refactor: Phase 3 — reorganize tests into module-mirroring subdirectories

Move 97 test files from flat tests/ into 13 subdirectories:
  tests/dashboard/   (8 files — routes, mobile, mission control)
  tests/swarm/       (17 files — coordinator, docker, routing, tasks)
  tests/timmy/       (12 files — agent, backends, CLI, tools)
  tests/self_coding/  (14 files — git safety, indexer, self-modify)
  tests/lightning/   (3 files — L402, LND, interface)
  tests/creative/    (8 files — assembler, director, image/music/video)
  tests/integrations/ (10 files — chat bridge, telegram, voice, websocket)
  tests/mcp/         (4 files — bootstrap, discovery, executor)
  tests/spark/       (3 files — engine, tools, events)
  tests/hands/       (3 files — registry, oracle, phase5)
  tests/scripture/   (1 file)
  tests/infrastructure/ (3 files — router cascade, API)
  tests/security/    (3 files — XSS, regression)

Fix Path(__file__) reference in test_mobile_scenarios.py for new depth.
Add __init__.py to all test subdirectories.

Tests: 1503 passed, 9 failed (pre-existing), 53 errors (pre-existing)

https://claude.ai/code/session_019oMFNvD8uSGSSmBMGkBfQN

tests/security/test_security_fixes_xss.py

@@ -0,0 +1,69 @@
+import pytest
+from fastapi.templating import Jinja2Templates
+
+def test_agent_chat_msg_xss_prevention():
+    """Verify XSS prevention in agent_chat_msg.html."""
+    templates = Jinja2Templates(directory="src/dashboard/templates")
+    payload = "<script>alert('xss')</script>"
+    class MockAgent:
+        def __init__(self):
+            self.name = "TestAgent"
+            self.id = "test-agent"
+    
+    response = templates.get_template("partials/agent_chat_msg.html").render({
+        "message": payload,
+        "response": payload,
+        "error": payload,
+        "agent": MockAgent(),
+        "timestamp": "12:00:00"
+    })
+    
+    # Check that payload is escaped
+    assert "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" in response
+    assert payload not in response
+
+def test_agent_panel_xss_prevention():
+    """Verify XSS prevention in agent_panel.html."""
+    templates = Jinja2Templates(directory="src/dashboard/templates")
+    payload = "<script>alert('xss')</script>"
+    class MockAgent:
+        def __init__(self):
+            self.name = payload
+            self.id = "test-agent"
+            self.status = "idle"
+            self.capabilities = payload
+            
+    class MockTask:
+        def __init__(self):
+            self.id = "task-1"
+            self.status = type('obj', (object,), {'value': 'completed'})
+            self.created_at = "2026-02-26T12:00:00"
+            self.description = payload
+            self.result = payload
+
+    response = templates.get_template("partials/agent_panel.html").render({
+        "agent": MockAgent(),
+        "tasks": [MockTask()]
+    })
+    
+    assert "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" in response
+    assert payload not in response
+
+def test_swarm_sidebar_xss_prevention():
+    """Verify XSS prevention in swarm_agents_sidebar.html."""
+    templates = Jinja2Templates(directory="src/dashboard/templates")
+    payload = "<script>alert('xss')</script>"
+    class MockAgent:
+        def __init__(self):
+            self.name = payload
+            self.id = "test-agent"
+            self.status = "idle"
+            self.capabilities = payload
+            self.last_seen = "2026-02-26T12:00:00"
+
+    response = templates.get_template("partials/swarm_agents_sidebar.html").render({
+        "agents": [MockAgent()]
+    })
+    
+    assert "&lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;" in response
+    assert payload not in response

tests/security/test_security_regression.py

@@ -0,0 +1,75 @@
+import hmac
+import hashlib
+import base64
+import pytest
+from timmy_serve.l402_proxy import create_l402_challenge, verify_l402_token, Macaroon, _sign
+
+def test_l402_macaroon_forgery_prevention():
+    """Test that knowing the hmac_secret is not enough to forge a macaroon.
+    
+    The forgery attempt uses the same hmac_secret found in a valid macaroon
+    but doesn't know the server's internal _MACAROON_SECRET.
+    """
+    # 1. Create a valid challenge
+    challenge = create_l402_challenge(100, "valid")
+    valid_token = challenge["macaroon"]
+    
+    # 2. Extract components from the valid macaroon
+    valid_mac = Macaroon.deserialize(valid_token)
+    assert valid_mac is not None
+    
+    # 3. Attempt to forge a macaroon for a different (unpaid) identifier
+    # but using the same hmac_secret and the same signing logic a naive 
+    # attacker might assume (if it was just hmac(hmac_secret, identifier)).
+    fake_identifier = "forged-payment-hash"
+    
+    # Naive forgery attempt:
+    fake_signature = hmac.new(
+        valid_mac.hmac_secret.encode(), 
+        fake_identifier.encode(), 
+        hashlib.sha256
+    ).hexdigest()
+    
+    fake_mac = Macaroon(
+        identifier=fake_identifier,
+        signature=fake_signature,
+        hmac_secret=valid_mac.hmac_secret,
+        version=valid_mac.version,
+        location=valid_mac.location
+    )
+    fake_token = fake_mac.serialize()
+    
+    # 4. Verification should fail because the server uses two-key derivation
+    assert verify_l402_token(fake_token) is False
+
+def test_xss_protection_in_templates():
+    """Verify that templates now use the escape filter for user-controlled content."""
+    templates_to_check = [
+        ("src/dashboard/templates/partials/chat_message.html", "{{ user_message | e }}"),
+        ("src/dashboard/templates/partials/history.html", "{{ msg.content | e }}"),
+        ("src/dashboard/templates/briefing.html", "{{ briefing.summary | e }}"),
+        ("src/dashboard/templates/partials/approval_card_single.html", "{{ item.title | e }}"),
+        ("src/dashboard/templates/marketplace.html", "{{ agent.name | e }}"),
+    ]
+    
+    for path, expected_snippet in templates_to_check:
+        with open(path, "r") as f:
+            content = f.read()
+            assert expected_snippet in content, f"XSS fix missing in {path}"
+
+def test_macaroon_serialization_v2():
+    """Test that the new serialization format includes the hmac_secret."""
+    mac = Macaroon(identifier="id", signature="sig", hmac_secret="secret")
+    serialized = mac.serialize()
+    
+    # Decode manually to check parts
+    raw = base64.urlsafe_b64decode(serialized.encode()).decode()
+    parts = raw.split(":")
+    assert len(parts) == 5
+    assert parts[2] == "id"
+    assert parts[3] == "sig"
+    assert parts[4] == "secret"
+    
+    # Test deserialization
+    restored = Macaroon.deserialize(serialized)
+    assert restored.hmac_secret == "secret"

tests/security/test_xss_prevention.py

@@ -0,0 +1,25 @@
+"""Regression tests for XSS prevention in the dashboard."""
+
+import pytest
+from fastapi.testclient import TestClient
+
+def test_mobile_test_page_xss_prevention(client: TestClient):
+    """
+    Verify that the mobile-test page uses safer DOM manipulation.
+    This test checks the template content for the presence of textContent 
+    and proper usage of innerHTML for known safe constants.
+    """
+    response = client.get("/mobile-test")
+    assert response.status_code == 200
+    content = response.text
+    
+    # Check that we are using textContent for dynamic content
+    assert "textContent =" in content
+    
+    # Check that we've updated the summaryBody.innerHTML usage to be safer
+    # or replaced with appendChild/textContent where appropriate.
+    # The fix uses innerHTML with template literals for structural parts 
+    # but textContent for data parts.
+    assert "summaryBody.innerHTML = '';" in content
+    assert "p.textContent =" in content
+    assert "statusMsg.textContent =" in content