tep 0.11.0

data/test/test_mcp.rb

@@ -0,0 +1,264 @@
+require_relative "helper"
+
+# Tep::MCP -- Battery 5 chunk 5.1. Tool DSL + JSON-RPC dispatcher
+# + HTTP-direct route + llms.txt. The translator-emitted classes
+# are exercised via real HTTP against the fixture app.
+class TestMCP < TepTest
+  app_source <<~RB
+    require 'sinatra'
+
+    # Grant capabilities via an X-Test-Cap header for the auth
+    # gating tests. No real auth provider needed for the dispatch
+    # paths -- we just override req.identity with a synthetic one
+    # so req.identity.may?(:admin) returns true on demand.
+    before do
+      if req.req_headers["x-test-cap-admin"].length > 0
+        req.identity = Tep::Identity.new(
+          "user:42", nil, [:admin])
+      end
+    end
+
+    mcp_tool 'greet', "Say hi to someone" do
+      param :name, String, "person to greet"
+
+      on_call do |name:|
+        if name.length == 0
+          Tep::MCP.error("name required")
+        else
+          Tep::MCP.text("hello " + name)
+        end
+      end
+    end
+
+    mcp_tool 'add', "Add two integers" do
+      param :a, Integer, "left operand"
+      param :b, Integer, "right operand"
+
+      on_call do |a:, b:|
+        Tep::MCP.text((a + b).to_s)
+      end
+    end
+
+    # Capped tool -- requires :admin in the calling identity.
+    mcp_tool 'wipe_db', "Drop everything (requires :admin)", caps: [:admin] do
+      on_call do
+        Tep::MCP.text("wiped")
+      end
+    end
+
+    mcp_resource 'server/status', "Current server status" do
+      on_read do
+        Tep::MCP.resource_text("server/status", "uptime: 42")
+      end
+    end
+
+    mcp_resource 'server/version', "Server build version" do
+      on_read do
+        Tep::MCP.resource_text("server/version", "1.0.0-test")
+      end
+    end
+  RB
+
+  # ---- HTTP-direct invocation ----
+
+  def test_http_direct_tool_call_returns_text
+    res = post("/tools/greet", "{\"name\":\"alice\"}",
+               "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_equal "hello alice", res.body
+  end
+
+  def test_http_direct_tool_error_returns_400
+    res = post("/tools/greet", "{\"name\":\"\"}",
+               "Content-Type" => "application/json")
+    assert_equal "400", res.code
+    assert_equal "name required", res.body
+  end
+
+  def test_http_direct_integer_param_round_trip
+    res = post("/tools/add", "{\"a\":2,\"b\":40}",
+               "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_equal "42", res.body
+  end
+
+  # ---- JSON-RPC dispatch over /mcp ----
+
+  def test_mcp_initialize_returns_server_info
+    body = "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"initialize\"}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"jsonrpc\":\"2.0\""
+    assert_includes res.body, "\"id\":1"
+    assert_includes res.body, "\"serverInfo\""
+    assert_includes res.body, "\"protocolVersion\""
+  end
+
+  def test_mcp_tools_list_returns_both_tools
+    body = "{\"jsonrpc\":\"2.0\",\"id\":2,\"method\":\"tools/list\"}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"name\":\"greet\""
+    assert_includes res.body, "\"name\":\"add\""
+    assert_includes res.body, "\"description\":\"Say hi to someone\""
+    assert_includes res.body, "\"inputSchema\""
+    # Schema should encode integer params as JSON Schema integer type.
+    assert_includes res.body, "\"type\":\"integer\""
+  end
+
+  def test_mcp_tools_call_round_trips_text_content
+    body = "{\"jsonrpc\":\"2.0\",\"id\":3,\"method\":\"tools/call\"," +
+           "\"params\":{\"name\":\"greet\",\"arguments\":{\"name\":\"bob\"}}}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"id\":3"
+    assert_includes res.body, "\"text\":\"hello bob\""
+    assert_includes res.body, "\"isError\":false"
+  end
+
+  def test_mcp_tools_call_propagates_is_error
+    body = "{\"jsonrpc\":\"2.0\",\"id\":4,\"method\":\"tools/call\"," +
+           "\"params\":{\"name\":\"greet\",\"arguments\":{\"name\":\"\"}}}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"text\":\"name required\""
+    assert_includes res.body, "\"isError\":true"
+  end
+
+  def test_mcp_tools_call_unknown_tool_returns_error_envelope
+    body = "{\"jsonrpc\":\"2.0\",\"id\":5,\"method\":\"tools/call\"," +
+           "\"params\":{\"name\":\"nope\",\"arguments\":{}}}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"error\""
+    assert_includes res.body, "\"code\":-32602"
+    assert_includes res.body, "unknown tool"
+  end
+
+  def test_mcp_unknown_method_returns_method_not_found
+    body = "{\"jsonrpc\":\"2.0\",\"id\":6,\"method\":\"notreal\"}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"code\":-32601"
+    assert_includes res.body, "method not found"
+  end
+
+  # ---- caps gating (chunk 5.2) ----
+
+  def test_capped_tool_denies_anonymous_caller
+    res = post("/tools/wipe_db", "{}",
+               "Content-Type" => "application/json")
+    # Anonymous identity has empty caps, so :admin check fails.
+    # The tool returns an error Result; HTTP-direct surfaces it
+    # as 400 + the error text.
+    assert_equal "400", res.code
+    assert_includes res.body, "missing capability: admin"
+  end
+
+  def test_capped_tool_allows_caller_with_required_cap
+    res = post("/tools/wipe_db", "{}",
+               "Content-Type"   => "application/json",
+               "X-Test-Cap-Admin" => "1")
+    assert_equal "200", res.code
+    assert_equal "wiped", res.body
+  end
+
+  def test_capped_tool_over_mcp_returns_isError
+    # Same denial path through the JSON-RPC envelope: anonymous
+    # caller -> wipe_db -> error Result -> isError:true.
+    body = "{\"jsonrpc\":\"2.0\",\"id\":7,\"method\":\"tools/call\"," +
+           "\"params\":{\"name\":\"wipe_db\",\"arguments\":{}}}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"isError\":true"
+    assert_includes res.body, "missing capability: admin"
+  end
+
+  # ---- notifications/initialized (chunk 5.2) ----
+
+  def test_notifications_initialized_returns_204_no_body
+    body = "{\"jsonrpc\":\"2.0\",\"method\":\"notifications/initialized\"}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "204", res.code
+    assert_equal "", res.body.to_s
+  end
+
+  # ---- mcp_resource (chunk 5.3) ----
+
+  def test_http_direct_resource_read_returns_text
+    res = get("/resources/server/status")
+    assert_equal "200", res.code
+    assert_includes res["content-type"].to_s, "text/plain"
+    assert_equal "uptime: 42", res.body
+  end
+
+  def test_mcp_initialize_advertises_resources_capability
+    body = "{\"jsonrpc\":\"2.0\",\"id\":11,\"method\":\"initialize\"}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"resources\":{}"
+  end
+
+  def test_mcp_resources_list_returns_both_resources
+    body = "{\"jsonrpc\":\"2.0\",\"id\":12,\"method\":\"resources/list\"}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"uri\":\"server/status\""
+    assert_includes res.body, "\"uri\":\"server/version\""
+    assert_includes res.body, "\"description\":\"Current server status\""
+    assert_includes res.body, "\"mimeType\":\"text/plain\""
+  end
+
+  def test_mcp_resources_read_round_trips_content
+    body = "{\"jsonrpc\":\"2.0\",\"id\":13,\"method\":\"resources/read\"," +
+           "\"params\":{\"uri\":\"server/status\"}}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"uri\":\"server/status\""
+    assert_includes res.body, "\"mimeType\":\"text/plain\""
+    assert_includes res.body, "\"text\":\"uptime: 42\""
+  end
+
+  def test_mcp_resources_read_unknown_uri_errors
+    body = "{\"jsonrpc\":\"2.0\",\"id\":14,\"method\":\"resources/read\"," +
+           "\"params\":{\"uri\":\"nope\"}}"
+    res = post("/mcp", body, "Content-Type" => "application/json")
+    assert_equal "200", res.code
+    assert_includes res.body, "\"code\":-32602"
+    assert_includes res.body, "unknown resource"
+  end
+
+  # ---- openapi.json (chunk 5.4) ----
+
+  def test_openapi_json_lists_tool_paths
+    res = get("/openapi.json")
+    assert_equal "200", res.code
+    assert_includes res["content-type"].to_s, "application/json"
+    assert_includes res.body, "\"openapi\":\"3.0.3\""
+    assert_includes res.body, "\"/tools/greet\""
+    assert_includes res.body, "\"/tools/add\""
+    # Integer params declared as integer in the OpenAPI schema.
+    assert_includes res.body, "\"type\":\"integer\""
+  end
+
+  def test_openapi_json_lists_resource_paths
+    res = get("/openapi.json")
+    assert_includes res.body, "\"/resources/server/status\""
+    assert_includes res.body, "\"/resources/server/version\""
+  end
+
+  # ---- llms.txt discovery ----
+
+  def test_llms_txt_lists_tools_with_descriptions
+    res = get("/llms.txt")
+    assert_equal "200", res.code
+    assert_includes res["content-type"].to_s, "text/markdown"
+    assert_includes res.body, "MCP-endpoint: /mcp"
+    assert_includes res.body, "OpenAPI: /openapi.json"
+    assert_includes res.body, "## Tools"
+    assert_includes res.body, "greet -- Say hi to someone"
+    assert_includes res.body, "add -- Add two integers"
+    assert_includes res.body, "## Resources"
+    assert_includes res.body, "server/status -- Current server status"
+  end
+end

data/test/test_misc_v02.rb

@@ -0,0 +1,54 @@
+require_relative "helper"
+
+# send_file, configure, and __END__ inline templates -- the three small
+# wins added on top of the v0.2 surface.
+class TestMiscV02 < TepTest
+  app_source <<~RB
+    require 'sinatra'
+
+    configure do
+      $configured = "always"
+    end
+
+    configure :production do
+      $configured = "prod"
+    end
+
+    get '/configured' do
+      "configured=" + ($configured || "nil").to_s
+    end
+
+    get '/file' do
+      send_file 'public/hello.txt'
+    end
+
+    get '/inline' do
+      erb :inline_hi, locals: { who: "world" }
+    end
+
+    __END__
+
+    @@ inline_hi
+    <h1>hi <%= locals["who"] %> from inline</h1>
+  RB
+
+  def test_configure_always_runs
+    res = get("/configured")
+    # Both the bare and :production blocks ran in dev env: "always" set first,
+    # then "prod" only if env=production. Default env is development, so the
+    # :production block is gated off and the value stays "always".
+    assert_equal "configured=always", res.body
+  end
+
+  def test_send_file_streams_static
+    res = get("/file")
+    assert_equal "200", res.code
+    assert_match(/static file serving works/, res.body)
+  end
+
+  def test_inline_template_renders
+    res = get("/inline")
+    assert_equal "200", res.code
+    assert_match(%r{hi world from inline}, res.body)
+  end
+end

data/test/test_modular.rb

@@ -0,0 +1,43 @@
+require_relative "helper"
+
+class TestModular < TepTest
+  app_source <<~RB
+    require 'sinatra/base'
+
+    class Api < Sinatra::Base
+      before do
+        response.headers["X-App"] = "Api"
+      end
+
+      get '/api/health' do
+        "ok"
+      end
+    end
+
+    class Admin < Sinatra::Base
+      get '/admin/dashboard' do
+        "admin"
+      end
+    end
+
+    Api.run!
+    Admin.run!
+  RB
+
+  def test_first_app_route
+    res = get("/api/health")
+    assert_equal "200", res.code
+    assert_equal "ok", res.body
+  end
+
+  def test_second_app_route
+    res = get("/admin/dashboard")
+    assert_equal "200", res.code
+    assert_equal "admin", res.body
+  end
+
+  def test_modular_before_filter_ran
+    res = get("/api/health")
+    assert_equal "Api", res["x-app"]
+  end
+end

data/test/test_multi_filters.rb

@@ -0,0 +1,40 @@
+require_relative "helper"
+
+# Multiple `before do` / `after do` blocks should all run, in order.
+class TestMultiFilters < TepTest
+  app_source <<~RB
+    require 'sinatra'
+
+    before do
+      response.headers["X-First"] = "1"
+    end
+
+    before do
+      response.headers["X-Second"] = "2"
+    end
+
+    after do
+      response.headers["X-After-A"] = "a"
+    end
+
+    after do
+      response.headers["X-After-B"] = "b"
+    end
+
+    get '/' do
+      "ok"
+    end
+  RB
+
+  def test_both_before_filters_run
+    res = get("/")
+    assert_equal "1", res["x-first"]
+    assert_equal "2", res["x-second"]
+  end
+
+  def test_both_after_filters_run
+    res = get("/")
+    assert_equal "a", res["x-after-a"]
+    assert_equal "b", res["x-after-b"]
+  end
+end

data/test/test_mustache.rb

@@ -0,0 +1,57 @@
+require_relative "helper"
+
+# Tep's Mustache subset (build-time AOT). Documented surface:
+# `{{var}}` (escaped), `{{{var}}}` / `{{& var}}` (raw),
+# `{{@ivar}}` (escaped or raw via triple-stache), `{{!comment}}`
+# (dropped). Sections / partials / delimiter swaps are deliberately
+# unsupported and the compiler raises at build time if reached.
+class TestMustache < TepTest
+  app_source <<~RB
+    require 'sinatra'
+
+    set :views, '#{File.expand_path("views", __dir__)}'
+
+    get '/m/simple/:who' do
+      mustache :m_simple, locals: { name: params[:who], greeting: "hi", snippet: "<b>BOLD</b>" }
+    end
+
+    before do
+      @raw = "<i>I</i>"
+    end
+
+    get '/m/ivars/:who/:n' do
+      @name  = params[:who]
+      @count = params[:n]
+      mustache :m_ivars
+    end
+  RB
+
+  def test_simple_escaped_and_raw
+    res = get("/m/simple/alice")
+    assert_equal "200", res.code
+    assert_match(/hello, alice!/, res.body)
+    assert_match(/greeting: hi/, res.body)
+    # `{{{snippet}}}` (raw) keeps the live tag.
+    assert_match(/<p>raw html: <b>BOLD<\/b><\/p>/, res.body)
+    # comment line is dropped
+    refute_match(/this comment is dropped/, res.body)
+  end
+
+  def test_html_escape_dangerous_chars
+    # `<` and `>` need URL-encoding to even reach the server. The
+    # escaped `{{name}}` form must then render `&lt;script&gt;`,
+    # not the live tag.
+    res = get("/m/simple/%3Cscript%3E")
+    assert_match(/hello, &lt;script&gt;!/, res.body)
+    refute_match(/hello, <script>/, res.body)
+  end
+
+  def test_ivar_via_at_prefix
+    res = get("/m/ivars/bob/4")
+    assert_equal "200", res.code
+    assert_match(/hi, bob/, res.body)
+    assert_match(/visited: 4/, res.body)
+    # `{{{@raw}}}` (raw ivar) keeps the `<i>I</i>` literal
+    assert_match(/raw ivar: <i>I<\/i>/, res.body)
+  end
+end