npm - upfynai-code - Versions diffs - 2.9.0 → 2.9.2 - Mend

upfynai-code 2.9.0 → 2.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (229) hide show

package/README.md +91 -66
package/client/dist/api-docs.html +838 -0
package/client/dist/assets/AppContent-BXZDeSIC.js +545 -0
package/client/dist/assets/CanvasFullScreen-mnpCnLZ9.js +1 -0
package/client/dist/assets/CanvasWorkspace-4CqmjAVQ.js +163 -0
package/client/dist/assets/DashboardPanel-zFIFlw56.js +1 -0
package/client/dist/assets/FileTree-B0c_GaB3.js +1 -0
package/client/dist/assets/GitPanel-DUP4zVU4.js +2 -0
package/client/dist/assets/KaTeX_AMS-Regular-BQhdFMY1.woff2 +0 -0
package/client/dist/assets/KaTeX_AMS-Regular-DMm9YOAa.woff +0 -0
package/client/dist/assets/KaTeX_AMS-Regular-DRggAlZN.ttf +0 -0
package/client/dist/assets/KaTeX_Caligraphic-Bold-ATXxdsX0.ttf +0 -0
package/client/dist/assets/KaTeX_Caligraphic-Bold-BEiXGLvX.woff +0 -0
package/client/dist/assets/KaTeX_Caligraphic-Bold-Dq_IR9rO.woff2 +0 -0
package/client/dist/assets/KaTeX_Caligraphic-Regular-CTRA-rTL.woff +0 -0
package/client/dist/assets/KaTeX_Caligraphic-Regular-Di6jR-x-.woff2 +0 -0
package/client/dist/assets/KaTeX_Caligraphic-Regular-wX97UBjC.ttf +0 -0
package/client/dist/assets/KaTeX_Fraktur-Bold-BdnERNNW.ttf +0 -0
package/client/dist/assets/KaTeX_Fraktur-Bold-BsDP51OF.woff +0 -0
package/client/dist/assets/KaTeX_Fraktur-Bold-CL6g_b3V.woff2 +0 -0
package/client/dist/assets/KaTeX_Fraktur-Regular-CB_wures.ttf +0 -0
package/client/dist/assets/KaTeX_Fraktur-Regular-CTYiF6lA.woff2 +0 -0
package/client/dist/assets/KaTeX_Fraktur-Regular-Dxdc4cR9.woff +0 -0
package/client/dist/assets/KaTeX_Main-Bold-Cx986IdX.woff2 +0 -0
package/client/dist/assets/KaTeX_Main-Bold-Jm3AIy58.woff +0 -0
package/client/dist/assets/KaTeX_Main-Bold-waoOVXN0.ttf +0 -0
package/client/dist/assets/KaTeX_Main-BoldItalic-DxDJ3AOS.woff2 +0 -0
package/client/dist/assets/KaTeX_Main-BoldItalic-DzxPMmG6.ttf +0 -0
package/client/dist/assets/KaTeX_Main-BoldItalic-SpSLRI95.woff +0 -0
package/client/dist/assets/KaTeX_Main-Italic-3WenGoN9.ttf +0 -0
package/client/dist/assets/KaTeX_Main-Italic-BMLOBm91.woff +0 -0
package/client/dist/assets/KaTeX_Main-Italic-NWA7e6Wa.woff2 +0 -0
package/client/dist/assets/KaTeX_Main-Regular-B22Nviop.woff2 +0 -0
package/client/dist/assets/KaTeX_Main-Regular-Dr94JaBh.woff +0 -0
package/client/dist/assets/KaTeX_Main-Regular-ypZvNtVU.ttf +0 -0
package/client/dist/assets/KaTeX_Math-BoldItalic-B3XSjfu4.ttf +0 -0
package/client/dist/assets/KaTeX_Math-BoldItalic-CZnvNsCZ.woff2 +0 -0
package/client/dist/assets/KaTeX_Math-BoldItalic-iY-2wyZ7.woff +0 -0
package/client/dist/assets/KaTeX_Math-Italic-DA0__PXp.woff +0 -0
package/client/dist/assets/KaTeX_Math-Italic-flOr_0UB.ttf +0 -0
package/client/dist/assets/KaTeX_Math-Italic-t53AETM-.woff2 +0 -0
package/client/dist/assets/KaTeX_SansSerif-Bold-CFMepnvq.ttf +0 -0
package/client/dist/assets/KaTeX_SansSerif-Bold-D1sUS0GD.woff2 +0 -0
package/client/dist/assets/KaTeX_SansSerif-Bold-DbIhKOiC.woff +0 -0
package/client/dist/assets/KaTeX_SansSerif-Italic-C3H0VqGB.woff2 +0 -0
package/client/dist/assets/KaTeX_SansSerif-Italic-DN2j7dab.woff +0 -0
package/client/dist/assets/KaTeX_SansSerif-Italic-YYjJ1zSn.ttf +0 -0
package/client/dist/assets/KaTeX_SansSerif-Regular-BNo7hRIc.ttf +0 -0
package/client/dist/assets/KaTeX_SansSerif-Regular-CS6fqUqJ.woff +0 -0
package/client/dist/assets/KaTeX_SansSerif-Regular-DDBCnlJ7.woff2 +0 -0
package/client/dist/assets/KaTeX_Script-Regular-C5JkGWo-.ttf +0 -0
package/client/dist/assets/KaTeX_Script-Regular-D3wIWfF6.woff2 +0 -0
package/client/dist/assets/KaTeX_Script-Regular-D5yQViql.woff +0 -0
package/client/dist/assets/KaTeX_Size1-Regular-C195tn64.woff +0 -0
package/client/dist/assets/KaTeX_Size1-Regular-Dbsnue_I.ttf +0 -0
package/client/dist/assets/KaTeX_Size1-Regular-mCD8mA8B.woff2 +0 -0
package/client/dist/assets/KaTeX_Size2-Regular-B7gKUWhC.ttf +0 -0
package/client/dist/assets/KaTeX_Size2-Regular-Dy4dx90m.woff2 +0 -0
package/client/dist/assets/KaTeX_Size2-Regular-oD1tc_U0.woff +0 -0
package/client/dist/assets/KaTeX_Size3-Regular-CTq5MqoE.woff +0 -0
package/client/dist/assets/KaTeX_Size3-Regular-DgpXs0kz.ttf +0 -0
package/client/dist/assets/KaTeX_Size4-Regular-BF-4gkZK.woff +0 -0
package/client/dist/assets/KaTeX_Size4-Regular-DWFBv043.ttf +0 -0
package/client/dist/assets/KaTeX_Size4-Regular-Dl5lxZxV.woff2 +0 -0
package/client/dist/assets/KaTeX_Typewriter-Regular-C0xS9mPB.woff +0 -0
package/client/dist/assets/KaTeX_Typewriter-Regular-CO6r4hn1.woff2 +0 -0
package/client/dist/assets/KaTeX_Typewriter-Regular-D3Ib7_Hf.ttf +0 -0
package/client/dist/assets/LoginModal-BRycfsyD.js +13 -0
package/client/dist/assets/MarkdownPreview-DHmk3qzu.js +1 -0
package/client/dist/assets/MermaidBlock-BuBc_G-F.js +2 -0
package/client/dist/assets/Onboarding-BcnaZZ0o.js +1 -0
package/client/dist/assets/PreviewPanel-CqCa92Tf.js +32 -0
package/client/dist/assets/SetupForm-S0g6u5yT.js +1 -0
package/client/dist/assets/WorkflowsPanel-CouH9JDO.js +1 -0
package/client/dist/assets/index-BFuqS0tY.css +1 -0
package/client/dist/assets/index-CNDcVl2g.js +68 -0
package/client/dist/assets/pdf-CE_K4jFx.js +12 -0
package/client/dist/assets/vendor-canvas-BZV40eAE.css +1 -0
package/client/dist/assets/vendor-canvas-D39yWul6.js +49 -0
package/client/dist/assets/vendor-codemirror-CbtmxxaB.js +35 -0
package/client/dist/assets/vendor-diff-DNQpbhrT.js +69 -0
package/client/dist/assets/vendor-i18n-DCFGyhQR.js +1 -0
package/client/dist/assets/vendor-icons-BaD0x9SL.js +711 -0
package/client/dist/assets/vendor-markdown-CimbIo6Y.js +296 -0
package/client/dist/assets/vendor-mermaid-CH7SGc99.js +2556 -0
package/client/dist/assets/vendor-react-96lCPsRK.js +67 -0
package/client/dist/assets/vendor-syntax-DuHI9Ok6.js +16 -0
package/client/dist/assets/vendor-xterm-CZq1hqo1.js +66 -0
package/client/dist/assets/vendor-xterm-qxJ8_QYu.css +32 -0
package/client/dist/clear-cache.html +85 -0
package/client/dist/convert-icons.md +53 -0
package/client/dist/favicon.png +0 -0
package/client/dist/favicon.svg +5 -0
package/client/dist/generate-icons.js +49 -0
package/client/dist/icons/claude-ai-icon.svg +1 -0
package/client/dist/icons/codex-white.svg +3 -0
package/client/dist/icons/codex.svg +3 -0
package/client/dist/icons/cursor-white.svg +12 -0
package/client/dist/icons/cursor.svg +1 -0
package/client/dist/icons/icon-128x128.png +0 -0
package/client/dist/icons/icon-128x128.svg +5 -0
package/client/dist/icons/icon-144x144.png +0 -0
package/client/dist/icons/icon-144x144.svg +5 -0
package/client/dist/icons/icon-152x152.png +0 -0
package/client/dist/icons/icon-152x152.svg +5 -0
package/client/dist/icons/icon-192x192.png +0 -0
package/client/dist/icons/icon-192x192.svg +5 -0
package/client/dist/icons/icon-384x384.png +0 -0
package/client/dist/icons/icon-384x384.svg +5 -0
package/client/dist/icons/icon-512x512.png +0 -0
package/client/dist/icons/icon-512x512.svg +5 -0
package/client/dist/icons/icon-72x72.png +0 -0
package/client/dist/icons/icon-72x72.svg +5 -0
package/client/dist/icons/icon-96x96.png +0 -0
package/client/dist/icons/icon-96x96.svg +5 -0
package/client/dist/icons/icon-template.svg +5 -0
package/client/dist/index.html +119 -0
package/client/dist/logo-128.png +0 -0
package/client/dist/logo-256.png +0 -0
package/client/dist/logo-32.png +0 -0
package/client/dist/logo-512.png +0 -0
package/client/dist/logo-64.png +0 -0
package/client/dist/logo.svg +14 -0
package/client/dist/manifest.json +61 -0
package/client/dist/mcp-docs.html +108 -0
package/client/dist/offline.html +84 -0
package/client/dist/screenshots/cli-selection.png +0 -0
package/client/dist/screenshots/desktop-main.png +0 -0
package/client/dist/screenshots/mobile-chat.png +0 -0
package/client/dist/screenshots/tools-modal.png +0 -0
package/client/dist/sw.js +82 -0
package/commands/upfynai-connect.md +59 -0
package/commands/upfynai-disconnect.md +31 -0
package/commands/upfynai-doctor.md +99 -0
package/commands/upfynai-export.md +49 -0
package/commands/upfynai-local.md +82 -0
package/commands/upfynai-status.md +75 -0
package/commands/upfynai-stop.md +49 -0
package/commands/upfynai-uninstall.md +58 -0
package/commands/upfynai.md +69 -0
package/package.json +143 -82
package/scripts/build-client.js +17 -0
package/scripts/fix-node-pty.js +67 -0
package/scripts/install-commands.js +78 -0
package/server/agent-loop.js +242 -0
package/server/auto-compact.js +99 -0
package/server/claude-sdk.js +797 -0
package/server/cli-ui.js +785 -0
package/server/cli.js +596 -0
package/server/constants/config.js +31 -0
package/server/cursor-cli.js +270 -0
package/server/database/auth.db +0 -0
package/server/database/db.js +1391 -0
package/server/database/init.sql +70 -0
package/server/index.js +3799 -0
package/server/load-env.js +26 -0
package/server/mcp-server.js +621 -0
package/server/middleware/auth.js +176 -0
package/server/middleware/relayHelpers.js +44 -0
package/server/middleware/sandboxRouter.js +174 -0
package/server/openai-codex.js +403 -0
package/server/openrouter.js +137 -0
package/server/projects.js +1807 -0
package/server/provider-factory.js +174 -0
package/server/relay-client.js +379 -0
package/server/routes/agent.js +1226 -0
package/server/routes/auth.js +554 -0
package/server/routes/canvas.js +53 -0
package/server/routes/cli-auth.js +263 -0
package/server/routes/codex.js +396 -0
package/server/routes/commands.js +707 -0
package/server/routes/composio.js +176 -0
package/server/routes/cursor.js +770 -0
package/server/routes/dashboard.js +295 -0
package/server/routes/git.js +1208 -0
package/server/routes/keys.js +34 -0
package/server/routes/mcp-utils.js +48 -0
package/server/routes/mcp.js +661 -0
package/server/routes/payments.js +227 -0
package/server/routes/projects.js +655 -0
package/server/routes/sessions.js +146 -0
package/server/routes/settings.js +261 -0
package/server/routes/taskmaster.js +1928 -0
package/server/routes/user.js +106 -0
package/server/routes/vapi-chat.js +624 -0
package/server/routes/voice.js +235 -0
package/server/routes/webhooks.js +166 -0
package/server/routes/workflows.js +312 -0
package/server/sandbox.js +120 -0
package/server/services/composio.js +204 -0
package/server/services/sessionRegistry.js +139 -0
package/server/services/whisperService.js +84 -0
package/server/services/workflowScheduler.js +206 -0
package/server/tests/relay-flow.test.js +570 -0
package/server/tests/sessions.test.js +259 -0
package/server/utils/commandParser.js +303 -0
package/server/utils/email.js +61 -0
package/server/utils/gitConfig.js +24 -0
package/server/utils/mcp-detector.js +198 -0
package/server/utils/taskmaster-websocket.js +129 -0
package/shared/integrationCatalog.d.ts +12 -0
package/shared/integrationCatalog.js +172 -0
package/shared/modelConstants.js +96 -0
package/bin/cli.js +0 -97
package/dist/agents/claude.js +0 -229
package/dist/agents/codex.js +0 -48
package/dist/agents/cursor.js +0 -48
package/dist/agents/detect.js +0 -51
package/dist/agents/exec.js +0 -31
package/dist/agents/files.js +0 -105
package/dist/agents/git.js +0 -18
package/dist/agents/gitagent.js +0 -67
package/dist/agents/index.js +0 -88
package/dist/agents/shell.js +0 -38
package/dist/agents/utils.js +0 -136
package/scripts/postinstall.js +0 -9
package/scripts/prepublish.js +0 -58
package/src/animation.js +0 -228
package/src/auth.js +0 -122
package/src/config.js +0 -40
package/src/connect.js +0 -416
package/src/launch.js +0 -78
package/src/mcp.js +0 -57
package/src/permissions.js +0 -140
package/src/persistent-shell.js +0 -261
package/src/server.js +0 -54
/package/{dist → shared}/gitagent/index.js +0 -0
/package/{dist → shared}/gitagent/parser.js +0 -0
/package/{dist → shared}/gitagent/prompt-builder.js +0 -0

package/server/tests/relay-flow.test.js ADDED Viewed

@@ -0,0 +1,570 @@
+/**
+ * End-to-end tests for Relay AI Chat Flow & Multi-User Isolation
+ *
+ * Tests verify:
+ * 1. Relay message routing (UI → Backend → CLI → AI → Response)
+ * 2. Streaming event translation (relay-stream → content_block_delta)
+ * 3. Multi-user isolation (broadcasts, sessions, projects, relay connections)
+ * 4. Session locking and ownership
+ * 5. Agent abstraction (executeAction dispatch)
+ *
+ * Run: node --test backend/server/tests/relay-flow.test.js
+ */
+import { describe, it } from 'node:test';
+import assert from 'node:assert/strict';
+// ── Test 1: Relay Connection Isolation ──
+describe('Relay Connection Isolation', () => {
+  it('relayConnections map keys by userId — different users get separate entries', () => {
+    const relayConnections = new Map();
+    // User A connects
+    relayConnections.set(1, { ws: { readyState: 1 }, user: { userId: 1, username: 'userA' }, connectedAt: Date.now() });
+    // User B connects
+    relayConnections.set(2, { ws: { readyState: 1 }, user: { userId: 2, username: 'userB' }, connectedAt: Date.now() });
+    assert.equal(relayConnections.size, 2, 'Two separate relay connections');
+    assert.equal(relayConnections.get(1).user.username, 'userA');
+    assert.equal(relayConnections.get(2).user.username, 'userB');
+    // User A's lookup cannot access User B's relay
+    const relayA = relayConnections.get(1);
+    const relayB = relayConnections.get(2);
+    assert.notEqual(relayA.ws, relayB.ws, 'Different users have different WebSocket connections');
+  });
+  it('hasActiveRelay returns true only for the correct user', () => {
+    const relayConnections = new Map();
+    relayConnections.set(1, { ws: { readyState: 1 } });
+    relayConnections.set(2, { ws: { readyState: 3 } }); // User 2 disconnected (readyState=3)
+    function hasActiveRelay(userId) {
+      if (!userId) return false;
+      const relay = relayConnections.get(Number(userId));
+      return relay && relay.ws.readyState === 1;
+    }
+    assert.equal(hasActiveRelay(1), true, 'User 1 has active relay');
+    assert.ok(!hasActiveRelay(2), 'User 2 relay is disconnected');
+    assert.ok(!hasActiveRelay(3), 'User 3 has no relay');
+    assert.ok(!hasActiveRelay(null), 'Null userId returns falsy');
+    assert.ok(!hasActiveRelay(undefined), 'Undefined userId returns falsy');
+  });
+  it('sendRelayCommand targets only the correct userId relay', () => {
+    const relayConnections = new Map();
+    const sentMessages = { user1: [], user2: [] };
+    relayConnections.set(1, {
+      ws: {
+        readyState: 1,
+        send: (msg) => sentMessages.user1.push(JSON.parse(msg)),
+      }
+    });
+    relayConnections.set(2, {
+      ws: {
+        readyState: 1,
+        send: (msg) => sentMessages.user2.push(JSON.parse(msg)),
+      }
+    });
+    // Send command to user 1's relay
+    const relay = relayConnections.get(1);
+    relay.ws.send(JSON.stringify({ type: 'relay-command', action: 'claude-query', command: 'hello' }));
+    assert.equal(sentMessages.user1.length, 1, 'User 1 received the command');
+    assert.equal(sentMessages.user2.length, 0, 'User 2 did NOT receive the command');
+    assert.equal(sentMessages.user1[0].action, 'claude-query');
+  });
+});
+// ── Test 2: Broadcast User Filtering ──
+describe('Broadcast User Filtering', () => {
+  it('relay-status broadcast only reaches clients with matching userId', () => {
+    const connectedClients = new Set();
+    const received = { userA: [], userB: [], noAuth: [] };
+    const clientA = {
+      readyState: 1,
+      _wsUser: { userId: 1 },
+      send: (msg) => received.userA.push(JSON.parse(msg)),
+    };
+    const clientB = {
+      readyState: 1,
+      _wsUser: { userId: 2 },
+      send: (msg) => received.userB.push(JSON.parse(msg)),
+    };
+    const clientNoAuth = {
+      readyState: 1,
+      _wsUser: null,
+      send: (msg) => received.noAuth.push(JSON.parse(msg)),
+    };
+    connectedClients.add(clientA);
+    connectedClients.add(clientB);
+    connectedClients.add(clientNoAuth);
+    // Broadcast relay-status for userId=1
+    const userId = 1;
+    for (const client of connectedClients) {
+      try {
+        if (client.readyState === 1 && client._wsUser?.userId === userId) {
+          client.send(JSON.stringify({ type: 'relay-status', userId, connected: true }));
+        }
+      } catch { /* ignore */ }
+    }
+    assert.equal(received.userA.length, 1, 'User A received the broadcast');
+    assert.equal(received.userB.length, 0, 'User B did NOT receive it');
+    assert.equal(received.noAuth.length, 0, 'Unauthenticated client did NOT receive it');
+    assert.equal(received.userA[0].type, 'relay-status');
+    assert.equal(received.userA[0].connected, true);
+  });
+  it('projects_updated broadcast only sends user-owned projects', () => {
+    const connectedClients = new Set();
+    const received = { userA: [], userB: [] };
+    const clientA = {
+      readyState: 1,
+      _wsUser: { userId: 1 },
+      send: (msg) => received.userA.push(JSON.parse(msg)),
+    };
+    const clientB = {
+      readyState: 1,
+      _wsUser: { userId: 2 },
+      send: (msg) => received.userB.push(JSON.parse(msg)),
+    };
+    connectedClients.add(clientA);
+    connectedClients.add(clientB);
+    // Simulate per-user project lists
+    const userProjects = {
+      1: [{ name: 'projectA' }],
+      2: [{ name: 'projectB' }],
+    };
+    for (const client of connectedClients) {
+      if (client.readyState !== 1) continue;
+      const uid = client._wsUser?.userId;
+      if (uid && userProjects[uid]) {
+        client.send(JSON.stringify({ type: 'projects_updated', projects: userProjects[uid] }));
+      }
+    }
+    assert.equal(received.userA.length, 1);
+    assert.equal(received.userB.length, 1);
+    assert.equal(received.userA[0].projects[0].name, 'projectA', 'User A sees only projectA');
+    assert.equal(received.userB[0].projects[0].name, 'projectB', 'User B sees only projectB');
+  });
+});
+// ── Test 3: Streaming Event Translation ──
+describe('Streaming Event Translation', () => {
+  it('relay-stream with claude-response translates to content_block_delta', () => {
+    const frontendMessages = [];
+    const writer = {
+      send: (msg) => frontendMessages.push(msg),
+    };
+    // Simulate onStream callback from routeViaRelay
+    const responseType = 'claude-response';
+    const sessionId = 'session-123';
+    let fullContent = '';
+    function onStream(streamData) {
+      if (streamData.type === 'claude-response') {
+        const chunk = streamData.content || '';
+        if (chunk) {
+          fullContent += chunk;
+          writer.send({
+            type: responseType,
+            data: { type: 'content_block_delta', delta: { text: chunk } },
+            sessionId,
+          });
+        }
+      }
+    }
+    // Simulate streaming chunks
+    onStream({ type: 'claude-response', content: 'Hello' });
+    onStream({ type: 'claude-response', content: ', I am Claude.' });
+    onStream({ type: 'claude-response', content: ' How can I help?' });
+    assert.equal(frontendMessages.length, 3, 'Three streaming events sent to frontend');
+    assert.equal(frontendMessages[0].data.type, 'content_block_delta');
+    assert.equal(frontendMessages[0].data.delta.text, 'Hello');
+    assert.equal(frontendMessages[1].data.delta.text, ', I am Claude.');
+    assert.equal(frontendMessages[2].data.delta.text, ' How can I help?');
+    assert.equal(fullContent, 'Hello, I am Claude. How can I help?', 'Full content accumulated correctly');
+  });
+  it('claude-system event translates to relay-session-id', () => {
+    const frontendMessages = [];
+    const writer = { send: (msg) => frontendMessages.push(msg) };
+    const sessionId = 'session-456';
+    let capturedCliSessionId = null;
+    function onStream(streamData) {
+      if (streamData.type === 'claude-system' && streamData.sessionId) {
+        capturedCliSessionId = streamData.sessionId;
+        writer.send({
+          type: 'relay-session-id',
+          sessionId,
+          cliSessionId: capturedCliSessionId,
+          model: streamData.model,
+          cwd: streamData.cwd,
+        });
+      }
+    }
+    onStream({ type: 'claude-system', sessionId: 'cli-sess-789', model: 'claude-sonnet-4-6', cwd: '/home/user/project' });
+    assert.equal(frontendMessages.length, 1);
+    assert.equal(frontendMessages[0].type, 'relay-session-id');
+    assert.equal(frontendMessages[0].cliSessionId, 'cli-sess-789');
+    assert.equal(frontendMessages[0].model, 'claude-sonnet-4-6');
+    assert.equal(capturedCliSessionId, 'cli-sess-789');
+  });
+  it('completion event includes viaRelay: true', () => {
+    const frontendMessages = [];
+    const writer = { send: (msg) => frontendMessages.push(msg) };
+    // Simulate routeViaRelay completion
+    writer.send({
+      type: 'claude-complete',
+      sessionId: 'session-123',
+      cliSessionId: 'cli-sess-456',
+      exitCode: 0,
+      isNewSession: true,
+      viaRelay: true,
+    });
+    assert.equal(frontendMessages[0].type, 'claude-complete');
+    assert.equal(frontendMessages[0].viaRelay, true, 'Must indicate response came via relay');
+    assert.equal(frontendMessages[0].exitCode, 0);
+  });
+});
+// ── Test 4: Session Ownership Isolation ──
+describe('Session Ownership Isolation', () => {
+  it('sessionOwners map enforces user isolation', () => {
+    const sessionOwners = new Map();
+    // User 1 creates a session
+    sessionOwners.set('session-A', 1);
+    // User 2 creates a session
+    sessionOwners.set('session-B', 2);
+    // Simulate getUserSessions filter
+    function getUserSessions(userId, allSessions) {
+      return allSessions.filter(s => {
+        const owner = sessionOwners.get(s.sessionId);
+        return !owner || owner === userId;
+      });
+    }
+    const allSessions = [
+      { sessionId: 'session-A', provider: 'claude' },
+      { sessionId: 'session-B', provider: 'claude' },
+      { sessionId: 'session-C', provider: 'cursor' }, // unowned
+    ];
+    const user1Sessions = getUserSessions(1, allSessions);
+    const user2Sessions = getUserSessions(2, allSessions);
+    assert.equal(user1Sessions.length, 2, 'User 1 sees session-A + unowned session-C');
+    assert.ok(user1Sessions.some(s => s.sessionId === 'session-A'), 'User 1 sees their own session');
+    assert.ok(!user1Sessions.some(s => s.sessionId === 'session-B'), 'User 1 cannot see User 2 session');
+    assert.equal(user2Sessions.length, 2, 'User 2 sees session-B + unowned session-C');
+    assert.ok(user2Sessions.some(s => s.sessionId === 'session-B'), 'User 2 sees their own session');
+    assert.ok(!user2Sessions.some(s => s.sessionId === 'session-A'), 'User 2 cannot see User 1 session');
+  });
+  it('abort rejects when user does not own the session', () => {
+    const sessionOwners = new Map();
+    sessionOwners.set('session-X', 1); // owned by user 1
+    const userId = 2; // user 2 tries to abort
+    const owner = sessionOwners.get('session-X');
+    const canAbort = !owner || owner === userId;
+    assert.equal(canAbort, false, 'User 2 cannot abort User 1 session');
+  });
+});
+// ── Test 5: Agent Action Dispatch ──
+describe('Agent Action Dispatch', () => {
+  it('executeAction routes to correct handler', async () => {
+    const callLog = [];
+    const actionMap = new Map([
+      ['claude-query', async (params) => { callLog.push('claude'); return { exitCode: 0 }; }],
+      ['cursor-query', async (params) => { callLog.push('cursor'); return { exitCode: 0 }; }],
+      ['codex-query', async (params) => { callLog.push('codex'); return { exitCode: 0 }; }],
+      ['shell-exec', async (params) => { callLog.push('shell'); return { output: 'hello' }; }],
+    ]);
+    async function executeAction(action, params) {
+      const handler = actionMap.get(action);
+      if (!handler) throw new Error(`Unknown action: ${action}`);
+      return handler(params);
+    }
+    await executeAction('claude-query', { command: 'hey' });
+    await executeAction('cursor-query', { command: 'hey' });
+    await executeAction('shell-exec', { command: 'ls' });
+    assert.deepEqual(callLog, ['claude', 'cursor', 'shell']);
+    // Unknown action throws
+    await assert.rejects(
+      () => executeAction('unknown-action', {}),
+      { message: 'Unknown action: unknown-action' }
+    );
+  });
+  it('streaming actions are identified correctly', () => {
+    const streamingActions = new Set(['claude-query', 'claude-task-query', 'codex-query', 'cursor-query']);
+    function isStreamingAction(action) {
+      return streamingActions.has(action);
+    }
+    assert.equal(isStreamingAction('claude-query'), true);
+    assert.equal(isStreamingAction('codex-query'), true);
+    assert.equal(isStreamingAction('cursor-query'), true);
+    assert.equal(isStreamingAction('shell-exec'), false);
+    assert.equal(isStreamingAction('file-read'), false);
+    assert.equal(isStreamingAction('git-status'), false);
+  });
+});
+// ── Test 6: Relay Payload Validation ──
+describe('Relay Payload Validation', () => {
+  it('validates action is in allowlist', () => {
+    const ALLOWED_RELAY_ACTIONS = new Set([
+      'claude-query', 'claude-task-query', 'cursor-query', 'codex-query',
+      'shell-exec', 'file-read', 'file-write', 'file-list',
+      'git-status', 'git-diff', 'git-log', 'git-branches',
+      'gitagent-parse', 'detect-agents',
+    ]);
+    function validateRelayPayload(action) {
+      if (!ALLOWED_RELAY_ACTIONS.has(action)) {
+        return { valid: false, reason: `Action "${action}" is not allowed` };
+      }
+      return { valid: true };
+    }
+    assert.equal(validateRelayPayload('claude-query').valid, true);
+    assert.equal(validateRelayPayload('shell-exec').valid, true);
+    assert.equal(validateRelayPayload('rm-rf-everything').valid, false, 'Unknown action blocked');
+    assert.equal(validateRelayPayload('').valid, false, 'Empty action blocked');
+  });
+});
+// ── Test 7: IP Pinning Security ──
+describe('IP Pinning Security', () => {
+  it('blocks relay connection from different IP when another is active', () => {
+    const relayConnections = new Map();
+    // User 1 connects from IP A
+    relayConnections.set(1, { ws: { readyState: 1 }, clientIp: '1.2.3.4', connectedAt: Date.now() });
+    // Same user tries from IP B
+    const existing = relayConnections.get(1);
+    const newIp = '5.6.7.8';
+    const blocked = existing && existing.ws.readyState === 1 && existing.clientIp !== newIp;
+    assert.equal(blocked, true, 'Second connection from different IP is blocked');
+  });
+  it('allows reconnection from same IP', () => {
+    const relayConnections = new Map();
+    relayConnections.set(1, { ws: { readyState: 1 }, clientIp: '1.2.3.4' });
+    const existing = relayConnections.get(1);
+    const sameIp = '1.2.3.4';
+    const blocked = existing && existing.ws.readyState === 1 && existing.clientIp !== sameIp;
+    assert.equal(blocked, false, 'Reconnection from same IP is allowed');
+  });
+  it('allows new connection when previous relay is disconnected', () => {
+    const relayConnections = new Map();
+    relayConnections.set(1, { ws: { readyState: 3 }, clientIp: '1.2.3.4' }); // disconnected
+    const existing = relayConnections.get(1);
+    const newIp = '5.6.7.8';
+    const blocked = existing && existing.ws.readyState === 1 && existing.clientIp !== newIp;
+    assert.equal(blocked, false, 'New connection allowed when previous relay is disconnected');
+  });
+});
+// ── Test 8: Dashboard Stats Cache ──
+describe('Dashboard Stats Cache', () => {
+  it('cache returns fresh data within TTL', () => {
+    const cache = new Map();
+    const CACHE_TTL = 60_000;
+    function getCachedStats(userId) {
+      const entry = cache.get(userId);
+      if (entry && Date.now() - entry.ts < CACHE_TTL) return entry.data;
+      return null;
+    }
+    function setCachedStats(userId, data) {
+      cache.set(userId, { data, ts: Date.now() });
+    }
+    // Set cache
+    const testData = { account: { username: 'testuser' } };
+    setCachedStats(1, testData);
+    // Immediately retrieve — should hit
+    const cached = getCachedStats(1);
+    assert.deepEqual(cached, testData, 'Cache hit returns data');
+    // Different user — should miss
+    const otherUser = getCachedStats(2);
+    assert.equal(otherUser, null, 'Different user has no cache');
+  });
+  it('cache invalidation clears entry for specific user', () => {
+    const cache = new Map();
+    cache.set(1, { data: { user: 'A' }, ts: Date.now() });
+    cache.set(2, { data: { user: 'B' }, ts: Date.now() });
+    // Invalidate user 1 only
+    cache.delete(1);
+    assert.equal(cache.has(1), false, 'User 1 cache invalidated');
+    assert.equal(cache.has(2), true, 'User 2 cache unaffected');
+  });
+});
+// ── Test 9: Frontend SessionStorage Stale-While-Revalidate ──
+describe('Stale-While-Revalidate Pattern', () => {
+  it('shows cached data immediately then updates with fresh data', () => {
+    // Simulate sessionStorage
+    const storage = {};
+    const setItem = (k, v) => { storage[k] = v; };
+    const getItem = (k) => storage[k] || null;
+    // Initial state — no cache
+    let stats = null;
+    let loading = true;
+    const cached = getItem('dash_stats');
+    assert.equal(cached, null, 'No cache initially');
+    assert.equal(loading, true, 'Loading state true initially');
+    // Simulate first load — data comes from server
+    const serverData = { account: { username: 'user1' }, apiKeys: { keys: [] } };
+    stats = serverData;
+    loading = false;
+    setItem('dash_stats', JSON.stringify(serverData));
+    assert.equal(loading, false);
+    assert.deepEqual(stats, serverData);
+    // Simulate second page load — cache hit
+    stats = null;
+    loading = true;
+    const cachedStr = getItem('dash_stats');
+    if (cachedStr) {
+      stats = JSON.parse(cachedStr);
+      loading = false; // Show cached data immediately
+    }
+    assert.equal(loading, false, 'Loading resolved immediately from cache');
+    assert.deepEqual(stats.account.username, 'user1', 'Cached data shown immediately');
+  });
+});
+// ── Test 10: Multi-User Chat Isolation (End-to-End) ──
+describe('Multi-User Chat Isolation (E2E)', () => {
+  it('two users sending commands simultaneously route to correct relays', () => {
+    const relayConnections = new Map();
+    const relayReceived = { user1: [], user2: [] };
+    relayConnections.set(1, {
+      ws: { readyState: 1, send: (msg) => relayReceived.user1.push(JSON.parse(msg)) }
+    });
+    relayConnections.set(2, {
+      ws: { readyState: 1, send: (msg) => relayReceived.user2.push(JSON.parse(msg)) }
+    });
+    // User 1 sends a claude-command
+    function routeToRelay(userId, action, command) {
+      const relay = relayConnections.get(userId);
+      if (!relay || relay.ws.readyState !== 1) throw new Error('No relay');
+      relay.ws.send(JSON.stringify({ type: 'relay-command', action, command }));
+    }
+    routeToRelay(1, 'claude-query', 'Hey, I am user 1');
+    routeToRelay(2, 'claude-query', 'Hey, I am user 2');
+    routeToRelay(1, 'claude-query', 'Second message from user 1');
+    assert.equal(relayReceived.user1.length, 2, 'User 1 relay received 2 commands');
+    assert.equal(relayReceived.user2.length, 1, 'User 2 relay received 1 command');
+    assert.equal(relayReceived.user1[0].command, 'Hey, I am user 1');
+    assert.equal(relayReceived.user2[0].command, 'Hey, I am user 2');
+    assert.equal(relayReceived.user1[1].command, 'Second message from user 1');
+  });
+  it('streaming responses go back to the correct frontend client', () => {
+    // Simulate pending relay requests with different userIds
+    const pendingRelayRequests = new Map();
+    const frontendReceived = { user1: [], user2: [] };
+    const writer1 = { send: (msg) => frontendReceived.user1.push(msg) };
+    const writer2 = { send: (msg) => frontendReceived.user2.push(msg) };
+    pendingRelayRequests.set('req-1', {
+      userId: 1,
+      onStream: (data) => {
+        if (data.type === 'claude-response') {
+          writer1.send({ type: 'claude-response', data: { type: 'content_block_delta', delta: { text: data.content } } });
+        }
+      }
+    });
+    pendingRelayRequests.set('req-2', {
+      userId: 2,
+      onStream: (data) => {
+        if (data.type === 'claude-response') {
+          writer2.send({ type: 'claude-response', data: { type: 'content_block_delta', delta: { text: data.content } } });
+        }
+      }
+    });
+    // Relay stream for user 1
+    const pending1 = pendingRelayRequests.get('req-1');
+    pending1.onStream({ type: 'claude-response', content: 'Hello user 1!' });
+    // Relay stream for user 2
+    const pending2 = pendingRelayRequests.get('req-2');
+    pending2.onStream({ type: 'claude-response', content: 'Hello user 2!' });
+    assert.equal(frontendReceived.user1.length, 1);
+    assert.equal(frontendReceived.user2.length, 1);
+    assert.equal(frontendReceived.user1[0].data.delta.text, 'Hello user 1!');
+    assert.equal(frontendReceived.user2[0].data.delta.text, 'Hello user 2!');
+  });
+});