@gethmy/mcp 2.5.0 → 2.5.2

package/src/__tests__/remote-routing.test.ts

@@ -1,285 +0,0 @@
-/**
- * Routing/auth tests for the remote MCP server (`src/remote.ts`).
- *
- * Covers the four session-routing branches mandated by the MCP Streamable
- * HTTP spec — the regression that surfaced as "Harmony MCP not responding"
- * after a server restart, OAuth refresh, or stale-session GC was a missing
- * 404 branch for unknown `Mcp-Session-Id` values.
- *
- * These tests stub `globalThis.fetch` so we don't depend on harmony-api
- * being reachable.
- *
- * Run with: bun test packages/mcp-server/src/__tests__/remote-routing.test.ts
- */
-
-import {
-  afterAll,
-  afterEach,
-  beforeAll,
-  beforeEach,
-  describe,
-  expect,
-  test,
-} from "bun:test";
-
-const ORIGINAL_FETCH = globalThis.fetch;
-
-// Fixed values used across tests
-const TEST_USER = "user-alpha";
-const OTHER_USER = "user-beta";
-const TEST_WORKSPACE = "ws-1";
-const VALID_TOKEN = "hmy_at_alpha_valid";
-const REFRESHED_TOKEN = "hmy_at_alpha_refreshed";
-const OTHER_USER_TOKEN = "hmy_at_beta_valid";
-const REVOKED_TOKEN = "hmy_at_revoked";
-
-function makeFetchStub() {
-  return async (
-    input: string | URL | Request,
-    init?: RequestInit,
-  ): Promise<Response> => {
-    const url = typeof input === "string" ? input : input.toString();
-    const apiKey =
-      (init?.headers as Record<string, string> | undefined)?.["X-API-Key"] ??
-      "";
-
-    if (url.endsWith("/v1/auth/context")) {
-      const map: Record<
-        string,
-        { userId: string; workspaceId: string | null; source: string } | null
-      > = {
-        [VALID_TOKEN]: {
-          userId: TEST_USER,
-          workspaceId: TEST_WORKSPACE,
-          source: "oauth",
-        },
-        [REFRESHED_TOKEN]: {
-          userId: TEST_USER,
-          workspaceId: TEST_WORKSPACE,
-          source: "oauth",
-        },
-        [OTHER_USER_TOKEN]: {
-          userId: OTHER_USER,
-          workspaceId: "ws-2",
-          source: "oauth",
-        },
-      };
-      const ctx = map[apiKey];
-      if (!ctx) {
-        return new Response(JSON.stringify({ error: "unauthorized" }), {
-          status: 401,
-          headers: { "Content-Type": "application/json" },
-        });
-      }
-      return new Response(JSON.stringify(ctx), {
-        status: 200,
-        headers: { "Content-Type": "application/json" },
-      });
-    }
-
-    // Anything else — return a benign 404 so unrelated lookups don't blow up.
-    return new Response("{}", {
-      status: 404,
-      headers: { "Content-Type": "application/json" },
-    });
-  };
-}
-
-let fetchHandler: (req: Request) => Promise<Response>;
-let _sessionsForTests: Map<string, unknown>;
-
-beforeAll(async () => {
-  globalThis.fetch = makeFetchStub() as unknown as typeof fetch;
-  // Import after the stub is in place (module init is synchronous-only.)
-  const mod = await import("../remote.js");
-  fetchHandler = mod.fetchHandler as (req: Request) => Promise<Response>;
-  _sessionsForTests = mod._sessionsForTests as Map<string, unknown>;
-});
-
-afterAll(() => {
-  globalThis.fetch = ORIGINAL_FETCH;
-});
-
-beforeEach(() => {
-  // Refresh the fetch stub each test (preserves across the cache TTL).
-  globalThis.fetch = makeFetchStub() as unknown as typeof fetch;
-});
-
-afterEach(() => {
-  // Wipe sessions between tests so state doesn't leak.
-  _sessionsForTests.clear();
-});
-
-const INIT_BODY = {
-  jsonrpc: "2.0",
-  id: 1,
-  method: "initialize",
-  params: {
-    protocolVersion: "2025-06-18",
-    capabilities: {},
-    clientInfo: { name: "test", version: "0.0.1" },
-  },
-};
-
-const TOOLS_LIST_BODY = {
-  jsonrpc: "2.0",
-  id: 2,
-  method: "tools/list",
-  params: {},
-};
-
-function makePost(
-  body: unknown,
-  opts: { token?: string; sessionId?: string } = {},
-): Request {
-  const headers: Record<string, string> = {
-    "Content-Type": "application/json",
-    Accept: "application/json, text/event-stream",
-  };
-  if (opts.token) headers.Authorization = `Bearer ${opts.token}`;
-  if (opts.sessionId) headers["Mcp-Session-Id"] = opts.sessionId;
-  return new Request("http://localhost/mcp", {
-    method: "POST",
-    headers,
-    body: JSON.stringify(body),
-  });
-}
-
-describe("remote MCP routing", () => {
-  test("no Authorization header → 401 + WWW-Authenticate", async () => {
-    const res = await fetchHandler(
-      new Request("http://localhost/mcp", { method: "POST" }),
-    );
-    expect(res.status).toBe(401);
-    const wwwAuth = res.headers.get("WWW-Authenticate") ?? "";
-    expect(wwwAuth).toContain("Bearer");
-    expect(wwwAuth).toContain("resource_metadata=");
-  });
-
-  test("invalid bearer on initialize → 401 invalid_token", async () => {
-    const res = await fetchHandler(
-      makePost(INIT_BODY, { token: REVOKED_TOKEN }),
-    );
-    expect(res.status).toBe(401);
-    expect(res.headers.get("WWW-Authenticate") ?? "").toContain(
-      "invalid_token",
-    );
-  });
-
-  test("POST without session id and not initialize → 400", async () => {
-    const res = await fetchHandler(
-      makePost(TOOLS_LIST_BODY, { token: VALID_TOKEN }),
-    );
-    expect(res.status).toBe(400);
-    const body = (await res.json()) as { error: { message: string } };
-    expect(body.error.message).toMatch(/Mcp-Session-Id header required/i);
-  });
-
-  test("POST with unknown session id → 404 (forces client re-init)", async () => {
-    const res = await fetchHandler(
-      makePost(TOOLS_LIST_BODY, {
-        token: VALID_TOKEN,
-        sessionId: "ghost-session-id",
-      }),
-    );
-    // This is the spec-mandated behavior that fixes "Harmony MCP not responding".
-    expect(res.status).toBe(404);
-    const body = (await res.json()) as { error: { code: number } };
-    expect(body.error.code).toBe(-32001);
-    expect(res.headers.get("Mcp-Session-Id")).toBe("ghost-session-id");
-  });
-
-  test("initialize succeeds and registers a session", async () => {
-    const res = await fetchHandler(makePost(INIT_BODY, { token: VALID_TOKEN }));
-    expect(res.status).toBe(200);
-    const sid = res.headers.get("mcp-session-id");
-    expect(sid).toBeTruthy();
-    expect(_sessionsForTests.has(sid!)).toBe(true);
-  });
-
-  test("rotated token (same user) is accepted on hot-swap", async () => {
-    // Bootstrap a session.
-    const initRes = await fetchHandler(
-      makePost(INIT_BODY, { token: VALID_TOKEN }),
-    );
-    const sid = initRes.headers.get("mcp-session-id")!;
-
-    // Send a follow-up with the *new* token + same session id.
-    // We're not asserting on the body — just that the rotation didn't
-    // produce a 401/404, which it would if hot-swap were broken.
-    const follow = await fetchHandler(
-      makePost(TOOLS_LIST_BODY, {
-        token: REFRESHED_TOKEN,
-        sessionId: sid,
-      }),
-    );
-    expect(follow.status).not.toBe(401);
-    expect(follow.status).not.toBe(404);
-  });
-
-  test("token from a different user is REJECTED on hot-swap", async () => {
-    const initRes = await fetchHandler(
-      makePost(INIT_BODY, { token: VALID_TOKEN }),
-    );
-    const sid = initRes.headers.get("mcp-session-id")!;
-
-    // Attempt to ride the session with another user's bearer.
-    const hijack = await fetchHandler(
-      makePost(TOOLS_LIST_BODY, {
-        token: OTHER_USER_TOKEN,
-        sessionId: sid,
-      }),
-    );
-    expect(hijack.status).toBe(401);
-    const wwwAuth = hijack.headers.get("WWW-Authenticate") ?? "";
-    expect(wwwAuth).toContain("invalid_token");
-  });
-
-  test("GET without valid session id → 400", async () => {
-    const res = await fetchHandler(
-      new Request("http://localhost/mcp", {
-        method: "GET",
-        headers: {
-          Authorization: `Bearer ${VALID_TOKEN}`,
-          Accept: "text/event-stream",
-        },
-      }),
-    );
-    // GET without a session id falls into "session required" — 400.
-    expect(res.status).toBe(400);
-  });
-
-  test("GET with unknown session id → 404", async () => {
-    const res = await fetchHandler(
-      new Request("http://localhost/mcp", {
-        method: "GET",
-        headers: {
-          Authorization: `Bearer ${VALID_TOKEN}`,
-          Accept: "text/event-stream",
-          "Mcp-Session-Id": "ghost",
-        },
-      }),
-    );
-    expect(res.status).toBe(404);
-  });
-
-  test("/.well-known/oauth-protected-resource is unauthenticated", async () => {
-    const res = await fetchHandler(
-      new Request("http://localhost/.well-known/oauth-protected-resource"),
-    );
-    expect(res.status).toBe(200);
-    const body = (await res.json()) as {
-      authorization_servers: string[];
-      bearer_methods_supported: string[];
-    };
-    expect(body.authorization_servers.length).toBeGreaterThan(0);
-    expect(body.bearer_methods_supported).toContain("header");
-  });
-
-  test("/health is unauthenticated", async () => {
-    const res = await fetchHandler(new Request("http://localhost/health"));
-    expect(res.status).toBe(200);
-    const body = (await res.json()) as { status: string };
-    expect(body.status).toBe("ok");
-  });
-});

package/src/__tests__/skills.test.ts

@@ -1,111 +0,0 @@
-/**
- * Verification harness for skill rendering. Card #182.
- *
- * Pins the contract that backs `~/.claude/skills/` delivery: frontmatter shape,
- * version-marker injection, agent-id substitution. If any of these drift the
- * MCP bridge installs broken skills silently, so this file is the floor.
- *
- * Run with: bun test packages/mcp-server/src/__tests__/skills.test.ts
- */
-
-import { describe, expect, test } from "bun:test";
-import {
-  buildSkillFile,
-  SKILL_DEFINITIONS,
-  SKILLS_VERSION,
-} from "../skills.js";
-
-const SKILL_IDS = Object.keys(SKILL_DEFINITIONS);
-const VERSION_MARKER_RE = /<!-- skills-version:(\d+) -->\s*$/;
-
-describe("SKILL_DEFINITIONS", () => {
-  test("registry is non-empty", () => {
-    expect(SKILL_IDS.length).toBeGreaterThan(0);
-  });
-
-  test("SKILLS_VERSION is a numeric string", () => {
-    expect(SKILLS_VERSION).toMatch(/^\d+$/);
-  });
-
-  test.each(SKILL_IDS)("definition %s has required fields", (skillId) => {
-    const skill = SKILL_DEFINITIONS[skillId];
-    expect(skill.name).toBe(skillId);
-    expect(skill.description.length).toBeGreaterThan(0);
-    expect(skill.argumentHint.length).toBeGreaterThan(0);
-    expect(skill.content.length).toBeGreaterThan(0);
-  });
-
-  test("all skill names are unique", () => {
-    const names = SKILL_IDS.map((id) => SKILL_DEFINITIONS[id].name);
-    expect(new Set(names).size).toBe(names.length);
-  });
-});
-
-describe("buildSkillFile()", () => {
-  test.each(SKILL_IDS)("renders %s with valid frontmatter", (skillId) => {
-    const out = buildSkillFile(skillId);
-    const skill = SKILL_DEFINITIONS[skillId];
-
-    expect(out.startsWith("---\n")).toBe(true);
-    expect(out).toContain(`\nname: ${skill.name}\n`);
-    expect(out).toContain(`\ndescription: ${skill.description}\n`);
-    expect(out).toContain(`\nargument-hint: ${skill.argumentHint}\n`);
-    expect(out).toContain("---\n\n");
-  });
-
-  test.each(SKILL_IDS)("appends version marker for %s", (skillId) => {
-    const out = buildSkillFile(skillId);
-    const match = out.match(VERSION_MARKER_RE);
-
-    expect(match).not.toBeNull();
-    expect(match?.[1]).toBe(SKILLS_VERSION);
-  });
-
-  test.each(SKILL_IDS)("embeds skill content for %s", (skillId) => {
-    const out = buildSkillFile(skillId);
-    const content = SKILL_DEFINITIONS[skillId].content;
-
-    expect(out).toContain(content.split("\n")[0]);
-    const lastLine = content.trim().split("\n").at(-1) ?? "";
-    expect(out).toContain(lastLine);
-  });
-
-  test("is deterministic — same input yields same output", () => {
-    const a = buildSkillFile("hmy");
-    const b = buildSkillFile("hmy");
-    expect(a).toBe(b);
-  });
-
-  test("throws on unknown skill id", () => {
-    expect(() => buildSkillFile("does-not-exist")).toThrow(/Unknown skill/);
-  });
-
-  describe("agent-id substitution", () => {
-    test("agentId='claude' replaces placeholder phrases in hmy", () => {
-      const withAgent = buildSkillFile("hmy", "claude");
-      expect(withAgent).not.toContain("Your agent identifier");
-      expect(withAgent).not.toContain("Your agent name");
-      expect(withAgent).toContain("claude-code");
-      expect(withAgent).toContain("Claude Code");
-    });
-
-    test("agentId omitted leaves placeholders untouched", () => {
-      const raw = buildSkillFile("hmy");
-      const hasPlaceholder =
-        raw.includes("Your agent identifier") ||
-        raw.includes("Your agent name");
-      const skillContent = SKILL_DEFINITIONS.hmy.content;
-      const sourceHasPlaceholder =
-        skillContent.includes("Your agent identifier") ||
-        skillContent.includes("Your agent name");
-
-      expect(hasPlaceholder).toBe(sourceHasPlaceholder);
-    });
-
-    test("unknown agentId is treated as no-op", () => {
-      const raw = buildSkillFile("hmy");
-      const unknownAgent = buildSkillFile("hmy", "some-other-agent");
-      expect(unknownAgent).toBe(raw);
-    });
-  });
-});

package/src/__tests__/tool-dispatch.test.ts

@@ -1,260 +0,0 @@
-/**
- * Verification harness for MCP tool dispatch. Card #182.
- *
- * Pins the contract between Harmony's MCP server and any MCP client (Claude
- * Code, Codex, Cursor, etc.). If the dispatch shape drifts, agents lose tools
- * silently, so this is the floor:
- *
- *   1. TOOLS registry is well-formed (shape, names, schemas).
- *   2. ListTools handler emits the same set TOOLS declares.
- *   3. CallTool handler routes valid names and isErrors unknown ones.
- *   4. ListResources / ReadResource cover the published URIs.
- *   5. Tool ↔ skill name spaces are disjoint.
- *
- * Run with: bun test packages/mcp-server/src/__tests__/tool-dispatch.test.ts
- */
-
-import { beforeAll, describe, expect, test } from "bun:test";
-import {
-  CallToolRequestSchema,
-  ListResourcesRequestSchema,
-  ListToolsRequestSchema,
-  ReadResourceRequestSchema,
-} from "@modelcontextprotocol/sdk/types.js";
-import {
-  RESOURCES,
-  registerHandlers,
-  TOOLS,
-  type ToolDeps,
-} from "../server.js";
-import { SKILL_DEFINITIONS } from "../skills.js";
-
-const TOOL_NAMES = Object.keys(TOOLS);
-
-// ── Fake transport ────────────────────────────────────────────────────────
-
-type Schema = unknown;
-type Handler = (req: unknown) => Promise<unknown>;
-
-class FakeServer {
-  handlers = new Map<Schema, Handler>();
-  setRequestHandler(schema: Schema, handler: Handler): void {
-    this.handlers.set(schema, handler);
-  }
-  call<T = unknown>(schema: Schema, request: unknown): Promise<T> {
-    const handler = this.handlers.get(schema);
-    if (!handler) throw new Error("Handler not registered");
-    return handler(request) as Promise<T>;
-  }
-}
-
-function makeDeps(overrides: Partial<ToolDeps> = {}): ToolDeps {
-  return {
-    getClient: () => ({}) as never,
-    isConfigured: () => true,
-    getActiveProjectId: () => "11111111-1111-1111-1111-111111111111",
-    getActiveWorkspaceId: () => "22222222-2222-2222-2222-222222222222",
-    setActiveProject: () => {},
-    setActiveWorkspace: () => {},
-    getApiUrl: () => "http://localhost",
-    getMemoryDir: () => null,
-    getUserEmail: () => null,
-    saveConfig: () => {},
-    resetClient: () => {},
-    ...overrides,
-  };
-}
-
-// ── Static registry shape ────────────────────────────────────────────────
-
-describe("TOOLS registry", () => {
-  test("is non-empty", () => {
-    expect(TOOL_NAMES.length).toBeGreaterThan(0);
-  });
-
-  test("every name is unique", () => {
-    expect(new Set(TOOL_NAMES).size).toBe(TOOL_NAMES.length);
-  });
-
-  test.each(TOOL_NAMES)("%s is namespaced under harmony_", (name) => {
-    expect(name).toMatch(/^harmony_[a-z0-9_]+$/);
-  });
-
-  test.each(TOOL_NAMES)("%s has description and inputSchema", (name) => {
-    const tool = (
-      TOOLS as Record<string, { description?: unknown; inputSchema?: unknown }>
-    )[name];
-    expect(typeof tool.description).toBe("string");
-    expect((tool.description as string).length).toBeGreaterThan(0);
-    expect(typeof tool.inputSchema).toBe("object");
-    expect(tool.inputSchema).not.toBeNull();
-  });
-
-  test.each(TOOL_NAMES)("%s inputSchema is a JSON Schema object", (name) => {
-    const schema = (
-      TOOLS as Record<
-        string,
-        { inputSchema: { type?: string; properties?: unknown } }
-      >
-    )[name].inputSchema;
-    expect(schema.type).toBe("object");
-    if ("properties" in schema && schema.properties !== undefined) {
-      expect(typeof schema.properties).toBe("object");
-    }
-  });
-});
-
-// ── Skill ↔ tool boundary ────────────────────────────────────────────────
-
-describe("skill ↔ tool namespace boundary", () => {
-  test("skill names and tool names are disjoint", () => {
-    const skillNames = new Set(Object.keys(SKILL_DEFINITIONS));
-    const collisions = TOOL_NAMES.filter((name) => skillNames.has(name));
-    expect(collisions).toEqual([]);
-  });
-});
-
-// ── Dispatch round-trip ──────────────────────────────────────────────────
-
-describe("registerHandlers — ListTools", () => {
-  let server: FakeServer;
-
-  beforeAll(() => {
-    server = new FakeServer();
-    registerHandlers(server as never, makeDeps());
-  });
-
-  test("registers all four request handlers", () => {
-    expect(server.handlers.has(ListToolsRequestSchema)).toBe(true);
-    expect(server.handlers.has(CallToolRequestSchema)).toBe(true);
-    expect(server.handlers.has(ListResourcesRequestSchema)).toBe(true);
-    expect(server.handlers.has(ReadResourceRequestSchema)).toBe(true);
-  });
-
-  test("emits one entry per TOOLS row, with name+description+inputSchema", async () => {
-    const result = await server.call<{
-      tools: Array<{ name: string; description: string; inputSchema: unknown }>;
-    }>(ListToolsRequestSchema, { method: "tools/list" });
-
-    expect(result.tools.length).toBe(TOOL_NAMES.length);
-
-    const emittedNames = result.tools.map((t) => t.name).sort();
-    expect(emittedNames).toEqual([...TOOL_NAMES].sort());
-
-    for (const tool of result.tools) {
-      expect(typeof tool.name).toBe("string");
-      expect(typeof tool.description).toBe("string");
-      expect(typeof tool.inputSchema).toBe("object");
-    }
-  });
-});
-
-describe("registerHandlers — CallTool", () => {
-  let server: FakeServer;
-  let workspaceId: string | null;
-  let projectId: string | null;
-
-  beforeAll(() => {
-    server = new FakeServer();
-    workspaceId = "22222222-2222-2222-2222-222222222222";
-    projectId = "11111111-1111-1111-1111-111111111111";
-    const deps = makeDeps({
-      getActiveWorkspaceId: () => workspaceId,
-      getActiveProjectId: () => projectId,
-    });
-    registerHandlers(server as never, deps);
-  });
-
-  test("routes harmony_get_context and returns active ids", async () => {
-    const result = await server.call<{
-      content: Array<{ type: string; text: string }>;
-      isError?: boolean;
-    }>(CallToolRequestSchema, {
-      method: "tools/call",
-      params: { name: "harmony_get_context", arguments: {} },
-    });
-
-    expect(result.isError).toBeUndefined();
-    expect(result.content[0].type).toBe("text");
-    const payload = JSON.parse(result.content[0].text);
-    expect(payload.success).toBe(true);
-    expect(payload.context.activeWorkspaceId).toBe(workspaceId);
-    expect(payload.context.activeProjectId).toBe(projectId);
-  });
-
-  test("unknown tool name returns isError without throwing", async () => {
-    const result = await server.call<{
-      content: Array<{ type: string; text: string }>;
-      isError?: boolean;
-    }>(CallToolRequestSchema, {
-      method: "tools/call",
-      params: { name: "harmony_does_not_exist", arguments: {} },
-    });
-
-    expect(result.isError).toBe(true);
-    expect(result.content[0].text.toLowerCase()).toContain("error");
-  });
-
-  test("not-configured rejects authenticated tools", async () => {
-    const unconfigured = new FakeServer();
-    registerHandlers(
-      unconfigured as never,
-      makeDeps({ isConfigured: () => false }),
-    );
-
-    const result = await unconfigured.call<{
-      content: Array<{ type: string; text: string }>;
-      isError?: boolean;
-    }>(CallToolRequestSchema, {
-      method: "tools/call",
-      params: { name: "harmony_get_context", arguments: {} },
-    });
-
-    expect(result.isError).toBe(true);
-    expect(result.content[0].text).toContain("Not configured");
-  });
-});
-
-// ── Resources ────────────────────────────────────────────────────────────
-
-describe("registerHandlers — Resources", () => {
-  let server: FakeServer;
-
-  beforeAll(() => {
-    server = new FakeServer();
-    registerHandlers(server as never, makeDeps());
-  });
-
-  test("ListResources mirrors the static RESOURCES array", async () => {
-    const result = await server.call<{ resources: typeof RESOURCES }>(
-      ListResourcesRequestSchema,
-      { method: "resources/list" },
-    );
-    expect(result.resources).toEqual(RESOURCES);
-  });
-
-  test("ReadResource serves harmony://context as JSON", async () => {
-    const result = await server.call<{
-      contents: Array<{ uri: string; mimeType: string; text: string }>;
-    }>(ReadResourceRequestSchema, {
-      method: "resources/read",
-      params: { uri: "harmony://context" },
-    });
-
-    expect(result.contents[0].uri).toBe("harmony://context");
-    expect(result.contents[0].mimeType).toBe("application/json");
-    const parsed = JSON.parse(result.contents[0].text);
-    expect(parsed).toHaveProperty("configured");
-    expect(parsed).toHaveProperty("activeWorkspaceId");
-    expect(parsed).toHaveProperty("activeProjectId");
-  });
-
-  test("ReadResource on unknown URI throws", async () => {
-    await expect(
-      server.call(ReadResourceRequestSchema, {
-        method: "resources/read",
-        params: { uri: "harmony://nope" },
-      }),
-    ).rejects.toThrow(/Unknown resource/);
-  });
-});