@complior/engine 0.9.0

package/src/domain/proxy/proxy-interceptor.test.ts

@@ -0,0 +1,184 @@
+import { describe, it, expect, vi } from 'vitest';
+import { createInterceptor } from './proxy-interceptor.js';
+import { createPolicyEngine } from './policy-engine.js';
+import type { JsonRpcRequest } from './json-rpc.js';
+
+const makeToolCall = (name: string, args?: Record<string, unknown>): JsonRpcRequest => ({
+  jsonrpc: '2.0',
+  id: 1,
+  method: 'tools/call',
+  params: { name, arguments: args },
+});
+
+const makeListTools = (): JsonRpcRequest => ({
+  jsonrpc: '2.0',
+  id: 1,
+  method: 'tools/list',
+});
+
+describe('createInterceptor', () => {
+  it('allows all requests by default', () => {
+    const interceptor = createInterceptor({}, '2026-01-01T00:00:00Z');
+    const result = interceptor.interceptRequest(makeToolCall('read_file'));
+    expect(result.allow).toBe(true);
+  });
+
+  it('records tool calls', () => {
+    const interceptor = createInterceptor({}, '2026-01-01T00:00:00Z');
+    interceptor.recordCall(makeToolCall('read_file'), 50, true);
+    const log = interceptor.getCallLog();
+    expect(log.length).toBe(1);
+    expect(log[0].method).toBe('tools/call');
+    expect(log[0].toolName).toBe('read_file');
+    expect(log[0].durationMs).toBe(50);
+    expect(log[0].success).toBe(true);
+  });
+
+  it('tracks unique tools', () => {
+    const interceptor = createInterceptor({}, '2026-01-01T00:00:00Z');
+    interceptor.recordCall(makeToolCall('read_file'), 10, true);
+    interceptor.recordCall(makeToolCall('write_file'), 20, true);
+    interceptor.recordCall(makeToolCall('read_file'), 15, true);
+    const stats = interceptor.getStats();
+    expect(stats.uniqueTools).toHaveLength(2);
+    expect(stats.uniqueTools).toContain('read_file');
+    expect(stats.uniqueTools).toContain('write_file');
+  });
+
+  it('computes stats correctly', () => {
+    const interceptor = createInterceptor({}, '2026-01-01T00:00:00Z');
+    interceptor.recordCall(makeToolCall('a'), 100, true);
+    interceptor.recordCall(makeToolCall('b'), 200, false, 'timeout');
+    const stats = interceptor.getStats();
+    expect(stats.totalCalls).toBe(2);
+    expect(stats.successfulCalls).toBe(1);
+    expect(stats.failedCalls).toBe(1);
+    expect(stats.avgDurationMs).toBe(150);
+    expect(stats.isRunning).toBe(true);
+  });
+
+  it('calls logCall callback', () => {
+    const logCall = vi.fn();
+    const interceptor = createInterceptor({ logCall }, '2026-01-01T00:00:00Z');
+    interceptor.recordCall(makeToolCall('test'), 10, true);
+    expect(logCall).toHaveBeenCalledTimes(1);
+    expect(logCall.mock.calls[0][0].toolName).toBe('test');
+  });
+
+  it('calls recordEvidence callback for tool calls', () => {
+    const recordEvidence = vi.fn();
+    const interceptor = createInterceptor({ recordEvidence }, '2026-01-01T00:00:00Z');
+    interceptor.recordCall(makeToolCall('read_file', { path: '/test' }), 10, true);
+    expect(recordEvidence).toHaveBeenCalledTimes(1);
+    expect(recordEvidence).toHaveBeenCalledWith('read_file', { path: '/test' });
+  });
+
+  it('does not call recordEvidence for non-tool methods', () => {
+    const recordEvidence = vi.fn();
+    const interceptor = createInterceptor({ recordEvidence }, '2026-01-01T00:00:00Z');
+    interceptor.recordCall(makeListTools(), 10, true);
+    expect(recordEvidence).not.toHaveBeenCalled();
+  });
+
+  it('enrichPassportFields returns observed tools', () => {
+    const interceptor = createInterceptor({}, '2026-01-01T00:00:00Z');
+    interceptor.recordCall(makeToolCall('read_file'), 10, true);
+    interceptor.recordCall(makeToolCall('exec'), 20, true);
+    const fields = interceptor.enrichPassportFields();
+    expect(fields.tools_observed).toContain('read_file');
+    expect(fields.tools_observed).toContain('exec');
+    expect(fields.total_calls).toBe(2);
+  });
+
+  it('assigns sequential call IDs', () => {
+    const interceptor = createInterceptor({}, '2026-01-01T00:00:00Z');
+    interceptor.recordCall(makeToolCall('a'), 10, true);
+    interceptor.recordCall(makeToolCall('b'), 10, true);
+    const log = interceptor.getCallLog();
+    expect(log[0].id).toBe('call-1');
+    expect(log[1].id).toBe('call-2');
+  });
+
+  it('records error message on failed calls', () => {
+    const interceptor = createInterceptor({}, '2026-01-01T00:00:00Z');
+    interceptor.recordCall(makeToolCall('fail'), 10, false, 'Connection refused');
+    const log = interceptor.getCallLog();
+    expect(log[0].error).toBe('Connection refused');
+  });
+
+  it('getStats returns zero avg for empty log', () => {
+    const interceptor = createInterceptor({}, '2026-01-01T00:00:00Z');
+    const stats = interceptor.getStats();
+    expect(stats.avgDurationMs).toBe(0);
+    expect(stats.totalCalls).toBe(0);
+  });
+
+  it('startedAt is preserved in stats', () => {
+    const interceptor = createInterceptor({}, '2026-03-13T12:00:00Z');
+    expect(interceptor.getStats().startedAt).toBe('2026-03-13T12:00:00Z');
+  });
+
+  describe('with policy engine (US-S06-02)', () => {
+    it('allows non-tool-call requests even with policy engine', () => {
+      const policyEngine = createPolicyEngine({
+        version: '1.0',
+        default_action: 'deny',
+        rules: [],
+      });
+      const interceptor = createInterceptor({ policyEngine }, '2026-01-01T00:00:00Z');
+      const result = interceptor.interceptRequest(makeListTools());
+      expect(result.allow).toBe(true);
+    });
+
+    it('denies tool calls when policy engine denies', () => {
+      const policyEngine = createPolicyEngine({
+        version: '1.0',
+        default_action: 'deny',
+        rules: [],
+      });
+      const interceptor = createInterceptor({ policyEngine }, '2026-01-01T00:00:00Z');
+      const result = interceptor.interceptRequest(makeToolCall('dangerous_tool'));
+      expect(result.allow).toBe(false);
+    });
+
+    it('allows tool calls when policy engine allows', () => {
+      const policyEngine = createPolicyEngine({
+        version: '1.0',
+        default_action: 'allow',
+        rules: [],
+      });
+      const interceptor = createInterceptor({ policyEngine }, '2026-01-01T00:00:00Z');
+      const result = interceptor.interceptRequest(makeToolCall('safe_tool'));
+      expect(result.allow).toBe(true);
+    });
+
+    it('passes args to policy engine for evaluation', () => {
+      const policyEngine = createPolicyEngine({
+        version: '1.0',
+        default_action: 'allow',
+        rules: [{
+          name: 'no-etc',
+          action: 'deny',
+          tool: 'write_file',
+          arg_pattern: { path: '^\\/etc\\/' },
+          reason: 'Cannot write to /etc/',
+        }],
+      });
+      const interceptor = createInterceptor({ policyEngine }, '2026-01-01T00:00:00Z');
+      const denied = interceptor.interceptRequest(makeToolCall('write_file', { path: '/etc/passwd' }));
+      expect(denied.allow).toBe(false);
+      if (!denied.allow) {
+        expect(denied.reason).toBe('Cannot write to /etc/');
+      }
+
+      const allowed = interceptor.interceptRequest(makeToolCall('write_file', { path: '/home/user/file' }));
+      expect(allowed.allow).toBe(true);
+    });
+
+    it('allows all when no policy engine is provided', () => {
+      const interceptor = createInterceptor({}, '2026-01-01T00:00:00Z');
+      const result = interceptor.interceptRequest(makeToolCall('any_tool'));
+      expect(result.allow).toBe(true);
+    });
+  });
+});

package/src/domain/proxy/proxy-interceptor.ts

@@ -0,0 +1,120 @@
+import type { McpCallLog, ProxyStats } from './proxy-types.js';
+import type { JsonRpcRequest } from './json-rpc.js';
+import type { PolicyEngine } from './policy-engine.js';
+
+export interface InterceptorDeps {
+  readonly logCall?: (log: McpCallLog) => void;
+  readonly recordEvidence?: (toolName: string, args: unknown) => void;
+  readonly policyEngine?: PolicyEngine;
+}
+
+export interface ProxyInterceptor {
+  readonly interceptRequest: (req: JsonRpcRequest) => { allow: true } | { allow: false; reason: string };
+  readonly recordCall: (req: JsonRpcRequest, durationMs: number, success: boolean, error?: string) => void;
+  readonly getStats: () => ProxyStats;
+  readonly getCallLog: () => readonly McpCallLog[];
+  readonly enrichPassportFields: () => { tools_observed: readonly string[]; total_calls: number };
+}
+
+export const createInterceptor = (deps: InterceptorDeps, startedAt: string): ProxyInterceptor => {
+  const callLog: McpCallLog[] = [];
+  const toolsObserved = new Set<string>();
+  let callCounter = 0;
+
+  const asRecord = (val: unknown): Record<string, unknown> | undefined =>
+    val !== null && typeof val === 'object' && !Array.isArray(val)
+      ? val as Record<string, unknown>
+      : undefined;
+
+  const extractToolName = (req: JsonRpcRequest): string | undefined => {
+    if (req.method !== 'tools/call') return undefined;
+    const params = asRecord(req.params);
+    const name = params?.name;
+    return typeof name === 'string' ? name : undefined;
+  };
+
+  const extractArgs = (req: JsonRpcRequest): Record<string, unknown> | undefined => {
+    if (req.method !== 'tools/call') return undefined;
+    const params = asRecord(req.params);
+    return asRecord(params?.arguments);
+  };
+
+  const interceptRequest = (req: JsonRpcRequest): { allow: true } | { allow: false; reason: string } => {
+    // If not a tool call, always allow
+    if (req.method !== 'tools/call') return { allow: true };
+
+    // If no policy engine, allow all
+    if (!deps.policyEngine) return { allow: true };
+
+    const toolName = extractToolName(req);
+    if (!toolName) return { allow: true };
+
+    const args = extractArgs(req);
+    const decision = deps.policyEngine.evaluate(toolName, args);
+
+    if (!decision.allowed) {
+      return { allow: false, reason: decision.reason ?? `Denied by policy rule: ${decision.rule}` };
+    }
+
+    return { allow: true };
+  };
+
+  const recordCall = (req: JsonRpcRequest, durationMs: number, success: boolean, error?: string): void => {
+    callCounter++;
+    const toolName = extractToolName(req);
+    const args = extractArgs(req);
+
+    if (toolName) toolsObserved.add(toolName);
+
+    const log: McpCallLog = {
+      id: `call-${callCounter}`,
+      timestamp: new Date().toISOString(),
+      method: req.method,
+      toolName,
+      args,
+      durationMs,
+      success,
+      error,
+    };
+
+    callLog.push(log);
+    deps.logCall?.(log);
+
+    if (toolName) {
+      deps.recordEvidence?.(toolName, args);
+    }
+  };
+
+  const getStats = (): ProxyStats => {
+    const successful = callLog.filter(c => c.success).length;
+    const failed = callLog.filter(c => !c.success).length;
+    const avgDuration = callLog.length > 0
+      ? callLog.reduce((sum, c) => sum + c.durationMs, 0) / callLog.length
+      : 0;
+
+    return {
+      startedAt,
+      totalCalls: callLog.length,
+      successfulCalls: successful,
+      failedCalls: failed,
+      uniqueTools: [...toolsObserved],
+      avgDurationMs: Math.round(avgDuration),
+      isRunning: true,
+    };
+  };
+
+  const getCallLog = (): readonly McpCallLog[] => callLog;
+
+  const enrichPassportFields = () => ({
+    tools_observed: [...toolsObserved],
+    total_calls: callLog.length,
+  });
+
+  return Object.freeze({
+    interceptRequest,
+    recordCall,
+    getStats,
+    getCallLog,
+    enrichPassportFields,
+  });
+};

package/src/domain/proxy/proxy-types.ts

@@ -0,0 +1,35 @@
+import { z } from 'zod';
+
+export const ProxyConfigSchema = z.object({
+  upstream: z.object({
+    command: z.string(),
+    args: z.array(z.string()).default([]),
+    env: z.record(z.string()).optional(),
+  }),
+  logCalls: z.boolean().default(true),
+  enrichPassport: z.boolean().default(true),
+  maxConcurrentCalls: z.number().int().min(1).default(10),
+});
+
+export type ProxyConfig = z.infer<typeof ProxyConfigSchema>;
+
+export interface McpCallLog {
+  readonly id: string;
+  readonly timestamp: string;
+  readonly method: string;
+  readonly toolName?: string;
+  readonly args?: Record<string, unknown>;
+  readonly durationMs: number;
+  readonly success: boolean;
+  readonly error?: string;
+}
+
+export interface ProxyStats {
+  readonly startedAt: string;
+  readonly totalCalls: number;
+  readonly successfulCalls: number;
+  readonly failedCalls: number;
+  readonly uniqueTools: readonly string[];
+  readonly avgDurationMs: number;
+  readonly isRunning: boolean;
+}

package/src/domain/registry/compute-agent-score.test.ts

@@ -0,0 +1,279 @@
+import { describe, it, expect } from 'vitest';
+import { computeAgentScore } from './compute-agent-score.js';
+import type { AgentRegistryInput } from './compute-agent-score.js';
+import { createMockPassport } from '../../test-helpers/factories.js';
+import type { CompletenessResult } from '../passport/passport-validator.js';
+import type { ScanResult } from '../../types/common.types.js';
+import type { EvidenceChainSummary } from '../scanner/evidence-store.js';
+
+// --- Helpers ---
+
+const mockCompleteness = (score: number): CompletenessResult => ({
+  score,
+  filledCount: Math.round(score * 0.36),
+  totalRequired: 36,
+  filledFields: [],
+  missingFields: [],
+});
+
+const mockScanResult = (totalScore: number, findings: ScanResult['findings'] = []): ScanResult => ({
+  score: {
+    totalScore,
+    zone: totalScore >= 75 ? 'green' : totalScore >= 50 ? 'yellow' : 'red',
+    categoryScores: [],
+    criticalCapApplied: false,
+    totalChecks: 10,
+    passedChecks: Math.round(totalScore / 10),
+    failedChecks: 10 - Math.round(totalScore / 10),
+    skippedChecks: 0,
+  },
+  findings,
+  projectPath: '/test/project',
+  scannedAt: '2026-03-08T00:00:00Z',
+  duration: 100,
+  filesScanned: 20,
+});
+
+const mockEvidence = (entries: number, valid: boolean): EvidenceChainSummary => ({
+  totalEntries: entries,
+  scanCount: entries,
+  firstEntry: entries > 0 ? '2026-01-01T00:00:00Z' : '',
+  lastEntry: entries > 0 ? '2026-03-08T00:00:00Z' : '',
+  chainValid: valid,
+  uniqueFindings: entries * 2,
+});
+
+const passportWithFria = () =>
+  createMockPassport({ compliance: { ...createMockPassport().compliance, fria_completed: true } });
+
+const makeInput = (overrides: Partial<AgentRegistryInput> = {}): AgentRegistryInput => ({
+  passport: createMockPassport(),
+  completeness: mockCompleteness(100),
+  scanResult: mockScanResult(85),
+  evidenceSummary: mockEvidence(10, true),
+  ...overrides,
+});
+
+// --- Tests ---
+
+describe('computeAgentScore', () => {
+  it('computes grade A for full score, FRIA done, evidence valid, completeness 100%', () => {
+    const input = makeInput({
+      passport: passportWithFria(),
+      completeness: mockCompleteness(100),
+      scanResult: mockScanResult(95),
+      evidenceSummary: mockEvidence(10, true),
+    });
+    const result = computeAgentScore(input);
+    // 95*0.4 + 100*0.3 + 15 + 15 = 38 + 30 + 15 + 15 = 98
+    expect(result.grade).toBe('A');
+    expect(result.complianceScore).toBe(95);
+    expect(result.passportCompleteness).toBe(100);
+    expect(result.friaStatus).toBe('completed');
+    expect(result.evidenceChain.valid).toBe(true);
+  });
+
+  it('computes grade B with high completeness but no FRIA', () => {
+    const input = makeInput({
+      completeness: mockCompleteness(90),
+      scanResult: mockScanResult(85),
+      evidenceSummary: mockEvidence(5, true),
+    });
+    const result = computeAgentScore(input);
+    // 85*0.4 + 90*0.3 + 0 + 15 = 34 + 27 + 0 + 15 = 76
+    expect(result.grade).toBe('B');
+    expect(result.friaStatus).toBe('pending');
+  });
+
+  it('computes grade C for medium scores', () => {
+    const input = makeInput({
+      completeness: mockCompleteness(70),
+      scanResult: mockScanResult(70),
+      evidenceSummary: mockEvidence(3, true),
+    });
+    const result = computeAgentScore(input);
+    // 70*0.4 + 70*0.3 + 0 + 15 = 28 + 21 + 0 + 15 = 64
+    expect(result.grade).toBe('C');
+  });
+
+  it('computes grade F for low completeness with no evidence', () => {
+    const input = makeInput({
+      completeness: mockCompleteness(40),
+      scanResult: mockScanResult(50),
+      evidenceSummary: mockEvidence(0, true),
+    });
+    const result = computeAgentScore(input);
+    // 50*0.4 + 40*0.3 + 0 + 0 = 20 + 12 = 32
+    expect(result.grade).toBe('F');
+  });
+
+  it('computes grade D at boundary', () => {
+    const input = makeInput({
+      passport: passportWithFria(),
+      completeness: mockCompleteness(50),
+      scanResult: mockScanResult(40),
+      evidenceSummary: mockEvidence(0, true),
+    });
+    const result = computeAgentScore(input);
+    // 40*0.4 + 50*0.3 + 15 + 0 = 16 + 15 + 15 + 0 = 46
+    expect(result.grade).toBe('D');
+  });
+
+  it('computes grade F for zero scan, no passport fields', () => {
+    const input = makeInput({
+      completeness: mockCompleteness(10),
+      scanResult: null,
+      evidenceSummary: mockEvidence(0, true),
+    });
+    const result = computeAgentScore(input);
+    // 0*0.4 + 10*0.3 + 0 + 0 = 3
+    expect(result.grade).toBe('F');
+    expect(result.complianceScore).toBe(0);
+  });
+
+  it('generates issue when FRIA is pending', () => {
+    const result = computeAgentScore(makeInput());
+    expect(result.issues).toContainEqual(expect.stringContaining('FRIA not completed'));
+  });
+
+  it('generates no FRIA issue when FRIA is completed', () => {
+    const result = computeAgentScore(makeInput({ passport: passportWithFria() }));
+    expect(result.issues.some((i) => i.includes('FRIA not completed'))).toBe(false);
+  });
+
+  it('generates issue for risk mismatch (high-risk industry but limited risk_class)', () => {
+    const passport = createMockPassport({
+      compliance: {
+        ...createMockPassport().compliance,
+        eu_ai_act: {
+          ...createMockPassport().compliance.eu_ai_act,
+          risk_class: 'limited',
+        },
+      },
+    });
+    const input = makeInput({
+      passport,
+      scanResult: mockScanResult(60, [
+        { checkId: 'industry-hr', type: 'fail', message: 'HR match', severity: 'high' },
+      ]),
+    });
+    const result = computeAgentScore(input);
+    expect(result.issues).toContainEqual(
+      expect.stringContaining("High-risk industry detected (hr) but risk_class is 'limited'"),
+    );
+  });
+
+  it('does not generate risk mismatch issue when risk_class is high', () => {
+    const input = makeInput({
+      scanResult: mockScanResult(60, [
+        { checkId: 'industry-hr', type: 'fail', message: 'HR match', severity: 'high' },
+      ]),
+    });
+    // Default mock passport has risk_class 'high'
+    const result = computeAgentScore(input);
+    expect(result.issues.some((i) => i.includes('High-risk industry'))).toBe(false);
+  });
+
+  it('generates issue for broken evidence chain', () => {
+    const input = makeInput({ evidenceSummary: mockEvidence(5, false) });
+    const result = computeAgentScore(input);
+    expect(result.issues).toContainEqual(expect.stringContaining('Evidence chain broken'));
+  });
+
+  it('generates issue for zero evidence entries', () => {
+    const input = makeInput({ evidenceSummary: mockEvidence(0, true) });
+    const result = computeAgentScore(input);
+    expect(result.issues).toContainEqual(expect.stringContaining('No evidence chain entries'));
+  });
+
+  it('generates issue for low passport completeness', () => {
+    const input = makeInput({ completeness: mockCompleteness(65) });
+    const result = computeAgentScore(input);
+    expect(result.issues).toContainEqual(expect.stringContaining('Passport only 65% complete'));
+  });
+
+  it('extracts industries from scan findings', () => {
+    const input = makeInput({
+      scanResult: mockScanResult(70, [
+        { checkId: 'industry-hr', type: 'fail', message: 'HR match', severity: 'high' },
+        { checkId: 'industry-finance', type: 'fail', message: 'Finance match', severity: 'high' },
+        { checkId: 'l1-readme', type: 'pass', message: 'ok', severity: 'low' },
+      ]),
+    });
+    const result = computeAgentScore(input);
+    expect(result.detectedIndustries).toContain('hr');
+    expect(result.detectedIndustries).toContain('finance');
+    expect(result.detectedIndustries).not.toContain('l1-readme');
+  });
+
+  it('handles null scanResult — complianceScore = 0', () => {
+    const result = computeAgentScore(makeInput({ scanResult: null }));
+    expect(result.complianceScore).toBe(0);
+    expect(result.detectedIndustries).toEqual([]);
+  });
+
+  it('handles empty evidenceSummary', () => {
+    const input = makeInput({
+      evidenceSummary: {
+        totalEntries: 0,
+        scanCount: 0,
+        firstEntry: '',
+        lastEntry: '',
+        chainValid: true,
+        uniqueFindings: 0,
+      },
+    });
+    const result = computeAgentScore(input);
+    expect(result.evidenceChain.entries).toBe(0);
+    expect(result.evidenceChain.valid).toBe(true);
+  });
+
+  it('populates all identity fields from passport', () => {
+    const passport = createMockPassport({
+      name: 'my-bot',
+      display_name: 'My Bot',
+      agent_id: 'agent-42',
+      framework: 'langchain',
+      autonomy_level: 'L3',
+    });
+    const result = computeAgentScore(makeInput({ passport }));
+    expect(result.name).toBe('my-bot');
+    expect(result.displayName).toBe('My Bot');
+    expect(result.agentId).toBe('agent-42');
+    expect(result.framework).toBe('langchain');
+    expect(result.autonomyLevel).toBe('L3');
+  });
+
+  it('deduplicates industry findings', () => {
+    const input = makeInput({
+      scanResult: mockScanResult(70, [
+        { checkId: 'industry-hr', type: 'fail', message: 'HR match 1', severity: 'high', file: 'a.ts' },
+        { checkId: 'industry-hr', type: 'fail', message: 'HR match 2', severity: 'high', file: 'b.ts' },
+      ]),
+    });
+    const result = computeAgentScore(input);
+    expect(result.detectedIndustries).toEqual(['hr']);
+  });
+
+  it('ignores pass-type industry findings (industry-detection)', () => {
+    const input = makeInput({
+      scanResult: mockScanResult(70, [
+        { checkId: 'industry-detection', type: 'pass', message: 'No patterns detected', severity: 'low' },
+      ]),
+    });
+    const result = computeAgentScore(input);
+    expect(result.detectedIndustries).toEqual([]);
+  });
+
+  it('evidence bonus is 0 when chain is broken', () => {
+    const input = makeInput({
+      passport: passportWithFria(),
+      completeness: mockCompleteness(100),
+      scanResult: mockScanResult(100),
+      evidenceSummary: mockEvidence(10, false),
+    });
+    const result = computeAgentScore(input);
+    // 100*0.4 + 100*0.3 + 15 + 0 = 40 + 30 + 15 + 0 = 85
+    expect(result.grade).toBe('B');
+  });
+});