@danielblomma/cortex-mcp 1.7.1 → 2.0.2

package/scaffold/mcp/tests/enterprise-config.test.mjs

@@ -0,0 +1,154 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+import { loadEnterpriseConfig } from "../dist/core/config.js";
+
+function makeContextDir(content) {
+  const tempRoot = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-enterprise-config-"));
+  const contextDir = path.join(tempRoot, ".context");
+  fs.mkdirSync(contextDir, { recursive: true });
+  if (content !== undefined) {
+    fs.writeFileSync(path.join(contextDir, "enterprise.yml"), content);
+  }
+  return { tempRoot, contextDir };
+}
+
+test("loader: missing file returns defaults with empty api_key", () => {
+  const { tempRoot, contextDir } = makeContextDir(undefined);
+  try {
+    const cfg = loadEnterpriseConfig(contextDir);
+    assert.equal(cfg.enterprise.api_key, "");
+    assert.equal(cfg.govern.mode, "off");
+    assert.equal(cfg.compliance.frameworks.length, 0);
+  } finally {
+    fs.rmSync(tempRoot, { recursive: true, force: true });
+  }
+});
+
+test("loader: new schema — single api_key flows to telemetry+policy, base_url derives endpoints", () => {
+  const yaml = [
+    "enterprise:",
+    "  api_key: ent_test_key_1234",
+    "  base_url: https://example.com",
+    "",
+    "compliance:",
+    "  frameworks: [iso27001, soc2]",
+    "  eu_addons: false",
+    "",
+    "govern:",
+    "  mode: advisory",
+    "  tier_claude: prevent",
+    "  tier_codex: prevent",
+    "  tier_copilot: wrap",
+    "",
+  ].join("\n");
+  const { tempRoot, contextDir } = makeContextDir(yaml);
+  try {
+    const cfg = loadEnterpriseConfig(contextDir);
+    assert.equal(cfg.enterprise.api_key, "ent_test_key_1234");
+    assert.equal(cfg.enterprise.base_url, "https://example.com");
+    assert.equal(cfg.telemetry.api_key, "ent_test_key_1234");
+    assert.equal(cfg.telemetry.endpoint, "https://example.com/api/v1/telemetry/push");
+    assert.equal(cfg.policy.api_key, "ent_test_key_1234");
+    assert.equal(cfg.policy.endpoint, "https://example.com/api/v1/policies/sync");
+    assert.equal(cfg.govern.govern_endpoint, "https://example.com/api/v1/govern");
+    assert.deepEqual(cfg.compliance.frameworks, ["iso27001", "soc2"]);
+    assert.equal(cfg.compliance.eu_addons, false);
+    assert.equal(cfg.govern.mode, "advisory");
+    assert.equal(cfg.govern.tier_copilot, "wrap");
+    assert.equal(cfg.govern.detect_ungoverned, true);
+  } finally {
+    fs.rmSync(tempRoot, { recursive: true, force: true });
+  }
+});
+
+test("loader: eu_addons=true merges gdpr/ai_act/nis2 with default frameworks", () => {
+  const yaml = [
+    "enterprise:",
+    "  api_key: ent_test_key_1234",
+    "  base_url: https://example.com",
+    "compliance:",
+    "  eu_addons: true",
+    "",
+  ].join("\n");
+  const { tempRoot, contextDir } = makeContextDir(yaml);
+  try {
+    const cfg = loadEnterpriseConfig(contextDir);
+    assert.deepEqual(
+      cfg.compliance.frameworks.sort(),
+      ["ai_act", "gdpr", "iso27001", "iso42001", "nis2", "soc2"],
+    );
+    assert.equal(cfg.compliance.eu_addons, true);
+  } finally {
+    fs.rmSync(tempRoot, { recursive: true, force: true });
+  }
+});
+
+test("loader: legacy schema — telemetry/policy own keys still work", () => {
+  const yaml = [
+    "enterprise:",
+    "  endpoint: https://legacy.example.com",
+    "  api_key: ent_legacy_key_1234",
+    "",
+    "telemetry:",
+    "  enabled: true",
+    "  endpoint: https://legacy.example.com/api/v1/telemetry/push",
+    "  api_key: ent_legacy_key_1234",
+    "",
+    "policy:",
+    "  endpoint: https://legacy.example.com/api/v1/policies/sync",
+    "  api_key: ent_legacy_key_1234",
+    "",
+  ].join("\n");
+  const { tempRoot, contextDir } = makeContextDir(yaml);
+  try {
+    const cfg = loadEnterpriseConfig(contextDir);
+    assert.equal(cfg.enterprise.api_key, "ent_legacy_key_1234");
+    assert.equal(cfg.telemetry.endpoint, "https://legacy.example.com/api/v1/telemetry/push");
+    assert.equal(cfg.policy.endpoint, "https://legacy.example.com/api/v1/policies/sync");
+    assert.equal(cfg.govern.mode, "off");
+  } finally {
+    fs.rmSync(tempRoot, { recursive: true, force: true });
+  }
+});
+
+test("loader: invalid frameworks are dropped silently", () => {
+  const yaml = [
+    "enterprise:",
+    "  api_key: ent_test_key_1234",
+    "  base_url: https://example.com",
+    "compliance:",
+    "  frameworks: [iso27001, made_up_framework, soc2]",
+    "",
+  ].join("\n");
+  const { tempRoot, contextDir } = makeContextDir(yaml);
+  try {
+    const cfg = loadEnterpriseConfig(contextDir);
+    assert.deepEqual(cfg.compliance.frameworks, ["iso27001", "soc2"]);
+  } finally {
+    fs.rmSync(tempRoot, { recursive: true, force: true });
+  }
+});
+
+test("loader: invalid govern mode falls back to default", () => {
+  const yaml = [
+    "enterprise:",
+    "  api_key: ent_test_key_1234",
+    "  base_url: https://example.com",
+    "govern:",
+    "  mode: bogus_mode",
+    "  tier_claude: not_a_tier",
+    "",
+  ].join("\n");
+  const { tempRoot, contextDir } = makeContextDir(yaml);
+  try {
+    const cfg = loadEnterpriseConfig(contextDir);
+    assert.equal(cfg.govern.mode, "off");
+    assert.equal(cfg.govern.tier_claude, "prevent");
+  } finally {
+    fs.rmSync(tempRoot, { recursive: true, force: true });
+  }
+});

package/scaffold/mcp/tests/govern-install.test.mjs

@@ -0,0 +1,320 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import http from "node:http";
+
+import {
+  runGovernInstall,
+  runGovernUninstall,
+  runGovernStatus,
+} from "../dist/cli/govern.js";
+
+function startMockServer(handlers) {
+  const server = http.createServer((req, res) => {
+    const url = new URL(req.url, `http://${req.headers.host}`);
+    const handler = handlers[`${req.method} ${url.pathname}`];
+    if (!handler) {
+      res.statusCode = 404;
+      res.end("not found");
+      return;
+    }
+    let body = "";
+    req.on("data", (c) => (body += c));
+    req.on("end", () => handler(req, res, url, body));
+  });
+  return new Promise((resolve) => {
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      resolve({ server, baseUrl: `http://127.0.0.1:${addr.port}` });
+    });
+  });
+}
+
+function makeProject({ apiKey, baseUrl, frameworks = ["iso27001"] }) {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-govern-"));
+  const ctx = path.join(root, ".context");
+  fs.mkdirSync(ctx, { recursive: true });
+  const yaml = [
+    "enterprise:",
+    `  api_key: ${apiKey}`,
+    `  base_url: ${baseUrl}`,
+    "compliance:",
+    `  frameworks: [${frameworks.join(", ")}]`,
+    "",
+  ].join("\n");
+  fs.writeFileSync(path.join(ctx, "enterprise.yml"), yaml);
+  return { root, ctx };
+}
+
+test("install --cli claude writes managed-settings.json and records state", async () => {
+  let appliedCalls = 0;
+  const { server, baseUrl } = await startMockServer({
+    "GET /api/v1/govern/config": (req, res) => {
+      const config = {
+        cli: "claude",
+        managed_settings: {
+          allowManagedHooksOnly: true,
+          permissions: { deny: ["Edit(~/.claude/settings.json)"] },
+        },
+        deny_rules: [{ pattern: "Edit(~/.claude/settings.json)", source_frameworks: ["iso27001"] }],
+        tamper_config: { heartbeat_interval_seconds: 60, missing_threshold_seconds: 300 },
+        frameworks: [{ id: "iso27001", version: "0.1.0-seed" }],
+      };
+      res.setHeader("ETag", '"abc123version"');
+      res.setHeader("Content-Type", "application/json");
+      res.end(JSON.stringify(config));
+    },
+    "POST /api/v1/govern/applied": (req, res, url, body) => {
+      appliedCalls += 1;
+      const payload = JSON.parse(body);
+      assert.equal(payload.cli, "claude");
+      assert.equal(payload.success, true);
+      res.setHeader("Content-Type", "application/json");
+      res.end(JSON.stringify({ ok: true }));
+    },
+  });
+
+  const { root, ctx } = makeProject({ apiKey: "ent_test_key_12345678", baseUrl });
+  const claudeManagedPath = path.join(root, "fake-managed-settings.json");
+  try {
+    const result = await runGovernInstall({
+      cli: "claude",
+      cwd: root,
+      mode: "advisory",
+      pathOverride: { claude: claudeManagedPath },
+      skipRoot: true,
+    });
+    assert.equal(result.ok, true, result.message);
+    assert.deepEqual(result.installed, ["claude"]);
+
+    const written = JSON.parse(fs.readFileSync(claudeManagedPath, "utf8"));
+    assert.equal(written.allowManagedHooksOnly, true);
+    assert.deepEqual(written.permissions.deny, ["Edit(~/.claude/settings.json)"]);
+
+    const state = JSON.parse(fs.readFileSync(path.join(ctx, "govern.local.json"), "utf8"));
+    assert.equal(state.installs.claude.path, claudeManagedPath);
+    assert.equal(state.installs.claude.version, "abc123version");
+    assert.equal(state.installs.claude.mode, "advisory");
+    assert.equal(appliedCalls, 1);
+  } finally {
+    server.close();
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("install --cli codex writes requirements.toml with sandbox bounds", async () => {
+  const { server, baseUrl } = await startMockServer({
+    "GET /api/v1/govern/config": (req, res) => {
+      const config = {
+        cli: "codex",
+        managed_settings: {},
+        deny_rules: [
+          { pattern: "Edit(~/.codex/config.toml)", source_frameworks: ["iso27001"] },
+        ],
+        tamper_config: { heartbeat_interval_seconds: 60, missing_threshold_seconds: 300 },
+        frameworks: [{ id: "iso27001", version: "0.1.0-seed" }],
+      };
+      res.setHeader("ETag", '"codex_v1"');
+      res.setHeader("Content-Type", "application/json");
+      res.end(JSON.stringify(config));
+    },
+    "POST /api/v1/govern/applied": (req, res) => res.end(JSON.stringify({ ok: true })),
+  });
+
+  const { root } = makeProject({ apiKey: "ent_test_key_12345678", baseUrl });
+  const codexPath = path.join(root, "fake-codex-requirements.toml");
+  try {
+    const result = await runGovernInstall({
+      cli: "codex",
+      cwd: root,
+      pathOverride: { codex: codexPath },
+      skipRoot: true,
+    });
+    assert.equal(result.ok, true, result.message);
+
+    const toml = fs.readFileSync(codexPath, "utf8");
+    assert.match(toml, /allowed_sandbox_modes = \["read-only", "workspace-write"\]/);
+    assert.match(toml, /\[permissions\.filesystem\]/);
+    assert.match(toml, /deny_read = \["~\/.codex\/config\.toml"\]/);
+  } finally {
+    server.close();
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("install --all installs claude+codex managed files plus copilot Tier-2 shim", async () => {
+  const { server, baseUrl } = await startMockServer({
+    "GET /api/v1/govern/config": (req, res) => {
+      const config = {
+        cli: req.url.includes("cli=claude") ? "claude" : "codex",
+        managed_settings: {},
+        deny_rules: [],
+        tamper_config: { heartbeat_interval_seconds: 60, missing_threshold_seconds: 300 },
+        frameworks: [{ id: "iso27001", version: "0.1.0-seed" }],
+      };
+      res.setHeader("ETag", '"v1"');
+      res.setHeader("Content-Type", "application/json");
+      res.end(JSON.stringify(config));
+    },
+    "POST /api/v1/govern/applied": (req, res) => res.end(JSON.stringify({ ok: true })),
+  });
+
+  const { root } = makeProject({ apiKey: "ent_test_key_12345678", baseUrl });
+  // Stand up a fake real-copilot binary on a temp PATH so the shim install
+  // can find it; otherwise copilot is skipped for missing-binary reasons.
+  const realDir = path.join(root, "real-bin");
+  fs.mkdirSync(realDir, { recursive: true });
+  const realCopilot = path.join(realDir, "copilot");
+  fs.writeFileSync(realCopilot, "#!/bin/sh\necho real copilot\n", { mode: 0o755 });
+  const origPath = process.env.PATH;
+  process.env.PATH = `${realDir}:${origPath ?? ""}`;
+  try {
+    const result = await runGovernInstall({
+      cli: "all",
+      cwd: root,
+      pathOverride: {
+        claude: path.join(root, "claude-managed.json"),
+        codex: path.join(root, "codex-requirements.toml"),
+        copilot: path.join(root, "fake-copilot-shim"),
+      },
+      skipRoot: true,
+    });
+    assert.equal(result.ok, true, result.message);
+    assert.deepEqual(result.installed.sort(), ["claude", "codex", "copilot"]);
+    const shimContents = fs.readFileSync(path.join(root, "fake-copilot-shim"), "utf8");
+    assert.match(shimContents, /cortex-shim-v1/);
+    assert.match(shimContents, new RegExp(realCopilot));
+  } finally {
+    process.env.PATH = origPath;
+    server.close();
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("uninstall removes managed file and updates state", async () => {
+  const { server, baseUrl } = await startMockServer({
+    "GET /api/v1/govern/config": (req, res) => {
+      res.setHeader("ETag", '"v1"');
+      res.end(
+        JSON.stringify({
+          cli: "claude",
+          managed_settings: { allowManagedHooksOnly: true },
+          deny_rules: [],
+          tamper_config: { heartbeat_interval_seconds: 60, missing_threshold_seconds: 300 },
+          frameworks: [{ id: "iso27001", version: "0.1.0-seed" }],
+        }),
+      );
+    },
+    "POST /api/v1/govern/applied": (req, res) => res.end(JSON.stringify({ ok: true })),
+  });
+
+  const { root, ctx } = makeProject({ apiKey: "ent_test_key_12345678", baseUrl });
+  const target = path.join(root, "claude-managed.json");
+  try {
+    await runGovernInstall({
+      cli: "claude",
+      cwd: root,
+      mode: "advisory",
+      pathOverride: { claude: target },
+      skipRoot: true,
+    });
+    assert.equal(fs.existsSync(target), true);
+
+    const result = await runGovernUninstall({ cli: "claude", cwd: root, skipRoot: true });
+    assert.equal(result.ok, true, result.message);
+    assert.equal(fs.existsSync(target), false);
+
+    const state = JSON.parse(fs.readFileSync(path.join(ctx, "govern.local.json"), "utf8"));
+    assert.equal(state.installs.claude, undefined);
+  } finally {
+    server.close();
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("uninstall in enforced mode requires --break-glass + --reason", async () => {
+  const { server, baseUrl } = await startMockServer({
+    "GET /api/v1/govern/config": (req, res) => {
+      res.setHeader("ETag", '"v1"');
+      res.end(
+        JSON.stringify({
+          cli: "claude",
+          managed_settings: { allowManagedHooksOnly: true },
+          deny_rules: [],
+          tamper_config: { heartbeat_interval_seconds: 60, missing_threshold_seconds: 300 },
+          frameworks: [{ id: "iso27001", version: "0.1.0-seed" }],
+        }),
+      );
+    },
+    "POST /api/v1/govern/applied": (req, res) => res.end(JSON.stringify({ ok: true })),
+  });
+
+  const { root } = makeProject({ apiKey: "ent_test_key_12345678", baseUrl });
+  const target = path.join(root, "claude-managed.json");
+  try {
+    await runGovernInstall({
+      cli: "claude",
+      cwd: root,
+      mode: "enforced",
+      pathOverride: { claude: target },
+      skipRoot: true,
+    });
+
+    const blocked = await runGovernUninstall({ cli: "claude", cwd: root, skipRoot: true });
+    assert.equal(blocked.ok, false);
+    assert.match(blocked.message, /enforced mode/);
+    assert.equal(fs.existsSync(target), true);
+
+    const noReason = await runGovernUninstall({
+      cli: "claude",
+      cwd: root,
+      breakGlass: true,
+      skipRoot: true,
+    });
+    assert.equal(noReason.ok, false);
+    assert.match(noReason.message, /requires --reason/);
+
+    const allowed = await runGovernUninstall({
+      cli: "claude",
+      cwd: root,
+      breakGlass: true,
+      reason: "Incident response",
+      skipRoot: true,
+    });
+    assert.equal(allowed.ok, true, allowed.message);
+    assert.equal(fs.existsSync(target), false);
+  } finally {
+    server.close();
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("install with no api_key returns helpful error", async () => {
+  const { root } = makeProject({ apiKey: "", baseUrl: "http://example.com" });
+  try {
+    const result = await runGovernInstall({ cli: "claude", cwd: root, skipRoot: true });
+    assert.equal(result.ok, false);
+    assert.match(result.message, /No enterprise.api_key/);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("status with no installs prints the empty-state hint", () => {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-govern-status-"));
+  fs.mkdirSync(path.join(root, ".context"));
+  const lines = [];
+  const origLog = console.log;
+  console.log = (...args) => lines.push(args.join(" "));
+  try {
+    runGovernStatus({ cwd: root });
+  } finally {
+    console.log = origLog;
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+  const output = lines.join("\n");
+  assert.match(output, /No CLIs governed/);
+  assert.match(output, /sudo cortex enterprise/);
+});

package/scaffold/mcp/tests/govern-repair.test.mjs

@@ -0,0 +1,157 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+import { runGovernRepair } from "../dist/cli/govern.js";
+import { writeTamperLock } from "../dist/daemon/heartbeat-tracker.js";
+
+function makeWorkspace({ installs }) {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-repair-"));
+  const ctx = path.join(root, ".context");
+  fs.mkdirSync(ctx, { recursive: true });
+  fs.writeFileSync(
+    path.join(ctx, "govern.local.json"),
+    JSON.stringify({ installs }, null, 2),
+  );
+  return { root, ctx };
+}
+
+test("repair: errors when nothing is governed yet", async () => {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-repair-empty-"));
+  fs.mkdirSync(path.join(root, ".context"), { recursive: true });
+  try {
+    const result = await runGovernRepair({ cwd: root, skipRoot: true });
+    assert.equal(result.ok, false);
+    assert.match(result.message, /nothing to repair/);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("repair: errors when managed file is missing", async () => {
+  const { root } = makeWorkspace({
+    installs: {
+      claude: {
+        path: path.join(os.tmpdir(), "definitely-not-here-claude-managed.json"),
+        version: "v1",
+        frameworks: [{ id: "iso27001", version: "0.1" }],
+        installed_at: new Date().toISOString(),
+        mode: "advisory",
+      },
+    },
+  });
+  try {
+    const result = await runGovernRepair({ cwd: root, skipRoot: true });
+    assert.equal(result.ok, false);
+    assert.match(result.message, /missing/);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("repair: errors when copilot shim has been replaced", async () => {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-repair-shim-"));
+  const ctx = path.join(root, ".context");
+  fs.mkdirSync(ctx, { recursive: true });
+  const fakeShim = path.join(root, "fake-copilot");
+  fs.writeFileSync(fakeShim, "#!/bin/sh\necho NOT a cortex shim\n", { mode: 0o755 });
+  fs.writeFileSync(
+    path.join(ctx, "govern.local.json"),
+    JSON.stringify({
+      installs: {
+        copilot: {
+          path: fakeShim,
+          version: "shim-v1",
+          frameworks: [],
+          installed_at: new Date().toISOString(),
+          mode: "advisory",
+        },
+      },
+    }),
+  );
+  try {
+    const result = await runGovernRepair({ cwd: root, skipRoot: true });
+    assert.equal(result.ok, false);
+    assert.match(result.message, /no longer a cortex shim/);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("repair: clears tamper lock when managed paths verify clean", async () => {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-repair-ok-"));
+  const ctx = path.join(root, ".context");
+  fs.mkdirSync(ctx, { recursive: true });
+  const claudeManaged = path.join(root, "managed.json");
+  fs.writeFileSync(claudeManaged, '{"allowManagedHooksOnly":true}');
+  fs.writeFileSync(
+    path.join(ctx, "govern.local.json"),
+    JSON.stringify({
+      installs: {
+        claude: {
+          path: claudeManaged,
+          version: "v1",
+          frameworks: [],
+          installed_at: new Date().toISOString(),
+          mode: "enforced",
+        },
+      },
+    }),
+  );
+  writeTamperLock(root, {
+    version: 1,
+    detected_at: new Date().toISOString(),
+    cli: "claude",
+    session_id: "s",
+    hook_name: "any",
+    last_seen: new Date(Date.now() - 60_000).toISOString(),
+    missing_seconds: 60,
+    host_id: "h",
+    cwd: root,
+  });
+  try {
+    const result = await runGovernRepair({
+      cwd: root,
+      skipRoot: true,
+      reason: "Operator reviewed and cleared",
+    });
+    assert.equal(result.ok, true, result.message);
+    assert.equal(result.removed_lock, true);
+    assert.deepEqual(result.reverified, ["claude"]);
+    assert.equal(fs.existsSync(path.join(ctx, ".cortex-tamper.lock")), false);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("repair: success even when there is no lock — paths still verified", async () => {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-repair-clean-"));
+  const ctx = path.join(root, ".context");
+  fs.mkdirSync(ctx, { recursive: true });
+  const claudeManaged = path.join(root, "managed.json");
+  fs.writeFileSync(claudeManaged, "{}");
+  fs.writeFileSync(
+    path.join(ctx, "govern.local.json"),
+    JSON.stringify({
+      installs: {
+        claude: {
+          path: claudeManaged,
+          version: "v1",
+          frameworks: [],
+          installed_at: new Date().toISOString(),
+          mode: "advisory",
+        },
+      },
+    }),
+  );
+  try {
+    const result = await runGovernRepair({ cwd: root, skipRoot: true });
+    assert.equal(result.ok, true, result.message);
+    assert.equal(result.removed_lock, false);
+    assert.match(result.message, /No tamper lock present/);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});