test(server): 增强 auth/ws/sse 测试覆盖率

- auth/token.ts: 50% → 100%
  - 新增 authMiddleware 中间件完整测试
  - 覆盖本地 IP 检测、远程认证、跳过路径等场景
  - 新增 getAuthContext 测试

- ws.ts: 90% → 98%
  - 新增 Blob/非标准数据类型处理测试
  - 新增 addMessage 返回 null 场景测试
  - 新增 tool_response 和 permission_response 边界测试

- sse.ts: 新增事件格式化和统计测试

测试数量: 344 → 369 (+25)
总体覆盖率: 80.82% → 82.98%

packages/server/tests/unit/ws.test.ts

@@ -202,6 +202,94 @@ describe('WebSocket Handler', () => {
         content: '',
       });
     });
+
+    it('处理 Blob 数据', async () => {
+      const ws = createMockWSContext();
+
+      const message = { type: 'message', payload: { content: 'Blob test' } };
+      const blob = new Blob([JSON.stringify(message)]);
+
+      await handleWebSocketMessage(ws as any, 'session-1', blob);
+
+      expect(mockAddMessage).toHaveBeenCalledWith('session-1', {
+        role: 'user',
+        content: 'Blob test',
+      });
+    });
+
+    it('处理非标准数据类型（转为字符串）', async () => {
+      const ws = createMockWSContext();
+
+      // 使用一个对象作为数据，它会被 String() 转换
+      const message = { type: 'cancel' };
+      const objData = { toString: () => JSON.stringify(message) };
+
+      await handleWebSocketMessage(ws as any, 'session-1', objData);
+
+      expect(cancelProcessing).toHaveBeenCalledWith('session-1');
+    });
+
+    it('addMessage 返回 null 时不调用 processMessage', async () => {
+      const ws = createMockWSContext();
+      mockAddMessage.mockReturnValue(null);
+
+      const message = JSON.stringify({
+        type: 'message',
+        payload: { content: 'Test' },
+      });
+
+      await handleWebSocketMessage(ws as any, 'session-1', message);
+
+      expect(mockAddMessage).toHaveBeenCalled();
+      expect(processMessage).not.toHaveBeenCalled();
+    });
+
+    it('处理 tool_response 类型消息（TODO 场景）', async () => {
+      const ws = createMockWSContext();
+      const message = JSON.stringify({
+        type: 'tool_response',
+        payload: { toolId: 'tool-123', result: 'success' },
+      });
+
+      // 当前实现是 TODO，所以不会有任何处理
+      await handleWebSocketMessage(ws as any, 'session-1', message);
+
+      // 不应该发送错误消息
+      expect(ws.send).not.toHaveBeenCalledWith(
+        expect.stringContaining('"type":"error"')
+      );
+    });
+
+    it('permission_response 无 requestId 时不调用 handler', async () => {
+      const ws = createMockWSContext();
+      const message = JSON.stringify({
+        type: 'permission_response',
+        payload: { allow: true },
+      });
+
+      await handleWebSocketMessage(ws as any, 'session-1', message);
+
+      expect(handlePermissionResponse).not.toHaveBeenCalled();
+    });
+
+    it('permission_response handler 返回 false 时打印警告', async () => {
+      const consoleWarnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      const { handlePermissionResponse: mockHandler } = await import('../../src/permission/handler.js');
+      vi.mocked(mockHandler).mockReturnValue(false);
+
+      const ws = createMockWSContext();
+      const message = JSON.stringify({
+        type: 'permission_response',
+        payload: { requestId: 'unknown-req', allow: true },
+      });
+
+      await handleWebSocketMessage(ws as any, 'session-1', message);
+
+      expect(consoleWarnSpy).toHaveBeenCalledWith(
+        expect.stringContaining('unknown-req')
+      );
+      consoleWarnSpy.mockRestore();
+    });
   });
 
   describe('handleWebSocketClose - 关闭处理', () => {