tinytown 0.10.0

A simple, fast multi-agent orchestration system using Redis for message passing
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011

/*
 * Copyright (c) 2024-Present, Jeremy Plichta
 * Licensed under the MIT License
 */

//! Integration tests for the townhall daemon REST API (Issue #15).
//!
//! These tests verify the townhall REST API endpoints including:
//! - Health endpoints (/health, /ready, /metrics, /v1/status)
//! - Agent management (/v1/agents)
//! - Task assignment and backlog (/v1/tasks, /v1/backlog)
//! - Messaging (/v1/messages)
//! - Recovery operations (/v1/recover, /v1/reclaim)
//!
//! Test infrastructure includes:
//! - `TownhallTestServer`: Wrapper for testing townhall with a real Redis backend
//! - `TestTownhall`: Test fixture providing full E2E testing capabilities
//! - Helper functions for common test scenarios

use tempfile::TempDir;
use tinytown::town::AgentHandle;
use tinytown::{Task, Town};
use uuid::Uuid;

// ============================================================================
// TEST FIXTURES AND HELPERS
// ============================================================================

/// Test server wrapper that manages a townhall instance for testing.
/// Includes the underlying Town (with Redis) and provides HTTP client access.
pub struct TownhallTestServer {
    /// The underlying town with Redis connection
    pub town: Town,
    /// Temp directory for the town (cleaned up on drop)
    pub temp_dir: TempDir,
    /// Base URL for the townhall REST API (when server is running)
    pub base_url: Option<String>,
}

impl TownhallTestServer {
    /// Create a new test server with a fresh town and Redis instance.
    /// Uses the default Redis mode so CI does not depend on per-test socket startup.
    pub async fn new(name: &str) -> Result<Self, Box<dyn std::error::Error>> {
        let temp_dir = TempDir::new()?;
        let town_name = unique_town_name(name);
        let town = Town::init(temp_dir.path(), &town_name).await?;

        Ok(Self {
            town,
            temp_dir,
            base_url: None,
        })
    }

    /// Get the town's channel for direct Redis operations
    pub fn channel(&self) -> &tinytown::Channel {
        self.town.channel()
    }

    /// Get the town's config
    pub fn config(&self) -> &tinytown::Config {
        self.town.config()
    }

    /// Create a test agent in the town
    pub async fn spawn_test_agent(&self, name: &str) -> Result<AgentHandle, tinytown::Error> {
        self.town.spawn_agent(name, "test-cli").await
    }

    /// Add a task to the backlog
    pub async fn add_backlog_task(
        &self,
        description: &str,
    ) -> Result<tinytown::TaskId, tinytown::Error> {
        let task = Task::new(description);
        let task_id = task.id;
        self.channel().set_task(&task).await?;
        self.channel().backlog_push(task_id).await?;
        Ok(task_id)
    }
}

fn unique_town_name(prefix: &str) -> String {
    format!("{prefix}-{}", Uuid::new_v4())
}

impl Drop for TownhallTestServer {
    fn drop(&mut self) {
        // Clean up Redis when test ends
        let pid_file = self.temp_dir.path().join(".tt/redis.pid");
        if let Ok(pid_str) = std::fs::read_to_string(&pid_file)
            && let Ok(pid) = pid_str.trim().parse::<i32>()
        {
            // SAFETY: This kills our test Redis process, which is safe to do.
            unsafe {
                libc::kill(pid, libc::SIGKILL);
            }
        }
    }
}

// ============================================================================
// EXPECTED API RESPONSE TYPES (for deserializing townhall responses)
// ============================================================================

/// Standard RFC 7807 error response format
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct ApiError {
    pub r#type: String,
    pub title: String,
    pub status: u16,
    pub detail: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub instance: Option<String>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub request_id: Option<String>,
}

/// Health check response
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct HealthResponse {
    pub status: String,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub version: Option<String>,
}

/// Scaling signal response.
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct ScalingSignalResponse {
    pub town: String,
    pub timestamp: String,
    pub queue_depth: usize,
    pub pending_tasks: usize,
    pub in_flight_tasks: usize,
    pub active_agents: usize,
    pub cold_agents: usize,
    pub desired_agents: usize,
    pub max_agents: usize,
    pub scaling_recommendation: String,
}

/// Town status response
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct TownStatusResponse {
    pub name: String,
    pub agent_count: usize,
    pub backlog_count: usize,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub redis_connected: Option<bool>,
}

/// Agent list response
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct AgentListResponse {
    pub agents: Vec<AgentInfo>,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cursor: Option<String>,
}

/// Agent info in list response
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct AgentInfo {
    pub id: String,
    pub name: String,
    pub state: String,
    pub cli: String,
}

/// Backlog task entry
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct BacklogEntry {
    pub id: String,
    pub description: String,
    #[serde(default)]
    pub tags: Vec<String>,
}

/// Backlog list response
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct BacklogListResponse {
    pub tasks: Vec<BacklogEntry>,
    pub total: usize,
    #[serde(skip_serializing_if = "Option::is_none")]
    pub cursor: Option<String>,
}

/// Message send request
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct SendMessageRequest {
    pub to: String,
    pub message: String,
    #[serde(default)]
    pub kind: String, // "task" | "query" | "info" | "ack"
    #[serde(default)]
    pub urgent: bool,
}

/// Message send response
#[derive(Debug, Clone, serde::Deserialize, serde::Serialize)]
pub struct SendMessageResponse {
    pub message_id: String,
    pub delivered: bool,
}

// ============================================================================
// PLACEHOLDER TESTS - These will test townhall when it's implemented
// ============================================================================

/// Test that the test infrastructure itself works correctly.
#[tokio::test]
async fn test_townhall_test_server_creation() -> Result<(), Box<dyn std::error::Error>> {
    let server = TownhallTestServer::new("townhall-infra-test").await?;

    // Verify town was created
    assert!(server.config().name.starts_with("townhall-infra-test-"));

    // Verify we can spawn agents through the test server
    let agent = server.spawn_test_agent("test-worker").await?;
    let state = agent.state().await?;
    assert!(state.is_some());

    Ok(())
}

/// Test that backlog operations work through the test server.
#[tokio::test]
async fn test_townhall_test_server_backlog() -> Result<(), Box<dyn std::error::Error>> {
    let server = TownhallTestServer::new("townhall-backlog-infra-test").await?;

    // Add tasks to backlog
    let task1_id = server.add_backlog_task("Task 1 for testing").await?;
    let task2_id = server.add_backlog_task("Task 2 for testing").await?;

    // Verify backlog has the tasks
    let backlog = server.channel().backlog_list().await?;
    assert_eq!(backlog.len(), 2);
    assert_eq!(backlog[0], task1_id);
    assert_eq!(backlog[1], task2_id);

    Ok(())
}

/// Test agent spawn and list through test infrastructure.
#[tokio::test]
async fn test_townhall_test_server_agents() -> Result<(), Box<dyn std::error::Error>> {
    let server = TownhallTestServer::new("townhall-agents-infra-test").await?;

    // Spawn multiple agents
    let _agent1 = server.spawn_test_agent("worker-1").await?;
    let _agent2 = server.spawn_test_agent("worker-2").await?;
    let _agent3 = server.spawn_test_agent("reviewer").await?;

    // List agents
    let agents = server.town.list_agents().await;
    assert_eq!(agents.len(), 3);

    // Verify agent names
    let names: Vec<&str> = agents.iter().map(|a| a.name.as_str()).collect();
    assert!(names.contains(&"worker-1"));
    assert!(names.contains(&"worker-2"));
    assert!(names.contains(&"reviewer"));

    Ok(())
}

// ============================================================================
// TOWNHALL REST API TESTS
// ============================================================================

// Import townhall router creation - note: this requires the bin to expose create_router
// For now, we test via the services layer which is what townhall uses

/// Test GET /healthz equivalent via service layer
#[tokio::test]
async fn test_services_status() -> Result<(), Box<dyn std::error::Error>> {
    let server = TownhallTestServer::new("townhall-status-test").await?;

    // Test AgentService::status (what /v1/status uses)
    let status = tinytown::AgentService::status(&server.town).await?;
    assert!(status.name.starts_with("townhall-status-test-"));
    assert_eq!(status.agent_count, 0);

    Ok(())
}

/// Test agent spawn via service layer (what POST /v1/agents uses)
#[tokio::test]
async fn test_services_spawn_agent() -> Result<(), Box<dyn std::error::Error>> {
    let server = TownhallTestServer::new("townhall-spawn-test").await?;

    let result =
        tinytown::AgentService::spawn(&server.town, "test-worker", Some("test-cli")).await?;
    assert_eq!(result.name, "test-worker");
    assert_eq!(result.cli, "test-cli");

    // Verify agent exists
    let agents = tinytown::AgentService::list(&server.town).await?;
    assert_eq!(agents.len(), 1);
    assert_eq!(agents[0].name, "test-worker");

    Ok(())
}

/// Test backlog operations via service layer (what /v1/backlog uses)
#[tokio::test]
async fn test_services_backlog() -> Result<(), Box<dyn std::error::Error>> {
    let server = TownhallTestServer::new("townhall-backlog-test").await?;

    // Add to backlog
    let result = tinytown::BacklogService::add(
        server.channel(),
        "Test task",
        Some(vec!["test".to_string()]),
    )
    .await?;
    assert_eq!(result.description, "Test task");

    // List backlog
    let items = tinytown::BacklogService::list(server.channel()).await?;
    assert_eq!(items.len(), 1);
    assert_eq!(items[0].description, "Test task");
    assert_eq!(items[0].tags, vec!["test"]);

    Ok(())
}

/// Test task assignment via service layer (what POST /v1/tasks/assign uses)
#[tokio::test]
async fn test_services_assign_task() -> Result<(), Box<dyn std::error::Error>> {
    let server = TownhallTestServer::new("townhall-assign-test").await?;

    // First spawn an agent
    let _agent = server.spawn_test_agent("worker").await?;

    // Assign a task
    let result = tinytown::TaskService::assign(&server.town, "worker", "Do something").await?;
    assert_eq!(result.agent_name, "worker");

    let inbox = server
        .town
        .channel()
        .peek_inbox(result.agent_id, 10)
        .await?;
    assert_eq!(inbox.len(), 1);
    match &inbox[0].msg_type {
        tinytown::MessageType::TaskAssign { task_id } => {
            assert_eq!(task_id, &result.task_id.to_string());
        }
        other => panic!("expected TaskAssign, got {:?}", other),
    }

    // Verify task is pending
    let pending = tinytown::TaskService::list_pending(&server.town).await?;
    assert_eq!(pending.len(), 1);
    assert_eq!(pending[0].task_id, result.task_id);
    assert_eq!(pending[0].description, "Do something");

    Ok(())
}

/// Test message sending via service layer (what POST /v1/messages/send uses)
#[tokio::test]
async fn test_services_send_message() -> Result<(), Box<dyn std::error::Error>> {
    let server = TownhallTestServer::new("townhall-message-test").await?;

    // Spawn an agent
    let _agent = server.spawn_test_agent("receiver").await?;

    // Send a message
    let result = tinytown::MessageService::send(
        &server.town,
        "receiver",
        "Hello!",
        tinytown::app::services::messages::MessageKind::Task,
        false,
    )
    .await?;
    assert!(!result.urgent);

    // Check inbox
    let inbox = tinytown::MessageService::get_inbox(&server.town, "receiver").await?;
    assert_eq!(inbox.total_messages, 1);

    Ok(())
}

/// Verify `MessageService::send_as` records the specified sender (agent name or UUID)
/// instead of always attributing the message to the supervisor sentinel.
#[tokio::test]
async fn test_services_send_as_preserves_sender() -> Result<(), Box<dyn std::error::Error>> {
    let server = TownhallTestServer::new("townhall-send-as-test").await?;
    let sender = server.spawn_test_agent("sender").await?;
    let _receiver = server.spawn_test_agent("receiver").await?;

    // Send by agent name.
    tinytown::MessageService::send_as(
        &server.town,
        Some("sender"),
        "receiver",
        "hi from sender",
        tinytown::app::services::messages::MessageKind::Info,
        false,
    )
    .await?;

    // Send by UUID.
    tinytown::MessageService::send_as(
        &server.town,
        Some(&sender.id().to_string()),
        "receiver",
        "hi again",
        tinytown::app::services::messages::MessageKind::Info,
        false,
    )
    .await?;

    // Default path (no from) still uses supervisor.
    tinytown::MessageService::send_as(
        &server.town,
        None,
        "receiver",
        "system fyi",
        tinytown::app::services::messages::MessageKind::Info,
        false,
    )
    .await?;

    let receiver_handle = server.town.agent("receiver").await?;
    let peeked = server
        .channel()
        .peek_inbox(receiver_handle.id(), 10)
        .await?;
    assert_eq!(peeked.len(), 3);

    let froms: Vec<_> = peeked.iter().map(|m| m.from).collect();
    assert!(
        froms.contains(&sender.id()),
        "agent-name send should map to sender id"
    );
    assert!(
        froms.iter().filter(|&&id| id == sender.id()).count() >= 2,
        "uuid send should also map to sender id"
    );
    assert!(
        froms.contains(&tinytown::AgentId::supervisor()),
        "default path should still produce a supervisor-attributed message"
    );

    Ok(())
}

/// Verify that `POST /v1/messages` honors an optional `from` field when provided.
#[tokio::test]
async fn test_townhall_send_endpoint_accepts_from() -> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, create_router};

    let server = TownhallTestServer::new("townhall-send-from-test").await?;
    let sender = server.spawn_test_agent("sender").await?;
    let _receiver = server.spawn_test_agent("receiver").await?;

    let auth_config = Arc::new(AuthConfig::default());
    let state = Arc::new(AppState {
        town: server.town.clone(),
        auth_config,
    });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    test_server
        .post("/v1/messages/send")
        .json(&serde_json::json!({
            "to": "receiver",
            "from": "sender",
            "message": "hello",
            "kind": "info"
        }))
        .await
        .assert_status(axum::http::StatusCode::CREATED);

    let receiver_handle = server.town.agent("receiver").await?;
    let peeked = server.channel().peek_inbox(receiver_handle.id(), 5).await?;
    assert_eq!(peeked.len(), 1);
    assert_eq!(peeked[0].from, sender.id());

    Ok(())
}

/// Test that the inbox endpoint supports GET for read semantics while keeping POST compatibility.
#[tokio::test]
async fn test_townhall_inbox_endpoint_supports_get_and_post()
-> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, create_router};

    let server = TownhallTestServer::new("townhall-inbox-route-test").await?;
    server.spawn_test_agent("receiver").await?;
    tinytown::MessageService::send(
        &server.town,
        "receiver",
        "Hello over townhall",
        tinytown::app::services::messages::MessageKind::Info,
        false,
    )
    .await?;

    let auth_config = Arc::new(AuthConfig::default());
    let state = Arc::new(AppState {
        town: server.town.clone(),
        auth_config,
    });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    test_server
        .get("/v1/agents/receiver/inbox")
        .await
        .assert_status_ok()
        .assert_json_contains(&serde_json::json!({
            "agent": "receiver",
            "total": 1
        }));

    test_server
        .post("/v1/agents/receiver/inbox")
        .await
        .assert_status_ok()
        .assert_json_contains(&serde_json::json!({
            "agent": "receiver",
            "total": 1
        }));

    Ok(())
}

/// Test that backlog removal is exposed through the REST router and deletes task data.
#[tokio::test]
async fn test_townhall_delete_backlog_endpoint() -> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, BacklogService, create_router};

    let server = TownhallTestServer::new("townhall-backlog-delete-route-test").await?;
    let added = BacklogService::add(server.channel(), "Remove me", None).await?;

    let auth_config = Arc::new(AuthConfig::default());
    let state = Arc::new(AppState {
        town: server.town.clone(),
        auth_config,
    });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    test_server
        .delete(&format!("/v1/backlog/{}", added.task_id))
        .await
        .assert_status_ok()
        .assert_json_contains(&serde_json::json!({
            "removed": true,
            "task_id": added.task_id.to_string()
        }));

    assert!(BacklogService::list(server.channel()).await?.is_empty());
    assert!(server.channel().get_task(added.task_id).await?.is_none());

    Ok(())
}

// ============================================================================
// AUTHENTICATION TESTS (Issue #16)
// ============================================================================

/// Test that auth module functions work correctly.
#[tokio::test]
async fn test_auth_api_key_generation_and_verification() {
    let (raw_key, hash) = tinytown::generate_api_key();

    // Key should be a long hex string
    assert!(raw_key.len() >= 32);

    // Hash should be Argon2id format
    assert!(hash.starts_with("$argon2"));

    // Verification should work
    use argon2::{Argon2, PasswordHash, PasswordVerifier};
    let parsed_hash = PasswordHash::new(&hash).expect("valid hash");
    assert!(
        Argon2::default()
            .verify_password(raw_key.as_bytes(), &parsed_hash)
            .is_ok()
    );

    // Wrong key should fail
    assert!(
        Argon2::default()
            .verify_password(b"wrong-key", &parsed_hash)
            .is_err()
    );
}

/// Test principal scope checking.
#[tokio::test]
async fn test_principal_scopes() {
    use std::collections::HashSet;
    use tinytown::{Principal, Scope};

    // Local admin has all scopes
    let admin = Principal::local_admin();
    assert!(admin.has_scope(Scope::TownRead));
    assert!(admin.has_scope(Scope::TownWrite));
    assert!(admin.has_scope(Scope::AgentManage));
    assert!(admin.has_scope(Scope::Admin));

    // Principal with only TownRead
    let mut scopes = HashSet::new();
    scopes.insert(Scope::TownRead);
    let reader = tinytown::Principal {
        id: "reader".to_string(),
        scopes,
    };
    assert!(reader.has_scope(Scope::TownRead));
    assert!(!reader.has_scope(Scope::TownWrite));
    assert!(!reader.has_scope(Scope::AgentManage));
    assert!(!reader.has_scope(Scope::Admin));
}

/// Test that health endpoint works without auth.
#[tokio::test]
async fn test_health_endpoint_no_auth_required() -> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, create_router};

    let temp_dir = tempfile::TempDir::new()?;
    let town_name = unique_town_name("auth-health-test");
    let town = tinytown::Town::init(temp_dir.path(), &town_name).await?;

    // Create router with API key auth mode (but health should still work)
    let auth_config = Arc::new(AuthConfig {
        mode: tinytown::AuthMode::ApiKey,
        api_key_hash: Some("$argon2id$v=19$m=19456,t=2,p=1$fake$fake".to_string()),
        ..Default::default()
    });
    let state = Arc::new(AppState { town, auth_config });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    // Public probe endpoints should work without auth
    test_server
        .get("/health")
        .await
        .assert_status_ok()
        .assert_json_contains(&serde_json::json!({
            "status": "ok"
        }));
    test_server.get("/healthz").await.assert_status_ok();
    test_server
        .get("/ready")
        .await
        .assert_status_ok()
        .assert_json_contains(&serde_json::json!({
            "status": "ready",
            "redis": "connected",
            "dispatcher": "idle",
            "town": town_name
        }));
    test_server.get("/readyz").await.assert_status_ok();
    test_server
        .get("/metrics")
        .await
        .assert_status_ok()
        .assert_header("content-type", "text/plain; version=0.0.4; charset=utf-8")
        .assert_text_contains("tinytown_up 1")
        .assert_text_contains("tinytown_ready 1");

    Ok(())
}

/// Test that the metrics endpoint reflects current town state.
#[tokio::test]
async fn test_metrics_endpoint_reports_town_metrics() -> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, BacklogService, TaskService, create_router};

    let server = TownhallTestServer::new("townhall-metrics-test").await?;
    server.spawn_test_agent("worker-1").await?;
    server.spawn_test_agent("worker-2").await?;
    BacklogService::add(server.channel(), "Backlog metrics task", None).await?;
    TaskService::assign(&server.town, "worker-1", "Assigned metrics task").await?;
    let mut completed_task = tinytown::Task::new("Completed metrics task");
    completed_task.complete("metrics complete");
    server.channel().set_task(&completed_task).await?;

    let storage = tinytown::mission::MissionStorage::new(
        server.town.channel().conn().clone(),
        server.town.channel().town_name(),
    );
    let mut mission =
        tinytown::mission::MissionRun::new(vec![tinytown::mission::ObjectiveRef::Issue {
            owner: "redis-field-engineering".to_string(),
            repo: "tinytown".to_string(),
            number: 58,
        }]);
    mission.start();
    mission.record_dispatch_tick();
    storage.save_mission(&mission).await?;
    storage.add_active(mission.id).await?;

    let auth_config = Arc::new(AuthConfig::default());
    let state = Arc::new(AppState {
        town: server.town.clone(),
        auth_config,
    });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    let response = test_server.get("/metrics").await;
    response
        .assert_status_ok()
        .assert_header("content-type", "text/plain; version=0.0.4; charset=utf-8")
        .assert_text_contains("tinytown_up 1")
        .assert_text_contains("tinytown_ready 1")
        .assert_text_contains("tinytown_agents_total{state=\"starting\"} 2")
        .assert_text_contains("tinytown_tasks_pending 2")
        .assert_text_contains("tinytown_tasks_completed_total 1")
        .assert_text_contains("tinytown_missions_active 1")
        .assert_text_contains("tinytown_redis_latency_seconds ")
        .assert_text_contains("tinytown_backlog_tasks 1");

    Ok(())
}

/// Test that the scaling endpoint reports pending work and recommends scaling up.
#[tokio::test]
async fn test_scaling_endpoint_reports_scale_up_signal() -> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, BacklogService, TaskService, create_router};

    let server = TownhallTestServer::new("townhall-scaling-up-test").await?;
    server.spawn_test_agent("worker-1").await?;
    BacklogService::add(server.channel(), "Backlog scaling task", None).await?;
    TaskService::assign(&server.town, "worker-1", "Assigned scaling task").await?;

    let state = Arc::new(AppState {
        town: server.town.clone(),
        auth_config: Arc::new(AuthConfig::default()),
    });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    let response = test_server.get("/api/scaling").await;
    response.assert_status_ok();
    let body: ScalingSignalResponse = response.json();

    assert_eq!(body.queue_depth, 2);
    assert_eq!(body.pending_tasks, 2);
    assert_eq!(body.in_flight_tasks, 0);
    assert_eq!(body.active_agents, 1);
    assert_eq!(body.cold_agents, 0);
    assert_eq!(body.desired_agents, 2);
    assert_eq!(body.max_agents, 10);
    assert_eq!(body.scaling_recommendation, "scale_up");

    Ok(())
}

/// Test that the scaling endpoint recommends scale-to-zero for long-idle workers.
#[tokio::test]
async fn test_scaling_endpoint_reports_scale_to_zero_for_idle_workers()
-> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, Config, create_router};

    let temp_dir = TempDir::new()?;
    let mut config = Config::new(unique_town_name("townhall-scale-to-zero"), temp_dir.path());
    config.agent.idle_timeout_secs = 1;
    let town = tinytown::Town::init_with_config(config).await?;
    let handle = town.spawn_agent("idle-worker", "test-cli").await?;

    let mut agent = town
        .channel()
        .get_agent_state(handle.id())
        .await?
        .expect("idle worker should exist");
    agent.state = tinytown::AgentState::Idle;
    agent.last_active_at = chrono::Utc::now() - chrono::Duration::seconds(10);
    town.channel().set_agent_state(&agent).await?;

    let state = Arc::new(AppState {
        town: town.clone(),
        auth_config: Arc::new(AuthConfig::default()),
    });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    let response = test_server.get("/api/scaling").await;
    response.assert_status_ok();
    let body: ScalingSignalResponse = response.json();

    assert_eq!(body.queue_depth, 0);
    assert_eq!(body.pending_tasks, 0);
    assert_eq!(body.in_flight_tasks, 0);
    assert_eq!(body.active_agents, 1);
    assert_eq!(body.desired_agents, 0);
    assert_eq!(body.scaling_recommendation, "scale_to_zero");

    Ok(())
}

/// Test that the scaling endpoint uses docket stream depth when streams are enabled.
#[tokio::test]
async fn test_scaling_endpoint_uses_docket_stream_depth() -> Result<(), Box<dyn std::error::Error>>
{
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, Config, TaskId, create_router};

    let temp_dir = TempDir::new()?;
    let mut config = Config::new(
        unique_town_name("townhall-scaling-streams"),
        temp_dir.path(),
    );
    config.use_streams = true;
    let town = tinytown::Town::init_with_config(config).await?;

    town.channel().docket_ensure_group().await?;
    let task_one = TaskId::new();
    let task_two = TaskId::new();
    town.channel()
        .docket_push(task_one, "Stream task one", "normal", "conductor", "worker")
        .await?;
    town.channel()
        .docket_push(task_two, "Stream task two", "normal", "conductor", "worker")
        .await?;
    let _ = town.channel().docket_read("worker-1", 100).await?;

    let state = Arc::new(AppState {
        town: town.clone(),
        auth_config: Arc::new(AuthConfig::default()),
    });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    let response = test_server.get("/api/scaling").await;
    response.assert_status_ok();
    let body: ScalingSignalResponse = response.json();

    assert_eq!(body.pending_tasks, 1);
    assert_eq!(body.in_flight_tasks, 1);
    assert_eq!(body.queue_depth, 2);
    assert_eq!(body.desired_agents, 2);
    assert_eq!(body.scaling_recommendation, "scale_up");

    Ok(())
}

/// Test that acknowledged stream entries no longer contribute to scaling backlog.
#[tokio::test]
async fn test_scaling_endpoint_excludes_acknowledged_stream_entries()
-> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, Config, TaskId, create_router};

    let temp_dir = TempDir::new()?;
    let mut config = Config::new(
        unique_town_name("townhall-scaling-streams-acked"),
        temp_dir.path(),
    );
    config.use_streams = true;
    let town = tinytown::Town::init_with_config(config).await?;

    town.channel().docket_ensure_group().await?;
    let task_id = TaskId::new();
    town.channel()
        .docket_push(task_id, "Acked task", "normal", "conductor", "worker")
        .await?;
    let (entry_id, _) = town
        .channel()
        .docket_read("worker-1", 100)
        .await?
        .expect("stream entry should be readable");
    town.channel().docket_ack(&entry_id).await?;

    let state = Arc::new(AppState {
        town: town.clone(),
        auth_config: Arc::new(AuthConfig::default()),
    });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    let response = test_server.get("/api/scaling").await;
    response.assert_status_ok();
    let body: ScalingSignalResponse = response.json();

    assert_eq!(body.pending_tasks, 0);
    assert_eq!(body.in_flight_tasks, 0);
    assert_eq!(body.queue_depth, 0);
    assert_eq!(body.desired_agents, 0);

    Ok(())
}

/// Test that protected endpoints require authentication.
#[tokio::test]
async fn test_protected_endpoints_require_auth() -> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, create_router};

    let temp_dir = tempfile::TempDir::new()?;
    let town_name = unique_town_name("auth-protected-test");
    let town = tinytown::Town::init(temp_dir.path(), &town_name).await?;

    // Create router with API key auth mode
    let (raw_key, hash) = tinytown::generate_api_key();
    let auth_config = Arc::new(AuthConfig {
        mode: tinytown::AuthMode::ApiKey,
        api_key_hash: Some(hash),
        ..Default::default()
    });
    let state = Arc::new(AppState { town, auth_config });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    // Request without auth should return 401
    test_server
        .get("/v1/status")
        .await
        .assert_status_unauthorized();

    // Request with wrong key should return 401
    test_server
        .get("/v1/status")
        .add_header(axum_test::http::header::AUTHORIZATION, "Bearer wrong-key")
        .await
        .assert_status_unauthorized();

    // Request with correct key should succeed
    test_server
        .get("/v1/status")
        .add_header(
            axum_test::http::header::AUTHORIZATION,
            format!("Bearer {}", raw_key),
        )
        .await
        .assert_status_ok();

    Ok(())
}

/// Test that X-API-Key header also works for authentication.
#[tokio::test]
async fn test_x_api_key_header_auth() -> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, create_router};

    let temp_dir = tempfile::TempDir::new()?;
    let town_name = unique_town_name("auth-x-api-key-test");
    let town = tinytown::Town::init(temp_dir.path(), &town_name).await?;

    let (raw_key, hash) = tinytown::generate_api_key();
    let auth_config = Arc::new(AuthConfig {
        mode: tinytown::AuthMode::ApiKey,
        api_key_hash: Some(hash),
        ..Default::default()
    });
    let state = Arc::new(AppState { town, auth_config });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    // Request with X-API-Key header should succeed
    test_server
        .get("/v1/town")
        .add_header("x-api-key", raw_key)
        .await
        .assert_status_ok();

    Ok(())
}

/// Test that auth.mode=none allows all requests.
#[tokio::test]
async fn test_auth_mode_none_allows_all() -> Result<(), Box<dyn std::error::Error>> {
    use axum_test::TestServer;
    use std::sync::Arc;
    use tinytown::{AppState, AuthConfig, create_router};

    let temp_dir = tempfile::TempDir::new()?;
    let town_name = unique_town_name("auth-none-test");
    let town = tinytown::Town::init(temp_dir.path(), &town_name).await?;

    // auth.mode = none (default)
    let auth_config = Arc::new(AuthConfig::default());
    let state = Arc::new(AppState { town, auth_config });
    let app = create_router(state);
    let test_server = TestServer::new(app);

    // All endpoints should work without auth
    test_server.get("/v1/status").await.assert_status_ok();
    test_server.get("/v1/agents").await.assert_status_ok();
    test_server.get("/v1/backlog").await.assert_status_ok();

    Ok(())
}