feat(actions): /api/actions routes (run/pending/approve/reject)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/api/actions.test.js

@@ -0,0 +1,35 @@
+import { describe, it, expect, beforeAll } from 'vitest';
+import request from 'supertest';
+import { resetDb } from '../helpers/db.js';
+import { migrateUp } from '../../lib/db/migrate.js';
+import { createApp } from '../../server.js';
+
+let app;
+beforeAll(async () => {
+  await resetDb(); await migrateUp();
+  process.env.OWNER_TOKEN = 'test-token';
+  process.env.ACTIONS_CONFIG = new URL('../fixtures/actions.test.json', import.meta.url).pathname;
+  app = createApp();
+});
+const auth = (r) => r.set('Authorization', 'Bearer test-token');
+
+describe('actions API', () => {
+  it('GET / lists the whitelist (owner)', async () => {
+    const res = await auth(request(app).get('/api/actions'));
+    expect(res.status).toBe(200);
+    expect(res.body.actions.map(a => a.id)).toContain('stop-ct107');
+  });
+  it('no auth is rejected', async () => {
+    const res = await request(app).get('/api/actions');
+    expect(res.status).toBe(401);
+  });
+  it('risky run queues; appears in /pending; reject resolves it (owner)', async () => {
+    const run = await auth(request(app).post('/api/actions/stop-ct107/run'));
+    expect(run.status).toBe(200);
+    expect(run.body.queued).toBe(true);
+    const pend = await auth(request(app).get('/api/actions/pending'));
+    expect(pend.body.pending.some(p => p.id === run.body.action_row_id)).toBe(true);
+    const rej = await auth(request(app).post(`/api/actions/pending/${run.body.action_row_id}/reject`));
+    expect(rej.body.status).toBe('rejected');
+  });
+});