ndomo 0.1.0

package/scripts/smoke-hot.ts

@@ -0,0 +1,417 @@
+/**
+ * ndomo smoke-hot — end-to-end DB feature test (v1-v5).
+ *
+ * Runs 7 numbered tests on a fresh DB. Exits 0 on all pass, 1 on any fail.
+ * Uses HOME from env, creates $HOME/.ndomo/ for mem/plans archive.
+ * NDOMO_MEM_DIR env var overrides mem dir (default ~/.ndomo/mem/plans).
+ *
+ * Usage:
+ *   TESTHOME=$(mktemp -d) \
+ *     HOME=$TESTHOME \
+ *     NDOMO_MEM_DIR=$TESTHOME/.ndomo/mem/plans \
+ *     bun scripts/smoke-hot.ts
+ *
+ * Cleanup:
+ *   rm -rf $TESTHOME
+ */
+
+import { existsSync, mkdirSync, readdirSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { openDb } from "../src/db/client.ts";
+import { runMigrations } from "../src/db/migrations.ts";
+import { archivePlan } from "../src/db/plan-archive.ts";
+import { approvePlan, createPlan, searchPlans, updatePlanStatus } from "../src/db/plans.ts";
+import { checkpointSession, getSession, startSession } from "../src/db/sessions.ts";
+import { createTasksBatch, updateTaskStatus } from "../src/db/tasks.ts";
+
+// ─── Setup ─────────────────────────────────────────────────────────────────
+
+const home = process.env.HOME;
+if (!home) {
+  console.error("HOME not set");
+  process.exit(1);
+}
+
+const testDir = join(home, ".ndomo-test");
+mkdirSync(testDir, { recursive: true });
+
+// Ensure $HOME/.ndomo/ exists (spec requirement)
+mkdirSync(join(home, ".ndomo"), { recursive: true });
+
+const db = openDb(testDir);
+runMigrations(db);
+
+let testN = 0;
+
+function fail(n: number, msg: string, err?: unknown): never {
+  console.error(`[${n}/7] ${msg}... FAILED`);
+  if (err !== undefined) {
+    console.error(err instanceof Error ? err.message : String(err));
+  }
+  console.error("SMOKE FAILED");
+  db.close();
+  process.exit(1);
+}
+
+// ─── Test 1: Migrations in fresh DB ────────────────────────────────────────
+
+testN++;
+try {
+  const versions = db.query("SELECT version FROM schema_version ORDER BY version").all() as {
+    version: number;
+  }[];
+
+  if (versions.length !== 5) {
+    fail(testN, `schema_version has ${versions.length} entries, expected 5`, versions);
+  }
+  console.log(`[${testN}/7] schema_version has 5 entries (v1..v5)... OK`);
+  console.log(JSON.stringify(versions, null, 2));
+
+  const tables = db
+    .query("SELECT name FROM sqlite_master WHERE type IN ('table','view') ORDER BY name")
+    .all() as { name: string }[];
+  const tableNames = tables.map((r) => r.name);
+
+  const expected = ["plans", "plan_tasks", "sessions", "plan_tags", "task_tags", "plan_progress"];
+  for (const name of expected) {
+    if (!tableNames.includes(name)) {
+      fail(testN, `missing table/view: ${name}`, tableNames);
+    }
+  }
+  console.log(`[${testN}/7] Required tables/views exist... OK`);
+  console.log(JSON.stringify(tableNames, null, 2));
+} catch (err) {
+  fail(testN, "Migrations in fresh DB", err);
+}
+
+// ─── Test 2: createPlan (draft) ────────────────────────────────────────────
+
+testN++;
+try {
+  const plan = createPlan(db, {
+    id: "hp1",
+    slug: "hot-test",
+    title: "Hot Test",
+    status: "draft",
+    priority: 3,
+    overview: "smoke hot",
+    approvedAt: null,
+    completedAt: null,
+    sessionId: null,
+    approach: null,
+    complexity: 3,
+    createdBy: "smoke",
+    updatedBy: "smoke",
+    sourceSessionId: null,
+    sourceMessageId: null,
+    category: null,
+    metadata: {},
+    archivedAt: null,
+  });
+
+  if (plan.status !== "draft") {
+    fail(testN, `expected status "draft", got "${plan.status}"`, plan);
+  }
+  if (plan.id !== "hp1") {
+    fail(testN, `expected id "hp1", got "${plan.id}"`, plan);
+  }
+  console.log(`[${testN}/7] createPlan (draft) id=hp1 status=draft... OK`);
+  console.log(JSON.stringify({ id: plan.id, status: plan.status }, null, 2));
+} catch (err) {
+  fail(testN, "createPlan (draft)", err);
+}
+
+// ─── Test 3: approvePlan + createTasksBatch ────────────────────────────────
+
+testN++;
+try {
+  const approved = approvePlan(db, "hp1");
+  if (!approved) {
+    fail(testN, "approvePlan returned null");
+  }
+  if (approved.status !== "approved") {
+    fail(testN, `expected status "approved", got "${approved.status}"`, approved);
+  }
+  if (approved.approvedAt === null) {
+    fail(testN, "approvedAt should not be null after approvePlan", approved);
+  }
+  console.log(`[${testN}/7] approvePlan status=approved approvedAt=set... OK`);
+
+  const tasks = createTasksBatch(db, "hp1", [
+    {
+      orderIndex: 0,
+      description: "task 1",
+      agent: "smith",
+      files: [],
+      dependencies: [],
+      complexity: 2,
+      createdBy: "smoke",
+      updatedBy: "smoke",
+      sourceSessionId: null,
+      sourceMessageId: null,
+      reviewedBy: null,
+      tokensUsed: null,
+      durationMs: null,
+      artifacts: [],
+      metadata: {},
+    },
+    {
+      orderIndex: 1,
+      description: "task 2",
+      agent: "js-smith",
+      files: [],
+      dependencies: [],
+      complexity: 3,
+      createdBy: "smoke",
+      updatedBy: "smoke",
+      sourceSessionId: null,
+      sourceMessageId: null,
+      reviewedBy: null,
+      tokensUsed: null,
+      durationMs: null,
+      artifacts: [],
+      metadata: {},
+    },
+  ]);
+
+  if (tasks.length !== 2) {
+    fail(testN, `expected 2 tasks, got ${tasks.length}`, tasks);
+  }
+  if (tasks[0]?.orderIndex !== 0) {
+    fail(testN, `task[0].orderIndex expected 0, got ${tasks[0]?.orderIndex}`, tasks[0]);
+  }
+  if (tasks[1]?.orderIndex !== 1) {
+    fail(testN, `task[1].orderIndex expected 1, got ${tasks[1]?.orderIndex}`, tasks[1]);
+  }
+  console.log(`[${testN}/7] createTasksBatch 2 tasks orderIndex 0,1... OK`);
+  console.log(
+    JSON.stringify(
+      tasks.map((t) => ({ id: t.id, orderIndex: t.orderIndex, description: t.description })),
+      null,
+      2,
+    ),
+  );
+} catch (err) {
+  fail(testN, "approvePlan + createTasksBatch", err);
+}
+
+// ─── Test 4: session + checkpoint + task updates ───────────────────────────
+
+testN++;
+try {
+  const sessionStarted = startSession(db, {
+    id: "hs1",
+    planId: "hp1",
+    goal: "smoke",
+    metadata: {},
+  });
+  if (sessionStarted.id !== "hs1") {
+    fail(testN, `startSession id mismatch: got "${sessionStarted.id}"`);
+  }
+  console.log(`[${testN}/7] startSession id=hs1... OK`);
+
+  const sessionCheckpointed = checkpointSession(
+    db,
+    "hs1",
+    { phase: "testing" },
+    "chose smoke path",
+  );
+  if (!sessionCheckpointed) {
+    fail(testN, "checkpointSession returned null");
+  }
+  if (sessionCheckpointed.state.phase !== "testing") {
+    fail(
+      testN,
+      `expected state.phase "testing", got "${String(sessionCheckpointed.state.phase)}"`,
+      sessionCheckpointed.state,
+    );
+  }
+  if (sessionCheckpointed.keyDecisions !== "chose smoke path") {
+    fail(
+      testN,
+      `expected keyDecisions "chose smoke path", got "${sessionCheckpointed.keyDecisions}"`,
+    );
+  }
+  console.log(`[${testN}/7] checkpointSession phase=testing keyDecisions=set... OK`);
+
+  // Get tasks for this plan via direct query (avoids import cycle)
+  const tasks = (
+    db
+      .query("SELECT id, order_index FROM plan_tasks WHERE plan_id = ? ORDER BY order_index")
+      .all("hp1") as { id: string; order_index: number }[]
+  ).map((r) => ({ id: r.id, orderIndex: r.order_index }));
+
+  if (tasks.length < 2) {
+    fail(testN, `expected at least 2 tasks, got ${tasks.length}`, tasks);
+  }
+  const t0 = tasks[0] as { id: string };
+  const t1 = tasks[1] as { id: string };
+
+  // Set task 0 to running
+  const runningTask = updateTaskStatus(db, t0.id, "running");
+  if (!runningTask || runningTask.status !== "running") {
+    fail(testN, `task[0] status expected "running", got "${runningTask?.status}"`);
+  }
+  if (runningTask.startedAt === null) {
+    fail(testN, "task[0].startedAt should be set after running status", runningTask);
+  }
+  console.log(`[${testN}/7] task[0] status=running startedAt=set... OK`);
+
+  // Set task 0 to done with result
+  const doneTask0 = updateTaskStatus(db, t0.id, "done", {
+    result: "completed successfully",
+  });
+  if (!doneTask0 || doneTask0.status !== "done") {
+    fail(testN, `task[0] status expected "done", got "${doneTask0?.status}"`);
+  }
+  if (doneTask0.completedAt === null) {
+    fail(testN, "task[0].completedAt should be set after done status", doneTask0);
+  }
+  console.log(`[${testN}/7] task[0] status=done completedAt=set... OK`);
+
+  // Set task 1 to done with result
+  const doneTask1 = updateTaskStatus(db, t1.id, "done", { result: "ok" });
+  if (!doneTask1 || doneTask1.status !== "done") {
+    fail(testN, `task[1] status expected "done", got "${doneTask1?.status}"`);
+  }
+  console.log(`[${testN}/7] task[1] status=done... OK`);
+
+  // Verify session state persisted
+  const sessionReloaded = getSession(db, "hs1");
+  if (!sessionReloaded) {
+    fail(testN, "getSession returned null after updates");
+  }
+  if (sessionReloaded.state.phase !== "testing") {
+    fail(testN, "session.state.phase should persist after checkpoint", sessionReloaded.state);
+  }
+  console.log(`[${testN}/7] session state persisted phase=testing... OK`);
+} catch (err) {
+  fail(testN, "session + checkpoint + task updates", err);
+}
+
+// ─── Test 5: updatePlanStatus(completed) + auto-archive ────────────────────
+
+testN++;
+try {
+  const updated = updatePlanStatus(db, "hp1", "completed");
+  if (!updated || updated.status !== "completed") {
+    fail(testN, `updatePlanStatus expected "completed", got "${updated?.status}"`);
+  }
+  console.log(`[${testN}/7] updatePlanStatus(completed)... OK`);
+
+  // Replicate auto-archive logic from plugin.ts
+  // getMemDir equivalent: NDOMO_MEM_DIR env var, else ~/.ndomo/mem/plans
+  const localMemDir = process.env.NDOMO_MEM_DIR ?? join(home, ".ndomo", "mem", "plans");
+  mkdirSync(localMemDir, { recursive: true });
+
+  const archiveResult = archivePlan(db, "hp1", { memDir: localMemDir });
+
+  if (!existsSync(archiveResult.filePath)) {
+    fail(testN, `archive file not found at ${archiveResult.filePath}`, archiveResult);
+  }
+  console.log(`[${testN}/7] archive file exists... OK`);
+  console.log(
+    JSON.stringify({ filePath: archiveResult.filePath, byteSize: archiveResult.byteSize }, null, 2),
+  );
+
+  const mdContent = readFileSync(archiveResult.filePath, "utf-8");
+  if (!mdContent.includes("Hot Test")) {
+    fail(testN, "archive markdown missing 'Hot Test'", { preview: mdContent.slice(0, 200) });
+  }
+  if (!mdContent.includes("## Tasks")) {
+    fail(testN, "archive markdown missing '## Tasks' section", {
+      preview: mdContent.slice(0, 500),
+    });
+  }
+  console.log(`[${testN}/7] markdown includes "Hot Test" and "## Tasks"... OK`);
+} catch (err) {
+  fail(testN, "updatePlanStatus + auto-archive", err);
+}
+
+// ─── Test 6: searchPlans filters archived by default ───────────────────────
+
+testN++;
+try {
+  const defaultResults = searchPlans(db, "hot test");
+  if (defaultResults.length !== 0) {
+    fail(
+      testN,
+      `searchPlans() expected 0 results, got ${defaultResults.length}`,
+      defaultResults.map((p) => ({ id: p.id, title: p.title })),
+    );
+  }
+  console.log(`[${testN}/7] searchPlans() returns 0 (archived excluded)... OK`);
+
+  const archivedResults = searchPlans(db, "hot test", 20, {
+    includeArchived: true,
+  });
+  if (archivedResults.length !== 1) {
+    fail(
+      testN,
+      `searchPlans(includeArchived:true) expected 1 result, got ${archivedResults.length}`,
+      archivedResults.map((p) => ({ id: p.id, title: p.title })),
+    );
+  }
+  if (archivedResults[0]?.id !== "hp1") {
+    fail(testN, `expected hp1, got ${archivedResults[0]?.id}`, archivedResults[0]);
+  }
+  console.log(`[${testN}/7] searchPlans(includeArchived:true) returns hp1... OK`);
+  console.log(
+    JSON.stringify(
+      archivedResults.map((p) => ({ id: p.id, title: p.title })),
+      null,
+      2,
+    ),
+  );
+} catch (err) {
+  fail(testN, "searchPlans archive filter", err);
+}
+
+// ─── Test 7: verify archive markdown format ────────────────────────────────
+
+testN++;
+try {
+  const localMemDir = process.env.NDOMO_MEM_DIR ?? join(home, ".ndomo", "mem", "plans");
+  // Find the md file for hp1 (hot-test-2026-*.md)
+  const files = readdirSync(localMemDir).filter(
+    (f) => f.startsWith("hot-test-") && f.endsWith(".md"),
+  );
+  if (files.length === 0) {
+    fail(testN, "no archive markdown file found in memDir", localMemDir);
+  }
+  const firstFile = files[0] as string;
+  const mdPath = join(localMemDir, firstFile);
+  const mdContent = readFileSync(mdPath, "utf-8");
+  const lines = mdContent.split("\n");
+
+  // First line should be # Plan: Hot Test
+  const firstLine = lines[0] ?? "";
+  if (!firstLine.includes("Hot Test")) {
+    fail(testN, `first line should contain "Hot Test", got: "${firstLine}"`);
+  }
+  console.log(`[${testN}/7] first line contains "Hot Test"... OK`);
+
+  // Section ## Tasks with 2 [x] checkboxes
+  const taskCheckboxMatches = mdContent.match(/\[x\]/g);
+  if (!taskCheckboxMatches || taskCheckboxMatches.length < 2) {
+    fail(testN, `expected 2 [x] checkboxes, found ${taskCheckboxMatches?.length ?? 0}`);
+  }
+  console.log(`[${testN}/7] has ## Tasks with 2 [x] checkboxes... OK`);
+
+  // Section ## Metadata with JSON block
+  if (!mdContent.includes("## Metadata")) {
+    fail(testN, "missing ## Metadata section", { preview: mdContent.slice(-500) });
+  }
+  if (!mdContent.includes("```json")) {
+    fail(testN, "missing JSON code block in Metadata", { preview: mdContent.slice(-500) });
+  }
+  console.log(`[${testN}/7] has ## Metadata with JSON block... OK`);
+} catch (err) {
+  fail(testN, "archive markdown format check", err);
+}
+
+// ─── Done ──────────────────────────────────────────────────────────────────
+
+db.close();
+console.log("SMOKE OK");
+process.exit(0);

package/scripts/smoke-http.sh

@@ -0,0 +1,228 @@
+#!/usr/bin/env bash
+# ndomo Phase 1 HTTP server smoke test.
+#
+# Boots the Elysia HTTP server, runs a battery of curl assertions against
+# REST + SSE endpoints, verifies security headers, then kills the server.
+#
+# Usage:
+#   bash scripts/smoke-http.sh
+#
+# Env overrides:
+#   SMOKE_PORT      TCP port for the server (default: 4097)
+#   SMOKE_PASSWORD  HTTP Basic password (default: smoke-test-password)
+#   SMOKE_TIMEOUT   Health-check wait in seconds (default: 10)
+#
+# Exit 0 on all assertions pass, exit 1 on any failure.
+set -euo pipefail
+
+# ─── Banner ──────────────────────────────────────────────────────────────────
+echo "┌──────────────────────────────────────┐"
+echo "│  Phase 1 HTTP server smoke test      │"
+echo "└──────────────────────────────────────┘"
+
+# ─── Resolve project root (this script's parent dir) ─────────────────────────
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+cd "${PROJECT_ROOT}"
+
+# ─── Pre-flight checks ───────────────────────────────────────────────────────
+command -v bun >/dev/null 2>&1 || {
+  echo "[FAIL] bun not found in PATH — install from https://bun.sh" >&2
+  exit 1
+}
+command -v curl >/dev/null 2>&1 || {
+  echo "[FAIL] curl not found in PATH" >&2
+  exit 1
+}
+
+# ─── Config ──────────────────────────────────────────────────────────────────
+SMOKE_PORT="${SMOKE_PORT:-4097}"
+SMOKE_PASSWORD="${SMOKE_PASSWORD:-smoke-test-password}"
+SMOKE_TIMEOUT="${SMOKE_TIMEOUT:-10}"
+
+# Validate port range
+if ! [[ "${SMOKE_PORT}" =~ ^[0-9]+$ ]] || [ "${SMOKE_PORT}" -lt 1 ] || [ "${SMOKE_PORT}" -gt 65535 ]; then
+  echo "[FAIL] invalid SMOKE_PORT: ${SMOKE_PORT}" >&2
+  exit 1
+fi
+
+# ─── Port fallback helper ────────────────────────────────────────────────────
+# If SMOKE_PORT is in use, fall back to the next free port up to +10.
+find_free_port() {
+  local start="$1"
+  for offset in $(seq 0 10); do
+    local candidate=$((start + offset))
+    if ! ss -lnt 2>/dev/null | awk '{print $4}' | grep -qE "(^|:)${candidate}$"; then
+      echo "${candidate}"
+      return 0
+    fi
+  done
+  return 1
+}
+
+PORT="$(find_free_port "${SMOKE_PORT}")" || {
+  echo "[FAIL] no free port in range ${SMOKE_PORT}-$((SMOKE_PORT + 10))" >&2
+  exit 1
+}
+if [ "${PORT}" != "${SMOKE_PORT}" ]; then
+  echo "[info] SMOKE_PORT ${SMOKE_PORT} busy — falling back to ${PORT}"
+fi
+
+# ─── Bootstrap .ndomo/state.db if missing ────────────────────────────────────
+NDOMO_DB="${PROJECT_ROOT}/.ndomo/state.db"
+if [ ! -f "${NDOMO_DB}" ]; then
+  echo "[setup] bootstrapping .ndomo/state.db..."
+  bun -e '
+    import { Database } from "bun:sqlite";
+    import { mkdirSync } from "node:fs";
+    import { join } from "node:path";
+    const dir = join(process.cwd(), ".ndomo");
+    mkdirSync(dir, { recursive: true });
+    const db = new Database(join(dir, "state.db"), { create: true });
+    db.exec("PRAGMA foreign_keys = ON");
+    db.exec("PRAGMA auto_vacuum = INCREMENTAL");
+    db.exec("PRAGMA journal_mode = WAL");
+    db.exec("PRAGMA synchronous = NORMAL");
+    const { runMigrations } = await import("./src/db/migrations.ts");
+    runMigrations(db);
+    db.close();
+    console.log("[setup] db initialized");
+  ' || {
+    echo "[FAIL] failed to bootstrap .ndomo/state.db" >&2
+    exit 1
+  }
+fi
+
+# ─── Export server env ───────────────────────────────────────────────────────
+export NDOMO_HTTP_ENABLED=true
+export NDOMO_HTTP_PORT="${PORT}"
+export NDOMO_HTTP_AUTH_REQUIRED=true
+export NDOMO_HTTP_CORS_ORIGINS='*'
+export OPENCODE_SERVER_PASSWORD="${SMOKE_PASSWORD}"
+export OPENCODE_SERVER_URL="${OPENCODE_SERVER_URL:-http://localhost:4096}"
+
+# ─── Start server in background ─────────────────────────────────────────────
+LOG="$(mktemp -t smoke-http-XXXXXX.log)"
+echo "[setup] starting server on port ${PORT} (log: ${LOG})"
+
+# Use --cors to ensure wildcard; --force is NOT needed because env enables it.
+bun run src/cli/serve.ts --port "${PORT}" --cors '*' >"${LOG}" 2>&1 &
+SERVER_PID=$!
+
+# Register cleanup trap — runs even on assertion failure
+cleanup() {
+  local exit_code=$?
+  if kill -0 "${SERVER_PID}" 2>/dev/null; then
+    echo "[cleanup] killing server pid ${SERVER_PID}"
+    kill "${SERVER_PID}" 2>/dev/null || true
+    # Wait up to 3s for graceful shutdown
+    for _ in 1 2 3 4 5 6; do
+      kill -0 "${SERVER_PID}" 2>/dev/null || break
+      sleep 0.5
+    done
+    # Hard kill if still alive
+    kill -9 "${SERVER_PID}" 2>/dev/null || true
+    wait "${SERVER_PID}" 2>/dev/null || true
+  fi
+  rm -f "${LOG}"
+  exit "${exit_code}"
+}
+trap cleanup EXIT INT TERM
+
+# ─── Wait for /health (up to SMOKE_TIMEOUT seconds, 200ms backoff) ────────────
+echo "[wait] polling /health (timeout ${SMOKE_TIMEOUT}s)..."
+ready=false
+deadline=$(( $(date +%s) + SMOKE_TIMEOUT ))
+while [ "$(date +%s)" -lt "${deadline}" ]; do
+  if ! kill -0 "${SERVER_PID}" 2>/dev/null; then
+    echo "[FAIL] server died before becoming ready. Log:"
+    cat "${LOG}" >&2
+    exit 1
+  fi
+  if curl -fsS -o /dev/null "localhost:${PORT}/health" 2>/dev/null; then
+    ready=true
+    break
+  fi
+  sleep 0.2
+done
+if [ "${ready}" != "true" ]; then
+  echo "[FAIL] /health did not respond within ${SMOKE_TIMEOUT}s. Log:"
+  cat "${LOG}" >&2
+  exit 1
+fi
+echo "[ready] server up on port ${PORT}"
+
+# ─── Assertion harness ───────────────────────────────────────────────────────
+PASS=0
+FAIL=0
+FAILED_NAMES=()
+
+assert() {
+  local name="$1"
+  local cmd="$2"
+  if eval "${cmd}" >/dev/null 2>&1; then
+    echo "[PASS] ${name}"
+    PASS=$((PASS + 1))
+  else
+    echo "[FAIL] ${name}"
+    FAIL=$((FAIL + 1))
+    FAILED_NAMES+=("${name}")
+  fi
+}
+
+assert "health 200 + status=ok" \
+  "[ \"\$(curl -fsS -o /tmp/smoke-health.json -w '%{http_code}' localhost:${PORT}/health)\" = '200' ] && [ \"\$(grep -o '\"status\":\"[^\"]*\"' /tmp/smoke-health.json | head -1 | cut -d'\"' -f4)\" = 'ok' ]"
+
+assert "auth required: no creds → 401 + WWW-Authenticate" \
+  "[ \"\$(curl -s -o /dev/null -w '%{http_code}' localhost:${PORT}/api/plans)\" = '401' ] && [ -n \"\$(curl -s -i localhost:${PORT}/api/plans | grep -i '^www-authenticate:')\" ]"
+
+assert "auth OK: /api/plans → 200 + JSON array" \
+  "[ \"\$(curl -fsS -o /tmp/smoke-plans.json -w '%{http_code}' -u \"user:${SMOKE_PASSWORD}\" localhost:${PORT}/api/plans)\" = '200' ] && head -c 1 /tmp/smoke-plans.json | grep -q '\\['"
+
+assert "auth OK: /api/sessions/active → 200" \
+  "[ \"\$(curl -fsS -o /tmp/smoke-sessions.json -w '%{http_code}' -u \"user:${SMOKE_PASSWORD}\" localhost:${PORT}/api/sessions/active)\" = '200' ]"
+
+assert "CORS preflight OPTIONS /api/plans → 204 + ACAO" \
+  "[ \"\$(curl -s -o /dev/null -w '%{http_code}' -X OPTIONS -H 'Origin: http://localhost' -H 'Access-Control-Request-Method: GET' localhost:${PORT}/api/plans)\" = '204' ] && [ -n \"\$(curl -s -i -X OPTIONS -H 'Origin: http://localhost' -H 'Access-Control-Request-Method: GET' localhost:${PORT}/api/plans | grep -i '^access-control-allow-origin:')\" ]"
+
+# ─── Security headers (≥ 3 of the canonical set must be present) ────────────
+HDRS_RAW="$(curl -s -i -u "user:${SMOKE_PASSWORD}" localhost:${PORT}/api/sessions/active || true)"
+SEC_HITS=0
+for h in "Strict-Transport-Security" "X-Content-Type-Options" "X-Frame-Options" "Content-Security-Policy" "Referrer-Policy"; do
+  if printf "%s" "${HDRS_RAW}" | grep -qi "^${h}:"; then
+    SEC_HITS=$((SEC_HITS + 1))
+  fi
+done
+assert "security headers ≥ 3 present (got ${SEC_HITS})" \
+  "[ ${SEC_HITS} -ge 3 ]"
+
+# ─── SSE endpoint behavior ───────────────────────────────────────────────────
+# Two valid outcomes:
+#   A) OpenCode SDK up  → 200 + Content-Type: text/event-stream (real SSE stream)
+#   B) OpenCode SDK down → 503 + JSON body { error: "sdk_unavailable" } (graceful fallback)
+# The test passes if EITHER outcome occurs. Both indicate the SSE route is
+# correctly wired (events.ts returns 503 when sdkClient is null).
+SSE_HDRS="$(curl -s -i -N --max-time 2 -u "user:${SMOKE_PASSWORD}" "localhost:${PORT}/api/events" 2>/dev/null || true)"
+SSE_BODY="$(printf '%s' "${SSE_HDRS}" | awk 'BEGIN{p=0} /^\r?$/{p=1; next} p{print}')"
+SSE_STATUS="$(printf '%s' "${SSE_HDRS}" | head -1 | awk '{print $2}')"
+if printf '%s' "${SSE_HDRS}" | grep -qi '^content-type:[[:space:]]*text/event-stream'; then
+  assert "SSE: 200 + text/event-stream (SDK up)" "true"
+elif [ "${SSE_STATUS}" = "503" ] && printf '%s' "${SSE_BODY}" | grep -q '"sdk_unavailable"'; then
+  assert "SSE: 503 + sdk_unavailable (SDK down — graceful fallback)" "true"
+else
+  assert "SSE: 200/503 with correct Content-Type or sdk_unavailable body" "false"
+fi
+
+# ─── Report ──────────────────────────────────────────────────────────────────
+echo ""
+echo "────────────────────────────────────────"
+echo "PASS: ${PASS}/${PASS}+${FAIL}"
+if [ "${FAIL}" -gt 0 ]; then
+  echo "FAILED assertions:"
+  for name in "${FAILED_NAMES[@]}"; do
+    echo "  - ${name}"
+  done
+  exit 1
+fi
+echo "PASS: ${PASS}/${PASS}"
+exit 0