fix: VIS-04 + F-5 — conditional TestFlowBanner + gate setup/status post-auth

VIS-04: ModelLab TestFlowBanner now checks `models.length > 0 && !modelError`
before showing "Model configured. Run adversarial attacks?" — prevents
contradictory state when the main panel is in error.

F-5: /api/setup/status now returns 401 to unauthenticated callers once setup
is complete (users exist). Pre-setup (no users), the endpoint remains open
so the setup wizard can render. Prevents minor recon of instance provisioning
state.

Also: model-lab.test.tsx mock updated for useModelContext import.

Verified: typecheck PASS, vitest 6252/6252.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: SchenLong

packages/dojolm-web/src/app/api/setup/status/route.ts

@@ -2,12 +2,18 @@
  * File: /api/setup/status/route.ts
  * Purpose: Returns whether initial setup is needed (no users in DB)
  * Story: Setup Wizard
+ *
+ * Security (F-5, 2026-04-16): Once setup is complete (users exist), this
+ * endpoint returns 401 to unauthenticated callers. Only the login page
+ * and authenticated sessions may check setup status post-setup — this
+ * prevents unauthenticated recon from learning whether the instance has
+ * been provisioned.
  */
 
 import { NextResponse } from 'next/server';
 import { isDemoMode } from '@/lib/demo';
 
-export async function GET() {
+export async function GET(req: Request) {
   // Demo mode: always show setup wizard on page load
   if (isDemoMode()) {
     return NextResponse.json({ needsSetup: true });
@@ -16,7 +22,23 @@ export async function GET() {
   try {
     const { userRepo } = await import('@/lib/db/repositories/user.repository');
     const count = userRepo.countUsers();
-    return NextResponse.json({ needsSetup: count === 0 });
+
+    // Setup incomplete (no users) — always allow so the setup wizard can render
+    if (count === 0) {
+      return NextResponse.json({ needsSetup: true });
+    }
+
+    // Setup complete — gate behind auth to prevent unauthenticated recon (F-5)
+    const { getSessionFromRequest } = await import('@/lib/auth/session');
+    const session = getSessionFromRequest(req);
+    if (!session) {
+      return NextResponse.json(
+        { error: 'Authentication required' },
+        { status: 401 }
+      );
+    }
+
+    return NextResponse.json({ needsSetup: false });
   } catch {
     return NextResponse.json(
       { error: 'Failed to check setup status' },

packages/dojolm-web/src/components/__tests__/model-lab.test.tsx

@@ -80,6 +80,7 @@ vi.mock('@/lib/contexts', () => ({
   LLMModelProvider: ({ children }: { children: ReactNode }) => <>{children}</>,
   LLMExecutionProvider: ({ children }: { children: ReactNode }) => <>{children}</>,
   LLMResultsProvider: ({ children }: { children: ReactNode }) => <>{children}</>,
+  useModelContext: () => ({ models: [{ id: 'test-model' }], error: null, isLoading: false }),
 }))
 
 vi.mock('@/components/reports/ConsolidatedReportButton', () => ({

packages/dojolm-web/src/components/llm/ModelLab.tsx

@@ -16,7 +16,7 @@ import { ModelList } from './ModelList';
 import { ComparisonView } from './ComparisonView';
 import { CustomProviderBuilder } from './CustomProviderBuilder';
 import { JutsuTab } from './JutsuTab';
-import { LLMModelProvider, LLMExecutionProvider, LLMResultsProvider } from '@/lib/contexts';
+import { LLMModelProvider, LLMExecutionProvider, LLMResultsProvider, useModelContext } from '@/lib/contexts';
 import { Brain, GitCompare, Wrench, ScrollText, Crosshair } from 'lucide-react';
 import { TestFlowBanner } from '@/components/ui/TestFlowBanner';
 import { GuardBadge } from '@/components/guard';
@@ -50,6 +50,7 @@ const VALID_TABS: readonly ModelLabTab[] = ['models', 'compare', 'jutsu', 'custo
 export function ModelLab({ initialTab = 'models' }: ModelLabProps) {
   const [activeTab, setActiveTab] = useState<ModelLabTab>(initialTab);
   const { setActiveTab: navigateTo } = useNavigation();
+  const { models, error: modelError } = useModelContext();
 
   return (
     <div className="space-y-6">
@@ -109,7 +110,7 @@ export function ModelLab({ initialTab = 'models' }: ModelLabProps) {
       </Tabs>
 
       <TestFlowBanner
-        show={true}
+        show={models.length > 0 && !modelError}
         message="Model configured. Run adversarial attacks against it?"
         actionLabel="Open Atemi Lab"
         targetNavId="adversarial"