From 895a7e07e2fa6474dbd30c70062e25f03bbbfd9b Mon Sep 17 00:00:00 2001
From: rcourtman
Date: Wed, 4 Feb 2026 15:16:12 +0000
Subject: [PATCH] Verify host uninstall enforces token binding

---
 internal/api/host_agents_additional_test.go | 25 +++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/internal/api/host_agents_additional_test.go b/internal/api/host_agents_additional_test.go
index 61737f768..b41dbdf3b 100644
--- a/internal/api/host_agents_additional_test.go
+++ b/internal/api/host_agents_additional_test.go
@@ -164,6 +164,31 @@ func TestHostAgentHandlers_HandleUninstall(t *testing.T) {
 }
 }
 
+func TestHostAgentHandlers_HandleUninstallRejectsTokenMismatch(t *testing.T) {
+ handler, monitor := newHostAgentHandlers(t, nil)
+ hostID := seedHostAgent(t, monitor)
+
+ state := monitorState(t, monitor)
+ state.UpsertHost(models.Host{
+ ID: hostID,
+ Hostname: "host-token-mismatch.local",
+ TokenID: "token-1",
+ })
+
+ body := []byte(`{"hostId":"` + hostID + `"}`)
+ req := httptest.NewRequest(http.MethodPost, "/api/agents/host/uninstall", bytes.NewReader(body))
+ attachAPITokenRecord(req, &config.APITokenRecord{
+ ID: "token-2",
+ Scopes: []string{config.ScopeHostReport},
+ })
+ rec := httptest.NewRecorder()
+
+ handler.HandleUninstall(rec, req)
+ if rec.Code != http.StatusForbidden {
+ t.Fatalf("status = %d, want 403: %s", rec.Code, rec.Body.String())
+ }
+}
+
 func TestHostAgentHandlers_HandleLinkUnlink(t *testing.T) {
 handler, monitor := newHostAgentHandlers(t, nil)
 hostID := seedHostAgent(t, monitor)
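Review bot: The new test checks only `rec.Code != http.StatusForbidden`, so it would still pass if HandleUninstall returned 403 after already removing the host, or if the 403 came from a check other than the token binding. After the call, also assert that the host stored under `hostID` is still present in the monitor state, using whatever read accessor the state type exposes (none is visible in this hunk). That pins the security property, refusal before any side effect, rather than just the status code. A short comment above `attachAPITokenRecord`, such as `// token-2 carries a valid scope but is not the token bound to this host (token-1)`, would make clear which check is expected to fire, assuming `config.ScopeHostReport` is the scope the handler requires.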