fix(api): harden user self-service and resource linking

packages/api/src/__tests__/assistant-tools-user-self-service-mfa-status.test.ts

@@ -0,0 +1,52 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { SystemRole } from "@capakraken/shared";
+import {
+  createToolContext,
+  executeTool,
+  totpValidateMock,
+} from "./assistant-tools-user-self-service-mfa-test-helpers.js";
+
+describe("assistant user self-service MFA tools - status", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    totpValidateMock.mockReset();
+  });
+
+  it("returns MFA status through the real user router path", async () => {
+    const db = {
+      user: {
+        findUnique: vi.fn().mockResolvedValue({
+          totpEnabled: true,
+        }),
+      },
+    };
+    const ctx = createToolContext(db, SystemRole.ADMIN);
+
+    const result = await executeTool("get_mfa_status", "{}", ctx);
+
+    expect(db.user.findUnique).toHaveBeenCalledWith({
+      where: { id: "user_1" },
+      select: { totpEnabled: true },
+    });
+    expect(JSON.parse(result.content)).toEqual({
+      totpEnabled: true,
+    });
+  });
+
+  it("returns a stable error when reading MFA status for a missing user", async () => {
+    const ctx = createToolContext(
+      {
+        user: {
+          findUnique: vi.fn().mockResolvedValue(null),
+        },
+      },
+      SystemRole.ADMIN,
+    );
+
+    const result = await executeTool("get_mfa_status", "{}", ctx);
+
+    expect(JSON.parse(result.content)).toEqual({
+      error: "User not found with the given criteria.",
+    });
+  });
+});