@danielblomma/cortex-mcp 1.7.1 → 2.0.2

package/scaffold/mcp/tests/heartbeat-pusher.test.mjs

@@ -0,0 +1,154 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import http from "node:http";
+
+import {
+  buildHeartbeatPayload,
+  pushHeartbeat,
+} from "../dist/daemon/heartbeat-pusher.js";
+
+function startMockServer(handler) {
+  const server = http.createServer((req, res) => {
+    let body = "";
+    req.on("data", (c) => (body += c));
+    req.on("end", () => handler(req, res, body));
+  });
+  return new Promise((resolve) => {
+    server.listen(0, "127.0.0.1", () => {
+      const addr = server.address();
+      resolve({ server, baseUrl: `http://127.0.0.1:${addr.port}` });
+    });
+  });
+}
+
+function makeProject({ baseUrl = "https://example.com", apiKey = "ent_test_key_12345678", installs = {}, frameworks = ["iso27001"] } = {}) {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-heartbeat-"));
+  const ctx = path.join(root, ".context");
+  fs.mkdirSync(ctx, { recursive: true });
+  fs.writeFileSync(
+    path.join(ctx, "enterprise.yml"),
+    [
+      "enterprise:",
+      `  api_key: ${apiKey}`,
+      `  base_url: ${baseUrl}`,
+      "compliance:",
+      `  frameworks: [${frameworks.join(", ")}]`,
+      "",
+    ].join("\n"),
+  );
+  if (Object.keys(installs).length > 0) {
+    fs.writeFileSync(path.join(ctx, "govern.local.json"), JSON.stringify({ installs }));
+  }
+  return { root, ctx };
+}
+
+test("buildHeartbeatPayload: empty installs → mode off, empty ai_clis", () => {
+  const { root } = makeProject();
+  try {
+    const payload = buildHeartbeatPayload(root, "test-host");
+    assert.equal(payload.host_id, "test-host");
+    assert.equal(payload.govern_mode, "off");
+    assert.deepEqual(payload.ai_clis_detected, []);
+    assert.deepEqual(payload.active_frameworks, ["iso27001"]);
+    assert.equal(payload.config_version, null);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("buildHeartbeatPayload: enforced wins over advisory across multiple installs", () => {
+  const { root } = makeProject({
+    installs: {
+      claude: { mode: "advisory", version: "v1", frameworks: [] },
+      codex: { mode: "enforced", version: "v2", frameworks: [] },
+    },
+  });
+  try {
+    const payload = buildHeartbeatPayload(root);
+    assert.equal(payload.govern_mode, "enforced");
+    assert.equal(payload.ai_clis_detected.length, 2);
+    assert.equal(payload.ai_clis_detected.find((c) => c.name === "claude").tier, "prevent");
+    assert.equal(payload.ai_clis_detected.find((c) => c.name === "codex").tier, "prevent");
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("buildHeartbeatPayload: copilot maps to wrap tier", () => {
+  const { root } = makeProject({
+    installs: {
+      copilot: { mode: "advisory", version: "shim-v1", frameworks: [] },
+    },
+  });
+  try {
+    const payload = buildHeartbeatPayload(root);
+    assert.equal(payload.ai_clis_detected[0].name, "copilot");
+    assert.equal(payload.ai_clis_detected[0].tier, "wrap");
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("pushHeartbeat: posts canonical payload to /api/v1/govern/heartbeat", async () => {
+  let received = null;
+  let receivedAuth = null;
+  const { server, baseUrl } = await startMockServer((req, res, body) => {
+    if (req.url === "/api/v1/govern/heartbeat" && req.method === "POST") {
+      received = JSON.parse(body);
+      receivedAuth = req.headers["authorization"];
+      res.statusCode = 200;
+      res.setHeader("content-type", "application/json");
+      res.end(JSON.stringify({ ok: true, server_time: new Date().toISOString() }));
+      return;
+    }
+    res.statusCode = 404;
+    res.end();
+  });
+  const { root } = makeProject({
+    baseUrl,
+    installs: { claude: { mode: "enforced", version: "v1", frameworks: [] } },
+  });
+  try {
+    const result = await pushHeartbeat(root);
+    assert.equal(result.ok, true);
+    assert.equal(receivedAuth, "Bearer ent_test_key_12345678");
+    assert.equal(received.govern_mode, "enforced");
+    assert.equal(received.config_version, "v1");
+    assert.ok(received.host_id.length > 0);
+    assert.ok(["darwin", "linux", "windows"].includes(received.os));
+  } finally {
+    server.close();
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("pushHeartbeat: returns error when enterprise not configured", async () => {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-heartbeat-bare-"));
+  fs.mkdirSync(path.join(root, ".context"));
+  try {
+    const result = await pushHeartbeat(root);
+    assert.equal(result.ok, false);
+    assert.match(result.error, /enterprise not configured/);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("pushHeartbeat: server 500 surfaces error string", async () => {
+  const { server, baseUrl } = await startMockServer((req, res) => {
+    res.statusCode = 500;
+    res.end("boom");
+  });
+  const { root } = makeProject({ baseUrl });
+  try {
+    const result = await pushHeartbeat(root);
+    assert.equal(result.ok, false);
+    assert.match(result.error, /HTTP 500/);
+  } finally {
+    server.close();
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});

package/scaffold/mcp/tests/heartbeat-tracker.test.mjs

@@ -0,0 +1,237 @@
+import test from "node:test";
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+
+import {
+  HeartbeatTracker,
+  TAMPER_LOCK_FILENAME,
+  writeTamperLock,
+  readTamperLock,
+  removeTamperLock,
+} from "../dist/daemon/heartbeat-tracker.js";
+
+function makeWorkspace() {
+  const root = fs.mkdtempSync(path.join(os.tmpdir(), "cortex-heartbeat-"));
+  fs.mkdirSync(path.join(root, ".context"), { recursive: true });
+  return root;
+}
+
+function ts(offsetMs = 0) {
+  return new Date(Date.now() + offsetMs).toISOString();
+}
+
+test("recordHeartbeat: SessionStart registers an active session", () => {
+  const tracker = new HeartbeatTracker({ hostId: "test-host" });
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "SessionStart",
+    session_id: "sess-1",
+    cwd: "/p",
+    ts: ts(),
+  });
+  assert.equal(tracker.getActiveSessions().length, 1);
+});
+
+test("recordHeartbeat: SessionEnd marks session ended", () => {
+  const tracker = new HeartbeatTracker();
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "SessionStart",
+    session_id: "sess-1",
+    cwd: "/p",
+    ts: ts(),
+  });
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "SessionEnd",
+    session_id: "sess-1",
+    cwd: "/p",
+    ts: ts(),
+  });
+  assert.equal(tracker.getActiveSessions().length, 0);
+});
+
+test("detectTamper: pure idle (only SessionStart) is NOT flagged", () => {
+  const tracker = new HeartbeatTracker();
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "SessionStart",
+    session_id: "sess-idle",
+    cwd: "/p",
+    ts: ts(-10 * 60 * 1000), // 10 min ago
+  });
+  const findings = tracker.detectTamper({
+    cwds: ["/p"],
+    missingThresholdSeconds: 60,
+  });
+  assert.equal(findings.length, 0);
+});
+
+test("detectTamper: had-activity-then-silence IS flagged", () => {
+  const tracker = new HeartbeatTracker({ hostId: "h" });
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "SessionStart",
+    session_id: "sess-tamper",
+    cwd: "/p",
+    ts: ts(-10 * 60 * 1000),
+  });
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "PreToolUse",
+    session_id: "sess-tamper",
+    cwd: "/p",
+    ts: ts(-9 * 60 * 1000), // last activity 9 min ago
+  });
+  const findings = tracker.detectTamper({
+    cwds: ["/p"],
+    missingThresholdSeconds: 60, // 1 min threshold → 9 min silence is tamper
+  });
+  assert.equal(findings.length, 1);
+  assert.equal(findings[0].cli, "claude");
+  assert.equal(findings[0].session_id, "sess-tamper");
+  assert.equal(findings[0].cwd, "/p");
+  assert.ok(findings[0].missing_seconds >= 60);
+});
+
+test("detectTamper: same session is not flagged twice", () => {
+  const tracker = new HeartbeatTracker();
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "SessionStart",
+    session_id: "sess-once",
+    cwd: "/p",
+    ts: ts(-10 * 60 * 1000),
+  });
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "PreToolUse",
+    session_id: "sess-once",
+    cwd: "/p",
+    ts: ts(-9 * 60 * 1000),
+  });
+  const first = tracker.detectTamper({ cwds: ["/p"], missingThresholdSeconds: 60 });
+  assert.equal(first.length, 1);
+  const second = tracker.detectTamper({ cwds: ["/p"], missingThresholdSeconds: 60 });
+  assert.equal(second.length, 0, "session marked ended after first detection");
+});
+
+test("detectTamper: ended session is not flagged", () => {
+  const tracker = new HeartbeatTracker();
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "SessionStart",
+    session_id: "sess-ended",
+    cwd: "/p",
+    ts: ts(-15 * 60 * 1000),
+  });
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "PreToolUse",
+    session_id: "sess-ended",
+    cwd: "/p",
+    ts: ts(-14 * 60 * 1000),
+  });
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "SessionEnd",
+    session_id: "sess-ended",
+    cwd: "/p",
+    ts: ts(-13 * 60 * 1000),
+  });
+  const findings = tracker.detectTamper({
+    cwds: ["/p"],
+    missingThresholdSeconds: 60,
+  });
+  assert.equal(findings.length, 0);
+});
+
+test("detectTamper: stale session beyond cleanupAfterMs is auto-removed", () => {
+  const tracker = new HeartbeatTracker({ cleanupAfterMs: 1000 });
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "SessionStart",
+    session_id: "sess-stale",
+    cwd: "/p",
+    ts: ts(-10 * 1000),
+  });
+  tracker.recordHeartbeat({
+    cli: "claude",
+    hook: "PreToolUse",
+    session_id: "sess-stale",
+    cwd: "/p",
+    ts: ts(-9 * 1000),
+  });
+  assert.equal(tracker._size(), 1);
+  tracker.detectTamper({ cwds: ["/p"], missingThresholdSeconds: 60 });
+  assert.equal(tracker._size(), 0, "stale session removed");
+});
+
+test("writeTamperLock + readTamperLock + removeTamperLock round-trip", () => {
+  const root = makeWorkspace();
+  try {
+    const entry = {
+      version: 1,
+      detected_at: ts(),
+      cli: "claude",
+      session_id: "sess-1",
+      hook_name: "any",
+      last_seen: ts(-60_000),
+      missing_seconds: 60,
+      host_id: "h",
+      cwd: root,
+    };
+    const written = writeTamperLock(root, entry);
+    assert.match(written, new RegExp(TAMPER_LOCK_FILENAME));
+
+    const read = readTamperLock(root);
+    assert.deepEqual(read, entry);
+
+    const removed = removeTamperLock(root);
+    assert.equal(removed, true);
+    assert.equal(readTamperLock(root), null);
+    assert.equal(removeTamperLock(root), false, "no-op on second remove");
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});
+
+test("recordHeartbeat: response includes tamper_lock_active flag", () => {
+  const root = makeWorkspace();
+  try {
+    const tracker = new HeartbeatTracker();
+    const before = tracker.recordHeartbeat({
+      cli: "claude",
+      hook: "SessionStart",
+      session_id: "s",
+      cwd: root,
+      ts: ts(),
+    });
+    assert.equal(before.tamper_lock_active, false);
+
+    writeTamperLock(root, {
+      version: 1,
+      detected_at: ts(),
+      cli: "claude",
+      session_id: "s",
+      hook_name: "any",
+      last_seen: ts(),
+      missing_seconds: 0,
+      host_id: "h",
+      cwd: root,
+    });
+
+    const after = tracker.recordHeartbeat({
+      cli: "claude",
+      hook: "PreToolUse",
+      session_id: "s",
+      cwd: root,
+      ts: ts(),
+    });
+    assert.equal(after.tamper_lock_active, true);
+  } finally {
+    fs.rmSync(root, { recursive: true, force: true });
+  }
+});