vezir 0.1.0__tar.gz

vezir-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Blink
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vezir-0.1.0/PKG-INFO

@@ -0,0 +1,216 @@
+Metadata-Version: 2.4
+Name: vezir
+Version: 0.1.0
+Summary: Internal scribe service that wraps meetscribe for team-scale meeting capture, transcription, summarization, and speaker labeling
+Author: Blink
+License: MIT
+Project-URL: Homepage, https://github.com/pretyflaco/vezir
+Project-URL: Repository, https://github.com/pretyflaco/vezir
+Project-URL: Issues, https://github.com/pretyflaco/vezir/issues
+Keywords: meeting,transcription,scribe,team,self-hosted
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Environment :: Web Environment
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: POSIX :: Linux
+Classifier: Operating System :: MacOS
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Multimedia :: Sound/Audio :: Speech
+Classifier: Topic :: Office/Business
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: click>=8.0
+Requires-Dist: httpx>=0.27
+Requires-Dist: ulid-py>=1.1
+Requires-Dist: meetscribe-record>=0.1.0
+Provides-Extra: server
+Requires-Dist: fastapi>=0.110; extra == "server"
+Requires-Dist: uvicorn[standard]>=0.27; extra == "server"
+Requires-Dist: python-multipart>=0.0.9; extra == "server"
+Requires-Dist: jinja2>=3.1; extra == "server"
+Requires-Dist: meetscribe-offline>=0.5.0; extra == "server"
+Provides-Extra: gui
+Provides-Extra: dev
+Requires-Dist: ruff; extra == "dev"
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: pytest-asyncio; extra == "dev"
+Dynamic: license-file
+
+# vezir
+
+Self-hosted scribe service for team-scale meeting capture. Vezir wraps
+[meetscribe](https://github.com/pretyflaco/meetscribe) and turns it into a
+multi-user, Tailscale-hosted service: a designated scribe records a meeting
+on their laptop, the audio uploads to a central GPU-equipped box, and the
+team gets back a diarized transcript, AI summary, and PDF — with speaker
+labels resolved to GitHub handles via a shared web UI.
+
+## Status
+
+Alpha (0.1.0). Designed for small teams that want to keep meeting audio
+inside their own infrastructure: one Tailscale tailnet + one GPU-equipped
+box. Currently dogfooded by the Blink team. Linux clients fully supported,
+macOS thin client deferred.
+
+## Architecture
+
+```
+[Scribe laptop]                       [GPU server]
+  vezir scribe / gui  ──upload──▶     vezir serve (FastAPI)
+   (wraps meet record)                  │
+                                        ├── sqlite job queue
+                                        │
+                                        ▼
+                                      worker
+                                        │ shells out via HOME-shim
+                                        ▼
+                                      meet transcribe (unmodified)
+                                      meet label --auto
+                                      meet sync     ──▶ private git repo
+                                        │
+                                        ▼
+                                      web UI (labeling, dashboard)
+                                       ◀── scribe browser
+```
+
+Meetscribe is invoked as an unmodified subprocess. Vezir owns its own
+job queue, voiceprint database, team roster, and browser auth.
+
+## Repo layout
+
+```
+vezir/
+  vezir/                    # python package
+    cli.py                  # serve, scribe, token issue
+    config.py               # paths, env
+    server/                 # FastAPI app, queue, worker, meet_runner
+    client/                 # vezir scribe (wraps meet record + uploads)
+    web/                    # templates + static
+  data/
+    team.json.example
+  infra/
+    systemd/vezir.service
+  tests/
+```
+
+Runtime data lives **outside** the repo at `~/vezir-data/`.
+
+## Install profiles
+
+| Role | Install command | Footprint |
+|---|---|---|
+| **Scribe client only** (record + upload, GUI optional) | `pip install --user vezir` (or `pip install --user 'vezir[gui]'` if you also want `apt install python3-tk`) | ~30 MB |
+| **Server** (FastAPI + worker + dashboard + labeling UI) | `pip install --user 'vezir[server]'` | ~3 GB (pulls meetscribe-offline = whisperx + torch + pyannote) |
+
+The split is enforced by `pyproject.toml`'s `[project.optional-dependencies]`:
+the base install uses [meetscribe-record](https://github.com/pretyflaco/meetscribe-record)
+(capture only). The `[server]` extra adds [meetscribe-offline](https://github.com/pretyflaco/meetscribe)
+for the heavy transcription/diarization/summarization pipeline.
+
+## Quick start (server, on a GPU box reachable over Tailscale)
+
+```bash
+git clone https://github.com/pretyflaco/vezir.git
+cd vezir
+pip install --user -e '.[server]'
+
+# Seed voiceprints from existing meetscribe profile DB
+mkdir -p ~/vezir-data
+vezir voiceprints seed --from ~/.config/meet/speaker_profiles.json
+
+# Sync target — sandbox repo for development.
+# vezir's worker invokes `meet sync --force --meeting-type sandbox-<HHMMSSZ>-<rand>`
+# which bypasses meetscribe's schedule and team-presence gates and
+# guarantees a unique per-session folder. Every successful job lands in
+# meetings/<date>_sandbox-<HHMMSSZ>-<rand>/ on the configured repo
+# (e.g. meetings/2026-04-25_sandbox-194051Z-VZJJ3P/).
+cat > ~/vezir-data/sync_config.json <<'EOF'
+{
+  "repo_url": "https://github.com/pretyflaco/vezir-meetings.git",
+  "meetings": [],
+  "team_members": [],
+  "min_team_members": 0
+}
+EOF
+
+# Initialize team roster (used by labeling UI autocomplete)
+cp data/team.json.example ~/vezir-data/team.json
+$EDITOR ~/vezir-data/team.json
+
+# Issue a token for yourself
+vezir token issue --github kasita
+
+# Start the service
+vezir serve
+
+# Or, to skip git sync (artifacts stay only in ~/vezir-data/sessions/<id>/)
+VEZIR_SKIP_SYNC=1 vezir serve
+```
+
+### Sync target governance
+
+This is intentionally pointed at a private **dev sandbox** repo
+(`pretyflaco/vezir-meetings`) during the pilot. Two reasons:
+
+- production meeting-archive repos (e.g. `blinkbitcoin/blink-wip`) get
+  schedule + team-presence gating from meetscribe; vezir uses `--force`
+  to override that, which is appropriate for a dev sandbox but not for
+  production
+- vezir may rewrite history or recreate the repo while the pipeline is
+  being shaken down
+
+To graduate to production: change `repo_url` in
+`~/vezir-data/sync_config.json`, drop `--force` (planned: env var
+`VEZIR_SYNC_FORCE=0`), and let meetscribe's existing schedule/team-gate
+decide what to push.
+
+## Quick start (scribe client)
+
+```bash
+# Install vezir + meetscribe-record (lightweight; ~30 MB).
+pip install --user vezir
+
+# Optional: GUI widget (Tkinter); on Debian/Ubuntu:
+sudo apt install python3-tk
+
+# Configure (one-time): server URL = Tailscale name of your vezir server
+export VEZIR_URL=http://your-vezir-server:8000
+export VEZIR_TOKEN=<token-issued-on-server>
+
+# CLI scribe
+vezir scribe --title "what this meeting is about"
+# Talk; Ctrl+C when done.
+
+# Or GUI scribe (always-on-top widget)
+vezir gui
+```
+
+When the recording is uploaded, vezir prints a dashboard URL. Open it in
+your browser; the GUI's "Open dashboard" button does this for you. The
+URL flows through `/login?token=...` so the browser is signed in via
+HttpOnly cookie before it lands on the session page; subsequent access
+from the same browser does not require re-passing the token.
+
+## Environment variables
+
+| Variable | Default | Effect |
+|---|---|---|
+| `VEZIR_DATA` | `~/vezir-data` | All runtime state — sessions, voiceprints, queue, tokens, sync_config |
+| `VEZIR_HOST` | `0.0.0.0` | Bind address for `vezir serve` |
+| `VEZIR_PORT` | `8000` | Port for `vezir serve` |
+| `VEZIR_URL` | `http://localhost:8000` | Server URL for `vezir scribe` clients |
+| `VEZIR_TOKEN` | — | Bearer token for `vezir scribe` clients |
+| `VEZIR_LOG_LEVEL` | `INFO` | Logging level |
+| `VEZIR_MEET_BIN` | `$(which meet)` | Path to meetscribe `meet` binary |
+| `VEZIR_SKIP_SYNC` | unset | Set to `1` to skip the `meet sync` step entirely |
+| `VEZIR_DELETE_AUDIO` | unset | Set to `1` to delete audio after artifacts are produced (storage policy). Default OFF during pilot. |
+| `VEZIR_SYNC_MEETING_TYPE` | `sandbox` | Subfolder name (under `meetings/`) used by `meet sync --force`. Will be removed once vezir respects schedules. |
+
+## License
+
+MIT — see [LICENSE](LICENSE).

vezir-0.1.0/README.md

@@ -0,0 +1,173 @@
+# vezir
+
+Self-hosted scribe service for team-scale meeting capture. Vezir wraps
+[meetscribe](https://github.com/pretyflaco/meetscribe) and turns it into a
+multi-user, Tailscale-hosted service: a designated scribe records a meeting
+on their laptop, the audio uploads to a central GPU-equipped box, and the
+team gets back a diarized transcript, AI summary, and PDF — with speaker
+labels resolved to GitHub handles via a shared web UI.
+
+## Status
+
+Alpha (0.1.0). Designed for small teams that want to keep meeting audio
+inside their own infrastructure: one Tailscale tailnet + one GPU-equipped
+box. Currently dogfooded by the Blink team. Linux clients fully supported,
+macOS thin client deferred.
+
+## Architecture
+
+```
+[Scribe laptop]                       [GPU server]
+  vezir scribe / gui  ──upload──▶     vezir serve (FastAPI)
+   (wraps meet record)                  │
+                                        ├── sqlite job queue
+                                        │
+                                        ▼
+                                      worker
+                                        │ shells out via HOME-shim
+                                        ▼
+                                      meet transcribe (unmodified)
+                                      meet label --auto
+                                      meet sync     ──▶ private git repo
+                                        │
+                                        ▼
+                                      web UI (labeling, dashboard)
+                                       ◀── scribe browser
+```
+
+Meetscribe is invoked as an unmodified subprocess. Vezir owns its own
+job queue, voiceprint database, team roster, and browser auth.
+
+## Repo layout
+
+```
+vezir/
+  vezir/                    # python package
+    cli.py                  # serve, scribe, token issue
+    config.py               # paths, env
+    server/                 # FastAPI app, queue, worker, meet_runner
+    client/                 # vezir scribe (wraps meet record + uploads)
+    web/                    # templates + static
+  data/
+    team.json.example
+  infra/
+    systemd/vezir.service
+  tests/
+```
+
+Runtime data lives **outside** the repo at `~/vezir-data/`.
+
+## Install profiles
+
+| Role | Install command | Footprint |
+|---|---|---|
+| **Scribe client only** (record + upload, GUI optional) | `pip install --user vezir` (or `pip install --user 'vezir[gui]'` if you also want `apt install python3-tk`) | ~30 MB |
+| **Server** (FastAPI + worker + dashboard + labeling UI) | `pip install --user 'vezir[server]'` | ~3 GB (pulls meetscribe-offline = whisperx + torch + pyannote) |
+
+The split is enforced by `pyproject.toml`'s `[project.optional-dependencies]`:
+the base install uses [meetscribe-record](https://github.com/pretyflaco/meetscribe-record)
+(capture only). The `[server]` extra adds [meetscribe-offline](https://github.com/pretyflaco/meetscribe)
+for the heavy transcription/diarization/summarization pipeline.
+
+## Quick start (server, on a GPU box reachable over Tailscale)
+
+```bash
+git clone https://github.com/pretyflaco/vezir.git
+cd vezir
+pip install --user -e '.[server]'
+
+# Seed voiceprints from existing meetscribe profile DB
+mkdir -p ~/vezir-data
+vezir voiceprints seed --from ~/.config/meet/speaker_profiles.json
+
+# Sync target — sandbox repo for development.
+# vezir's worker invokes `meet sync --force --meeting-type sandbox-<HHMMSSZ>-<rand>`
+# which bypasses meetscribe's schedule and team-presence gates and
+# guarantees a unique per-session folder. Every successful job lands in
+# meetings/<date>_sandbox-<HHMMSSZ>-<rand>/ on the configured repo
+# (e.g. meetings/2026-04-25_sandbox-194051Z-VZJJ3P/).
+cat > ~/vezir-data/sync_config.json <<'EOF'
+{
+  "repo_url": "https://github.com/pretyflaco/vezir-meetings.git",
+  "meetings": [],
+  "team_members": [],
+  "min_team_members": 0
+}
+EOF
+
+# Initialize team roster (used by labeling UI autocomplete)
+cp data/team.json.example ~/vezir-data/team.json
+$EDITOR ~/vezir-data/team.json
+
+# Issue a token for yourself
+vezir token issue --github kasita
+
+# Start the service
+vezir serve
+
+# Or, to skip git sync (artifacts stay only in ~/vezir-data/sessions/<id>/)
+VEZIR_SKIP_SYNC=1 vezir serve
+```
+
+### Sync target governance
+
+This is intentionally pointed at a private **dev sandbox** repo
+(`pretyflaco/vezir-meetings`) during the pilot. Two reasons:
+
+- production meeting-archive repos (e.g. `blinkbitcoin/blink-wip`) get
+  schedule + team-presence gating from meetscribe; vezir uses `--force`
+  to override that, which is appropriate for a dev sandbox but not for
+  production
+- vezir may rewrite history or recreate the repo while the pipeline is
+  being shaken down
+
+To graduate to production: change `repo_url` in
+`~/vezir-data/sync_config.json`, drop `--force` (planned: env var
+`VEZIR_SYNC_FORCE=0`), and let meetscribe's existing schedule/team-gate
+decide what to push.
+
+## Quick start (scribe client)
+
+```bash
+# Install vezir + meetscribe-record (lightweight; ~30 MB).
+pip install --user vezir
+
+# Optional: GUI widget (Tkinter); on Debian/Ubuntu:
+sudo apt install python3-tk
+
+# Configure (one-time): server URL = Tailscale name of your vezir server
+export VEZIR_URL=http://your-vezir-server:8000
+export VEZIR_TOKEN=<token-issued-on-server>
+
+# CLI scribe
+vezir scribe --title "what this meeting is about"
+# Talk; Ctrl+C when done.
+
+# Or GUI scribe (always-on-top widget)
+vezir gui
+```
+
+When the recording is uploaded, vezir prints a dashboard URL. Open it in
+your browser; the GUI's "Open dashboard" button does this for you. The
+URL flows through `/login?token=...` so the browser is signed in via
+HttpOnly cookie before it lands on the session page; subsequent access
+from the same browser does not require re-passing the token.
+
+## Environment variables
+
+| Variable | Default | Effect |
+|---|---|---|
+| `VEZIR_DATA` | `~/vezir-data` | All runtime state — sessions, voiceprints, queue, tokens, sync_config |
+| `VEZIR_HOST` | `0.0.0.0` | Bind address for `vezir serve` |
+| `VEZIR_PORT` | `8000` | Port for `vezir serve` |
+| `VEZIR_URL` | `http://localhost:8000` | Server URL for `vezir scribe` clients |
+| `VEZIR_TOKEN` | — | Bearer token for `vezir scribe` clients |
+| `VEZIR_LOG_LEVEL` | `INFO` | Logging level |
+| `VEZIR_MEET_BIN` | `$(which meet)` | Path to meetscribe `meet` binary |
+| `VEZIR_SKIP_SYNC` | unset | Set to `1` to skip the `meet sync` step entirely |
+| `VEZIR_DELETE_AUDIO` | unset | Set to `1` to delete audio after artifacts are produced (storage policy). Default OFF during pilot. |
+| `VEZIR_SYNC_MEETING_TYPE` | `sandbox` | Subfolder name (under `meetings/`) used by `meet sync --force`. Will be removed once vezir respects schedules. |
+
+## License
+
+MIT — see [LICENSE](LICENSE).

vezir-0.1.0/pyproject.toml

@@ -0,0 +1,74 @@
+[build-system]
+requires = ["setuptools>=68.0", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "vezir"
+version = "0.1.0"
+description = "Internal scribe service that wraps meetscribe for team-scale meeting capture, transcription, summarization, and speaker labeling"
+readme = "README.md"
+requires-python = ">=3.10"
+license = {text = "MIT"}
+authors = [{name = "Blink"}]
+keywords = [
+    "meeting",
+    "transcription",
+    "scribe",
+    "team",
+    "self-hosted",
+]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Environment :: Console",
+    "Environment :: Web Environment",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: POSIX :: Linux",
+    "Operating System :: MacOS",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Multimedia :: Sound/Audio :: Speech",
+    "Topic :: Office/Business",
+]
+dependencies = [
+    # Client-side base. Includes meetscribe-record for `vezir scribe`'s
+    # capture wrapper. Does NOT pull in transcription / diarization /
+    # summarization deps; those land via `pip install vezir[server]`.
+    "click>=8.0",
+    "httpx>=0.27",
+    "ulid-py>=1.1",
+    "meetscribe-record>=0.1.0",
+]
+
+[project.scripts]
+vezir = "vezir.cli:main"
+
+[project.urls]
+Homepage = "https://github.com/pretyflaco/vezir"
+Repository = "https://github.com/pretyflaco/vezir"
+Issues = "https://github.com/pretyflaco/vezir/issues"
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["vezir*"]
+
+[tool.setuptools.package-data]
+vezir = ["web/templates/*.html", "web/static/*"]
+
+[project.optional-dependencies]
+# Server side: full FastAPI app + worker that shells out to meetscribe-offline
+# (transcribe, label, sync). Install on the GPU box that runs `vezir serve`.
+server = [
+    "fastapi>=0.110",
+    "uvicorn[standard]>=0.27",
+    "python-multipart>=0.0.9",
+    "jinja2>=3.1",
+    "meetscribe-offline>=0.5.0",
+]
+# GUI scribe widget (Tkinter). Tkinter ships with Python on most distros
+# but some (Debian/Ubuntu minimal) require `apt install python3-tk`.
+# No new pip deps needed.
+gui = []
+dev = ["ruff", "pytest", "pytest-asyncio"]

vezir-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

vezir-0.1.0/tests/test_auth.py

@@ -0,0 +1,180 @@
+"""Tests for browser-friendly auth (cookie + bearer combined)."""
+from __future__ import annotations
+
+import io
+import tempfile
+import wave
+from pathlib import Path
+
+import pytest
+
+
+@pytest.fixture
+def tmp_data(monkeypatch):
+    with tempfile.TemporaryDirectory() as d:
+        monkeypatch.setenv("VEZIR_DATA", d)
+        yield Path(d)
+
+
+@pytest.fixture
+def client_and_token(tmp_data):
+    from fastapi.testclient import TestClient
+    from vezir.server import auth
+    from vezir.server.app import create_app
+
+    token = auth.issue("alice")
+    app = create_app()
+    return TestClient(app, follow_redirects=False), token
+
+
+def _bearer(token: str) -> dict:
+    return {"Authorization": f"Bearer {token}"}
+
+
+# ── /login GET with token (the GUI hand-off) ────────────────────────────────
+
+
+def test_login_get_valid_token_sets_cookie_and_redirects(client_and_token):
+    client, token = client_and_token
+    resp = client.get(f"/login?token={token}&next=/s/abc123")
+    assert resp.status_code == 303
+    assert resp.headers["location"] == "/s/abc123"
+    sc = resp.headers.get("set-cookie", "")
+    assert "vezir_session=" in sc
+    assert "HttpOnly" in sc
+    assert "SameSite=lax" in sc.lower() or "samesite=lax" in sc.lower()
+
+
+def test_login_get_invalid_token_returns_401_form(client_and_token):
+    client, _ = client_and_token
+    resp = client.get("/login?token=vzr_bogus&next=/s/abc")
+    assert resp.status_code == 401
+    assert "Invalid token" in resp.text
+    assert "vezir_session=" not in resp.headers.get("set-cookie", "")
+
+
+def test_login_get_no_token_renders_form(client_and_token):
+    client, _ = client_and_token
+    resp = client.get("/login")
+    assert resp.status_code == 200
+    assert "Sign in" in resp.text
+    assert "<form" in resp.text
+
+
+# ── /login open-redirect protection ─────────────────────────────────────────
+
+
+@pytest.mark.parametrize("bad_next", [
+    "//evil.example.com",
+    "http://evil.example.com",
+    "https://evil.example.com/x",
+    "javascript:alert(1)",
+    "no-leading-slash",
+])
+def test_login_rejects_unsafe_next(client_and_token, bad_next):
+    client, token = client_and_token
+    resp = client.get(f"/login?token={token}&next={bad_next}")
+    assert resp.status_code == 303
+    assert resp.headers["location"] == "/"
+
+
+# ── POST /login (manual paste-token form) ───────────────────────────────────
+
+
+def test_login_post_valid_token_sets_cookie(client_and_token):
+    client, token = client_and_token
+    resp = client.post("/login", data={"token": token, "next": "/"})
+    assert resp.status_code == 303
+    assert resp.headers["location"] == "/"
+    assert "vezir_session=" in resp.headers.get("set-cookie", "")
+
+
+def test_login_post_invalid_token_401(client_and_token):
+    client, _ = client_and_token
+    resp = client.post("/login", data={"token": "vzr_bogus", "next": "/"})
+    assert resp.status_code == 401
+    assert "Invalid token" in resp.text
+
+
+# ── /logout ─────────────────────────────────────────────────────────────────
+
+
+def test_logout_clears_cookie(client_and_token):
+    client, token = client_and_token
+    # log in
+    r1 = client.get(f"/login?token={token}&next=/")
+    assert "vezir_session=" in r1.headers["set-cookie"]
+    # logout
+    r2 = client.get("/logout")
+    assert r2.status_code == 303
+    assert r2.headers["location"] == "/login"
+    sc = r2.headers.get("set-cookie", "")
+    # Cookie clearing has either Max-Age=0 or expired date in the past
+    assert "vezir_session=" in sc
+    assert ('Max-Age=0' in sc) or ('expires=' in sc.lower())
+
+
+# ── Dashboard accepts cookie OR bearer ───────────────────────────────────────
+
+
+def test_dashboard_with_cookie(client_and_token):
+    client, token = client_and_token
+    client.get(f"/login?token={token}&next=/")  # establishes cookie
+    resp = client.get("/")
+    assert resp.status_code == 200
+    assert "Recent sessions" in resp.text or "No sessions yet" in resp.text
+
+
+def test_dashboard_with_bearer(client_and_token):
+    client, token = client_and_token
+    resp = client.get("/", headers=_bearer(token))
+    assert resp.status_code == 200
+
+
+def test_dashboard_no_auth_401(client_and_token):
+    client, _ = client_and_token
+    resp = client.get("/")
+    assert resp.status_code == 401
+
+
+# ── API stays bearer-only (cookie should NOT grant API access) ──────────────
+
+
+def test_api_sessions_rejects_cookie(client_and_token):
+    client, token = client_and_token
+    client.get(f"/login?token={token}&next=/")  # set cookie
+    # Cookie-only — must fail without bearer header
+    resp = client.get("/api/sessions")
+    assert resp.status_code == 401
+
+
+def test_api_sessions_accepts_bearer(client_and_token):
+    client, token = client_and_token
+    resp = client.get("/api/sessions", headers=_bearer(token))
+    assert resp.status_code == 200
+    assert "sessions" in resp.json()
+
+
+# ── Upload endpoint produces dashboard_login_url ────────────────────────────
+
+
+def test_upload_response_includes_login_url(client_and_token):
+    client, token = client_and_token
+    # tiny fake WAV
+    buf = io.BytesIO()
+    with wave.open(buf, "wb") as w:
+        w.setnchannels(1); w.setsampwidth(2); w.setframerate(16000)
+        w.writeframes(b"\x00\x00" * 16000)
+    buf.seek(0)
+
+    resp = client.post(
+        "/upload",
+        headers=_bearer(token),
+        files={"audio": ("foo.wav", buf.read(), "audio/wav")},
+    )
+    assert resp.status_code == 200
+    body = resp.json()
+    assert "dashboard_url" in body
+    assert "dashboard_login_url" in body
+    assert "/login?token=" in body["dashboard_login_url"]
+    assert f"%2Fs%2F{body['session_id']}" in body["dashboard_login_url"]