npm - palaryn - Versions diffs - 0.1.0 → 0.3.2 - Mend

palaryn 0.1.0 → 0.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (344) hide show

package/README.md +243 -588
package/dist/sdk/typescript/src/client.js +2 -2
package/dist/sdk/typescript/src/client.js.map +1 -1
package/dist/src/anomaly/detector.d.ts +7 -4
package/dist/src/anomaly/detector.d.ts.map +1 -1
package/dist/src/anomaly/detector.js +22 -12
package/dist/src/anomaly/detector.js.map +1 -1
package/dist/src/audit/logger.d.ts +10 -0
package/dist/src/audit/logger.d.ts.map +1 -1
package/dist/src/audit/logger.js +52 -38
package/dist/src/audit/logger.js.map +1 -1
package/dist/src/auth/routes.d.ts.map +1 -1
package/dist/src/auth/routes.js +35 -0
package/dist/src/auth/routes.js.map +1 -1
package/dist/src/budget/manager.d.ts +5 -0
package/dist/src/budget/manager.d.ts.map +1 -1
package/dist/src/budget/manager.js +32 -0
package/dist/src/budget/manager.js.map +1 -1
package/dist/src/budget/model-pricing.d.ts +20 -0
package/dist/src/budget/model-pricing.d.ts.map +1 -0
package/dist/src/budget/model-pricing.js +107 -0
package/dist/src/budget/model-pricing.js.map +1 -0
package/dist/src/budget/usage-extractor.d.ts +3 -1
package/dist/src/budget/usage-extractor.d.ts.map +1 -1
package/dist/src/budget/usage-extractor.js +47 -3
package/dist/src/budget/usage-extractor.js.map +1 -1
package/dist/src/config/defaults.d.ts.map +1 -1
package/dist/src/config/defaults.js +65 -13
package/dist/src/config/defaults.js.map +1 -1
package/dist/src/dlp/tool-patterns.d.ts +7 -0
package/dist/src/dlp/tool-patterns.d.ts.map +1 -0
package/dist/src/dlp/tool-patterns.js +34 -0
package/dist/src/dlp/tool-patterns.js.map +1 -0
package/dist/src/executor/filesystem-executor.d.ts +28 -0
package/dist/src/executor/filesystem-executor.d.ts.map +1 -0
package/dist/src/executor/filesystem-executor.js +192 -0
package/dist/src/executor/filesystem-executor.js.map +1 -0
package/dist/src/executor/http-executor.d.ts.map +1 -1
package/dist/src/executor/http-executor.js +22 -2
package/dist/src/executor/http-executor.js.map +1 -1
package/dist/src/executor/index.d.ts +4 -0
package/dist/src/executor/index.d.ts.map +1 -1
package/dist/src/executor/index.js +9 -1
package/dist/src/executor/index.js.map +1 -1
package/dist/src/executor/shell-executor.d.ts +22 -0
package/dist/src/executor/shell-executor.d.ts.map +1 -0
package/dist/src/executor/shell-executor.js +119 -0
package/dist/src/executor/shell-executor.js.map +1 -0
package/dist/src/executor/sql-executor.d.ts +29 -0
package/dist/src/executor/sql-executor.d.ts.map +1 -0
package/dist/src/executor/sql-executor.js +114 -0
package/dist/src/executor/sql-executor.js.map +1 -0
package/dist/src/executor/websocket-executor.d.ts +26 -0
package/dist/src/executor/websocket-executor.d.ts.map +1 -0
package/dist/src/executor/websocket-executor.js +205 -0
package/dist/src/executor/websocket-executor.js.map +1 -0
package/dist/src/interceptor/index.d.ts +2 -0
package/dist/src/interceptor/index.d.ts.map +1 -0
package/dist/src/interceptor/index.js +6 -0
package/dist/src/interceptor/index.js.map +1 -0
package/dist/src/interceptor/provider-interceptor.d.ts +36 -0
package/dist/src/interceptor/provider-interceptor.d.ts.map +1 -0
package/dist/src/interceptor/provider-interceptor.js +302 -0
package/dist/src/interceptor/provider-interceptor.js.map +1 -0
package/dist/src/mcp/auth-verifier.d.ts.map +1 -1
package/dist/src/mcp/auth-verifier.js +3 -2
package/dist/src/mcp/auth-verifier.js.map +1 -1
package/dist/src/mcp/bridge.d.ts +14 -10
package/dist/src/mcp/bridge.d.ts.map +1 -1
package/dist/src/mcp/bridge.js +51 -227
package/dist/src/mcp/bridge.js.map +1 -1
package/dist/src/mcp/http-transport.d.ts +2 -0
package/dist/src/mcp/http-transport.d.ts.map +1 -1
package/dist/src/mcp/http-transport.js +117 -66
package/dist/src/mcp/http-transport.js.map +1 -1
package/dist/src/mcp/internal-auth.d.ts +13 -0
package/dist/src/mcp/internal-auth.d.ts.map +1 -0
package/dist/src/mcp/internal-auth.js +12 -0
package/dist/src/mcp/internal-auth.js.map +1 -0
package/dist/src/mcp/tool-definitions.d.ts +41 -0
package/dist/src/mcp/tool-definitions.d.ts.map +1 -0
package/dist/src/mcp/tool-definitions.js +491 -0
package/dist/src/mcp/tool-definitions.js.map +1 -0
package/dist/src/middleware/auth.js.map +1 -1
package/dist/src/middleware/session.js.map +1 -1
package/dist/src/middleware/validate.d.ts +8 -0
package/dist/src/middleware/validate.d.ts.map +1 -1
package/dist/src/middleware/validate.js +45 -0
package/dist/src/middleware/validate.js.map +1 -1
package/dist/src/policy/engine.d.ts +4 -0
package/dist/src/policy/engine.d.ts.map +1 -1
package/dist/src/policy/engine.js +117 -0
package/dist/src/policy/engine.js.map +1 -1
package/dist/src/saas/routes.d.ts.map +1 -1
package/dist/src/saas/routes.js +355 -22
package/dist/src/saas/routes.js.map +1 -1
package/dist/src/server/app.d.ts.map +1 -1
package/dist/src/server/app.js +24 -3
package/dist/src/server/app.js.map +1 -1
package/dist/src/server/gateway.d.ts.map +1 -1
package/dist/src/server/gateway.js +17 -0
package/dist/src/server/gateway.js.map +1 -1
package/dist/src/server/index.d.ts.map +1 -1
package/dist/src/server/index.js +18 -0
package/dist/src/server/index.js.map +1 -1
package/dist/src/storage/interfaces.d.ts +14 -3
package/dist/src/storage/interfaces.d.ts.map +1 -1
package/dist/src/storage/memory.d.ts +2 -0
package/dist/src/storage/memory.d.ts.map +1 -1
package/dist/src/storage/memory.js +6 -0
package/dist/src/storage/memory.js.map +1 -1
package/dist/src/storage/postgres.d.ts +5 -0
package/dist/src/storage/postgres.d.ts.map +1 -1
package/dist/src/storage/postgres.js +16 -0
package/dist/src/storage/postgres.js.map +1 -1
package/dist/src/storage/redis.d.ts +10 -0
package/dist/src/storage/redis.d.ts.map +1 -1
package/dist/src/storage/redis.js +65 -0
package/dist/src/storage/redis.js.map +1 -1
package/dist/src/types/budget.d.ts +4 -0
package/dist/src/types/budget.d.ts.map +1 -1
package/dist/src/types/config.d.ts +58 -0
package/dist/src/types/config.d.ts.map +1 -1
package/dist/src/types/events.d.ts +1 -0
package/dist/src/types/events.d.ts.map +1 -1
package/dist/src/types/policy.d.ts +11 -1
package/dist/src/types/policy.d.ts.map +1 -1
package/dist/src/types/tool-result.d.ts +11 -0
package/dist/src/types/tool-result.d.ts.map +1 -1
package/dist/tests/unit/app-routes.test.d.ts +2 -0
package/dist/tests/unit/app-routes.test.d.ts.map +1 -0
package/dist/tests/unit/app-routes.test.js +715 -0
package/dist/tests/unit/app-routes.test.js.map +1 -0
package/dist/tests/unit/audit-logger.test.js +105 -0
package/dist/tests/unit/audit-logger.test.js.map +1 -1
package/dist/tests/unit/auth-providers.test.d.ts +2 -0
package/dist/tests/unit/auth-providers.test.d.ts.map +1 -0
package/dist/tests/unit/auth-providers.test.js +279 -0
package/dist/tests/unit/auth-providers.test.js.map +1 -0
package/dist/tests/unit/auth-routes-extended.test.d.ts +2 -0
package/dist/tests/unit/auth-routes-extended.test.d.ts.map +1 -0
package/dist/tests/unit/auth-routes-extended.test.js +993 -0
package/dist/tests/unit/auth-routes-extended.test.js.map +1 -0
package/dist/tests/unit/auth-verifier.test.d.ts +2 -0
package/dist/tests/unit/auth-verifier.test.d.ts.map +1 -0
package/dist/tests/unit/auth-verifier.test.js +505 -0
package/dist/tests/unit/auth-verifier.test.js.map +1 -0
package/dist/tests/unit/billing-routes.test.d.ts +2 -0
package/dist/tests/unit/billing-routes.test.d.ts.map +1 -0
package/dist/tests/unit/billing-routes.test.js +432 -0
package/dist/tests/unit/billing-routes.test.js.map +1 -0
package/dist/tests/unit/config-defaults.test.d.ts +2 -0
package/dist/tests/unit/config-defaults.test.d.ts.map +1 -0
package/dist/tests/unit/config-defaults.test.js +119 -0
package/dist/tests/unit/config-defaults.test.js.map +1 -0
package/dist/tests/unit/defaults.test.js +0 -10
package/dist/tests/unit/defaults.test.js.map +1 -1
package/dist/tests/unit/filesystem-executor.test.d.ts +2 -0
package/dist/tests/unit/filesystem-executor.test.d.ts.map +1 -0
package/dist/tests/unit/filesystem-executor.test.js +280 -0
package/dist/tests/unit/filesystem-executor.test.js.map +1 -0
package/dist/tests/unit/gateway-branches.test.d.ts +2 -0
package/dist/tests/unit/gateway-branches.test.d.ts.map +1 -0
package/dist/tests/unit/gateway-branches.test.js +1039 -0
package/dist/tests/unit/gateway-branches.test.js.map +1 -0
package/dist/tests/unit/http-executor-branches.test.d.ts +2 -0
package/dist/tests/unit/http-executor-branches.test.d.ts.map +1 -0
package/dist/tests/unit/http-executor-branches.test.js +495 -0
package/dist/tests/unit/http-executor-branches.test.js.map +1 -0
package/dist/tests/unit/logger.test.d.ts +2 -0
package/dist/tests/unit/logger.test.d.ts.map +1 -0
package/dist/tests/unit/logger.test.js +97 -0
package/dist/tests/unit/logger.test.js.map +1 -0
package/dist/tests/unit/mcp-internal-auth.test.d.ts +2 -0
package/dist/tests/unit/mcp-internal-auth.test.d.ts.map +1 -0
package/dist/tests/unit/mcp-internal-auth.test.js +445 -0
package/dist/tests/unit/mcp-internal-auth.test.js.map +1 -0
package/dist/tests/unit/metrics.test.js +102 -0
package/dist/tests/unit/metrics.test.js.map +1 -1
package/dist/tests/unit/model-pricing.test.d.ts +2 -0
package/dist/tests/unit/model-pricing.test.d.ts.map +1 -0
package/dist/tests/unit/model-pricing.test.js +87 -0
package/dist/tests/unit/model-pricing.test.js.map +1 -0
package/dist/tests/unit/oauth-stores.test.d.ts +2 -0
package/dist/tests/unit/oauth-stores.test.d.ts.map +1 -0
package/dist/tests/unit/oauth-stores.test.js +260 -0
package/dist/tests/unit/oauth-stores.test.js.map +1 -0
package/dist/tests/unit/policy-engine.test.js +466 -0
package/dist/tests/unit/policy-engine.test.js.map +1 -1
package/dist/tests/unit/provider-interceptor.test.d.ts +2 -0
package/dist/tests/unit/provider-interceptor.test.d.ts.map +1 -0
package/dist/tests/unit/provider-interceptor.test.js +472 -0
package/dist/tests/unit/provider-interceptor.test.js.map +1 -0
package/dist/tests/unit/saas-routes-branches.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-branches.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-branches.test.js +2165 -0
package/dist/tests/unit/saas-routes-branches.test.js.map +1 -0
package/dist/tests/unit/saas-routes-crud.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-crud.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-crud.test.js +332 -0
package/dist/tests/unit/saas-routes-crud.test.js.map +1 -0
package/dist/tests/unit/saas-routes-data.test.d.ts +2 -0
package/dist/tests/unit/saas-routes-data.test.d.ts.map +1 -0
package/dist/tests/unit/saas-routes-data.test.js +405 -0
package/dist/tests/unit/saas-routes-data.test.js.map +1 -0
package/dist/tests/unit/saas-routes.test.js +3 -3
package/dist/tests/unit/saas-routes.test.js.map +1 -1
package/dist/tests/unit/shell-executor.test.d.ts +2 -0
package/dist/tests/unit/shell-executor.test.d.ts.map +1 -0
package/dist/tests/unit/shell-executor.test.js +145 -0
package/dist/tests/unit/shell-executor.test.js.map +1 -0
package/dist/tests/unit/sql-executor.test.d.ts +2 -0
package/dist/tests/unit/sql-executor.test.d.ts.map +1 -0
package/dist/tests/unit/sql-executor.test.js +177 -0
package/dist/tests/unit/sql-executor.test.js.map +1 -0
package/dist/tests/unit/stream-proxy.test.d.ts +2 -0
package/dist/tests/unit/stream-proxy.test.d.ts.map +1 -0
package/dist/tests/unit/stream-proxy.test.js +147 -0
package/dist/tests/unit/stream-proxy.test.js.map +1 -0
package/dist/tests/unit/tool-definitions.test.d.ts +2 -0
package/dist/tests/unit/tool-definitions.test.d.ts.map +1 -0
package/dist/tests/unit/tool-definitions.test.js +184 -0
package/dist/tests/unit/tool-definitions.test.js.map +1 -0
package/dist/tests/unit/usage-extractor.test.js +140 -0
package/dist/tests/unit/usage-extractor.test.js.map +1 -1
package/dist/tests/unit/webhook-handler.test.d.ts +2 -0
package/dist/tests/unit/webhook-handler.test.d.ts.map +1 -0
package/dist/tests/unit/webhook-handler.test.js +453 -0
package/dist/tests/unit/webhook-handler.test.js.map +1 -0
package/dist/tests/unit/webhook-routes.test.d.ts +2 -0
package/dist/tests/unit/webhook-routes.test.d.ts.map +1 -0
package/dist/tests/unit/webhook-routes.test.js +69 -0
package/dist/tests/unit/webhook-routes.test.js.map +1 -0
package/dist/tests/unit/websocket-executor.test.d.ts +2 -0
package/dist/tests/unit/websocket-executor.test.d.ts.map +1 -0
package/dist/tests/unit/websocket-executor.test.js +121 -0
package/dist/tests/unit/websocket-executor.test.js.map +1 -0
package/package.json +8 -2
package/policy-packs/demo_fail.yaml +41 -0
package/policy-packs/full_tools.yaml +136 -0
package/src/admin/index.ts +1 -0
package/src/admin/routes.ts +509 -0
package/src/admin/templates.ts +572 -0
package/src/anomaly/detector.ts +730 -0
package/src/anomaly/index.ts +1 -0
package/src/approval/manager.ts +569 -0
package/src/approval/webhook.ts +133 -0
package/src/audit/logger.ts +490 -0
package/src/auth/index.ts +5 -0
package/src/auth/password.ts +21 -0
package/src/auth/pkce.ts +22 -0
package/src/auth/providers.ts +208 -0
package/src/auth/routes.ts +561 -0
package/src/auth/session.ts +84 -0
package/src/billing/index.ts +6 -0
package/src/billing/plan-enforcer.ts +135 -0
package/src/billing/routes.ts +229 -0
package/src/billing/stripe-client.ts +58 -0
package/src/billing/webhook-handler.ts +182 -0
package/src/billing/webhook-routes.ts +28 -0
package/src/budget/manager.ts +679 -0
package/src/budget/model-pricing.ts +119 -0
package/src/budget/usage-extractor.ts +214 -0
package/src/cli.ts +91 -0
package/src/config/defaults.ts +261 -0
package/src/config/validate.ts +88 -0
package/src/dlp/composite-scanner.ts +213 -0
package/src/dlp/index.ts +9 -0
package/src/dlp/interfaces.ts +34 -0
package/src/dlp/patterns.ts +30 -0
package/src/dlp/prompt-injection-backend.ts +181 -0
package/src/dlp/prompt-injection-patterns.ts +302 -0
package/src/dlp/regex-backend.ts +181 -0
package/src/dlp/scanner.ts +502 -0
package/src/dlp/text-normalizer.ts +225 -0
package/src/dlp/tool-patterns.ts +35 -0
package/src/dlp/trufflehog-backend.ts +190 -0
package/src/executor/filesystem-executor.ts +196 -0
package/src/executor/http-executor.ts +349 -0
package/src/executor/index.ts +9 -0
package/src/executor/interfaces.ts +11 -0
package/src/executor/noop-executor.ts +23 -0
package/src/executor/registry.ts +64 -0
package/src/executor/shell-executor.ts +148 -0
package/src/executor/slack-executor.ts +176 -0
package/src/executor/sql-executor.ts +146 -0
package/src/executor/websocket-executor.ts +211 -0
package/src/index.ts +24 -0
package/src/interceptor/index.ts +1 -0
package/src/interceptor/provider-interceptor.ts +315 -0
package/src/mcp/auth-verifier.ts +152 -0
package/src/mcp/bridge.ts +703 -0
package/src/mcp/http-transport.ts +698 -0
package/src/mcp/index.ts +9 -0
package/src/mcp/internal-auth.ts +14 -0
package/src/mcp/oauth-pages.ts +139 -0
package/src/mcp/oauth-postgres-stores.ts +278 -0
package/src/mcp/oauth-provider.ts +536 -0
package/src/mcp/oauth-stores.ts +202 -0
package/src/mcp/server.ts +55 -0
package/src/mcp/tool-definitions.ts +562 -0
package/src/metrics/collector.ts +357 -0
package/src/metrics/index.ts +1 -0
package/src/middleware/auth.ts +814 -0
package/src/middleware/session.ts +85 -0
package/src/middleware/validate.ts +130 -0
package/src/policy/engine.ts +815 -0
package/src/policy/index.ts +2 -0
package/src/policy/opa-engine.ts +829 -0
package/src/proxy/forward-proxy.ts +649 -0
package/src/proxy/index.ts +1 -0
package/src/ratelimit/limiter.ts +196 -0
package/src/replay/engine.ts +142 -0
package/src/replay/index.ts +1 -0
package/src/saas/index.ts +1 -0
package/src/saas/routes.ts +2178 -0
package/src/server/app.ts +985 -0
package/src/server/errors.ts +49 -0
package/src/server/gateway.ts +1130 -0
package/src/server/index.ts +307 -0
package/src/server/logger.ts +255 -0
package/src/server/stream-proxy.ts +202 -0
package/src/storage/file-persistence.ts +315 -0
package/src/storage/index.ts +4 -0
package/src/storage/interfaces.ts +287 -0
package/src/storage/memory.ts +686 -0
package/src/storage/postgres.ts +1831 -0
package/src/storage/redis.ts +835 -0
package/src/tracing/index.ts +1 -0
package/src/tracing/provider.ts +100 -0
package/src/trust/calculator.ts +141 -0
package/src/trust/index.ts +7 -0
package/src/types/budget.ts +36 -0
package/src/types/config.ts +278 -0
package/src/types/events.ts +41 -0
package/src/types/express.d.ts +14 -0
package/src/types/index.ts +7 -0
package/src/types/policy.ts +83 -0
package/src/types/stripe-config.ts +11 -0
package/src/types/subscription.ts +59 -0
package/src/types/tool-call.ts +47 -0
package/src/types/tool-result.ts +82 -0
package/src/types/user.ts +125 -0
package/tsconfig.json +24 -0

package/dist/tests/unit/app-routes.test.js ADDED Viewed

@@ -0,0 +1,715 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const supertest_1 = __importDefault(require("supertest"));
+const app_1 = require("../../src/server/app");
+// ---------------------------------------------------------------------------
+// Test config helper
+// ---------------------------------------------------------------------------
+function testConfig(overrides) {
+    return {
+        port: 0,
+        host: '127.0.0.1',
+        auth: { enabled: false, api_keys: {} },
+        policy: { pack_path: './policy-packs/dev_fast.yaml', default_effect: 'ALLOW', hot_reload: false },
+        dlp: { enabled: false, scan_args: false, scan_output: false, secrets_detection: false, pii_detection: false, default_redaction_method: 'mask' },
+        budget: { task_budget_usd: 100, max_steps_per_task: 1000, max_retries_per_call: 3, max_wall_clock_ms: 300000 },
+        audit: { enabled: false, log_dir: '', console_output: false, retention_days: 30 },
+        executor: { http: { timeout_ms: 5000, max_retries: 1, backoff_base_ms: 100 }, cache: { enabled: false, ttl_ms: 0 } },
+        approval: { enabled: false, token_secret: 'test-secret', default_ttl_seconds: 3600 },
+        ...overrides,
+    };
+}
+// ---------------------------------------------------------------------------
+// Minimal valid tool call body (passes validateToolCall middleware)
+// ---------------------------------------------------------------------------
+function validToolCall(extra) {
+    return {
+        tool_call_id: 'tc-000001',
+        task_id: 'task-001',
+        actor: { type: 'agent', id: 'agent-1' },
+        source: { platform: 'test' },
+        tool: { name: 'http', capability: 'read' },
+        args: { method: 'GET', url: 'https://example.com' },
+        ...extra,
+    };
+}
+// ---------------------------------------------------------------------------
+// Suite
+// ---------------------------------------------------------------------------
+describe('app.ts routes', () => {
+    let app;
+    let gateway;
+    let metrics;
+    let healthChecks;
+    beforeEach(() => {
+        const result = (0, app_1.createApp)(testConfig());
+        app = result.app;
+        gateway = result.gateway;
+        metrics = result.metrics;
+        healthChecks = result.healthChecks;
+    });
+    afterEach(async () => {
+        await gateway.shutdown();
+    });
+    // =========================================================================
+    // 1. GET /health
+    // =========================================================================
+    describe('GET /health', () => {
+        it('returns { status: "ok" } when no health checks registered', async () => {
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(200);
+            expect(res.body).toEqual({ status: 'ok' });
+        });
+        it('returns check results when a healthy health check is registered', async () => {
+            healthChecks.push({
+                name: 'test-db',
+                check: async () => ({ status: 'ok' }),
+            });
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+        });
+        it('returns 503 when an unhealthy health check is registered', async () => {
+            healthChecks.push({
+                name: 'test-db',
+                check: async () => ({ status: 'unhealthy', message: 'connection refused' }),
+            });
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(503);
+            expect(res.body.status).toBe('unhealthy');
+        });
+        it('returns 200 with degraded status when health check is degraded', async () => {
+            healthChecks.push({
+                name: 'test-cache',
+                check: async () => ({ status: 'degraded', message: 'high latency' }),
+            });
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('degraded');
+        });
+        it('marks overall as unhealthy when health check throws', async () => {
+            healthChecks.push({
+                name: 'test-crash',
+                check: async () => { throw new Error('boom'); },
+            });
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(503);
+            expect(res.body.status).toBe('unhealthy');
+        });
+        it('unhealthy overrides degraded when multiple checks present', async () => {
+            healthChecks.push({ name: 'degraded-svc', check: async () => ({ status: 'degraded' }) }, { name: 'unhealthy-svc', check: async () => ({ status: 'unhealthy' }) });
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(503);
+            expect(res.body.status).toBe('unhealthy');
+        });
+        it('returns minimal response for unauthenticated requests (no version/uptime)', async () => {
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.body).not.toHaveProperty('version');
+            expect(res.body).not.toHaveProperty('uptime_seconds');
+            expect(res.body).not.toHaveProperty('checks');
+        });
+        it('always returns minimal response since session middleware is registered after /health', async () => {
+            // The session middleware is registered after the /health route in app.ts,
+            // so (req as any).auth is always undefined for /health requests.
+            // This test verifies the unauthenticated path is always taken.
+            healthChecks.push({
+                name: 'test-svc',
+                check: async () => ({ status: 'ok' }),
+            });
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(200);
+            // No version, uptime, checks, or timestamp in unauthenticated response
+            expect(res.body).toEqual({ status: 'ok' });
+        });
+    });
+    // =========================================================================
+    // 2. GET /ready
+    // =========================================================================
+    describe('GET /ready', () => {
+        it('returns { ready: true } in normal state', async () => {
+            const res = await (0, supertest_1.default)(app).get('/ready');
+            expect(res.status).toBe(200);
+            expect(res.body.ready).toBe(true);
+            // Should always include policy_engine check
+            expect(res.body.checks.find((c) => c.name === 'policy_engine')).toBeDefined();
+        });
+        it('returns 503 { ready: false } when gateway is shutting down', async () => {
+            // Trigger shutdown to set isShuttingDown = true
+            await gateway.shutdown();
+            const res = await (0, supertest_1.default)(app).get('/ready');
+            expect(res.status).toBe(503);
+            expect(res.body.ready).toBe(false);
+            const gwCheck = res.body.checks.find((c) => c.name === 'gateway');
+            expect(gwCheck.status).toBe('unhealthy');
+            expect(gwCheck.message).toBe('shutting down');
+        });
+        it('returns 503 when a health check throws', async () => {
+            healthChecks.push({
+                name: 'test-db',
+                check: async () => { throw new Error('db connection failed'); },
+            });
+            const res = await (0, supertest_1.default)(app).get('/ready');
+            expect(res.status).toBe(503);
+            expect(res.body.ready).toBe(false);
+            const dbCheck = res.body.checks.find((c) => c.name === 'test-db');
+            expect(dbCheck.status).toBe('unhealthy');
+            expect(dbCheck.message).toBe('db connection failed');
+        });
+        it('includes error message from non-Error throw', async () => {
+            healthChecks.push({
+                name: 'test-db',
+                check: async () => { throw 'string error'; },
+            });
+            const res = await (0, supertest_1.default)(app).get('/ready');
+            expect(res.status).toBe(503);
+            const dbCheck = res.body.checks.find((c) => c.name === 'test-db');
+            expect(dbCheck.status).toBe('unhealthy');
+            expect(dbCheck.message).toBe('check failed');
+        });
+        it('returns 503 when health check returns unhealthy', async () => {
+            healthChecks.push({
+                name: 'test-redis',
+                check: async () => ({ status: 'unhealthy', message: 'timeout' }),
+            });
+            const res = await (0, supertest_1.default)(app).get('/ready');
+            expect(res.status).toBe(503);
+            expect(res.body.ready).toBe(false);
+        });
+        it('returns 200 when health check is degraded (ready but degraded)', async () => {
+            healthChecks.push({
+                name: 'test-cache',
+                check: async () => ({ status: 'degraded', message: 'slow' }),
+            });
+            const res = await (0, supertest_1.default)(app).get('/ready');
+            // degraded does not make ready=false, only unhealthy does
+            expect(res.status).toBe(200);
+            expect(res.body.ready).toBe(true);
+        });
+    });
+    // =========================================================================
+    // 3. GET /metrics
+    // =========================================================================
+    describe('GET /metrics', () => {
+        it('returns metrics without auth in non-production', async () => {
+            const res = await (0, supertest_1.default)(app).get('/metrics');
+            expect(res.status).toBe(200);
+            expect(res.text).toContain('palaryn_');
+        });
+        it('returns 401 in production mode with auth enabled and no key', async () => {
+            const origEnv = process.env.NODE_ENV;
+            process.env.NODE_ENV = 'production';
+            try {
+                const prodResult = (0, app_1.createApp)(testConfig({
+                    auth: { enabled: true, api_keys: { 'prod-key-12345': { workspace_id: 'ws-1' } } },
+                }));
+                const res = await (0, supertest_1.default)(prodResult.app).get('/metrics');
+                expect(res.status).toBe(401);
+                expect(res.body.error_code).toBe('AUTH_REQUIRED');
+                await prodResult.gateway.shutdown();
+            }
+            finally {
+                process.env.NODE_ENV = origEnv;
+            }
+        });
+        it('returns metrics in production mode with x-api-key header', async () => {
+            const origEnv = process.env.NODE_ENV;
+            process.env.NODE_ENV = 'production';
+            try {
+                const prodResult = (0, app_1.createApp)(testConfig({
+                    auth: { enabled: true, api_keys: { 'prod-key-12345': { workspace_id: 'ws-1' } } },
+                }));
+                const res = await (0, supertest_1.default)(prodResult.app)
+                    .get('/metrics')
+                    .set('x-api-key', 'prod-key-12345');
+                expect(res.status).toBe(200);
+                expect(res.text).toContain('palaryn_');
+                await prodResult.gateway.shutdown();
+            }
+            finally {
+                process.env.NODE_ENV = origEnv;
+            }
+        });
+        it('returns metrics in production mode with bearer token', async () => {
+            const origEnv = process.env.NODE_ENV;
+            process.env.NODE_ENV = 'production';
+            try {
+                const prodResult = (0, app_1.createApp)(testConfig({
+                    auth: { enabled: true, api_keys: { 'bearer-key-123': { workspace_id: 'ws-1' } } },
+                }));
+                const res = await (0, supertest_1.default)(prodResult.app)
+                    .get('/metrics')
+                    .set('Authorization', 'Bearer some-bearer-token');
+                expect(res.status).toBe(200);
+                await prodResult.gateway.shutdown();
+            }
+            finally {
+                process.env.NODE_ENV = origEnv;
+            }
+        });
+        it('returns 500 when metrics.getMetrics() throws', async () => {
+            jest.spyOn(metrics, 'getMetrics').mockRejectedValueOnce(new Error('metrics boom'));
+            const res = await (0, supertest_1.default)(app).get('/metrics');
+            expect(res.status).toBe(500);
+        });
+    });
+    // =========================================================================
+    // 4. GET /install.sh
+    // =========================================================================
+    describe('GET /install.sh', () => {
+        it('returns install script with text/plain content type when file exists', async () => {
+            // Mock fs to simulate install.sh existing (path resolution differs in Jest vs dist)
+            const fs = require('fs');
+            const origExistsSync = fs.existsSync;
+            const origReadFileSync = fs.readFileSync;
+            fs.existsSync = (p) => {
+                if (p.endsWith('install.sh'))
+                    return true;
+                return origExistsSync(p);
+            };
+            fs.readFileSync = (p, enc) => {
+                if (typeof p === 'string' && p.endsWith('install.sh'))
+                    return '#!/bin/sh\necho "install"';
+                return origReadFileSync(p, enc);
+            };
+            try {
+                const result2 = (0, app_1.createApp)(testConfig());
+                const res = await (0, supertest_1.default)(result2.app).get('/install.sh');
+                expect(res.status).toBe(200);
+                expect(res.headers['content-type']).toContain('text/plain');
+                expect(res.text).toContain('#!/bin/sh');
+                await result2.gateway.shutdown();
+            }
+            finally {
+                fs.existsSync = origExistsSync;
+                fs.readFileSync = origReadFileSync;
+            }
+        });
+        it('returns 404 when file does not exist', async () => {
+            const fs = require('fs');
+            const origExistsSync = fs.existsSync;
+            fs.existsSync = (p) => {
+                if (p.endsWith('install.sh'))
+                    return false;
+                return origExistsSync(p);
+            };
+            try {
+                const result2 = (0, app_1.createApp)(testConfig());
+                const res = await (0, supertest_1.default)(result2.app).get('/install.sh');
+                expect(res.status).toBe(404);
+                expect(res.text).toContain('install.sh not found');
+                await result2.gateway.shutdown();
+            }
+            finally {
+                fs.existsSync = origExistsSync;
+            }
+        });
+    });
+    // =========================================================================
+    // 5. POST /v1/tool/execute
+    // =========================================================================
+    describe('POST /v1/tool/execute', () => {
+        it('returns 200 when gateway.execute returns status "ok"', async () => {
+            const mockResult = {
+                tool_call_id: 'tc-000001',
+                task_id: 'task-001',
+                status: 'ok',
+                policy: { decision: 'allow', reasons: [] },
+                dlp: { detected: [], redactions: [], severity: 'low' },
+                budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 100 },
+                output: { http_status: 200, body: { data: 'ok' } },
+                timing: { started_at: new Date().toISOString(), duration_ms: 10 },
+            };
+            jest.spyOn(gateway, 'execute').mockResolvedValueOnce(mockResult);
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .send(validToolCall());
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+        });
+        it('returns 403 when gateway.execute returns status "blocked"', async () => {
+            const mockResult = {
+                tool_call_id: 'tc-000001',
+                task_id: 'task-001',
+                status: 'blocked',
+                policy: { decision: 'deny', rule_id: 'block-all', reasons: ['blocked by policy'] },
+                dlp: { detected: [], redactions: [], severity: 'low' },
+                budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 100 },
+                timing: { started_at: new Date().toISOString(), duration_ms: 5 },
+            };
+            jest.spyOn(gateway, 'execute').mockResolvedValueOnce(mockResult);
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .send(validToolCall());
+            expect(res.status).toBe(403);
+            expect(res.body.status).toBe('blocked');
+        });
+        it('returns 429 when blocked with rate_limit rule_id', async () => {
+            const mockResult = {
+                tool_call_id: 'tc-000001',
+                task_id: 'task-001',
+                status: 'blocked',
+                policy: { decision: 'deny', rule_id: 'rate_limit', reasons: ['rate limited'] },
+                dlp: { detected: [], redactions: [], severity: 'low' },
+                budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 100 },
+                timing: { started_at: new Date().toISOString(), duration_ms: 5 },
+            };
+            jest.spyOn(gateway, 'execute').mockResolvedValueOnce(mockResult);
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .send(validToolCall());
+            expect(res.status).toBe(429);
+        });
+        it('returns 202 when status is "needs_approval"', async () => {
+            const mockResult = {
+                tool_call_id: 'tc-000001',
+                task_id: 'task-001',
+                status: 'needs_approval',
+                policy: { decision: 'require_approval', reasons: ['requires admin approval'] },
+                dlp: { detected: [], redactions: [], severity: 'low' },
+                budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 100 },
+                timing: { started_at: new Date().toISOString(), duration_ms: 5 },
+            };
+            jest.spyOn(gateway, 'execute').mockResolvedValueOnce(mockResult);
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .send(validToolCall());
+            expect(res.status).toBe(202);
+            expect(res.body.status).toBe('needs_approval');
+        });
+        it('sanitizes error in result (never leaks internal details)', async () => {
+            const mockResult = {
+                tool_call_id: 'tc-000001',
+                task_id: 'task-001',
+                status: 'ok',
+                policy: { decision: 'allow', reasons: [] },
+                dlp: { detected: [], redactions: [], severity: 'low' },
+                budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 100 },
+                error: 'Internal path /var/secrets/key.pem leaked',
+                timing: { started_at: new Date().toISOString(), duration_ms: 10 },
+            };
+            jest.spyOn(gateway, 'execute').mockResolvedValueOnce(mockResult);
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .send(validToolCall());
+            expect(res.status).toBe(200);
+            expect(res.body.error).toBe('Tool execution failed');
+        });
+        it('returns 500 when gateway.execute throws', async () => {
+            jest.spyOn(gateway, 'execute').mockRejectedValueOnce(new Error('unexpected crash'));
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .send(validToolCall());
+            expect(res.status).toBe(500);
+            expect(res.body.error_code).toBe('TOOL_EXECUTION_ERROR');
+        });
+        it('returns 500 when gateway.execute throws non-Error', async () => {
+            jest.spyOn(gateway, 'execute').mockRejectedValueOnce('string error');
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .send(validToolCall());
+            expect(res.status).toBe(500);
+            expect(res.body.error_code).toBe('TOOL_EXECUTION_ERROR');
+        });
+        it('merges api_key_tags into context.labels', async () => {
+            // Create an app with auth enabled and an API key that has tags
+            const authConfig = testConfig({
+                auth: {
+                    enabled: true,
+                    api_keys: {
+                        'tagged-key-12345': {
+                            workspace_id: 'ws-tags',
+                            roles: ['operator'],
+                        },
+                    },
+                },
+            });
+            const authResult = (0, app_1.createApp)(authConfig);
+            // The api_key_tags won't be set by config-based keys (they come from SaaS keys),
+            // but we can test the merge logic by setting auth context via a mock.
+            // Instead, we spy on execute to verify the toolCall passed to it has merged labels.
+            const executeSpy = jest.spyOn(authResult.gateway, 'execute').mockResolvedValueOnce({
+                tool_call_id: 'tc-000001',
+                task_id: 'task-001',
+                status: 'ok',
+                policy: { decision: 'allow', reasons: [] },
+                dlp: { detected: [], redactions: [], severity: 'low' },
+                budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 100 },
+                timing: { started_at: new Date().toISOString(), duration_ms: 10 },
+            });
+            const res = await (0, supertest_1.default)(authResult.app)
+                .post('/v1/tool/execute')
+                .set('x-api-key', 'tagged-key-12345')
+                .send(validToolCall({
+                context: { labels: ['existing-label'] },
+            }));
+            expect(res.status).toBe(200);
+            // Gateway should have been called with the tool call
+            expect(executeSpy).toHaveBeenCalled();
+            await authResult.gateway.shutdown();
+        });
+        it('returns 403 for capability-specific RBAC check when rbac is enabled', async () => {
+            const rbacConfig = testConfig({
+                auth: {
+                    enabled: true,
+                    api_keys: {
+                        'rbac-key-12345': {
+                            workspace_id: 'ws-rbac',
+                            roles: ['reader'],
+                        },
+                    },
+                    rbac: {
+                        enabled: true,
+                        roles: {
+                            reader: {
+                                permissions: ['tool:execute:read'],
+                            },
+                        },
+                    },
+                },
+            });
+            const rbacResult = (0, app_1.createApp)(rbacConfig);
+            // Request with a write capability but only reader role
+            const res = await (0, supertest_1.default)(rbacResult.app)
+                .post('/v1/tool/execute')
+                .set('x-api-key', 'rbac-key-12345')
+                .send(validToolCall({
+                tool: { name: 'http', capability: 'write' },
+            }));
+            // The reader role has tool:execute:read but not tool:execute:write
+            // However, the broad rbacToolExecute middleware checks tool:execute
+            // which the reader doesn't have either, so it may be blocked at the middleware level
+            expect([403]).toContain(res.status);
+            await rbacResult.gateway.shutdown();
+        });
+    });
+    // =========================================================================
+    // 6. POST /v1/tool/approve
+    // =========================================================================
+    describe('POST /v1/tool/approve', () => {
+        it('returns 400 when approval_token is missing', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .send({ approved: true });
+            expect(res.status).toBe(400);
+            expect(res.body.error_code).toBe('VALIDATION_FAILED');
+            expect(res.body.error).toContain('approval_token');
+        });
+        it('returns { status: "ok" } on successful approval', async () => {
+            jest.spyOn(gateway, 'processApproval').mockResolvedValueOnce({
+                success: true,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .send({ approval_token: 'valid-token-123', approved: true });
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            expect(res.body.success).toBe(true);
+        });
+        it('returns 400 when processApproval returns success=false', async () => {
+            jest.spyOn(gateway, 'processApproval').mockResolvedValueOnce({
+                success: false,
+                error: 'Token expired',
+            });
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .send({ approval_token: 'expired-token', approved: true });
+            expect(res.status).toBe(400);
+            expect(res.body.error_code).toBe('VALIDATION_FAILED');
+            expect(res.body.error).toContain('Token expired');
+        });
+        it('returns 400 with default message when processApproval fails without error', async () => {
+            jest.spyOn(gateway, 'processApproval').mockResolvedValueOnce({
+                success: false,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .send({ approval_token: 'bad-token' });
+            expect(res.status).toBe(400);
+            expect(res.body.error).toContain('Approval processing failed');
+        });
+        it('returns 500 when processApproval throws', async () => {
+            jest.spyOn(gateway, 'processApproval').mockRejectedValueOnce(new Error('internal failure'));
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .send({ approval_token: 'crash-token' });
+            expect(res.status).toBe(500);
+            expect(res.body.error_code).toBe('INTERNAL_ERROR');
+        });
+        it('returns 500 when processApproval throws non-Error', async () => {
+            jest.spyOn(gateway, 'processApproval').mockRejectedValueOnce('string crash');
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .send({ approval_token: 'crash-token' });
+            expect(res.status).toBe(500);
+            expect(res.body.error_code).toBe('INTERNAL_ERROR');
+        });
+        it('uses approved=true when approved field is omitted (defaults to approved !== false)', async () => {
+            const spy = jest.spyOn(gateway, 'processApproval').mockResolvedValueOnce({ success: true });
+            await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .send({ approval_token: 'token-no-approved-field' });
+            // approved !== false should be true when approved is undefined
+            expect(spy).toHaveBeenCalledWith('token-no-approved-field', expect.any(String), true, undefined, undefined);
+        });
+    });
+    // =========================================================================
+    // 7. POST /v1/usage/report
+    // =========================================================================
+    describe('POST /v1/usage/report', () => {
+        it('returns 400 when tool_call_id is missing', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/usage/report')
+                .send({ task_id: 'task-001' });
+            expect(res.status).toBe(400);
+            expect(res.body.error_code).toBe('VALIDATION_FAILED');
+            expect(res.body.error).toContain('tool_call_id');
+        });
+        it('returns 400 when task_id is missing', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/usage/report')
+                .send({ tool_call_id: 'tc-001' });
+            expect(res.status).toBe(400);
+            expect(res.body.error_code).toBe('VALIDATION_FAILED');
+        });
+        it('returns 400 when both tool_call_id and task_id are missing', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/usage/report')
+                .send({});
+            expect(res.status).toBe(400);
+        });
+        it('returns { status: "ok" } on successful usage report', async () => {
+            jest.spyOn(gateway, 'reportUsage').mockImplementation(() => { });
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/usage/report')
+                .send({
+                tool_call_id: 'tc-001',
+                task_id: 'task-001',
+                actual_cost_usd: 0.05,
+                usage: { input_tokens: 100, output_tokens: 50 },
+            });
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+        });
+        it('returns 500 when reportUsage throws an Error', async () => {
+            jest.spyOn(gateway, 'reportUsage').mockImplementation(() => {
+                throw new Error('storage failure');
+            });
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/usage/report')
+                .send({ tool_call_id: 'tc-001', task_id: 'task-001' });
+            expect(res.status).toBe(500);
+            expect(res.body.error_code).toBe('INTERNAL_ERROR');
+        });
+        it('returns 500 when reportUsage throws a non-Error', async () => {
+            jest.spyOn(gateway, 'reportUsage').mockImplementation(() => {
+                throw 'string error';
+            });
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/usage/report')
+                .send({ tool_call_id: 'tc-001', task_id: 'task-001' });
+            expect(res.status).toBe(500);
+            expect(res.body.error_code).toBe('INTERNAL_ERROR');
+        });
+    });
+    // =========================================================================
+    // 8. Error handler
+    // =========================================================================
+    describe('Global error handler', () => {
+        it('returns 400 with VALIDATION_FAILED for invalid JSON body', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('Content-Type', 'application/json')
+                .send('{ invalid json }');
+            expect(res.status).toBe(400);
+            expect(res.body.error_code).toBe('VALIDATION_FAILED');
+            expect(res.body.error).toContain('Invalid JSON');
+        });
+        it('returns 413 for body too large', async () => {
+            // The express.json() limit is 10MB; send > 10MB
+            const largeBody = 'x'.repeat(11 * 1024 * 1024);
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('Content-Type', 'application/json')
+                .send(largeBody);
+            expect(res.status).toBe(413);
+            expect(res.body.error_code).toBe('VALIDATION_FAILED');
+            expect(res.body.error).toContain('too large');
+        });
+    });
+    // =========================================================================
+    // 9. IP rate limiter
+    // =========================================================================
+    describe('IP rate limiter', () => {
+        it('allows requests within limit', async () => {
+            // Use a very tight rate limit
+            const limitedResult = (0, app_1.createApp)(testConfig({
+                public_rate_limit: { max_per_window: 5, window_ms: 60000 },
+            }));
+            const res = await (0, supertest_1.default)(limitedResult.app).get('/health');
+            expect(res.status).toBe(200);
+            await limitedResult.gateway.shutdown();
+        });
+        it('returns 429 when exceeding the rate limit', async () => {
+            const limitedResult = (0, app_1.createApp)(testConfig({
+                public_rate_limit: { max_per_window: 2, window_ms: 60000 },
+            }));
+            // Make requests up to the limit
+            await (0, supertest_1.default)(limitedResult.app).get('/health');
+            await (0, supertest_1.default)(limitedResult.app).get('/health');
+            // Third request should be blocked
+            const res = await (0, supertest_1.default)(limitedResult.app).get('/health');
+            expect(res.status).toBe(429);
+            expect(res.body.error_code).toBe('RATE_LIMIT_EXCEEDED');
+            expect(res.body.details).toHaveProperty('retry_after_ms');
+            await limitedResult.gateway.shutdown();
+        });
+    });
+    // =========================================================================
+    // Additional route coverage
+    // =========================================================================
+    describe('POST /v1/tool/execute - validation', () => {
+        it('returns 400 for missing required fields', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .send({ tool_call_id: 'tc-bad' });
+            expect(res.status).toBe(400);
+            expect(res.body.error_code).toBe('VALIDATION_FAILED');
+        });
+    });
+    describe('POST /v1/tool/execute - status fallback to 500', () => {
+        it('returns 500 for an unknown result status', async () => {
+            const mockResult = {
+                tool_call_id: 'tc-000001',
+                task_id: 'task-001',
+                status: 'error',
+                policy: { decision: 'allow', reasons: [] },
+                dlp: { detected: [], redactions: [], severity: 'low' },
+                budget: { estimated_cost_usd: 0, spent_cost_usd_task: 0, remaining_cost_usd_task: 100 },
+                timing: { started_at: new Date().toISOString(), duration_ms: 10 },
+            };
+            jest.spyOn(gateway, 'execute').mockResolvedValueOnce(mockResult);
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .send(validToolCall());
+            expect(res.status).toBe(500);
+        });
+    });
+    describe('POST /v1/tool/approve - denial flow', () => {
+        it('handles explicit denied approval (approved=false)', async () => {
+            const spy = jest.spyOn(gateway, 'processApproval').mockResolvedValueOnce({ success: true });
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .send({
+                approval_token: 'deny-token',
+                approved: false,
+                reason: 'Not needed',
+            });
+            expect(res.status).toBe(200);
+            expect(spy).toHaveBeenCalledWith('deny-token', expect.any(String), false, 'Not needed', undefined);
+        });
+    });
+});
+//# sourceMappingURL=app-routes.test.js.map