test(server): 增强 auth/ws/sse 测试覆盖率

- auth/token.ts: 50% → 100%
  - 新增 authMiddleware 中间件完整测试
  - 覆盖本地 IP 检测、远程认证、跳过路径等场景
  - 新增 getAuthContext 测试

- ws.ts: 90% → 98%
  - 新增 Blob/非标准数据类型处理测试
  - 新增 addMessage 返回 null 场景测试
  - 新增 tool_response 和 permission_response 边界测试

- sse.ts: 新增事件格式化和统计测试

测试数量: 344 → 369 (+25)
总体覆盖率: 80.82% → 82.98%

packages/server/tests/unit/auth/token.test.ts

@@ -5,6 +5,7 @@
  */
 
 import { describe, it, expect, beforeEach, vi } from 'vitest';
+import { Hono } from 'hono';
 import {
   generateToken,
   maskToken,
@@ -15,6 +16,8 @@ import {
   setAuthEnabled,
   validateToken,
   extractToken,
+  authMiddleware,
+  getAuthContext,
 } from '../../../src/auth/token.js';
 import { createMockHonoContext } from '../../mocks/hono.mock.js';
 
@@ -220,4 +223,182 @@ describe('Auth Token', () => {
       expect(token).toBeNull();
     });
   });
+
+  describe('authMiddleware - 认证中间件', () => {
+    let app: Hono;
+
+    beforeEach(() => {
+      app = new Hono();
+      app.use('*', authMiddleware);
+      app.get('/test', (c) => {
+        const auth = getAuthContext(c);
+        return c.json({ auth });
+      });
+      app.get('/health', (c) => c.json({ status: 'ok' }));
+    });
+
+    it('认证禁用时允许所有请求', async () => {
+      initAuth({ enabled: false });
+
+      const res = await app.request('/test');
+      const json = await res.json();
+
+      expect(res.status).toBe(200);
+      expect(json.auth.authenticated).toBe(true);
+    });
+
+    it('跳过配置的路径', async () => {
+      initAuth({ enabled: true, skipPaths: ['/health'] });
+
+      const res = await app.request('/health');
+
+      expect(res.status).toBe(200);
+    });
+
+    it('本地请求 (x-forwarded-for: 127.0.0.1) 跳过认证', async () => {
+      initAuth({ enabled: true, tokens: ['valid-token'] });
+
+      const res = await app.request('/test', {
+        headers: { 'x-forwarded-for': '127.0.0.1' },
+      });
+      const json = await res.json();
+
+      expect(res.status).toBe(200);
+      expect(json.auth.authenticated).toBe(true);
+    });
+
+    it('本地请求 (x-forwarded-for: ::1) 跳过认证', async () => {
+      initAuth({ enabled: true, tokens: ['valid-token'] });
+
+      const res = await app.request('/test', {
+        headers: { 'x-forwarded-for': '::1' },
+      });
+
+      expect(res.status).toBe(200);
+    });
+
+    it('本地请求 (x-real-ip: 192.168.1.1) 跳过认证', async () => {
+      initAuth({ enabled: true, tokens: ['valid-token'] });
+
+      const res = await app.request('/test', {
+        headers: { 'x-real-ip': '192.168.1.1' },
+      });
+
+      expect(res.status).toBe(200);
+    });
+
+    it('本地请求 (x-real-ip: 10.0.0.1) 跳过认证', async () => {
+      initAuth({ enabled: true, tokens: ['valid-token'] });
+
+      const res = await app.request('/test', {
+        headers: { 'x-real-ip': '10.0.0.1' },
+      });
+
+      expect(res.status).toBe(200);
+    });
+
+    it('本地请求 (x-forwarded-for: 172.16.0.1) 跳过认证', async () => {
+      initAuth({ enabled: true, tokens: ['valid-token'] });
+
+      const res = await app.request('/test', {
+        headers: { 'x-forwarded-for': '172.16.0.1' },
+      });
+
+      expect(res.status).toBe(200);
+    });
+
+    it('无代理头时默认为本地请求', async () => {
+      initAuth({ enabled: true, tokens: ['valid-token'] });
+
+      // 不设置任何代理头，应该被视为本地请求
+      const res = await app.request('/test');
+
+      expect(res.status).toBe(200);
+    });
+
+    it('远程请求无 token 时返回 401', async () => {
+      initAuth({ enabled: true, tokens: ['valid-token'] });
+
+      const res = await app.request('/test', {
+        headers: { 'x-forwarded-for': '8.8.8.8' },
+      });
+      const json = await res.json();
+
+      expect(res.status).toBe(401);
+      expect(json.error).toBe('Authentication required');
+    });
+
+    it('远程请求无效 token 时返回 401', async () => {
+      initAuth({ enabled: true, tokens: ['valid-token'] });
+
+      const res = await app.request('/test', {
+        headers: {
+          'x-forwarded-for': '8.8.8.8',
+          authorization: 'Bearer invalid-token',
+        },
+      });
+      const json = await res.json();
+
+      expect(res.status).toBe(401);
+      expect(json.error).toBe('Invalid token');
+    });
+
+    it('远程请求有效 token 时通过认证', async () => {
+      initAuth({ enabled: true, tokens: ['valid-token'] });
+
+      const res = await app.request('/test', {
+        headers: {
+          'x-forwarded-for': '8.8.8.8',
+          authorization: 'Bearer valid-token',
+        },
+      });
+      const json = await res.json();
+
+      expect(res.status).toBe(200);
+      expect(json.auth.authenticated).toBe(true);
+      expect(json.auth.tokenHint).toBe('vali...oken');
+    });
+
+    it('query parameter token 也可以认证', async () => {
+      initAuth({ enabled: true, tokens: ['query-token-12345'] });
+
+      const res = await app.request('/test?token=query-token-12345', {
+        headers: { 'x-forwarded-for': '8.8.8.8' },
+      });
+      const json = await res.json();
+
+      expect(res.status).toBe(200);
+      expect(json.auth.authenticated).toBe(true);
+    });
+
+    it('x-forwarded-for 多个 IP 时使用第一个', async () => {
+      initAuth({ enabled: true, tokens: ['valid-token'] });
+
+      // 第一个是本地 IP
+      const res = await app.request('/test', {
+        headers: { 'x-forwarded-for': '127.0.0.1, 8.8.8.8, 1.1.1.1' },
+      });
+
+      expect(res.status).toBe(200);
+    });
+  });
+
+  describe('getAuthContext - 获取认证上下文', () => {
+    it('未设置时返回 authenticated: false', () => {
+      const c = createMockHonoContext();
+      (c.get as any) = vi.fn().mockReturnValue(undefined);
+
+      const auth = getAuthContext(c as any);
+      expect(auth.authenticated).toBe(false);
+    });
+
+    it('已设置时返回设置的值', () => {
+      const c = createMockHonoContext();
+      const mockAuth = { authenticated: true, tokenHint: 'test...hint' };
+      (c.get as any) = vi.fn().mockReturnValue(mockAuth);
+
+      const auth = getAuthContext(c as any);
+      expect(auth).toEqual(mockAuth);
+    });
+  });
 });