opencode-pilot 0.24.10 → 0.24.12

package/test/integration/real-server.test.js

@@ -0,0 +1,274 @@
+/**
+ * Integration tests against a REAL OpenCode server.
+ *
+ * These tests verify actual API behavior — not mocked assumptions.
+ * They require a running OpenCode instance (the desktop app) with access
+ * to this repo's project. Tests are skipped when no server is available.
+ *
+ * What these tests prove:
+ *
+ *   1. Creating a session with a sandbox directory sets `session.directory`
+ *      to the sandbox path AND resolves the correct `projectID` (same as
+ *      the parent repo). This disproves the assumption that sandbox
+ *      directories produce `projectID = 'global'`.
+ *
+ *   2. PATCH /session/:id does NOT change `session.directory`. The
+ *      `?directory` query param on PATCH is a routing parameter only.
+ *
+ * These facts mean createSessionViaApi only needs to POST with the
+ * working directory — no PATCH-based "re-scoping" is needed.
+ */
+import { describe, it, before, after } from "node:test";
+import assert from "node:assert";
+import path from "node:path";
+
+// ─── Server discovery ───────────────────────────────────────────────────────
+
+const PROJECT_DIR = path.resolve(import.meta.dirname, "../..");
+const SERVER_URL = "http://localhost:4096";
+const SANDBOX_NAME = "test-real-server";
+
+let serverAvailable = false;
+let projectID = null;
+let sandboxDir = null;
+const createdSessionIds = [];
+
+async function checkServer() {
+  try {
+    const encoded = encodeURIComponent(PROJECT_DIR);
+    const res = await fetch(`${SERVER_URL}/session?directory=${encoded}`);
+    if (!res.ok) return false;
+
+    // Also verify this project is known
+    const projRes = await fetch(`${SERVER_URL}/project`);
+    if (!projRes.ok) return false;
+    const projects = await projRes.json();
+    const match = projects.find((p) => p.worktree === PROJECT_DIR);
+    if (!match) return false;
+    projectID = match.id;
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+async function createSandbox() {
+  const encoded = encodeURIComponent(PROJECT_DIR);
+  const res = await fetch(
+    `${SERVER_URL}/experimental/worktree?directory=${encoded}`,
+    {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ name: SANDBOX_NAME }),
+    }
+  );
+  if (!res.ok) return null;
+  const wt = await res.json();
+  return wt.directory;
+}
+
+async function findOrCreateSandbox() {
+  const encoded = encodeURIComponent(PROJECT_DIR);
+  const res = await fetch(
+    `${SERVER_URL}/experimental/worktree?directory=${encoded}`
+  );
+  if (res.ok) {
+    const worktrees = await res.json();
+    const existing = worktrees.find((w) => w.endsWith(`/${SANDBOX_NAME}`));
+    if (existing) return existing;
+  }
+  return createSandbox();
+}
+
+async function archiveSession(id, directory) {
+  const encoded = encodeURIComponent(directory);
+  await fetch(`${SERVER_URL}/session/${id}?directory=${encoded}`, {
+    method: "PATCH",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({ time: { archived: Date.now() } }),
+  }).catch(() => {});
+}
+
+// ─── Test suite ─────────────────────────────────────────────────────────────
+
+describe("real server: session directory behavior", { skip: false }, () => {
+  before(async () => {
+    serverAvailable = await checkServer();
+    if (!serverAvailable) return;
+    sandboxDir = await findOrCreateSandbox();
+  });
+
+  after(async () => {
+    if (!serverAvailable) return;
+    // Archive test sessions so they don't clutter the UI
+    for (const { id, directory } of createdSessionIds) {
+      await archiveSession(id, directory);
+    }
+  });
+
+  it("skip: no OpenCode server running", { skip: !false }, function () {
+    // This is a sentinel — replaced dynamically in before()
+  });
+
+  it("POST /session with sandbox dir → correct directory AND projectID", async (t) => {
+    if (!serverAvailable) return t.skip("no OpenCode server");
+    if (!sandboxDir) return t.skip("could not create sandbox");
+
+    const encoded = encodeURIComponent(sandboxDir);
+    const res = await fetch(`${SERVER_URL}/session?directory=${encoded}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({}),
+    });
+
+    assert.ok(res.ok, `POST /session should succeed (got ${res.status})`);
+    const session = await res.json();
+    createdSessionIds.push({ id: session.id, directory: sandboxDir });
+
+    // The session's directory must be the sandbox path — this is where the
+    // agent will operate. This was the bug: prior code created with the
+    // project dir, so the agent worked in the wrong directory.
+    assert.strictEqual(
+      session.directory,
+      sandboxDir,
+      "session.directory must be the sandbox path (where agent operates)"
+    );
+
+    // The projectID must match the parent repo's project — NOT 'global'.
+    // This disproves the assumption that led to 4 regression-fix cycles.
+    assert.strictEqual(
+      session.projectID,
+      projectID,
+      "session.projectID must match the parent repo (sandbox is a git worktree of the same repo)"
+    );
+  });
+
+  it("POST /session with project dir → project directory and same projectID", async (t) => {
+    if (!serverAvailable) return t.skip("no OpenCode server");
+
+    const encoded = encodeURIComponent(PROJECT_DIR);
+    const res = await fetch(`${SERVER_URL}/session?directory=${encoded}`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({}),
+    });
+
+    assert.ok(res.ok, `POST /session should succeed (got ${res.status})`);
+    const session = await res.json();
+    createdSessionIds.push({ id: session.id, directory: PROJECT_DIR });
+
+    assert.strictEqual(
+      session.directory,
+      PROJECT_DIR,
+      "session.directory must be the project path"
+    );
+
+    assert.strictEqual(
+      session.projectID,
+      projectID,
+      "session.projectID must be the same whether created from sandbox or project dir"
+    );
+  });
+
+  it("PATCH /session/:id does NOT change session.directory", async (t) => {
+    if (!serverAvailable) return t.skip("no OpenCode server");
+    if (!sandboxDir) return t.skip("could not create sandbox");
+
+    // Create session with sandbox dir
+    const encoded = encodeURIComponent(sandboxDir);
+    const createRes = await fetch(
+      `${SERVER_URL}/session?directory=${encoded}`,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({}),
+      }
+    );
+    const session = await createRes.json();
+    createdSessionIds.push({ id: session.id, directory: sandboxDir });
+
+    // PATCH with project dir (this is what the "re-scoping" code tried to do)
+    const projectEncoded = encodeURIComponent(PROJECT_DIR);
+    const patchRes = await fetch(
+      `${SERVER_URL}/session/${session.id}?directory=${projectEncoded}`,
+      {
+        method: "PATCH",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ title: "patched-test" }),
+      }
+    );
+    assert.ok(patchRes.ok, `PATCH should succeed (got ${patchRes.status})`);
+    const patched = await patchRes.json();
+
+    // The directory must NOT have changed — PATCH only updates title/archived
+    assert.strictEqual(
+      patched.directory,
+      sandboxDir,
+      "PATCH must NOT change session.directory (it only updates title/archived)"
+    );
+
+    // Title should have been updated
+    assert.strictEqual(patched.title, "patched-test", "title should be updated");
+
+    // Read it back to be sure
+    const readRes = await fetch(
+      `${SERVER_URL}/session?directory=${encoded}`
+    );
+    const sessions = await readRes.json();
+    const readBack = sessions.find((s) => s.id === session.id);
+    assert.ok(readBack, "session should be readable from sandbox dir");
+    assert.strictEqual(
+      readBack.directory,
+      sandboxDir,
+      "read-back confirms directory unchanged after PATCH"
+    );
+  });
+
+  it("GET /session?directory filters by exact session.directory match", async (t) => {
+    if (!serverAvailable) return t.skip("no OpenCode server");
+    if (!sandboxDir) return t.skip("could not create sandbox");
+
+    // Create session with sandbox dir
+    const encoded = encodeURIComponent(sandboxDir);
+    const createRes = await fetch(
+      `${SERVER_URL}/session?directory=${encoded}`,
+      {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({}),
+      }
+    );
+    const session = await createRes.json();
+    createdSessionIds.push({ id: session.id, directory: sandboxDir });
+
+    // Query with sandbox dir — should find it (exact match on session.directory)
+    const fromSandbox = await fetch(
+      `${SERVER_URL}/session?directory=${encoded}`
+    );
+    const sandboxSessions = await fromSandbox.json();
+    const foundFromSandbox = sandboxSessions.find((s) => s.id === session.id);
+    assert.ok(
+      foundFromSandbox,
+      "session should be found when querying with sandbox dir (exact match)"
+    );
+
+    // Query with project dir — should NOT find it because session.directory
+    // is the sandbox path, not the project path. The ?directory param on
+    // GET /session is both a project-routing param (middleware) AND an exact
+    // filter on session.directory (route handler). Since session.directory
+    // is the sandbox path, it won't match the project path filter.
+    // This is actually correct behavior: it means session reuse via
+    // findReusableSession naturally isolates sandbox sessions from project
+    // sessions — each sandbox only sees its own sessions.
+    const projectEncoded = encodeURIComponent(PROJECT_DIR);
+    const fromProject = await fetch(
+      `${SERVER_URL}/session?directory=${projectEncoded}`
+    );
+    const projectSessions = await fromProject.json();
+    const foundFromProject = projectSessions.find((s) => s.id === session.id);
+    assert.ok(
+      !foundFromProject,
+      "session should NOT appear in project dir listing (directory filter is an exact match on session.directory)"
+    );
+  });
+});

package/test/integration/session-reuse.test.js

@@ -564,9 +564,9 @@ describe("integration: worktree creation with worktree_name", () => {
     assert.ok(worktreeCreateCalled, "Should create worktree when worktree_name is configured");
     assert.strictEqual(createdWorktreeName, "pr-42", "Should expand worktree_name template");
     assert.ok(sessionCreated, "Should create session");
-    // Session creation uses the worktree directory (sets working directory)
-    // The PATCH with project directory re-associates it with the correct project
-    assert.strictEqual(sessionDirectory, "/worktree/pr-42", "Session should be created in worktree directory");
+    // Session creation uses the worktree directory (sets actual working dir)
+    // PATCH with project dir handles UI scoping (best-effort)
+    assert.strictEqual(sessionDirectory, "/worktree/pr-42", "Session should be created with worktree as working directory");
   });
 
   it("reuses stored directory when reprocessing same item", async () => {
@@ -618,8 +618,8 @@ describe("integration: worktree creation with worktree_name", () => {
     assert.ok(result.success, "Action should succeed");
     // Should NOT create a new worktree since we have existing_directory
     assert.strictEqual(worktreeCreateCalled, false, "Should NOT create new worktree when existing_directory provided");
-    // Session creation uses the existing worktree directory (sets working directory)
-    assert.strictEqual(sessionDirectory, existingWorktreeDir, "Session should be created in existing worktree directory");
+    // Session creation uses the worktree directory (sets actual working dir)
+    assert.strictEqual(sessionDirectory, existingWorktreeDir, "Session should be created with worktree as working directory");
   });
 
   it("skips session reuse when working in a worktree", async () => {
@@ -631,7 +631,6 @@ describe("integration: worktree creation with worktree_name", () => {
     let sessionListQueried = false;
     let sessionCreated = false;
     let sessionCreateDirectory = null;
-    let patchDirectory = null;
     
     const existingWorktreeDir = "/worktree/calm-wizard";
     
@@ -655,10 +654,7 @@ describe("integration: worktree creation with worktree_name", () => {
         sessionCreateDirectory = req.query?.directory;
         return { body: { id: "ses_new" } };
       },
-      "PATCH /session/ses_new": (req) => {
-        patchDirectory = req.query?.directory;
-        return { body: {} };
-      },
+      "PATCH /session/ses_new": () => ({ body: {} }),
       "POST /session/ses_new/message": () => ({ body: { success: true } }),
       "POST /session/ses_new/command": () => ({ body: { success: true } }),
     });
@@ -678,13 +674,10 @@ describe("integration: worktree creation with worktree_name", () => {
     // Should NOT query for existing sessions when in a worktree
     assert.strictEqual(sessionListQueried, false,
       "Should skip session reuse entirely when in a worktree");
-    // Should create a new session with the worktree directory (correct working dir)
+    // Should create a new session with the worktree as working directory
     assert.ok(sessionCreated, "Should create a new session");
     assert.strictEqual(sessionCreateDirectory, existingWorktreeDir,
-      "Session should be created in worktree directory");
-    // PATCH re-associates the session with the correct project
-    assert.strictEqual(patchDirectory, "/proj",
-      "PATCH should use project directory for correct project scoping");
+      "New session should be created with worktree as working directory");
   });
 });
 
@@ -974,3 +967,275 @@ describe("integration: stacked PR session reuse", () => {
     }
   });
 });
+
+/**
+ * Session creation invariants
+ *
+ * These tests encode the three correctness requirements for every session
+ * created by pilot. They assert OUTCOMES (which directory was used for which
+ * API call), not implementation details (which function was called or how
+ * parameters were threaded).
+ *
+ * DO NOT CHANGE these tests when refactoring session creation internals.
+ * They should only change if the desired behavior changes.
+ *
+ * See service/session-context.js for the full invariant documentation.
+ *
+ *   A. Project scoping  – POST /session uses projectDirectory
+ *   B. Working directory – messages use workingDirectory (the worktree path)
+ *   C. Session isolation – worktree sessions are never reused across PRs
+ *
+ * Implementation note: these tests use a fetch interceptor (options.fetch)
+ * to capture which URL parameters were used for each API call. This is more
+ * reliable than reading the directory inside the mock server's request
+ * handler, because the AbortController in createSessionViaApi aborts the
+ * connection after receiving response headers — which can race with the mock
+ * server's body-buffering. The interceptor captures the URL synchronously
+ * before the request is sent, avoiding the race entirely.
+ */
+describe("session creation invariants", () => {
+  let mockServer;
+
+  afterEach(async () => {
+    if (mockServer) {
+      await mockServer.close();
+      mockServer = null;
+    }
+  });
+
+  /**
+   * Build a fetch interceptor that records which directory was used for
+   * POST /session (session creation) and POST /session/:id/message or
+   * POST /session/:id/command (message delivery), then forwards to the
+   * real mock server.
+   */
+  function makeFetchInterceptor(calls) {
+    return async (url, opts) => {
+      const u = new URL(url);
+      const method = opts?.method || "GET";
+
+      // Short-circuit message/command: return mock 200 directly.
+      // The AbortController in sendMessageToSession/createSessionViaApi aborts
+      // the connection after response headers arrive, which races with the mock
+      // server's body-buffering (req.on("end") never fires). Returning a
+      // synthetic Response here avoids the race entirely.
+      if (method === "POST" && /^\/session\/[^/]+\/(message|command)$/.test(u.pathname)) {
+        calls.messageDirectory = u.searchParams.get("directory");
+        calls.messageSessionId = u.pathname.split("/")[2];
+        return new Response(JSON.stringify({ success: true }), {
+          status: 200,
+          headers: { "Content-Type": "application/json" },
+        });
+      }
+
+      if (method === "POST" && u.pathname === "/session") {
+        calls.sessionCreateDirectory = u.searchParams.get("directory");
+        calls.sessionCreated = true;
+      }
+      if (method === "PATCH" && /^\/session\/[^/]+$/.test(u.pathname)) {
+        calls.patchDirectory = u.searchParams.get("directory");
+        calls.patchSessionId = u.pathname.split("/")[2];
+      }
+      if (method === "GET" && u.pathname === "/session") {
+        calls.sessionListQueried = true;
+      }
+      return fetch(url, opts);
+    };
+  }
+
+  it("session created with worktree directory, message sent to worktree", async () => {
+    // POST /session must use the worktree directory — this sets session.directory
+    // and determines where the agent operates. OpenCode derives the correct
+    // projectID from the git root (sandbox worktrees share the same root commit).
+    // Verified against a real server in test/integration/real-server.test.js.
+
+    const calls = {};
+
+    mockServer = await createMockServer({
+      "GET /project": () => ({
+        body: [{ id: "proj_1", worktree: "/proj", sandboxes: [], time: { created: 1 } }],
+      }),
+      "GET /experimental/worktree": () => ({ body: [] }),
+      "POST /experimental/worktree": (req) => ({
+        body: { name: req.body?.name, directory: `/worktree/${req.body?.name}` },
+      }),
+      "GET /session": () => ({ body: [] }),
+      "GET /session/status": () => ({ body: {} }),
+      "POST /session": () => ({ body: { id: "ses_inv" } }),
+      "PATCH /session/ses_inv": () => ({ body: {} }),
+    });
+
+    const result = await executeAction(
+      { number: 99, title: "Invariant test PR" },
+      { path: "/proj", prompt: "review", worktree_name: "pr-{number}" },
+      { discoverServer: async () => mockServer.url, fetch: makeFetchInterceptor(calls) }
+    );
+
+    assert.ok(result.success, `Action should succeed (warning: ${result.warning || "none"})`);
+
+    // Session creation uses the worktree directory
+    assert.strictEqual(calls.sessionCreateDirectory, "/worktree/pr-99",
+      "POST /session must use workingDirectory so agent operates in worktree");
+
+    // Message also uses the worktree directory
+    assert.strictEqual(calls.messageDirectory, "/worktree/pr-99",
+      "POST /message must use workingDirectory for correct file operations");
+  });
+
+  it("reprocessing uses existing worktree directory for session and message", async () => {
+    // When reprocessing an item (e.g., new feedback on a PR), the existing worktree
+    // directory is passed. Session creation and messages must both use it.
+
+    const calls = {};
+
+    mockServer = await createMockServer({
+      "GET /project": () => ({
+        body: [{ id: "proj_1", worktree: "/proj", sandboxes: [], time: { created: 1 } }],
+      }),
+      "GET /session": () => ({ body: [] }),
+      "GET /session/status": () => ({ body: {} }),
+      "POST /session": () => ({ body: { id: "ses_reprocess_inv" } }),
+      "PATCH /session/ses_reprocess_inv": () => ({ body: {} }),
+    });
+
+    const result = await executeAction(
+      { number: 42, title: "Reprocessed PR" },
+      {
+        path: "/proj",
+        prompt: "review",
+        worktree_name: "pr-{number}",
+        existing_directory: "/worktree/calm-wizard",
+      },
+      { discoverServer: async () => mockServer.url, fetch: makeFetchInterceptor(calls) }
+    );
+
+    assert.ok(result.success, `Action should succeed (warning: ${result.warning || "none"})`);
+
+    // Session creation uses the existing worktree directory
+    assert.strictEqual(calls.sessionCreateDirectory, "/worktree/calm-wizard",
+      "POST /session must use workingDirectory for correct session directory");
+
+    // Message uses the existing worktree directory
+    assert.strictEqual(calls.messageDirectory, "/worktree/calm-wizard",
+      "POST /message must use workingDirectory for correct file operations");
+  });
+
+  it("invariant C: second PR in same project gets its own session", async () => {
+    // Two PRs in the same project (/proj). PR #1 already has an active session.
+    // PR #2 works in a different worktree. Session reuse must NOT return PR #1's
+    // session — each PR must get its own session.
+
+    const calls = { sessionListQueried: false, sessionCreated: false };
+
+    mockServer = await createMockServer({
+      "GET /project": () => ({
+        body: [{ id: "proj_1", worktree: "/proj", sandboxes: [], time: { created: 1 } }],
+      }),
+      "GET /experimental/worktree": () => ({ body: ["/worktree/pr-200"] }),
+      "GET /session": () => ({
+        // Return PR #1's session — this should NOT be reused for PR #2
+        body: [{ id: "ses_pr1", time: { created: 1, updated: 2 } }],
+      }),
+      "GET /session/status": () => ({ body: { ses_pr1: { type: "idle" } } }),
+      "POST /session": () => ({ body: { id: "ses_pr2" } }),
+      "PATCH /session/ses_pr2": () => ({ body: {} }),
+    });
+
+    const result = await executeAction(
+      { number: 200, title: "PR #200" },
+      {
+        path: "/proj",
+        prompt: "review",
+        worktree_name: "pr-{number}",
+        existing_directory: "/worktree/pr-200",
+      },
+      { discoverServer: async () => mockServer.url, fetch: makeFetchInterceptor(calls) }
+    );
+
+    assert.ok(result.success, `Action should succeed (warning: ${result.warning || "none"})`);
+
+    // Invariant C: session reuse is skipped entirely when in a worktree
+    assert.strictEqual(calls.sessionListQueried, false,
+      "INVARIANT C VIOLATED: worktree sessions must not query for reusable sessions");
+
+    // A new session must be created for this PR
+    assert.ok(calls.sessionCreated,
+      "INVARIANT C VIOLATED: each worktree PR must get its own new session");
+
+    // The returned session must be the new one, not PR #1's
+    assert.strictEqual(result.sessionId, "ses_pr2",
+      "INVARIANT C VIOLATED: result must reference the newly created session, not PR #1's");
+  });
+
+  it("invariant C exception: non-worktree sessions ARE reused", async () => {
+    // Session reuse should still work for items NOT running in a worktree.
+    // A non-worktree item (path == cwd) should find and reuse an existing session.
+
+    const calls = { sessionListQueried: false, sessionCreated: false };
+
+    mockServer = await createMockServer({
+      "GET /project": () => ({
+        body: [{ id: "proj_1", worktree: "/proj", sandboxes: [], time: { created: 1 } }],
+      }),
+      "GET /session": () => ({
+        body: [{ id: "ses_existing", time: { created: 1, updated: 2 } }],
+      }),
+      "GET /session/status": () => ({ body: { ses_existing: { type: "idle" } } }),
+      "POST /session": () => ({ body: { id: "ses_should_not_create" } }),
+      "PATCH /session/ses_existing": () => ({ body: {} }),
+    });
+
+    const result = await executeAction(
+      { number: 1, title: "Non-worktree item" },
+      {
+        path: "/proj",
+        prompt: "review",
+        // No worktree_name, no existing_directory → non-worktree mode
+      },
+      { discoverServer: async () => mockServer.url, fetch: makeFetchInterceptor(calls) }
+    );
+
+    assert.ok(result.success, `Action should succeed (warning: ${result.warning || "none"})`);
+
+    // Non-worktree: session reuse SHOULD work
+    assert.ok(calls.sessionListQueried,
+      "Non-worktree items should query for reusable sessions");
+    assert.strictEqual(calls.sessionCreated, false,
+      "Should reuse existing session, not create a new one");
+    assert.strictEqual(result.sessionId, "ses_existing",
+      "Should return the reused session ID");
+    assert.ok(result.sessionReused,
+      "Should flag the session as reused");
+  });
+
+  it("invariants A+B hold for non-worktree sessions (degenerate case)", async () => {
+    // When there is no worktree, both directories are the same.
+    // POST /session and POST /message should both use the project directory.
+
+    const calls = {};
+
+    mockServer = await createMockServer({
+      "GET /project": () => ({
+        body: [{ id: "proj_1", worktree: "/proj", sandboxes: [], time: { created: 1 } }],
+      }),
+      "GET /session": () => ({ body: [] }),
+      "GET /session/status": () => ({ body: {} }),
+      "POST /session": () => ({ body: { id: "ses_nwt" } }),
+      "PATCH /session/ses_nwt": () => ({ body: {} }),
+    });
+
+    const result = await executeAction(
+      { number: 1, title: "No worktree" },
+      { path: "/proj", prompt: "review" },
+      { discoverServer: async () => mockServer.url, fetch: makeFetchInterceptor(calls) }
+    );
+
+    assert.ok(result.success, `Action should succeed (warning: ${result.warning || "none"})`);
+
+    // Both should be the project directory when no worktree is involved
+    assert.strictEqual(calls.sessionCreateDirectory, "/proj",
+      "Non-worktree: session creation should use project directory");
+    assert.strictEqual(calls.messageDirectory, "/proj",
+      "Non-worktree: message should use project directory");
+  });
+});