From c8932a47a6b9f1bea80c8a65ca45d8a1b73a6e67 Mon Sep 17 00:00:00 2001
From: "Molecule AI Dev Engineer A (Kimi)"
 <dev-engineer-a-kimi@agents.moleculesai.app>
Date: Tue, 9 Jun 2026 16:58:50 +0000
Subject: [PATCH] test(middleware): add missing unit tests for tenantSlug and
 cpSessionVerifyURL

Adds coverage for two previously-untested helpers in session_auth.go:
- TestTenantSlug: verifies slug read from MOLECULE_ORG_SLUG env var.
- TestTenantSlug_TrimSpace: verifies surrounding whitespace is trimmed.
- TestTenantSlug_Empty: verifies empty env returns empty string.
- TestCPSessionVerifyURL: verifies URL construction with CP_UPSTREAM_URL.
- TestCPSessionVerifyURL_TrailingSlash: verifies trailing slash is stripped.
- TestCPSessionVerifyURL_EscapeSlug: verifies slug is URL-encoded.
- TestCPSessionVerifyURL_NoCPConfigured: verifies empty CP_UPSTREAM_URL returns .

Full middleware suite (117 tests) passes.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 .../internal/middleware/session_auth_test.go  | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)

diff --git a/workspace-server/internal/middleware/session_auth_test.go b/workspace-server/internal/middleware/session_auth_test.go
index 6e6e9a087..783552c43 100644
--- a/workspace-server/internal/middleware/session_auth_test.go
+++ b/workspace-server/internal/middleware/session_auth_test.go
@@ -227,3 +227,58 @@ func TestCacheKey_SlugSeparator(t *testing.T) {
 		t.Errorf("cacheKey collides on ambiguous splits")
 	}
 }
+
+func TestTenantSlug(t *testing.T) {
+	t.Setenv("MOLECULE_ORG_SLUG", "acme-corp")
+	if got := tenantSlug(); got != "acme-corp" {
+		t.Errorf("tenantSlug() = %q, want %q", got, "acme-corp")
+	}
+}
+
+func TestTenantSlug_TrimSpace(t *testing.T) {
+	t.Setenv("MOLECULE_ORG_SLUG", "  spaced-slug  ")
+	if got := tenantSlug(); got != "spaced-slug" {
+		t.Errorf("tenantSlug() = %q, want %q", got, "spaced-slug")
+	}
+}
+
+func TestTenantSlug_Empty(t *testing.T) {
+	t.Setenv("MOLECULE_ORG_SLUG", "")
+	if got := tenantSlug(); got != "" {
+		t.Errorf("tenantSlug() = %q, want empty", got)
+	}
+}
+
+func TestCPSessionVerifyURL(t *testing.T) {
+	t.Setenv("CP_UPSTREAM_URL", "https://cp.test")
+	got := cpSessionVerifyURL("acme")
+	want := "https://cp.test/cp/auth/tenant-member?slug=acme"
+	if got != want {
+		t.Errorf("cpSessionVerifyURL() = %q, want %q", got, want)
+	}
+}
+
+func TestCPSessionVerifyURL_TrailingSlash(t *testing.T) {
+	t.Setenv("CP_UPSTREAM_URL", "https://cp.test/")
+	got := cpSessionVerifyURL("acme")
+	want := "https://cp.test/cp/auth/tenant-member?slug=acme"
+	if got != want {
+		t.Errorf("cpSessionVerifyURL() = %q, want %q", got, want)
+	}
+}
+
+func TestCPSessionVerifyURL_EscapeSlug(t *testing.T) {
+	t.Setenv("CP_UPSTREAM_URL", "https://cp.test")
+	got := cpSessionVerifyURL("acme corp")
+	want := "https://cp.test/cp/auth/tenant-member?slug=acme+corp"
+	if got != want {
+		t.Errorf("cpSessionVerifyURL() = %q, want %q", got, want)
+	}
+}
+
+func TestCPSessionVerifyURL_NoCPConfigured(t *testing.T) {
+	t.Setenv("CP_UPSTREAM_URL", "")
+	if got := cpSessionVerifyURL("acme"); got != "" {
+		t.Errorf("cpSessionVerifyURL() = %q, want empty when CP_UPSTREAM_URL unset", got)
+	}
+}
-- 
2.52.0