palaryn 0.1.0 → 0.3.2

package/dist/tests/unit/saas-routes-branches.test.js

@@ -0,0 +1,2165 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const supertest_1 = __importDefault(require("supertest"));
+const app_1 = require("../../src/server/app");
+const defaults_1 = require("../../src/config/defaults");
+// ---------------------------------------------------------------------------
+// Setup
+// ---------------------------------------------------------------------------
+let app;
+let saasStores;
+let gateway;
+const now = new Date().toISOString();
+function createTestConfig() {
+    return {
+        ...defaults_1.DEFAULT_CONFIG,
+        port: 0,
+        host: '127.0.0.1',
+        auth: {
+            ...defaults_1.DEFAULT_CONFIG.auth,
+            enabled: true,
+            api_keys: {},
+            rbac: {
+                enabled: false,
+                roles: {},
+            },
+        },
+        policy: {
+            pack_path: './policy-packs/dev_fast.yaml',
+            default_effect: 'DENY',
+            hot_reload: false,
+        },
+        audit: {
+            enabled: true,
+            log_dir: '',
+            console_output: false,
+            retention_days: 30,
+        },
+        rate_limit: {
+            enabled: false,
+            actor_max_per_window: 100,
+            workspace_max_per_window: 500,
+            window_ms: 60000,
+        },
+        oauth: {
+            enabled: true,
+            session_secret: 'test-session-secret-for-branches',
+            session_ttl_seconds: 3600,
+        },
+    };
+}
+beforeAll(() => {
+    const config = createTestConfig();
+    const result = (0, app_1.createApp)(config);
+    app = result.app;
+    saasStores = result.saasStores;
+    gateway = result.gateway;
+});
+afterAll(() => {
+    gateway.shutdown();
+});
+beforeEach(() => {
+    saasStores.userStore.create({
+        id: 'u1',
+        email: 'test@test.com',
+        display_name: 'Test User',
+        avatar_url: 'https://img.example.com/avatar.png',
+        status: 'active',
+        onboarding_completed: false,
+        created_at: now,
+        updated_at: now,
+    });
+    saasStores.sessionStore.create({
+        id: 'sess1',
+        user_id: 'u1',
+        expires_at: new Date(Date.now() + 3600000).toISOString(),
+        last_active_at: now,
+        created_at: now,
+    });
+});
+afterEach(() => {
+    saasStores.userStore.delete('u1');
+    saasStores.userStore.delete('u2');
+    saasStores.userStore.delete('u3');
+    saasStores.sessionStore.delete('sess1');
+    saasStores.sessionStore.delete('sess2');
+    const allWorkspaces = saasStores.workspaceStore.list();
+    for (const ws of allWorkspaces) {
+        const members = saasStores.workspaceMemberStore.getByWorkspace(ws.id);
+        for (const m of members) {
+            saasStores.workspaceMemberStore.delete(m.id);
+        }
+        const keys = saasStores.userApiKeyStore.getByWorkspace(ws.id);
+        for (const k of keys) {
+            saasStores.userApiKeyStore.delete(k.id);
+        }
+        saasStores.workspaceStore.delete(ws.id);
+    }
+    // Clear approval manager between tests
+    gateway.getApprovalManager().clear();
+});
+// ===========================================================================
+// Helper: seed a workspace + membership
+// ===========================================================================
+function seedWorkspace(opts) {
+    saasStores.workspaceStore.create({
+        id: opts.wsId,
+        name: `WS ${opts.wsId}`,
+        slug: opts.slug,
+        owner_user_id: opts.userId,
+        plan: (opts.plan || 'free'),
+        settings: {},
+        created_at: now,
+        updated_at: now,
+    });
+    saasStores.workspaceMemberStore.create({
+        id: opts.memberId,
+        workspace_id: opts.wsId,
+        user_id: opts.userId,
+        role: opts.role,
+        joined_at: now,
+    });
+}
+// ===========================================================================
+// Tests — Branch Coverage
+// ===========================================================================
+describe('SaaS Routes — Branch Coverage', () => {
+    // -------------------------------------------------------------------------
+    // POST /workspaces/:id/policies/generate-rule (Lines 798-938)
+    // This is the large uncovered block — LLM-powered rule generation
+    // -------------------------------------------------------------------------
+    describe('POST /workspaces/:id/policies/generate-rule', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-gen', slug: 'gen-ws', userId: 'u1', role: 'owner', memberId: 'mem-gen' });
+        });
+        it('returns 401 or 429 without session', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                .send({ description: 'Allow GET requests' });
+            // Without API key header, the auth middleware returns 401;
+            // with many unauthenticated requests, the IP rate limiter may return 429.
+            expect([401, 429]).toContain(res.status);
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-gen');
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ description: 'Allow GET requests' })
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 503 when PALARYN_LLM_API_KEY is not set', async () => {
+            // Ensure the env var is not set
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            delete process.env.PALARYN_LLM_API_KEY;
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Allow GET requests' })
+                    .expect(503);
+                expect(res.body.error).toContain('AI rule generation is not configured');
+            }
+            finally {
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+            }
+        });
+        it('returns 400 when description is missing', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({})
+                    .expect(400);
+                expect(res.body.error).toContain('description is required');
+            }
+            finally {
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('returns 400 when description is empty string', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: '   ' })
+                    .expect(400);
+                expect(res.body.error).toContain('description is required');
+            }
+            finally {
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('returns 400 when description is not a string', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 12345 })
+                    .expect(400);
+                expect(res.body.error).toContain('description is required');
+            }
+            finally {
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('handles LLM API error (non-ok response)', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            // Mock global fetch to simulate an LLM API error
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockResolvedValue({
+                ok: false,
+                status: 500,
+                text: jest.fn().mockResolvedValue('Internal Server Error'),
+            });
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Allow GET requests' })
+                    .expect(502);
+                expect(res.body.error).toContain('Failed to generate rule');
+                expect(res.body.error).toContain('LLM API returned an error');
+            }
+            finally {
+                global.fetch = originalFetch;
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('handles unparseable LLM response', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    content: [{ type: 'text', text: 'this is not valid json at all' }],
+                }),
+            });
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Allow GET requests' })
+                    .expect(500);
+                expect(res.body.error).toContain('Failed to parse generated rule');
+            }
+            finally {
+                global.fetch = originalFetch;
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('returns a valid rule on successful LLM response', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            const mockRule = {
+                name: 'allow-get-github',
+                description: 'Allow GET requests to GitHub',
+                effect: 'allow',
+                priority: 10,
+                conditions: { domains: ['api.github.com'], methods: ['GET'] },
+                extra_field: 'should be stripped',
+            };
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    content: [{ type: 'text', text: JSON.stringify(mockRule) }],
+                }),
+            });
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Allow GET requests to GitHub' })
+                    .expect(200);
+                expect(res.body.rule).toBeDefined();
+                expect(res.body.rule.name).toBe('allow-get-github');
+                // Effect should be uppercased
+                expect(res.body.rule.effect).toBe('ALLOW');
+                // extra_field should be stripped
+                expect(res.body.rule.extra_field).toBeUndefined();
+            }
+            finally {
+                global.fetch = originalFetch;
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('normalizes rule with missing fields', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            // Rule with no name, no conditions, no effect
+            const mockRule = { priority: 5 };
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    content: [{ type: 'text', text: JSON.stringify(mockRule) }],
+                }),
+            });
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Some rule' })
+                    .expect(200);
+                expect(res.body.rule.name).toBe('generated-rule');
+                expect(res.body.rule.conditions).toEqual({});
+                expect(res.body.rule.effect).toBe('DENY');
+            }
+            finally {
+                global.fetch = originalFetch;
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('strips markdown code fences from LLM output', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            const ruleJson = '{"name":"fenced-rule","effect":"DENY","conditions":{},"priority":1}';
+            const wrappedText = '```json\n' + ruleJson + '\n```';
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    content: [{ type: 'text', text: wrappedText }],
+                }),
+            });
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Block everything' })
+                    .expect(200);
+                expect(res.body.rule.name).toBe('fenced-rule');
+            }
+            finally {
+                global.fetch = originalFetch;
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('handles fetch abort/timeout (AbortError)', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockRejectedValue(Object.assign(new Error('The operation was aborted'), { name: 'AbortError' }));
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Allow GET' })
+                    .expect(504);
+                expect(res.body.error).toContain('timed out');
+            }
+            finally {
+                global.fetch = originalFetch;
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('handles unexpected fetch error', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockRejectedValue(new Error('Network failure'));
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Allow GET' })
+                    .expect(500);
+                expect(res.body.error).toContain('Failed to generate rule');
+            }
+            finally {
+                global.fetch = originalFetch;
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('handles empty content array from LLM', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    content: [],
+                }),
+            });
+            try {
+                // Empty content => text is '' => cleaned is '' => JSON.parse('') fails
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Allow GET' })
+                    .expect(500);
+                expect(res.body.error).toContain('Failed to parse generated rule');
+            }
+            finally {
+                global.fetch = originalFetch;
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('returns 429 when per-user LLM rate limit is exceeded (11th request)', async () => {
+            // Use a dedicated user so rate limit state is isolated from other tests
+            const rlUserId = 'u-ratelimit';
+            const rlSessionId = 'sess-ratelimit';
+            saasStores.userStore.create({
+                id: rlUserId,
+                email: 'rl@test.com',
+                display_name: 'Rate Limit User',
+                status: 'active',
+                onboarding_completed: false,
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.sessionStore.create({
+                id: rlSessionId,
+                user_id: rlUserId,
+                expires_at: new Date(Date.now() + 3600000).toISOString(),
+                last_active_at: now,
+                created_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-gen-rl',
+                workspace_id: 'ws-gen',
+                user_id: rlUserId,
+                role: 'member',
+                joined_at: now,
+            });
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'test-key';
+            const validRule = JSON.stringify({
+                name: 'test-rule',
+                effect: 'ALLOW',
+                conditions: { methods: ['GET'] },
+            });
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    content: [{ type: 'text', text: validRule }],
+                }),
+            });
+            try {
+                // Make 10 successful requests (the limit)
+                for (let i = 0; i < 10; i++) {
+                    await (0, supertest_1.default)(app)
+                        .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                        .set('Cookie', `pn_session=${rlSessionId}`)
+                        .send({ description: `Allow GET ${i}` })
+                        .expect(200);
+                }
+                // 11th request should be rate limited
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', `pn_session=${rlSessionId}`)
+                    .send({ description: 'Allow GET again' })
+                    .expect(429);
+                expect(res.body.error).toContain('limit of 10 AI generations per hour');
+                expect(res.body.retry_after_ms).toBeGreaterThan(0);
+            }
+            finally {
+                global.fetch = originalFetch;
+                saasStores.userStore.delete(rlUserId);
+                saasStores.sessionStore.delete(rlSessionId);
+                saasStores.workspaceMemberStore.delete('mem-gen-rl');
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('uses OpenAI API when key starts with sk-proj-', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'sk-proj-test123';
+            const mockRule = {
+                name: 'openai-rule',
+                effect: 'ALLOW',
+                priority: 10,
+                conditions: { methods: ['GET'] },
+            };
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    choices: [{ message: { content: JSON.stringify(mockRule) } }],
+                }),
+            });
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Allow GET requests' })
+                    .expect(200);
+                expect(res.body.rule.name).toBe('openai-rule');
+                expect(res.body.rule.effect).toBe('ALLOW');
+                // Verify fetch was called with OpenAI URL
+                const fetchCall = global.fetch.mock.calls[0];
+                expect(fetchCall[0]).toBe('https://api.openai.com/v1/chat/completions');
+                expect(JSON.parse(fetchCall[1].body).model).toBe('gpt-4.1-mini');
+                expect(fetchCall[1].headers['Authorization']).toBe('Bearer sk-proj-test123');
+            }
+            finally {
+                global.fetch = originalFetch;
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('uses Anthropic API when key does not start with sk-', async () => {
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'ant-key-123';
+            const mockRule = {
+                name: 'anthropic-rule',
+                effect: 'DENY',
+                conditions: {},
+            };
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    content: [{ type: 'text', text: JSON.stringify(mockRule) }],
+                }),
+            });
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', 'pn_session=sess1')
+                    .send({ description: 'Block everything' })
+                    .expect(200);
+                expect(res.body.rule.name).toBe('anthropic-rule');
+                // Verify fetch was called with Anthropic URL
+                const fetchCall = global.fetch.mock.calls[0];
+                expect(fetchCall[0]).toBe('https://api.anthropic.com/v1/messages');
+                expect(fetchCall[1].headers['x-api-key']).toBe('ant-key-123');
+            }
+            finally {
+                global.fetch = originalFetch;
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+        it('uses OpenAI API when key starts with sk- (non-proj)', async () => {
+            // Use a separate user to avoid rate limit from other tests
+            const skUserId = 'u-sk-test';
+            const skSessionId = 'sess-sk-test';
+            saasStores.userStore.create({
+                id: skUserId, email: 'sk@test.com', display_name: 'SK', status: 'active',
+                onboarding_completed: false, created_at: now, updated_at: now,
+            });
+            saasStores.sessionStore.create({
+                id: skSessionId, user_id: skUserId,
+                expires_at: new Date(Date.now() + 3600000).toISOString(),
+                last_active_at: now, created_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-sk', workspace_id: 'ws-gen', user_id: skUserId, role: 'member', joined_at: now,
+            });
+            const originalKey = process.env.PALARYN_LLM_API_KEY;
+            process.env.PALARYN_LLM_API_KEY = 'sk-oldformat123';
+            const originalFetch = global.fetch;
+            global.fetch = jest.fn().mockResolvedValue({
+                ok: true,
+                json: jest.fn().mockResolvedValue({
+                    choices: [{ message: { content: '{"name":"sk-rule","effect":"ALLOW","conditions":{}}' } }],
+                }),
+            });
+            try {
+                const res = await (0, supertest_1.default)(app)
+                    .post('/api/v1/workspaces/ws-gen/policies/generate-rule')
+                    .set('Cookie', `pn_session=${skSessionId}`)
+                    .send({ description: 'Allow all' })
+                    .expect(200);
+                expect(res.body.rule.name).toBe('sk-rule');
+                const fetchCall = global.fetch.mock.calls[0];
+                expect(fetchCall[0]).toBe('https://api.openai.com/v1/chat/completions');
+            }
+            finally {
+                global.fetch = originalFetch;
+                saasStores.userStore.delete(skUserId);
+                saasStores.sessionStore.delete(skSessionId);
+                saasStores.workspaceMemberStore.delete('mem-sk');
+                if (originalKey !== undefined) {
+                    process.env.PALARYN_LLM_API_KEY = originalKey;
+                }
+                else {
+                    delete process.env.PALARYN_LLM_API_KEY;
+                }
+            }
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /workspaces (workspace limit enforcement — lines 127-143)
+    // -------------------------------------------------------------------------
+    describe('POST /workspaces — workspace limit enforcement', () => {
+        it('returns 403 when workspace limit is reached for free plan', async () => {
+            // Free plan allows 1 workspace. Create one first (as owner).
+            seedWorkspace({ wsId: 'ws-limit-1', slug: 'limit-1', userId: 'u1', role: 'owner', memberId: 'mem-limit-1', plan: 'free' });
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Second Workspace' })
+                .expect(403);
+            expect(res.body.error).toContain('maximum');
+        });
+        it('determines highest plan across owned workspaces (lines 134-137)', async () => {
+            // User owns a free workspace and a pro workspace. Pro allows 5 workspaces.
+            seedWorkspace({ wsId: 'ws-plan-free', slug: 'plan-free', userId: 'u1', role: 'owner', memberId: 'mem-plan-free', plan: 'free' });
+            seedWorkspace({ wsId: 'ws-plan-pro', slug: 'plan-pro', userId: 'u1', role: 'owner', memberId: 'mem-plan-pro', plan: 'pro' });
+            // Pro plan allows 5 workspaces, user has 2, so a 3rd should succeed
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Third Workspace' })
+                .expect(201);
+            expect(res.body.name).toBe('Third Workspace');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id — workspace not found after membership check (lines 199-200)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id — workspace not found edge case', () => {
+        it('returns 404 when workspace record is deleted but membership remains', async () => {
+            // Create workspace + membership, then delete the workspace record
+            seedWorkspace({ wsId: 'ws-phantom', slug: 'phantom-ws', userId: 'u1', role: 'owner', memberId: 'mem-phantom' });
+            saasStores.workspaceStore.delete('ws-phantom');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-phantom')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(404);
+            expect(res.body.error).toContain('Workspace not found');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/events — filter branches (lines 265, 293-294, 300, 312-313)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/events — filter branches', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-events', slug: 'events-ws', userId: 'u1', role: 'owner', memberId: 'mem-events' });
+            // Seed some events
+            const auditLogger = gateway.getAuditLogger();
+            auditLogger.log({
+                event_type: 'TOOL_EXECUTED',
+                tool_call_id: 'tc-ev-1',
+                task_id: 'task-ev-1',
+                workspace_id: 'ws-events',
+                actor_id: 'agent-alpha',
+                tool_name: 'http.request',
+                metadata: { status: 'allowed', decision: 'allow' },
+            });
+            auditLogger.log({
+                event_type: 'POLICY_DECIDED',
+                tool_call_id: 'tc-ev-2',
+                task_id: 'task-ev-2',
+                workspace_id: 'ws-events',
+                actor_id: 'agent-beta',
+                tool_name: 'slack.post_message',
+                metadata: { status: 'denied', decision: 'deny' },
+            });
+        });
+        it('filters by event_type', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-events/events?event_type=TOOL_EXECUTED')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            for (const e of res.body.events) {
+                expect(e.event_type).toBe('TOOL_EXECUTED');
+            }
+        });
+        it('filters by tool name', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-events/events?tool=slack')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            for (const e of res.body.events) {
+                expect(e.tool_name).toContain('slack');
+            }
+        });
+        it('filters by actor', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-events/events?actor=alpha')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            for (const e of res.body.events) {
+                expect(e.actor_id).toContain('alpha');
+            }
+        });
+        it('filters by status', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-events/events?status=denied')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            // All matched events should have a denied status or decision
+            expect(res.body.events.length).toBeGreaterThanOrEqual(0);
+        });
+        it('filters by search query (q)', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-events/events?q=http')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            for (const e of res.body.events) {
+                const matches = e.tool_name?.toLowerCase().includes('http') ||
+                    e.actor_id?.toLowerCase().includes('http') ||
+                    e.event_type?.toLowerCase().includes('http');
+                expect(matches).toBe(true);
+            }
+        });
+        it('filters by since timestamp', async () => {
+            const futureTime = new Date(Date.now() + 86400000).toISOString();
+            const res = await (0, supertest_1.default)(app)
+                .get(`/api/v1/workspaces/ws-events/events?since=${futureTime}`)
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            // No events should be in the future
+            expect(res.body.events).toEqual([]);
+        });
+        it('sorts ascending when sort=asc', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-events/events?sort=asc')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            if (res.body.events.length >= 2) {
+                expect(res.body.events[0].timestamp <= res.body.events[1].timestamp).toBe(true);
+            }
+        });
+        it('returns 403 for non-member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-events');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-events/events')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /workspaces/:id/api-keys — tags and plan limit branches (lines 372, 382-383)
+    // -------------------------------------------------------------------------
+    describe('POST /workspaces/:id/api-keys — tag filtering and key limit', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-key-branch', slug: 'key-branch', userId: 'u1', role: 'owner', memberId: 'mem-key-branch', plan: 'free' });
+        });
+        it('filters tags to valid strings and caps at 20', async () => {
+            const mixedTags = [
+                'valid-tag', '', null, 42, 'another-tag', ...Array(20).fill('tag'),
+            ];
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-key-branch/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Tagged Key', tags: mixedTags })
+                .expect(201);
+            // Only valid string tags should remain, capped at 20
+            expect(res.body.tags.length).toBeLessThanOrEqual(20);
+            for (const t of res.body.tags) {
+                expect(typeof t).toBe('string');
+                expect(t.length).toBeGreaterThan(0);
+            }
+        });
+        it('returns 403 when API key limit is reached', async () => {
+            // Free plan allows 5 API keys. Create 5 first.
+            for (let i = 0; i < 5; i++) {
+                saasStores.userApiKeyStore.create({
+                    id: `key-limit-${i}`,
+                    key_hash: `hash-${i}`,
+                    key_prefix: `pn_${i}`,
+                    user_id: 'u1',
+                    workspace_id: 'ws-key-branch',
+                    name: `Key ${i}`,
+                    roles: ['agent'],
+                    tags: [],
+                    revoked: false,
+                    created_at: now,
+                });
+            }
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-key-branch/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Sixth Key' })
+                .expect(403);
+            expect(res.body.error).toContain('maximum');
+        });
+        it('does not count revoked keys toward limit', async () => {
+            // Create 5 keys, all revoked
+            for (let i = 0; i < 5; i++) {
+                saasStores.userApiKeyStore.create({
+                    id: `key-revoked-${i}`,
+                    key_hash: `hash-r-${i}`,
+                    key_prefix: `pn_r${i}`,
+                    user_id: 'u1',
+                    workspace_id: 'ws-key-branch',
+                    name: `Revoked Key ${i}`,
+                    roles: ['agent'],
+                    tags: [],
+                    revoked: true,
+                    created_at: now,
+                });
+            }
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-key-branch/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'New Key After Revokes' })
+                .expect(201);
+            expect(res.body.name).toBe('New Key After Revokes');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // PATCH /workspaces/:id/api-keys/:keyId — branches (lines 477-478, 470-472)
+    // -------------------------------------------------------------------------
+    describe('PATCH /workspaces/:id/api-keys/:keyId — validation branches', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-patch-key', slug: 'patch-key', userId: 'u1', role: 'owner', memberId: 'mem-patch-key' });
+            saasStores.userApiKeyStore.create({
+                id: 'key-to-patch',
+                key_hash: 'hash-patch',
+                key_prefix: 'pn_patch',
+                user_id: 'u1',
+                workspace_id: 'ws-patch-key',
+                name: 'Original Name',
+                roles: ['agent'],
+                tags: ['original'],
+                revoked: false,
+                created_at: now,
+            });
+        });
+        it('returns 403 when user is not owner or admin', async () => {
+            saasStores.workspaceMemberStore.delete('mem-patch-key');
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-patch-viewer',
+                workspace_id: 'ws-patch-key',
+                user_id: 'u1',
+                role: 'viewer',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .patch('/api/v1/workspaces/ws-patch-key/api-keys/key-to-patch')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Updated' })
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+        it('returns 404 when key does not exist', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .patch('/api/v1/workspaces/ws-patch-key/api-keys/nonexistent')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Updated' })
+                .expect(404);
+            expect(res.body.error).toContain('not found');
+        });
+        it('returns 404 when key belongs to a different workspace', async () => {
+            saasStores.userApiKeyStore.create({
+                id: 'key-other-ws-patch',
+                key_hash: 'hash-other',
+                key_prefix: 'pn_other',
+                user_id: 'u1',
+                workspace_id: 'other-ws',
+                name: 'Other WS Key',
+                roles: ['agent'],
+                tags: [],
+                revoked: false,
+                created_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .patch('/api/v1/workspaces/ws-patch-key/api-keys/key-other-ws-patch')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Updated' })
+                .expect(404);
+            expect(res.body.error).toContain('not found');
+        });
+        it('returns 400 when no valid fields to update', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .patch('/api/v1/workspaces/ws-patch-key/api-keys/key-to-patch')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ roles: ['admin'] }) // roles is not updatable
+                .expect(400);
+            expect(res.body.error).toContain('No valid fields');
+        });
+        it('updates name only', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .patch('/api/v1/workspaces/ws-patch-key/api-keys/key-to-patch')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Renamed Key' })
+                .expect(200);
+            expect(res.body.name).toBe('Renamed Key');
+        });
+        it('updates tags only', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .patch('/api/v1/workspaces/ws-patch-key/api-keys/key-to-patch')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ tags: ['new-tag-1', 'new-tag-2'] })
+                .expect(200);
+            expect(res.body.tags).toEqual(['new-tag-1', 'new-tag-2']);
+        });
+        it('filters invalid tags during update', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .patch('/api/v1/workspaces/ws-patch-key/api-keys/key-to-patch')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ tags: ['good', '', null, 123, 'also-good'] })
+                .expect(200);
+            expect(res.body.tags).toEqual(['good', 'also-good']);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/traces — filter branches (lines 519, 525-527)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/traces — filter branches', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-traces-f', slug: 'traces-f', userId: 'u1', role: 'owner', memberId: 'mem-traces-f' });
+            const auditLogger = gateway.getAuditLogger();
+            auditLogger.log({
+                event_type: 'TOOL_EXECUTED',
+                tool_call_id: 'tc-trace-1',
+                task_id: 'task-trace-1',
+                workspace_id: 'ws-traces-f',
+                actor_id: 'agent-gamma',
+                tool_name: 'http.get',
+                metadata: { decision: 'allow', status: 'success' },
+            });
+            auditLogger.log({
+                event_type: 'POLICY_DECIDED',
+                tool_call_id: 'tc-trace-2',
+                task_id: 'task-trace-2',
+                workspace_id: 'ws-traces-f',
+                actor_id: 'agent-delta',
+                tool_name: 'db.query',
+                metadata: { decision: 'deny', status: 'blocked' },
+            });
+        });
+        it('filters by status', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-traces-f/traces?status=deny')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            // Should return only events with deny decision/status
+            expect(res.body.traces).toBeDefined();
+        });
+        it('filters by tool name', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-traces-f/traces?tool=http')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            for (const t of res.body.traces) {
+                expect(t.tool_name.toLowerCase()).toContain('http');
+            }
+        });
+        it('filters by event_type', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-traces-f/traces?event_type=blocked')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            for (const t of res.body.traces) {
+                expect(t.event_type.toLowerCase()).toContain('blocked');
+            }
+        });
+        it('returns 403 for non-member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-traces-f');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-traces-f/traces')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /workspaces/:id/approvals/:approvalId/approve — error branches (642-644)
+    // -------------------------------------------------------------------------
+    describe('POST /workspaces/:id/approvals/:approvalId/approve — error handling', () => {
+        beforeEach(() => {
+            gateway.getApprovalManager().clear();
+            seedWorkspace({ wsId: 'ws-app-err', slug: 'app-err', userId: 'u1', role: 'owner', memberId: 'mem-app-err' });
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-app-err');
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-app-err/approvals/some-id/approve')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 400 when resolveById throws (already resolved)', async () => {
+            const toolCall = {
+                tool_call_id: 'tc-double-approve',
+                task_id: 'task-double-approve',
+                workspace_id: 'ws-app-err',
+                actor: { id: 'agent-x', type: 'agent' },
+                source: { platform: 'test' },
+                tool: { name: 'http.request', version: '1.0', capability: 'write' },
+                args: { method: 'POST', url: 'https://example.com' },
+                timestamp: new Date().toISOString(),
+            };
+            const { approval } = gateway.getApprovalManager().createApproval(toolCall, 'admin', 'Test');
+            // Approve once
+            await gateway.getApprovalManager().resolveById(approval.approval_id, 'u1', true);
+            // Try to approve again — should throw
+            const res = await (0, supertest_1.default)(app)
+                .post(`/api/v1/workspaces/ws-app-err/approvals/${approval.approval_id}/approve`)
+                .set('Cookie', 'pn_session=sess1')
+                .expect(400);
+            expect(res.body.error).toBeDefined();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /workspaces/:id/approvals/:approvalId/deny — branches (658-659, 664-669, 676-678)
+    // -------------------------------------------------------------------------
+    describe('POST /workspaces/:id/approvals/:approvalId/deny — branches', () => {
+        beforeEach(() => {
+            gateway.getApprovalManager().clear();
+            seedWorkspace({ wsId: 'ws-deny-br', slug: 'deny-br', userId: 'u1', role: 'owner', memberId: 'mem-deny-br' });
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-deny-br');
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-deny-br/approvals/some-id/deny')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 404 when approval not found', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-deny-br/approvals/nonexistent/deny')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(404);
+            expect(res.body.error).toContain('not found');
+        });
+        it('returns 404 when approval belongs to different workspace', async () => {
+            const toolCall = {
+                tool_call_id: 'tc-deny-other',
+                task_id: 'task-deny-other',
+                workspace_id: 'ws-other-deny',
+                actor: { id: 'agent-y', type: 'agent' },
+                source: { platform: 'test' },
+                tool: { name: 'http.request', version: '1.0', capability: 'read' },
+                args: { method: 'GET', url: 'https://example.com' },
+                timestamp: new Date().toISOString(),
+            };
+            const { approval } = gateway.getApprovalManager().createApproval(toolCall, 'admin', 'Test');
+            const res = await (0, supertest_1.default)(app)
+                .post(`/api/v1/workspaces/ws-deny-br/approvals/${approval.approval_id}/deny`)
+                .set('Cookie', 'pn_session=sess1')
+                .expect(404);
+            expect(res.body.error).toContain('not found');
+        });
+        it('returns 400 when resolveById throws (already resolved)', async () => {
+            const toolCall = {
+                tool_call_id: 'tc-deny-double',
+                task_id: 'task-deny-double',
+                workspace_id: 'ws-deny-br',
+                actor: { id: 'agent-z', type: 'agent' },
+                source: { platform: 'test' },
+                tool: { name: 'http.request', version: '1.0', capability: 'write' },
+                args: { method: 'POST', url: 'https://example.com' },
+                timestamp: new Date().toISOString(),
+            };
+            const { approval } = gateway.getApprovalManager().createApproval(toolCall, 'admin', 'Test');
+            // Deny once
+            await gateway.getApprovalManager().resolveById(approval.approval_id, 'u1', false, 'First deny');
+            // Deny again — should throw
+            const res = await (0, supertest_1.default)(app)
+                .post(`/api/v1/workspaces/ws-deny-br/approvals/${approval.approval_id}/deny`)
+                .set('Cookie', 'pn_session=sess1')
+                .send({ reason: 'Second deny' })
+                .expect(400);
+            expect(res.body.error).toBeDefined();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // PUT /workspaces/:id/policies — branches (716-717, admin role check)
+    // -------------------------------------------------------------------------
+    describe('PUT /workspaces/:id/policies — role and validation branches', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-pol-put', slug: 'pol-put', userId: 'u1', role: 'owner', memberId: 'mem-pol-put' });
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-pol-put');
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-pol-put/policies')
+                .set('Cookie', 'pn_session=sess1')
+                .send({})
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 403 when user role is member (not owner/admin)', async () => {
+            saasStores.workspaceMemberStore.delete('mem-pol-put');
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-pol-put-member',
+                workspace_id: 'ws-pol-put',
+                user_id: 'u1',
+                role: 'member',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-pol-put/policies')
+                .set('Cookie', 'pn_session=sess1')
+                .send({})
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+        it('returns 400 when policy is invalid', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-pol-put/policies')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: '', rules: 'not-an-array' })
+                .expect(400);
+            expect(res.body.valid).toBe(false);
+            expect(res.body.errors).toBeDefined();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // DELETE /workspaces/:id/policies — branches (753-754, 756-758)
+    // -------------------------------------------------------------------------
+    describe('DELETE /workspaces/:id/policies — branches', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-pol-del', slug: 'pol-del', userId: 'u1', role: 'owner', memberId: 'mem-pol-del' });
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-pol-del');
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-pol-del/policies')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 403 when user role is viewer', async () => {
+            saasStores.workspaceMemberStore.delete('mem-pol-del');
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-pol-del-viewer',
+                workspace_id: 'ws-pol-del',
+                user_id: 'u1',
+                role: 'viewer',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-pol-del/policies')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+        it('successfully resets policy for owner', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-pol-del/policies')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('reset');
+            expect(res.body.is_custom).toBe(false);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /workspaces/:id/policies/validate — branches (784-785)
+    // -------------------------------------------------------------------------
+    describe('POST /workspaces/:id/policies/validate — branches', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-pol-val', slug: 'pol-val', userId: 'u1', role: 'owner', memberId: 'mem-pol-val' });
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-pol-val');
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-pol-val/policies/validate')
+                .set('Cookie', 'pn_session=sess1')
+                .send({})
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('validates a policy pack and returns result', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-pol-val/policies/validate')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'test-pack', version: '1.0', rules: [] })
+                .expect(200);
+            expect(res.body.valid).toBeDefined();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/security — DLP severity "low" branch (line 974)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/security — DLP low severity', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-sec-low', slug: 'sec-low', userId: 'u1', role: 'owner', memberId: 'mem-sec-low' });
+        });
+        it('counts events with unknown severity as low', async () => {
+            const auditLogger = gateway.getAuditLogger();
+            auditLogger.log({
+                event_type: 'DLP_SCANNED',
+                tool_call_id: 'tc-dlp-low',
+                task_id: 'task-dlp-low',
+                workspace_id: 'ws-sec-low',
+                actor_id: 'agent-dlp-low',
+                tool_name: 'http.post',
+                metadata: { severity: 'info', detected: ['generic_pattern'] },
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-sec-low/security')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.stats.low).toBeGreaterThanOrEqual(1);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /workspaces/:id/switch — workspace not found branch (1013-1014)
+    // -------------------------------------------------------------------------
+    describe('POST /workspaces/:id/switch — workspace not found', () => {
+        it('returns 404 when workspace is deleted but membership exists', async () => {
+            seedWorkspace({ wsId: 'ws-switch-del', slug: 'switch-del', userId: 'u1', role: 'owner', memberId: 'mem-switch-del' });
+            saasStores.workspaceStore.delete('ws-switch-del');
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-switch-del/switch')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(404);
+            expect(res.body.error).toContain('Workspace not found');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // PUT /workspaces/:id/members/:memberId — branches (1106-1107, member in different ws)
+    // -------------------------------------------------------------------------
+    describe('PUT /workspaces/:id/members/:memberId — member not found branches', () => {
+        beforeEach(() => {
+            saasStores.userStore.create({
+                id: 'u2',
+                email: 'other@test.com',
+                display_name: 'Other User',
+                avatar_url: '',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            seedWorkspace({ wsId: 'ws-role-br', slug: 'role-br', userId: 'u1', role: 'owner', memberId: 'mem-role-br-owner' });
+        });
+        it('returns 404 when member belongs to a different workspace', async () => {
+            // Create member in a different workspace
+            seedWorkspace({ wsId: 'ws-other-role', slug: 'other-role', userId: 'u2', role: 'owner', memberId: 'mem-other-role' });
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-role-br/members/mem-other-role')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ role: 'admin' })
+                .expect(404);
+            expect(res.body.error).toContain('Member not found');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // DELETE /workspaces/:id/members/:memberId — branches (1106-1107, 1117-1122)
+    // -------------------------------------------------------------------------
+    describe('DELETE /workspaces/:id/members/:memberId — additional branches', () => {
+        beforeEach(() => {
+            saasStores.userStore.create({
+                id: 'u2',
+                email: 'other@test.com',
+                display_name: 'Other User',
+                avatar_url: '',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            seedWorkspace({ wsId: 'ws-del-br', slug: 'del-br', userId: 'u1', role: 'owner', memberId: 'mem-del-br-owner' });
+        });
+        it('returns 404 when target member belongs to different workspace', async () => {
+            seedWorkspace({ wsId: 'ws-del-other', slug: 'del-other', userId: 'u2', role: 'owner', memberId: 'mem-del-other' });
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-del-br/members/mem-del-other')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(404);
+            expect(res.body.error).toContain('Member not found');
+        });
+        it('allows removing owner when another owner exists', async () => {
+            // Add u2 as owner in ws-del-br
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-del-br-u2',
+                workspace_id: 'ws-del-br',
+                user_id: 'u2',
+                role: 'owner',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-del-br/members/mem-del-br-u2')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('ok');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /workspaces/:id/members — plan limit branch (lines 1153-1154)
+    // -------------------------------------------------------------------------
+    describe('POST /workspaces/:id/members — member limit enforcement', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-mem-limit', slug: 'mem-limit', userId: 'u1', role: 'owner', memberId: 'mem-limit-owner', plan: 'free' });
+        });
+        it('returns 403 when member limit is reached for free plan', async () => {
+            // Free plan allows 3 members. u1 is already a member (1). Add 2 more.
+            for (let i = 2; i <= 3; i++) {
+                const uid = `u-limit-${i}`;
+                saasStores.userStore.create({
+                    id: uid,
+                    email: `limit${i}@test.com`,
+                    display_name: `Limit User ${i}`,
+                    avatar_url: '',
+                    status: 'active',
+                    onboarding_completed: true,
+                    created_at: now,
+                    updated_at: now,
+                });
+                saasStores.workspaceMemberStore.create({
+                    id: `mem-limit-${i}`,
+                    workspace_id: 'ws-mem-limit',
+                    user_id: uid,
+                    role: 'member',
+                    joined_at: now,
+                });
+            }
+            // Now at 3 members (limit). Try to add a 4th.
+            saasStores.userStore.create({
+                id: 'u-limit-4',
+                email: 'limit4@test.com',
+                display_name: 'Limit User 4',
+                avatar_url: '',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-mem-limit/members')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ email: 'limit4@test.com', role: 'member' })
+                .expect(403);
+            expect(res.body.error).toContain('maximum');
+            // Cleanup extra users
+            saasStores.userStore.delete('u-limit-2');
+            saasStores.userStore.delete('u-limit-3');
+            saasStores.userStore.delete('u-limit-4');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/traces/:taskId — slug matching branch (line 1217)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/traces/:taskId — slug matching', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-trace-slug', slug: 'trace-slug-ws', userId: 'u1', role: 'owner', memberId: 'mem-trace-slug' });
+        });
+        it('returns 403 for non-member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-trace-slug');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-trace-slug/traces/some-task')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/anomalies/baseline — no detector branch (1320-1321)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/anomalies/baseline', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-anomaly', slug: 'anomaly-ws', userId: 'u1', role: 'owner', memberId: 'mem-anomaly' });
+        });
+        it('returns fallback when no anomaly detector exists', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-anomaly/anomalies/baseline')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            // Either returns baseline report or the fallback empty object
+            expect(res.body).toBeDefined();
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-anomaly');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-anomaly/anomalies/baseline')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/agents/:actorId/trust — no detector branch (1346-1347)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/agents/:actorId/trust', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-trust', slug: 'trust-ws', userId: 'u1', role: 'owner', memberId: 'mem-trust' });
+        });
+        it('returns trust score', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-trust/agents/agent-1/trust')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.actor_id).toBeDefined();
+            expect(res.body.score).toBeDefined();
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-trust');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-trust/agents/agent-1/trust')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/agents/trust-leaderboard — branches (1376-1377, 1387-1394)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/agents/trust-leaderboard', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-leader', slug: 'leader-ws', userId: 'u1', role: 'owner', memberId: 'mem-leader' });
+        });
+        it('returns empty agents when no events', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-leader/agents/trust-leaderboard')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.agents).toBeDefined();
+        });
+        it('returns leaderboard with events present', async () => {
+            const auditLogger = gateway.getAuditLogger();
+            auditLogger.log({
+                event_type: 'TOOL_EXECUTED',
+                tool_call_id: 'tc-leader-1',
+                task_id: 'task-leader-1',
+                workspace_id: 'ws-leader',
+                actor_id: 'leaderboard-agent',
+                tool_name: 'http.request',
+                metadata: { decision: 'allow' },
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-leader/agents/trust-leaderboard')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.agents).toBeDefined();
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-leader');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-leader/agents/trust-leaderboard')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /workspaces/:id/replay — branches (1413-1420)
+    // -------------------------------------------------------------------------
+    describe('POST /workspaces/:id/replay', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-replay', slug: 'replay-ws', userId: 'u1', role: 'owner', memberId: 'mem-replay' });
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-replay');
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-replay/replay')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ task_id: 'task-1', policy_pack_path: './policy-packs/dev_fast.yaml' })
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 400 when task_id is missing', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-replay/replay')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ policy_pack_path: './policy-packs/dev_fast.yaml' })
+                .expect(400);
+            expect(res.body.error).toContain('task_id is required');
+        });
+        it('returns 400 when policy_pack_path is missing', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-replay/replay')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ task_id: 'task-1' })
+                .expect(400);
+            expect(res.body.error).toContain('policy_pack_path is required');
+        });
+        it('runs replay successfully', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-replay/replay')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ task_id: 'task-nonexistent', policy_pack_path: './policy-packs/dev_fast.yaml' })
+                .expect(200);
+            expect(res.body).toBeDefined();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/llm-usage — branches (1459-1461, 1481-1503, 1514, 1529-1533)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/llm-usage', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-llm', slug: 'llm-ws', userId: 'u1', role: 'owner', memberId: 'mem-llm' });
+        });
+        it('returns empty summary when no LLM events exist', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-llm/llm-usage')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.summary.total_requests).toBe(0);
+            expect(res.body.summary.total_cost_usd).toBe(0);
+            expect(res.body.summary.total_tokens).toBe(0);
+            expect(res.body.by_model).toEqual([]);
+            expect(res.body.time_series).toBeDefined();
+        });
+        it('aggregates LLM usage from events with model metadata', async () => {
+            const auditLogger = gateway.getAuditLogger();
+            auditLogger.log({
+                event_type: 'TOOL_EXECUTED',
+                tool_call_id: 'tc-llm-1',
+                task_id: 'task-llm-1',
+                workspace_id: 'ws-llm',
+                actor_id: 'agent-llm',
+                tool_name: 'http.request',
+                metadata: {
+                    model: 'claude-3-opus',
+                    provider: 'anthropic',
+                    input_tokens: 100,
+                    output_tokens: 50,
+                    cost_usd: 0.05,
+                    duration_ms: 1200,
+                },
+            });
+            auditLogger.log({
+                event_type: 'TOOL_EXECUTED',
+                tool_call_id: 'tc-llm-2',
+                task_id: 'task-llm-2',
+                workspace_id: 'ws-llm',
+                actor_id: 'agent-llm',
+                tool_name: 'http.request',
+                metadata: {
+                    model: 'claude-3-opus',
+                    provider: 'anthropic',
+                    input_tokens: 200,
+                    output_tokens: 100,
+                    cost_usd: 0.10,
+                    duration_ms: 800,
+                },
+            });
+            auditLogger.log({
+                event_type: 'TOOL_EXECUTED',
+                tool_call_id: 'tc-llm-3',
+                task_id: 'task-llm-3',
+                workspace_id: 'ws-llm',
+                actor_id: 'agent-llm',
+                tool_name: 'http.request',
+                metadata: {
+                    model: 'gpt-4',
+                    provider: 'openai',
+                    input_tokens: 300,
+                    output_tokens: 150,
+                    cost_usd: 0.20,
+                    duration_ms: 2000,
+                },
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-llm/llm-usage')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.summary.total_requests).toBe(3);
+            expect(res.body.summary.total_cost_usd).toBeCloseTo(0.35, 2);
+            expect(res.body.summary.total_tokens).toBe(900); // 100+50+200+100+300+150
+            expect(res.body.by_model.length).toBe(2);
+            expect(res.body.time_series.length).toBeGreaterThan(0);
+        });
+        it('supports different range query params', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-llm/llm-usage?range=7d')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.summary).toBeDefined();
+            expect(res.body.time_series).toBeDefined();
+        });
+        it('defaults to 24h when invalid range given', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-llm/llm-usage?range=invalid')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.summary).toBeDefined();
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-llm');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-llm/llm-usage')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/rate-limits — branches (1579-1580)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/rate-limits', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-rl-get', slug: 'rl-get', userId: 'u1', role: 'owner', memberId: 'mem-rl-get' });
+        });
+        it('returns global config when no custom config', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-rl-get/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.config).toBeDefined();
+            expect(res.body.is_custom).toBe(false);
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-rl-get');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-rl-get/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // PUT /workspaces/:id/rate-limits — branches (1597-1598, 1613, 1616)
+    // -------------------------------------------------------------------------
+    describe('PUT /workspaces/:id/rate-limits', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-rl-put', slug: 'rl-put', userId: 'u1', role: 'owner', memberId: 'mem-rl-put' });
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-rl-put');
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-rl-put/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ actor_max_per_window: 50 })
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 403 when user is not owner/admin', async () => {
+            saasStores.workspaceMemberStore.delete('mem-rl-put');
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-rl-put-viewer',
+                workspace_id: 'ws-rl-put',
+                user_id: 'u1',
+                role: 'viewer',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-rl-put/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ actor_max_per_window: 50 })
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+        it('returns 400 when actor_max_per_window is invalid', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-rl-put/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ actor_max_per_window: -5 })
+                .expect(400);
+            expect(res.body.error).toContain('Validation failed');
+            expect(res.body.errors).toContain('actor_max_per_window must be a positive number');
+        });
+        it('returns 400 when workspace_max_per_window is not a number', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-rl-put/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ workspace_max_per_window: 'abc' })
+                .expect(400);
+            expect(res.body.errors).toContain('workspace_max_per_window must be a positive number');
+        });
+        it('returns 400 when window_ms is zero', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-rl-put/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ window_ms: 0 })
+                .expect(400);
+            expect(res.body.errors).toContain('window_ms must be a positive number');
+        });
+        it('successfully sets rate limit config', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-rl-put/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ actor_max_per_window: 200, workspace_max_per_window: 1000 })
+                .expect(200);
+            expect(res.body.is_custom).toBe(true);
+            expect(res.body.config.actor_max_per_window).toBe(200);
+            expect(res.body.config.workspace_max_per_window).toBe(1000);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // DELETE /workspaces/:id/rate-limits — branches (1651-1652, 1654-1656)
+    // -------------------------------------------------------------------------
+    describe('DELETE /workspaces/:id/rate-limits', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-rl-del', slug: 'rl-del', userId: 'u1', role: 'owner', memberId: 'mem-rl-del' });
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-rl-del');
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-rl-del/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 403 when not owner/admin', async () => {
+            saasStores.workspaceMemberStore.delete('mem-rl-del');
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-rl-del-member',
+                workspace_id: 'ws-rl-del',
+                user_id: 'u1',
+                role: 'member',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-rl-del/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+        it('successfully resets rate limit config', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-rl-del/rate-limits')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('reset');
+            expect(res.body.is_custom).toBe(false);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/budget-config — branches (1686-1687)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/budget-config', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-bc-get', slug: 'bc-get', userId: 'u1', role: 'owner', memberId: 'mem-bc-get' });
+        });
+        it('returns global config when no custom budget config', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-bc-get/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.config).toBeDefined();
+            expect(res.body.is_custom).toBe(false);
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-bc-get');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-bc-get/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // PUT /workspaces/:id/budget-config — branches (1703-1704, 1706-1708, 1720-1728)
+    // -------------------------------------------------------------------------
+    describe('PUT /workspaces/:id/budget-config', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-bc-put', slug: 'bc-put', userId: 'u1', role: 'owner', memberId: 'mem-bc-put' });
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-bc-put');
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-bc-put/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ task_budget_usd: 50 })
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 403 when not owner/admin', async () => {
+            saasStores.workspaceMemberStore.delete('mem-bc-put');
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-bc-put-viewer',
+                workspace_id: 'ws-bc-put',
+                user_id: 'u1',
+                role: 'viewer',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-bc-put/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ task_budget_usd: 50 })
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+        it('returns 400 when task_budget_usd is negative', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-bc-put/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ task_budget_usd: -10 })
+                .expect(400);
+            expect(res.body.error).toContain('Validation failed');
+            expect(res.body.errors).toContain('task_budget_usd must be a positive number');
+        });
+        it('returns 400 when max_steps_per_task is not a number', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-bc-put/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ max_steps_per_task: 'lots' })
+                .expect(400);
+            expect(res.body.errors).toContain('max_steps_per_task must be a positive number');
+        });
+        it('validates multiple fields at once', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-bc-put/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .send({
+                task_budget_usd: 0,
+                max_wall_clock_ms: -1,
+                max_retries_per_call: 'abc',
+            })
+                .expect(400);
+            expect(res.body.errors.length).toBeGreaterThanOrEqual(3);
+        });
+        it('successfully sets budget config', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-bc-put/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .send({
+                task_budget_usd: 200,
+                workspace_monthly_budget_usd: 10000,
+            })
+                .expect(200);
+            expect(res.body.is_custom).toBe(true);
+            expect(res.body.config.task_budget_usd).toBe(200);
+            expect(res.body.config.workspace_monthly_budget_usd).toBe(10000);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // DELETE /workspaces/:id/budget-config — branches (1758-1759, 1761-1763)
+    // -------------------------------------------------------------------------
+    describe('DELETE /workspaces/:id/budget-config', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-bc-del', slug: 'bc-del', userId: 'u1', role: 'owner', memberId: 'mem-bc-del' });
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-bc-del');
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-bc-del/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 403 when not owner/admin', async () => {
+            saasStores.workspaceMemberStore.delete('mem-bc-del');
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-bc-del-member',
+                workspace_id: 'ws-bc-del',
+                user_id: 'u1',
+                role: 'member',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-bc-del/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+        it('successfully resets budget config', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-bc-del/budget-config')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('reset');
+            expect(res.body.is_custom).toBe(false);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/dashboard/stats — branches (various)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/dashboard/stats', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-dash', slug: 'dash-ws', userId: 'u1', role: 'owner', memberId: 'mem-dash' });
+        });
+        it('returns dashboard stats', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-dash/dashboard/stats')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.metrics).toBeDefined();
+            expect(res.body.shield_score).toBeDefined();
+            expect(res.body.pipeline_throughput).toBeDefined();
+            expect(typeof res.body.metrics.requests_per_minute).toBe('number');
+            expect(typeof res.body.metrics.blocked_24h).toBe('number');
+            expect(typeof res.body.metrics.pending_approvals).toBe('number');
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-dash');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-dash/dashboard/stats')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // 401 tests for many endpoints to cover requireSession branch
+    // -------------------------------------------------------------------------
+    describe('401 — requireSession for unauthenticated requests', () => {
+        // Test a few representative endpoints without session cookie.
+        // With auth enabled but no API key, middleware returns 401.
+        // After many unauthenticated requests the IP rate limiter may return 429.
+        // We accept both to avoid flakiness.
+        const endpoints = [
+            { method: 'get', path: '/api/v1/workspaces/ws-1/stats' },
+            { method: 'get', path: '/api/v1/workspaces/ws-1/events' },
+            { method: 'get', path: '/api/v1/workspaces/ws-1/traces' },
+            { method: 'delete', path: '/api/v1/workspaces/ws-1/traces' },
+            { method: 'delete', path: '/api/v1/workspaces/ws-1/traces/task-1' },
+            { method: 'delete', path: '/api/v1/workspaces/ws-1/sessions/sess-1' },
+        ];
+        for (const { method, path } of endpoints) {
+            it(`returns 401 or 429 for ${method.toUpperCase()} ${path} without auth`, async () => {
+                const res = await (0, supertest_1.default)(app)[method](path);
+                expect([401, 429]).toContain(res.status);
+            });
+        }
+    });
+    // -------------------------------------------------------------------------
+    // GET /workspaces/:id/stats — slug matching branch (line 228-229, 239)
+    // -------------------------------------------------------------------------
+    describe('GET /workspaces/:id/stats — branches', () => {
+        beforeEach(() => {
+            seedWorkspace({ wsId: 'ws-stats-br', slug: 'stats-br', userId: 'u1', role: 'owner', memberId: 'mem-stats-br' });
+        });
+        it('returns stats with API keys counted', async () => {
+            // Create some API keys, one revoked
+            saasStores.userApiKeyStore.create({
+                id: 'key-stats-1',
+                key_hash: 'hash-s1',
+                key_prefix: 'pn_s1',
+                user_id: 'u1',
+                workspace_id: 'ws-stats-br',
+                name: 'Active Key',
+                roles: ['agent'],
+                tags: [],
+                revoked: false,
+                created_at: now,
+            });
+            saasStores.userApiKeyStore.create({
+                id: 'key-stats-2',
+                key_hash: 'hash-s2',
+                key_prefix: 'pn_s2',
+                user_id: 'u1',
+                workspace_id: 'ws-stats-br',
+                name: 'Revoked Key',
+                roles: ['agent'],
+                tags: [],
+                revoked: true,
+                created_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-stats-br/stats')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            // Only non-revoked keys counted
+            expect(res.body.api_keys).toBe(1);
+            expect(res.body.members).toBe(1);
+        });
+        it('returns 403 when not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-stats-br');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-stats-br/stats')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // DELETE /workspaces/:id/traces/:taskId  (single trace delete)
+    // DELETE /workspaces/:id/sessions/:sessionId (session delete)
+    // -------------------------------------------------------------------------
+    describe('Trace & Session Deletion', () => {
+        const wsId = 'ws-del-traces';
+        beforeEach(() => {
+            seedWorkspace({ wsId, slug: 'del-traces', userId: 'u1', role: 'owner', memberId: 'mem-del-traces' });
+            // Seed some audit events
+            const logger = gateway.getAuditLogger();
+            logger.log({
+                event_type: 'TOOL_CALL_RECEIVED',
+                tool_call_id: 'tc-del-1',
+                session_id: 'sess-del-1',
+                task_id: 'task-del-1',
+                workspace_id: wsId,
+                actor_id: 'agent-1',
+                tool_name: 'http.get',
+                metadata: {},
+            });
+            logger.log({
+                event_type: 'TOOL_RESULT_RETURNED',
+                tool_call_id: 'tc-del-1',
+                session_id: 'sess-del-1',
+                task_id: 'task-del-1',
+                workspace_id: wsId,
+                actor_id: 'agent-1',
+                tool_name: 'http.get',
+                metadata: { status: 'ok', duration_ms: 50 },
+            });
+            logger.log({
+                event_type: 'TOOL_CALL_RECEIVED',
+                tool_call_id: 'tc-del-2',
+                session_id: 'sess-del-2',
+                task_id: 'task-del-2',
+                workspace_id: wsId,
+                actor_id: 'agent-1',
+                tool_name: 'http.post',
+                metadata: {},
+            });
+        });
+        afterEach(() => {
+            gateway.getAuditLogger().clear();
+        });
+        it('DELETE /workspaces/:id/traces clears all events', async () => {
+            const before = gateway.getAuditLogger().getAllEvents().length;
+            expect(before).toBeGreaterThan(0);
+            const res = await (0, supertest_1.default)(app)
+                .delete(`/api/v1/workspaces/${wsId}/traces`)
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('ok');
+            expect(gateway.getAuditLogger().getAllEvents()).toHaveLength(0);
+        });
+        it('DELETE /workspaces/:id/traces/:taskId removes events for that task_id', async () => {
+            // Verify events exist before
+            const before = gateway.getAuditLogger().getAllEvents().filter(e => e.task_id === 'task-del-1');
+            expect(before.length).toBe(2);
+            const res = await (0, supertest_1.default)(app)
+                .delete(`/api/v1/workspaces/${wsId}/traces/task-del-1`)
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('ok');
+            // Verify events removed
+            const after = gateway.getAuditLogger().getAllEvents().filter(e => e.task_id === 'task-del-1');
+            expect(after.length).toBe(0);
+            // Other events still exist
+            const remaining = gateway.getAuditLogger().getAllEvents().filter(e => e.task_id === 'task-del-2');
+            expect(remaining.length).toBe(1);
+        });
+        it('DELETE /workspaces/:id/sessions/:sessionId removes events for that session_id', async () => {
+            const before = gateway.getAuditLogger().getAllEvents().filter(e => e.session_id === 'sess-del-1');
+            expect(before.length).toBe(2);
+            const res = await (0, supertest_1.default)(app)
+                .delete(`/api/v1/workspaces/${wsId}/sessions/sess-del-1`)
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('ok');
+            const after = gateway.getAuditLogger().getAllEvents().filter(e => e.session_id === 'sess-del-1');
+            expect(after.length).toBe(0);
+            // Other session's events still exist
+            const remaining = gateway.getAuditLogger().getAllEvents().filter(e => e.session_id === 'sess-del-2');
+            expect(remaining.length).toBe(1);
+        });
+        it('returns 403 for non-admin on trace delete', async () => {
+            saasStores.userStore.create({
+                id: 'u2',
+                email: 'viewer@test.com',
+                display_name: 'Viewer',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.sessionStore.create({
+                id: 'sess2',
+                user_id: 'u2',
+                expires_at: new Date(Date.now() + 3600000).toISOString(),
+                last_active_at: now,
+                created_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-del-traces-viewer',
+                workspace_id: wsId,
+                user_id: 'u2',
+                role: 'viewer',
+                joined_at: now,
+            });
+            await (0, supertest_1.default)(app)
+                .delete(`/api/v1/workspaces/${wsId}/traces/task-del-1`)
+                .set('Cookie', 'pn_session=sess2')
+                .expect(403);
+        });
+        it('returns 403 for non-admin on session delete', async () => {
+            saasStores.userStore.create({
+                id: 'u2',
+                email: 'viewer@test.com',
+                display_name: 'Viewer',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.sessionStore.create({
+                id: 'sess2',
+                user_id: 'u2',
+                expires_at: new Date(Date.now() + 3600000).toISOString(),
+                last_active_at: now,
+                created_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-del-traces-viewer',
+                workspace_id: wsId,
+                user_id: 'u2',
+                role: 'viewer',
+                joined_at: now,
+            });
+            await (0, supertest_1.default)(app)
+                .delete(`/api/v1/workspaces/${wsId}/sessions/sess-del-1`)
+                .set('Cookie', 'pn_session=sess2')
+                .expect(403);
+        });
+    });
+});
+//# sourceMappingURL=saas-routes-branches.test.js.map