palaryn 0.1.0

package/dist/tests/integration/api.test.js

@@ -0,0 +1,1199 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const supertest_1 = __importDefault(require("supertest"));
+const http = __importStar(require("http"));
+const app_1 = require("../../src/server/app");
+// ---------------------------------------------------------------------------
+// Local test HTTP server for the executor to call
+// ---------------------------------------------------------------------------
+let testServer;
+let testServerPort;
+beforeAll((done) => {
+    testServer = http.createServer((req, res) => {
+        if (req.url === '/api/data' && req.method === 'GET') {
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ data: 'test response', items: [1, 2, 3] }));
+        }
+        else if (req.url === '/api/create' && req.method === 'POST') {
+            let body = '';
+            req.on('data', (chunk) => (body += chunk));
+            req.on('end', () => {
+                res.writeHead(201, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ created: true, received: JSON.parse(body) }));
+            });
+        }
+        else if (req.url === '/api/secret-echo') {
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ token: 'Bearer sk-secret-token-12345678' }));
+        }
+        else {
+            res.writeHead(404, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ error: 'not found' }));
+        }
+    });
+    testServer.listen(0, '127.0.0.1', () => {
+        testServerPort = testServer.address().port;
+        done();
+    });
+});
+afterAll((done) => {
+    testServer.close(done);
+});
+// ---------------------------------------------------------------------------
+// Test config factory
+// ---------------------------------------------------------------------------
+function createTestConfig(overrides) {
+    return {
+        port: 0,
+        host: '127.0.0.1',
+        auth: {
+            enabled: true,
+            api_keys: {
+                'test-key': { workspace_id: 'ws_test', description: 'Test key', roles: ['admin'] },
+                'approver-key': { workspace_id: 'ws_test', description: 'Approver key', roles: ['admin'] },
+            },
+        },
+        policy: {
+            pack_path: './policy-packs/dev_fast.yaml',
+            default_effect: 'DENY',
+            hot_reload: false,
+        },
+        dlp: {
+            enabled: true,
+            scan_args: true,
+            scan_output: true,
+            secrets_detection: true,
+            pii_detection: true,
+            default_redaction_method: 'mask',
+        },
+        budget: {
+            task_budget_usd: 2.0,
+            max_steps_per_task: 50,
+            max_retries_per_call: 3,
+            max_wall_clock_ms: 300000,
+        },
+        audit: {
+            enabled: true,
+            log_dir: '',
+            console_output: false,
+            retention_days: 30,
+        },
+        executor: {
+            http: {
+                timeout_ms: 5000,
+                max_retries: 1,
+                backoff_base_ms: 100,
+            },
+            cache: {
+                enabled: true,
+                ttl_ms: 60000,
+            },
+        },
+        approval: {
+            enabled: true,
+            token_secret: 'test-integration-secret',
+            default_ttl_seconds: 3600,
+        },
+        rate_limit: {
+            enabled: true,
+            actor_max_per_window: 100,
+            workspace_max_per_window: 500,
+            window_ms: 60000,
+        },
+        ...overrides,
+    };
+}
+// ---------------------------------------------------------------------------
+// Helper: build a valid ToolCall payload
+// ---------------------------------------------------------------------------
+function buildToolCall(overrides) {
+    return {
+        tool_call_id: `tc-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+        task_id: 'task-integ-001',
+        actor: { type: 'agent', id: 'test-agent', display: 'Test Agent' },
+        source: { platform: 'integration-test' },
+        tool: { name: 'http.request', capability: 'read' },
+        args: {
+            method: 'GET',
+            url: `http://127.0.0.1:${testServerPort}/api/data`,
+        },
+        ...overrides,
+    };
+}
+// ---------------------------------------------------------------------------
+// Helper: extract CSRF token from HTML response
+// ---------------------------------------------------------------------------
+function extractCSRFToken(html) {
+    const match = html.match(/name="_csrf"\s+value="([^"]+)"/);
+    return match ? match[1] : '';
+}
+// ===========================================================================
+// Integration Tests
+// ===========================================================================
+describe('Gateway API Integration', () => {
+    let app;
+    let gateway;
+    let healthChecks;
+    beforeEach(() => {
+        const result = (0, app_1.createApp)(createTestConfig());
+        app = result.app;
+        gateway = result.gateway;
+        healthChecks = result.healthChecks;
+        // Disable SSRF protection for tests using localhost
+        gateway.getHttpExecutor().ssrfProtectionEnabled = false;
+    });
+    afterEach(() => {
+        gateway.shutdown();
+    });
+    // -------------------------------------------------------------------------
+    // Health Check
+    // -------------------------------------------------------------------------
+    describe('GET /health', () => {
+        it('should return 200 with status ok', async () => {
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Authentication
+    // -------------------------------------------------------------------------
+    describe('Authentication', () => {
+        it('should return 401 without API key', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .send(buildToolCall());
+            expect(res.status).toBe(401);
+            expect(res.body.error).toContain('Missing API key');
+        });
+        it('should return 403 with invalid API key', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'bad-key')
+                .send(buildToolCall());
+            expect(res.status).toBe(403);
+            expect(res.body.error).toContain('Invalid API key');
+        });
+        it('should accept valid API key via X-API-Key header', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall());
+            expect(res.status).not.toBe(401);
+            expect(res.status).not.toBe(403);
+        });
+        it('should accept valid API key via Bearer token', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('Authorization', 'Bearer test-key')
+                .send(buildToolCall());
+            expect(res.status).not.toBe(401);
+            expect(res.status).not.toBe(403);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /v1/tool/execute
+    // -------------------------------------------------------------------------
+    describe('POST /v1/tool/execute', () => {
+        it('should return 400 when tool_call_id is missing', async () => {
+            const { tool_call_id, ...body } = buildToolCall();
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(body);
+            expect(res.status).toBe(400);
+            expect(res.body.details).toContain('tool_call_id is required');
+        });
+        it('should return 400 when actor is missing', async () => {
+            const { actor, ...body } = buildToolCall();
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(body);
+            expect(res.status).toBe(400);
+        });
+        it('should return 400 when tool is missing', async () => {
+            const { tool, ...body } = buildToolCall();
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(body);
+            expect(res.status).toBe(400);
+        });
+        it('should execute a read request and return status ok', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall());
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            expect(res.body.policy.decision).toBe('allow');
+        });
+        it('should include all ToolResult fields in response', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall());
+            expect(res.body).toHaveProperty('tool_call_id');
+            expect(res.body).toHaveProperty('task_id');
+            expect(res.body).toHaveProperty('status');
+            expect(res.body).toHaveProperty('policy');
+            expect(res.body).toHaveProperty('dlp');
+            expect(res.body).toHaveProperty('budget');
+            expect(res.body).toHaveProperty('timing');
+            expect(res.body.policy).toHaveProperty('decision');
+            expect(res.body.policy).toHaveProperty('reasons');
+            expect(res.body.dlp).toHaveProperty('detected');
+            expect(res.body.dlp).toHaveProperty('severity');
+            expect(res.body.budget).toHaveProperty('estimated_cost_usd');
+            expect(res.body.budget).toHaveProperty('spent_cost_usd_task');
+            expect(res.body.budget).toHaveProperty('remaining_cost_usd_task');
+            expect(res.body.timing).toHaveProperty('started_at');
+            expect(res.body.timing).toHaveProperty('duration_ms');
+        });
+        it('should return output with http_status and body', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall());
+            expect(res.body.output).toBeDefined();
+            expect(res.body.output.http_status).toBe(200);
+            expect(res.body.output.body).toEqual({ data: 'test response', items: [1, 2, 3] });
+        });
+        it('should allow write operations with dev_fast policy', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool: { name: 'http.request', capability: 'write' },
+                args: {
+                    method: 'POST',
+                    url: `http://127.0.0.1:${testServerPort}/api/create`,
+                    body: { key: 'value' },
+                },
+            }));
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            expect(res.body.policy.decision).toBe('allow');
+        });
+        it('should require approval for delete operations with dev_fast policy', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool: { name: 'http.request', capability: 'delete' },
+                args: {
+                    method: 'DELETE',
+                    url: `http://127.0.0.1:${testServerPort}/api/data`,
+                },
+            }));
+            expect(res.status).toBe(202);
+            expect(res.body.status).toBe('needs_approval');
+            expect(res.body.approval).toBeDefined();
+            expect(res.body.approval.token).toBeDefined();
+            expect(res.body.approval.approval_id).toBeDefined();
+        });
+        it('should track budget across multiple calls in the same task', async () => {
+            const taskId = 'task-budget-test';
+            const res1 = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({ task_id: taskId }));
+            const res2 = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({ task_id: taskId }));
+            expect(res2.body.budget.spent_cost_usd_task).toBeGreaterThan(0);
+            expect(res2.body.budget.remaining_cost_usd_task).toBeLessThan(res1.body.budget.remaining_cost_usd_task);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // DLP Detection in Pipeline
+    // -------------------------------------------------------------------------
+    describe('DLP Detection', () => {
+        it('should detect secrets in tool call args (Bearer token in header)', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                args: {
+                    method: 'GET',
+                    url: `http://127.0.0.1:${testServerPort}/api/data`,
+                    headers: {
+                        Authorization: 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U',
+                    },
+                },
+            }));
+            expect(res.body.dlp.detected.length).toBeGreaterThan(0);
+            expect(res.body.dlp.severity).not.toBe('low');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /v1/tool/approve
+    // -------------------------------------------------------------------------
+    describe('POST /v1/tool/approve', () => {
+        it('should return 400 without approval_token', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .set('X-API-Key', 'test-key')
+                .send({});
+            expect(res.status).toBe(400);
+            expect(res.body.error).toContain('approval_token is required');
+        });
+        it('should approve a pending action with valid token', async () => {
+            // First trigger an approval
+            const execRes = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool: { name: 'http.request', capability: 'delete' },
+                args: { method: 'DELETE', url: `http://127.0.0.1:${testServerPort}/api/data` },
+            }));
+            expect(execRes.body.status).toBe('needs_approval');
+            const token = execRes.body.approval.token;
+            // Now approve it (using a different key to avoid self-approval rejection)
+            const approveRes = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .set('X-API-Key', 'approver-key')
+                .send({
+                approval_token: token,
+                approved: true,
+                approver_id: 'admin-001',
+            });
+            expect(approveRes.status).toBe(200);
+            expect(approveRes.body.status).toBe('ok');
+            expect(approveRes.body.success).toBe(true);
+        });
+        it('should deny a pending action', async () => {
+            const execRes = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool: { name: 'http.request', capability: 'admin' },
+                args: { method: 'DELETE', url: `http://127.0.0.1:${testServerPort}/api/data` },
+            }));
+            const token = execRes.body.approval.token;
+            const denyRes = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .set('X-API-Key', 'test-key')
+                .send({
+                approval_token: token,
+                approved: false,
+                approver_id: 'admin-001',
+                reason: 'Not authorized',
+            });
+            expect(denyRes.status).toBe(200);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /v1/tasks/:task_id/trace
+    // -------------------------------------------------------------------------
+    describe('GET /v1/tasks/:task_id/trace', () => {
+        it('should return events for a task after execution', async () => {
+            const taskId = 'task-trace-test';
+            await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({ task_id: taskId }));
+            const res = await (0, supertest_1.default)(app)
+                .get(`/v1/tasks/${taskId}/trace`)
+                .set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.body.task_id).toBe(taskId);
+            expect(res.body.events).toBeInstanceOf(Array);
+            expect(res.body.events.length).toBeGreaterThan(0);
+            // Should include at least TOOL_CALL_RECEIVED and POLICY_DECIDED
+            const eventTypes = res.body.events.map((e) => e.event_type);
+            expect(eventTypes).toContain('TOOL_CALL_RECEIVED');
+            expect(eventTypes).toContain('POLICY_DECIDED');
+        });
+        it('should return empty events for unknown task', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/v1/tasks/nonexistent-task/trace')
+                .set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.body.events).toEqual([]);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /v1/policies/current
+    // -------------------------------------------------------------------------
+    describe('GET /v1/policies/current', () => {
+        it('should return the current policy pack', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/v1/policies/current')
+                .set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.body.name).toBe('dev_fast');
+            expect(res.body.version).toBe('1.0.0');
+            expect(res.body.rules).toBeInstanceOf(Array);
+            expect(res.body.rules.length).toBeGreaterThan(0);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /v1/policies/validate
+    // -------------------------------------------------------------------------
+    describe('POST /v1/policies/validate', () => {
+        it('should validate a valid policy pack', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/policies/validate')
+                .set('X-API-Key', 'test-key')
+                .send({
+                name: 'test-pack',
+                version: '1.0.0',
+                rules: [
+                    { name: 'allow-all', effect: 'ALLOW', conditions: {} },
+                ],
+            });
+            expect(res.status).toBe(200);
+            expect(res.body.valid).toBe(true);
+            expect(res.body.errors).toHaveLength(0);
+        });
+        it('should reject an invalid policy pack', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/policies/validate')
+                .set('X-API-Key', 'test-key')
+                .send({
+                name: '',
+                rules: 'not-an-array',
+            });
+            expect(res.status).toBe(200);
+            expect(res.body.valid).toBe(false);
+            expect(res.body.errors.length).toBeGreaterThan(0);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /v1/approvals/pending
+    // -------------------------------------------------------------------------
+    describe('GET /v1/approvals/pending', () => {
+        it('should list pending approvals after triggering them', async () => {
+            // Trigger an approval
+            await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool: { name: 'http.request', capability: 'delete' },
+                args: { method: 'DELETE', url: `http://127.0.0.1:${testServerPort}/api/data` },
+            }));
+            const res = await (0, supertest_1.default)(app)
+                .get('/v1/approvals/pending')
+                .set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.body.approvals).toBeInstanceOf(Array);
+            expect(res.body.approvals.length).toBeGreaterThan(0);
+            expect(res.body.approvals[0]).toHaveProperty('approval_id');
+            expect(res.body.approvals[0]).toHaveProperty('tool_name');
+            expect(res.body.approvals[0].status).toBe('pending');
+        });
+        it('should filter by workspace_id', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/v1/approvals/pending?workspace_id=nonexistent')
+                .set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.body.approvals).toEqual([]);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Full Pipeline
+    // -------------------------------------------------------------------------
+    describe('Full Pipeline', () => {
+        it('should process a complete read request end-to-end', async () => {
+            const taskId = `task-e2e-${Date.now()}`;
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({ task_id: taskId }));
+            // Verify response structure
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            // Policy
+            expect(res.body.policy.decision).toBe('allow');
+            // Budget
+            expect(res.body.budget.estimated_cost_usd).toBeGreaterThan(0);
+            expect(res.body.budget.remaining_cost_usd_task).toBeGreaterThan(0);
+            // Timing
+            expect(res.body.timing.started_at).toBeDefined();
+            expect(res.body.timing.duration_ms).toBeGreaterThanOrEqual(0);
+            // Output
+            expect(res.body.output).toBeDefined();
+            expect(res.body.output.http_status).toBe(200);
+            // Verify audit trace was created
+            const traceRes = await (0, supertest_1.default)(app)
+                .get(`/v1/tasks/${taskId}/trace`)
+                .set('X-API-Key', 'test-key');
+            expect(traceRes.body.events.length).toBeGreaterThanOrEqual(4);
+            const types = traceRes.body.events.map((e) => e.event_type);
+            expect(types).toContain('TOOL_CALL_RECEIVED');
+            expect(types).toContain('POLICY_DECIDED');
+            expect(types).toContain('TOOL_EXECUTED');
+            expect(types).toContain('TOOL_RESULT_RETURNED');
+        });
+        it('should handle a write + approve + verify trace flow', async () => {
+            const taskId = `task-approve-flow-${Date.now()}`;
+            // Step 1: Execute a delete operation (requires approval)
+            const execRes = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                task_id: taskId,
+                tool: { name: 'http.request', capability: 'delete' },
+                args: { method: 'DELETE', url: `http://127.0.0.1:${testServerPort}/api/data` },
+            }));
+            expect(execRes.body.status).toBe('needs_approval');
+            // Step 2: Approve (using a different key to avoid self-approval rejection)
+            const token = execRes.body.approval.token;
+            const approveRes = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .set('X-API-Key', 'approver-key')
+                .send({ approval_token: token, approved: true, approver_id: 'admin' });
+            expect(approveRes.body.success).toBe(true);
+            // Step 3: Verify trace includes approval events
+            const traceRes = await (0, supertest_1.default)(app)
+                .get(`/v1/tasks/${taskId}/trace`)
+                .set('X-API-Key', 'test-key');
+            const types = traceRes.body.events.map((e) => e.event_type);
+            expect(types).toContain('TOOL_CALL_RECEIVED');
+            expect(types).toContain('POLICY_DECIDED');
+            expect(types).toContain('APPROVAL_REQUESTED');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Auth disabled mode
+    // -------------------------------------------------------------------------
+    describe('Auth disabled mode', () => {
+        it('should work without API key when auth is disabled', async () => {
+            const config = createTestConfig({
+                auth: { enabled: false, api_keys: {} },
+            });
+            const { app: noAuthApp, gateway: noAuthGateway } = (0, app_1.createApp)(config);
+            noAuthGateway.getHttpExecutor().ssrfProtectionEnabled = false;
+            const res = await (0, supertest_1.default)(noAuthApp)
+                .post('/v1/tool/execute')
+                .send(buildToolCall());
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            noAuthGateway.shutdown();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // RBAC Enforcement through HTTP
+    // -------------------------------------------------------------------------
+    describe('RBAC enforcement through HTTP', () => {
+        let rbacApp;
+        let rbacGateway;
+        beforeEach(() => {
+            const config = createTestConfig({
+                auth: {
+                    enabled: true,
+                    api_keys: {
+                        'admin-key': {
+                            workspace_id: 'ws_test',
+                            description: 'Admin key',
+                            roles: ['admin'],
+                        },
+                        'readonly-key': {
+                            workspace_id: 'ws_test',
+                            description: 'Readonly key',
+                            roles: ['readonly'],
+                        },
+                        'agent-key': {
+                            workspace_id: 'ws_test',
+                            description: 'Agent key',
+                            roles: ['agent'],
+                        },
+                    },
+                    rbac: {
+                        enabled: true,
+                        roles: {
+                            admin: {
+                                permissions: ['admin:full'],
+                            },
+                            readonly: {
+                                permissions: ['policy:read', 'trace:read'],
+                            },
+                            agent: {
+                                permissions: ['tool:execute', 'trace:read'],
+                            },
+                        },
+                        default_role: 'readonly',
+                    },
+                },
+            });
+            const result = (0, app_1.createApp)(config);
+            rbacApp = result.app;
+            rbacGateway = result.gateway;
+            rbacGateway.getHttpExecutor().ssrfProtectionEnabled = false;
+        });
+        afterEach(() => {
+            rbacGateway.shutdown();
+        });
+        it('should allow admin key to read policies', async () => {
+            const res = await (0, supertest_1.default)(rbacApp)
+                .get('/v1/policies/current')
+                .set('X-API-Key', 'admin-key');
+            expect(res.status).toBe(200);
+            expect(res.body.name).toBe('dev_fast');
+        });
+        it('should allow admin key to execute tools', async () => {
+            const res = await (0, supertest_1.default)(rbacApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'admin-key')
+                .send(buildToolCall());
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+        });
+        it('should allow admin key to validate policies', async () => {
+            const res = await (0, supertest_1.default)(rbacApp)
+                .post('/v1/policies/validate')
+                .set('X-API-Key', 'admin-key')
+                .send({
+                name: 'test-pack',
+                version: '1.0.0',
+                rules: [{ name: 'allow-all', effect: 'ALLOW', conditions: {} }],
+            });
+            expect(res.status).toBe(200);
+            expect(res.body.valid).toBe(true);
+        });
+        it('should deny readonly key from executing tools', async () => {
+            const res = await (0, supertest_1.default)(rbacApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'readonly-key')
+                .send(buildToolCall());
+            expect(res.status).toBe(403);
+            expect(res.body.error).toContain('Insufficient permissions');
+            expect(res.body.error).toContain('tool:execute');
+        });
+        it('should allow readonly key to read policies', async () => {
+            const res = await (0, supertest_1.default)(rbacApp)
+                .get('/v1/policies/current')
+                .set('X-API-Key', 'readonly-key');
+            expect(res.status).toBe(200);
+            expect(res.body.name).toBe('dev_fast');
+        });
+        it('should deny readonly key from managing approvals', async () => {
+            const res = await (0, supertest_1.default)(rbacApp)
+                .get('/v1/approvals/pending')
+                .set('X-API-Key', 'readonly-key');
+            expect(res.status).toBe(403);
+            expect(res.body.error).toContain('Insufficient permissions');
+        });
+        it('should allow agent key to execute tools', async () => {
+            const res = await (0, supertest_1.default)(rbacApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'agent-key')
+                .send(buildToolCall());
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+        });
+        it('should deny agent key from writing policies', async () => {
+            const res = await (0, supertest_1.default)(rbacApp)
+                .post('/v1/policies/validate')
+                .set('X-API-Key', 'agent-key')
+                .send({
+                name: 'test-pack',
+                version: '1.0.0',
+                rules: [{ name: 'allow-all', effect: 'ALLOW', conditions: {} }],
+            });
+            expect(res.status).toBe(403);
+            expect(res.body.error).toContain('Insufficient permissions');
+            expect(res.body.error).toContain('policy:write');
+        });
+        it('should allow agent key to read traces', async () => {
+            const res = await (0, supertest_1.default)(rbacApp)
+                .get('/v1/tasks/some-task/trace')
+                .set('X-API-Key', 'agent-key');
+            expect(res.status).toBe(200);
+            expect(res.body.task_id).toBe('some-task');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // OPA Fallback Chain
+    // -------------------------------------------------------------------------
+    describe('OPA fallback chain', () => {
+        let opaApp;
+        let opaGateway;
+        beforeEach(() => {
+            const config = createTestConfig({
+                policy: {
+                    pack_path: './policy-packs/dev_fast.yaml',
+                    default_effect: 'DENY',
+                    hot_reload: false,
+                    opa: {
+                        enabled: true,
+                        server_url: 'http://127.0.0.1:19999', // unreachable port
+                        policy_path: 'v1/data/palaryn/policy',
+                        timeout_ms: 500,
+                        fallback_decision: 'deny',
+                    },
+                },
+            });
+            const result = (0, app_1.createApp)(config);
+            opaApp = result.app;
+            opaGateway = result.gateway;
+            opaGateway.getHttpExecutor().ssrfProtectionEnabled = false;
+        });
+        afterEach(() => {
+            opaGateway.shutdown();
+        });
+        it('should fall back to YAML policy when OPA is unreachable and allow read operations', async () => {
+            const res = await (0, supertest_1.default)(opaApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall());
+            // dev_fast.yaml allows read operations
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            expect(res.body.policy.decision).toBe('allow');
+        });
+        it('should fall back to YAML policy when OPA is unreachable and allow write operations', async () => {
+            const res = await (0, supertest_1.default)(opaApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool: { name: 'http.request', capability: 'write' },
+                args: {
+                    method: 'POST',
+                    url: `http://127.0.0.1:${testServerPort}/api/create`,
+                    body: { key: 'value' },
+                },
+            }));
+            // dev_fast.yaml allows write operations
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+            expect(res.body.policy.decision).toBe('allow');
+        });
+        it('should fall back to YAML policy when OPA is unreachable and require approval for delete', async () => {
+            const res = await (0, supertest_1.default)(opaApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool: { name: 'http.request', capability: 'delete' },
+                args: { method: 'DELETE', url: `http://127.0.0.1:${testServerPort}/api/data` },
+            }));
+            // dev_fast.yaml requires approval for delete operations
+            expect(res.status).toBe(202);
+            expect(res.body.status).toBe('needs_approval');
+            expect(res.body.approval).toBeDefined();
+            expect(res.body.approval.token).toBeDefined();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Anomaly Blocking
+    // -------------------------------------------------------------------------
+    describe('Anomaly blocking', () => {
+        let anomalyApp;
+        let anomalyGateway;
+        beforeEach(() => {
+            const config = createTestConfig({
+                anomaly: {
+                    enabled: true,
+                    action: 'block',
+                    window_ms: 60000,
+                    z_score_threshold: 3,
+                    min_samples: 5,
+                },
+            });
+            const result = (0, app_1.createApp)(config);
+            anomalyApp = result.app;
+            anomalyGateway = result.gateway;
+            anomalyGateway.getHttpExecutor().ssrfProtectionEnabled = false;
+        });
+        afterEach(() => {
+            anomalyGateway.shutdown();
+        });
+        it('should block when capability escalation to admin is detected', async () => {
+            const actorId = `anomaly-actor-${Date.now()}`;
+            // First request with 'read' capability - establishes baseline capability
+            const res1 = await (0, supertest_1.default)(anomalyApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                actor: { type: 'agent', id: actorId, display: 'Anomaly Test Agent' },
+                tool: { name: 'http.request', capability: 'read' },
+            }));
+            expect(res1.status).toBe(200);
+            expect(res1.body.status).toBe('ok');
+            // Second request with 'admin' capability - triggers capability escalation
+            // with high severity (read -> admin is a jump from level 0 to level 3)
+            const res2 = await (0, supertest_1.default)(anomalyApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                actor: { type: 'agent', id: actorId, display: 'Anomaly Test Agent' },
+                tool: { name: 'http.request', capability: 'admin' },
+                args: { method: 'GET', url: `http://127.0.0.1:${testServerPort}/api/data` },
+            }));
+            // Anomaly detector should block before policy eval due to high severity
+            expect(res2.status).toBe(403);
+            expect(res2.body.status).toBe('blocked');
+            expect(res2.body.policy.rule_id).toBe('anomaly_detection');
+            expect(res2.body.policy.reasons).toEqual(expect.arrayContaining([expect.stringContaining('capability_escalation')]));
+        });
+        it('should not block when action is log instead of block', async () => {
+            // Create a separate app with action: 'log'
+            const logConfig = createTestConfig({
+                anomaly: {
+                    enabled: true,
+                    action: 'log',
+                    window_ms: 60000,
+                    z_score_threshold: 3,
+                    min_samples: 5,
+                },
+            });
+            const { app: logApp, gateway: logGateway } = (0, app_1.createApp)(logConfig);
+            logGateway.getHttpExecutor().ssrfProtectionEnabled = false;
+            const actorId = `log-actor-${Date.now()}`;
+            // First request establishes baseline
+            await (0, supertest_1.default)(logApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                actor: { type: 'agent', id: actorId, display: 'Log Test Agent' },
+                tool: { name: 'http.request', capability: 'read' },
+            }));
+            // Second request with escalation - should NOT block since action is 'log'
+            // (admin capability still requires approval per dev_fast.yaml policy)
+            const res2 = await (0, supertest_1.default)(logApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                actor: { type: 'agent', id: actorId, display: 'Log Test Agent' },
+                tool: { name: 'http.request', capability: 'admin' },
+                args: { method: 'GET', url: `http://127.0.0.1:${testServerPort}/api/data` },
+            }));
+            // Should reach policy engine (not blocked by anomaly), but policy requires approval for admin
+            expect(res2.status).toBe(202);
+            expect(res2.body.status).toBe('needs_approval');
+            logGateway.shutdown();
+        });
+        it('should allow first request from an actor without anomaly blocking', async () => {
+            const actorId = `fresh-actor-${Date.now()}`;
+            const res = await (0, supertest_1.default)(anomalyApp)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                actor: { type: 'agent', id: actorId, display: 'Fresh Agent' },
+                tool: { name: 'http.request', capability: 'read' },
+            }));
+            // First request should not trigger any anomaly
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Admin Form Submissions
+    // -------------------------------------------------------------------------
+    describe('Admin form submissions', () => {
+        it('should return HTML for GET /admin', async () => {
+            const res = await (0, supertest_1.default)(app).get('/admin').set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.headers['content-type']).toMatch(/text\/html/);
+            expect(res.text).toContain('Palaryn');
+        });
+        it('should return HTML for GET /admin/approvals', async () => {
+            const res = await (0, supertest_1.default)(app).get('/admin/approvals').set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.headers['content-type']).toMatch(/text\/html/);
+        });
+        it('should redirect on POST /admin/approvals/:id/approve for valid approval', async () => {
+            // First create a pending approval via the API
+            const execRes = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool: { name: 'http.request', capability: 'delete' },
+                args: { method: 'DELETE', url: `http://127.0.0.1:${testServerPort}/api/data` },
+            }));
+            expect(execRes.body.status).toBe('needs_approval');
+            const approvalId = execRes.body.approval.approval_id;
+            // GET the approvals page to obtain a CSRF token
+            const getRes = await (0, supertest_1.default)(app).get('/admin/approvals').set('X-API-Key', 'test-key');
+            const csrfToken = extractCSRFToken(getRes.text);
+            // POST to approve via admin form
+            const res = await (0, supertest_1.default)(app)
+                .post(`/admin/approvals/${approvalId}/approve`)
+                .set('X-API-Key', 'test-key')
+                .type('form')
+                .send({ _csrf: csrfToken });
+            expect(res.status).toBe(302);
+            expect(res.headers['location']).toBe('/admin/approvals');
+        });
+        it('should redirect on POST /admin/approvals/:id/deny for valid approval', async () => {
+            // Create a pending approval
+            const execRes = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool: { name: 'http.request', capability: 'delete' },
+                args: { method: 'DELETE', url: `http://127.0.0.1:${testServerPort}/api/data` },
+            }));
+            expect(execRes.body.status).toBe('needs_approval');
+            const approvalId = execRes.body.approval.approval_id;
+            // GET the approvals page to obtain a CSRF token
+            const getRes = await (0, supertest_1.default)(app).get('/admin/approvals').set('X-API-Key', 'test-key');
+            const csrfToken = extractCSRFToken(getRes.text);
+            const res = await (0, supertest_1.default)(app)
+                .post(`/admin/approvals/${approvalId}/deny`)
+                .set('X-API-Key', 'test-key')
+                .type('form')
+                .send({ _csrf: csrfToken });
+            expect(res.status).toBe(302);
+            expect(res.headers['location']).toBe('/admin/approvals');
+        });
+        it('should redirect on POST /admin/approvals/:id/approve for nonexistent approval', async () => {
+            // Create a real approval so the page renders forms with CSRF tokens
+            await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool: { name: 'http.request', capability: 'delete' },
+                args: { method: 'DELETE', url: `http://127.0.0.1:${testServerPort}/api/data` },
+            }));
+            const getRes = await (0, supertest_1.default)(app).get('/admin/approvals').set('X-API-Key', 'test-key');
+            const csrfToken = extractCSRFToken(getRes.text);
+            const res = await (0, supertest_1.default)(app)
+                .post('/admin/approvals/nonexistent-id/approve')
+                .set('X-API-Key', 'test-key')
+                .type('form')
+                .send({ _csrf: csrfToken });
+            // Still redirects even if approval not found (graceful handling)
+            expect(res.status).toBe(302);
+            expect(res.headers['location']).toBe('/admin/approvals');
+        });
+        it('should return validation result on POST /admin/policies/validate with valid policy', async () => {
+            const getRes = await (0, supertest_1.default)(app).get('/admin/policies').set('X-API-Key', 'test-key');
+            const csrfToken = extractCSRFToken(getRes.text);
+            const validPolicy = JSON.stringify({
+                name: 'test-pack',
+                version: '1.0.0',
+                rules: [{ name: 'allow-all', effect: 'ALLOW', conditions: {} }],
+            });
+            const res = await (0, supertest_1.default)(app)
+                .post('/admin/policies/validate')
+                .set('X-API-Key', 'test-key')
+                .type('form')
+                .send({ _csrf: csrfToken, policy_json: validPolicy });
+            expect(res.status).toBe(200);
+            expect(res.headers['content-type']).toMatch(/text\/html/);
+            // The response HTML should indicate the policy is valid
+            expect(res.text).toMatch(/valid/i);
+        });
+        it('should return validation errors on POST /admin/policies/validate with invalid JSON', async () => {
+            const getRes = await (0, supertest_1.default)(app).get('/admin/policies').set('X-API-Key', 'test-key');
+            const csrfToken = extractCSRFToken(getRes.text);
+            const res = await (0, supertest_1.default)(app)
+                .post('/admin/policies/validate')
+                .set('X-API-Key', 'test-key')
+                .type('form')
+                .send({ _csrf: csrfToken, policy_json: 'not valid json{{{' });
+            expect(res.status).toBe(200);
+            expect(res.headers['content-type']).toMatch(/text\/html/);
+            // The response should contain an error indication
+            expect(res.text).toMatch(/error|invalid/i);
+        });
+        it('should create an API key on POST /admin/api-keys and redirect', async () => {
+            const getRes = await (0, supertest_1.default)(app).get('/admin/api-keys').set('X-API-Key', 'test-key');
+            const csrfToken = extractCSRFToken(getRes.text);
+            const res = await (0, supertest_1.default)(app)
+                .post('/admin/api-keys')
+                .set('X-API-Key', 'test-key')
+                .type('form')
+                .send({ _csrf: csrfToken, workspace_id: 'ws_new', description: 'Integration test key' });
+            expect(res.status).toBe(302);
+            expect(res.headers['location']).toMatch(/^\/admin\/api-keys\?created=key-/);
+        });
+        it('should list API keys on GET /admin/api-keys including the default test key', async () => {
+            const res = await (0, supertest_1.default)(app).get('/admin/api-keys').set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.headers['content-type']).toMatch(/text\/html/);
+            expect(res.text).toContain('test-key');
+        });
+        it('should return HTML for GET /admin/policies', async () => {
+            const res = await (0, supertest_1.default)(app).get('/admin/policies').set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.headers['content-type']).toMatch(/text\/html/);
+            expect(res.text).toContain('dev_fast');
+        });
+        it('should return HTML for GET /admin/budgets', async () => {
+            const res = await (0, supertest_1.default)(app).get('/admin/budgets').set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.headers['content-type']).toMatch(/text\/html/);
+        });
+        it('should return HTML for GET /admin/traces', async () => {
+            const res = await (0, supertest_1.default)(app).get('/admin/traces').set('X-API-Key', 'test-key');
+            expect(res.status).toBe(200);
+            expect(res.headers['content-type']).toMatch(/text\/html/);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // Public Endpoint Rate Limiting
+    // -------------------------------------------------------------------------
+    describe('Public endpoint rate limiting', () => {
+        let rateLimitedApp;
+        let rateLimitedGateway;
+        beforeEach(() => {
+            const config = createTestConfig({
+                public_rate_limit: {
+                    max_per_window: 3,
+                    window_ms: 60000,
+                },
+            });
+            const result = (0, app_1.createApp)(config);
+            rateLimitedApp = result.app;
+            rateLimitedGateway = result.gateway;
+            rateLimitedGateway.getHttpExecutor().ssrfProtectionEnabled = false;
+        });
+        afterEach(() => {
+            rateLimitedGateway.shutdown();
+        });
+        it('should return 429 on /health after exceeding the public rate limit', async () => {
+            // Send requests up to the limit (3)
+            for (let i = 0; i < 3; i++) {
+                const res = await (0, supertest_1.default)(rateLimitedApp).get('/health');
+                expect(res.status).toBe(200);
+            }
+            // The 4th request should be rate limited
+            const res = await (0, supertest_1.default)(rateLimitedApp).get('/health');
+            expect(res.status).toBe(429);
+            expect(res.body.error).toBe('Too many requests');
+            expect(res.body.error_code).toBe('RATE_LIMIT_EXCEEDED');
+            expect(res.body.details.retry_after_ms).toBeDefined();
+            expect(res.body.details.retry_after_ms).toBeGreaterThan(0);
+        });
+        it('should return 429 on /metrics after exceeding the public rate limit', async () => {
+            // Send requests up to the limit (3)
+            for (let i = 0; i < 3; i++) {
+                const res = await (0, supertest_1.default)(rateLimitedApp).get('/metrics');
+                expect(res.status).toBe(200);
+            }
+            // The 4th request should be rate limited
+            const res = await (0, supertest_1.default)(rateLimitedApp).get('/metrics');
+            expect(res.status).toBe(429);
+            expect(res.body.error).toBe('Too many requests');
+            expect(res.body.details.retry_after_ms).toBeDefined();
+        });
+        it('should share the rate limit window across /health and /metrics for the same IP', async () => {
+            // Use 2 requests on /health
+            await (0, supertest_1.default)(rateLimitedApp).get('/health');
+            await (0, supertest_1.default)(rateLimitedApp).get('/health');
+            // Use 1 request on /metrics (3rd total)
+            const metricsRes = await (0, supertest_1.default)(rateLimitedApp).get('/metrics');
+            expect(metricsRes.status).toBe(200);
+            // 4th request on either endpoint should be blocked
+            const blockedHealth = await (0, supertest_1.default)(rateLimitedApp).get('/health');
+            expect(blockedHealth.status).toBe(429);
+            const blockedMetrics = await (0, supertest_1.default)(rateLimitedApp).get('/metrics');
+            expect(blockedMetrics.status).toBe(429);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // S3: Error messages never leak internal details
+    // -------------------------------------------------------------------------
+    describe('S3: Error message redaction', () => {
+        it('should return generic error on tool-execute failure, not raw error message', async () => {
+            // Send a tool call targeting a host that will fail (connection refused)
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/execute')
+                .set('X-API-Key', 'test-key')
+                .send(buildToolCall({
+                tool_call_id: `tc-s3-${Date.now()}`,
+                args: { method: 'GET', url: 'http://127.0.0.1:1/will-fail' },
+            }));
+            // The response should not contain raw error messages like "ECONNREFUSED"
+            // or stack traces. The gateway returns a ToolResult with a sanitized error field.
+            const body = JSON.stringify(res.body);
+            expect(body).not.toContain('ECONNREFUSED');
+            expect(body).not.toContain('stack');
+            expect(body).not.toContain('node_modules');
+            // The error field should be a generic message, not the raw error
+            expect(res.body.error).toBe('Tool execution failed');
+        });
+        it('should return generic error on approve endpoint failure', async () => {
+            // Send an invalid approval token
+            const res = await (0, supertest_1.default)(app)
+                .post('/v1/tool/approve')
+                .set('X-API-Key', 'test-key')
+                .send({ token: 'invalid-jwt-token', approved: true, approver_id: 'admin' });
+            // Should not leak JWT verification internals
+            const body = JSON.stringify(res.body);
+            expect(body).not.toContain('JsonWebTokenError');
+            expect(body).not.toContain('jwt malformed');
+            expect(body).not.toContain('stack');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // A4: Health check returns 503 when unhealthy
+    // -------------------------------------------------------------------------
+    describe('A4: Health check HTTP status', () => {
+        it('should return 200 when all health checks are ok', async () => {
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('ok');
+        });
+        it('should return 503 when a health check reports unhealthy', async () => {
+            // Inject an unhealthy check into the shared healthChecks array
+            healthChecks.push({
+                name: 'test-db',
+                check: async () => ({ status: 'unhealthy', message: 'connection refused' }),
+            });
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(503);
+            expect(res.body.status).toBe('unhealthy');
+        });
+        it('should return 200 when health checks are degraded but not unhealthy', async () => {
+            healthChecks.push({
+                name: 'test-cache',
+                check: async () => ({ status: 'degraded', message: 'slow response' }),
+            });
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(200);
+            expect(res.body.status).toBe('degraded');
+        });
+        it('should return 503 when a health check throws an exception', async () => {
+            healthChecks.push({
+                name: 'test-failing',
+                check: async () => { throw new Error('connection timeout'); },
+            });
+            const res = await (0, supertest_1.default)(app).get('/health');
+            expect(res.status).toBe(503);
+            expect(res.body.status).toBe('unhealthy');
+        });
+    });
+});
+//# sourceMappingURL=api.test.js.map