test: fill remaining coverage gaps — large payloads, CORS, OAuth negatives, WS reconnect, cross-graph REST

Author: prih

demo-projects/test-sandbox/tests/08-edge-cases.ts

@@ -290,6 +290,73 @@ test('Search with unicode query → no crash', async () => {
   assert(res.status < 500, 'should not 500');
 });
 
+// ─── 8.7 Large payload ─────────────────────────────────────────
+
+group('8.7 Large payload');
+
+test('POST body near limit (5MB) → accepted', async () => {
+  const bigContent = 'x'.repeat(5 * 1024 * 1024);
+  const res = await post('/knowledge/notes', {
+    title: 'Big Note',
+    content: bigContent,
+  });
+  // Should be accepted (limit is 10mb)
+  if (res.ok) {
+    await del(`/knowledge/notes/${res.data.id}`);
+  }
+  assert(res.status < 500, `should not 500, got ${res.status}`);
+});
+
+test('POST body exceeding limit (15MB) → 413', async () => {
+  const hugeContent = 'x'.repeat(15 * 1024 * 1024);
+  const res = await post('/knowledge/notes', {
+    title: 'Huge Note',
+    content: hugeContent,
+  });
+  assert(res.status === 413 || res.status === 400, `expected 413 or 400, got ${res.status}`);
+});
+
+// ─── 8.8 CORS headers ──────────────────────────────────────────
+
+group('8.8 CORS headers');
+
+test('Response includes CORS headers', async () => {
+  const res = await get('/api/auth/status');
+  assertOk(res);
+  // CORS is enabled (app.use(cors(...))), should have Access-Control-Allow-Origin
+  const origin = res.headers.get('access-control-allow-origin');
+  assertExists(origin, 'Access-Control-Allow-Origin header');
+});
+
+test('OPTIONS preflight returns CORS headers', async () => {
+  const url = `http://127.0.0.1:3737/api/auth/status`;
+  const res = await fetch(url, {
+    method: 'OPTIONS',
+    headers: {
+      'Origin': 'http://localhost:3000',
+      'Access-Control-Request-Method': 'GET',
+    },
+  });
+  assert(res.status < 500, `OPTIONS should not 500, got ${res.status}`);
+  const allow = res.headers.get('access-control-allow-origin')
+    ?? res.headers.get('access-control-allow-methods');
+  assertExists(allow, 'CORS preflight headers');
+});
+
+// ─── 8.9 Invalid project ────────────────────────────────────────
+
+group('8.9 Invalid project');
+
+test('GET /api/projects/nonexistent/stats → 404', async () => {
+  const res = await get('http://127.0.0.1:3737/api/projects/nonexistent/stats');
+  assertStatus(res, 404);
+});
+
+test('GET /api/projects/nonexistent/knowledge/notes → 404', async () => {
+  const res = await get('http://127.0.0.1:3737/api/projects/nonexistent/knowledge/notes');
+  assertStatus(res, 404);
+});
+
 // ─── Run ─────────────────────────────────────────────────────────
 
 export async function run() {

demo-projects/test-sandbox/tests/11-oauth.ts

@@ -210,6 +210,66 @@ test('POST /api/oauth/end-session — returns 200', async () => {
   assertOk(res);
 });
 
+// ─── 11.8 Negative OAuth cases ─────────────────────────────────
+
+group('11.8 Negative OAuth cases');
+
+test('POST /api/oauth/token — invalid grant_type → error', async () => {
+  const res = await restWith(BASE, 'POST', '/api/oauth/token', {
+    grant_type: 'client_credentials',
+    client_id: 'test-client',
+  });
+  assert(res.status >= 400, 'unsupported grant_type should fail');
+});
+
+test('POST /api/oauth/token — missing code → error', async () => {
+  const res = await restWith(BASE, 'POST', '/api/oauth/token', {
+    grant_type: 'authorization_code',
+    client_id: 'test-client',
+    redirect_uri: 'http://localhost:9999/callback',
+    code_verifier: codeVerifier,
+  });
+  assert(res.status >= 400, 'missing code should fail');
+});
+
+test('POST /api/oauth/token — expired/fake code → error', async () => {
+  const res = await restWith(BASE, 'POST', '/api/oauth/token', {
+    grant_type: 'authorization_code',
+    code: 'fake-expired-code-12345',
+    client_id: 'test-client',
+    redirect_uri: 'http://localhost:9999/callback',
+    code_verifier: codeVerifier,
+  });
+  assert(res.status >= 400, 'fake code should fail');
+});
+
+test('POST /api/oauth/token — refresh with invalid token → error', async () => {
+  const res = await restWith(BASE, 'POST', '/api/oauth/token', {
+    grant_type: 'refresh_token',
+    refresh_token: 'invalid-refresh-token',
+    client_id: 'test-client',
+  });
+  assert(res.status >= 400, 'invalid refresh token should fail');
+});
+
+test('POST /api/oauth/authorize — missing code_challenge → error', async () => {
+  const res = await restWith(BASE, 'POST', '/api/oauth/authorize', {
+    response_type: 'code',
+    client_id: 'test-client',
+    redirect_uri: 'http://localhost:9999/callback',
+    // no code_challenge
+  }, { cookie: cookieHeader(adminCookies) });
+  assert(res.status >= 400, 'missing code_challenge should fail');
+});
+
+test('GET /api/oauth/userinfo with revoked token — still works (revoke is no-op)', async () => {
+  // OAuth revoke endpoint returns 200 but does not actually invalidate JWTs
+  // (stateless tokens can't be revoked without a blocklist)
+  const res = await restWith(BASE, 'GET', '/api/oauth/userinfo',
+    undefined, { bearer: accessToken });
+  assertOk(res);
+});
+
 // ─── Teardown ────────────────────────────────────────────────────
 
 group('Teardown');

demo-projects/test-sandbox/tests/13-websocket.ts

@@ -236,6 +236,70 @@ test('Add attachment → receives event', async () => {
   try { require('fs').unlinkSync(tmpFile); } catch {}
 });
 
+// ─── 13.7 WebSocket reconnection ───────────────────────────────
+
+group('13.7 WebSocket reconnection');
+
+test('Reconnect after close — receives events', async () => {
+  // Close current connection
+  if (ws && ws.readyState === WebSocket.OPEN) ws.close();
+  await wait(500);
+
+  // Reconnect
+  await connectWs();
+  assert(ws.readyState === WebSocket.OPEN, 'ws should reconnect');
+
+  // Verify events still flow
+  clearReceived();
+  await restWith(BASE, 'POST', '/api/projects/sandbox/knowledge/notes',
+    { title: 'Reconnect Test', content: 'test' });
+  const evt = await findEvent('note:created');
+  assertExists(evt, 'note:created after reconnect');
+
+  // Cleanup
+  const listRes = await restWith(BASE, 'GET', '/api/projects/sandbox/knowledge/notes');
+  for (const n of (listRes.data.results ?? listRes.data)) {
+    if (n.title === 'Reconnect Test') {
+      await restWith(BASE, 'DELETE', `/api/projects/sandbox/knowledge/notes/${n.id}`);
+    }
+  }
+});
+
+test('Multiple WS clients receive same event', async () => {
+  const received2: any[] = [];
+  const ws2 = new WebSocket(`ws://127.0.0.1:${PORT}/api/ws`);
+  await new Promise<void>((resolve, reject) => {
+    ws2.on('open', resolve);
+    ws2.on('error', reject);
+    setTimeout(() => reject(new Error('ws2 timeout')), 5000);
+  });
+  ws2.on('message', (data) => {
+    try { received2.push(JSON.parse(data.toString())); } catch {}
+  });
+
+  clearReceived();
+  await restWith(BASE, 'POST', '/api/projects/sandbox/knowledge/notes',
+    { title: 'Multi WS Test', content: 'test' });
+
+  // Both clients should receive the event
+  const evt1 = await findEvent('note:created');
+  assertExists(evt1, 'client 1 received');
+
+  await wait(500);
+  const evt2 = received2.find(e => e.type === 'note:created');
+  assertExists(evt2, 'client 2 received');
+
+  ws2.close();
+
+  // Cleanup
+  const listRes = await restWith(BASE, 'GET', '/api/projects/sandbox/knowledge/notes');
+  for (const n of (listRes.data.results ?? listRes.data)) {
+    if (n.title === 'Multi WS Test') {
+      await restWith(BASE, 'DELETE', `/api/projects/sandbox/knowledge/notes/${n.id}`);
+    }
+  }
+});
+
 // ─── Teardown ────────────────────────────────────────────────────
 
 group('Teardown');

demo-projects/test-sandbox/tests/15-workspace.ts

@@ -224,6 +224,38 @@ test('Shared graphs have same counts from both projects', async () => {
   assertEqual(resA.data.tasks.nodes, resB.data.tasks.nodes, 'tasks nodes should be same');
 });
 
+// ─── 15.9 Concurrent workspace writes ──────────────────────────
+
+group('15.9 Concurrent workspace writes');
+
+test('Parallel note creates from both projects — all succeed', async () => {
+  const promises = [
+    ...Array.from({ length: 5 }, (_, i) =>
+      restWith(BASE, 'POST', `${API_A()}/knowledge/notes`, {
+        title: `WS Concurrent A-${i}`, content: `from A #${i}`,
+      }),
+    ),
+    ...Array.from({ length: 5 }, (_, i) =>
+      restWith(BASE, 'POST', `${API_B()}/knowledge/notes`, {
+        title: `WS Concurrent B-${i}`, content: `from B #${i}`,
+      }),
+    ),
+  ];
+  const results = await Promise.all(promises);
+  const ok = results.filter(r => r.ok);
+  assert(ok.length === 10, `all 10 should succeed, got ${ok.length}`);
+
+  // Verify all visible from both projects
+  const notesA = await restWith(BASE, 'GET', `${API_A()}/knowledge/notes`);
+  const notesB = await restWith(BASE, 'GET', `${API_B()}/knowledge/notes`);
+  assertOk(notesA);
+  assertOk(notesB);
+  const listA = notesA.data.results ?? notesA.data;
+  const listB = notesB.data.results ?? notesB.data;
+  assert(listA.length >= 10, `project A should see >= 10 notes, got ${listA.length}`);
+  assertEqual(listA.length, listB.length, 'both projects see same count');
+});
+
 // ─── Cleanup ─────────────────────────────────────────────────────
 
 group('Cleanup');