.getSession(sessionId);
+    assert.equal(session2.envelope_count, 2);
+  });
+
+  it('atomic sequence check prevents race condition', () => {
+    // First call should succeed
+    const r1 = registry.checkAndIncrementSequence(sessionId, 0);
+    assert.equal(r1.valid, true);
+
+    // Same sequence again should fail
+    const r2 = registry.checkAndIncrementSequence(sessionId, 0);
+    assert.equal(r2.valid, false);
+    assert.ok(r2.reason.includes('sequence'));
+
+    // Next sequence should succeed
+    const r3 = registry.checkAndIncrementSequence(sessionId, 1);
+    assert.equal(r3.valid, true);
+  });
+
+  it('storage quota check works', () => {
+    const ok = storage.checkQuota();
+    assert.equal(ok, true);
+  });
+});