test(coverage): channels incremental push (71→73%)

- presentation.rs: split_sentences, group_sentences, merge_short,
  segment_delay monotonic/bounded, is_structured_content detection,
  segment_for_delivery edge cases.
- runtime/dispatch.rs: contains_any, starts_with_any, full coverage of
  select_acknowledgment_reaction across all 7 categories + deterministic
  + empty/single-char inputs.
- commands.rs: doctor_channels with telegram/discord/slack/imessage/
  multiple-config branches.
- discord/api: check_channel_permissions mock-server tests — admin bypass,
  all-missing, everyone-allow, channel overwrite deny, member lookup
  failure. Added check_channel_permissions_at_base seam.
- lark: should_refresh_last_recv, LarkChannel::new, is_user_allowed
  wildcard/empty allowlist, parse_event_payload edge cases (unsupported
  type / empty sender / missing event / post type).
- email_channel: is_sender_allowed full matrix (empty/wildcard/exact/
  @-prefix/bare-domain/subdomain-confusion), strip_html empty/tags-only/
  unclosed/whitespace collapse.
- voice/schemas: tolerate event interleaving in broadcast-channel test
  (schema bus is process-global).

Author: CodeGhost21

src/openhuman/channels/commands.rs

@@ -308,4 +308,89 @@ mod tests {
         config.channels_config = crate::openhuman::config::ChannelsConfig::default();
         doctor_channels(config).await.unwrap();
     }
+
+    #[tokio::test]
+    async fn doctor_channels_runs_with_telegram_config() {
+        use crate::openhuman::config::{StreamMode, TelegramConfig};
+        let mut config = Config::default();
+        config.channels_config = crate::openhuman::config::ChannelsConfig::default();
+        config.channels_config.telegram = Some(TelegramConfig {
+            bot_token: "fake:token".into(),
+            allowed_users: vec!["user1".into()],
+            stream_mode: StreamMode::default(),
+            draft_update_interval_ms: 2000,
+            mention_only: false,
+        });
+        let _ = doctor_channels(config).await;
+    }
+
+    #[tokio::test]
+    async fn doctor_channels_runs_with_discord_config() {
+        use crate::openhuman::config::DiscordConfig;
+        let mut config = Config::default();
+        config.channels_config = crate::openhuman::config::ChannelsConfig::default();
+        config.channels_config.discord = Some(DiscordConfig {
+            bot_token: "fake".into(),
+            guild_id: Some("123".into()),
+            channel_id: Some("456".into()),
+            allowed_users: vec![],
+            listen_to_bots: false,
+            mention_only: true,
+        });
+        let _ = doctor_channels(config).await;
+    }
+
+    #[tokio::test]
+    async fn doctor_channels_runs_with_slack_config() {
+        use crate::openhuman::config::SlackConfig;
+        let mut config = Config::default();
+        config.channels_config = crate::openhuman::config::ChannelsConfig::default();
+        config.channels_config.slack = Some(SlackConfig {
+            bot_token: "fake".into(),
+            app_token: None,
+            channel_id: Some("C123".into()),
+            allowed_users: vec![],
+        });
+        let _ = doctor_channels(config).await;
+    }
+
+    #[tokio::test]
+    async fn doctor_channels_runs_with_imessage_config() {
+        use crate::openhuman::config::IMessageConfig;
+        let mut config = Config::default();
+        config.channels_config = crate::openhuman::config::ChannelsConfig::default();
+        config.channels_config.imessage = Some(IMessageConfig {
+            allowed_contacts: vec!["a@b.com".into()],
+        });
+        let _ = doctor_channels(config).await;
+    }
+
+    #[tokio::test]
+    async fn doctor_channels_runs_with_multiple_channels() {
+        use crate::openhuman::config::{DiscordConfig, SlackConfig, StreamMode, TelegramConfig};
+        let mut config = Config::default();
+        config.channels_config = crate::openhuman::config::ChannelsConfig::default();
+        config.channels_config.telegram = Some(TelegramConfig {
+            bot_token: "fake".into(),
+            allowed_users: vec![],
+            stream_mode: StreamMode::default(),
+            draft_update_interval_ms: 2000,
+            mention_only: false,
+        });
+        config.channels_config.discord = Some(DiscordConfig {
+            bot_token: "fake".into(),
+            guild_id: Some("123".into()),
+            channel_id: Some("456".into()),
+            allowed_users: vec![],
+            listen_to_bots: false,
+            mention_only: false,
+        });
+        config.channels_config.slack = Some(SlackConfig {
+            bot_token: "fake".into(),
+            app_token: None,
+            channel_id: Some("C123".into()),
+            allowed_users: vec![],
+        });
+        let _ = doctor_channels(config).await;
+    }
 }

src/openhuman/channels/providers/discord/api.rs

@@ -130,9 +130,19 @@ pub async fn check_channel_permissions(
     token: &str,
     guild_id: &str,
     channel_id: &str,
+) -> anyhow::Result<BotPermissionCheck> {
+    check_channel_permissions_at_base(DISCORD_API_BASE, token, guild_id, channel_id).await
+}
+
+/// Test seam: see [`check_channel_permissions`].
+async fn check_channel_permissions_at_base(
+    base: &str,
+    token: &str,
+    guild_id: &str,
+    channel_id: &str,
 ) -> anyhow::Result<BotPermissionCheck> {
     // Fetch the bot's guild member info which includes computed permissions
-    let url = format!("{DISCORD_API_BASE}/guilds/{guild_id}/members/@me");
+    let url = format!("{base}/guilds/{guild_id}/members/@me");
     tracing::debug!(
         "[discord-api] checking permissions in channel {channel_id} (guild {guild_id})"
     );
@@ -152,7 +162,7 @@ pub async fn check_channel_permissions(
     let member: serde_json::Value = resp.json().await?;
 
     // Fetch guild roles to compute permissions
-    let roles_url = format!("{DISCORD_API_BASE}/guilds/{guild_id}/roles");
+    let roles_url = format!("{base}/guilds/{guild_id}/roles");
     let roles_resp = build_client()
         .get(&roles_url)
         .header("Authorization", auth_header(token))
@@ -200,7 +210,7 @@ pub async fn check_channel_permissions(
     }
 
     // Now check channel-level permission overwrites
-    let channel_url = format!("{DISCORD_API_BASE}/channels/{channel_id}");
+    let channel_url = format!("{base}/channels/{channel_id}");
     let ch_resp = build_client()
         .get(&channel_url)
         .header("Authorization", auth_header(token))
@@ -515,4 +525,146 @@ mod tests {
         let channels = list_guild_channels_at_base(&base, "t", "g").await.unwrap();
         assert!(channels.is_empty());
     }
+
+    // ── check_channel_permissions ─────────────────────────────────
+
+    /// Build a mock Discord that answers all three endpoints the permissions
+    /// check touches: `/guilds/<id>/members/@me`, `/guilds/<id>/roles`, and
+    /// `/channels/<id>`.
+    fn permissions_mock(
+        member: serde_json::Value,
+        roles: serde_json::Value,
+        channel: serde_json::Value,
+    ) -> Router {
+        use axum::extract::Path;
+        Router::new()
+            .route(
+                "/guilds/{guild_id}/members/@me",
+                get(move |Path(_g): Path<String>| {
+                    let m = member.clone();
+                    async move { Json(m) }
+                }),
+            )
+            .route(
+                "/guilds/{guild_id}/roles",
+                get(move |Path(_g): Path<String>| {
+                    let r = roles.clone();
+                    async move { Json(r) }
+                }),
+            )
+            .route(
+                "/channels/{channel_id}",
+                get(move |Path(_c): Path<String>| {
+                    let c = channel.clone();
+                    async move { Json(c) }
+                }),
+            )
+    }
+
+    #[tokio::test]
+    async fn check_channel_permissions_administrator_bypasses_everything() {
+        let member = json!({ "roles": ["role-admin"], "user": { "id": "bot-1" } });
+        // Role with Administrator bit (1<<3 = 8) — overrides all other checks.
+        let roles = json!([
+            { "id": "role-admin", "permissions": "8" }
+        ]);
+        let channel = json!({ "permission_overwrites": [] });
+        let base = spawn_mock(permissions_mock(member, roles, channel)).await;
+        let out = check_channel_permissions_at_base(&base, "token", "guild-1", "channel-1")
+            .await
+            .unwrap();
+        assert!(out.can_view_channel);
+        assert!(out.can_send_messages);
+        assert!(out.can_read_message_history);
+        assert!(out.missing_permissions.is_empty());
+    }
+
+    #[tokio::test]
+    async fn check_channel_permissions_flags_missing_bits_when_role_lacks_them() {
+        // No roles grant any of the 3 permissions → all missing.
+        let member = json!({ "roles": ["role-nobody"], "user": { "id": "bot-1" } });
+        let roles = json!([
+            { "id": "role-nobody", "permissions": "0" }
+        ]);
+        let channel = json!({ "permission_overwrites": [] });
+        let base = spawn_mock(permissions_mock(member, roles, channel)).await;
+        let out = check_channel_permissions_at_base(&base, "t", "guild-1", "channel-1")
+            .await
+            .unwrap();
+        assert!(!out.can_view_channel);
+        assert!(!out.can_send_messages);
+        assert!(!out.can_read_message_history);
+        assert!(out
+            .missing_permissions
+            .contains(&"VIEW_CHANNEL".to_string()));
+        assert!(out
+            .missing_permissions
+            .contains(&"SEND_MESSAGES".to_string()));
+        assert!(out
+            .missing_permissions
+            .contains(&"READ_MESSAGE_HISTORY".to_string()));
+    }
+
+    #[tokio::test]
+    async fn check_channel_permissions_grants_everything_when_everyone_role_allows() {
+        // @everyone role (id == guild_id) grants VIEW|SEND|HISTORY
+        // = 1024 | 2048 | 65536 = 68608
+        let member = json!({ "roles": [], "user": { "id": "bot-1" } });
+        let roles = json!([
+            { "id": "guild-1", "permissions": "68608" }
+        ]);
+        let channel = json!({ "permission_overwrites": [] });
+        let base = spawn_mock(permissions_mock(member, roles, channel)).await;
+        let out = check_channel_permissions_at_base(&base, "t", "guild-1", "channel-1")
+            .await
+            .unwrap();
+        assert!(out.can_view_channel);
+        assert!(out.can_send_messages);
+        assert!(out.can_read_message_history);
+        assert!(out.missing_permissions.is_empty());
+    }
+
+    #[tokio::test]
+    async fn check_channel_permissions_channel_overwrite_can_deny_permission() {
+        // @everyone role grants everything, but the channel's @everyone
+        // overwrite denies VIEW_CHANNEL — expect VIEW missing.
+        let member = json!({ "roles": [], "user": { "id": "bot-1" } });
+        let roles = json!([
+            { "id": "guild-1", "permissions": "68608" }
+        ]);
+        let channel = json!({
+            "permission_overwrites": [
+                {
+                    "id": "guild-1",
+                    "type": 0,
+                    "allow": "0",
+                    "deny": "1024"  // VIEW_CHANNEL
+                }
+            ]
+        });
+        let base = spawn_mock(permissions_mock(member, roles, channel)).await;
+        let out = check_channel_permissions_at_base(&base, "t", "guild-1", "channel-1")
+            .await
+            .unwrap();
+        assert!(!out.can_view_channel);
+        assert!(out
+            .missing_permissions
+            .contains(&"VIEW_CHANNEL".to_string()));
+    }
+
+    #[tokio::test]
+    async fn check_channel_permissions_errors_on_member_lookup_failure() {
+        use axum::http::StatusCode;
+        let app = Router::new().route(
+            "/guilds/{guild_id}/members/@me",
+            get(|| async { (StatusCode::UNAUTHORIZED, "bad token") }),
+        );
+        let base = spawn_mock(app).await;
+        let err = check_channel_permissions_at_base(&base, "t", "g", "c")
+            .await
+            .unwrap_err()
+            .to_string();
+        assert!(err.contains("member info failed"));
+        assert!(err.contains("401"));
+    }
 }

src/openhuman/channels/providers/email_channel.rs

@@ -965,4 +965,95 @@ mod tests {
         let debug_str = format!("{:?}", config);
         assert!(debug_str.contains("imap.debug.com"));
     }
+
+    // ── is_sender_allowed comprehensive matrix ─────────────────────
+
+    fn channel_with_allowlist(allowlist: Vec<String>) -> EmailChannel {
+        let cfg = EmailConfig {
+            imap_host: "imap.x".into(),
+            imap_port: 993,
+            imap_folder: "INBOX".into(),
+            smtp_host: "smtp.x".into(),
+            smtp_port: 465,
+            smtp_tls: true,
+            username: "u".into(),
+            password: "p".into(),
+            from_address: "me@x".into(),
+            idle_timeout_secs: 300,
+            allowed_senders: allowlist,
+        };
+        EmailChannel::new(cfg)
+    }
+
+    #[test]
+    fn is_sender_allowed_empty_denies_all() {
+        let ch = channel_with_allowlist(vec![]);
+        assert!(!ch.is_sender_allowed("anyone@any.com"));
+    }
+
+    #[test]
+    fn is_sender_allowed_wildcard_allows_everyone() {
+        let ch = channel_with_allowlist(vec!["*".into()]);
+        assert!(ch.is_sender_allowed("anyone@any.com"));
+        assert!(ch.is_sender_allowed("other@different.com"));
+    }
+
+    #[test]
+    fn is_sender_allowed_full_email_exact_match_case_insensitive() {
+        let ch = channel_with_allowlist(vec!["alice@example.com".into()]);
+        assert!(ch.is_sender_allowed("alice@example.com"));
+        assert!(ch.is_sender_allowed("ALICE@EXAMPLE.COM"));
+        assert!(!ch.is_sender_allowed("bob@example.com"));
+    }
+
+    #[test]
+    fn is_sender_allowed_at_prefix_domain_match() {
+        let ch = channel_with_allowlist(vec!["@trusted.com".into()]);
+        assert!(ch.is_sender_allowed("user@trusted.com"));
+        assert!(ch.is_sender_allowed("other@Trusted.com"));
+        assert!(!ch.is_sender_allowed("user@untrusted.com"));
+    }
+
+    #[test]
+    fn is_sender_allowed_bare_domain_match_is_case_insensitive() {
+        let ch = channel_with_allowlist(vec!["trusted.com".into()]);
+        assert!(ch.is_sender_allowed("user@trusted.com"));
+        assert!(ch.is_sender_allowed("USER@TRUSTED.COM"));
+        assert!(!ch.is_sender_allowed("user@other.com"));
+    }
+
+    #[test]
+    fn is_sender_allowed_prevents_subdomain_confusion() {
+        // "trusted.com" must NOT match "user@malicioustrusted.com"
+        let ch = channel_with_allowlist(vec!["trusted.com".into()]);
+        assert!(!ch.is_sender_allowed("user@notmytrusted.com"));
+        assert!(!ch.is_sender_allowed("user@trusted.com.evil.com"));
+    }
+
+    // ── strip_html edge cases ──────────────────────────────────────
+
+    #[test]
+    fn strip_html_empty_string() {
+        assert_eq!(EmailChannel::strip_html(""), "");
+    }
+
+    #[test]
+    fn strip_html_only_tags() {
+        assert_eq!(EmailChannel::strip_html("<p></p><br/>"), "");
+    }
+
+    #[test]
+    fn strip_html_unclosed_tag_eats_rest_until_gt() {
+        // A '<' without '>' enters tag mode; anything after until a '>' is
+        // discarded. This is the implementation's behaviour — lock it in.
+        assert_eq!(EmailChannel::strip_html("before<never closed"), "before");
+    }
+
+    #[test]
+    fn strip_html_collapses_whitespace_runs() {
+        assert_eq!(
+            EmailChannel::strip_html("<p>hello</p>\n\n\n   <p>world</p>"),
+            "hello world"
+        );
+    }
 }