palaryn 0.1.0

package/dist/tests/unit/saas-routes.test.js

@@ -0,0 +1,1399 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const supertest_1 = __importDefault(require("supertest"));
+const app_1 = require("../../src/server/app");
+const defaults_1 = require("../../src/config/defaults");
+// ---------------------------------------------------------------------------
+// Setup
+// ---------------------------------------------------------------------------
+let app;
+let saasStores;
+let gateway;
+const now = new Date().toISOString();
+function createTestConfig() {
+    return {
+        ...defaults_1.DEFAULT_CONFIG,
+        port: 0,
+        host: '127.0.0.1',
+        auth: {
+            ...defaults_1.DEFAULT_CONFIG.auth,
+            enabled: true,
+            api_keys: {},
+            rbac: {
+                enabled: false,
+                roles: {},
+            },
+        },
+        policy: {
+            pack_path: './policy-packs/dev_fast.yaml',
+            default_effect: 'DENY',
+            hot_reload: false,
+        },
+        audit: {
+            enabled: true,
+            log_dir: '',
+            console_output: false,
+            retention_days: 30,
+        },
+        rate_limit: {
+            enabled: false,
+            actor_max_per_window: 100,
+            workspace_max_per_window: 500,
+            window_ms: 60000,
+        },
+        oauth: {
+            enabled: true,
+            session_secret: 'test-session-secret-for-saas',
+            session_ttl_seconds: 3600,
+        },
+    };
+}
+beforeAll(() => {
+    const config = createTestConfig();
+    const result = (0, app_1.createApp)(config);
+    app = result.app;
+    saasStores = result.saasStores;
+    gateway = result.gateway;
+});
+beforeEach(() => {
+    // Seed fresh user, session, workspace, and membership before each test
+    saasStores.userStore.create({
+        id: 'u1',
+        email: 'test@test.com',
+        display_name: 'Test User',
+        avatar_url: 'https://img.example.com/avatar.png',
+        status: 'active',
+        onboarding_completed: false,
+        created_at: now,
+        updated_at: now,
+    });
+    saasStores.sessionStore.create({
+        id: 'sess1',
+        user_id: 'u1',
+        expires_at: new Date(Date.now() + 3600000).toISOString(),
+        last_active_at: now,
+        created_at: now,
+    });
+});
+afterEach(() => {
+    // Clean up all stores between tests to prevent cross-contamination
+    // We need to delete known items since in-memory stores don't have a clear method
+    saasStores.userStore.delete('u1');
+    saasStores.userStore.delete('u2');
+    saasStores.sessionStore.delete('sess1');
+    saasStores.sessionStore.delete('sess2');
+    // Clean up any workspaces/members/keys created during tests
+    const allWorkspaces = saasStores.workspaceStore.list();
+    for (const ws of allWorkspaces) {
+        const members = saasStores.workspaceMemberStore.getByWorkspace(ws.id);
+        for (const m of members) {
+            saasStores.workspaceMemberStore.delete(m.id);
+        }
+        const keys = saasStores.userApiKeyStore.getByWorkspace(ws.id);
+        for (const k of keys) {
+            saasStores.userApiKeyStore.delete(k.id);
+        }
+        saasStores.workspaceStore.delete(ws.id);
+    }
+});
+// ===========================================================================
+// Tests
+// ===========================================================================
+describe('SaaS Routes', () => {
+    // -------------------------------------------------------------------------
+    // Authentication
+    // -------------------------------------------------------------------------
+    describe('401 without session cookie', () => {
+        it('returns 401 for GET /api/v1/user/profile without session', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/user/profile')
+                .expect(401);
+            expect(res.body.error).toBeDefined();
+        });
+        it('returns 401 for GET /api/v1/workspaces without session', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces')
+                .expect(401);
+            expect(res.body.error).toBeDefined();
+        });
+        it('returns 401 for POST /api/v1/workspaces without session', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces')
+                .send({ name: 'Test' })
+                .expect(401);
+            expect(res.body.error).toBeDefined();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/v1/user/profile
+    // -------------------------------------------------------------------------
+    describe('GET /api/v1/user/profile', () => {
+        it('returns user profile with session cookie', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/user/profile')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.id).toBe('u1');
+            expect(res.body.email).toBe('test@test.com');
+            expect(res.body.display_name).toBe('Test User');
+            expect(res.body.avatar_url).toBe('https://img.example.com/avatar.png');
+            expect(res.body.status).toBe('active');
+            expect(res.body.onboarding_completed).toBe(false);
+            expect(res.body.created_at).toBe(now);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // PUT /api/v1/user/profile
+    // -------------------------------------------------------------------------
+    describe('PUT /api/v1/user/profile', () => {
+        it('updates display_name', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/user/profile')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ display_name: 'Alice Updated' })
+                .expect(200);
+            expect(res.body.display_name).toBe('Alice Updated');
+            // Verify it was persisted
+            const user = saasStores.userStore.getById('u1');
+            expect(user?.display_name).toBe('Alice Updated');
+        });
+        it('returns 400 when display_name is missing', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/user/profile')
+                .set('Cookie', 'pn_session=sess1')
+                .send({})
+                .expect(400);
+            expect(res.body.error).toContain('display_name');
+        });
+        it('returns 400 when display_name is empty string', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/user/profile')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ display_name: '   ' })
+                .expect(400);
+            expect(res.body.error).toContain('display_name');
+        });
+        it('returns 400 when display_name exceeds 100 characters', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/user/profile')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ display_name: 'x'.repeat(101) })
+                .expect(400);
+            expect(res.body.error).toContain('100 characters');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // PUT /api/v1/user/onboarding
+    // -------------------------------------------------------------------------
+    describe('PUT /api/v1/user/onboarding', () => {
+        it('marks onboarding as complete', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/user/onboarding')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.onboarding_completed).toBe(true);
+            // Verify persisted
+            const user = saasStores.userStore.getById('u1');
+            expect(user?.onboarding_completed).toBe(true);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/v1/workspaces
+    // -------------------------------------------------------------------------
+    describe('GET /api/v1/workspaces', () => {
+        it('returns user workspaces', async () => {
+            // Create a workspace and membership
+            saasStores.workspaceStore.create({
+                id: 'ws-test-1',
+                name: 'Test Workspace',
+                slug: 'test-workspace',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-test-1',
+                workspace_id: 'ws-test-1',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.workspaces).toHaveLength(1);
+            expect(res.body.workspaces[0].id).toBe('ws-test-1');
+            expect(res.body.workspaces[0].name).toBe('Test Workspace');
+            expect(res.body.workspaces[0].role).toBe('owner');
+        });
+        it('returns empty workspaces when user has no memberships', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.workspaces).toEqual([]);
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /api/v1/workspaces
+    // -------------------------------------------------------------------------
+    describe('POST /api/v1/workspaces', () => {
+        it('creates a workspace and membership', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'New Workspace' })
+                .expect(201);
+            expect(res.body.name).toBe('New Workspace');
+            expect(res.body.slug).toBe('new-workspace');
+            expect(res.body.owner_user_id).toBe('u1');
+            expect(res.body.plan).toBe('free');
+            expect(res.body.id).toBeDefined();
+            // Verify membership was created
+            const members = saasStores.workspaceMemberStore.getByWorkspace(res.body.id);
+            expect(members).toHaveLength(1);
+            expect(members[0].user_id).toBe('u1');
+            expect(members[0].role).toBe('owner');
+        });
+        it('generates a slug from the name when slug is not provided', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'My Cool Project!' })
+                .expect(201);
+            expect(res.body.slug).toBe('my-cool-project-');
+        });
+        it('uses the provided slug', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Test', slug: 'custom-slug' })
+                .expect(201);
+            expect(res.body.slug).toBe('custom-slug');
+        });
+        it('returns 400 when name is missing', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces')
+                .set('Cookie', 'pn_session=sess1')
+                .send({})
+                .expect(400);
+            expect(res.body.error).toContain('name');
+        });
+        it('returns 409 when slug is already taken', async () => {
+            // Create first workspace
+            saasStores.workspaceStore.create({
+                id: 'ws-existing',
+                name: 'Existing',
+                slug: 'existing-slug',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'New', slug: 'existing-slug' })
+                .expect(409);
+            expect(res.body.error).toContain('slug');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/v1/workspaces/:id
+    // -------------------------------------------------------------------------
+    describe('GET /api/v1/workspaces/:id', () => {
+        it('returns workspace details for a member', async () => {
+            saasStores.workspaceStore.create({
+                id: 'ws-detail-1',
+                name: 'Detail Workspace',
+                slug: 'detail-ws',
+                owner_user_id: 'u1',
+                plan: 'pro',
+                settings: { feature_x: true },
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-detail-1',
+                workspace_id: 'ws-detail-1',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-detail-1')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.id).toBe('ws-detail-1');
+            expect(res.body.name).toBe('Detail Workspace');
+            expect(res.body.plan).toBe('pro');
+            expect(res.body.role).toBe('owner');
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceStore.create({
+                id: 'ws-private',
+                name: 'Private Workspace',
+                slug: 'private-ws',
+                owner_user_id: 'u2',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-private')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+        it('returns 404 when workspace does not exist but user has no membership', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-nonexistent')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            // The route checks membership first, so it returns 403 not 404
+            expect(res.body.error).toBeDefined();
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /api/v1/workspaces/:id/api-keys
+    // -------------------------------------------------------------------------
+    describe('POST /api/v1/workspaces/:id/api-keys', () => {
+        beforeEach(() => {
+            saasStores.workspaceStore.create({
+                id: 'ws-keys',
+                name: 'Keys Workspace',
+                slug: 'keys-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-keys',
+                workspace_id: 'ws-keys',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('creates an API key and returns the plaintext key', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-keys/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Production Key', roles: ['agent'] })
+                .expect(201);
+            expect(res.body.id).toBeDefined();
+            expect(res.body.key).toBeDefined();
+            expect(res.body.key).toMatch(/^pn_[0-9a-f]{64}$/);
+            expect(res.body.key_prefix).toBeDefined();
+            expect(res.body.key_prefix.startsWith('pn_')).toBe(true);
+            expect(res.body.name).toBe('Production Key');
+            expect(res.body.roles).toEqual(['agent']);
+            expect(res.body.workspace_id).toBe('ws-keys');
+            expect(res.body.created_at).toBeDefined();
+        });
+        it('stores the key hash (not the plaintext) in the store', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-keys/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Stored Key' })
+                .expect(201);
+            const storedKey = saasStores.userApiKeyStore.getById(res.body.id);
+            expect(storedKey).toBeDefined();
+            expect(storedKey?.key_hash).toBeDefined();
+            // The hash should not equal the plaintext key
+            expect(storedKey?.key_hash).not.toBe(res.body.key);
+        });
+        it('defaults roles to [agent] when not provided', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-keys/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Default Roles Key' })
+                .expect(201);
+            expect(res.body.roles).toEqual(['agent']);
+        });
+        it('returns 400 when name is missing', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-keys/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .send({})
+                .expect(400);
+            expect(res.body.error).toContain('name');
+        });
+        it('returns 403 when user is not owner or admin', async () => {
+            // Add user as member (not owner/admin)
+            saasStores.workspaceMemberStore.delete('mem-keys');
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-keys-viewer',
+                workspace_id: 'ws-keys',
+                user_id: 'u1',
+                role: 'member',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-keys/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ name: 'Unauthorized Key' })
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/v1/workspaces/:id/api-keys
+    // -------------------------------------------------------------------------
+    describe('GET /api/v1/workspaces/:id/api-keys', () => {
+        beforeEach(() => {
+            saasStores.workspaceStore.create({
+                id: 'ws-list-keys',
+                name: 'List Keys Workspace',
+                slug: 'list-keys-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-list-keys',
+                workspace_id: 'ws-list-keys',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('lists keys without returning the key hash', async () => {
+            // Create some keys in the store directly
+            saasStores.userApiKeyStore.create({
+                id: 'k1',
+                key_hash: 'hash-secret-1',
+                key_prefix: 'pn_abc123',
+                user_id: 'u1',
+                workspace_id: 'ws-list-keys',
+                name: 'Key One',
+                roles: ['agent'],
+                tags: [],
+                revoked: false,
+                created_at: now,
+            });
+            saasStores.userApiKeyStore.create({
+                id: 'k2',
+                key_hash: 'hash-secret-2',
+                key_prefix: 'pn_def456',
+                user_id: 'u1',
+                workspace_id: 'ws-list-keys',
+                name: 'Key Two',
+                roles: ['admin'],
+                tags: [],
+                revoked: true,
+                created_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-list-keys/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.api_keys).toHaveLength(2);
+            // Verify no hash is returned
+            for (const key of res.body.api_keys) {
+                expect(key.key_hash).toBeUndefined();
+                expect(key.id).toBeDefined();
+                expect(key.key_prefix).toBeDefined();
+                expect(key.name).toBeDefined();
+                expect(key.roles).toBeDefined();
+                expect(key.revoked).toBeDefined();
+                expect(key.created_at).toBeDefined();
+            }
+        });
+        it('returns empty array when no keys exist', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-list-keys/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.api_keys).toEqual([]);
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-list-keys');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-list-keys/api-keys')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // DELETE /api/v1/workspaces/:id/api-keys/:keyId
+    // -------------------------------------------------------------------------
+    describe('DELETE /api/v1/workspaces/:id/api-keys/:keyId', () => {
+        beforeEach(() => {
+            saasStores.workspaceStore.create({
+                id: 'ws-del-keys',
+                name: 'Del Keys WS',
+                slug: 'del-keys-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-del-keys',
+                workspace_id: 'ws-del-keys',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+            saasStores.userApiKeyStore.create({
+                id: 'key-to-revoke',
+                key_hash: 'hash-revokable',
+                key_prefix: 'pn_rev123',
+                user_id: 'u1',
+                workspace_id: 'ws-del-keys',
+                name: 'Revokable Key',
+                roles: ['agent'],
+                tags: [],
+                revoked: false,
+                created_at: now,
+            });
+        });
+        it('revokes the API key', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-del-keys/api-keys/key-to-revoke')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('ok');
+            expect(res.body.id).toBe('key-to-revoke');
+            // Verify the key is now revoked
+            const key = saasStores.userApiKeyStore.getById('key-to-revoke');
+            expect(key?.revoked).toBe(true);
+        });
+        it('returns 404 when key does not exist', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-del-keys/api-keys/nonexistent-key')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(404);
+            expect(res.body.error).toContain('not found');
+        });
+        it('returns 404 when key belongs to a different workspace', async () => {
+            // Create key in a different workspace
+            saasStores.userApiKeyStore.create({
+                id: 'key-other-ws',
+                key_hash: 'hash-other',
+                key_prefix: 'pn_other',
+                user_id: 'u1',
+                workspace_id: 'ws-other',
+                name: 'Other WS Key',
+                roles: ['agent'],
+                tags: [],
+                revoked: false,
+                created_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-del-keys/api-keys/key-other-ws')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(404);
+            expect(res.body.error).toContain('not found');
+        });
+        it('returns 403 when user is not owner or admin', async () => {
+            saasStores.workspaceMemberStore.delete('mem-del-keys');
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-del-keys-member',
+                workspace_id: 'ws-del-keys',
+                user_id: 'u1',
+                role: 'viewer',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-del-keys/api-keys/key-to-revoke')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/v1/workspaces/:id/approvals
+    // -------------------------------------------------------------------------
+    describe('GET /api/v1/workspaces/:id/approvals', () => {
+        beforeEach(() => {
+            saasStores.workspaceStore.create({
+                id: 'ws-approvals',
+                name: 'Approvals Workspace',
+                slug: 'approvals-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-approvals',
+                workspace_id: 'ws-approvals',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('returns empty approvals when none exist', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-approvals/approvals')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.approvals).toEqual([]);
+        });
+        it('returns pending approvals for the workspace', async () => {
+            // Create a pending approval via the gateway
+            const toolCall = {
+                tool_call_id: 'tc-approval-1',
+                task_id: 'task-approval-1',
+                workspace_id: 'ws-approvals',
+                actor: { id: 'agent-1', type: 'agent' },
+                source: { platform: 'test' },
+                tool: { name: 'http.request', version: '1.0', capability: 'write' },
+                args: { method: 'DELETE', url: 'https://example.com/resource' },
+                timestamp: new Date().toISOString(),
+            };
+            const { approval } = gateway.getApprovalManager().createApproval(toolCall, 'admin', 'Destructive operation');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-approvals/approvals')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.approvals).toHaveLength(1);
+            expect(res.body.approvals[0].tool_name).toBe('http.request');
+            expect(res.body.approvals[0].reason).toBe('Destructive operation');
+            // Ensure JWT token is NOT exposed
+            expect(res.body.approvals[0].token).toBeUndefined();
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-approvals');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-approvals/approvals')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /api/v1/workspaces/:id/approvals/:approvalId/approve
+    // -------------------------------------------------------------------------
+    describe('POST /api/v1/workspaces/:id/approvals/:approvalId/approve', () => {
+        beforeEach(() => {
+            gateway.getApprovalManager().clear();
+            saasStores.workspaceStore.create({
+                id: 'ws-approve',
+                name: 'Approve Workspace',
+                slug: 'approve-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-approve',
+                workspace_id: 'ws-approve',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('approves a pending approval', async () => {
+            const toolCall = {
+                tool_call_id: 'tc-approve-2',
+                task_id: 'task-approve-2',
+                workspace_id: 'ws-approve',
+                actor: { id: 'agent-2', type: 'agent' },
+                source: { platform: 'test' },
+                tool: { name: 'http.request', version: '1.0', capability: 'write' },
+                args: { method: 'POST', url: 'https://example.com/create' },
+                timestamp: new Date().toISOString(),
+            };
+            const { approval } = gateway.getApprovalManager().createApproval(toolCall, 'admin', 'Needs review');
+            const res = await (0, supertest_1.default)(app)
+                .post(`/api/v1/workspaces/ws-approve/approvals/${approval.approval_id}/approve`)
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('approved');
+            expect(res.body.approval_id).toBe(approval.approval_id);
+            // Verify the approval is now approved
+            const updated = gateway.getApprovalManager().getApproval(approval.approval_id);
+            expect(updated?.status).toBe('approved');
+        });
+        it('returns 404 for non-existent approval', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-approve/approvals/nonexistent/approve')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(404);
+            expect(res.body.error).toContain('not found');
+        });
+        it('returns 404 when approval belongs to different workspace', async () => {
+            const toolCall = {
+                tool_call_id: 'tc-approve-other',
+                task_id: 'task-approve-other',
+                workspace_id: 'ws-other-approval',
+                actor: { id: 'agent-3', type: 'agent' },
+                source: { platform: 'test' },
+                tool: { name: 'http.request', version: '1.0', capability: 'read' },
+                args: { method: 'GET', url: 'https://example.com' },
+                timestamp: new Date().toISOString(),
+            };
+            const { approval } = gateway.getApprovalManager().createApproval(toolCall, 'admin', 'Test');
+            const res = await (0, supertest_1.default)(app)
+                .post(`/api/v1/workspaces/ws-approve/approvals/${approval.approval_id}/approve`)
+                .set('Cookie', 'pn_session=sess1')
+                .expect(404);
+            expect(res.body.error).toContain('not found');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /api/v1/workspaces/:id/approvals/:approvalId/deny
+    // -------------------------------------------------------------------------
+    describe('POST /api/v1/workspaces/:id/approvals/:approvalId/deny', () => {
+        beforeEach(() => {
+            gateway.getApprovalManager().clear();
+            saasStores.workspaceStore.create({
+                id: 'ws-deny',
+                name: 'Deny Workspace',
+                slug: 'deny-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-deny',
+                workspace_id: 'ws-deny',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('denies a pending approval', async () => {
+            const toolCall = {
+                tool_call_id: 'tc-deny-1',
+                task_id: 'task-deny-1',
+                workspace_id: 'ws-deny',
+                actor: { id: 'agent-4', type: 'agent' },
+                source: { platform: 'test' },
+                tool: { name: 'http.request', version: '1.0', capability: 'delete' },
+                args: { method: 'DELETE', url: 'https://example.com/resource' },
+                timestamp: new Date().toISOString(),
+            };
+            const { approval } = gateway.getApprovalManager().createApproval(toolCall, 'admin', 'Destructive');
+            const res = await (0, supertest_1.default)(app)
+                .post(`/api/v1/workspaces/ws-deny/approvals/${approval.approval_id}/deny`)
+                .set('Cookie', 'pn_session=sess1')
+                .send({ reason: 'Not authorized for this resource' })
+                .expect(200);
+            expect(res.body.status).toBe('denied');
+            expect(res.body.approval_id).toBe(approval.approval_id);
+            // Verify the approval is now denied
+            const updated = gateway.getApprovalManager().getApproval(approval.approval_id);
+            expect(updated?.status).toBe('denied');
+        });
+        it('uses default reason when none provided', async () => {
+            const toolCall = {
+                tool_call_id: 'tc-deny-2',
+                task_id: 'task-deny-2',
+                workspace_id: 'ws-deny',
+                actor: { id: 'agent-5', type: 'agent' },
+                source: { platform: 'test' },
+                tool: { name: 'http.request', version: '1.0', capability: 'write' },
+                args: { method: 'PUT', url: 'https://example.com/update' },
+                timestamp: new Date().toISOString(),
+            };
+            const { approval } = gateway.getApprovalManager().createApproval(toolCall, 'admin', 'Test');
+            const res = await (0, supertest_1.default)(app)
+                .post(`/api/v1/workspaces/ws-deny/approvals/${approval.approval_id}/deny`)
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('denied');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/v1/workspaces/:id/traces/:taskId
+    // -------------------------------------------------------------------------
+    describe('GET /api/v1/workspaces/:id/traces/:taskId', () => {
+        beforeEach(() => {
+            saasStores.workspaceStore.create({
+                id: 'ws-trace-detail',
+                name: 'Trace Detail Workspace',
+                slug: 'trace-detail-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-trace-detail',
+                workspace_id: 'ws-trace-detail',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('returns events for a task', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-trace-detail/traces/some-task-id')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.task_id).toBe('some-task-id');
+            expect(Array.isArray(res.body.events)).toBe(true);
+            expect(typeof res.body.total).toBe('number');
+        });
+        it('returns empty events for unknown task', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-trace-detail/traces/nonexistent-task')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.task_id).toBe('nonexistent-task');
+            expect(res.body.events).toEqual([]);
+            expect(res.body.total).toBe(0);
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-trace-detail');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-trace-detail/traces/some-task')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/v1/workspaces/:id/policies
+    // -------------------------------------------------------------------------
+    describe('GET /api/v1/workspaces/:id/policies', () => {
+        beforeEach(() => {
+            saasStores.workspaceStore.create({
+                id: 'ws-policies',
+                name: 'Policies Workspace',
+                slug: 'policies-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-policies',
+                workspace_id: 'ws-policies',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('returns the current policy pack', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-policies/policies')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.policy).toBeDefined();
+            expect(res.body.policy.name).toBeDefined();
+            expect(res.body.policy.version).toBeDefined();
+            expect(Array.isArray(res.body.policy.rules)).toBe(true);
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-policies');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-policies/policies')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/v1/workspaces/:id/security
+    // -------------------------------------------------------------------------
+    describe('GET /api/v1/workspaces/:id/security', () => {
+        beforeEach(() => {
+            saasStores.workspaceStore.create({
+                id: 'ws-security',
+                name: 'Security Workspace',
+                slug: 'security-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-security',
+                workspace_id: 'ws-security',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('returns empty events and stats when no DLP events exist', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-security/security')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.events).toEqual([]);
+            expect(res.body.total).toBe(0);
+            expect(res.body.stats).toBeDefined();
+            expect(res.body.stats.total).toBe(0);
+            expect(res.body.stats.high).toBe(0);
+            expect(res.body.stats.medium).toBe(0);
+            expect(res.body.stats.low).toBe(0);
+            expect(res.body.stats.unique_patterns).toBe(0);
+        });
+        it('returns DLP events with severity stats when events exist', async () => {
+            // Seed DLP events
+            const auditLogger = gateway.getAuditLogger();
+            auditLogger.log({
+                event_type: 'DLP_SCANNED',
+                tool_call_id: 'tc-dlp-1',
+                task_id: 'task-dlp-1',
+                workspace_id: 'ws-security',
+                actor_id: 'agent-dlp',
+                tool_name: 'http.request',
+                metadata: { severity: 'high', detected: ['aws_key', 'api_token'], redaction_count: 2 },
+            });
+            auditLogger.log({
+                event_type: 'DLP_SCANNED',
+                tool_call_id: 'tc-dlp-2',
+                task_id: 'task-dlp-2',
+                workspace_id: 'ws-security',
+                actor_id: 'agent-dlp',
+                tool_name: 'http.post',
+                metadata: { severity: 'medium', detected: ['email_address'], redaction_count: 1 },
+            });
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-security/security')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.events).toHaveLength(2);
+            expect(res.body.total).toBe(2);
+            expect(res.body.stats.total).toBe(2);
+            expect(res.body.stats.high).toBe(1);
+            expect(res.body.stats.medium).toBe(1);
+            expect(res.body.stats.low).toBe(0);
+            expect(res.body.stats.unique_patterns).toBe(3); // aws_key, api_token, email_address
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-security');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-security/security')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /api/v1/workspaces/:id/switch
+    // -------------------------------------------------------------------------
+    describe('POST /api/v1/workspaces/:id/switch', () => {
+        beforeEach(() => {
+            saasStores.workspaceStore.create({
+                id: 'ws-switch-1',
+                name: 'Switch WS 1',
+                slug: 'switch-ws-1',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-switch-1',
+                workspace_id: 'ws-switch-1',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+            saasStores.workspaceStore.create({
+                id: 'ws-switch-2',
+                name: 'Switch WS 2',
+                slug: 'switch-ws-2',
+                owner_user_id: 'u1',
+                plan: 'pro',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-switch-2',
+                workspace_id: 'ws-switch-2',
+                user_id: 'u1',
+                role: 'admin',
+                joined_at: now,
+            });
+        });
+        it('switches workspace and returns workspace with role', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-switch-2/switch')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.id).toBe('ws-switch-2');
+            expect(res.body.name).toBe('Switch WS 2');
+            expect(res.body.role).toBe('admin');
+            // Verify session was updated
+            const session = saasStores.sessionStore.getById('sess1');
+            expect(session?.workspace_id).toBe('ws-switch-2');
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-switch-2');
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-switch-2/switch')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/v1/workspaces/:id/members
+    // -------------------------------------------------------------------------
+    describe('GET /api/v1/workspaces/:id/members', () => {
+        beforeEach(() => {
+            saasStores.workspaceStore.create({
+                id: 'ws-members',
+                name: 'Members Workspace',
+                slug: 'members-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-members-1',
+                workspace_id: 'ws-members',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('returns enriched member list with viewer role', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-members/members')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.members).toHaveLength(1);
+            expect(res.body.members[0].user_id).toBe('u1');
+            expect(res.body.members[0].email).toBe('test@test.com');
+            expect(res.body.members[0].display_name).toBe('Test User');
+            expect(res.body.members[0].role).toBe('owner');
+            expect(res.body.viewer_role).toBe('owner');
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-members-1');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-members/members')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // PUT /api/v1/workspaces/:id/members/:memberId (role change)
+    // -------------------------------------------------------------------------
+    describe('PUT /api/v1/workspaces/:id/members/:memberId', () => {
+        beforeEach(() => {
+            saasStores.userStore.create({
+                id: 'u2',
+                email: 'other@test.com',
+                display_name: 'Other User',
+                avatar_url: '',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceStore.create({
+                id: 'ws-role',
+                name: 'Role WS',
+                slug: 'role-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-role-owner',
+                workspace_id: 'ws-role',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-role-target',
+                workspace_id: 'ws-role',
+                user_id: 'u2',
+                role: 'member',
+                joined_at: now,
+            });
+        });
+        it('changes a member role', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-role/members/mem-role-target')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ role: 'admin' })
+                .expect(200);
+            expect(res.body.role).toBe('admin');
+            const updated = saasStores.workspaceMemberStore.getById('mem-role-target');
+            expect(updated?.role).toBe('admin');
+        });
+        it('returns 400 when changing own role', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-role/members/mem-role-owner')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ role: 'admin' })
+                .expect(400);
+            expect(res.body.error).toContain('Cannot change your own role');
+        });
+        it('returns 400 for invalid role', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-role/members/mem-role-target')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ role: 'superadmin' })
+                .expect(400);
+            expect(res.body.error).toContain('role must be one of');
+        });
+        it('returns 403 when user is not owner or admin', async () => {
+            saasStores.workspaceMemberStore.update('mem-role-owner', { role: 'member' });
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-role/members/mem-role-target')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ role: 'admin' })
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+        it('returns 404 for non-existent member', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .put('/api/v1/workspaces/ws-role/members/nonexistent-member')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ role: 'admin' })
+                .expect(404);
+            expect(res.body.error).toContain('Member not found');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // DELETE /api/v1/workspaces/:id/members/:memberId (remove member)
+    // -------------------------------------------------------------------------
+    describe('DELETE /api/v1/workspaces/:id/members/:memberId', () => {
+        beforeEach(() => {
+            saasStores.userStore.create({
+                id: 'u2',
+                email: 'other@test.com',
+                display_name: 'Other User',
+                avatar_url: '',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceStore.create({
+                id: 'ws-remove',
+                name: 'Remove WS',
+                slug: 'remove-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-remove-owner',
+                workspace_id: 'ws-remove',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-remove-target',
+                workspace_id: 'ws-remove',
+                user_id: 'u2',
+                role: 'member',
+                joined_at: now,
+            });
+        });
+        it('removes a member', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-remove/members/mem-remove-target')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.status).toBe('ok');
+            expect(res.body.id).toBe('mem-remove-target');
+            expect(saasStores.workspaceMemberStore.getById('mem-remove-target')).toBeUndefined();
+        });
+        it('returns 400 when removing yourself', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-remove/members/mem-remove-owner')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(400);
+            expect(res.body.error).toContain('Cannot remove yourself');
+        });
+        it('returns 400 when removing the last owner', async () => {
+            // Make target an owner
+            saasStores.workspaceMemberStore.update('mem-remove-target', { role: 'owner' });
+            // Remove the original owner's role so target is the only owner
+            // Actually, u1 is still owner, so there are 2 owners. Let's remove u1's ownership first
+            saasStores.workspaceMemberStore.update('mem-remove-owner', { role: 'admin' });
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-remove/members/mem-remove-target')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(400);
+            expect(res.body.error).toContain('Cannot remove the last owner');
+        });
+        it('returns 403 when user is not owner or admin', async () => {
+            saasStores.workspaceMemberStore.update('mem-remove-owner', { role: 'viewer' });
+            const res = await (0, supertest_1.default)(app)
+                .delete('/api/v1/workspaces/ws-remove/members/mem-remove-target')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // POST /api/v1/workspaces/:id/members (add member by email)
+    // -------------------------------------------------------------------------
+    describe('POST /api/v1/workspaces/:id/members', () => {
+        beforeEach(() => {
+            saasStores.userStore.create({
+                id: 'u2',
+                email: 'other@test.com',
+                display_name: 'Other User',
+                avatar_url: '',
+                status: 'active',
+                onboarding_completed: true,
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceStore.create({
+                id: 'ws-add',
+                name: 'Add WS',
+                slug: 'add-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-add-owner',
+                workspace_id: 'ws-add',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('adds an existing user by email', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-add/members')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ email: 'other@test.com', role: 'member' })
+                .expect(201);
+            expect(res.body.user_id).toBe('u2');
+            expect(res.body.email).toBe('other@test.com');
+            expect(res.body.display_name).toBe('Other User');
+            expect(res.body.role).toBe('member');
+            expect(res.body.id).toBeDefined();
+        });
+        it('defaults role to member when invalid role given', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-add/members')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ email: 'other@test.com', role: 'superadmin' })
+                .expect(201);
+            expect(res.body.role).toBe('member');
+        });
+        it('returns 404 when user email not found', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-add/members')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ email: 'nonexistent@test.com', role: 'member' })
+                .expect(404);
+            expect(res.body.error).toContain('User not found');
+        });
+        it('returns 409 when user is already a member', async () => {
+            // Add user first
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-add-existing',
+                workspace_id: 'ws-add',
+                user_id: 'u2',
+                role: 'member',
+                joined_at: now,
+            });
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-add/members')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ email: 'other@test.com', role: 'member' })
+                .expect(409);
+            expect(res.body.error).toContain('already a member');
+        });
+        it('returns 400 when email is missing', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-add/members')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ role: 'member' })
+                .expect(400);
+            expect(res.body.error).toContain('email');
+        });
+        it('returns 403 when user is not owner or admin', async () => {
+            saasStores.workspaceMemberStore.update('mem-add-owner', { role: 'member' });
+            const res = await (0, supertest_1.default)(app)
+                .post('/api/v1/workspaces/ws-add/members')
+                .set('Cookie', 'pn_session=sess1')
+                .send({ email: 'other@test.com', role: 'member' })
+                .expect(403);
+            expect(res.body.error).toContain('owners and admins');
+        });
+    });
+    // -------------------------------------------------------------------------
+    // GET /api/v1/workspaces/:id/budgets (with spending data)
+    // -------------------------------------------------------------------------
+    describe('GET /api/v1/workspaces/:id/budgets', () => {
+        beforeEach(() => {
+            saasStores.workspaceStore.create({
+                id: 'ws-budgets',
+                name: 'Budgets Workspace',
+                slug: 'budgets-ws',
+                owner_user_id: 'u1',
+                plan: 'free',
+                settings: {},
+                created_at: now,
+                updated_at: now,
+            });
+            saasStores.workspaceMemberStore.create({
+                id: 'mem-budgets',
+                workspace_id: 'ws-budgets',
+                user_id: 'u1',
+                role: 'owner',
+                joined_at: now,
+            });
+        });
+        it('returns budget config with spending summary', async () => {
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-budgets/budgets')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(200);
+            expect(res.body.workspace_id).toBe('ws-budgets');
+            expect(res.body.config).toBeDefined();
+            expect(res.body.spending).toBeDefined();
+            expect(typeof res.body.spending.task_total).toBe('number');
+            expect(typeof res.body.spending.user_daily_total).toBe('number');
+            expect(typeof res.body.spending.user_monthly_total).toBe('number');
+            expect(typeof res.body.spending.workspace_daily_total).toBe('number');
+            expect(typeof res.body.spending.workspace_monthly_total).toBe('number');
+        });
+        it('returns 403 when user is not a member', async () => {
+            saasStores.workspaceMemberStore.delete('mem-budgets');
+            const res = await (0, supertest_1.default)(app)
+                .get('/api/v1/workspaces/ws-budgets/budgets')
+                .set('Cookie', 'pn_session=sess1')
+                .expect(403);
+            expect(res.body.error).toContain('Not a member');
+        });
+    });
+});
+//# sourceMappingURL=saas-routes.test.js.map