@datacules/agent-identity-mcp 0.11.0 → 0.11.1

package/dist/types/types.d.ts

@@ -0,0 +1,87 @@
+/**
+ * MCP-specific type extensions for @datacules/agent-identity.
+ *
+ * McpRequestContext extends AgentRequestContext with the MCP session and
+ * client identifiers so audit logs can trace a credential resolution back
+ * to the exact MCP session that triggered it.
+ */
+import type { AgentRequestContext, MigrationContext } from '@datacules/agent-identity';
+/**
+ * AgentRequestContext enriched with MCP session metadata.
+ * Pass this to AgentIdentityMcpServer.resolve() for full audit trail.
+ */
+export interface McpRequestContext extends AgentRequestContext {
+    /** MCP session ID from the active transport session */
+    mcpSessionId: string;
+    /** MCP client identifier (e.g. 'claude-desktop', 'cursor', 'windsurf') */
+    mcpClientId?: string;
+    /** MCP protocol version negotiated during handshake */
+    mcpProtocolVersion?: string;
+}
+/**
+ * MigrationContext enriched with MCP session metadata.
+ */
+export interface McpMigrationContext extends MigrationContext {
+    mcpSessionId: string;
+    mcpClientId?: string;
+    mcpProtocolVersion?: string;
+}
+export interface ResolveCredentialInput {
+    userId: string;
+    resourceId: string;
+    resourceKind: 'shared' | 'personal';
+    provider: 'openai' | 'anthropic' | 'gemini' | 'mistral' | 'local';
+    model: string;
+    action: string;
+    traceId: string;
+    sessionId?: string;
+    requestedAt?: string;
+    parentTraceId?: string;
+    mcpSessionId?: string;
+    mcpClientId?: string;
+}
+export interface ResolveMigrationInput {
+    userId: string;
+    resourceId: string;
+    resourceKind: 'shared' | 'personal';
+    provider: 'openai' | 'anthropic' | 'gemini' | 'mistral' | 'local';
+    model: string;
+    action: string;
+    traceId: string;
+    migrationId: string;
+    phase: 'dry-run' | 'extract' | 'transform' | 'load' | 'verify' | 'rollback';
+    sourceResourceId: string;
+    targetResourceId: string;
+    batchIndex?: number;
+    totalBatches?: number;
+    dryRun: boolean;
+    requestedAt?: string;
+    mcpSessionId?: string;
+    mcpClientId?: string;
+}
+export interface AgentIdentityMcpServerOptions {
+    /**
+     * Server name sent during MCP handshake.
+     * Appears in the client's tool list as the server label.
+     */
+    name?: string;
+    /** Semantic version string reported during handshake */
+    version?: string;
+    /**
+     * Transport mode.
+     * - 'stdio'    : reads from stdin / writes to stdout (default; use for
+     *               Claude Desktop, Claude Code, Cursor, Windsurf configs)
+     * - 'http'     : HTTP + SSE transport on the specified port
+     */
+    transport?: 'stdio' | 'http';
+    /** Port for HTTP+SSE transport (default: 3002) */
+    httpPort?: number;
+    /** Host for HTTP+SSE transport (default: '127.0.0.1') */
+    httpHost?: string;
+    /**
+     * Optional bearer token required in MCP HTTP requests.
+     * Ignored for stdio transport.
+     */
+    httpAuthToken?: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/types/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAC;AAIvF;;;GAGG;AACH,MAAM,WAAW,iBAAkB,SAAQ,mBAAmB;IAC5D,uDAAuD;IACvD,YAAY,EAAE,MAAM,CAAC;IACrB,0EAA0E;IAC1E,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,uDAAuD;IACvD,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,gBAAgB;IAC3D,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAID,MAAM,WAAW,sBAAsB;IACrC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,QAAQ,GAAG,UAAU,CAAC;IACpC,QAAQ,EAAE,QAAQ,GAAG,WAAW,GAAG,QAAQ,GAAG,SAAS,GAAG,OAAO,CAAC;IAClE,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,qBAAqB;IACpC,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,QAAQ,GAAG,UAAU,CAAC;IACpC,QAAQ,EAAE,QAAQ,GAAG,WAAW,GAAG,QAAQ,GAAG,SAAS,GAAG,OAAO,CAAC;IAClE,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,EAAE,SAAS,GAAG,SAAS,GAAG,WAAW,GAAG,MAAM,GAAG,QAAQ,GAAG,UAAU,CAAC;IAC5E,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,MAAM,EAAE,OAAO,CAAC;IAChB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAID,MAAM,WAAW,6BAA6B;IAC5C;;;OAGG;IACH,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,wDAAwD;IACxD,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC;IAC7B,kDAAkD;IAClD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,yDAAyD;IACzD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB"}

package/package.json

@@ -1,22 +1,42 @@
 {
   "name": "@datacules/agent-identity-mcp",
-  "version": "0.11.0",
+  "version": "0.11.1",
   "private": false,
   "description": "MCP server adapter for @datacules/agent-identity — expose credential resolution as MCP tools",
+  "author": "Datacules LLC",
+  "license": "SEE LICENSE IN LICENSE",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/hvrcharon1/agent-identity.git",
+    "directory": "packages/integrations/mcp"
+  },
   "main": "./dist/cjs/index.js",
   "module": "./dist/esm/index.js",
   "types": "./dist/types/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/esm/index.js",
+      "require": "./dist/cjs/index.js",
+      "types": "./dist/types/index.d.ts"
+    }
+  },
   "bin": {
     "agent-identity-mcp": "./bin/server.js"
   },
+  "files": [
+    "dist",
+    "bin",
+    "LICENSE",
+    "README.md"
+  ],
   "scripts": {
-    "build": "tsc -p tsconfig.build.json",
+    "build": "tsc -p tsconfig.build.json && tsc -p tsconfig.cjs.json",
     "type-check": "tsc --noEmit",
     "start": "node bin/server.js",
     "start:http": "MCP_TRANSPORT=http node bin/server.js"
   },
   "peerDependencies": {
-    "@datacules/agent-identity": "^0.6.0"
+    "@datacules/agent-identity": "^0.11.1"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.10.0",

package/src/index.ts

@@ -1,221 +0,0 @@
-/**
- * @datacules/agent-identity-mcp
- *
- * Exposes agent-identity credential resolution as an MCP server.
- * Any MCP-capable client — Claude Desktop, Claude Code, Cursor,
- * Windsurf, or a custom agent — can call the following tools:
- *
- *   resolve_credential           — resolves a credential for an AgentRequestContext
- *   resolve_migration_credential — resolves source+target pair for MigrationContext
- *   list_credentials             — lists active credentials (safe metadata only)
- *   list_rules                   — lists routing rules (highest priority first)
- *   health                       — liveness + loaded credential/rule counts
- *
- * Supports two transports:
- *   stdio    — stdin/stdout, compatible with Claude Desktop / Claude Code / Cursor configs
- *   http+sse — HTTP Server-Sent Events for hosted deployments
- *
- * Quick start (stdio):
- *   import { createAgentIdentityMcpServer } from '@datacules/agent-identity-mcp';
- *   const { start } = createAgentIdentityMcpServer({ credentials, rules });
- *   await start();  // reads from stdin, writes to stdout
- *
- * Quick start (HTTP):
- *   const { start } = createAgentIdentityMcpServer({
- *     credentials, rules, transport: 'http', httpPort: 3002
- *   });
- *   await start();
- *
- * Claude Desktop config snippet (~/.claude/claude_desktop_config.json):
- *   {
- *     "mcpServers": {
- *       "agent-identity": {
- *         "command": "npx",
- *         "args": ["@datacules/agent-identity-mcp"],
- *         "env": {
- *           "AGENT_IDENTITY_CREDENTIALS": "<base64-encoded JSON>",
- *           "AGENT_IDENTITY_RULES": "<base64-encoded JSON>"
- *         }
- *       }
- *     }
- *   }
- */
-
-import { Server } from '@modelcontextprotocol/sdk/server/index.js';
-import {
-  CallToolRequestSchema,
-  ListToolsRequestSchema,
-} from '@modelcontextprotocol/sdk/types.js';
-import type { AuditLogger, Credential, CredentialStore, RoutingRule } from '@datacules/agent-identity';
-import { MemoryCredentialStore } from '@datacules/agent-identity';
-import { ALL_TOOLS, type ToolDeps } from './tools.js';
-import { StdioServerTransport, startHttpMcpTransport } from './transports.js';
-import type { AgentIdentityMcpServerOptions } from './types.js';
-
-export * from './types.js';
-export { ALL_TOOLS } from './tools.js';
-
-// ─── Server factory ───────────────────────────────────────────────────────────
-
-export interface AgentIdentityMcpServerInit {
-  /**
-   * Credential array (convenience). Wrapped in a MemoryCredentialStore
-   * unless `store` is also provided, in which case `store` takes precedence.
-   */
-  credentials?: Credential[];
-  /** Custom CredentialStore (e.g. VaultCredentialStore, AwsCredentialStore) */
-  store?: CredentialStore;
-  rules: RoutingRule[];
-  logger?: AuditLogger;
-}
-
-export type AgentIdentityMcpServerConfig = AgentIdentityMcpServerInit & AgentIdentityMcpServerOptions;
-
-export interface AgentIdentityMcpServerHandle {
-  /** MCP Server instance (use to attach additional request handlers if needed) */
-  server: Server;
-  /** Start the server and connect the configured transport. Resolves when ready. */
-  start: () => Promise<void>;
-  /** Stop / clean up (closes HTTP server for http transport; no-op for stdio) */
-  stop: () => Promise<void>;
-}
-
-/**
- * Create an agent-identity MCP server.
- *
- * @example
- * // stdio (Claude Desktop / Claude Code config)
- * const { start } = createAgentIdentityMcpServer({ credentials, rules });
- * await start();
- *
- * @example
- * // HTTP+SSE (hosted / networked)
- * const { start } = createAgentIdentityMcpServer({
- *   credentials, rules, transport: 'http', httpPort: 3002,
- * });
- * await start();
- */
-export function createAgentIdentityMcpServer(
-  config: AgentIdentityMcpServerConfig
-): AgentIdentityMcpServerHandle {
-  const {
-    credentials,
-    store: customStore,
-    rules,
-    logger,
-    name = 'agent-identity',
-    version = '0.1.0',
-    transport = 'stdio',
-    httpPort = 3002,
-    httpHost = '127.0.0.1',
-    httpAuthToken,
-  } = config;
-
-  if (!customStore && !credentials) {
-    throw new Error('[agent-identity-mcp] Provide either credentials[] or a custom store.');
-  }
-
-  const store: CredentialStore =
-    customStore ?? new MemoryCredentialStore(credentials!);
-
-  const deps: ToolDeps = { store, rules, logger };
-
-  // Build the MCP server
-  const server = new Server(
-    { name, version },
-    { capabilities: { tools: {} } }
-  );
-
-  // Register tools/list handler
-  server.setRequestHandler(ListToolsRequestSchema, async () => ({
-    tools: ALL_TOOLS.map((t) => ({
-      name: t.name,
-      description: t.description,
-      inputSchema: {
-        type: 'object' as const,
-        // Convert Zod schema to JSON Schema via .shape introspection for
-        // simple objects; complex schemas fall back to an open object.
-        properties: extractJsonSchemaProperties(t.inputSchema),
-        required: extractRequiredKeys(t.inputSchema),
-      },
-    })),
-  }));
-
-  // Register tools/call handler
-  server.setRequestHandler(CallToolRequestSchema, async (request) => {
-    const tool = ALL_TOOLS.find((t) => t.name === request.params.name);
-    if (!tool) {
-      return {
-        content: [{ type: 'text' as const, text: JSON.stringify({ error: `Unknown tool: ${request.params.name}` }) }],
-        isError: true,
-      };
-    }
-    return tool.handler(request.params.arguments ?? {}, deps);
-  });
-
-  let stopFn: (() => void) | null = null;
-
-  const start = async (): Promise<void> => {
-    if (transport === 'stdio') {
-      const stdioTransport = new StdioServerTransport();
-      await server.connect(stdioTransport);
-    } else {
-      stopFn = await startHttpMcpTransport({
-        server,
-        port: httpPort,
-        host: httpHost,
-        authToken: httpAuthToken,
-      });
-    }
-  };
-
-  const stop = async (): Promise<void> => {
-    stopFn?.();
-    await server.close();
-  };
-
-  return { server, start, stop };
-}
-
-// ─── JSON Schema helpers (lightweight — no ajv dependency) ───────────────────
-
-function extractJsonSchemaProperties(schema: any): Record<string, unknown> {
-  try {
-    const shape = schema?._def?.shape?.() ?? schema?.shape ?? {};
-    const props: Record<string, unknown> = {};
-    for (const [key, val] of Object.entries(shape)) {
-      props[key] = zodToJsonSchemaNode(val);
-    }
-    return props;
-  } catch {
-    return {};
-  }
-}
-
-function extractRequiredKeys(schema: any): string[] {
-  try {
-    const shape = schema?._def?.shape?.() ?? schema?.shape ?? {};
-    return Object.entries(shape)
-      .filter(([, v]: [string, any]) => {
-        const typeName = v?._def?.typeName;
-        return typeName !== 'ZodOptional' && typeName !== 'ZodDefault';
-      })
-      .map(([k]) => k);
-  } catch {
-    return [];
-  }
-}
-
-function zodToJsonSchemaNode(zodNode: any): Record<string, unknown> {
-  const typeName = zodNode?._def?.typeName;
-  switch (typeName) {
-    case 'ZodString':  return { type: 'string' };
-    case 'ZodNumber':  return { type: 'number' };
-    case 'ZodBoolean': return { type: 'boolean' };
-    case 'ZodEnum':    return { type: 'string', enum: zodNode._def.values };
-    case 'ZodOptional':
-    case 'ZodDefault': return zodToJsonSchemaNode(zodNode._def.innerType);
-    case 'ZodObject':  return { type: 'object', properties: extractJsonSchemaProperties(zodNode) };
-    default:           return { type: 'string' };
-  }
-}

package/src/mcp.test.ts

@@ -1,271 +0,0 @@
-/**
- * mcp.test.ts
- *
- * Vitest test suite for the MCP tool handler functions in
- * packages/integrations/mcp/src/tools.ts.
- *
- * tools.ts imports only zod and @datacules/agent-identity — it does NOT
- * import @modelcontextprotocol/sdk (that is in index.ts and transports.ts).
- * Each tool's handler function is called directly with a ToolDeps object
- * containing a MemoryCredentialStore and routing rules, so no MCP SDK runtime
- * or network connection is required.
- *
- * 14 test cases:
- *   resolve_credential (4)
- *   resolve_migration_credential (3)
- *   list_credentials (3)
- *   list_rules (2)
- *   health (2)
- */
-import { describe, it, expect } from 'vitest';
-import { ALL_TOOLS } from './tools';
-import { MemoryCredentialStore } from '@datacules/agent-identity';
-import type { Credential, RoutingRule } from '@datacules/agent-identity';
-import type { ToolDeps } from './tools';
-
-// ─── Fixtures ─────────────────────────────────────────────────────────────────
-
-const CREDENTIALS: Credential[] = [
-  {
-    id: 'cred-openai',
-    kind: 'fixed',
-    name: 'OpenAI Prod Key',
-    scope: 'read write',
-    status: 'active',
-    provider: 'openai',
-    ref: 'openai-prod-key',
-  },
-  {
-    id: 'cred-anthropic',
-    kind: 'user-delegated',
-    name: 'Anthropic User Token',
-    scope: 'read',
-    status: 'active',
-    provider: 'anthropic',
-    ref: 'anthropic-user-ref',
-  },
-];
-
-const RULES: RoutingRule[] = [
-  {
-    id: 'rule-openai-shared',
-    credentialRef: 'openai-prod-key',
-    priority: 10,
-    matchProvider: 'openai',
-    matchResourceKind: 'shared',
-  },
-  {
-    id: 'rule-anthropic-personal',
-    credentialRef: 'anthropic-user-ref',
-    priority: 20,
-    matchProvider: 'anthropic',
-    matchResourceKind: 'personal',
-  },
-];
-
-/** Shared base context that satisfies BaseContextSchema */
-const BASE_CTX = {
-  userId: 'user-abc',
-  resourceId: 'res-001',
-  resourceKind: 'shared' as const,
-  provider: 'openai' as const,
-  model: 'gpt-4',
-  action: 'complete',
-  traceId: 'trace-xyz',
-};
-
-// ─── Helpers ──────────────────────────────────────────────────────────────────
-
-function makeDeps(overrideRules?: RoutingRule[]): ToolDeps {
-  const store = new MemoryCredentialStore(CREDENTIALS);
-  return { store, rules: overrideRules ?? RULES };
-}
-
-function getTool(name: string) {
-  const tool = ALL_TOOLS.find((t) => t.name === name);
-  if (!tool) throw new Error(`Tool '${name}' not found in ALL_TOOLS`);
-  return tool;
-}
-
-// ─── resolve_credential ───────────────────────────────────────────────────────
-
-describe('resolve_credential tool', () => {
-  it('returns credentialId, kind, and resolvedFor on successful resolution', async () => {
-    const tool = getTool('resolve_credential');
-    const result = await tool.handler(BASE_CTX, makeDeps());
-
-    expect(result.isError).toBeFalsy();
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.ok).toBe(true);
-    expect(payload.credentialId).toBe('cred-openai');
-    expect(payload.kind).toBe('fixed');
-    expect(payload.resolvedFor).toBe('service');
-  });
-
-  it('never includes the raw credential ref in the response', async () => {
-    const tool = getTool('resolve_credential');
-    const result = await tool.handler(BASE_CTX, makeDeps());
-
-    const payload = JSON.parse(result.content[0].text);
-    // 'ref' must not be present — it is the raw secret reference
-    expect(payload.ref).toBeUndefined();
-  });
-
-  it('returns isError=true when no routing rule matches the context', async () => {
-    const tool = getTool('resolve_credential');
-    // gemini matches no configured rule
-    const ctx = { ...BASE_CTX, provider: 'gemini' as const };
-    const result = await tool.handler(ctx, makeDeps());
-
-    expect(result.isError).toBe(true);
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.error).toMatch(/No credential resolved/i);
-  });
-
-  it('returns isError=true with Zod validation error when input is invalid', async () => {
-    const tool = getTool('resolve_credential');
-    // userId is required (min length 1) — empty string fails Zod
-    const result = await tool.handler({ ...BASE_CTX, userId: '' }, makeDeps());
-
-    expect(result.isError).toBe(true);
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.error).toMatch(/Validation error/i);
-  });
-});
-
-// ─── resolve_migration_credential ─────────────────────────────────────────────
-
-describe('resolve_migration_credential tool', () => {
-  // Both source and target use provider:openai + resourceKind:shared,
-  // which matches rule-openai-shared → cred-openai for both contexts.
-  const MIGRATION_CTX = {
-    ...BASE_CTX,
-    migrationId: 'mig-001',
-    phase: 'extract' as const,
-    sourceResourceId: 'src-001',
-    targetResourceId: 'tgt-001',
-    dryRun: false,
-  };
-
-  it('returns source, target, and migrationId on successful pair resolution', async () => {
-    const tool = getTool('resolve_migration_credential');
-    const result = await tool.handler(MIGRATION_CTX, makeDeps());
-
-    expect(result.isError).toBeFalsy();
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.ok).toBe(true);
-    expect(payload.migrationId).toBe('mig-001');
-    expect(payload.source.credentialId).toBe('cred-openai');
-    expect(payload.target.credentialId).toBe('cred-openai');
-  });
-
-  it('returns isError=true when no credential pair can be resolved', async () => {
-    const tool = getTool('resolve_migration_credential');
-    // gemini matches no configured rule → pair returns null
-    const ctx = { ...MIGRATION_CTX, provider: 'gemini' as const };
-    const result = await tool.handler(ctx, makeDeps());
-
-    expect(result.isError).toBe(true);
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.error).toMatch(/No credential pair resolved/i);
-  });
-
-  it('returns isError=true with Zod validation error when migrationId is missing', async () => {
-    const tool = getTool('resolve_migration_credential');
-    // Destructure out migrationId so the field is absent from the input object
-    const { migrationId: _omit, ...withoutMigrationId } = MIGRATION_CTX;
-    const result = await tool.handler(withoutMigrationId, makeDeps());
-
-    expect(result.isError).toBe(true);
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.error).toMatch(/Validation error/i);
-  });
-});
-
-// ─── list_credentials ─────────────────────────────────────────────────────────
-
-describe('list_credentials tool', () => {
-  it('returns all active credentials with safe metadata (no raw ref)', async () => {
-    const tool = getTool('list_credentials');
-    const result = await tool.handler({}, makeDeps());
-
-    expect(result.isError).toBeFalsy();
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.count).toBe(2);
-    expect(payload.credentials[0]).toHaveProperty('id');
-    expect(payload.credentials[0]).toHaveProperty('kind');
-    expect(payload.credentials[0]).toHaveProperty('scope');
-    // raw ref must never appear in list output
-    expect(payload.credentials[0]).not.toHaveProperty('ref');
-  });
-
-  it('filters to only fixed credentials when kind=fixed is specified', async () => {
-    const tool = getTool('list_credentials');
-    const result = await tool.handler({ kind: 'fixed' }, makeDeps());
-
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.count).toBe(1);
-    expect(payload.credentials[0].kind).toBe('fixed');
-    expect(payload.credentials[0].id).toBe('cred-openai');
-  });
-
-  it('filters to only user-delegated credentials when kind=user-delegated is specified', async () => {
-    const tool = getTool('list_credentials');
-    const result = await tool.handler({ kind: 'user-delegated' }, makeDeps());
-
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.count).toBe(1);
-    expect(payload.credentials[0].kind).toBe('user-delegated');
-    expect(payload.credentials[0].id).toBe('cred-anthropic');
-  });
-});
-
-// ─── list_rules ───────────────────────────────────────────────────────────────
-
-describe('list_rules tool', () => {
-  it('returns all rules sorted by priority descending', async () => {
-    const tool = getTool('list_rules');
-    const result = await tool.handler({}, makeDeps());
-
-    expect(result.isError).toBeFalsy();
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.count).toBe(2);
-    // rule-anthropic-personal (priority 20) must come before rule-openai-shared (priority 10)
-    expect(payload.rules[0].priority).toBeGreaterThanOrEqual(payload.rules[1].priority);
-  });
-
-  it('includes both rule ids in the result', async () => {
-    const tool = getTool('list_rules');
-    const result = await tool.handler({}, makeDeps());
-
-    const payload = JSON.parse(result.content[0].text);
-    const ids: string[] = payload.rules.map((r: { id: string }) => r.id);
-    expect(ids).toContain('rule-openai-shared');
-    expect(ids).toContain('rule-anthropic-personal');
-  });
-});
-
-// ─── health ───────────────────────────────────────────────────────────────────
-
-describe('health tool', () => {
-  it('returns status: ok, credentialsLoaded, rulesLoaded, and a timestamp', async () => {
-    const tool = getTool('health');
-    const result = await tool.handler({}, makeDeps());
-
-    expect(result.isError).toBeFalsy();
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.status).toBe('ok');
-    expect(payload.credentialsLoaded).toBe(2);
-    expect(payload.rulesLoaded).toBe(2);
-    expect(payload.timestamp).toBeDefined();
-  });
-
-  it('timestamp in health response is a valid ISO 8601 string', async () => {
-    const tool = getTool('health');
-    const result = await tool.handler({}, makeDeps());
-
-    const payload = JSON.parse(result.content[0].text);
-    // new Date().toISOString() must not throw and must round-trip cleanly
-    expect(() => new Date(payload.timestamp).toISOString()).not.toThrow();
-  });
-});