slackhive 0.1.40 → 0.1.42

package/apps/web/src/lib/__tests__/auth.test.ts

@@ -1,262 +0,0 @@
-/**
- * @fileoverview Unit tests for auth.ts — signSession, verifySession,
- * getSessionFromRequest, requireRole, and authenticateUser.
- *
- * No database connection required for session/cookie tests.
- * authenticateUser DB path is tested via vi.mock.
- *
- * @module web/lib/__tests__/auth.test
- */
-
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-import * as crypto from 'crypto';
-
-// Mock DB dependency before importing auth
-vi.mock('@/lib/db', () => ({
-  getUserByUsername: vi.fn(),
-}));
-
-import {
-  signSession,
-  verifySession,
-  getSessionFromRequest,
-  requireRole,
-  authenticateUser,
-  COOKIE_NAME,
-} from '@/lib/auth';
-import { getUserByUsername } from '@/lib/db';
-import type { SessionPayload } from '@/lib/auth';
-
-// ─── Helpers ─────────────────────────────────────────────────────────────────
-
-function makeRequest(cookie?: string): Request {
-  return new Request('http://localhost/api/test', {
-    headers: cookie ? { cookie } : {},
-  });
-}
-
-function makeSignedCookie(payload: SessionPayload, secret = 'change-this-secret-in-production'): string {
-  const data = Buffer.from(JSON.stringify(payload)).toString('base64url');
-  const sig = crypto.createHmac('sha256', secret).update(data).digest('base64url');
-  return `${data}.${sig}`;
-}
-
-// ─── signSession / verifySession ──────────────────────────────────────────────
-
-describe('signSession + verifySession', () => {
-  it('round-trips a valid session payload', () => {
-    const payload: SessionPayload = { username: 'alice', role: 'editor' };
-    const cookie = signSession(payload);
-    const result = verifySession(cookie);
-    expect(result).toEqual(payload);
-  });
-
-  it('round-trips all role types', () => {
-    const roles: SessionPayload['role'][] = ['superadmin', 'admin', 'editor', 'viewer'];
-    for (const role of roles) {
-      const payload: SessionPayload = { username: 'user', role };
-      expect(verifySession(signSession(payload))).toEqual(payload);
-    }
-  });
-
-  it('returns null for a tampered signature', () => {
-    const payload: SessionPayload = { username: 'alice', role: 'admin' };
-    const cookie = signSession(payload);
-    const [data] = cookie.split('.');
-    const tampered = `${data}.invalidsignature`;
-    expect(verifySession(tampered)).toBeNull();
-  });
-
-  it('returns null for a tampered payload (data changed, sig unchanged)', () => {
-    const payload: SessionPayload = { username: 'alice', role: 'editor' };
-    const cookie = signSession(payload);
-    const [, sig] = cookie.split('.');
-    const evilPayload = Buffer.from(JSON.stringify({ username: 'alice', role: 'superadmin' })).toString('base64url');
-    const tampered = `${evilPayload}.${sig}`;
-    expect(verifySession(tampered)).toBeNull();
-  });
-
-  it('returns null when cookie has no dot separator', () => {
-    expect(verifySession('nodothere')).toBeNull();
-  });
-
-  it('returns null when cookie has more than one dot', () => {
-    expect(verifySession('part1.part2.part3')).toBeNull();
-  });
-
-  it('returns null for an empty string', () => {
-    expect(verifySession('')).toBeNull();
-  });
-
-  it('returns null when payload is valid base64 but not JSON', () => {
-    const notJson = Buffer.from('not-json').toString('base64url');
-    const sig = crypto
-      .createHmac('sha256', 'change-this-secret-in-production')
-      .update(notJson)
-      .digest('base64url');
-    expect(verifySession(`${notJson}.${sig}`)).toBeNull();
-  });
-
-  it('returns null when signed with a different secret', () => {
-    const cookie = makeSignedCookie({ username: 'alice', role: 'admin' }, 'other-secret');
-    expect(verifySession(cookie)).toBeNull();
-  });
-
-  it('produces different cookies for different payloads', () => {
-    const a = signSession({ username: 'alice', role: 'admin' });
-    const b = signSession({ username: 'alice', role: 'editor' });
-    expect(a).not.toBe(b);
-  });
-});
-
-// ─── getSessionFromRequest ────────────────────────────────────────────────────
-
-describe('getSessionFromRequest', () => {
-  it('extracts and verifies a valid session from the cookie header', () => {
-    const payload: SessionPayload = { username: 'bob', role: 'viewer' };
-    const value = signSession(payload);
-    const req = makeRequest(`${COOKIE_NAME}=${value}`);
-    expect(getSessionFromRequest(req)).toEqual(payload);
-  });
-
-  it('returns null when no cookie header is present', () => {
-    const req = makeRequest();
-    expect(getSessionFromRequest(req)).toBeNull();
-  });
-
-  it('returns null when cookie header has no auth_session key', () => {
-    const req = makeRequest('other_cookie=abc123');
-    expect(getSessionFromRequest(req)).toBeNull();
-  });
-
-  it('returns null when the session cookie is tampered', () => {
-    const req = makeRequest(`${COOKIE_NAME}=invalid.garbage`);
-    expect(getSessionFromRequest(req)).toBeNull();
-  });
-
-  it('extracts session when auth_session is among multiple cookies', () => {
-    const payload: SessionPayload = { username: 'charlie', role: 'admin' };
-    const value = signSession(payload);
-    const req = makeRequest(`other=val; ${COOKIE_NAME}=${value}; another=foo`);
-    expect(getSessionFromRequest(req)).toEqual(payload);
-  });
-
-  it('handles URL-encoded cookie values', () => {
-    const payload: SessionPayload = { username: 'dave', role: 'editor' };
-    const value = encodeURIComponent(signSession(payload));
-    const req = makeRequest(`${COOKIE_NAME}=${value}`);
-    expect(getSessionFromRequest(req)).toEqual(payload);
-  });
-});
-
-// ─── requireRole ─────────────────────────────────────────────────────────────
-
-describe('requireRole', () => {
-  it('returns session when role meets minimum (viewer requires viewer)', () => {
-    const payload: SessionPayload = { username: 'alice', role: 'viewer' };
-    const req = makeRequest(`${COOKIE_NAME}=${signSession(payload)}`);
-    expect(requireRole(req, 'viewer')).toEqual(payload);
-  });
-
-  it('returns session when role exceeds minimum (admin requires editor)', () => {
-    const payload: SessionPayload = { username: 'alice', role: 'admin' };
-    const req = makeRequest(`${COOKIE_NAME}=${signSession(payload)}`);
-    expect(requireRole(req, 'editor')).toEqual(payload);
-  });
-
-  it('superadmin passes any role requirement', () => {
-    const payload: SessionPayload = { username: 'root', role: 'superadmin' };
-    const req = makeRequest(`${COOKIE_NAME}=${signSession(payload)}`);
-    expect(requireRole(req, 'admin')).toEqual(payload);
-  });
-
-  it('throws when role is below minimum (viewer requires editor)', () => {
-    const payload: SessionPayload = { username: 'alice', role: 'viewer' };
-    const req = makeRequest(`${COOKIE_NAME}=${signSession(payload)}`);
-    expect(() => requireRole(req, 'editor')).toThrow('Insufficient permissions');
-  });
-
-  it('throws when not authenticated (no cookie)', () => {
-    const req = makeRequest();
-    expect(() => requireRole(req, 'viewer')).toThrow('Not authenticated');
-  });
-
-  it('editor cannot meet admin requirement', () => {
-    const payload: SessionPayload = { username: 'alice', role: 'editor' };
-    const req = makeRequest(`${COOKIE_NAME}=${signSession(payload)}`);
-    expect(() => requireRole(req, 'admin')).toThrow('Insufficient permissions');
-  });
-});
-
-// ─── authenticateUser ─────────────────────────────────────────────────────────
-
-describe('authenticateUser', () => {
-  beforeEach(() => vi.clearAllMocks());
-
-  it('returns superadmin session for env-var credentials', async () => {
-    const result = await authenticateUser('admin', 'changeme');
-    expect(result).toEqual({ username: 'admin', role: 'superadmin' });
-  });
-
-  it('returns null for wrong superadmin password', async () => {
-    const result = await authenticateUser('admin', 'wrongpass');
-    expect(result).toBeNull();
-  });
-
-  it('returns null when DB user does not exist', async () => {
-    vi.mocked(getUserByUsername).mockResolvedValue(null);
-    const result = await authenticateUser('unknown', 'pass');
-    expect(result).toBeNull();
-  });
-
-  it('returns null when DB user password does not match', async () => {
-    vi.mocked(getUserByUsername).mockResolvedValue({
-      id: 'u1', username: 'bob', role: 'editor',
-      passwordHash: '$2b$10$invalidhashthatisnevervalid123456789012',
-      createdAt: new Date().toISOString(),
-    });
-    const result = await authenticateUser('bob', 'wrongpass');
-    expect(result).toBeNull();
-  });
-
-  it('does not hit DB for superadmin credentials', async () => {
-    await authenticateUser('admin', 'changeme');
-    expect(getUserByUsername).not.toHaveBeenCalled();
-  });
-});
-
-// ─── hashPassword ─────────────────────────────────────────────────────────────
-
-describe('hashPassword', () => {
-  it('returns a bcrypt hash string', async () => {
-    const { hashPassword } = await import('@/lib/auth');
-    const hash = await hashPassword('mysecret');
-    expect(hash).toMatch(/^\$2[ab]\$10\$/);
-  });
-
-  it('produces a different hash each call (salt)', async () => {
-    const { hashPassword } = await import('@/lib/auth');
-    const h1 = await hashPassword('same');
-    const h2 = await hashPassword('same');
-    expect(h1).not.toBe(h2);
-  });
-
-  it('produces a hash that bcrypt can verify', async () => {
-    const { hashPassword } = await import('@/lib/auth');
-    const bcrypt = (await import('bcryptjs')).default;
-    const hash = await hashPassword('testpass');
-    expect(await bcrypt.compare('testpass', hash)).toBe(true);
-  });
-});
-
-// ─── Production secret guard ────────────────────────────────────────────────
-
-describe('production secret guard', () => {
-  it('does not throw in test/dev environment', () => {
-    // The module already loaded successfully via the top-level import.
-    // If the guard fired incorrectly, this entire test file would have
-    // failed to import. Verify the module exported the expected function.
-    expect(signSession).toBeDefined();
-    expect(typeof signSession).toBe('function');
-  });
-});

package/apps/web/src/lib/__tests__/boss-registry.test.ts

@@ -1,323 +0,0 @@
-/**
- * @fileoverview Unit tests for boss-registry.ts — regenerateBossRegistry.
- *
- * Tests cover the registry content generation logic: team listing, delegation
- * instructions, Slack mention format, multi-boss routing, and edge cases like
- * agents with no Slack user ID or no team members.
- *
- * All DB calls are mocked via vi.mock — no database connection required.
- *
- * @module web/lib/__tests__/boss-registry.test
- */
-
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-import type { Agent } from '@slackhive/shared';
-
-// Mock DB dependencies before importing the module under test
-vi.mock('@/lib/db', () => ({
-  getAllAgents: vi.fn(),
-  updateAgentClaudeMd: vi.fn().mockResolvedValue(undefined),
-  publishAgentEvent: vi.fn().mockResolvedValue(undefined),
-}));
-
-import { regenerateBossRegistry } from '@/lib/boss-registry';
-import { getAllAgents, updateAgentClaudeMd, publishAgentEvent } from '@/lib/db';
-
-// ─── Helpers ─────────────────────────────────────────────────────────────────
-
-function makeAgent(overrides: Partial<Agent>): Agent {
-  return {
-    id: 'agent-1',
-    slug: 'agent',
-    name: 'Agent',
-    persona: undefined,
-    description: undefined,
-    slackBotToken: 'xoxb-fake',
-    slackAppToken: 'xapp-fake',
-    slackSigningSecret: 'secret',
-    slackBotUserId: undefined,
-    model: 'claude-opus-4-5',
-    status: 'stopped',
-    enabled: true,
-    isBoss: false,
-    reportsTo: [],
-    claudeMd: '',
-    createdBy: 'system',
-    createdAt: new Date(),
-    updatedAt: new Date(),
-    ...overrides,
-  };
-}
-
-// ─── Tests ────────────────────────────────────────────────────────────────────
-
-describe('regenerateBossRegistry', () => {
-  beforeEach(() => {
-    vi.clearAllMocks();
-  });
-
-  it('does nothing when there are no boss agents', async () => {
-    vi.mocked(getAllAgents).mockResolvedValue([
-      makeAgent({ id: 'a1', isBoss: false }),
-    ]);
-
-    await regenerateBossRegistry();
-
-    expect(updateAgentClaudeMd).not.toHaveBeenCalled();
-    expect(publishAgentEvent).not.toHaveBeenCalled();
-  });
-
-  it('does nothing when boss has no team members with slackBotUserId', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
-    const specialist = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: undefined });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
-
-    await regenerateBossRegistry();
-
-    expect(updateAgentClaudeMd).not.toHaveBeenCalled();
-  });
-
-  it('generates registry with correct agent mention and description', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
-    const specialist = makeAgent({
-      id: 'spec-1', name: 'DataBot', isBoss: false,
-      reportsTo: ['boss-1'], slackBotUserId: 'U123ABC',
-      description: 'Runs Redshift queries',
-    });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
-
-    await regenerateBossRegistry();
-
-    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
-    expect(content).toContain('**DataBot** (<@U123ABC>) — Runs Redshift queries');
-  });
-
-  it('uses slug-based fallback mention when slackBotUserId is missing', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
-    // specialist has no slackBotUserId — registry should fall back to @slug
-    const specialist = makeAgent({
-      id: 'spec-1', name: 'DataBot', slug: 'data-bot', isBoss: false,
-      reportsTo: ['boss-1'], slackBotUserId: undefined,
-      description: 'Runs Redshift queries',
-    });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
-
-    // regenerateSingleBossRegistry skips agents with no slackBotUserId
-    // so updateAgentClaudeMd should NOT be called
-    await regenerateBossRegistry();
-    expect(updateAgentClaudeMd).not.toHaveBeenCalled();
-  });
-
-  it('uses default description when agent description is undefined', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
-    const specialist = makeAgent({
-      id: 'spec-1', name: 'Writer', isBoss: false,
-      reportsTo: ['boss-1'], slackBotUserId: 'U999',
-      description: undefined,
-    });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
-
-    await regenerateBossRegistry();
-
-    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
-    expect(content).toContain('No description provided.');
-  });
-
-  it('includes boss name in the registry heading', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'HQ Boss' });
-    const specialist = makeAgent({
-      id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'U1',
-    });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
-
-    await regenerateBossRegistry();
-
-    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
-    expect(content).toContain('# HQ Boss — Team Orchestrator');
-  });
-
-  it('includes delegation instructions in the registry', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
-    const specialist = makeAgent({
-      id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'U1',
-    });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
-
-    await regenerateBossRegistry();
-
-    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
-    expect(content).toContain('ALWAYS delegate');
-    expect(content).toContain('## Your Team');
-    expect(content).toContain('## How to delegate');
-  });
-
-  it('publishes a reload event after updating the registry', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
-    const specialist = makeAgent({
-      id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'U1',
-    });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
-
-    await regenerateBossRegistry();
-
-    expect(publishAgentEvent).toHaveBeenCalledWith({ type: 'reload', agentId: 'boss-1' });
-  });
-
-  it('handles multiple bosses independently', async () => {
-    const boss1 = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss One' });
-    const boss2 = makeAgent({ id: 'boss-2', isBoss: true, name: 'Boss Two' });
-    const spec1 = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'U1', name: 'Alpha' });
-    const spec2 = makeAgent({ id: 'spec-2', isBoss: false, reportsTo: ['boss-2'], slackBotUserId: 'U2', name: 'Beta' });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss1, boss2, spec1, spec2]);
-
-    await regenerateBossRegistry();
-
-    expect(updateAgentClaudeMd).toHaveBeenCalledTimes(2);
-
-    const [call1, call2] = vi.mocked(updateAgentClaudeMd).mock.calls;
-    const contents = [call1[1], call2[1]];
-
-    expect(contents.some(c => c.includes('Boss One') && c.includes('Alpha'))).toBe(true);
-    expect(contents.some(c => c.includes('Boss Two') && c.includes('Beta'))).toBe(true);
-  });
-
-  it('does not include agents from other boss teams in a boss registry', async () => {
-    const boss1 = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss One' });
-    const boss2 = makeAgent({ id: 'boss-2', isBoss: true, name: 'Boss Two' });
-    const spec1 = makeAgent({ id: 'spec-1', name: 'Alpha', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'U1' });
-    const spec2 = makeAgent({ id: 'spec-2', name: 'Beta', isBoss: false, reportsTo: ['boss-2'], slackBotUserId: 'U2' });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss1, boss2, spec1, spec2]);
-
-    await regenerateBossRegistry();
-
-    const [call1, call2] = vi.mocked(updateAgentClaudeMd).mock.calls;
-    const contents = [call1[1], call2[1]];
-    const boss1Content = contents.find(c => c.includes('Boss One'))!;
-    const boss2Content = contents.find(c => c.includes('Boss Two'))!;
-
-    expect(boss1Content).not.toContain('Beta');
-    expect(boss2Content).not.toContain('Alpha');
-  });
-
-  it('uses fallback description when agent description is empty string', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
-    const specialist = makeAgent({
-      id: 'spec-1', isBoss: false, reportsTo: ['boss-1'],
-      slackBotUserId: 'U1', description: '',
-    });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, specialist]);
-
-    await regenerateBossRegistry();
-
-    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
-    expect(content).toContain('No description provided.');
-  });
-
-  it('skips a boss agent that appears in another boss team (boss is also a specialist)', async () => {
-    const boss1 = makeAgent({ id: 'boss-1', isBoss: true, name: 'Top Boss' });
-    // boss2 reports to boss1 but is also a boss itself
-    const boss2 = makeAgent({ id: 'boss-2', isBoss: true, name: 'Mid Boss', reportsTo: ['boss-1'], slackBotUserId: 'U2' });
-    const spec = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-2'], slackBotUserId: 'U3', name: 'Worker' });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss1, boss2, spec]);
-
-    await regenerateBossRegistry();
-
-    // boss1's registry should include boss2 (it reports to boss1)
-    const boss1Call = vi.mocked(updateAgentClaudeMd).mock.calls.find(c => c[0] === 'boss-1');
-    expect(boss1Call).toBeDefined();
-    expect(boss1Call![1]).toContain('Mid Boss');
-  });
-
-  it('does not call updateAgentClaudeMd when getAllAgents throws', async () => {
-    vi.mocked(getAllAgents).mockRejectedValue(new Error('DB connection failed'));
-
-    await expect(regenerateBossRegistry()).rejects.toThrow('DB connection failed');
-    expect(updateAgentClaudeMd).not.toHaveBeenCalled();
-  });
-
-  it('handles an agent reporting to multiple bosses', async () => {
-    const boss1 = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss One' });
-    const boss2 = makeAgent({ id: 'boss-2', isBoss: true, name: 'Boss Two' });
-    const shared = makeAgent({
-      id: 'spec-1', name: 'SharedBot', isBoss: false,
-      reportsTo: ['boss-1', 'boss-2'], slackBotUserId: 'U1',
-    });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss1, boss2, shared]);
-
-    await regenerateBossRegistry();
-
-    expect(updateAgentClaudeMd).toHaveBeenCalledTimes(2);
-    const contents = vi.mocked(updateAgentClaudeMd).mock.calls.map(c => c[1]);
-    expect(contents[0]).toContain('SharedBot');
-    expect(contents[1]).toContain('SharedBot');
-  });
-
-  it('includes boss self-mention in delegation instructions when boss has slackBotUserId', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss', slackBotUserId: 'UBOSS' });
-    const spec = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'USPEC' });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, spec]);
-    await regenerateBossRegistry();
-
-    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
-    expect(content).toContain('<@UBOSS>');
-  });
-
-  it('falls back to @slug in delegation instructions when boss has no slackBotUserId', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss', slug: 'my-boss', slackBotUserId: undefined });
-    const spec = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'USPEC' });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, spec]);
-    await regenerateBossRegistry();
-
-    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
-    expect(content).toContain('@my-boss');
-  });
-
-  it('includes post-delegation confirmation instructions', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss', slackBotUserId: 'UBOSS' });
-    const spec = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'USPEC' });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, spec]);
-    await regenerateBossRegistry();
-
-    const content = vi.mocked(updateAgentClaudeMd).mock.calls[0][1];
-    expect(content).toContain('After a specialist responds');
-    expect(content).toContain("When you're done, please tag");
-  });
-});
-
-// ─── slug fallback branch (line 48) ──────────────────────────────────────────
-// The branch `a.slackBotUserId ? <@id> : @slug` is only reachable if the
-// filter on line 44 is bypassed. Since the filter removes agents without
-// slackBotUserId, the ternary's false branch (slug fallback) is dead code.
-// We document this explicitly rather than testing unreachable code.
-describe('mention format branch coverage note', () => {
-  beforeEach(() => vi.clearAllMocks());
-
-  it('always uses <@userId> format because filter removes agents without slackBotUserId', async () => {
-    const boss = makeAgent({ id: 'boss-1', isBoss: true, name: 'Boss' });
-    const spec = makeAgent({ id: 'spec-1', isBoss: false, reportsTo: ['boss-1'], slackBotUserId: 'UABC', slug: 'my-bot' });
-
-    vi.mocked(getAllAgents).mockResolvedValue([boss, spec]);
-    await regenerateBossRegistry();
-
-    const calls = vi.mocked(updateAgentClaudeMd).mock.calls;
-    expect(calls.length).toBe(1);
-    const registryContent = calls[0][1];
-    expect(registryContent).toContain('<@UABC>');
-    expect(registryContent).not.toContain('@my-bot');
-  });
-});