Polish user actions and runtime controls

server/app.test.ts

@@ -36,6 +36,16 @@ class FakeRuntime implements RuntimeController {
     return this.start();
   }
 
+  async stop() {
+    this.status = {
+      status: 'idle',
+      pid: null,
+      startedAt: null,
+      lastError: null,
+    };
+    return this.getSnapshot();
+  }
+
   async reload() {
     return this.getSnapshot();
   }
@@ -101,6 +111,41 @@ describe('panel api', () => {
     );
   });
 
+  it('updates a user through the api', async () => {
+    const app = await createTestApp();
+    const token = await authorize(app);
+    const initial = await request(app).get('/api/state').set('Authorization', `Bearer ${token}`);
+    const userId = initial.body.userRecords[0].id;
+
+    const updated = await request(app).put(`/api/users/${userId}`).set('Authorization', `Bearer ${token}`).send({
+      username: 'night-shift-updated',
+      password: 'fresh-secret',
+      serviceId: 'socks-lab',
+      quotaMb: 512,
+    });
+
+    expect(updated.status).toBe(200);
+    expect(updated.body.userRecords.find((entry: { id: string }) => entry.id === userId)).toMatchObject({
+      username: 'night-shift-updated',
+      password: 'fresh-secret',
+      serviceId: 'socks-lab',
+      quotaBytes: 512 * 1024 * 1024,
+    });
+  });
+
+  it('stops the runtime through the api', async () => {
+    const app = await createTestApp();
+    const token = await authorize(app);
+
+    await request(app).post('/api/runtime/start').set('Authorization', `Bearer ${token}`);
+    const stopped = await request(app).post('/api/runtime/stop').set('Authorization', `Bearer ${token}`);
+
+    expect(stopped.status).toBe(200);
+    expect(stopped.body.service.status).toBe('idle');
+    expect(stopped.body.service.pidLabel).toBe('pid -');
+    expect(stopped.body.service.lastEvent).toMatch(/stop requested/i);
+  });
+
   it('rejects system updates when two services reuse the same port', async () => {
     const app = await createTestApp();
     const token = await authorize(app);