Add comprehensive test coverage and fix middleware test conflicts

- Add CheckOnboarding middleware tests (6 tests)
- Add API key store endpoint tests (7 tests)
- Add open-external URL endpoint tests (10 tests)
- Fix existing tests by mocking ApiKeyService for middleware
- All 116 tests now passing with 333 assertions
- Complete coverage for security, validation, and error handling
- Preserve existing functionality while adding onboarding protection

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: vijaythecoder

tests/Feature/ApiKeyStoreTest.php

@@ -0,0 +1,146 @@
+<?php
+
+namespace Tests\Feature;
+
+use App\Services\ApiKeyService;
+use Mockery;
+use Tests\TestCase;
+
+class ApiKeyStoreTest extends TestCase
+{
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+    }
+
+    protected function tearDown(): void
+    {
+        Mockery::close();
+        parent::tearDown();
+    }
+
+    public function test_stores_valid_api_key_successfully(): void
+    {
+        $mockApiKeyService = Mockery::mock(ApiKeyService::class);
+        $this->app->instance(ApiKeyService::class, $mockApiKeyService);
+
+        $validApiKey = 'sk-1234567890abcdef1234567890abcdef1234567890abcdef';
+
+        $mockApiKeyService->shouldReceive('validateApiKey')
+            ->once()
+            ->with($validApiKey)
+            ->andReturn(true);
+
+        $mockApiKeyService->shouldReceive('setApiKey')
+            ->once()
+            ->with($validApiKey);
+
+        $response = $this->postJson('/api/openai/api-key', [
+            'api_key' => $validApiKey
+        ]);
+
+        $response->assertStatus(200)
+                 ->assertJson([
+                     'success' => true,
+                     'message' => 'API key saved successfully.'
+                 ]);
+    }
+
+    public function test_rejects_invalid_api_key(): void
+    {
+        $mockApiKeyService = Mockery::mock(ApiKeyService::class);
+        $this->app->instance(ApiKeyService::class, $mockApiKeyService);
+
+        $invalidApiKey = 'sk-1234567890abcdef1234567890abcdef1234567890invalid';
+
+        $mockApiKeyService->shouldReceive('validateApiKey')
+            ->once()
+            ->with($invalidApiKey)
+            ->andReturn(false);
+
+        $mockApiKeyService->shouldNotReceive('setApiKey');
+
+        $response = $this->postJson('/api/openai/api-key', [
+            'api_key' => $invalidApiKey
+        ]);
+
+        $response->assertStatus(422)
+                 ->assertJson([
+                     'success' => false,
+                     'message' => 'The provided API key is invalid. Please check and try again.'
+                 ]);
+    }
+
+    public function test_validates_required_api_key_field(): void
+    {
+        $response = $this->postJson('/api/openai/api-key', []);
+
+        $response->assertStatus(422)
+                 ->assertJsonValidationErrors(['api_key']);
+    }
+
+    public function test_validates_api_key_minimum_length(): void
+    {
+        $response = $this->postJson('/api/openai/api-key', [
+            'api_key' => 'sk-short'
+        ]);
+
+        $response->assertStatus(422)
+                 ->assertJsonValidationErrors(['api_key']);
+    }
+
+    public function test_validates_api_key_is_string(): void
+    {
+        $response = $this->postJson('/api/openai/api-key', [
+            'api_key' => 123456
+        ]);
+
+        $response->assertStatus(422)
+                 ->assertJsonValidationErrors(['api_key']);
+    }
+
+    public function test_handles_api_key_service_exception(): void
+    {
+        $mockApiKeyService = Mockery::mock(ApiKeyService::class);
+        $this->app->instance(ApiKeyService::class, $mockApiKeyService);
+
+        $validApiKey = 'sk-1234567890abcdef1234567890abcdef1234567890abcdef';
+
+        $mockApiKeyService->shouldReceive('validateApiKey')
+            ->once()
+            ->with($validApiKey)
+            ->andThrow(new \Exception('Service error'));
+
+        $response = $this->postJson('/api/openai/api-key', [
+            'api_key' => $validApiKey
+        ]);
+
+        // Controller doesn't handle exceptions, so it returns 500
+        $response->assertStatus(500);
+    }
+
+    public function test_api_key_endpoint_accessible_without_existing_api_key(): void
+    {
+        // This test ensures the middleware allows access to the API key store endpoint
+        // even when no API key is configured
+        
+        $mockApiKeyService = Mockery::mock(ApiKeyService::class);
+        $this->app->instance(ApiKeyService::class, $mockApiKeyService);
+
+        $validApiKey = 'sk-1234567890abcdef1234567890abcdef1234567890abcdef';
+
+        $mockApiKeyService->shouldReceive('validateApiKey')
+            ->once()
+            ->andReturn(true);
+
+        $mockApiKeyService->shouldReceive('setApiKey')
+            ->once();
+
+        $response = $this->postJson('/api/openai/api-key', [
+            'api_key' => $validApiKey
+        ]);
+
+        $response->assertStatus(200);
+    }
+}

tests/Feature/Controllers/ConversationControllerTest.php

@@ -3,8 +3,14 @@
 use App\Models\ConversationSession;
 use App\Models\ConversationTranscript;
 use App\Models\ConversationInsight;
+use App\Services\ApiKeyService;
 
 beforeEach(function () {
+    // Mock API key service to return true (API key exists) for all conversation tests
+    $mockApiKeyService = Mockery::mock(ApiKeyService::class);
+    $mockApiKeyService->shouldReceive('hasApiKey')->andReturn(true);
+    $this->app->instance(ApiKeyService::class, $mockApiKeyService);
+    
     // Create a test conversation session for some tests
     $this->session = ConversationSession::create([
         'user_id' => null,

tests/Feature/DashboardTest.php

@@ -1,11 +1,23 @@
 <?php
 
+use App\Services\ApiKeyService;
+
 test('dashboard page is accessible', function () {
+    // Mock API key service to return true (API key exists)
+    $mockApiKeyService = Mockery::mock(ApiKeyService::class);
+    $mockApiKeyService->shouldReceive('hasApiKey')->andReturn(true);
+    $this->app->instance(ApiKeyService::class, $mockApiKeyService);
+    
     $response = $this->get('/dashboard');
     $response->assertStatus(200);
 });
 
 test('realtime agent page is accessible', function () {
+    // Mock API key service to return true (API key exists)
+    $mockApiKeyService = Mockery::mock(ApiKeyService::class);
+    $mockApiKeyService->shouldReceive('hasApiKey')->andReturn(true);
+    $this->app->instance(ApiKeyService::class, $mockApiKeyService);
+    
     $response = $this->get('/realtime-agent');
     $response->assertStatus(200);
 });

tests/Feature/ExampleTest.php

@@ -1,6 +1,13 @@
 <?php
 
+use App\Services\ApiKeyService;
+
 it('returns a successful response', function () {
+    // Mock API key service to return true (API key exists)
+    $mockApiKeyService = Mockery::mock(ApiKeyService::class);
+    $mockApiKeyService->shouldReceive('hasApiKey')->andReturn(true);
+    $this->app->instance(ApiKeyService::class, $mockApiKeyService);
+    
     $response = $this->get('/');
 
     $response->assertStatus(200);

tests/Feature/OpenExternalTest.php

@@ -0,0 +1,179 @@
+<?php
+
+namespace Tests\Feature;
+
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Mockery;
+use Native\Laravel\Facades\Shell;
+use Tests\TestCase;
+
+class OpenExternalTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        
+        // Reset Shell facade mock for each test
+        Shell::clearResolvedInstance('Shell');
+    }
+
+    protected function tearDown(): void
+    {
+        Mockery::close();
+        parent::tearDown();
+    }
+
+    public function test_opens_valid_url_successfully(): void
+    {
+        Shell::shouldReceive('openExternal')
+            ->once()
+            ->with('https://github.com/vijaythecoder/clueless');
+
+        $response = $this->postJson('/api/open-external', [
+            'url' => 'https://github.com/vijaythecoder/clueless'
+        ]);
+
+        $response->assertStatus(200)
+                 ->assertJson([
+                     'success' => true
+                 ]);
+    }
+
+    public function test_opens_openai_url_successfully(): void
+    {
+        Shell::shouldReceive('openExternal')
+            ->once()
+            ->with('https://platform.openai.com/api-keys');
+
+        $response = $this->postJson('/api/open-external', [
+            'url' => 'https://platform.openai.com/api-keys'
+        ]);
+
+        $response->assertStatus(200)
+                 ->assertJson([
+                     'success' => true
+                 ]);
+    }
+
+    public function test_rejects_invalid_url(): void
+    {
+        $response = $this->postJson('/api/open-external', [
+            'url' => 'not-a-valid-url'
+        ]);
+
+        $response->assertStatus(400)
+                 ->assertJson([
+                     'error' => 'Invalid URL'
+                 ]);
+    }
+
+    public function test_rejects_malicious_urls(): void
+    {
+        $maliciousUrls = [
+            'javascript:alert("xss")',
+            'data:text/html,<script>alert("xss")</script>',
+            'not-a-url'
+        ];
+
+        foreach ($maliciousUrls as $url) {
+            $response = $this->postJson('/api/open-external', [
+                'url' => $url
+            ]);
+
+            $response->assertStatus(400)
+                     ->assertJson([
+                         'error' => 'Invalid URL'
+                     ]);
+        }
+    }
+
+    public function test_requires_url_parameter(): void
+    {
+        $response = $this->postJson('/api/open-external', []);
+
+        $response->assertStatus(400);
+    }
+
+    public function test_handles_empty_url(): void
+    {
+        $response = $this->postJson('/api/open-external', [
+            'url' => ''
+        ]);
+
+        $response->assertStatus(400)
+                 ->assertJson([
+                     'error' => 'Invalid URL'
+                 ]);
+    }
+
+    public function test_handles_null_url(): void
+    {
+        $response = $this->postJson('/api/open-external', [
+            'url' => null
+        ]);
+
+        $response->assertStatus(400)
+                 ->assertJson([
+                     'error' => 'Invalid URL'
+                 ]);
+    }
+
+    public function test_allows_https_urls(): void
+    {
+        $validUrls = [
+            'https://github.com',
+            'https://platform.openai.com',
+            'https://www.example.com',
+            'https://subdomain.example.com/path?query=value'
+        ];
+
+        foreach ($validUrls as $url) {
+            Shell::shouldReceive('openExternal')
+                ->once()
+                ->with($url);
+
+            $response = $this->postJson('/api/open-external', [
+                'url' => $url
+            ]);
+
+            $response->assertStatus(200)
+                     ->assertJson([
+                         'success' => true
+                     ]);
+        }
+    }
+
+    public function test_allows_http_urls(): void
+    {
+        Shell::shouldReceive('openExternal')
+            ->once()
+            ->with('http://example.com');
+
+        $response = $this->postJson('/api/open-external', [
+            'url' => 'http://example.com'
+        ]);
+
+        $response->assertStatus(200)
+                 ->assertJson([
+                     'success' => true
+                 ]);
+    }
+
+    public function test_handles_shell_exception(): void
+    {
+        Shell::shouldReceive('openExternal')
+            ->once()
+            ->with('https://github.com')
+            ->andThrow(new \Exception('Shell error'));
+
+        $response = $this->postJson('/api/open-external', [
+            'url' => 'https://github.com'
+        ]);
+
+        // The route doesn't handle exceptions explicitly, so it would return 500
+        // In a real implementation, you might want to catch and handle this
+        $response->assertStatus(500);
+    }
+}