slackhive 0.1.37 → 0.1.39

package/apps/web/src/lib/__tests__/auth.test.ts

@@ -0,0 +1,262 @@
+/**
+ * @fileoverview Unit tests for auth.ts — signSession, verifySession,
+ * getSessionFromRequest, requireRole, and authenticateUser.
+ *
+ * No database connection required for session/cookie tests.
+ * authenticateUser DB path is tested via vi.mock.
+ *
+ * @module web/lib/__tests__/auth.test
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import * as crypto from 'crypto';
+
+// Mock DB dependency before importing auth
+vi.mock('@/lib/db', () => ({
+  getUserByUsername: vi.fn(),
+}));
+
+import {
+  signSession,
+  verifySession,
+  getSessionFromRequest,
+  requireRole,
+  authenticateUser,
+  COOKIE_NAME,
+} from '@/lib/auth';
+import { getUserByUsername } from '@/lib/db';
+import type { SessionPayload } from '@/lib/auth';
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+function makeRequest(cookie?: string): Request {
+  return new Request('http://localhost/api/test', {
+    headers: cookie ? { cookie } : {},
+  });
+}
+
+function makeSignedCookie(payload: SessionPayload, secret = 'change-this-secret-in-production'): string {
+  const data = Buffer.from(JSON.stringify(payload)).toString('base64url');
+  const sig = crypto.createHmac('sha256', secret).update(data).digest('base64url');
+  return `${data}.${sig}`;
+}
+
+// ─── signSession / verifySession ──────────────────────────────────────────────
+
+describe('signSession + verifySession', () => {
+  it('round-trips a valid session payload', () => {
+    const payload: SessionPayload = { username: 'alice', role: 'editor' };
+    const cookie = signSession(payload);
+    const result = verifySession(cookie);
+    expect(result).toEqual(payload);
+  });
+
+  it('round-trips all role types', () => {
+    const roles: SessionPayload['role'][] = ['superadmin', 'admin', 'editor', 'viewer'];
+    for (const role of roles) {
+      const payload: SessionPayload = { username: 'user', role };
+      expect(verifySession(signSession(payload))).toEqual(payload);
+    }
+  });
+
+  it('returns null for a tampered signature', () => {
+    const payload: SessionPayload = { username: 'alice', role: 'admin' };
+    const cookie = signSession(payload);
+    const [data] = cookie.split('.');
+    const tampered = `${data}.invalidsignature`;
+    expect(verifySession(tampered)).toBeNull();
+  });
+
+  it('returns null for a tampered payload (data changed, sig unchanged)', () => {
+    const payload: SessionPayload = { username: 'alice', role: 'editor' };
+    const cookie = signSession(payload);
+    const [, sig] = cookie.split('.');
+    const evilPayload = Buffer.from(JSON.stringify({ username: 'alice', role: 'superadmin' })).toString('base64url');
+    const tampered = `${evilPayload}.${sig}`;
+    expect(verifySession(tampered)).toBeNull();
+  });
+
+  it('returns null when cookie has no dot separator', () => {
+    expect(verifySession('nodothere')).toBeNull();
+  });
+
+  it('returns null when cookie has more than one dot', () => {
+    expect(verifySession('part1.part2.part3')).toBeNull();
+  });
+
+  it('returns null for an empty string', () => {
+    expect(verifySession('')).toBeNull();
+  });
+
+  it('returns null when payload is valid base64 but not JSON', () => {
+    const notJson = Buffer.from('not-json').toString('base64url');
+    const sig = crypto
+      .createHmac('sha256', 'change-this-secret-in-production')
+      .update(notJson)
+      .digest('base64url');
+    expect(verifySession(`${notJson}.${sig}`)).toBeNull();
+  });
+
+  it('returns null when signed with a different secret', () => {
+    const cookie = makeSignedCookie({ username: 'alice', role: 'admin' }, 'other-secret');
+    expect(verifySession(cookie)).toBeNull();
+  });
+
+  it('produces different cookies for different payloads', () => {
+    const a = signSession({ username: 'alice', role: 'admin' });
+    const b = signSession({ username: 'alice', role: 'editor' });
+    expect(a).not.toBe(b);
+  });
+});
+
+// ─── getSessionFromRequest ────────────────────────────────────────────────────
+
+describe('getSessionFromRequest', () => {
+  it('extracts and verifies a valid session from the cookie header', () => {
+    const payload: SessionPayload = { username: 'bob', role: 'viewer' };
+    const value = signSession(payload);
+    const req = makeRequest(`${COOKIE_NAME}=${value}`);
+    expect(getSessionFromRequest(req)).toEqual(payload);
+  });
+
+  it('returns null when no cookie header is present', () => {
+    const req = makeRequest();
+    expect(getSessionFromRequest(req)).toBeNull();
+  });
+
+  it('returns null when cookie header has no auth_session key', () => {
+    const req = makeRequest('other_cookie=abc123');
+    expect(getSessionFromRequest(req)).toBeNull();
+  });
+
+  it('returns null when the session cookie is tampered', () => {
+    const req = makeRequest(`${COOKIE_NAME}=invalid.garbage`);
+    expect(getSessionFromRequest(req)).toBeNull();
+  });
+
+  it('extracts session when auth_session is among multiple cookies', () => {
+    const payload: SessionPayload = { username: 'charlie', role: 'admin' };
+    const value = signSession(payload);
+    const req = makeRequest(`other=val; ${COOKIE_NAME}=${value}; another=foo`);
+    expect(getSessionFromRequest(req)).toEqual(payload);
+  });
+
+  it('handles URL-encoded cookie values', () => {
+    const payload: SessionPayload = { username: 'dave', role: 'editor' };
+    const value = encodeURIComponent(signSession(payload));
+    const req = makeRequest(`${COOKIE_NAME}=${value}`);
+    expect(getSessionFromRequest(req)).toEqual(payload);
+  });
+});
+
+// ─── requireRole ─────────────────────────────────────────────────────────────
+
+describe('requireRole', () => {
+  it('returns session when role meets minimum (viewer requires viewer)', () => {
+    const payload: SessionPayload = { username: 'alice', role: 'viewer' };
+    const req = makeRequest(`${COOKIE_NAME}=${signSession(payload)}`);
+    expect(requireRole(req, 'viewer')).toEqual(payload);
+  });
+
+  it('returns session when role exceeds minimum (admin requires editor)', () => {
+    const payload: SessionPayload = { username: 'alice', role: 'admin' };
+    const req = makeRequest(`${COOKIE_NAME}=${signSession(payload)}`);
+    expect(requireRole(req, 'editor')).toEqual(payload);
+  });
+
+  it('superadmin passes any role requirement', () => {
+    const payload: SessionPayload = { username: 'root', role: 'superadmin' };
+    const req = makeRequest(`${COOKIE_NAME}=${signSession(payload)}`);
+    expect(requireRole(req, 'admin')).toEqual(payload);
+  });
+
+  it('throws when role is below minimum (viewer requires editor)', () => {
+    const payload: SessionPayload = { username: 'alice', role: 'viewer' };
+    const req = makeRequest(`${COOKIE_NAME}=${signSession(payload)}`);
+    expect(() => requireRole(req, 'editor')).toThrow('Insufficient permissions');
+  });
+
+  it('throws when not authenticated (no cookie)', () => {
+    const req = makeRequest();
+    expect(() => requireRole(req, 'viewer')).toThrow('Not authenticated');
+  });
+
+  it('editor cannot meet admin requirement', () => {
+    const payload: SessionPayload = { username: 'alice', role: 'editor' };
+    const req = makeRequest(`${COOKIE_NAME}=${signSession(payload)}`);
+    expect(() => requireRole(req, 'admin')).toThrow('Insufficient permissions');
+  });
+});
+
+// ─── authenticateUser ─────────────────────────────────────────────────────────
+
+describe('authenticateUser', () => {
+  beforeEach(() => vi.clearAllMocks());
+
+  it('returns superadmin session for env-var credentials', async () => {
+    const result = await authenticateUser('admin', 'changeme');
+    expect(result).toEqual({ username: 'admin', role: 'superadmin' });
+  });
+
+  it('returns null for wrong superadmin password', async () => {
+    const result = await authenticateUser('admin', 'wrongpass');
+    expect(result).toBeNull();
+  });
+
+  it('returns null when DB user does not exist', async () => {
+    vi.mocked(getUserByUsername).mockResolvedValue(null);
+    const result = await authenticateUser('unknown', 'pass');
+    expect(result).toBeNull();
+  });
+
+  it('returns null when DB user password does not match', async () => {
+    vi.mocked(getUserByUsername).mockResolvedValue({
+      id: 'u1', username: 'bob', role: 'editor',
+      passwordHash: '$2b$10$invalidhashthatisnevervalid123456789012',
+      createdAt: new Date().toISOString(),
+    });
+    const result = await authenticateUser('bob', 'wrongpass');
+    expect(result).toBeNull();
+  });
+
+  it('does not hit DB for superadmin credentials', async () => {
+    await authenticateUser('admin', 'changeme');
+    expect(getUserByUsername).not.toHaveBeenCalled();
+  });
+});
+
+// ─── hashPassword ─────────────────────────────────────────────────────────────
+
+describe('hashPassword', () => {
+  it('returns a bcrypt hash string', async () => {
+    const { hashPassword } = await import('@/lib/auth');
+    const hash = await hashPassword('mysecret');
+    expect(hash).toMatch(/^\$2[ab]\$10\$/);
+  });
+
+  it('produces a different hash each call (salt)', async () => {
+    const { hashPassword } = await import('@/lib/auth');
+    const h1 = await hashPassword('same');
+    const h2 = await hashPassword('same');
+    expect(h1).not.toBe(h2);
+  });
+
+  it('produces a hash that bcrypt can verify', async () => {
+    const { hashPassword } = await import('@/lib/auth');
+    const bcrypt = (await import('bcryptjs')).default;
+    const hash = await hashPassword('testpass');
+    expect(await bcrypt.compare('testpass', hash)).toBe(true);
+  });
+});
+
+// ─── Production secret guard ────────────────────────────────────────────────
+
+describe('production secret guard', () => {
+  it('does not throw in test/dev environment', () => {
+    // The module already loaded successfully via the top-level import.
+    // If the guard fired incorrectly, this entire test file would have
+    // failed to import. Verify the module exported the expected function.
+    expect(signSession).toBeDefined();
+    expect(typeof signSession).toBe('function');
+  });
+});

package/apps/web/src/lib/__tests__/boss-registry.test.ts

@@ -0,0 +1,323 @@
+/**
+ * @fileoverview Unit tests for boss-registry.ts — regenerateBossRegistry.
+ *
+ * Tests cover the registry content generation logic: team listing, delegation
+ * instructions, Slack mention format, multi-boss routing, and edge cases like
+ * agents with no Slack user ID or no team members.
+ *
+ * All DB calls are mocked via vi.mock — no database connection required.
+ *
+ * @module web/lib/__tests__/boss-registry.test
+ */
+
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import type { Agent } from '@slackhive/shared';
+
+// Mock DB dependencies before importing the module under test
+vi.mock('@/lib/db', () => ({
+  getAllAgents: vi.fn(),
+  updateAgentClaudeMd: vi.fn().mockResolvedValue(undefined),
+  publishAgentEvent: vi.fn().mockResolvedValue(undefined),
+}));
+
+import { regenerateBossRegistry } from '@/lib/boss-registry';
+import { getAllAgents, updateAgentClaudeMd, publishAgentEvent } from '@/lib/db';
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+function makeAgent(overrides: Partial<Agent>): Agent {
+  return {
+    id: 'agent-1',
+    slug: 'agent',
+    name: 'Agent',
+    persona: undefined,
+    description: undefined,
+    slackBotToken: 'xoxb-fake',
+    slackAppToken: 'xapp-fake',
+    slackSigningSecret: 'secret',
+    slackBotUserId: undefined,
+    model: 'claude-opus-4-5',
+    status: 'stopped',
+    enabled: true,
+    isBoss: false,
+    reportsTo: [],
+    claudeMd: '',
+    createdBy: 'system',
+    createdAt: new Date(),
+    updatedAt: new Date(),
+    ...overrides,
+  };
+}
+
+// ─── Tests ────────────────────────────────────────────────────────────────────
+
+describe('regenerateBossRegistry', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('does nothing when there are no boss agents', async () => {
+    vi.mocked(getAllAgents).mockResolvedValue([
+      makeAgent({ id: 'a1', isBoss: false }),
+    ]);
+
+    await regenerateBossRegistry();
+
+    expect(updateAgentClaudeMd).not.toHaveBeenCalled();
+    expect(publishAgentEvent).not.toHaveBeenCalled();
+  });
+
+  it('does nothing when boss has no team members with slackBotUserId', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
+    const specialist = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: undefined });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
+
+    await regenerateBossRegistry();
+
+    expect(updateAgentClaudeMd).not.toHaveBeenCalled();
+  });
+
+  it('generates registry with correct agent mention and description', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
+    const specialist = makeAgent({
+      id: 'spec-1', name: 'DataBot', isBoss: false,
+      reportsTo: ['boss-1'], slackBotUserId: 'U123ABC',
+      description: 'Runs Redshift queries',
+    });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
+
+    await regenerateBossRegistry();
+
+    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
+    expect(content).toContain('**DataBot** (<@U123ABC>) — Runs Redshift queries');
+  });
+
+  it('uses slug-based fallback mention when slackBotUserId is missing', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
+    // specialist has no slackBotUserId — registry should fall back to @slug
+    const specialist = makeAgent({
+      id: 'spec-1', name: 'DataBot', slug: 'data-bot', isBoss: false,
+      reportsTo: ['boss-1'], slackBotUserId: undefined,
+      description: 'Runs Redshift queries',
+    });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
+
+    // regenerateSingleBossRegistry skips agents with no slackBotUserId
+    // so updateAgentClaudeMd should NOT be called
+    await regenerateBossRegistry();
+    expect(updateAgentClaudeMd).not.toHaveBeenCalled();
+  });
+
+  it('uses default description when agent description is undefined', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
+    const specialist = makeAgent({
+      id: 'spec-1', name: 'Writer', isBoss: false,
+      reportsTo: ['boss-1'], slackBotUserId: 'U999',
+      description: undefined,
+    });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
+
+    await regenerateBossRegistry();
+
+    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
+    expect(content).toContain('No description provided.');
+  });
+
+  it('includes boss name in the registry heading', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'HQ Boss' });
+    const specialist = makeAgent({
+      id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'U1',
+    });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
+
+    await regenerateBossRegistry();
+
+    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
+    expect(content).toContain('# HQ Boss — Team Orchestrator');
+  });
+
+  it('includes delegation instructions in the registry', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
+    const specialist = makeAgent({
+      id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'U1',
+    });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
+
+    await regenerateBossRegistry();
+
+    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
+    expect(content).toContain('ALWAYS delegate');
+    expect(content).toContain('## Your Team');
+    expect(content).toContain('## How to delegate');
+  });
+
+  it('publishes a reload event after updating the registry', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
+    const specialist = makeAgent({
+      id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'U1',
+    });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
+
+    await regenerateBossRegistry();
+
+    expect(publishAgentEvent).toHaveBeenCalledWith({ type: 'reload', agentId: 'boss-1' });
+  });
+
+  it('handles multiple bosses independently', async () => {
+    const boss1 = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss One' });
+    const boss2 = makeAgent({ id: 'boss-2', isBoss: true, name: 'Boss Two' });
+    const spec1 = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'U1', name: 'Alpha' });
+    const spec2 = makeAgent({ id: 'spec-2', isBoss: false, reportsTo: ['boss-2'], slackBotUserId: 'U2', name: 'Beta' });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss1, boss2, spec1, spec2]);
+
+    await regenerateBossRegistry();
+
+    expect(updateAgentClaudeMd).toHaveBeenCalledTimes(2);
+
+    const [call1, call2] = vi.mocked(updateAgentClaudeMd).mock.calls;
+    const contents = [call1[1], call2[1]];
+
+    expect(contents.some(c => c.includes('Boss One') && c.includes('Alpha'))).toBe(true);
+    expect(contents.some(c => c.includes('Boss Two') && c.includes('Beta'))).toBe(true);
+  });
+
+  it('does not include agents from other boss teams in a boss registry', async () => {
+    const boss1 = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss One' });
+    const boss2 = makeAgent({ id: 'boss-2', isBoss: true, name: 'Boss Two' });
+    const spec1 = makeAgent({ id: 'spec-1', name: 'Alpha', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'U1' });
+    const spec2 = makeAgent({ id: 'spec-2', name: 'Beta', isBoss: false, reportsTo: ['boss-2'], slackBotUserId: 'U2' });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss1, boss2, spec1, spec2]);
+
+    await regenerateBossRegistry();
+
+    const [call1, call2] = vi.mocked(updateAgentClaudeMd).mock.calls;
+    const contents = [call1[1], call2[1]];
+    const boss1Content = contents.find(c => c.includes('Boss One'))!;
+    const boss2Content = contents.find(c => c.includes('Boss Two'))!;
+
+    expect(boss1Content).not.toContain('Beta');
+    expect(boss2Content).not.toContain('Alpha');
+  });
+
+  it('uses fallback description when agent description is empty string', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
+    const specialist = makeAgent({
+      id: 'spec-1', isBoss: false, reportsTo: ['boss-1'],
+      slackBotUserId: 'U1', description: '',
+    });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
+
+    await regenerateBossRegistry();
+
+    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
+    expect(content).toContain('No description provided.');
+  });
+
+  it('skips a boss agent that appears in another boss team (boss is also a specialist)', async () => {
+    const boss1 = makeAgent({ id: 'boss-1', isBoss: true, name: 'Top Boss' });
+    // boss2 reports to boss1 but is also a boss itself
+    const boss2 = makeAgent({ id: 'boss-2', isBoss: true, name: 'Mid Boss', reportsTo: ['boss-1'], slackBotUserId: 'U2' });
+    const spec = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-2'], slackBotUserId: 'U3', name: 'Worker' });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss1, boss2, spec]);
+
+    await regenerateBossRegistry();
+
+    // boss1's registry should include boss2 (it reports to boss1)
+    const boss1Call = vi.mocked(updateAgentClaudeMd).mock.calls.find(c => c[0] === 'boss-1');
+    expect(boss1Call).toBeDefined();
+    expect(boss1Call![1]).toContain('Mid Boss');
+  });
+
+  it('does not call updateAgentClaudeMd when getAllAgents throws', async () => {
+    vi.mocked(getAllAgents).mockRejectedValue(new Error('DB connection failed'));
+
+    await expect(regenerateBossRegistry()).rejects.toThrow('DB connection failed');
+    expect(updateAgentClaudeMd).not.toHaveBeenCalled();
+  });
+
+  it('handles an agent reporting to multiple bosses', async () => {
+    const boss1 = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss One' });
+    const boss2 = makeAgent({ id: 'boss-2', isBoss: true, name: 'Boss Two' });
+    const shared = makeAgent({
+      id: 'spec-1', name: 'SharedBot', isBoss: false,
+      reportsTo: ['boss-1', 'boss-2'], slackBotUserId: 'U1',
+    });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss1, boss2, shared]);
+
+    await regenerateBossRegistry();
+
+    expect(updateAgentClaudeMd).toHaveBeenCalledTimes(2);
+    const contents = vi.mocked(updateAgentClaudeMd).mock.calls.map(c => c[1]);
+    expect(contents[0]).toContain('SharedBot');
+    expect(contents[1]).toContain('SharedBot');
+  });
+
+  it('includes boss self-mention in delegation instructions when boss has slackBotUserId', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss', slackBotUserId: 'UBOSS' });
+    const spec = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'USPEC' });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, spec]);
+    await regenerateBossRegistry();
+
+    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
+    expect(content).toContain('<@UBOSS>');
+  });
+
+  it('falls back to @slug in delegation instructions when boss has no slackBotUserId', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss', slug: 'my-boss', slackBotUserId: undefined });
+    const spec = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'USPEC' });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, spec]);
+    await regenerateBossRegistry();
+
+    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
+    expect(content).toContain('@my-boss');
+  });
+
+  it('includes post-delegation confirmation instructions', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss', slackBotUserId: 'UBOSS' });
+    const spec = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'USPEC' });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, spec]);
+    await regenerateBossRegistry();
+
+    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
+    expect(content).toContain('After a specialist responds');
+    expect(content).toContain("When you're done, please tag");
+  });
+});
+
+// ─── slug fallback branch (line 48) ──────────────────────────────────────────
+// The branch `a.slackBotUserId ? <@id> : @slug` is only reachable if the
+// filter on line 44 is bypassed. Since the filter removes agents without
+// slackBotUserId, the ternary's false branch (slug fallback) is dead code.
+// We document this explicitly rather than testing unreachable code.
+describe('mention format branch coverage note', () => {
+  beforeEach(() => vi.clearAllMocks());
+
+  it('always uses <@userId> format because filter removes agents without slackBotUserId', async () => {
+    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
+    const spec = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'UABC', slug: 'my-bot' });
+
+    vi.mocked(getAllAgents).mockResolvedValue([boss, spec]);
+    await regenerateBossRegistry();
+
+    const calls = vi.mocked(updateAgentClaudeMd).mock.calls;
+    expect(calls.length).toBe(1);
+    const registryContent = calls[0][1];
+    expect(registryContent).toContain('<@UABC>');
+    expect(registryContent).not.toContain('@my-bot');
+  });
+});