test: add team, WS auth/debounce/filtering, promise-queue drain tests

- team.test.ts: scanTeamDir + ensureAuthorInTeam (12 tests)
- websocket.test.ts: JWT auth reject/accept, access filtering,
  graph:updated debounce (6 new tests, total 13)
- promise-queue.test.ts: waitForPending (2 new tests)

1898 tests across 52 suites.

Author: prih

src/tests/promise-queue.test.ts

@@ -42,6 +42,27 @@ describe('PromiseQueue', () => {
     expect(await p3).toBe('recovered');
   });
 
+  it('waitForPending resolves immediately when empty', async () => {
+    const queue = new PromiseQueue();
+    await queue.waitForPending(); // should not hang
+  });
+
+  it('waitForPending waits for in-flight tasks', async () => {
+    const queue = new PromiseQueue();
+    const order: number[] = [];
+
+    queue.enqueue(async () => {
+      await new Promise(r => setTimeout(r, 50));
+      order.push(1);
+    });
+    queue.enqueue(async () => {
+      order.push(2);
+    });
+
+    await queue.waitForPending();
+    expect(order).toEqual([1, 2]);
+  });
+
   it('prevents concurrent execution (simulates race condition)', async () => {
     const queue = new PromiseQueue();
     let counter = 0;

src/tests/team.test.ts

@@ -0,0 +1,104 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { scanTeamDir, ensureAuthorInTeam } from '@/lib/team';
+
+function tmpDir(): string {
+  return fs.mkdtempSync(path.join(os.tmpdir(), 'gm-team-'));
+}
+
+describe('scanTeamDir', () => {
+  it('returns empty for non-existent dir', () => {
+    expect(scanTeamDir('/nonexistent/.team')).toEqual([]);
+  });
+
+  it('returns empty for empty dir', () => {
+    const dir = tmpDir();
+    expect(scanTeamDir(dir)).toEqual([]);
+  });
+
+  it('scans team member files', () => {
+    const dir = tmpDir();
+    fs.writeFileSync(path.join(dir, 'alice.md'), '---\nname: Alice\nemail: alice@test.com\n---\n# Alice\n');
+    fs.writeFileSync(path.join(dir, 'bob.md'), '---\nname: Bob\nemail: bob@test.com\n---\n# Bob\n');
+
+    const members = scanTeamDir(dir);
+    expect(members).toHaveLength(2);
+    expect(members.find(m => m.id === 'alice')).toMatchObject({ name: 'Alice', email: 'alice@test.com' });
+    expect(members.find(m => m.id === 'bob')).toMatchObject({ name: 'Bob', email: 'bob@test.com' });
+  });
+
+  it('skips non-md files', () => {
+    const dir = tmpDir();
+    fs.writeFileSync(path.join(dir, 'alice.md'), '---\nname: Alice\nemail: a@t.com\n---\n');
+    fs.writeFileSync(path.join(dir, 'notes.txt'), 'not a team file');
+
+    const members = scanTeamDir(dir);
+    expect(members).toHaveLength(1);
+  });
+
+  it('skips directories', () => {
+    const dir = tmpDir();
+    fs.mkdirSync(path.join(dir, 'subdir.md'), { recursive: true });
+    fs.writeFileSync(path.join(dir, 'alice.md'), '---\nname: Alice\nemail: a@t.com\n---\n');
+
+    const members = scanTeamDir(dir);
+    expect(members).toHaveLength(1);
+  });
+
+  it('uses filename as fallback name', () => {
+    const dir = tmpDir();
+    fs.writeFileSync(path.join(dir, 'charlie.md'), '---\nemail: c@t.com\n---\n');
+
+    const members = scanTeamDir(dir);
+    expect(members[0].name).toBe('charlie');
+  });
+
+  it('handles malformed frontmatter gracefully', () => {
+    const dir = tmpDir();
+    fs.writeFileSync(path.join(dir, 'bad.md'), 'no frontmatter at all');
+    fs.writeFileSync(path.join(dir, 'good.md'), '---\nname: Good\nemail: g@t.com\n---\n');
+
+    const members = scanTeamDir(dir);
+    // Should still have at least the good one; bad one may parse with empty fm
+    expect(members.length).toBeGreaterThanOrEqual(1);
+  });
+});
+
+describe('ensureAuthorInTeam', () => {
+  it('creates team member file', () => {
+    const dir = tmpDir();
+    const teamDir = path.join(dir, '.team');
+    ensureAuthorInTeam(teamDir, { name: 'Alice Dev', email: 'alice@dev.com' });
+
+    expect(fs.existsSync(path.join(teamDir, 'alice-dev.md'))).toBe(true);
+    const content = fs.readFileSync(path.join(teamDir, 'alice-dev.md'), 'utf-8');
+    expect(content).toContain('Alice Dev');
+    expect(content).toContain('alice@dev.com');
+  });
+
+  it('does not overwrite existing file', () => {
+    const dir = tmpDir();
+    const teamDir = path.join(dir, '.team');
+    fs.mkdirSync(teamDir, { recursive: true });
+    fs.writeFileSync(path.join(teamDir, 'alice.md'), 'existing content');
+
+    ensureAuthorInTeam(teamDir, { name: 'Alice', email: 'new@email.com' });
+    const content = fs.readFileSync(path.join(teamDir, 'alice.md'), 'utf-8');
+    expect(content).toBe('existing content');
+  });
+
+  it('skips if no name', () => {
+    const dir = tmpDir();
+    const teamDir = path.join(dir, '.team');
+    ensureAuthorInTeam(teamDir, { name: '', email: 'a@b.com' });
+    expect(fs.existsSync(teamDir)).toBe(false);
+  });
+
+  it('slugifies name correctly', () => {
+    const dir = tmpDir();
+    const teamDir = path.join(dir, '.team');
+    ensureAuthorInTeam(teamDir, { name: 'John O\'Brien III', email: 'j@b.com' });
+    expect(fs.existsSync(path.join(teamDir, 'john-o-brien-iii.md'))).toBe(true);
+  });
+});

src/tests/websocket.test.ts

@@ -2,7 +2,9 @@ import http from 'http';
 import { WebSocket } from 'ws';
 import { EventEmitter } from 'events';
 import { attachWebSocket, type WebSocketHandle } from '@/api/rest/websocket';
+import { signAccessToken } from '@/lib/jwt';
 import type { ProjectManager } from '@/lib/project-manager';
+import type { ServerConfig } from '@/lib/multi-config';
 
 function createMockProjectManager(): ProjectManager & EventEmitter {
   const em = new EventEmitter();
@@ -141,4 +143,151 @@ describe('WebSocket server', () => {
     expect(pm2.listenerCount('note:created')).toBe(0);
     server2.close();
   });
+
+  it('debounces graph:updated events', async () => {
+    const ws = new WebSocket(`ws://127.0.0.1:${port}/api/ws`);
+    await waitForOpen(ws);
+
+    const messages: any[] = [];
+    ws.on('message', (data) => messages.push(JSON.parse(data.toString())));
+
+    // Emit multiple graph:updated rapidly
+    pm.emit('graph:updated', { projectId: 'test', file: 'a.ts', graph: 'code' });
+    pm.emit('graph:updated', { projectId: 'test', file: 'b.ts', graph: 'code' });
+
+    // Wait for debounce (WS_DEBOUNCE_MS = 1000)
+    await new Promise(r => setTimeout(r, 1500));
+
+    // Should receive a single debounced message with both files
+    const graphUpdates = messages.filter(m => m.type === 'graph:updated');
+    expect(graphUpdates).toHaveLength(1);
+    expect(graphUpdates[0].data.files).toContain('a.ts');
+    expect(graphUpdates[0].data.files).toContain('b.ts');
+    ws.close();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// WebSocket with authentication
+// ---------------------------------------------------------------------------
+
+describe('WebSocket auth', () => {
+  const JWT_SECRET = 'a'.repeat(32);
+  const users = {
+    alice: { name: 'Alice', email: 'alice@test.com', apiKey: 'key-alice' },
+    bob: { name: 'Bob', email: 'bob@test.com', apiKey: 'key-bob' },
+  };
+
+  let server: http.Server;
+  let wsHandle: WebSocketHandle;
+  let pm: ProjectManager & EventEmitter;
+  let port: number;
+
+  beforeAll(async () => {
+    pm = createMockProjectManager();
+    // Add second project that bob can't access
+    (pm as any).getProject = (id: string) => {
+      if (id === 'test') return {
+        config: {
+          graphConfigs: {
+            docs: { enabled: true }, code: { enabled: true },
+            knowledge: { enabled: true, access: { alice: 'rw' } },
+            files: { enabled: true }, tasks: { enabled: true }, skills: { enabled: true },
+          },
+          access: { alice: 'rw' },
+        },
+        workspaceId: undefined,
+      };
+      if (id === 'secret') return {
+        config: {
+          graphConfigs: {
+            docs: { enabled: true, access: { alice: 'rw' } }, code: { enabled: true, access: { alice: 'rw' } },
+            knowledge: { enabled: true, access: { alice: 'rw' } },
+            files: { enabled: true, access: { alice: 'rw' } },
+            tasks: { enabled: true, access: { alice: 'rw' } },
+            skills: { enabled: true, access: { alice: 'rw' } },
+          },
+          access: { alice: 'rw' },
+        },
+        workspaceId: undefined,
+      };
+      return undefined;
+    };
+
+    server = http.createServer();
+    wsHandle = attachWebSocket(server, pm, {
+      jwtSecret: JWT_SECRET,
+      users,
+      serverConfig: { defaultAccess: 'deny', jwtSecret: JWT_SECRET } as ServerConfig,
+    });
+
+    await new Promise<void>((resolve) => {
+      server.listen(0, '127.0.0.1', () => {
+        port = (server.address() as any).port;
+        resolve();
+      });
+    });
+  });
+
+  afterAll(async () => {
+    for (const client of wsHandle.wss.clients) client.terminate();
+    wsHandle.cleanup();
+    await new Promise<void>((resolve) => wsHandle.wss.close(() => resolve()));
+    server.closeAllConnections();
+    await new Promise<void>((resolve) => server.close(() => resolve()));
+  });
+
+  it('rejects connection without cookie', async () => {
+    const ws = new WebSocket(`ws://127.0.0.1:${port}/api/ws`);
+    await expect(waitForOpen(ws)).rejects.toThrow();
+  });
+
+  it('rejects connection with invalid cookie', async () => {
+    const ws = new WebSocket(`ws://127.0.0.1:${port}/api/ws`, {
+      headers: { cookie: 'mgm_access=invalid-token' },
+    });
+    await expect(waitForOpen(ws)).rejects.toThrow();
+  });
+
+  it('accepts connection with valid JWT cookie', async () => {
+    const token = signAccessToken('alice', JWT_SECRET, '15m');
+    const ws = new WebSocket(`ws://127.0.0.1:${port}/api/ws`, {
+      headers: { cookie: `mgm_access=${token}` },
+    });
+    await waitForOpen(ws);
+    expect(ws.readyState).toBe(WebSocket.OPEN);
+    ws.close();
+  });
+
+  it('filters events by user access — alice sees test project', async () => {
+    const token = signAccessToken('alice', JWT_SECRET, '15m');
+    const ws = new WebSocket(`ws://127.0.0.1:${port}/api/ws`, {
+      headers: { cookie: `mgm_access=${token}` },
+    });
+    await waitForOpen(ws);
+
+    const msgPromise = waitForMessage(ws);
+    pm.emit('note:created', { projectId: 'test', noteId: 'n1' });
+    const msg = await msgPromise;
+    expect(msg.type).toBe('note:created');
+    ws.close();
+  });
+
+  it('filters events by user access — bob does not see secret project', async () => {
+    const token = signAccessToken('bob', JWT_SECRET, '15m');
+    const ws = new WebSocket(`ws://127.0.0.1:${port}/api/ws`, {
+      headers: { cookie: `mgm_access=${token}` },
+    });
+    await waitForOpen(ws);
+
+    const messages: any[] = [];
+    ws.on('message', (data) => messages.push(JSON.parse(data.toString())));
+
+    pm.emit('note:created', { projectId: 'secret', noteId: 'hidden' });
+
+    // Wait briefly — bob should NOT receive the event
+    await new Promise(r => setTimeout(r, 200));
+    expect(messages.filter(m => m.projectId === 'secret')).toHaveLength(0);
+    ws.close();
+  });
 });