mindforge-cc 1.0.0

package/tests/production.test.js

@@ -0,0 +1,416 @@
+/**
+ * MindForge Day 7 — Production Readiness Tests
+ * Verifies the installer, updater, migration engine, plugin system,
+ * token optimiser, and all 36 commands exist.
+ *
+ * Run: node tests/production.test.js
+ */
+'use strict';
+
+const fs   = require('fs');
+const path = require('path');
+const assert = require('assert');
+let passed = 0, failed = 0;
+
+function test(name, fn) {
+  try { fn(); console.log(`  ✅  ${name}`); passed++; }
+  catch(e) { console.error(`  ❌  ${name}\n      ${e.message}`); failed++; }
+}
+
+const read   = p  => fs.existsSync(p) ? fs.readFileSync(p, 'utf8') : '';
+const exists = p  => fs.existsSync(p);
+
+// ── Installer completeness ─────────────────────────────────────────────────────
+console.log('\nMindForge Day 7 — Production Readiness Tests\n');
+console.log('Installer:');
+
+test('bin/install.js exists with shebang', () => {
+  const c = read('bin/install.js');
+  assert.ok(c.includes('#!/usr/bin/env node'), 'Missing shebang');
+  assert.ok(c.length > 500, 'install.js seems too short');
+});
+
+test('bin/installer-core.js exists and exports run()', () => {
+  const c = read('bin/installer-core.js');
+  assert.ok(c.includes('module.exports'), 'Missing module.exports');
+  assert.ok(c.includes('async function run') || c.includes('function run'), 'Missing run function');
+});
+
+test('installer handles --version flag correctly', () => {
+  const c = read('bin/install.js');
+  assert.ok(c.includes("'--version'") || c.includes('"--version"'), 'Missing --version');
+  assert.ok(c.includes('process.exit(0)'), 'Should exit 0 for --version');
+});
+
+test('installer has Node.js version gate (≥ 18)', () => {
+  const combined = read('bin/install.js') + read('bin/installer-core.js');
+  assert.ok(combined.includes('18'), 'Should check for Node.js 18');
+  assert.ok(combined.includes('process.exit(1)') || combined.includes('exit(1)'), 'Should exit 1 for old node');
+});
+
+test('installer has CI mode detection', () => {
+  const c = read('bin/install.js');
+  assert.ok(c.includes("process.env.CI"), 'Should detect CI environment');
+  assert.ok(c.includes('IS_NON_INTERACTIVE'), 'Should have non-interactive flag');
+});
+
+test('installer backs up existing CLAUDE.md', () => {
+  const c = read('bin/installer-core.js');
+  assert.ok(c.includes('backup') || c.includes('.backup-'), 'Should back up CLAUDE.md');
+});
+
+test('installer has self-install detection', () => {
+  const c = read('bin/installer-core.js');
+  assert.ok(
+    c.includes('isSelfInstall') || c.includes("'mindforge-cc'"),
+    'Should detect self-install scenario'
+  );
+});
+
+test('installer excludes sensitive files (*.env, *.key, *.pem)', () => {
+  const c = read('bin/installer-core.js');
+  assert.ok(
+    c.includes('.env') || c.includes('SENSITIVE_EXCLUDE') || c.includes('.key'),
+    'Should have sensitive file exclusion list'
+  );
+});
+
+test('installer verifies install after completing', () => {
+  const c = read('bin/installer-core.js');
+  assert.ok(
+    c.includes('verifyInstall') || c.includes('verification'),
+    'Should verify install after completing'
+  );
+});
+
+// ── Self-update system ─────────────────────────────────────────────────────────
+console.log('\nSelf-update system:');
+
+['version-comparator.js', 'changelog-fetcher.js', 'self-update.js'].forEach(f => {
+  test(`bin/updater/${f} exists`, () => {
+    assert.ok(exists(`bin/updater/${f}`), `Missing: bin/updater/${f}`);
+  });
+});
+
+test('compareSemver: 1.0.0 > 0.6.0', () => {
+  const { compareSemver } = require('../bin/updater/version-comparator');
+  assert.ok(compareSemver('1.0.0', '0.6.0') > 0);
+});
+
+test('compareSemver: 0.6.0 < 1.0.0', () => {
+  const { compareSemver } = require('../bin/updater/version-comparator');
+  assert.ok(compareSemver('0.6.0', '1.0.0') < 0);
+});
+
+test('compareSemver: 1.0.0 == 1.0.0', () => {
+  const { compareSemver } = require('../bin/updater/version-comparator');
+  assert.strictEqual(compareSemver('1.0.0', '1.0.0'), 0);
+});
+
+test('compareSemver handles v prefix', () => {
+  const { compareSemver } = require('../bin/updater/version-comparator');
+  assert.ok(compareSemver('v1.0.0', 'v0.6.0') > 0);
+});
+
+test('upgradeType: 0.6.0 → 1.0.0 is major', () => {
+  const { upgradeType } = require('../bin/updater/version-comparator');
+  assert.strictEqual(upgradeType('0.6.0', '1.0.0'), 'major');
+});
+
+test('upgradeType: 1.0.0 → 1.1.0 is minor', () => {
+  const { upgradeType } = require('../bin/updater/version-comparator');
+  assert.strictEqual(upgradeType('1.0.0', '1.1.0'), 'minor');
+});
+
+test('upgradeType: 1.0.0 → 1.0.1 is patch', () => {
+  const { upgradeType } = require('../bin/updater/version-comparator');
+  assert.strictEqual(upgradeType('1.0.0', '1.0.1'), 'patch');
+});
+
+test('upgradeType: 1.0.0 → 1.0.0 is none', () => {
+  const { upgradeType } = require('../bin/updater/version-comparator');
+  assert.strictEqual(upgradeType('1.0.0', '1.0.0'), 'none');
+});
+
+test('self-update has scope detection', () => {
+  const c = read('bin/updater/self-update.js');
+  assert.ok(c.includes('detectInstallScope'), 'Should have detectInstallScope()');
+});
+
+test('self-update reads schema_version before applying update', () => {
+  const c = read('bin/updater/self-update.js');
+  assert.ok(
+    c.includes('readHandoffSchemaVersion') || c.includes('schema_version'),
+    'Should read schema_version from HANDOFF before updating'
+  );
+});
+
+// ── Migration engine ────────────────────────────────────────────────────────────
+console.log('\nMigration engine:');
+
+['migrate.js', 'schema-versions.js', '0.1.0-to-0.5.0.js', '0.5.0-to-0.6.0.js', '0.6.0-to-1.0.0.js'].forEach(f => {
+  test(`bin/migrations/${f} exists`, () => {
+    assert.ok(exists(`bin/migrations/${f}`), `Missing: ${f}`);
+  });
+});
+
+test('migrate.js creates backup before migrating', () => {
+  const c = read('bin/migrations/migrate.js');
+  assert.ok(c.includes('backup') || c.includes('Backup'), 'Should create backup');
+});
+
+test('migrate.js aborts if backup fails', () => {
+  const c = read('bin/migrations/migrate.js');
+  assert.ok(
+    c.includes('backupErr') || c.includes('Migration aborted'),
+    'Should abort if backup creation fails'
+  );
+});
+
+test('migrate.js restores from backup on migration failure', () => {
+  const c = read('bin/migrations/migrate.js');
+  assert.ok(
+    c.includes('Restoring') || c.includes('restoreFromBackup') || c.includes('restore'),
+    'Should restore from backup on failure'
+  );
+});
+
+test('0.6.0-to-1.0.0 migration adds plugin_api_version', () => {
+  const c = read('bin/migrations/0.6.0-to-1.0.0.js');
+  assert.ok(c.includes('plugin_api_version'), 'Should add plugin_api_version field');
+});
+
+test('0.6.0-to-1.0.0 migration backfills session_id in AUDIT.jsonl', () => {
+  const c = read('bin/migrations/0.6.0-to-1.0.0.js');
+  assert.ok(c.includes('session_id'), 'Should backfill session_id');
+});
+
+test('0.6.0-to-1.0.0 migration converts VERIFY_PASS_RATE_WARNING_THRESHOLD', () => {
+  const c = read('bin/migrations/0.6.0-to-1.0.0.js');
+  assert.ok(
+    c.includes('VERIFY_PASS_RATE') || c.includes('val / 100'),
+    'Should convert percentage to decimal'
+  );
+});
+
+test('migration preserves invalid AUDIT.jsonl lines (no crash)', () => {
+  const c = read('bin/migrations/0.6.0-to-1.0.0.js');
+  assert.ok(c.includes('catch') || c.includes('try'), 'Should handle parse errors gracefully');
+});
+
+// ── Plugin system ────────────────────────────────────────────────────────────────
+console.log('\nPlugin system:');
+
+['plugin-schema.md', 'plugin-loader.md', 'PLUGINS-MANIFEST.md'].forEach(f => {
+  test(`.mindforge/plugins/${f} exists`, () => {
+    assert.ok(exists(`.mindforge/plugins/${f}`));
+  });
+});
+
+test('plugin schema defines permission model', () => {
+  const c = read('.mindforge/plugins/plugin-schema.md');
+  assert.ok(c.includes('permissions'), 'Should define permissions');
+  assert.ok(c.includes('write_state'), 'Should include write_state permission');
+  assert.ok(c.includes('network_access'), 'Should include network_access permission');
+});
+
+test('plugin loader has injection guard step', () => {
+  const c = read('.mindforge/plugins/plugin-loader.md');
+  assert.ok(c.includes('injection guard') || c.includes('Injection'), 'Should run injection guard');
+});
+
+test('plugin loader documents advisory permission model', () => {
+  const c = read('.mindforge/plugins/plugin-loader.md');
+  assert.ok(
+    c.includes('advisory') || c.includes('not OS-enforced') || c.includes('not enforced'),
+    'Should explain that permissions are advisory'
+  );
+});
+
+test('plugin schema lists all 36 reserved command names', () => {
+  const c = read('.mindforge/plugins/plugin-schema.md');
+  assert.ok(
+    c.includes('Reserved command names') || c.includes('reserved'),
+    'Should list reserved command names'
+  );
+  // Check a few specific reserved names are mentioned
+  assert.ok(c.includes('health'), 'Should list health as reserved');
+  assert.ok(c.includes('security-scan'), 'Should list security-scan as reserved');
+});
+
+// ── Token optimiser ─────────────────────────────────────────────────────────────
+console.log('\nToken optimiser:');
+
+test('token-optimiser.md exists', () => {
+  assert.ok(exists('.mindforge/production/token-optimiser.md'));
+});
+
+test('token optimiser defines efficiency formula', () => {
+  const c = read('.mindforge/production/token-optimiser.md');
+  assert.ok(c.includes('token_efficiency') || c.includes('efficiency'), 'Should define efficiency');
+  assert.ok(c.includes('useful_output') || c.includes('output_tokens'), 'Should define useful output');
+});
+
+test('token optimiser has lean plan strategy', () => {
+  const c = read('.mindforge/production/token-optimiser.md');
+  assert.ok(c.includes('Strategy 1') || c.includes('Lean'), 'Should have lean plan strategy');
+});
+
+// ── Production checklist ────────────────────────────────────────────────────────
+console.log('\nProduction checklist:');
+
+test('production-checklist.md has exactly 50 checkbox items', () => {
+  const c = read('.mindforge/production/production-checklist.md');
+  const boxes = (c.match(/- \[ \]/g) || []).length;
+  assert.ok(boxes >= 50, `Expected >= 50 items, found ${boxes}`);
+});
+
+// ── Documentation completeness ──────────────────────────────────────────────────
+console.log('\nDocumentation:');
+
+const DOC_FILES = [
+  'docs/reference/commands.md',
+  'docs/security/SECURITY.md',
+  'docs/security/threat-model.md',
+  'docs/architecture/decision-records-index.md',
+  'docs/contributing/CONTRIBUTING.md',
+];
+DOC_FILES.forEach(f => test(`${f} exists`, () => assert.ok(exists(f), `Missing: ${f}`)));
+
+test('threat model covers all 7 threat actors', () => {
+  const c = read('docs/security/threat-model.md');
+  for (let i = 1; i <= 7; i++) {
+    assert.ok(c.includes(`Threat Actor ${i}`), `Missing Threat Actor ${i}`);
+  }
+});
+
+test('ADR index lists all 20 ADRs', () => {
+  const c = read('docs/architecture/decision-records-index.md');
+  for (let i = 1; i <= 20; i++) {
+    const adrRef = `ADR-${String(i).padStart(3, '0')}`;
+    assert.ok(c.includes(adrRef) || c.includes(`ADR-${i}`), `Missing ${adrRef} in index`);
+  }
+});
+
+test('SECURITY.md has responsible disclosure policy', () => {
+  const c = read('docs/security/SECURITY.md');
+  assert.ok(c.includes('disclosure') || c.includes('24 hours'), 'Should have disclosure timeline');
+});
+
+// ── All 36 commands ─────────────────────────────────────────────────────────────
+console.log('\nAll 36 commands:');
+
+const ALL_COMMANDS = [
+  // Day 1
+  'help', 'init-project', 'plan-phase', 'execute-phase', 'verify-phase', 'ship',
+  // Day 2
+  'next', 'quick', 'status', 'debug',
+  // Day 3
+  'skills', 'review', 'security-scan', 'map-codebase', 'discuss-phase',
+  // Day 4
+  'audit', 'milestone', 'complete-milestone', 'approve', 'sync-jira', 'sync-confluence',
+  // Day 5
+  'health', 'retrospective', 'profile-team', 'metrics',
+  // Day 6
+  'init-org', 'install-skill', 'publish-skill', 'pr-review', 'workspace', 'benchmark',
+  // Day 7
+  'update', 'migrate', 'plugins', 'tokens', 'release',
+];
+
+assert.strictEqual(ALL_COMMANDS.length, 36, `Expected 36 commands, have ${ALL_COMMANDS.length}`);
+console.log(`  (verifying all ${ALL_COMMANDS.length} commands)`);
+
+test('all 36 commands in .claude/commands/mindforge/', () => {
+  const missing = ALL_COMMANDS.filter(cmd => !exists(`.claude/commands/mindforge/${cmd}.md`));
+  assert.strictEqual(missing.length, 0, `Missing: ${missing.join(', ')}`);
+});
+
+test('all 36 commands mirrored to .agent/mindforge/', () => {
+  const missing = ALL_COMMANDS.filter(cmd => !exists(`.agent/mindforge/${cmd}.md`));
+  assert.strictEqual(missing.length, 0, `Missing agent mirror: ${missing.join(', ')}`);
+});
+
+test('no command file is empty (> 100 chars)', () => {
+  const tiny = ALL_COMMANDS.filter(cmd => {
+    const p = `.claude/commands/mindforge/${cmd}.md`;
+    return exists(p) && fs.statSync(p).size < 100;
+  });
+  assert.strictEqual(tiny.length, 0, `Too small: ${tiny.join(', ')}`);
+});
+
+// ── Hardening tests ───────────────────────────────────────────────────────────
+console.log('\nHardening tests:');
+
+test('SENSITIVE_EXCLUDE properly excludes .env and .key files', () => {
+  const SENSITIVE_EXCLUDE = [
+    '.env', /^\.env\..*/, /\.key$/, /\.pem$/, 'secrets', /^secrets$/
+  ];
+  const shouldExclude = (name) =>
+    SENSITIVE_EXCLUDE.some(p => typeof p === 'string' ? p === name : p.test(name));
+
+  assert.ok(shouldExclude('.env'),               '.env should be excluded');
+  assert.ok(shouldExclude('.env.local'),         '.env.local should be excluded');
+  assert.ok(shouldExclude('private.key'),        'private.key should be excluded');
+  assert.ok(shouldExclude('certificate.pem'),    'certificate.pem should be excluded');
+  assert.ok(shouldExclude('secrets'),            'secrets directory should be excluded');
+  assert.ok(!shouldExclude('package.json'),      'package.json should NOT be excluded');
+  assert.ok(!shouldExclude('.mindforge'),        '.mindforge should NOT be excluded');
+  assert.ok(!shouldExclude('src'),               'src should NOT be excluded');
+});
+
+test('SENSITIVE_EXCLUDE uses regex for .key and .pem (not glob strings)', () => {
+  const c = fs.readFileSync('bin/installer-core.js', 'utf8');
+  // Should use regex pattern /\.key$/ not string '*.key'
+  assert.ok(!c.includes("'*.key'"), 'Should not use glob string for .key');
+  assert.ok(!c.includes("'*.pem'"), 'Should not use glob string for .pem');
+  assert.ok(
+    c.includes('\\.key$') || c.includes('/\\.key$/') || c.includes('/.key$/'),
+    'Should use regex for .key'
+  );
+});
+
+test('migration filter uses toVersion range check (not fromVersion)', () => {
+  const c = fs.readFileSync('bin/migrations/migrate.js', 'utf8');
+  // The correct filter uses compareSemver(m.toVersion, fromVersion) > 0
+  assert.ok(
+    c.includes('m.toVersion') && c.includes('> 0'),
+    'Should use toVersion range check for migration filter'
+  );
+});
+
+test('migration has CI auto-delete of backup', () => {
+  const c = fs.readFileSync('bin/migrations/migrate.js', 'utf8');
+  assert.ok(
+    c.includes('CI') && (c.includes('auto-deleted') || c.includes('rmSync')),
+    'Should auto-delete backup in CI mode'
+  );
+});
+
+// ── Final version check ────────────────────────────────────────────────────────
+console.log('\nVersion:');
+
+test('package.json version is 1.0.0', () => {
+  const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
+  assert.strictEqual(pkg.version, '1.0.0', `Expected 1.0.0, got ${pkg.version}`);
+});
+
+test('CHANGELOG.md has v1.0.0 entry', () => {
+  const c = read('CHANGELOG.md');
+  assert.ok(c.includes('1.0.0'), 'CHANGELOG.md should have 1.0.0 entry');
+});
+
+test('all 20 ADR files present in .planning/decisions/', () => {
+  if (!exists('.planning/decisions/')) return; // Skip if no decisions dir yet
+  const adrs = fs.readdirSync('.planning/decisions/').filter(f => f.startsWith('ADR-') && f.endsWith('.md'));
+  assert.ok(adrs.length >= 20, `Expected >= 20 ADRs, found ${adrs.length}`);
+});
+
+// ── Results ─────────────────────────────────────────────────────────────────────
+console.log(`\n${'─'.repeat(55)}`);
+console.log(`Results: ${passed} passed, ${failed} failed`);
+if (failed > 0) {
+  console.error(`\n❌  ${failed} test(s) failed — not production ready.\n`);
+  process.exit(1);
+} else {
+  console.log(`\n✅  All production readiness tests passed.\n`);
+}

package/tests/sdk.test.js

@@ -0,0 +1,200 @@
+/**
+ * MindForge Day 6 — SDK Tests
+ * Run: node tests/sdk.test.js
+ */
+'use strict';
+const fs = require('fs'), path = require('path'), assert = require('assert');
+let passed = 0, failed = 0;
+function test(name, fn) {
+  try { fn(); console.log(`  ✅ ${name}`); passed++; }
+  catch(e) { console.error(`  ❌ ${name}\n     ${e.message}`); failed++; }
+}
+const read = p => fs.existsSync(p) ? fs.readFileSync(p, 'utf8') : '';
+
+// ── Lightweight SDK client simulation (without TypeScript compilation) ─────────
+class MockMindForgeClient {
+  constructor(config = {}) {
+    this.projectRoot = config.projectRoot || process.cwd();
+  }
+  isInitialised() {
+    return fs.existsSync(path.join(this.projectRoot, '.planning', 'PROJECT.md'));
+  }
+  readHandoff() {
+    const p = path.join(this.projectRoot, '.planning', 'HANDOFF.json');
+    if (!fs.existsSync(p)) return null;
+    try { return JSON.parse(fs.readFileSync(p, 'utf8')); }
+    catch { return null; }
+  }
+  readAuditLog(filter = {}) {
+    const p = path.join(this.projectRoot, '.planning', 'AUDIT.jsonl');
+    if (!fs.existsSync(p)) return [];
+    return fs.readFileSync(p, 'utf8')
+      .split('\n').filter(Boolean)
+      .map(l => { try { return JSON.parse(l); } catch { return null; } })
+      .filter(Boolean)
+      .filter(e => !filter.event || e.event === filter.event);
+  }
+  async health() {
+    const warnings = [], errors = [], info = [];
+    const handoff = this.readHandoff();
+    if (handoff && !handoff.schema_version) {
+      errors.push({ category: 'state', message: 'HANDOFF.json missing schema_version' });
+    }
+    return {
+      overallStatus: errors.length > 0 ? 'error' : warnings.length > 0 ? 'warning' : 'healthy',
+      errors, warnings, informational: info,
+      timestamp: new Date().toISOString(),
+    };
+  }
+}
+
+// ── Command builder simulation ────────────────────────────────────────────────
+const commands = {
+  health: (opts = {}) => `/mindforge:health ${(opts.flags||[]).join(' ')}`.trim(),
+  planPhase: (n, opts = {}) => `/mindforge:plan-phase ${n} ${(opts.flags||[]).join(' ')}`.trim(),
+  executePhase: (n, opts = {}) => `/mindforge:execute-phase ${n} ${(opts.flags||[]).join(' ')}`.trim(),
+  audit: (f = {}) => {
+    const parts = ['/mindforge:audit'];
+    if (f.phase) parts.push(`--phase ${f.phase}`);
+    if (f.event) parts.push(`--event ${f.event}`);
+    return parts.join(' ');
+  },
+};
+
+console.log('\nMindForge Day 6 — SDK Tests\n');
+
+console.log('SDK source files:');
+['index.ts','client.ts','types.ts','events.ts','commands.ts'].forEach(f => {
+  test(`sdk/src/${f} exists`, () => {
+    assert.ok(fs.existsSync(`sdk/src/${f}`), `Missing: sdk/src/${f}`);
+  });
+});
+
+console.log('\nSDK type exports:');
+test('index.ts exports VERSION', () => {
+  const c = read('sdk/src/index.ts');
+  assert.ok(c.includes("VERSION"), 'Should export VERSION');
+});
+
+test('types.ts defines MindForgeConfig', () => {
+  const c = read('sdk/src/types.ts');
+  assert.ok(c.includes('MindForgeConfig'), 'Should define MindForgeConfig');
+});
+
+test('types.ts defines all result types', () => {
+  const c = read('sdk/src/types.ts');
+  ['PhaseResult','TaskResult','SecurityFinding','GateResult','HealthReport'].forEach(t => {
+    assert.ok(c.includes(t), `Should define ${t}`);
+  });
+});
+
+test('events.ts defines MindForgeEventStream', () => {
+  const c = read('sdk/src/events.ts');
+  assert.ok(c.includes('MindForgeEventStream'), 'Should define MindForgeEventStream');
+  assert.ok(c.includes('watchAuditLog'), 'Should have watchAuditLog method');
+});
+
+console.log('\nSDK client behaviour:');
+
+test('client.isInitialised() returns false when PROJECT.md missing', () => {
+  const client = new MockMindForgeClient({ projectRoot: '/tmp/nonexistent-project' });
+  assert.strictEqual(client.isInitialised(), false);
+});
+
+test('client.isInitialised() returns true when PROJECT.md exists', () => {
+  const client = new MockMindForgeClient({ projectRoot: process.cwd() });
+  // May be true or false depending on whether we're in a MindForge project
+  assert.ok(typeof client.isInitialised() === 'boolean');
+});
+
+test('client.readHandoff() returns null when HANDOFF.json missing', () => {
+  const client = new MockMindForgeClient({ projectRoot: '/tmp/nonexistent-project' });
+  assert.strictEqual(client.readHandoff(), null);
+});
+
+test('client.readHandoff() parses valid HANDOFF.json', () => {
+  const client = new MockMindForgeClient({ projectRoot: process.cwd() });
+  const handoff = client.readHandoff();
+  if (handoff) {
+    assert.ok(typeof handoff === 'object', 'HANDOFF.json should parse to object');
+    assert.ok(handoff.schema_version, 'HANDOFF.json should have schema_version');
+  }
+  // null is acceptable if not in a MindForge project
+});
+
+test('client.readAuditLog() returns array', () => {
+  const client = new MockMindForgeClient({ projectRoot: process.cwd() });
+  const log = client.readAuditLog();
+  assert.ok(Array.isArray(log), 'readAuditLog should return array');
+});
+
+test('client.readAuditLog() filters by event type', () => {
+  const client = new MockMindForgeClient({ projectRoot: process.cwd() });
+  const secFindings = client.readAuditLog({ event: 'security_finding' });
+  assert.ok(Array.isArray(secFindings));
+  secFindings.forEach(e => {
+    assert.strictEqual(e.event, 'security_finding', 'All entries should match filter');
+  });
+});
+
+test('client.health() returns HealthReport shape', async () => {
+  const client = new MockMindForgeClient({ projectRoot: process.cwd() });
+  const report = await client.health();
+  assert.ok(['healthy','warning','error'].includes(report.overallStatus));
+  assert.ok(Array.isArray(report.errors));
+  assert.ok(Array.isArray(report.warnings));
+  assert.ok(report.timestamp);
+});
+
+console.log('\nCommand builders:');
+test('commands.health() builds correct string', () => {
+  assert.strictEqual(commands.health(), '/mindforge:health');
+  assert.strictEqual(commands.health({ flags: ['--repair'] }), '/mindforge:health --repair');
+});
+
+test('commands.planPhase() builds correct string', () => {
+  assert.strictEqual(commands.planPhase(3), '/mindforge:plan-phase 3');
+});
+
+test('commands.audit() builds filter string', () => {
+  const cmd = commands.audit({ phase: 3, event: 'security_finding' });
+  assert.ok(cmd.includes('--phase 3'));
+  assert.ok(cmd.includes('--event security_finding'));
+});
+
+test('commands.executePhase() includes phase number', () => {
+  const cmd = commands.executePhase(2);
+  assert.ok(cmd.includes('2'));
+  assert.ok(cmd.startsWith('/mindforge:execute-phase'));
+});
+
+console.log('\nHardening-prompted SDK tests:');
+
+test('SDK SSE server binds to 127.0.0.1 (localhost only)', () => {
+  const c = read('sdk/src/events.ts');
+  assert.ok(
+    c.includes("'127.0.0.1'") || c.includes('"127.0.0.1"'),
+    'SSE server should bind to 127.0.0.1 only'
+  );
+});
+
+test('SDK SSE server rejects non-localhost connections', () => {
+  const c = read('sdk/src/events.ts');
+  assert.ok(
+    c.includes('isLocalhost') || c.includes('remoteAddress') || c.includes('Forbidden'),
+    'SSE server should reject non-localhost connections'
+  );
+});
+
+test('SDK has inotify fallback for Linux', () => {
+  const c = read('sdk/src/events.ts');
+  assert.ok(
+    c.includes('ENOSPC') || c.includes('polling') || c.includes('watchFile'),
+    'SDK should handle Linux inotify limits'
+  );
+});
+
+console.log(`\n${'─'.repeat(50)}`);
+console.log(`Results: ${passed} passed, ${failed} failed`);
+if (failed > 0) { console.error(`\n❌ ${failed} test(s) failed.\n`); process.exit(1); }
+else { console.log(`\n✅ All SDK tests passed.\n`); }