feat(yerin): global security chat endpoint /api/security/yerin

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

tests/api/security_yerin.test.js

@@ -0,0 +1,39 @@
+import { describe, it, expect, beforeAll } from 'vitest';
+import { fileURLToPath } from 'url';
+import request from 'supertest';
+import { pool } from '../../lib/db/pool.js';
+import { createApp } from '../../server.js';
+import { resetDb } from '../helpers/db.js';
+import { migrateUp } from '../../lib/db/migrate.js';
+
+const FAKE = fileURLToPath(new URL('../fixtures/fake-claude-security.js', import.meta.url));
+let app;
+beforeAll(async () => {
+  await resetDb(); await migrateUp();
+  process.env.OWNER_TOKEN = 'test-token';
+  app = createApp();
+  app.locals.claudeExe = FAKE;
+});
+const auth = (r) => r.set('Authorization', 'Bearer test-token');
+
+describe('Yerin security API', () => {
+  it('GET creates the global conversation and returns Yerin + empty history', async () => {
+    const res = await auth(request(app).get('/api/security/yerin'));
+    expect(res.status).toBe(200);
+    expect(res.body.agent.slug).toBe('yerin');
+    expect(res.body.conversation_id).toBeTruthy();
+    expect(res.body.messages).toEqual([]);
+  });
+  it('POST /turn streams SSE and persists user+assistant; no draft event', async () => {
+    const res = await auth(request(app).post('/api/security/yerin/turn')).send({ text: 'any new threats?' });
+    expect(res.status).toBe(200);
+    expect(res.headers['content-type']).toMatch(/text\/event-stream/);
+    expect(res.text).toMatch(/event: delta/);
+    expect(res.text).toMatch(/event: tool/);
+    expect(res.text).toMatch(/event: done/);
+    expect(res.text).not.toMatch(/event: draft/);
+    const { rows: msgs } = await pool.query(`SELECT role, body FROM messages ORDER BY created_at`);
+    expect(msgs.map(m => m.role)).toEqual(['user', 'assistant']);
+    expect(msgs[1].body).toBe('No new threats.');
+  });
+});