@dxheroes/local-mcp-backend 0.8.0 → 0.9.0

package/.turbo/turbo-build.log

@@ -1,9 +1,9 @@
 
-> @dxheroes/local-mcp-backend@0.8.0 build /home/runner/work/local-mcp-gateway/local-mcp-gateway/apps/backend
+> @dxheroes/local-mcp-backend@0.9.0 build /home/runner/work/local-mcp-gateway/local-mcp-gateway/apps/backend
 > nest build
 
 -  TSC  Initializing type checker...
 ✔  TSC  Initializing type checker...
 >  TSC  Found 0 issues.
 >  SWC  Running...
-Successfully compiled: 36 files with swc (76.61ms)
+Successfully compiled: 56 files with swc (92.5ms)

package/CHANGELOG.md

@@ -1,5 +1,25 @@
 # Changelog
 
+## [0.9.0](https://github.com/DXHeroes/local-mcp-gateway/compare/backend-v0.8.0...backend-v0.9.0) (2026-03-10)
+
+
+### Features
+
+* add mandatory org context, Better Auth, and MCP preset gallery ([18ddf94](https://github.com/DXHeroes/local-mcp-gateway/commit/18ddf94d5269a9b77e9e251b96b6fc56bd496ad1))
+
+
+### Dependencies
+
+* The following workspace dependencies were updated
+  * dependencies
+    * @dxheroes/local-mcp-core bumped to 0.7.0
+    * @dxheroes/local-mcp-database bumped to 0.5.0
+    * @dxheroes/mcp-gemini-deep-research bumped to 0.5.3
+    * @dxheroes/mcp-merk bumped to 0.3.3
+    * @dxheroes/mcp-toggl bumped to 0.3.3
+  * devDependencies
+    * @dxheroes/local-mcp-config bumped to 0.4.8
+
 ## [0.8.0](https://github.com/DXHeroes/local-mcp-gateway/compare/backend-v0.7.1...backend-v0.8.0) (2026-03-10)
 
 

package/dist/__tests__/integration/auth-flow.test.js

@@ -0,0 +1,181 @@
+/**
+ * Integration Tests: Auth guard flow
+ *
+ * Verifies the AuthGuard + AuthService interaction for:
+ * - Unauthenticated requests are rejected
+ * - Authenticated requests attach user and session
+ * - @Public() routes bypass auth
+ * - Session data attached to request
+ */ import { UnauthorizedException } from "@nestjs/common";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+import { AuthGuard } from "../../modules/auth/auth.guard.js";
+// ────────────────────────────────────────────────
+// Helper: create mock ExecutionContext from Express-like request
+// ────────────────────────────────────────────────
+function createMockContext(headers = {}, overrides = {}) {
+    const request = {
+        headers,
+        user: undefined,
+        sessionData: undefined,
+        ...overrides
+    };
+    const ctx = {
+        switchToHttp: ()=>({
+                getRequest: ()=>request
+            }),
+        getHandler: ()=>({}),
+        getClass: ()=>({})
+    };
+    return {
+        ctx,
+        getRequest: ()=>request
+    };
+}
+// ────────────────────────────────────────────────
+// Helper: create an AuthService mock
+// ────────────────────────────────────────────────
+function createAuthServiceMock() {
+    return {
+        getSession: vi.fn().mockResolvedValue(null),
+        validateMcpToken: vi.fn().mockResolvedValue(null),
+        getUserOrganizations: vi.fn().mockResolvedValue([])
+    };
+}
+describe('Auth guard flow', ()=>{
+    // ────────────────────────────────────────────────
+    // Auth always enabled
+    // ────────────────────────────────────────────────
+    describe('auth validation', ()=>{
+        let guard;
+        let authService;
+        let reflector;
+        beforeEach(()=>{
+            authService = createAuthServiceMock();
+            reflector = {
+                getAllAndOverride: vi.fn().mockReturnValue(false)
+            };
+            guard = new AuthGuard(authService, reflector);
+        });
+        it('rejects unauthenticated requests with UnauthorizedException', async ()=>{
+            authService.getSession.mockResolvedValue(null);
+            const { ctx } = createMockContext();
+            await expect(guard.canActivate(ctx)).rejects.toThrow(UnauthorizedException);
+        });
+        it('authenticated request attaches user and session to req', async ()=>{
+            const mockUser = {
+                id: 'user-1',
+                name: 'Test User',
+                email: 'test@example.com',
+                image: null
+            };
+            const mockSession = {
+                id: 'sess-1',
+                userId: 'user-1',
+                activeOrganizationId: 'org-1'
+            };
+            authService.getSession.mockResolvedValue({
+                user: mockUser,
+                session: mockSession
+            });
+            const { ctx, getRequest } = createMockContext({
+                cookie: 'better-auth.session_token=valid-token'
+            });
+            const result = await guard.canActivate(ctx);
+            expect(result).toBe(true);
+            expect(getRequest().user).toEqual(mockUser);
+            expect(getRequest().sessionData).toEqual(mockSession);
+        });
+        it('converts Express headers to Web API Headers for Better Auth', async ()=>{
+            authService.getSession.mockResolvedValue(null);
+            const { ctx } = createMockContext({
+                cookie: 'better-auth.session_token=abc123',
+                'user-agent': 'test-agent'
+            });
+            try {
+                await guard.canActivate(ctx);
+            } catch  {
+            // Expected UnauthorizedException
+            }
+            // Verify getSession was called with a Headers object
+            expect(authService.getSession).toHaveBeenCalledTimes(1);
+            const passedHeaders = authService.getSession.mock.calls[0][0];
+            expect(passedHeaders).toBeInstanceOf(Headers);
+            expect(passedHeaders.get('cookie')).toBe('better-auth.session_token=abc123');
+        });
+        it('session with activeOrganizationId is preserved on request', async ()=>{
+            const mockUser = {
+                id: 'user-1',
+                name: 'Org User',
+                email: 'org@example.com'
+            };
+            const mockSession = {
+                id: 'sess-2',
+                userId: 'user-1',
+                activeOrganizationId: 'org-abc'
+            };
+            authService.getSession.mockResolvedValue({
+                user: mockUser,
+                session: mockSession
+            });
+            const { ctx, getRequest } = createMockContext({
+                cookie: 'session=valid'
+            });
+            await guard.canActivate(ctx);
+            const sessionData = getRequest().sessionData;
+            expect(sessionData.activeOrganizationId).toBe('org-abc');
+        });
+    });
+    // ────────────────────────────────────────────────
+    // @Public() decorator
+    // ────────────────────────────────────────────────
+    describe('@Public() routes', ()=>{
+        let guard;
+        let authService;
+        let reflector;
+        beforeEach(()=>{
+            authService = createAuthServiceMock();
+            reflector = {
+                getAllAndOverride: vi.fn().mockReturnValue(true)
+            }; // @Public() returns true
+            guard = new AuthGuard(authService, reflector);
+        });
+        it('@Public() route bypasses auth entirely', async ()=>{
+            const { ctx } = createMockContext();
+            const result = await guard.canActivate(ctx);
+            expect(result).toBe(true);
+            expect(authService.getSession).not.toHaveBeenCalled();
+        });
+        it('@Public() route does not attach user to request', async ()=>{
+            const { ctx, getRequest } = createMockContext();
+            await guard.canActivate(ctx);
+            // User is not set by guard on public routes
+            expect(getRequest().user).toBeUndefined();
+        });
+    });
+    // ────────────────────────────────────────────────
+    // AuthService.validateMcpToken
+    // ────────────────────────────────────────────────
+    describe('AuthService.validateMcpToken (mock)', ()=>{
+        let authService;
+        beforeEach(()=>{
+            authService = createAuthServiceMock();
+        });
+        it('returns user when token is valid', async ()=>{
+            const mockUser = {
+                id: 'user-1',
+                name: 'Token User',
+                email: 'token@example.com'
+            };
+            authService.validateMcpToken.mockResolvedValue(mockUser);
+            const result = await authService.validateMcpToken('valid-bearer-token');
+            expect(result).toEqual(mockUser);
+        });
+        it('returns null for expired or invalid token', async ()=>{
+            authService.validateMcpToken.mockResolvedValue(null);
+            const result = await authService.validateMcpToken('expired-token');
+            expect(result).toBeNull();
+        });
+    });
+});
+
+//# sourceMappingURL=auth-flow.test.js.map

package/dist/__tests__/integration/auth-flow.test.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/__tests__/integration/auth-flow.test.ts"],"sourcesContent":["/**\n * Integration Tests: Auth guard flow\n *\n * Verifies the AuthGuard + AuthService interaction for:\n * - Unauthenticated requests are rejected\n * - Authenticated requests attach user and session\n * - @Public() routes bypass auth\n * - Session data attached to request\n */\n\nimport { ExecutionContext, UnauthorizedException } from '@nestjs/common';\nimport { Reflector } from '@nestjs/core';\nimport { beforeEach, describe, expect, it, vi } from 'vitest';\nimport { AuthGuard } from '../../modules/auth/auth.guard.js';\nimport { AuthService, type AuthUser } from '../../modules/auth/auth.service.js';\n\n// ────────────────────────────────────────────────\n// Helper: create mock ExecutionContext from Express-like request\n// ────────────────────────────────────────────────\n\nfunction createMockContext(\n  headers: Record<string, string> = {},\n  overrides: Record<string, unknown> = {}\n): { ctx: ExecutionContext; getRequest: () => Record<string, unknown> } {\n  const request: Record<string, unknown> = {\n    headers,\n    user: undefined,\n    sessionData: undefined,\n    ...overrides,\n  };\n\n  const ctx = {\n    switchToHttp: () => ({\n      getRequest: () => request,\n    }),\n    getHandler: () => ({}),\n    getClass: () => ({}),\n  } as unknown as ExecutionContext;\n\n  return { ctx, getRequest: () => request };\n}\n\n// ────────────────────────────────────────────────\n// Helper: create an AuthService mock\n// ────────────────────────────────────────────────\n\nfunction createAuthServiceMock() {\n  return {\n    getSession: vi.fn().mockResolvedValue(null),\n    validateMcpToken: vi.fn().mockResolvedValue(null),\n    getUserOrganizations: vi.fn().mockResolvedValue([]),\n  };\n}\n\ndescribe('Auth guard flow', () => {\n  // ────────────────────────────────────────────────\n  // Auth always enabled\n  // ────────────────────────────────────────────────\n\n  describe('auth validation', () => {\n    let guard: AuthGuard;\n    let authService: ReturnType<typeof createAuthServiceMock>;\n    let reflector: { getAllAndOverride: ReturnType<typeof vi.fn> };\n\n    beforeEach(() => {\n      authService = createAuthServiceMock();\n      reflector = { getAllAndOverride: vi.fn().mockReturnValue(false) };\n      guard = new AuthGuard(\n        authService as unknown as AuthService,\n        reflector as unknown as Reflector\n      );\n    });\n\n    it('rejects unauthenticated requests with UnauthorizedException', async () => {\n      authService.getSession.mockResolvedValue(null);\n      const { ctx } = createMockContext();\n\n      await expect(guard.canActivate(ctx)).rejects.toThrow(UnauthorizedException);\n    });\n\n    it('authenticated request attaches user and session to req', async () => {\n      const mockUser: AuthUser = {\n        id: 'user-1',\n        name: 'Test User',\n        email: 'test@example.com',\n        image: null,\n      };\n      const mockSession = {\n        id: 'sess-1',\n        userId: 'user-1',\n        activeOrganizationId: 'org-1',\n      };\n      authService.getSession.mockResolvedValue({ user: mockUser, session: mockSession });\n\n      const { ctx, getRequest } = createMockContext({\n        cookie: 'better-auth.session_token=valid-token',\n      });\n\n      const result = await guard.canActivate(ctx);\n\n      expect(result).toBe(true);\n      expect(getRequest().user).toEqual(mockUser);\n      expect(getRequest().sessionData).toEqual(mockSession);\n    });\n\n    it('converts Express headers to Web API Headers for Better Auth', async () => {\n      authService.getSession.mockResolvedValue(null);\n\n      const { ctx } = createMockContext({\n        cookie: 'better-auth.session_token=abc123',\n        'user-agent': 'test-agent',\n      });\n\n      try {\n        await guard.canActivate(ctx);\n      } catch {\n        // Expected UnauthorizedException\n      }\n\n      // Verify getSession was called with a Headers object\n      expect(authService.getSession).toHaveBeenCalledTimes(1);\n      const passedHeaders = authService.getSession.mock.calls[0][0];\n      expect(passedHeaders).toBeInstanceOf(Headers);\n      expect(passedHeaders.get('cookie')).toBe('better-auth.session_token=abc123');\n    });\n\n    it('session with activeOrganizationId is preserved on request', async () => {\n      const mockUser: AuthUser = {\n        id: 'user-1',\n        name: 'Org User',\n        email: 'org@example.com',\n      };\n      const mockSession = {\n        id: 'sess-2',\n        userId: 'user-1',\n        activeOrganizationId: 'org-abc',\n      };\n      authService.getSession.mockResolvedValue({ user: mockUser, session: mockSession });\n\n      const { ctx, getRequest } = createMockContext({ cookie: 'session=valid' });\n\n      await guard.canActivate(ctx);\n\n      const sessionData = getRequest().sessionData as typeof mockSession;\n      expect(sessionData.activeOrganizationId).toBe('org-abc');\n    });\n  });\n\n  // ────────────────────────────────────────────────\n  // @Public() decorator\n  // ────────────────────────────────────────────────\n\n  describe('@Public() routes', () => {\n    let guard: AuthGuard;\n    let authService: ReturnType<typeof createAuthServiceMock>;\n    let reflector: { getAllAndOverride: ReturnType<typeof vi.fn> };\n\n    beforeEach(() => {\n      authService = createAuthServiceMock();\n      reflector = { getAllAndOverride: vi.fn().mockReturnValue(true) }; // @Public() returns true\n      guard = new AuthGuard(\n        authService as unknown as AuthService,\n        reflector as unknown as Reflector\n      );\n    });\n\n    it('@Public() route bypasses auth entirely', async () => {\n      const { ctx } = createMockContext();\n\n      const result = await guard.canActivate(ctx);\n\n      expect(result).toBe(true);\n      expect(authService.getSession).not.toHaveBeenCalled();\n    });\n\n    it('@Public() route does not attach user to request', async () => {\n      const { ctx, getRequest } = createMockContext();\n\n      await guard.canActivate(ctx);\n\n      // User is not set by guard on public routes\n      expect(getRequest().user).toBeUndefined();\n    });\n  });\n\n  // ────────────────────────────────────────────────\n  // AuthService.validateMcpToken\n  // ────────────────────────────────────────────────\n\n  describe('AuthService.validateMcpToken (mock)', () => {\n    let authService: ReturnType<typeof createAuthServiceMock>;\n\n    beforeEach(() => {\n      authService = createAuthServiceMock();\n    });\n\n    it('returns user when token is valid', async () => {\n      const mockUser: AuthUser = {\n        id: 'user-1',\n        name: 'Token User',\n        email: 'token@example.com',\n      };\n      authService.validateMcpToken.mockResolvedValue(mockUser);\n\n      const result = await authService.validateMcpToken('valid-bearer-token');\n      expect(result).toEqual(mockUser);\n    });\n\n    it('returns null for expired or invalid token', async () => {\n      authService.validateMcpToken.mockResolvedValue(null);\n\n      const result = await authService.validateMcpToken('expired-token');\n      expect(result).toBeNull();\n    });\n  });\n});\n"],"names":["UnauthorizedException","beforeEach","describe","expect","it","vi","AuthGuard","createMockContext","headers","overrides","request","user","undefined","sessionData","ctx","switchToHttp","getRequest","getHandler","getClass","createAuthServiceMock","getSession","fn","mockResolvedValue","validateMcpToken","getUserOrganizations","guard","authService","reflector","getAllAndOverride","mockReturnValue","canActivate","rejects","toThrow","mockUser","id","name","email","image","mockSession","userId","activeOrganizationId","session","cookie","result","toBe","toEqual","toHaveBeenCalledTimes","passedHeaders","mock","calls","toBeInstanceOf","Headers","get","not","toHaveBeenCalled","toBeUndefined","toBeNull"],"mappings":"AAAA;;;;;;;;CAQC,GAED,SAA2BA,qBAAqB,QAAQ,iBAAiB;AAEzE,SAASC,UAAU,EAAEC,QAAQ,EAAEC,MAAM,EAAEC,EAAE,EAAEC,EAAE,QAAQ,SAAS;AAC9D,SAASC,SAAS,QAAQ,mCAAmC;AAG7D,mDAAmD;AACnD,iEAAiE;AACjE,mDAAmD;AAEnD,SAASC,kBACPC,UAAkC,CAAC,CAAC,EACpCC,YAAqC,CAAC,CAAC;IAEvC,MAAMC,UAAmC;QACvCF;QACAG,MAAMC;QACNC,aAAaD;QACb,GAAGH,SAAS;IACd;IAEA,MAAMK,MAAM;QACVC,cAAc,IAAO,CAAA;gBACnBC,YAAY,IAAMN;YACpB,CAAA;QACAO,YAAY,IAAO,CAAA,CAAC,CAAA;QACpBC,UAAU,IAAO,CAAA,CAAC,CAAA;IACpB;IAEA,OAAO;QAAEJ;QAAKE,YAAY,IAAMN;IAAQ;AAC1C;AAEA,mDAAmD;AACnD,qCAAqC;AACrC,mDAAmD;AAEnD,SAASS;IACP,OAAO;QACLC,YAAYf,GAAGgB,EAAE,GAAGC,iBAAiB,CAAC;QACtCC,kBAAkBlB,GAAGgB,EAAE,GAAGC,iBAAiB,CAAC;QAC5CE,sBAAsBnB,GAAGgB,EAAE,GAAGC,iBAAiB,CAAC,EAAE;IACpD;AACF;AAEApB,SAAS,mBAAmB;IAC1B,mDAAmD;IACnD,sBAAsB;IACtB,mDAAmD;IAEnDA,SAAS,mBAAmB;QAC1B,IAAIuB;QACJ,IAAIC;QACJ,IAAIC;QAEJ1B,WAAW;YACTyB,cAAcP;YACdQ,YAAY;gBAAEC,mBAAmBvB,GAAGgB,EAAE,GAAGQ,eAAe,CAAC;YAAO;YAChEJ,QAAQ,IAAInB,UACVoB,aACAC;QAEJ;QAEAvB,GAAG,+DAA+D;YAChEsB,YAAYN,UAAU,CAACE,iBAAiB,CAAC;YACzC,MAAM,EAAER,GAAG,EAAE,GAAGP;YAEhB,MAAMJ,OAAOsB,MAAMK,WAAW,CAAChB,MAAMiB,OAAO,CAACC,OAAO,CAAChC;QACvD;QAEAI,GAAG,0DAA0D;YAC3D,MAAM6B,WAAqB;gBACzBC,IAAI;gBACJC,MAAM;gBACNC,OAAO;gBACPC,OAAO;YACT;YACA,MAAMC,cAAc;gBAClBJ,IAAI;gBACJK,QAAQ;gBACRC,sBAAsB;YACxB;YACAd,YAAYN,UAAU,CAACE,iBAAiB,CAAC;gBAAEX,MAAMsB;gBAAUQ,SAASH;YAAY;YAEhF,MAAM,EAAExB,GAAG,EAAEE,UAAU,EAAE,GAAGT,kBAAkB;gBAC5CmC,QAAQ;YACV;YAEA,MAAMC,SAAS,MAAMlB,MAAMK,WAAW,CAAChB;YAEvCX,OAAOwC,QAAQC,IAAI,CAAC;YACpBzC,OAAOa,aAAaL,IAAI,EAAEkC,OAAO,CAACZ;YAClC9B,OAAOa,aAAaH,WAAW,EAAEgC,OAAO,CAACP;QAC3C;QAEAlC,GAAG,+DAA+D;YAChEsB,YAAYN,UAAU,CAACE,iBAAiB,CAAC;YAEzC,MAAM,EAAER,GAAG,EAAE,GAAGP,kBAAkB;gBAChCmC,QAAQ;gBACR,cAAc;YAChB;YAEA,IAAI;gBACF,MAAMjB,MAAMK,WAAW,CAAChB;YAC1B,EAAE,OAAM;YACN,iCAAiC;YACnC;YAEA,qDAAqD;YACrDX,OAAOuB,YAAYN,UAAU,EAAE0B,qBAAqB,CAAC;YACrD,MAAMC,gBAAgBrB,YAAYN,UAAU,CAAC4B,IAAI,CAACC,KAAK,CAAC,EAAE,CAAC,EAAE;YAC7D9C,OAAO4C,eAAeG,cAAc,CAACC;YACrChD,OAAO4C,cAAcK,GAAG,CAAC,WAAWR,IAAI,CAAC;QAC3C;QAEAxC,GAAG,6DAA6D;YAC9D,MAAM6B,WAAqB;gBACzBC,IAAI;gBACJC,MAAM;gBACNC,OAAO;YACT;YACA,MAAME,cAAc;gBAClBJ,IAAI;gBACJK,QAAQ;gBACRC,sBAAsB;YACxB;YACAd,YAAYN,UAAU,CAACE,iBAAiB,CAAC;gBAAEX,MAAMsB;gBAAUQ,SAASH;YAAY;YAEhF,MAAM,EAAExB,GAAG,EAAEE,UAAU,EAAE,GAAGT,kBAAkB;gBAAEmC,QAAQ;YAAgB;YAExE,MAAMjB,MAAMK,WAAW,CAAChB;YAExB,MAAMD,cAAcG,aAAaH,WAAW;YAC5CV,OAAOU,YAAY2B,oBAAoB,EAAEI,IAAI,CAAC;QAChD;IACF;IAEA,mDAAmD;IACnD,sBAAsB;IACtB,mDAAmD;IAEnD1C,SAAS,oBAAoB;QAC3B,IAAIuB;QACJ,IAAIC;QACJ,IAAIC;QAEJ1B,WAAW;YACTyB,cAAcP;YACdQ,YAAY;gBAAEC,mBAAmBvB,GAAGgB,EAAE,GAAGQ,eAAe,CAAC;YAAM,GAAG,yBAAyB;YAC3FJ,QAAQ,IAAInB,UACVoB,aACAC;QAEJ;QAEAvB,GAAG,0CAA0C;YAC3C,MAAM,EAAEU,GAAG,EAAE,GAAGP;YAEhB,MAAMoC,SAAS,MAAMlB,MAAMK,WAAW,CAAChB;YAEvCX,OAAOwC,QAAQC,IAAI,CAAC;YACpBzC,OAAOuB,YAAYN,UAAU,EAAEiC,GAAG,CAACC,gBAAgB;QACrD;QAEAlD,GAAG,mDAAmD;YACpD,MAAM,EAAEU,GAAG,EAAEE,UAAU,EAAE,GAAGT;YAE5B,MAAMkB,MAAMK,WAAW,CAAChB;YAExB,4CAA4C;YAC5CX,OAAOa,aAAaL,IAAI,EAAE4C,aAAa;QACzC;IACF;IAEA,mDAAmD;IACnD,+BAA+B;IAC/B,mDAAmD;IAEnDrD,SAAS,uCAAuC;QAC9C,IAAIwB;QAEJzB,WAAW;YACTyB,cAAcP;QAChB;QAEAf,GAAG,oCAAoC;YACrC,MAAM6B,WAAqB;gBACzBC,IAAI;gBACJC,MAAM;gBACNC,OAAO;YACT;YACAV,YAAYH,gBAAgB,CAACD,iBAAiB,CAACW;YAE/C,MAAMU,SAAS,MAAMjB,YAAYH,gBAAgB,CAAC;YAClDpB,OAAOwC,QAAQE,OAAO,CAACZ;QACzB;QAEA7B,GAAG,6CAA6C;YAC9CsB,YAAYH,gBAAgB,CAACD,iBAAiB,CAAC;YAE/C,MAAMqB,SAAS,MAAMjB,YAAYH,gBAAgB,CAAC;YAClDpB,OAAOwC,QAAQa,QAAQ;QACzB;IACF;AACF"}

package/dist/__tests__/integration/multi-tenant.test.js

@@ -0,0 +1,323 @@
+/**
+ * Integration Tests: Multi-tenant data isolation
+ *
+ * Verifies that ProfilesService and McpService correctly isolate data
+ * between organizations while allowing access to system records.
+ */ import { ForbiddenException } from "@nestjs/common";
+import { beforeEach, describe, expect, it, vi } from "vitest";
+/** Sentinel value for unauthenticated MCP access */ const UNAUTHENTICATED_ID = '__unauthenticated__';
+import { McpService } from "../../modules/mcp/mcp.service.js";
+import { McpRegistry } from "../../modules/mcp/mcp-registry.js";
+import { ProfilesService } from "../../modules/profiles/profiles.service.js";
+const PROFILES = [];
+const SERVERS = [];
+// ────────────────────────────────────────────────
+// Helper: build a mock PrismaService over in-memory data
+// ────────────────────────────────────────────────
+function buildMockPrisma() {
+    return {
+        profile: {
+            findMany: vi.fn().mockImplementation(({ where } = {})=>{
+                let result = [
+                    ...PROFILES
+                ];
+                const whereObj = where;
+                if (whereObj?.OR) {
+                    const orConds = whereObj.OR;
+                    result = result.filter((p)=>orConds.some((cond)=>{
+                            if ('organizationId' in cond) {
+                                return cond.organizationId === null ? p.organizationId === null : p.organizationId === cond.organizationId;
+                            }
+                            if ('id' in cond && cond.id?.in) {
+                                return cond.id.in.includes(p.id);
+                            }
+                            return false;
+                        }));
+                }
+                return Promise.resolve(result);
+            }),
+            findUnique: vi.fn().mockImplementation(({ where })=>{
+                const found = PROFILES.find((p)=>where.id && p.id === where.id || where.name && p.name === where.name);
+                return Promise.resolve(found ?? null);
+            }),
+            create: vi.fn().mockImplementation(({ data })=>{
+                const profile = {
+                    id: `profile-${Date.now()}`,
+                    name: data.name,
+                    description: data.description ?? null,
+                    userId: data.userId ?? null,
+                    organizationId: data.organizationId ?? null,
+                    mcpServers: []
+                };
+                PROFILES.push(profile);
+                return Promise.resolve(profile);
+            }),
+            delete: vi.fn().mockResolvedValue(undefined),
+            update: vi.fn().mockResolvedValue({})
+        },
+        mcpServer: {
+            findMany: vi.fn().mockImplementation(({ where } = {})=>{
+                let result = [
+                    ...SERVERS
+                ];
+                const whereObj = where;
+                if (whereObj?.OR) {
+                    const orConds = whereObj.OR;
+                    result = result.filter((s)=>orConds.some((cond)=>{
+                            if ('organizationId' in cond) {
+                                return cond.organizationId === null ? s.organizationId === null : s.organizationId === cond.organizationId;
+                            }
+                            if ('id' in cond && cond.id?.in) {
+                                return cond.id.in.includes(s.id);
+                            }
+                            return false;
+                        }));
+                }
+                return Promise.resolve(result);
+            }),
+            findUnique: vi.fn().mockImplementation(({ where })=>{
+                const found = SERVERS.find((s)=>s.id === where.id);
+                return Promise.resolve(found ?? null);
+            }),
+            create: vi.fn().mockImplementation(({ data })=>{
+                const server = {
+                    id: `server-${Date.now()}`,
+                    name: data.name,
+                    type: data.type,
+                    config: data.config,
+                    apiKeyConfig: data.apiKeyConfig ?? null,
+                    oauthConfig: data.oauthConfig ?? null,
+                    userId: data.userId ?? null,
+                    organizationId: data.organizationId ?? null,
+                    profiles: [],
+                    oauthToken: null,
+                    toolsCache: []
+                };
+                SERVERS.push(server);
+                return Promise.resolve(server);
+            }),
+            delete: vi.fn().mockResolvedValue(undefined),
+            update: vi.fn().mockResolvedValue({})
+        },
+        member: {
+            findMany: vi.fn().mockResolvedValue([])
+        },
+        mcpServerToolsCache: {
+            findMany: vi.fn().mockResolvedValue([])
+        },
+        gatewaySetting: {
+            upsert: vi.fn().mockResolvedValue({})
+        }
+    };
+}
+// ────────────────────────────────────────────────
+// Tests: ProfilesService data isolation
+// ────────────────────────────────────────────────
+describe('Multi-tenant data isolation', ()=>{
+    describe('ProfilesService', ()=>{
+        let profilesService;
+        let prisma;
+        let proxyService;
+        beforeEach(()=>{
+            // Reset in-memory data
+            PROFILES.length = 0;
+            PROFILES.push({
+                id: 'sys-profile',
+                name: 'default',
+                description: 'System default profile',
+                userId: null,
+                organizationId: null,
+                mcpServers: []
+            }, {
+                id: 'org-a-profile',
+                name: 'org-a-dev',
+                description: 'Org A dev profile',
+                userId: 'user-a',
+                organizationId: 'org-a',
+                mcpServers: []
+            }, {
+                id: 'org-b-profile',
+                name: 'org-b-prod',
+                description: 'Org B prod profile',
+                userId: 'user-b',
+                organizationId: 'org-b',
+                mcpServers: []
+            });
+            prisma = buildMockPrisma();
+            proxyService = {
+                getToolsForServer: vi.fn().mockResolvedValue([])
+            };
+            profilesService = new ProfilesService(prisma, proxyService);
+        });
+        it('Org A sees org A profiles + system profiles, not Org B profiles', async ()=>{
+            const result = await profilesService.findAll('user-a', 'org-a');
+            const ids = result.map((p)=>p.id);
+            expect(ids).toContain('sys-profile');
+            expect(ids).toContain('org-a-profile');
+            expect(ids).not.toContain('org-b-profile');
+        });
+        it('Org B sees org B profiles + system profiles, not Org A profiles', async ()=>{
+            const result = await profilesService.findAll('user-b', 'org-b');
+            const ids = result.map((p)=>p.id);
+            expect(ids).toContain('sys-profile');
+            expect(ids).toContain('org-b-profile');
+            expect(ids).not.toContain('org-a-profile');
+        });
+        it('system profiles (organizationId=null) are visible to all orgs', async ()=>{
+            const resultA = await profilesService.findAll('user-a', 'org-a');
+            const resultB = await profilesService.findAll('user-b', 'org-b');
+            expect(resultA.some((p)=>p.id === 'sys-profile')).toBe(true);
+            expect(resultB.some((p)=>p.id === 'sys-profile')).toBe(true);
+        });
+        it('creating a profile sets userId and organizationId', async ()=>{
+            const created = await profilesService.create({
+                name: 'a-new'
+            }, 'user-a', 'org-a');
+            expect(created.userId).toBe('user-a');
+            expect(created.organizationId).toBe('org-a');
+        });
+        it('Org A cannot access Org B profile by ID', async ()=>{
+            await expect(profilesService.findById('org-b-profile', 'user-a', 'org-a')).rejects.toThrow(ForbiddenException);
+        });
+        it('Org A can access system profile by ID', async ()=>{
+            const profile = await profilesService.findById('sys-profile', 'user-a', 'org-a');
+            expect(profile).toBeDefined();
+            expect(profile.id).toBe('sys-profile');
+        });
+        it('unauthenticated user sees all profiles', async ()=>{
+            const result = await profilesService.findAll(UNAUTHENTICATED_ID);
+            // Unauthenticated findAll queries without WHERE filter
+            expect(prisma.profile.findMany).toHaveBeenCalledWith(expect.objectContaining({
+                orderBy: {
+                    name: 'asc'
+                }
+            }));
+            // The mock returns all profiles for filterless queries
+            expect(result.length).toBeGreaterThanOrEqual(1);
+        });
+    });
+    // ────────────────────────────────────────────────
+    // Tests: McpService data isolation
+    // ────────────────────────────────────────────────
+    describe('McpService', ()=>{
+        let mcpService;
+        let prisma;
+        let registry;
+        let debugService;
+        beforeEach(()=>{
+            // Reset in-memory data
+            SERVERS.length = 0;
+            SERVERS.push({
+                id: 'sys-server',
+                name: 'System Builtin',
+                type: 'builtin',
+                config: '{"builtinId":"fetch"}',
+                apiKeyConfig: null,
+                oauthConfig: null,
+                userId: null,
+                organizationId: null,
+                profiles: [],
+                oauthToken: null,
+                toolsCache: []
+            }, {
+                id: 'org-a-server',
+                name: 'A Custom',
+                type: 'external',
+                config: '{"command":"node"}',
+                apiKeyConfig: '{"apiKey":"a-key"}',
+                oauthConfig: null,
+                userId: 'user-a',
+                organizationId: 'org-a',
+                profiles: [],
+                oauthToken: null,
+                toolsCache: []
+            }, {
+                id: 'org-b-server',
+                name: 'B Custom',
+                type: 'external',
+                config: '{"command":"node"}',
+                apiKeyConfig: '{"apiKey":"b-key"}',
+                oauthConfig: null,
+                userId: 'user-b',
+                organizationId: 'org-b',
+                profiles: [],
+                oauthToken: null,
+                toolsCache: []
+            });
+            prisma = buildMockPrisma();
+            registry = new McpRegistry();
+            debugService = {
+                createLog: vi.fn().mockResolvedValue({
+                    id: 'log-1'
+                }),
+                updateLog: vi.fn().mockResolvedValue({})
+            };
+            mcpService = new McpService(prisma, registry, debugService);
+        });
+        it('Org A sees org A servers + system servers, not Org B servers', async ()=>{
+            const result = await mcpService.findAll('user-a', 'org-a');
+            const ids = result.map((s)=>s.id);
+            expect(ids).toContain('sys-server');
+            expect(ids).toContain('org-a-server');
+            expect(ids).not.toContain('org-b-server');
+        });
+        it('Org B sees org B servers + system servers, not Org A servers', async ()=>{
+            const result = await mcpService.findAll('user-b', 'org-b');
+            const ids = result.map((s)=>s.id);
+            expect(ids).toContain('sys-server');
+            expect(ids).toContain('org-b-server');
+            expect(ids).not.toContain('org-a-server');
+        });
+        it('builtin/system servers (organizationId=null) are visible to all orgs', async ()=>{
+            const resultA = await mcpService.findAll('user-a', 'org-a');
+            const resultB = await mcpService.findAll('user-b', 'org-b');
+            expect(resultA.some((s)=>s.id === 'sys-server')).toBe(true);
+            expect(resultB.some((s)=>s.id === 'sys-server')).toBe(true);
+        });
+        it('Org A cannot access Org B server by ID', async ()=>{
+            await expect(mcpService.findById('org-b-server', 'user-a', 'org-a')).rejects.toThrow(ForbiddenException);
+        });
+        it('Org A can access system server by ID', async ()=>{
+            const server = await mcpService.findById('sys-server', 'user-a', 'org-a');
+            expect(server).toBeDefined();
+            expect(server.id).toBe('sys-server');
+        });
+        it('Creating a server in Org A sets organizationId to org-a', async ()=>{
+            await mcpService.create({
+                name: 'New',
+                type: 'external',
+                config: {
+                    command: 'node'
+                }
+            }, 'user-a', 'org-a');
+            expect(prisma.mcpServer.create).toHaveBeenCalledWith(expect.objectContaining({
+                data: expect.objectContaining({
+                    userId: 'user-a',
+                    organizationId: 'org-a'
+                })
+            }));
+        });
+        it('unauthenticated user sees all servers without filtering', async ()=>{
+            await mcpService.findAll(UNAUTHENTICATED_ID);
+            // Anonymous uses the unfiltered findMany path
+            expect(prisma.mcpServer.findMany).toHaveBeenCalledWith(expect.objectContaining({
+                orderBy: {
+                    name: 'asc'
+                }
+            }));
+        });
+        it('Org A cannot delete Org B server', async ()=>{
+            await expect(mcpService.delete('org-b-server', 'user-a', 'org-a')).rejects.toThrow(ForbiddenException);
+        });
+        it('Org A can delete own org server', async ()=>{
+            await mcpService.delete('org-a-server', 'user-a', 'org-a');
+            expect(prisma.mcpServer.delete).toHaveBeenCalledWith({
+                where: {
+                    id: 'org-a-server'
+                }
+            });
+        });
+    });
+});
+
+//# sourceMappingURL=multi-tenant.test.js.map

package/dist/__tests__/integration/multi-tenant.test.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../src/__tests__/integration/multi-tenant.test.ts"],"sourcesContent":["/**\n * Integration Tests: Multi-tenant data isolation\n *\n * Verifies that ProfilesService and McpService correctly isolate data\n * between organizations while allowing access to system records.\n */\n\nimport { ForbiddenException } from '@nestjs/common';\nimport { beforeEach, describe, expect, it, vi } from 'vitest';\n\n/** Sentinel value for unauthenticated MCP access */\nconst UNAUTHENTICATED_ID = '__unauthenticated__';\n\nimport type { PrismaService } from '../../modules/database/prisma.service.js';\nimport type { DebugService } from '../../modules/debug/debug.service.js';\nimport { McpService } from '../../modules/mcp/mcp.service.js';\nimport { McpRegistry } from '../../modules/mcp/mcp-registry.js';\nimport { ProfilesService } from '../../modules/profiles/profiles.service.js';\nimport type { ProxyService } from '../../modules/proxy/proxy.service.js';\n\n// ────────────────────────────────────────────────\n// In-memory data store simulating Prisma\n// ────────────────────────────────────────────────\n\ninterface InMemoryProfile {\n  id: string;\n  name: string;\n  description: string | null;\n  userId: string | null;\n  organizationId: string | null;\n  mcpServers: unknown[];\n}\n\ninterface InMemoryMcpServer {\n  id: string;\n  name: string;\n  type: string;\n  config: string;\n  apiKeyConfig: string | null;\n  oauthConfig: string | null;\n  userId: string | null;\n  organizationId: string | null;\n  profiles: unknown[];\n  oauthToken: null;\n  toolsCache: unknown[];\n}\n\nconst PROFILES: InMemoryProfile[] = [];\n\nconst SERVERS: InMemoryMcpServer[] = [];\n\n// ────────────────────────────────────────────────\n// Helper: build a mock PrismaService over in-memory data\n// ────────────────────────────────────────────────\n\nfunction buildMockPrisma() {\n  return {\n    profile: {\n      findMany: vi.fn().mockImplementation(({ where }: Record<string, unknown> = {}) => {\n        let result = [...PROFILES];\n        const whereObj = where as Record<string, unknown> | undefined;\n        if (whereObj?.OR) {\n          const orConds = whereObj.OR as Record<string, unknown>[];\n          result = result.filter((p) =>\n            orConds.some((cond: Record<string, unknown>) => {\n              if ('organizationId' in cond) {\n                return cond.organizationId === null\n                  ? p.organizationId === null\n                  : p.organizationId === cond.organizationId;\n              }\n              if ('id' in cond && (cond.id as Record<string, unknown>)?.in) {\n                return ((cond.id as Record<string, unknown>).in as string[]).includes(p.id);\n              }\n              return false;\n            })\n          );\n        }\n        return Promise.resolve(result);\n      }),\n      findUnique: vi\n        .fn()\n        .mockImplementation(({ where }: Record<string, Record<string, unknown>>) => {\n          const found = PROFILES.find(\n            (p) => (where.id && p.id === where.id) || (where.name && p.name === where.name)\n          );\n          return Promise.resolve(found ?? null);\n        }),\n      create: vi.fn().mockImplementation(({ data }: Record<string, Record<string, unknown>>) => {\n        const profile: InMemoryProfile = {\n          id: `profile-${Date.now()}`,\n          name: data.name as string,\n          description: (data.description as string) ?? null,\n          userId: (data.userId as string) ?? null,\n          organizationId: (data.organizationId as string) ?? null,\n          mcpServers: [],\n        };\n        PROFILES.push(profile);\n        return Promise.resolve(profile);\n      }),\n      delete: vi.fn().mockResolvedValue(undefined),\n      update: vi.fn().mockResolvedValue({}),\n    },\n    mcpServer: {\n      findMany: vi.fn().mockImplementation(({ where }: Record<string, unknown> = {}) => {\n        let result = [...SERVERS];\n        const whereObj = where as Record<string, unknown> | undefined;\n        if (whereObj?.OR) {\n          const orConds = whereObj.OR as Record<string, unknown>[];\n          result = result.filter((s) =>\n            orConds.some((cond: Record<string, unknown>) => {\n              if ('organizationId' in cond) {\n                return cond.organizationId === null\n                  ? s.organizationId === null\n                  : s.organizationId === cond.organizationId;\n              }\n              if ('id' in cond && (cond.id as Record<string, unknown>)?.in) {\n                return ((cond.id as Record<string, unknown>).in as string[]).includes(s.id);\n              }\n              return false;\n            })\n          );\n        }\n        return Promise.resolve(result);\n      }),\n      findUnique: vi\n        .fn()\n        .mockImplementation(({ where }: Record<string, Record<string, unknown>>) => {\n          const found = SERVERS.find((s) => s.id === where.id);\n          return Promise.resolve(found ?? null);\n        }),\n      create: vi.fn().mockImplementation(({ data }: Record<string, Record<string, unknown>>) => {\n        const server: InMemoryMcpServer = {\n          id: `server-${Date.now()}`,\n          name: data.name as string,\n          type: data.type as string,\n          config: data.config as string,\n          apiKeyConfig: (data.apiKeyConfig as string) ?? null,\n          oauthConfig: (data.oauthConfig as string) ?? null,\n          userId: (data.userId as string) ?? null,\n          organizationId: (data.organizationId as string) ?? null,\n          profiles: [],\n          oauthToken: null,\n          toolsCache: [],\n        };\n        SERVERS.push(server);\n        return Promise.resolve(server);\n      }),\n      delete: vi.fn().mockResolvedValue(undefined),\n      update: vi.fn().mockResolvedValue({}),\n    },\n    member: {\n      findMany: vi.fn().mockResolvedValue([]),\n    },\n    mcpServerToolsCache: {\n      findMany: vi.fn().mockResolvedValue([]),\n    },\n    gatewaySetting: {\n      upsert: vi.fn().mockResolvedValue({}),\n    },\n  };\n}\n\n// ────────────────────────────────────────────────\n// Tests: ProfilesService data isolation\n// ────────────────────────────────────────────────\n\ndescribe('Multi-tenant data isolation', () => {\n  describe('ProfilesService', () => {\n    let profilesService: ProfilesService;\n    let prisma: ReturnType<typeof buildMockPrisma>;\n    let proxyService: Record<string, ReturnType<typeof vi.fn>>;\n\n    beforeEach(() => {\n      // Reset in-memory data\n      PROFILES.length = 0;\n      PROFILES.push(\n        {\n          id: 'sys-profile',\n          name: 'default',\n          description: 'System default profile',\n          userId: null,\n          organizationId: null,\n          mcpServers: [],\n        },\n        {\n          id: 'org-a-profile',\n          name: 'org-a-dev',\n          description: 'Org A dev profile',\n          userId: 'user-a',\n          organizationId: 'org-a',\n          mcpServers: [],\n        },\n        {\n          id: 'org-b-profile',\n          name: 'org-b-prod',\n          description: 'Org B prod profile',\n          userId: 'user-b',\n          organizationId: 'org-b',\n          mcpServers: [],\n        }\n      );\n\n      prisma = buildMockPrisma();\n      proxyService = {\n        getToolsForServer: vi.fn().mockResolvedValue([]),\n      };\n\n      profilesService = new ProfilesService(\n        prisma as unknown as PrismaService,\n        proxyService as unknown as ProxyService\n      );\n    });\n\n    it('Org A sees org A profiles + system profiles, not Org B profiles', async () => {\n      const result = await profilesService.findAll('user-a', 'org-a');\n\n      const ids = result.map((p: { id: string }) => p.id);\n      expect(ids).toContain('sys-profile');\n      expect(ids).toContain('org-a-profile');\n      expect(ids).not.toContain('org-b-profile');\n    });\n\n    it('Org B sees org B profiles + system profiles, not Org A profiles', async () => {\n      const result = await profilesService.findAll('user-b', 'org-b');\n\n      const ids = result.map((p: { id: string }) => p.id);\n      expect(ids).toContain('sys-profile');\n      expect(ids).toContain('org-b-profile');\n      expect(ids).not.toContain('org-a-profile');\n    });\n\n    it('system profiles (organizationId=null) are visible to all orgs', async () => {\n      const resultA = await profilesService.findAll('user-a', 'org-a');\n      const resultB = await profilesService.findAll('user-b', 'org-b');\n\n      expect(resultA.some((p: { id: string }) => p.id === 'sys-profile')).toBe(true);\n      expect(resultB.some((p: { id: string }) => p.id === 'sys-profile')).toBe(true);\n    });\n\n    it('creating a profile sets userId and organizationId', async () => {\n      const created = await profilesService.create({ name: 'a-new' }, 'user-a', 'org-a');\n      expect(created.userId).toBe('user-a');\n      expect(created.organizationId).toBe('org-a');\n    });\n\n    it('Org A cannot access Org B profile by ID', async () => {\n      await expect(profilesService.findById('org-b-profile', 'user-a', 'org-a')).rejects.toThrow(\n        ForbiddenException\n      );\n    });\n\n    it('Org A can access system profile by ID', async () => {\n      const profile = await profilesService.findById('sys-profile', 'user-a', 'org-a');\n      expect(profile).toBeDefined();\n      expect(profile.id).toBe('sys-profile');\n    });\n\n    it('unauthenticated user sees all profiles', async () => {\n      const result = await profilesService.findAll(UNAUTHENTICATED_ID);\n\n      // Unauthenticated findAll queries without WHERE filter\n      expect(prisma.profile.findMany).toHaveBeenCalledWith(\n        expect.objectContaining({\n          orderBy: { name: 'asc' },\n        })\n      );\n      // The mock returns all profiles for filterless queries\n      expect(result.length).toBeGreaterThanOrEqual(1);\n    });\n  });\n\n  // ────────────────────────────────────────────────\n  // Tests: McpService data isolation\n  // ────────────────────────────────────────────────\n\n  describe('McpService', () => {\n    let mcpService: McpService;\n    let prisma: ReturnType<typeof buildMockPrisma>;\n    let registry: McpRegistry;\n    let debugService: Record<string, ReturnType<typeof vi.fn>>;\n\n    beforeEach(() => {\n      // Reset in-memory data\n      SERVERS.length = 0;\n      SERVERS.push(\n        {\n          id: 'sys-server',\n          name: 'System Builtin',\n          type: 'builtin',\n          config: '{\"builtinId\":\"fetch\"}',\n          apiKeyConfig: null,\n          oauthConfig: null,\n          userId: null,\n          organizationId: null,\n          profiles: [],\n          oauthToken: null,\n          toolsCache: [],\n        },\n        {\n          id: 'org-a-server',\n          name: 'A Custom',\n          type: 'external',\n          config: '{\"command\":\"node\"}',\n          apiKeyConfig: '{\"apiKey\":\"a-key\"}',\n          oauthConfig: null,\n          userId: 'user-a',\n          organizationId: 'org-a',\n          profiles: [],\n          oauthToken: null,\n          toolsCache: [],\n        },\n        {\n          id: 'org-b-server',\n          name: 'B Custom',\n          type: 'external',\n          config: '{\"command\":\"node\"}',\n          apiKeyConfig: '{\"apiKey\":\"b-key\"}',\n          oauthConfig: null,\n          userId: 'user-b',\n          organizationId: 'org-b',\n          profiles: [],\n          oauthToken: null,\n          toolsCache: [],\n        }\n      );\n\n      prisma = buildMockPrisma();\n      registry = new McpRegistry();\n      debugService = {\n        createLog: vi.fn().mockResolvedValue({ id: 'log-1' }),\n        updateLog: vi.fn().mockResolvedValue({}),\n      };\n\n      mcpService = new McpService(\n        prisma as unknown as PrismaService,\n        registry,\n        debugService as unknown as DebugService\n      );\n    });\n\n    it('Org A sees org A servers + system servers, not Org B servers', async () => {\n      const result = await mcpService.findAll('user-a', 'org-a');\n\n      const ids = result.map((s: { id: string }) => s.id);\n      expect(ids).toContain('sys-server');\n      expect(ids).toContain('org-a-server');\n      expect(ids).not.toContain('org-b-server');\n    });\n\n    it('Org B sees org B servers + system servers, not Org A servers', async () => {\n      const result = await mcpService.findAll('user-b', 'org-b');\n\n      const ids = result.map((s: { id: string }) => s.id);\n      expect(ids).toContain('sys-server');\n      expect(ids).toContain('org-b-server');\n      expect(ids).not.toContain('org-a-server');\n    });\n\n    it('builtin/system servers (organizationId=null) are visible to all orgs', async () => {\n      const resultA = await mcpService.findAll('user-a', 'org-a');\n      const resultB = await mcpService.findAll('user-b', 'org-b');\n\n      expect(resultA.some((s: { id: string }) => s.id === 'sys-server')).toBe(true);\n      expect(resultB.some((s: { id: string }) => s.id === 'sys-server')).toBe(true);\n    });\n\n    it('Org A cannot access Org B server by ID', async () => {\n      await expect(mcpService.findById('org-b-server', 'user-a', 'org-a')).rejects.toThrow(\n        ForbiddenException\n      );\n    });\n\n    it('Org A can access system server by ID', async () => {\n      const server = await mcpService.findById('sys-server', 'user-a', 'org-a');\n      expect(server).toBeDefined();\n      expect(server.id).toBe('sys-server');\n    });\n\n    it('Creating a server in Org A sets organizationId to org-a', async () => {\n      await mcpService.create(\n        { name: 'New', type: 'external', config: { command: 'node' } },\n        'user-a',\n        'org-a'\n      );\n\n      expect(prisma.mcpServer.create).toHaveBeenCalledWith(\n        expect.objectContaining({\n          data: expect.objectContaining({ userId: 'user-a', organizationId: 'org-a' }),\n        })\n      );\n    });\n\n    it('unauthenticated user sees all servers without filtering', async () => {\n      await mcpService.findAll(UNAUTHENTICATED_ID);\n\n      // Anonymous uses the unfiltered findMany path\n      expect(prisma.mcpServer.findMany).toHaveBeenCalledWith(\n        expect.objectContaining({\n          orderBy: { name: 'asc' },\n        })\n      );\n    });\n\n    it('Org A cannot delete Org B server', async () => {\n      await expect(mcpService.delete('org-b-server', 'user-a', 'org-a')).rejects.toThrow(\n        ForbiddenException\n      );\n    });\n\n    it('Org A can delete own org server', async () => {\n      await mcpService.delete('org-a-server', 'user-a', 'org-a');\n      expect(prisma.mcpServer.delete).toHaveBeenCalledWith({ where: { id: 'org-a-server' } });\n    });\n  });\n});\n"],"names":["ForbiddenException","beforeEach","describe","expect","it","vi","UNAUTHENTICATED_ID","McpService","McpRegistry","ProfilesService","PROFILES","SERVERS","buildMockPrisma","profile","findMany","fn","mockImplementation","where","result","whereObj","OR","orConds","filter","p","some","cond","organizationId","id","in","includes","Promise","resolve","findUnique","found","find","name","create","data","Date","now","description","userId","mcpServers","push","delete","mockResolvedValue","undefined","update","mcpServer","s","server","type","config","apiKeyConfig","oauthConfig","profiles","oauthToken","toolsCache","member","mcpServerToolsCache","gatewaySetting","upsert","profilesService","prisma","proxyService","length","getToolsForServer","findAll","ids","map","toContain","not","resultA","resultB","toBe","created","findById","rejects","toThrow","toBeDefined","toHaveBeenCalledWith","objectContaining","orderBy","toBeGreaterThanOrEqual","mcpService","registry","debugService","createLog","updateLog","command"],"mappings":"AAAA;;;;;CAKC,GAED,SAASA,kBAAkB,QAAQ,iBAAiB;AACpD,SAASC,UAAU,EAAEC,QAAQ,EAAEC,MAAM,EAAEC,EAAE,EAAEC,EAAE,QAAQ,SAAS;AAE9D,kDAAkD,GAClD,MAAMC,qBAAqB;AAI3B,SAASC,UAAU,QAAQ,mCAAmC;AAC9D,SAASC,WAAW,QAAQ,oCAAoC;AAChE,SAASC,eAAe,QAAQ,6CAA6C;AA8B7E,MAAMC,WAA8B,EAAE;AAEtC,MAAMC,UAA+B,EAAE;AAEvC,mDAAmD;AACnD,yDAAyD;AACzD,mDAAmD;AAEnD,SAASC;IACP,OAAO;QACLC,SAAS;YACPC,UAAUT,GAAGU,EAAE,GAAGC,kBAAkB,CAAC,CAAC,EAAEC,KAAK,EAA2B,GAAG,CAAC,CAAC;gBAC3E,IAAIC,SAAS;uBAAIR;iBAAS;gBAC1B,MAAMS,WAAWF;gBACjB,IAAIE,UAAUC,IAAI;oBAChB,MAAMC,UAAUF,SAASC,EAAE;oBAC3BF,SAASA,OAAOI,MAAM,CAAC,CAACC,IACtBF,QAAQG,IAAI,CAAC,CAACC;4BACZ,IAAI,oBAAoBA,MAAM;gCAC5B,OAAOA,KAAKC,cAAc,KAAK,OAC3BH,EAAEG,cAAc,KAAK,OACrBH,EAAEG,cAAc,KAAKD,KAAKC,cAAc;4BAC9C;4BACA,IAAI,QAAQD,QAASA,KAAKE,EAAE,EAA8BC,IAAI;gCAC5D,OAAO,AAAC,AAACH,KAAKE,EAAE,CAA6BC,EAAE,CAAcC,QAAQ,CAACN,EAAEI,EAAE;4BAC5E;4BACA,OAAO;wBACT;gBAEJ;gBACA,OAAOG,QAAQC,OAAO,CAACb;YACzB;YACAc,YAAY3B,GACTU,EAAE,GACFC,kBAAkB,CAAC,CAAC,EAAEC,KAAK,EAA2C;gBACrE,MAAMgB,QAAQvB,SAASwB,IAAI,CACzB,CAACX,IAAM,AAACN,MAAMU,EAAE,IAAIJ,EAAEI,EAAE,KAAKV,MAAMU,EAAE,IAAMV,MAAMkB,IAAI,IAAIZ,EAAEY,IAAI,KAAKlB,MAAMkB,IAAI;gBAEhF,OAAOL,QAAQC,OAAO,CAACE,SAAS;YAClC;YACFG,QAAQ/B,GAAGU,EAAE,GAAGC,kBAAkB,CAAC,CAAC,EAAEqB,IAAI,EAA2C;gBACnF,MAAMxB,UAA2B;oBAC/Bc,IAAI,CAAC,QAAQ,EAAEW,KAAKC,GAAG,IAAI;oBAC3BJ,MAAME,KAAKF,IAAI;oBACfK,aAAa,AAACH,KAAKG,WAAW,IAAe;oBAC7CC,QAAQ,AAACJ,KAAKI,MAAM,IAAe;oBACnCf,gBAAgB,AAACW,KAAKX,cAAc,IAAe;oBACnDgB,YAAY,EAAE;gBAChB;gBACAhC,SAASiC,IAAI,CAAC9B;gBACd,OAAOiB,QAAQC,OAAO,CAAClB;YACzB;YACA+B,QAAQvC,GAAGU,EAAE,GAAG8B,iBAAiB,CAACC;YAClCC,QAAQ1C,GAAGU,EAAE,GAAG8B,iBAAiB,CAAC,CAAC;QACrC;QACAG,WAAW;YACTlC,UAAUT,GAAGU,EAAE,GAAGC,kBAAkB,CAAC,CAAC,EAAEC,KAAK,EAA2B,GAAG,CAAC,CAAC;gBAC3E,IAAIC,SAAS;uBAAIP;iBAAQ;gBACzB,MAAMQ,WAAWF;gBACjB,IAAIE,UAAUC,IAAI;oBAChB,MAAMC,UAAUF,SAASC,EAAE;oBAC3BF,SAASA,OAAOI,MAAM,CAAC,CAAC2B,IACtB5B,QAAQG,IAAI,CAAC,CAACC;4BACZ,IAAI,oBAAoBA,MAAM;gCAC5B,OAAOA,KAAKC,cAAc,KAAK,OAC3BuB,EAAEvB,cAAc,KAAK,OACrBuB,EAAEvB,cAAc,KAAKD,KAAKC,cAAc;4BAC9C;4BACA,IAAI,QAAQD,QAASA,KAAKE,EAAE,EAA8BC,IAAI;gCAC5D,OAAO,AAAC,AAACH,KAAKE,EAAE,CAA6BC,EAAE,CAAcC,QAAQ,CAACoB,EAAEtB,EAAE;4BAC5E;4BACA,OAAO;wBACT;gBAEJ;gBACA,OAAOG,QAAQC,OAAO,CAACb;YACzB;YACAc,YAAY3B,GACTU,EAAE,GACFC,kBAAkB,CAAC,CAAC,EAAEC,KAAK,EAA2C;gBACrE,MAAMgB,QAAQtB,QAAQuB,IAAI,CAAC,CAACe,IAAMA,EAAEtB,EAAE,KAAKV,MAAMU,EAAE;gBACnD,OAAOG,QAAQC,OAAO,CAACE,SAAS;YAClC;YACFG,QAAQ/B,GAAGU,EAAE,GAAGC,kBAAkB,CAAC,CAAC,EAAEqB,IAAI,EAA2C;gBACnF,MAAMa,SAA4B;oBAChCvB,IAAI,CAAC,OAAO,EAAEW,KAAKC,GAAG,IAAI;oBAC1BJ,MAAME,KAAKF,IAAI;oBACfgB,MAAMd,KAAKc,IAAI;oBACfC,QAAQf,KAAKe,MAAM;oBACnBC,cAAc,AAAChB,KAAKgB,YAAY,IAAe;oBAC/CC,aAAa,AAACjB,KAAKiB,WAAW,IAAe;oBAC7Cb,QAAQ,AAACJ,KAAKI,MAAM,IAAe;oBACnCf,gBAAgB,AAACW,KAAKX,cAAc,IAAe;oBACnD6B,UAAU,EAAE;oBACZC,YAAY;oBACZC,YAAY,EAAE;gBAChB;gBACA9C,QAAQgC,IAAI,CAACO;gBACb,OAAOpB,QAAQC,OAAO,CAACmB;YACzB;YACAN,QAAQvC,GAAGU,EAAE,GAAG8B,iBAAiB,CAACC;YAClCC,QAAQ1C,GAAGU,EAAE,GAAG8B,iBAAiB,CAAC,CAAC;QACrC;QACAa,QAAQ;YACN5C,UAAUT,GAAGU,EAAE,GAAG8B,iBAAiB,CAAC,EAAE;QACxC;QACAc,qBAAqB;YACnB7C,UAAUT,GAAGU,EAAE,GAAG8B,iBAAiB,CAAC,EAAE;QACxC;QACAe,gBAAgB;YACdC,QAAQxD,GAAGU,EAAE,GAAG8B,iBAAiB,CAAC,CAAC;QACrC;IACF;AACF;AAEA,mDAAmD;AACnD,wCAAwC;AACxC,mDAAmD;AAEnD3C,SAAS,+BAA+B;IACtCA,SAAS,mBAAmB;QAC1B,IAAI4D;QACJ,IAAIC;QACJ,IAAIC;QAEJ/D,WAAW;YACT,uBAAuB;YACvBS,SAASuD,MAAM,GAAG;YAClBvD,SAASiC,IAAI,CACX;gBACEhB,IAAI;gBACJQ,MAAM;gBACNK,aAAa;gBACbC,QAAQ;gBACRf,gBAAgB;gBAChBgB,YAAY,EAAE;YAChB,GACA;gBACEf,IAAI;gBACJQ,MAAM;gBACNK,aAAa;gBACbC,QAAQ;gBACRf,gBAAgB;gBAChBgB,YAAY,EAAE;YAChB,GACA;gBACEf,IAAI;gBACJQ,MAAM;gBACNK,aAAa;gBACbC,QAAQ;gBACRf,gBAAgB;gBAChBgB,YAAY,EAAE;YAChB;YAGFqB,SAASnD;YACToD,eAAe;gBACbE,mBAAmB7D,GAAGU,EAAE,GAAG8B,iBAAiB,CAAC,EAAE;YACjD;YAEAiB,kBAAkB,IAAIrD,gBACpBsD,QACAC;QAEJ;QAEA5D,GAAG,mEAAmE;YACpE,MAAMc,SAAS,MAAM4C,gBAAgBK,OAAO,CAAC,UAAU;YAEvD,MAAMC,MAAMlD,OAAOmD,GAAG,CAAC,CAAC9C,IAAsBA,EAAEI,EAAE;YAClDxB,OAAOiE,KAAKE,SAAS,CAAC;YACtBnE,OAAOiE,KAAKE,SAAS,CAAC;YACtBnE,OAAOiE,KAAKG,GAAG,CAACD,SAAS,CAAC;QAC5B;QAEAlE,GAAG,mEAAmE;YACpE,MAAMc,SAAS,MAAM4C,gBAAgBK,OAAO,CAAC,UAAU;YAEvD,MAAMC,MAAMlD,OAAOmD,GAAG,CAAC,CAAC9C,IAAsBA,EAAEI,EAAE;YAClDxB,OAAOiE,KAAKE,SAAS,CAAC;YACtBnE,OAAOiE,KAAKE,SAAS,CAAC;YACtBnE,OAAOiE,KAAKG,GAAG,CAACD,SAAS,CAAC;QAC5B;QAEAlE,GAAG,iEAAiE;YAClE,MAAMoE,UAAU,MAAMV,gBAAgBK,OAAO,CAAC,UAAU;YACxD,MAAMM,UAAU,MAAMX,gBAAgBK,OAAO,CAAC,UAAU;YAExDhE,OAAOqE,QAAQhD,IAAI,CAAC,CAACD,IAAsBA,EAAEI,EAAE,KAAK,gBAAgB+C,IAAI,CAAC;YACzEvE,OAAOsE,QAAQjD,IAAI,CAAC,CAACD,IAAsBA,EAAEI,EAAE,KAAK,gBAAgB+C,IAAI,CAAC;QAC3E;QAEAtE,GAAG,qDAAqD;YACtD,MAAMuE,UAAU,MAAMb,gBAAgB1B,MAAM,CAAC;gBAAED,MAAM;YAAQ,GAAG,UAAU;YAC1EhC,OAAOwE,QAAQlC,MAAM,EAAEiC,IAAI,CAAC;YAC5BvE,OAAOwE,QAAQjD,cAAc,EAAEgD,IAAI,CAAC;QACtC;QAEAtE,GAAG,2CAA2C;YAC5C,MAAMD,OAAO2D,gBAAgBc,QAAQ,CAAC,iBAAiB,UAAU,UAAUC,OAAO,CAACC,OAAO,CACxF9E;QAEJ;QAEAI,GAAG,yCAAyC;YAC1C,MAAMS,UAAU,MAAMiD,gBAAgBc,QAAQ,CAAC,eAAe,UAAU;YACxEzE,OAAOU,SAASkE,WAAW;YAC3B5E,OAAOU,QAAQc,EAAE,EAAE+C,IAAI,CAAC;QAC1B;QAEAtE,GAAG,0CAA0C;YAC3C,MAAMc,SAAS,MAAM4C,gBAAgBK,OAAO,CAAC7D;YAE7C,uDAAuD;YACvDH,OAAO4D,OAAOlD,OAAO,CAACC,QAAQ,EAAEkE,oBAAoB,CAClD7E,OAAO8E,gBAAgB,CAAC;gBACtBC,SAAS;oBAAE/C,MAAM;gBAAM;YACzB;YAEF,uDAAuD;YACvDhC,OAAOe,OAAO+C,MAAM,EAAEkB,sBAAsB,CAAC;QAC/C;IACF;IAEA,mDAAmD;IACnD,mCAAmC;IACnC,mDAAmD;IAEnDjF,SAAS,cAAc;QACrB,IAAIkF;QACJ,IAAIrB;QACJ,IAAIsB;QACJ,IAAIC;QAEJrF,WAAW;YACT,uBAAuB;YACvBU,QAAQsD,MAAM,GAAG;YACjBtD,QAAQgC,IAAI,CACV;gBACEhB,IAAI;gBACJQ,MAAM;gBACNgB,MAAM;gBACNC,QAAQ;gBACRC,cAAc;gBACdC,aAAa;gBACbb,QAAQ;gBACRf,gBAAgB;gBAChB6B,UAAU,EAAE;gBACZC,YAAY;gBACZC,YAAY,EAAE;YAChB,GACA;gBACE9B,IAAI;gBACJQ,MAAM;gBACNgB,MAAM;gBACNC,QAAQ;gBACRC,cAAc;gBACdC,aAAa;gBACbb,QAAQ;gBACRf,gBAAgB;gBAChB6B,UAAU,EAAE;gBACZC,YAAY;gBACZC,YAAY,EAAE;YAChB,GACA;gBACE9B,IAAI;gBACJQ,MAAM;gBACNgB,MAAM;gBACNC,QAAQ;gBACRC,cAAc;gBACdC,aAAa;gBACbb,QAAQ;gBACRf,gBAAgB;gBAChB6B,UAAU,EAAE;gBACZC,YAAY;gBACZC,YAAY,EAAE;YAChB;YAGFM,SAASnD;YACTyE,WAAW,IAAI7E;YACf8E,eAAe;gBACbC,WAAWlF,GAAGU,EAAE,GAAG8B,iBAAiB,CAAC;oBAAElB,IAAI;gBAAQ;gBACnD6D,WAAWnF,GAAGU,EAAE,GAAG8B,iBAAiB,CAAC,CAAC;YACxC;YAEAuC,aAAa,IAAI7E,WACfwD,QACAsB,UACAC;QAEJ;QAEAlF,GAAG,gEAAgE;YACjE,MAAMc,SAAS,MAAMkE,WAAWjB,OAAO,CAAC,UAAU;YAElD,MAAMC,MAAMlD,OAAOmD,GAAG,CAAC,CAACpB,IAAsBA,EAAEtB,EAAE;YAClDxB,OAAOiE,KAAKE,SAAS,CAAC;YACtBnE,OAAOiE,KAAKE,SAAS,CAAC;YACtBnE,OAAOiE,KAAKG,GAAG,CAACD,SAAS,CAAC;QAC5B;QAEAlE,GAAG,gEAAgE;YACjE,MAAMc,SAAS,MAAMkE,WAAWjB,OAAO,CAAC,UAAU;YAElD,MAAMC,MAAMlD,OAAOmD,GAAG,CAAC,CAACpB,IAAsBA,EAAEtB,EAAE;YAClDxB,OAAOiE,KAAKE,SAAS,CAAC;YACtBnE,OAAOiE,KAAKE,SAAS,CAAC;YACtBnE,OAAOiE,KAAKG,GAAG,CAACD,SAAS,CAAC;QAC5B;QAEAlE,GAAG,wEAAwE;YACzE,MAAMoE,UAAU,MAAMY,WAAWjB,OAAO,CAAC,UAAU;YACnD,MAAMM,UAAU,MAAMW,WAAWjB,OAAO,CAAC,UAAU;YAEnDhE,OAAOqE,QAAQhD,IAAI,CAAC,CAACyB,IAAsBA,EAAEtB,EAAE,KAAK,eAAe+C,IAAI,CAAC;YACxEvE,OAAOsE,QAAQjD,IAAI,CAAC,CAACyB,IAAsBA,EAAEtB,EAAE,KAAK,eAAe+C,IAAI,CAAC;QAC1E;QAEAtE,GAAG,0CAA0C;YAC3C,MAAMD,OAAOiF,WAAWR,QAAQ,CAAC,gBAAgB,UAAU,UAAUC,OAAO,CAACC,OAAO,CAClF9E;QAEJ;QAEAI,GAAG,wCAAwC;YACzC,MAAM8C,SAAS,MAAMkC,WAAWR,QAAQ,CAAC,cAAc,UAAU;YACjEzE,OAAO+C,QAAQ6B,WAAW;YAC1B5E,OAAO+C,OAAOvB,EAAE,EAAE+C,IAAI,CAAC;QACzB;QAEAtE,GAAG,2DAA2D;YAC5D,MAAMgF,WAAWhD,MAAM,CACrB;gBAAED,MAAM;gBAAOgB,MAAM;gBAAYC,QAAQ;oBAAEqC,SAAS;gBAAO;YAAE,GAC7D,UACA;YAGFtF,OAAO4D,OAAOf,SAAS,CAACZ,MAAM,EAAE4C,oBAAoB,CAClD7E,OAAO8E,gBAAgB,CAAC;gBACtB5C,MAAMlC,OAAO8E,gBAAgB,CAAC;oBAAExC,QAAQ;oBAAUf,gBAAgB;gBAAQ;YAC5E;QAEJ;QAEAtB,GAAG,2DAA2D;YAC5D,MAAMgF,WAAWjB,OAAO,CAAC7D;YAEzB,8CAA8C;YAC9CH,OAAO4D,OAAOf,SAAS,CAAClC,QAAQ,EAAEkE,oBAAoB,CACpD7E,OAAO8E,gBAAgB,CAAC;gBACtBC,SAAS;oBAAE/C,MAAM;gBAAM;YACzB;QAEJ;QAEA/B,GAAG,oCAAoC;YACrC,MAAMD,OAAOiF,WAAWxC,MAAM,CAAC,gBAAgB,UAAU,UAAUiC,OAAO,CAACC,OAAO,CAChF9E;QAEJ;QAEAI,GAAG,mCAAmC;YACpC,MAAMgF,WAAWxC,MAAM,CAAC,gBAAgB,UAAU;YAClDzC,OAAO4D,OAAOf,SAAS,CAACJ,MAAM,EAAEoC,oBAAoB,CAAC;gBAAE/D,OAAO;oBAAEU,IAAI;gBAAe;YAAE;QACvF;IACF;AACF"}