hanzi-browse 2.2.0

package/dist/managed/api-http.test.js

@@ -0,0 +1,623 @@
+/**
+ * HTTP-level API tests
+ *
+ * Starts the actual server and hits endpoints.
+ * Tests auth enforcement, workspace isolation, session validation.
+ */
+import { initVertex } from "../llm/vertex.js";
+import { startManagedAPI, initManagedAPI } from "./api.js";
+import { createWorkspace, createApiKey } from "./store.js";
+const PORT = 4567; // Use different port from production
+const BASE = `http://localhost:${PORT}`;
+// Mock relay — we don't need real WebSocket for API tests
+const mockRelay = {
+    send: () => { },
+    onMessage: () => { },
+    connect: async () => { },
+    isConnected: () => true,
+};
+let defaultKey;
+let otherKey;
+async function setup() {
+    // Init Vertex (needed for imports, won't actually call it)
+    try {
+        initVertex("/tmp/hanzi-vertex-sa.json");
+    }
+    catch { }
+    // Always create fresh workspaces with known plaintext keys
+    const ws1 = createWorkspace("Test Workspace");
+    const key1 = createApiKey(ws1.id, "test-key");
+    defaultKey = key1.key; // plaintext from createApiKey
+    const ws2 = createWorkspace("Other Workspace");
+    const key2 = createApiKey(ws2.id, "other-key");
+    otherKey = key2.key;
+    initManagedAPI(mockRelay, () => false); // All sessions "not connected" by default
+    startManagedAPI(PORT);
+    await new Promise((r) => setTimeout(r, 500)); // Let server start
+}
+async function req(method, path, body, apiKey) {
+    const headers = { "Content-Type": "application/json" };
+    if (apiKey)
+        headers["Authorization"] = `Bearer ${apiKey}`;
+    const res = await fetch(`${BASE}${path}`, {
+        method,
+        headers,
+        body: body ? JSON.stringify(body) : undefined,
+    });
+    const data = await res.json().catch(() => null);
+    return { status: res.status, data };
+}
+function assert(condition, msg) {
+    if (!condition)
+        throw new Error(`FAIL: ${msg}`);
+    console.log(`  ✓ ${msg}`);
+}
+// --- Tests ---
+async function testHealthNoAuth() {
+    console.log("\n--- Health (no auth required) ---");
+    const { status, data } = await req("GET", "/v1/health");
+    assert(status === 200, "Health returns 200");
+    assert(data.status === "ok", "Health status is ok");
+}
+async function testAuthRequired() {
+    console.log("\n--- Auth required ---");
+    const { status: s1 } = await req("POST", "/v1/tasks", { task: "test" });
+    assert(s1 === 401, "POST /tasks without auth returns 401");
+    const { status: s2 } = await req("GET", "/v1/tasks");
+    assert(s2 === 401, "GET /tasks without auth returns 401");
+    const { status: s3 } = await req("GET", "/v1/usage");
+    assert(s3 === 401, "GET /usage without auth returns 401");
+    const { status: s4 } = await req("POST", "/v1/browser-sessions/pair");
+    assert(s4 === 401, "POST /browser-sessions/pair without auth returns 401");
+    const { status: s5 } = await req("GET", "/v1/tasks", undefined, "hic_live_bogus");
+    assert(s5 === 401, "Invalid API key returns 401");
+}
+async function testBrowserSessionIdRequired() {
+    console.log("\n--- browser_session_id required ---");
+    const { status, data } = await req("POST", "/v1/tasks", { task: "test" }, defaultKey);
+    assert(status === 400, "Task without browser_session_id returns 400");
+    assert(data.error.includes("browser_session_id"), "Error mentions browser_session_id");
+}
+async function testPairingFlow() {
+    console.log("\n--- Pairing flow ---");
+    // Create pairing token
+    const { status: s1, data: d1 } = await req("POST", "/v1/browser-sessions/pair", {}, defaultKey);
+    assert(s1 === 201, "Pairing token created");
+    assert(d1.pairing_token.startsWith("hic_pair_"), "Token has correct prefix");
+    assert(d1.expires_in_seconds > 0, "Token has expiry");
+    // Register with pairing token (no auth required — the token IS the auth)
+    const { status: s2, data: d2 } = await req("POST", "/v1/browser-sessions/register", {
+        pairing_token: d1.pairing_token,
+    });
+    assert(s2 === 201, "Session registered");
+    assert(d2.browser_session_id, "Got browser_session_id");
+    assert(d2.session_token.startsWith("hic_sess_"), "Got session_token");
+    // Cannot reuse pairing token
+    const { status: s3 } = await req("POST", "/v1/browser-sessions/register", {
+        pairing_token: d1.pairing_token,
+    });
+    assert(s3 === 401, "Reused pairing token rejected");
+    // Invalid pairing token
+    const { status: s4 } = await req("POST", "/v1/browser-sessions/register", {
+        pairing_token: "hic_pair_bogus",
+    });
+    assert(s4 === 401, "Bogus pairing token rejected");
+}
+async function testSessionNotConnectedRejectsTask() {
+    console.log("\n--- Session not connected rejects task ---");
+    // Create a session
+    const { data: d1 } = await req("POST", "/v1/browser-sessions/pair", {}, defaultKey);
+    const { data: d2 } = await req("POST", "/v1/browser-sessions/register", {
+        pairing_token: d1.pairing_token,
+    });
+    // Try to create task — session exists but not connected (mock returns false)
+    const { status, data } = await req("POST", "/v1/tasks", {
+        task: "test",
+        browser_session_id: d2.browser_session_id,
+    }, defaultKey);
+    assert(status === 409, "Disconnected session returns 409");
+    assert(data.error.includes("not connected"), "Error mentions not connected");
+}
+async function testWrongWorkspaceSessionRejectsTask() {
+    console.log("\n--- Wrong workspace session rejects task ---");
+    // Create session in workspace A (defaultKey)
+    const { data: d1 } = await req("POST", "/v1/browser-sessions/pair", {}, defaultKey);
+    const { data: d2 } = await req("POST", "/v1/browser-sessions/register", {
+        pairing_token: d1.pairing_token,
+    });
+    // Try to use it with workspace B's key
+    const { status, data } = await req("POST", "/v1/tasks", {
+        task: "test",
+        browser_session_id: d2.browser_session_id,
+    }, otherKey);
+    assert(status === 403, "Wrong workspace session returns 403");
+    assert(data.error.includes("does not belong"), "Error mentions workspace mismatch");
+}
+async function testTaskOwnershipIsolation() {
+    console.log("\n--- Task ownership isolation ---");
+    // Create a task in default workspace directly in the store
+    const { createTaskRun, validateApiKey } = await import("./store.js");
+    const resolved = validateApiKey(defaultKey);
+    const task = createTaskRun({
+        workspaceId: resolved.workspaceId,
+        apiKeyId: "test",
+        task: "ownership test",
+        browserSessionId: "test-session",
+    });
+    // Default key can see it
+    const { status: s1, data: d1 } = await req("GET", `/v1/tasks/${task.id}`, undefined, defaultKey);
+    assert(s1 === 200, "Owner can read task");
+    assert(d1.id === task.id, "Correct task returned");
+    // Other workspace gets 404 (not 403 — don't leak existence)
+    const { status: s2 } = await req("GET", `/v1/tasks/${task.id}`, undefined, otherKey);
+    assert(s2 === 404, "Non-owner gets 404 (not 403)");
+    // Other workspace can't cancel it
+    const { status: s3 } = await req("POST", `/v1/tasks/${task.id}/cancel`, {}, otherKey);
+    assert(s3 === 404, "Non-owner can't cancel (gets 404)");
+    // Nonexistent task
+    const { status: s4 } = await req("GET", "/v1/tasks/nonexistent-id", undefined, defaultKey);
+    assert(s4 === 404, "Nonexistent task returns 404");
+}
+async function testListTasksIsolation() {
+    console.log("\n--- List tasks isolation ---");
+    const { status: s1, data: d1 } = await req("GET", "/v1/tasks", undefined, defaultKey);
+    assert(s1 === 200, "Default workspace can list tasks");
+    const { status: s2, data: d2 } = await req("GET", "/v1/tasks", undefined, otherKey);
+    assert(s2 === 200, "Other workspace can list tasks");
+    // Other workspace should have zero tasks (all tasks belong to default)
+    assert(d2.tasks.length === 0, "Other workspace sees no tasks");
+}
+async function testUsageIsolation() {
+    console.log("\n--- Usage isolation ---");
+    const { status: s1, data: d1 } = await req("GET", "/v1/usage", undefined, defaultKey);
+    assert(s1 === 200, "Default workspace can get usage");
+    const { status: s2, data: d2 } = await req("GET", "/v1/usage", undefined, otherKey);
+    assert(s2 === 200, "Other workspace can get usage");
+    assert(d2.totalApiCalls === 0, "Other workspace has zero usage");
+}
+// --- Input Validation Tests (Slice 1 hardening) ---
+async function testInputValidation() {
+    console.log("\n--- Input validation (hardening) ---");
+    // Task too long
+    const longTask = "a".repeat(10_001);
+    const { status: s1, data: d1 } = await req("POST", "/v1/tasks", {
+        task: longTask,
+        browser_session_id: "test",
+    }, defaultKey);
+    assert(s1 === 400, "Task exceeding 10000 chars returns 400");
+    assert(d1.error.includes("10000"), "Error mentions char limit");
+    // Context too long
+    const longCtx = "b".repeat(50_001);
+    const { status: s2, data: d2 } = await req("POST", "/v1/tasks", {
+        task: "test",
+        context: longCtx,
+        browser_session_id: "test",
+    }, defaultKey);
+    assert(s2 === 400, "Context exceeding 50000 chars returns 400");
+    assert(d2.error.includes("context"), "Error mentions context");
+    // Invalid URL
+    const { status: s3, data: d3 } = await req("POST", "/v1/tasks", {
+        task: "test",
+        url: "not-a-url",
+        browser_session_id: "test",
+    }, defaultKey);
+    assert(s3 === 400, "Invalid URL returns 400");
+    assert(d3.error.includes("url"), "Error mentions url");
+    // URL too long
+    const longUrl = "https://example.com/" + "x".repeat(2048);
+    const { status: s4, data: d4 } = await req("POST", "/v1/tasks", {
+        task: "test",
+        url: longUrl,
+        browser_session_id: "test",
+    }, defaultKey);
+    assert(s4 === 400, "URL exceeding 2048 chars returns 400");
+    // Empty task
+    const { status: s5 } = await req("POST", "/v1/tasks", {
+        task: "   ",
+        browser_session_id: "test",
+    }, defaultKey);
+    assert(s5 === 400, "Whitespace-only task returns 400");
+    // Valid task passes validation (hits browser_session_id check next)
+    const { status: s6, data: d6 } = await req("POST", "/v1/tasks", {
+        task: "valid task",
+        url: "https://example.com",
+        context: "some context",
+        browser_session_id: "nonexistent-session",
+    }, defaultKey);
+    assert(s6 === 404, "Valid input with unknown session returns 404 (passes validation)");
+}
+async function testRequestBodyLimit() {
+    console.log("\n--- Request body size limit ---");
+    // Send a request with body > 128KB
+    const hugeBody = JSON.stringify({ task: "x".repeat(200_000) });
+    try {
+        const res = await fetch(`${BASE}/v1/tasks`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json",
+                "Authorization": `Bearer ${defaultKey}`,
+            },
+            body: hugeBody,
+        });
+        // Should get either 400 (body too large) or connection reset
+        assert(res.status >= 400, "Oversized body rejected");
+    }
+    catch {
+        // Connection reset is also acceptable — server destroyed the socket
+        assert(true, "Oversized body caused connection reset (acceptable)");
+    }
+}
+// --- Rate Limiting Tests (Slice 2) ---
+async function testRateLimiting() {
+    console.log("\n--- Rate limiting (hardening) ---");
+    // Rate limit is checked AFTER input validation — bad requests (400) don't burn quota.
+    // To trigger rate limits, we need valid requests that pass validation but fail later
+    // (e.g., session exists but is not connected → 409).
+    const { createWorkspace, createApiKey, createPairingToken, consumePairingToken } = await import("./store.js");
+    const freshWs = createWorkspace("Rate Limit Test");
+    const freshKey = createApiKey(freshWs.id, "rate-key");
+    // Create a real session (but it won't be "connected" since mock returns false)
+    const pt = createPairingToken(freshWs.id, freshKey.id);
+    const session = consumePairingToken(pt._plainToken);
+    // Verify bad requests don't burn quota: send 5 invalid requests first
+    for (let i = 0; i < 5; i++) {
+        const { status } = await req("POST", "/v1/tasks", { task: `bad ${i}` }, freshKey.key);
+        assert(status === 400, "Bad request returns 400 without burning quota");
+    }
+    // Now hammer with valid-looking requests (reach rate limit check, get 409 = not connected)
+    let hitRateLimit = false;
+    for (let i = 0; i < 12; i++) {
+        const { status } = await req("POST", "/v1/tasks", {
+            task: `rate test ${i}`,
+            browser_session_id: session.id,
+        }, freshKey.key);
+        if (status === 429) {
+            hitRateLimit = true;
+            break;
+        }
+    }
+    assert(hitRateLimit, "Rate limit kicks in after max valid requests");
+    // Verify the error message is informative
+    const { status: s2, data: d2 } = await req("POST", "/v1/tasks", {
+        task: "one more",
+        browser_session_id: session.id,
+    }, freshKey.key);
+    assert(s2 === 429, "Rate limited request returns 429");
+    assert(d2.error.includes("Rate limit"), "Error mentions rate limit");
+}
+async function testCorsHeaders() {
+    console.log("\n--- CORS headers (hardening) ---");
+    // Known origin should get CORS headers
+    const res1 = await fetch(`${BASE}/v1/health`, {
+        headers: { Origin: "https://browse.hanzilla.co" },
+    });
+    const acao1 = res1.headers.get("access-control-allow-origin");
+    assert(acao1 === "https://browse.hanzilla.co", "Known origin gets reflected CORS");
+    // Unknown origin should NOT get CORS headers
+    const res2 = await fetch(`${BASE}/v1/health`, {
+        headers: { Origin: "https://evil.com" },
+    });
+    const acao2 = res2.headers.get("access-control-allow-origin");
+    assert(acao2 === null, "Unknown origin gets no CORS header");
+    // No origin header — no CORS headers
+    const res3 = await fetch(`${BASE}/v1/health`);
+    const acao3 = res3.headers.get("access-control-allow-origin");
+    assert(acao3 === null, "No origin header means no CORS header");
+}
+// --- Self-serve API Key Tests ---
+async function testApiKeyCRUD() {
+    console.log("\n--- Self-serve API key CRUD ---");
+    // Create key
+    const { status: s1, data: d1 } = await req("POST", "/v1/api-keys", { name: "test-key" }, defaultKey);
+    assert(s1 === 201, "API key created (201)");
+    assert(d1.key.startsWith("hic_live_"), "Key has correct prefix");
+    assert(d1.name === "test-key", "Key has correct name");
+    assert(d1.id, "Key has an ID");
+    assert(d1._warning, "Response includes save warning");
+    const createdKeyId = d1.id;
+    const createdKeyValue = d1.key;
+    // List keys
+    const { status: s2, data: d2 } = await req("GET", "/v1/api-keys", undefined, defaultKey);
+    assert(s2 === 200, "List API keys returns 200");
+    assert(Array.isArray(d2.api_keys), "Response has api_keys array");
+    const found = d2.api_keys.find((k) => k.id === createdKeyId);
+    assert(!!found, "Created key appears in list");
+    assert(found.key_prefix.startsWith("hic_live_"), "Listed key shows readable prefix");
+    assert(!found.key_prefix.includes(createdKeyValue), "Listed key does not expose full key");
+    // The new key should work for auth
+    const { status: s3 } = await req("GET", "/v1/api-keys", undefined, createdKeyValue);
+    assert(s3 === 200, "Newly created key works for auth");
+    // Delete key
+    const { status: s4, data: d4 } = await req("DELETE", `/v1/api-keys/${createdKeyId}`, undefined, defaultKey);
+    assert(s4 === 200, "Delete returns 200");
+    assert(d4.deleted === true, "Response confirms deletion");
+    // Deleted key no longer works for auth
+    const { status: s5 } = await req("GET", "/v1/api-keys", undefined, createdKeyValue);
+    assert(s5 === 401, "Deleted key returns 401");
+    // Deleted key no longer in list
+    const { status: s6, data: d6 } = await req("GET", "/v1/api-keys", undefined, defaultKey);
+    const notFound = d6.api_keys.find((k) => k.id === createdKeyId);
+    assert(!notFound, "Deleted key removed from list");
+    // Delete nonexistent key
+    const { status: s7 } = await req("DELETE", "/v1/api-keys/nonexistent-id", undefined, defaultKey);
+    assert(s7 === 404, "Delete nonexistent key returns 404");
+    // Create with missing name
+    const { status: s8 } = await req("POST", "/v1/api-keys", {}, defaultKey);
+    assert(s8 === 400, "Create without name returns 400");
+    // Create with oversized name
+    const { status: s9 } = await req("POST", "/v1/api-keys", { name: "x".repeat(101) }, defaultKey);
+    assert(s9 === 400, "Create with name > 100 chars returns 400");
+}
+async function testApiKeyWorkspaceIsolation() {
+    console.log("\n--- API key workspace isolation ---");
+    // Create a key in default workspace
+    const { data: d1 } = await req("POST", "/v1/api-keys", { name: "ws-test" }, defaultKey);
+    // Other workspace cannot see it
+    const { data: d2 } = await req("GET", "/v1/api-keys", undefined, otherKey);
+    const found = d2.api_keys.find((k) => k.id === d1.id);
+    assert(!found, "Other workspace cannot see key from different workspace");
+    // Other workspace cannot delete it
+    const { status: s3 } = await req("DELETE", `/v1/api-keys/${d1.id}`, undefined, otherKey);
+    assert(s3 === 404, "Other workspace cannot delete key from different workspace");
+    // Clean up
+    await req("DELETE", `/v1/api-keys/${d1.id}`, undefined, defaultKey);
+}
+// --- Session Metadata Tests ---
+async function testSessionMetadata() {
+    console.log("\n--- Session metadata propagation ---");
+    // Create pairing token WITH metadata
+    const { status: s1, data: d1 } = await req("POST", "/v1/browser-sessions/pair", {
+        label: "Dr. Smith's browser",
+        external_user_id: "user_abc123",
+    }, defaultKey);
+    assert(s1 === 201, "Pairing token with metadata created");
+    // Register session
+    const { status: s2, data: d2 } = await req("POST", "/v1/browser-sessions/register", {
+        pairing_token: d1.pairing_token,
+    });
+    assert(s2 === 201, "Session registered from token with metadata");
+    // List sessions — metadata should be present
+    const { data: d3 } = await req("GET", "/v1/browser-sessions", undefined, defaultKey);
+    const session = d3.sessions.find((s) => s.id === d2.browser_session_id);
+    assert(!!session, "Session appears in list");
+    assert(session.label === "Dr. Smith's browser", "Label propagated to session");
+    assert(session.external_user_id === "user_abc123", "external_user_id propagated to session");
+}
+async function testSessionMetadataOptional() {
+    console.log("\n--- Session metadata optional ---");
+    // Create pairing token WITHOUT metadata (backward compatibility)
+    const { status: s1, data: d1 } = await req("POST", "/v1/browser-sessions/pair", {}, defaultKey);
+    assert(s1 === 201, "Pairing token without metadata created");
+    // Register
+    const { data: d2 } = await req("POST", "/v1/browser-sessions/register", {
+        pairing_token: d1.pairing_token,
+    });
+    // List — null metadata is fine
+    const { data: d3 } = await req("GET", "/v1/browser-sessions", undefined, defaultKey);
+    const session = d3.sessions.find((s) => s.id === d2.browser_session_id);
+    assert(!!session, "Session without metadata appears in list");
+    assert(session.label === null || session.label === undefined, "Label is null when not provided");
+    assert(session.external_user_id === null || session.external_user_id === undefined, "external_user_id is null when not provided");
+}
+// --- Legacy Key Prefix Normalization ---
+async function testLegacyKeyPrefixNormalization() {
+    console.log("\n--- Legacy key prefix normalization ---");
+    // Simulate a legacy key by injecting one without keyPrefix directly into the store
+    const { validateApiKey } = await import("./store.js");
+    const resolved = validateApiKey(defaultKey);
+    const store = await import("./store.js");
+    // The store's internal data is not directly accessible, but we can verify
+    // that all keys returned by the API have readable prefixes (not raw hashes).
+    const { status, data } = await req("GET", "/v1/api-keys", undefined, defaultKey);
+    assert(status === 200, "List API keys returns 200");
+    for (const k of data.api_keys) {
+        assert(k.key_prefix.startsWith("hic_live_") || k.key_prefix.startsWith("hic_live_***"), `Key prefix is readable: ${k.key_prefix.slice(0, 20)}`);
+        // Must never be a raw 64-char hex hash
+        assert(k.key_prefix.length < 40, `Key prefix is not a raw hash (length ${k.key_prefix.length})`);
+    }
+}
+// --- Managed Task Execution (mock relay) ---
+async function testManagedTaskExecution() {
+    console.log("\n--- Managed task execution (mock relay) ---");
+    // This test proves the full managed path:
+    // 1. Create pairing token → 2. Register session → 3. Create task → 4. Task completes
+    //
+    // Limitation: we cannot test real LLM execution or real browser tool execution
+    // locally without a running extension + relay + LLM. What we CAN test:
+    // - The happy path up to task creation with a connected session
+    // - The mock relay session connectivity check
+    //
+    // For this test, we need a session that reports as "connected" via the
+    // isSessionConnectedFn. The test setup uses () => false, so all sessions
+    // appear disconnected. We test the 409 → proves the guard works.
+    // A real end-to-end test requires: live relay + extension + LLM.
+    // Create and register a session
+    const { data: d1 } = await req("POST", "/v1/browser-sessions/pair", {
+        label: "e2e test browser",
+        external_user_id: "e2e-user-1",
+    }, defaultKey);
+    const { data: d2 } = await req("POST", "/v1/browser-sessions/register", {
+        pairing_token: d1.pairing_token,
+    });
+    assert(d2.browser_session_id, "Session registered for e2e test");
+    // Verify session appears as disconnected (mock returns false)
+    const { data: d3 } = await req("GET", "/v1/browser-sessions", undefined, defaultKey);
+    const session = d3.sessions.find((s) => s.id === d2.browser_session_id);
+    assert(!!session, "Session in list");
+    assert(session.status === "disconnected", "Session reports disconnected (mock relay)");
+    assert(session.label === "e2e test browser", "Session has label");
+    assert(session.external_user_id === "e2e-user-1", "Session has external_user_id");
+    // Task creation is correctly rejected because session is not connected
+    const { status: s4, data: d4 } = await req("POST", "/v1/tasks", {
+        task: "Read the current page title",
+        browser_session_id: d2.browser_session_id,
+    }, defaultKey);
+    assert(s4 === 409, "Task rejected — session not connected (mock)");
+    assert(d4.error.includes("not connected"), "Error explains why");
+    // This proves: auth → pairing → session ownership → connectivity guard all work.
+    // What remains unproven: actual LLM call + tool execution + result retrieval.
+    // That requires: live relay, live extension, live LLM — tested by integration.test.ts
+    // against production.
+}
+// --- Better Auth Session Cookie ---
+// Better Auth session-cookie auth requires:
+// 1. A running Postgres instance (Better Auth stores sessions in DB)
+// 2. Google OAuth or email/password signup to create a user + session
+// 3. The session cookie to be passed in requests
+//
+// This cannot be tested in the local file-store test harness because:
+// - createAuth() returns null when DATABASE_URL is not set
+// - resolveSessionToWorkspace() returns null when auth is not initialized
+//
+// What we CAN prove: that the authenticate() function falls through correctly
+// when no session cookie is present, and that API key auth still works.
+// The full session-cookie path is proven by integration.test.ts against production.
+async function testSessionCookieAuthFallthrough() {
+    console.log("\n--- Session cookie auth fallthrough ---");
+    // Request with no auth at all — should get 401
+    const { status: s1 } = await req("GET", "/v1/api-keys");
+    assert(s1 === 401, "No auth → 401 (cookie auth not available without DB)");
+    // Request with a fake cookie — should still get 401 (no DB = no session resolution)
+    const res = await fetch(`http://localhost:${PORT}/v1/api-keys`, {
+        headers: {
+            "Content-Type": "application/json",
+            "Cookie": "better-auth.session_token=fake_session_token_123",
+        },
+    });
+    assert(res.status === 401, "Fake session cookie → 401 (no DB backing)");
+    // API key auth still works (not broken by cookie auth attempt)
+    const { status: s3 } = await req("GET", "/v1/api-keys", undefined, defaultKey);
+    assert(s3 === 200, "API key auth still works after cookie fallthrough");
+}
+// --- Stuck-Task Recovery ---
+async function testStuckTaskRecovery() {
+    console.log("\n--- Stuck-task recovery ---");
+    // Create a task directly in the store with "running" status and an old createdAt
+    const { createTaskRun, getTaskRun, validateApiKey, listStuckTasks } = await import("./store.js");
+    const resolved = validateApiKey(defaultKey);
+    const task = createTaskRun({
+        workspaceId: resolved.workspaceId,
+        apiKeyId: "test",
+        task: "stuck task test",
+        browserSessionId: "test-session",
+    });
+    assert(task.status === "running", "Task starts as running");
+    // Manually backdate the task's createdAt to simulate a stuck task
+    const stored = getTaskRun(task.id);
+    stored.createdAt = Date.now() - 40 * 60 * 1000; // 40 minutes ago
+    // listStuckTasks should find it
+    const stuck = listStuckTasks(35 * 60 * 1000); // 35-minute threshold
+    assert(stuck.some(t => t.id === task.id), "listStuckTasks finds the old running task");
+    // Call recoverStuckTasks
+    const { recoverStuckTasks } = await import("./api.js");
+    await recoverStuckTasks();
+    // Task should now be marked as error
+    const recovered = getTaskRun(task.id);
+    assert(recovered.status === "error", "Stuck task marked as error after recovery");
+    assert(recovered.answer.includes("server restart"), "Answer mentions server restart");
+    assert(recovered.completedAt > 0, "completedAt is set");
+}
+// --- Request ID Header ---
+async function testRequestIdHeader() {
+    console.log("\n--- Request ID in response headers ---");
+    // All responses should have X-Request-Id header
+    const res1 = await fetch(`http://localhost:${PORT}/v1/health`);
+    const rid1 = res1.headers.get("x-request-id");
+    assert(!!rid1, "Health response has X-Request-Id header");
+    assert(rid1.length === 8, "Request ID is 8 chars");
+    // Error responses should also have it
+    const res2 = await fetch(`http://localhost:${PORT}/v1/tasks`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ task: "test" }),
+    });
+    const rid2 = res2.headers.get("x-request-id");
+    assert(!!rid2, "401 error response has X-Request-Id header");
+    assert(rid2 !== rid1, "Different requests get different IDs");
+}
+// --- Billing Store Functions ---
+async function testBillingWorkspaceFields() {
+    console.log("\n--- Billing workspace fields ---");
+    const { createWorkspace, getWorkspace, updateWorkspaceBilling } = await import("./store.js");
+    // New workspace defaults to free plan
+    const ws = createWorkspace("Billing Test");
+    assert(ws.plan === "free", "New workspace defaults to free plan");
+    assert(ws.stripeCustomerId === undefined, "No Stripe customer by default");
+    assert(ws.subscriptionId === undefined, "No subscription by default");
+    assert(ws.subscriptionStatus === undefined, "No subscription status by default");
+    // Update billing fields
+    const updated = updateWorkspaceBilling(ws.id, {
+        stripeCustomerId: "cus_test123",
+        plan: "pro",
+        subscriptionId: "sub_test456",
+        subscriptionStatus: "active",
+    });
+    assert(updated !== null, "Update returns workspace");
+    assert(updated.stripeCustomerId === "cus_test123", "Stripe customer ID persisted");
+    assert(updated.plan === "pro", "Plan updated to pro");
+    assert(updated.subscriptionId === "sub_test456", "Subscription ID persisted");
+    assert(updated.subscriptionStatus === "active", "Subscription status persisted");
+    // Verify getWorkspace returns the updated fields
+    const fetched = getWorkspace(ws.id);
+    assert(fetched.plan === "pro", "getWorkspace reflects updated plan");
+    assert(fetched.stripeCustomerId === "cus_test123", "getWorkspace reflects customer ID");
+    // Simulate subscription cancellation
+    const cancelled = updateWorkspaceBilling(ws.id, {
+        plan: "free",
+        subscriptionStatus: "cancelled",
+    });
+    assert(cancelled.plan === "free", "Plan reverted to free");
+    assert(cancelled.subscriptionStatus === "cancelled", "Status set to cancelled");
+    assert(cancelled.stripeCustomerId === "cus_test123", "Customer ID preserved on cancel");
+    // Update nonexistent workspace returns null
+    const missing = updateWorkspaceBilling("nonexistent-id", { plan: "pro" });
+    assert(missing === null, "Update nonexistent workspace returns null");
+}
+async function testBillingCheckoutEndpoint() {
+    console.log("\n--- Billing checkout endpoint ---");
+    // Billing is not configured in test environment (no STRIPE_SECRET_KEY)
+    const { status, data } = await req("POST", "/v1/billing/checkout", {
+        email: "test@example.com",
+    }, defaultKey);
+    assert(status === 503, "Checkout returns 503 when billing not configured");
+    assert(data.error.includes("not configured"), "Error mentions billing not configured");
+}
+// --- Run ---
+async function runAll() {
+    await setup();
+    console.log("=== HTTP API Tests ===");
+    await testHealthNoAuth();
+    await testAuthRequired();
+    await testBrowserSessionIdRequired();
+    await testPairingFlow();
+    await testSessionNotConnectedRejectsTask();
+    await testWrongWorkspaceSessionRejectsTask();
+    await testTaskOwnershipIsolation();
+    await testListTasksIsolation();
+    await testUsageIsolation();
+    await testInputValidation();
+    await testRequestBodyLimit();
+    await testRateLimiting();
+    await testCorsHeaders();
+    await testApiKeyCRUD();
+    await testApiKeyWorkspaceIsolation();
+    await testSessionMetadata();
+    await testSessionMetadataOptional();
+    await testLegacyKeyPrefixNormalization();
+    await testManagedTaskExecution();
+    await testSessionCookieAuthFallthrough();
+    await testStuckTaskRecovery();
+    await testRequestIdHeader();
+    await testBillingWorkspaceFields();
+    await testBillingCheckoutEndpoint();
+    console.log("\n=== All HTTP API tests passed ===\n");
+    process.exit(0);
+}
+// Only run when executed directly (not when imported by vitest)
+const isDirectRun = !process.env.VITEST;
+if (isDirectRun) {
+    runAll().catch((err) => {
+        console.error("\n❌ TEST FAILED:", err.message);
+        process.exit(1);
+    });
+}