slackhive 0.1.37 → 0.1.39

package/apps/web/src/lib/__tests__/db.integration.test.ts

@@ -0,0 +1,271 @@
+/**
+ * @fileoverview Integration tests for db.ts — requires a real Postgres connection.
+ *
+ * Set TEST_DATABASE_URL to run these tests. Without it, the entire suite is
+ * skipped so CI (which has no DB) is not affected.
+ *
+ * @module web/lib/__tests__/db.integration.test
+ */
+
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import type { Agent } from '@slackhive/shared';
+
+// Swap DATABASE_URL for the test database before importing db functions.
+// This must happen before the module is loaded so the singleton pool picks it up.
+if (process.env.TEST_DATABASE_URL) {
+  process.env.DATABASE_URL = process.env.TEST_DATABASE_URL;
+}
+
+import {
+  createAgent,
+  getAgentById,
+  updateAgentClaudeMd,
+  deleteAgent,
+  upsertSkill,
+  getAgentSkills,
+  deleteSkill,
+  createSnapshot,
+  listSnapshots,
+  getSnapshotById,
+  deleteSnapshot,
+  userCanWriteAgent,
+  grantAgentWrite,
+  revokeAgentWrite,
+  createUser,
+  deleteUser,
+  getUserByUsername,
+} from '@/lib/db';
+
+const DB_AVAILABLE = !!process.env.TEST_DATABASE_URL;
+
+describe.skipIf(!DB_AVAILABLE)('db integration tests', () => {
+
+  // ---------------------------------------------------------------------------
+  // createAgent + getAgentById
+  // ---------------------------------------------------------------------------
+
+  describe('createAgent + getAgentById', () => {
+    let agentId: string;
+
+    afterAll(async () => {
+      if (agentId) await deleteAgent(agentId);
+    });
+
+    it('creates an agent and fetches it by id', async () => {
+      const agent = await createAgent({
+        slug: `test-agent-${Date.now()}`,
+        name: 'Test Agent',
+        persona: 'A test persona',
+        description: 'Integration test agent',
+        slackBotToken: 'xoxb-test',
+        slackAppToken: 'xapp-test',
+        slackSigningSecret: 'secret',
+        model: 'claude-opus-4-6',
+      }, 'test-user');
+
+      agentId = agent.id;
+
+      expect(agent.id).toBeTruthy();
+      expect(agent.slug).toMatch(/^test-agent-/);
+      expect(agent.name).toBe('Test Agent');
+      expect(agent.persona).toBe('A test persona');
+      expect(agent.createdBy).toBe('test-user');
+
+      const fetched = await getAgentById(agent.id);
+      expect(fetched).not.toBeNull();
+      expect(fetched!.id).toBe(agent.id);
+      expect(fetched!.name).toBe('Test Agent');
+    });
+
+    it('returns null for a non-existent agent id', async () => {
+      const result = await getAgentById('00000000-0000-0000-0000-000000000000');
+      expect(result).toBeNull();
+    });
+  });
+
+  // ---------------------------------------------------------------------------
+  // updateAgentClaudeMd
+  // ---------------------------------------------------------------------------
+
+  describe('updateAgentClaudeMd', () => {
+    let agentId: string;
+
+    beforeAll(async () => {
+      const agent = await createAgent({
+        slug: `test-claude-md-${Date.now()}`,
+        name: 'Claude MD Test',
+        slackBotToken: 'xoxb-test',
+        slackAppToken: 'xapp-test',
+        slackSigningSecret: 'secret',
+      }, 'test-user');
+      agentId = agent.id;
+    });
+
+    afterAll(async () => {
+      if (agentId) await deleteAgent(agentId);
+    });
+
+    it('updates claudeMd and reflects the change on re-fetch', async () => {
+      const newContent = '# Updated CLAUDE.md\n\nNew content here.';
+      await updateAgentClaudeMd(agentId, newContent);
+
+      const fetched = await getAgentById(agentId);
+      expect(fetched!.claudeMd).toBe(newContent);
+    });
+  });
+
+  // ---------------------------------------------------------------------------
+  // upsertSkill + getAgentSkills + deleteSkill
+  // ---------------------------------------------------------------------------
+
+  describe('upsertSkill + getAgentSkills + deleteSkill', () => {
+    let agentId: string;
+
+    beforeAll(async () => {
+      const agent = await createAgent({
+        slug: `test-skills-${Date.now()}`,
+        name: 'Skills Test',
+        slackBotToken: 'xoxb-test',
+        slackAppToken: 'xapp-test',
+        slackSigningSecret: 'secret',
+      }, 'test-user');
+      agentId = agent.id;
+    });
+
+    afterAll(async () => {
+      if (agentId) await deleteAgent(agentId);
+    });
+
+    it('adds two skills and lists them in sort order', async () => {
+      await upsertSkill(agentId, '00-core', 'main.md', '# Main', 0);
+      await upsertSkill(agentId, '00-core', 'extra.md', '# Extra', 1);
+
+      const skills = await getAgentSkills(agentId);
+      expect(skills).toHaveLength(2);
+      // Sort order: main.md (0) before extra.md (1)
+      expect(skills[0].filename).toBe('main.md');
+      expect(skills[1].filename).toBe('extra.md');
+    });
+
+    it('deletes one skill and leaves only one remaining', async () => {
+      const skills = await getAgentSkills(agentId);
+      await deleteSkill(skills[0].id);
+
+      const remaining = await getAgentSkills(agentId);
+      expect(remaining).toHaveLength(1);
+      expect(remaining[0].filename).toBe('extra.md');
+    });
+  });
+
+  // ---------------------------------------------------------------------------
+  // createSnapshot + listSnapshots + getSnapshotById + deleteSnapshot
+  // ---------------------------------------------------------------------------
+
+  describe('snapshots', () => {
+    let agentId: string;
+    let snapshotId: string;
+
+    beforeAll(async () => {
+      const agent = await createAgent({
+        slug: `test-snapshot-${Date.now()}`,
+        name: 'Snapshot Test',
+        slackBotToken: 'xoxb-test',
+        slackAppToken: 'xapp-test',
+        slackSigningSecret: 'secret',
+      }, 'test-user');
+      agentId = agent.id;
+    });
+
+    afterAll(async () => {
+      if (agentId) await deleteAgent(agentId);
+    });
+
+    it('creates a snapshot and it appears in listSnapshots', async () => {
+      const snap = await createSnapshot(
+        agentId,
+        'manual',
+        'test-user',
+        'initial snapshot',
+        [{ category: '00-core', filename: 'main.md', content: '# Main', sort_order: 0 }],
+        ['Read'],
+        [],
+        [],
+        '# Main',
+      );
+      snapshotId = snap.id;
+
+      expect(snap.id).toBeTruthy();
+      expect(snap.label).toBe('initial snapshot');
+      expect(snap.trigger).toBe('manual');
+      expect(snap.compiledMd).toBe('# Main');
+
+      const list = await listSnapshots(agentId);
+      expect(list.some(s => s.id === snap.id)).toBe(true);
+    });
+
+    it('fetches a snapshot by id', async () => {
+      const fetched = await getSnapshotById(snapshotId);
+      expect(fetched).not.toBeNull();
+      expect(fetched!.id).toBe(snapshotId);
+      expect(fetched!.skillsJson).toHaveLength(1);
+    });
+
+    it('deletes a snapshot and it no longer appears in listSnapshots', async () => {
+      await deleteSnapshot(snapshotId);
+      const list = await listSnapshots(agentId);
+      expect(list.some(s => s.id === snapshotId)).toBe(false);
+    });
+  });
+
+  // ---------------------------------------------------------------------------
+  // userCanWriteAgent + grantAgentWrite + revokeAgentWrite
+  // ---------------------------------------------------------------------------
+
+  describe('userCanWriteAgent', () => {
+    let agentId: string;
+    let editorUserId: string;
+    const editorUsername = `test-editor-${Date.now()}`;
+
+    beforeAll(async () => {
+      const agent = await createAgent({
+        slug: `test-access-${Date.now()}`,
+        name: 'Access Test',
+        slackBotToken: 'xoxb-test',
+        slackAppToken: 'xapp-test',
+        slackSigningSecret: 'secret',
+      }, 'system');
+      agentId = agent.id;
+
+      // Create a test editor user
+      const user = await createUser(editorUsername, 'hashed-password', 'editor');
+      editorUserId = user.id;
+    });
+
+    afterAll(async () => {
+      if (agentId) await deleteAgent(agentId);
+      if (editorUserId) await deleteUser(editorUserId);
+    });
+
+    it('returns true for admin role without a DB check', async () => {
+      const result = await userCanWriteAgent(agentId, 'any-admin', 'admin');
+      expect(result).toBe(true);
+    });
+
+    it('returns false for editor with no grants', async () => {
+      const result = await userCanWriteAgent(agentId, editorUsername, 'editor');
+      expect(result).toBe(false);
+    });
+
+    it('returns true after grantAgentWrite', async () => {
+      await grantAgentWrite(agentId, editorUserId);
+      const result = await userCanWriteAgent(agentId, editorUsername, 'editor');
+      expect(result).toBe(true);
+    });
+
+    it('returns false after revokeAgentWrite', async () => {
+      await revokeAgentWrite(agentId, editorUserId);
+      const result = await userCanWriteAgent(agentId, editorUsername, 'editor');
+      expect(result).toBe(false);
+    });
+  });
+});

package/apps/web/src/lib/__tests__/diff.test.ts

@@ -0,0 +1,102 @@
+/**
+ * @fileoverview Unit tests for the lineDiff utility in diff.ts.
+ *
+ * @module web/lib/__tests__/diff.test
+ */
+
+import { describe, it, expect } from 'vitest';
+import { lineDiff } from '@/lib/diff';
+
+describe('lineDiff', () => {
+  it('returns a single same entry for two empty strings', () => {
+    // ''.split('\n') yields [''], so one same entry with an empty line
+    expect(lineDiff('', '')).toEqual([{ type: 'same', line: '' }]);
+  });
+
+  it('returns all same entries for identical strings', () => {
+    const result = lineDiff('hello\nworld', 'hello\nworld');
+    expect(result).toEqual([
+      { type: 'same', line: 'hello' },
+      { type: 'same', line: 'world' },
+    ]);
+  });
+
+  it('returns add entries for new lines when old is empty', () => {
+    // old = '' → [''], new = 'foo\nbar' → ['foo','bar']
+    // '' does not match 'foo' or 'bar', so it becomes a remove; foo and bar become adds
+    const result = lineDiff('', 'foo\nbar');
+    const adds = result.filter(l => l.type === 'add').map(l => l.line);
+    expect(adds).toEqual(['foo', 'bar']);
+  });
+
+  it('returns remove entries for old lines when new is empty', () => {
+    // old = 'foo\nbar' → ['foo','bar'], new = '' → ['']
+    // foo and bar become removes; '' becomes an add
+    const result = lineDiff('foo\nbar', '');
+    const removes = result.filter(l => l.type === 'remove').map(l => l.line);
+    expect(removes).toEqual(['foo', 'bar']);
+  });
+
+  it('detects one line added in the middle', () => {
+    const result = lineDiff('a\nb', 'a\nc\nb');
+    expect(result).toContainEqual({ type: 'add', line: 'c' });
+    expect(result.filter(l => l.type === 'same').map(l => l.line)).toEqual(['a', 'b']);
+  });
+
+  it('detects one line removed from the middle', () => {
+    const result = lineDiff('a\nb\nc', 'a\nc');
+    expect(result).toContainEqual({ type: 'remove', line: 'b' });
+    expect(result.filter(l => l.type === 'same').map(l => l.line)).toEqual(['a', 'c']);
+  });
+
+  it('produces all removes then all adds for a complete replacement', () => {
+    const result = lineDiff('old1\nold2', 'new1\nnew2');
+    const types = result.map(l => l.type);
+    // All removes should come before all adds
+    const firstAdd = types.indexOf('add');
+    const lastRemove = types.lastIndexOf('remove');
+    expect(firstAdd).toBeGreaterThan(-1);
+    expect(lastRemove).toBeGreaterThan(-1);
+    expect(lastRemove).toBeLessThan(firstAdd);
+    expect(result.filter(l => l.type === 'remove').map(l => l.line)).toEqual(['old1', 'old2']);
+    expect(result.filter(l => l.type === 'add').map(l => l.line)).toEqual(['new1', 'new2']);
+  });
+
+  it('treats lines with only whitespace differences as different', () => {
+    const result = lineDiff('hello', 'hello ');
+    expect(result).toContainEqual({ type: 'remove', line: 'hello' });
+    expect(result).toContainEqual({ type: 'add', line: 'hello ' });
+  });
+
+  it('treats lines differing only by indentation as different', () => {
+    const result = lineDiff('  indented', 'indented');
+    expect(result).toContainEqual({ type: 'remove', line: '  indented' });
+    expect(result).toContainEqual({ type: 'add', line: 'indented' });
+  });
+
+  it('handles Windows CRLF by treating \\r as part of the line content', () => {
+    // lineDiff splits on \n only; \r stays attached to the line
+    const result = lineDiff('line1\r\nline2', 'line1\nline2');
+    const removeLines = result.filter(l => l.type === 'remove').map(l => l.line);
+    const addLines = result.filter(l => l.type === 'add').map(l => l.line);
+    expect(removeLines).toContain('line1\r');
+    expect(addLines).toContain('line1');
+  });
+
+  it('handles a single line with no newlines', () => {
+    const result = lineDiff('old', 'new');
+    expect(result).toContainEqual({ type: 'remove', line: 'old' });
+    expect(result).toContainEqual({ type: 'add', line: 'new' });
+  });
+
+  it('handles multiline: first same, middle change, last same', () => {
+    const oldText = 'line1\noriginal\nline3';
+    const newText = 'line1\nchanged\nline3';
+    const result = lineDiff(oldText, newText);
+    expect(result[0]).toEqual({ type: 'same', line: 'line1' });
+    const middleEntries = result.slice(1, result.length - 1);
+    expect(middleEntries).toContainEqual({ type: 'remove', line: 'original' });
+    expect(middleEntries).toContainEqual({ type: 'add', line: 'changed' });
+    expect(result[result.length - 1]).toEqual({ type: 'same', line: 'line3' });
+  });
+});

package/apps/web/src/lib/__tests__/mcp-mask.test.ts

@@ -0,0 +1,274 @@
+/**
+ * @fileoverview Unit tests for mcp-mask.ts — maskMcpConfig, maskMcpServer, mergeMcpConfig.
+ *
+ * These tests cover the core security behaviour: secrets are never returned to
+ * the client in plaintext, and sending back "********" placeholders on PATCH
+ * never overwrites the real stored value.
+ *
+ * No database connection required — all tests use inline data.
+ *
+ * @module web/lib/__tests__/mcp-mask.test
+ */
+
+import { describe, it, expect } from 'vitest';
+import { maskMcpConfig, maskMcpServer, mergeMcpConfig } from '@/lib/mcp-mask';
+import type { McpServer } from '@slackhive/shared';
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+function makeServer(overrides: Partial<McpServer> = {}): McpServer {
+  return {
+    id: 'mcp-1',
+    name: 'test-mcp',
+    type: 'stdio',
+    config: { command: 'node', args: ['server.js'], env: { SECRET: 'real-secret', API_KEY: 'real-key' } },
+    description: 'Test server',
+    enabled: true,
+    createdAt: new Date(),
+    ...overrides,
+  };
+}
+
+// ─── maskMcpConfig ────────────────────────────────────────────────────────────
+
+describe('maskMcpConfig', () => {
+  it('masks all env values for stdio config', () => {
+    const config = { command: 'node', args: ['s.js'], env: { SECRET: 'real-secret', KEY: 'real-key' } };
+    const result = maskMcpConfig(config) as typeof config;
+    expect(result.env.SECRET).toBe('********');
+    expect(result.env.KEY).toBe('********');
+  });
+
+  it('preserves env keys after masking', () => {
+    const config = { command: 'node', args: [], env: { DB_URL: 'postgres://...', TOKEN: 'abc' } };
+    const result = maskMcpConfig(config) as typeof config;
+    expect(Object.keys(result.env)).toEqual(['DB_URL', 'TOKEN']);
+  });
+
+  it('preserves non-secret fields (command, args) for stdio', () => {
+    const config = { command: 'node', args: ['server.js'], env: { KEY: 'val' } };
+    const result = maskMcpConfig(config) as typeof config;
+    expect(result.command).toBe('node');
+    expect(result.args).toEqual(['server.js']);
+  });
+
+  it('masks all header values for sse config', () => {
+    const config = { url: 'https://api.example.com/sse', headers: { Authorization: 'Bearer tok', 'X-Key': 'secret' } };
+    const result = maskMcpConfig(config) as typeof config;
+    expect(result.headers.Authorization).toBe('********');
+    expect(result.headers['X-Key']).toBe('********');
+  });
+
+  it('preserves url for sse config after masking headers', () => {
+    const config = { url: 'https://api.example.com/sse', headers: { Authorization: 'Bearer tok' } };
+    const result = maskMcpConfig(config) as typeof config;
+    expect(result.url).toBe('https://api.example.com/sse');
+  });
+
+  it('masks header values for http config', () => {
+    const config = { url: 'https://api.example.com/mcp', headers: { 'X-Api-Key': 'supersecret' } };
+    const result = maskMcpConfig(config) as typeof config;
+    expect((result as typeof config).headers['X-Api-Key']).toBe('********');
+  });
+
+  it('returns config unchanged when no env or headers present (stdio without env)', () => {
+    const config = { command: 'node', args: ['s.js'] };
+    const result = maskMcpConfig(config);
+    expect(result).toEqual(config);
+  });
+
+  it('returns config unchanged when env is empty object', () => {
+    const config = { command: 'node', args: [], env: {} };
+    const result = maskMcpConfig(config) as typeof config;
+    expect(result.env).toEqual({});
+  });
+
+  it('does not mutate the original config object', () => {
+    const config = { command: 'node', args: [], env: { SECRET: 'real' } };
+    maskMcpConfig(config);
+    expect((config as typeof config).env.SECRET).toBe('real');
+  });
+});
+
+// ─── maskMcpServer ────────────────────────────────────────────────────────────
+
+describe('maskMcpServer', () => {
+  it('returns a server with masked env values', () => {
+    const server = makeServer();
+    const result = maskMcpServer(server);
+    const cfg = result.config as { env: Record<string, string> };
+    expect(cfg.env.SECRET).toBe('********');
+    expect(cfg.env.API_KEY).toBe('********');
+  });
+
+  it('preserves all non-config fields on the server', () => {
+    const server = makeServer({ name: 'my-mcp', type: 'stdio', enabled: false });
+    const result = maskMcpServer(server);
+    expect(result.id).toBe('mcp-1');
+    expect(result.name).toBe('my-mcp');
+    expect(result.type).toBe('stdio');
+    expect(result.enabled).toBe(false);
+  });
+
+  it('does not mutate the original server object', () => {
+    const server = makeServer();
+    maskMcpServer(server);
+    const cfg = server.config as { env: Record<string, string> };
+    expect(cfg.env.SECRET).toBe('real-secret');
+  });
+});
+
+// ─── mergeMcpConfig ───────────────────────────────────────────────────────────
+
+describe('mergeMcpConfig', () => {
+  it('preserves existing secret when incoming value is "********"', () => {
+    const existing = { command: 'node', args: [], env: { SECRET: 'real-secret' } };
+    const incoming = { command: 'node', args: [], env: { SECRET: '********' } };
+    const result = mergeMcpConfig(existing, incoming) as typeof existing;
+    expect(result.env.SECRET).toBe('real-secret');
+  });
+
+  it('uses new value when incoming is not "********"', () => {
+    const existing = { command: 'node', args: [], env: { SECRET: 'old-secret' } };
+    const incoming = { command: 'node', args: [], env: { SECRET: 'new-secret' } };
+    const result = mergeMcpConfig(existing, incoming) as typeof existing;
+    expect(result.env.SECRET).toBe('new-secret');
+  });
+
+  it('handles mixed masked and real values in same PATCH', () => {
+    const existing = { command: 'node', args: [], env: { SECRET: 'real-secret', NEW_KEY: 'old-val' } };
+    const incoming = { command: 'node', args: [], env: { SECRET: '********', NEW_KEY: 'updated' } };
+    const result = mergeMcpConfig(existing, incoming) as typeof existing;
+    expect(result.env.SECRET).toBe('real-secret');
+    expect(result.env.NEW_KEY).toBe('updated');
+  });
+
+  it('removes a key deleted by the user (key absent from incoming)', () => {
+    const existing = { command: 'node', args: [], env: { SECRET: 'real', OLD_KEY: 'val' } };
+    const incoming = { command: 'node', args: [], env: { SECRET: '********' } };
+    const result = mergeMcpConfig(existing, incoming) as typeof existing;
+    expect('OLD_KEY' in result.env).toBe(false);
+  });
+
+  it('adds a new key introduced in the PATCH', () => {
+    const existing = { command: 'node', args: [], env: { SECRET: 'real' } };
+    const incoming = { command: 'node', args: [], env: { SECRET: '********', NEW_KEY: 'new-val' } };
+    const result = mergeMcpConfig(existing, incoming) as { command: string; args: string[]; env: Record<string, string> };
+    expect(result.env.SECRET).toBe('real');
+    expect(result.env.NEW_KEY).toBe('new-val');
+  });
+
+  it('preserves existing header secret for sse config', () => {
+    const existing = { url: 'https://api.example.com/sse', headers: { Authorization: 'Bearer real-token' } };
+    const incoming = { url: 'https://api.example.com/sse', headers: { Authorization: '********' } };
+    const result = mergeMcpConfig(existing, incoming) as typeof existing;
+    expect(result.headers.Authorization).toBe('Bearer real-token');
+  });
+
+  it('updates url even when headers are masked', () => {
+    const existing = { url: 'https://old.example.com/sse', headers: { Authorization: 'Bearer tok' } };
+    const incoming = { url: 'https://new.example.com/sse', headers: { Authorization: '********' } };
+    const result = mergeMcpConfig(existing, incoming) as typeof existing;
+    expect(result.url).toBe('https://new.example.com/sse');
+    expect(result.headers.Authorization).toBe('Bearer tok');
+  });
+
+  it('returns incoming unchanged when neither env nor headers exist', () => {
+    const existing = { command: 'node', args: ['s.js'] };
+    const incoming = { command: 'python', args: ['s.py'] };
+    const result = mergeMcpConfig(existing, incoming);
+    expect(result).toEqual(incoming);
+  });
+
+  it('does not mutate the existing config', () => {
+    const existing = { command: 'node', args: [], env: { SECRET: 'real' } };
+    const incoming = { command: 'node', args: [], env: { SECRET: 'new' } };
+    mergeMcpConfig(existing, incoming);
+    expect(existing.env.SECRET).toBe('real');
+  });
+});
+
+// ─── maskMcpConfig — envRefs and tsSource pass-through ───────────────────────
+
+describe('maskMcpConfig — envRefs and tsSource are not secrets', () => {
+  it('passes envRefs through unchanged when masking env values', () => {
+    const config = {
+      command: 'tsx',
+      args: ['server.ts'],
+      env: { EXTRA: 'val' },
+      envRefs: { DATABASE_URL: 'REDSHIFT_DATABASE_URL' },
+    };
+    const result = maskMcpConfig(config) as typeof config;
+    expect(result.envRefs).toEqual({ DATABASE_URL: 'REDSHIFT_DATABASE_URL' });
+    expect(result.env.EXTRA).toBe('********');
+  });
+
+  it('passes tsSource through unchanged when masking env values', () => {
+    const config = {
+      command: 'tsx',
+      args: ['server.ts'],
+      env: { SECRET: 'val' },
+      tsSource: 'import { Server } from "@modelcontextprotocol/sdk/server/index.js";',
+    };
+    const result = maskMcpConfig(config) as typeof config;
+    expect(result.tsSource).toBe(config.tsSource);
+    expect(result.env.SECRET).toBe('********');
+  });
+
+  it('passes envRefs and tsSource through even with no inline env', () => {
+    const config = {
+      command: 'tsx',
+      args: [],
+      envRefs: { DB: 'MY_DB_URL' },
+      tsSource: '// inline source',
+    };
+    const result = maskMcpConfig(config) as typeof config;
+    expect(result.envRefs).toEqual({ DB: 'MY_DB_URL' });
+    expect(result.tsSource).toBe('// inline source');
+  });
+});
+
+// ─── mergeMcpConfig — envRefs handling ────────────────────────────────────────
+
+describe('mergeMcpConfig — envRefs are config fields, not secrets', () => {
+  it('replaces envRefs with incoming value', () => {
+    const existing = { command: 'tsx', args: [], envRefs: { DB: 'OLD_KEY' } };
+    const incoming = { command: 'tsx', args: [], envRefs: { DB: 'NEW_KEY' } };
+    const result = mergeMcpConfig(existing, incoming) as typeof existing;
+    expect(result.envRefs).toEqual({ DB: 'NEW_KEY' });
+  });
+
+  it('removes envRefs when incoming omits them', () => {
+    const existing = { command: 'tsx', args: [], envRefs: { DB: 'SOME_KEY' } };
+    const incoming = { command: 'tsx', args: [] };
+    const result = mergeMcpConfig(existing, incoming) as unknown as Record<string, unknown>;
+    expect(result.envRefs).toBeUndefined();
+  });
+});
+
+// ─── mergeMcpConfig — header branch gaps (lines 81-84) ───────────────────────
+
+describe('mergeMcpConfig — header key deletion and new key for sse/http', () => {
+  it('removes a header key deleted by the user', () => {
+    const existing = { url: 'https://api.example.com/sse', headers: { Authorization: 'Bearer tok', 'X-Old': 'val' } };
+    const incoming = { url: 'https://api.example.com/sse', headers: { Authorization: '********' } };
+    const result = mergeMcpConfig(existing, incoming) as typeof existing;
+    expect('X-Old' in result.headers).toBe(false);
+    expect(result.headers.Authorization).toBe('Bearer tok');
+  });
+
+  it('adds a new header key introduced in the PATCH', () => {
+    const existing = { url: 'https://api.example.com/sse', headers: { Authorization: 'Bearer tok' } };
+    const incoming = { url: 'https://api.example.com/sse', headers: { Authorization: '********', 'X-New': 'newval' } };
+    const result = mergeMcpConfig(existing, incoming) as typeof existing;
+    expect(result.headers.Authorization).toBe('Bearer tok');
+    expect((result.headers as Record<string, string>)['X-New']).toBe('newval');
+  });
+
+  it('uses new real header value when not masked', () => {
+    const existing = { url: 'https://api.example.com/sse', headers: { Authorization: 'Bearer old' } };
+    const incoming = { url: 'https://api.example.com/sse', headers: { Authorization: 'Bearer new' } };
+    const result = mergeMcpConfig(existing, incoming) as typeof existing;
+    expect(result.headers.Authorization).toBe('Bearer new');
+  });
+});