@kya-os/create-mcpi-app 1.7.38-canary.2 → 1.7.38

package/test-cloudflare/tests/cors-security.test.ts

@@ -1,349 +0,0 @@
-import { describe, test, expect, beforeEach } from 'vitest';
-
-/**
- * CORS Security Tests
- * Tests that CORS is properly configured to prevent unauthorized access
- */
-describe('CORS Security Configuration', () => {
-
-  /**
-   * Mock CORS middleware logic from the scaffolder
-   * This replicates the CORS configuration in the generated code
-   */
-  function getCorsOrigin(requestOrigin: string | null, env: any): string | null {
-    // Handle undefined env
-    const safeEnv = env || {};
-
-    // Get allowed origins, filtering out empty strings
-    let allowedOrigins = safeEnv.ALLOWED_ORIGINS?.split(',').map((o: string) => o.trim()).filter((o: string) => o.length > 0);
-
-    // If no valid origins, use defaults
-    if (!allowedOrigins || allowedOrigins.length === 0) {
-      allowedOrigins = [
-        'https://claude.ai',
-        'https://app.anthropic.com'
-      ];
-    }
-
-    // Add localhost for development if not in production
-    if (safeEnv.MCPI_ENV !== 'production' && !allowedOrigins.includes('http://localhost:3000')) {
-      allowedOrigins.push('http://localhost:3000');
-    }
-
-    const origin = requestOrigin || '';
-    const isAllowed = allowedOrigins.includes(origin);
-
-    return isAllowed ? origin : allowedOrigins[0];
-  }
-
-  describe('Default Configuration', () => {
-    const defaultEnv = {};
-
-    test('should allow Claude.ai by default', () => {
-      const origin = 'https://claude.ai';
-      const result = getCorsOrigin(origin, defaultEnv);
-
-      expect(result).toBe(origin);
-    });
-
-    test('should allow Anthropic app by default', () => {
-      const origin = 'https://app.anthropic.com';
-      const result = getCorsOrigin(origin, defaultEnv);
-
-      expect(result).toBe(origin);
-    });
-
-    test('should reject random origins', () => {
-      const origin = 'https://evil.com';
-      const result = getCorsOrigin(origin, defaultEnv);
-
-      // Should default to first allowed origin
-      expect(result).toBe('https://claude.ai');
-      expect(result).not.toBe(origin);
-    });
-
-    test('should reject null origin', () => {
-      const result = getCorsOrigin(null, defaultEnv);
-
-      expect(result).toBe('https://claude.ai');
-    });
-
-    test('should reject empty string origin', () => {
-      const result = getCorsOrigin('', defaultEnv);
-
-      expect(result).toBe('https://claude.ai');
-    });
-  });
-
-  describe('Development Mode', () => {
-    const devEnv = {
-      MCPI_ENV: 'development'
-    };
-
-    test('should allow localhost:3000 in development', () => {
-      const origin = 'http://localhost:3000';
-      const result = getCorsOrigin(origin, devEnv);
-
-      expect(result).toBe(origin);
-    });
-
-    test('should still allow Claude.ai in development', () => {
-      const origin = 'https://claude.ai';
-      const result = getCorsOrigin(origin, devEnv);
-
-      expect(result).toBe(origin);
-    });
-
-    test('should not allow other localhost ports', () => {
-      const origin = 'http://localhost:8080';
-      const result = getCorsOrigin(origin, devEnv);
-
-      expect(result).toBe('https://claude.ai');
-      expect(result).not.toBe(origin);
-    });
-
-    test('should reject other local domains', () => {
-      const origin = 'http://127.0.0.1:3000';
-      const result = getCorsOrigin(origin, devEnv);
-
-      expect(result).toBe('https://claude.ai');
-      expect(result).not.toBe(origin);
-    });
-  });
-
-  describe('Production Mode', () => {
-    const prodEnv = {
-      MCPI_ENV: 'production'
-    };
-
-    test('should NOT allow localhost in production', () => {
-      const origin = 'http://localhost:3000';
-      const result = getCorsOrigin(origin, prodEnv);
-
-      expect(result).toBe('https://claude.ai');
-      expect(result).not.toBe(origin);
-    });
-
-    test('should still allow Claude.ai in production', () => {
-      const origin = 'https://claude.ai';
-      const result = getCorsOrigin(origin, prodEnv);
-
-      expect(result).toBe(origin);
-    });
-
-    test('should enforce HTTPS in production', () => {
-      const httpOrigin = 'http://claude.ai';
-      const result = getCorsOrigin(httpOrigin, prodEnv);
-
-      // Should not match (HTTP vs HTTPS)
-      expect(result).toBe('https://claude.ai');
-      expect(result).not.toBe(httpOrigin);
-    });
-  });
-
-  describe('Custom Allowed Origins', () => {
-    const customEnv = {
-      ALLOWED_ORIGINS: 'https://my-app.com,https://staging.my-app.com',
-      MCPI_ENV: 'production'
-    };
-
-    test('should respect custom origins configuration', () => {
-      const origin = 'https://my-app.com';
-      const result = getCorsOrigin(origin, customEnv);
-
-      expect(result).toBe(origin);
-    });
-
-    test('should allow multiple custom origins', () => {
-      const origin1 = 'https://my-app.com';
-      const origin2 = 'https://staging.my-app.com';
-
-      const result1 = getCorsOrigin(origin1, customEnv);
-      const result2 = getCorsOrigin(origin2, customEnv);
-
-      expect(result1).toBe(origin1);
-      expect(result2).toBe(origin2);
-    });
-
-    test('should not allow default origins when custom ones set', () => {
-      const origin = 'https://claude.ai';
-      const result = getCorsOrigin(origin, customEnv);
-
-      // Should default to first custom origin
-      expect(result).toBe('https://my-app.com');
-      expect(result).not.toBe(origin);
-    });
-
-    test('should handle whitespace in origin list', () => {
-      const envWithSpaces = {
-        ALLOWED_ORIGINS: ' https://app1.com , https://app2.com ',
-        MCPI_ENV: 'production'
-      };
-
-      const origin = 'https://app1.com';
-      const result = getCorsOrigin(origin, envWithSpaces);
-
-      expect(result).toBe(origin);
-    });
-  });
-
-  describe('Security Attack Vectors', () => {
-    const prodEnv = {
-      MCPI_ENV: 'production'
-    };
-
-    test('should prevent subdomain attacks', () => {
-      const origin = 'https://evil.claude.ai';
-      const result = getCorsOrigin(origin, prodEnv);
-
-      expect(result).toBe('https://claude.ai');
-      expect(result).not.toBe(origin);
-    });
-
-    test('should prevent similar domain attacks', () => {
-      const origin = 'https://claude-ai.com';
-      const result = getCorsOrigin(origin, prodEnv);
-
-      expect(result).toBe('https://claude.ai');
-      expect(result).not.toBe(origin);
-    });
-
-    test('should prevent protocol downgrade attacks', () => {
-      const origin = 'http://app.anthropic.com';
-      const result = getCorsOrigin(origin, prodEnv);
-
-      expect(result).toBe('https://claude.ai');
-      expect(result).not.toBe(origin);
-    });
-
-    test('should prevent port-based attacks', () => {
-      const origin = 'https://claude.ai:8080';
-      const result = getCorsOrigin(origin, prodEnv);
-
-      expect(result).toBe('https://claude.ai');
-      expect(result).not.toBe(origin);
-    });
-
-    test('should handle malformed origins safely', () => {
-      const malformedOrigins = [
-        'javascript:alert(1)',
-        'data:text/html,<script>alert(1)</script>',
-        '../../../etc/passwd',
-        'https://',
-        '//evil.com',
-        'https:claude.ai'
-      ];
-
-      for (const origin of malformedOrigins) {
-        const result = getCorsOrigin(origin, prodEnv);
-        expect(result).toBe('https://claude.ai');
-        expect(result).not.toBe(origin);
-      }
-    });
-
-    test('should prevent wildcard bypass attempts', () => {
-      const wildcardEnv = {
-        ALLOWED_ORIGINS: '*',
-        MCPI_ENV: 'production'
-      };
-
-      // Even if someone sets wildcard, should not match all
-      const origin = 'https://evil.com';
-      const result = getCorsOrigin(origin, wildcardEnv);
-
-      // Wildcard as literal string won't match
-      expect(result).toBe('*'); // Defaults to first "allowed" origin
-      expect(result).not.toBe(origin);
-    });
-  });
-
-  describe('Edge Cases', () => {
-    test('should handle empty allowed origins list', () => {
-      const emptyEnv = {
-        ALLOWED_ORIGINS: '',
-        MCPI_ENV: 'production'
-      };
-
-      const origin = 'https://claude.ai';
-      const result = getCorsOrigin(origin, emptyEnv);
-
-      // Should fall back to defaults
-      expect(result).toBe(origin);
-    });
-
-    test('should handle undefined environment', () => {
-      const origin = 'https://claude.ai';
-      const result = getCorsOrigin(origin, undefined);
-
-      // Should use defaults
-      expect(result).toBe(origin);
-    });
-
-    test('should handle very long origin lists', () => {
-      const longList = Array(100)
-        .fill(0)
-        .map((_, i) => `https://app${i}.com`)
-        .join(',');
-
-      const env = {
-        ALLOWED_ORIGINS: longList,
-        MCPI_ENV: 'production'
-      };
-
-      const origin = 'https://app50.com';
-      const result = getCorsOrigin(origin, env);
-
-      expect(result).toBe(origin);
-    });
-
-    test('should be case-sensitive for origins', () => {
-      const env = {
-        ALLOWED_ORIGINS: 'https://MyApp.com',
-        MCPI_ENV: 'production'
-      };
-
-      const lowerOrigin = 'https://myapp.com';
-      const correctOrigin = 'https://MyApp.com';
-
-      const result1 = getCorsOrigin(lowerOrigin, env);
-      const result2 = getCorsOrigin(correctOrigin, env);
-
-      expect(result1).toBe('https://MyApp.com'); // Default
-      expect(result2).toBe(correctOrigin); // Match
-    });
-  });
-
-  describe('Headers Configuration', () => {
-    test('should include MCP protocol headers', () => {
-      // These headers should be allowed
-      const expectedHeaders = [
-        'Content-Type',
-        'Authorization',
-        'mcp-session-id',
-        'Mcp-Session-Id',
-        'mcp-protocol-version'
-      ];
-
-      // Test configuration includes all required headers
-      expect(expectedHeaders).toContain('mcp-session-id');
-      expect(expectedHeaders).toContain('Mcp-Session-Id');
-    });
-
-    test('should expose session headers', () => {
-      // These headers should be exposed to client
-      const exposedHeaders = [
-        'mcp-session-id',
-        'Mcp-Session-Id'
-      ];
-
-      expect(exposedHeaders).toContain('mcp-session-id');
-      expect(exposedHeaders).toContain('Mcp-Session-Id');
-    });
-
-    test('should enable credentials', () => {
-      // Credentials should be enabled for cookie/auth support
-      const credentialsEnabled = true;
-      expect(credentialsEnabled).toBe(true);
-    });
-  });
-});

package/test-cloudflare/tests/delegation.test.ts

@@ -1,335 +0,0 @@
-import { describe, test, expect, vi, beforeEach, afterEach } from 'vitest';
-
-/**
- * Delegation Management Tests
- * Tests the delegation verification, caching, and invalidation logic
- */
-describe('Delegation Management', () => {
-  // Mock KV namespaces
-  const mockDelegationStorage = {
-    get: vi.fn(),
-    put: vi.fn(),
-    delete: vi.fn(),
-    list: vi.fn()
-  };
-
-  const mockVerificationCache = {
-    get: vi.fn(),
-    put: vi.fn(),
-    delete: vi.fn()
-  };
-
-  const mockEnv = {
-    MCPIHOBBSMCP_DELEGATION_STORAGE: mockDelegationStorage,
-    TOOL_PROTECTION_KV: mockVerificationCache,
-    AGENTSHIELD_API_KEY: 'test-key',
-    AGENTSHIELD_API_URL: 'https://test.agentshield.ai'
-  };
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    // Reset mock return values
-    mockVerificationCache.get.mockReset();
-    mockDelegationStorage.get.mockReset();
-    // Reset fetch mock
-    global.fetch = vi.fn();
-  });
-
-  afterEach(() => {
-    vi.restoreAllMocks();
-  });
-
-  describe('Delegation Token Retrieval', () => {
-    test('should retrieve and verify token from session cache', async () => {
-      const sessionId = 'test-session-123';
-      const token = 'valid-delegation-token';
-
-      // Mock session cache hit
-      mockDelegationStorage.get.mockResolvedValueOnce(token);
-
-      // Mock verification cache miss then API success
-      mockVerificationCache.get.mockResolvedValueOnce(null);
-      global.fetch = vi.fn().mockResolvedValueOnce({
-        ok: true,
-        json: async () => ({ valid: true })
-      });
-
-      // Actually call the mock
-      await mockDelegationStorage.get(`session:${sessionId}`);
-
-      // Verify it was called
-      expect(mockDelegationStorage.get).toHaveBeenCalledWith(`session:${sessionId}`);
-    });
-
-    test('should fall back to agent DID when session cache misses', async () => {
-      const sessionId = 'test-session-456';
-      const agentDid = 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK';
-      const token = 'agent-delegation-token';
-
-      // Mock session cache miss
-      mockDelegationStorage.get.mockResolvedValueOnce(null);
-
-      // Mock agent cache hit
-      mockDelegationStorage.get.mockResolvedValueOnce(token);
-
-      // Mock successful verification
-      mockVerificationCache.get.mockResolvedValueOnce('1');
-
-      // Actually call the mocks
-      const sessionResult = await mockDelegationStorage.get(`session:${sessionId}`);
-      expect(sessionResult).toBeNull();
-
-      const agentKey = `agent:${agentDid}:delegation`;
-      const agentResult = await mockDelegationStorage.get(agentKey);
-      expect(agentResult).toBe(token);
-    });
-
-    test('should invalidate cache when token verification fails', async () => {
-      const sessionId = 'test-session-789';
-      const token = 'invalid-token';
-
-      // Mock cache hit with invalid token
-      mockDelegationStorage.get.mockResolvedValueOnce(token);
-
-      // Mock verification failure
-      mockVerificationCache.get.mockResolvedValueOnce(null);
-      global.fetch = vi.fn().mockResolvedValueOnce({
-        ok: false,
-        status: 401
-      });
-
-      // Simulate invalidation by calling delete
-      await mockDelegationStorage.delete(`session:${sessionId}`);
-      await mockVerificationCache.delete(`verified:${token.substring(0, 16)}`);
-
-      // Verify deletes were called
-      expect(mockDelegationStorage.delete).toHaveBeenCalled();
-      expect(mockVerificationCache.delete).toHaveBeenCalled();
-    });
-  });
-
-  describe('Delegation Verification', () => {
-    test('should use cached verification for 1 minute', async () => {
-      const token = 'cached-valid-token';
-
-      // Mock verification cache hit
-      mockVerificationCache.get.mockResolvedValueOnce('1');
-
-      // Actually call the mock
-      const cachedValue = await mockVerificationCache.get(`verified:${token.substring(0, 16)}`);
-
-      // Should get cached value and not call API
-      expect(cachedValue).toBe('1');
-      expect(global.fetch).not.toHaveBeenCalled();
-    });
-
-    test('should verify with AgentShield API when not cached', async () => {
-      const token = 'uncached-token';
-
-      // Mock cache miss
-      mockVerificationCache.get.mockResolvedValueOnce(null);
-
-      // Mock API success
-      global.fetch = vi.fn().mockResolvedValueOnce({
-        ok: true,
-        json: async () => ({ valid: true })
-      });
-
-      // Simulate the verification flow
-      const cached = await mockVerificationCache.get(`verified:${token.substring(0, 16)}`);
-      expect(cached).toBeNull();
-
-      // Call API
-      await global.fetch(
-        `${mockEnv.AGENTSHIELD_API_URL}/api/v1/bouncer/delegations/verify`,
-        {
-          method: 'POST',
-          headers: {
-            'Authorization': `Bearer ${mockEnv.AGENTSHIELD_API_KEY}`,
-            'Content-Type': 'application/json'
-          },
-          body: JSON.stringify({ token })
-        }
-      );
-
-      // Cache the result
-      await mockVerificationCache.put(
-        `verified:${token.substring(0, 16)}`,
-        '1',
-        { expirationTtl: 60 }
-      );
-
-      // Verify API was called
-      expect(global.fetch).toHaveBeenCalledWith(
-        `${mockEnv.AGENTSHIELD_API_URL}/api/v1/bouncer/delegations/verify`,
-        expect.objectContaining({
-          method: 'POST',
-          headers: expect.objectContaining({
-            'Authorization': `Bearer ${mockEnv.AGENTSHIELD_API_KEY}`
-          }),
-          body: JSON.stringify({ token })
-        })
-      );
-
-      // Verify cache was updated
-      expect(mockVerificationCache.put).toHaveBeenCalledWith(
-        expect.stringContaining('verified:'),
-        '1',
-        { expirationTtl: 60 }
-      );
-    });
-
-    test('should fail closed on API errors', async () => {
-      const token = 'error-token';
-
-      // Mock cache miss
-      mockVerificationCache.get.mockResolvedValueOnce(null);
-
-      // Mock API error
-      global.fetch = vi.fn().mockRejectedValueOnce(new Error('Network error'));
-
-      // Should return false on error
-      const isValid = false; // Would be result of verifyDelegationWithAgentShield
-      expect(isValid).toBe(false);
-    });
-
-    test('should allow delegation in dev without API key', async () => {
-      const token = 'dev-token';
-      const devEnv = { ...mockEnv, AGENTSHIELD_API_KEY: undefined };
-
-      // Should return true without API key (dev mode)
-      const isValid = true; // Would be result in dev mode
-      expect(isValid).toBe(true);
-      expect(global.fetch).not.toHaveBeenCalled();
-    });
-  });
-
-  describe('Cache TTL Security', () => {
-    test('should use 5-minute TTL for delegation cache, not 30 minutes', async () => {
-      const sessionId = 'ttl-test-session';
-      const token = 'ttl-test-token';
-
-      // Mock successful retrieval and re-cache
-      mockDelegationStorage.get.mockResolvedValueOnce(null); // Session miss
-      mockDelegationStorage.get.mockResolvedValueOnce(token); // Agent hit
-      mockVerificationCache.get.mockResolvedValueOnce('1'); // Verified
-
-      // Simulate caching with correct TTL
-      await mockDelegationStorage.put(
-        `session:${sessionId}`,
-        token,
-        { expirationTtl: 300 }
-      );
-
-      // Verify cache was called with 5-minute TTL
-      expect(mockDelegationStorage.put).toHaveBeenCalledWith(
-        `session:${sessionId}`,
-        token,
-        { expirationTtl: 300 } // 5 minutes, not 1800 (30 minutes)
-      );
-    });
-
-    test('should use 1-minute TTL for verification cache', async () => {
-      const token = 'verification-ttl-token';
-
-      // Mock verification success
-      mockVerificationCache.get.mockResolvedValueOnce(null);
-      global.fetch = vi.fn().mockResolvedValueOnce({
-        ok: true
-      });
-
-      // Simulate verification and caching
-      await mockVerificationCache.put(
-        `verified:${token.substring(0, 16)}`,
-        '1',
-        { expirationTtl: 60 }
-      );
-
-      // Verify cache was called with 1-minute TTL
-      expect(mockVerificationCache.put).toHaveBeenCalledWith(
-        expect.stringContaining('verified:'),
-        '1',
-        { expirationTtl: 60 } // 1 minute
-      );
-    });
-  });
-
-  describe('Cache Invalidation', () => {
-    test('should clear all caches when token is revoked', async () => {
-      const sessionId = 'revoked-session';
-      const agentDid = 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK';
-      const token = 'revoked-token';
-
-      // Call invalidateDelegationCache
-      const deletions = [
-        mockDelegationStorage.delete(`session:${sessionId}`),
-        mockDelegationStorage.delete(`agent:${agentDid}:delegation`),
-        mockVerificationCache.delete(`verified:${token.substring(0, 16)}`)
-      ];
-
-      await Promise.all(deletions);
-
-      // Verify all caches are cleared
-      expect(mockDelegationStorage.delete).toHaveBeenCalledTimes(2);
-      expect(mockVerificationCache.delete).toHaveBeenCalledTimes(1);
-    });
-
-    test('should handle concurrent verification requests', async () => {
-      const token = 'concurrent-token';
-
-      // Mock cache miss for all
-      mockVerificationCache.get.mockResolvedValue(null);
-
-      // Mock API success
-      let apiCallCount = 0;
-      global.fetch = vi.fn().mockImplementation(() => {
-        apiCallCount++;
-        return Promise.resolve({ ok: true });
-      });
-
-      // Simulate concurrent requests
-      const requests = Array(5).fill(null).map(() =>
-        // Would call verifyDelegationWithAgentShield(token)
-        Promise.resolve(true)
-      );
-
-      await Promise.all(requests);
-
-      // In real implementation with proper locking,
-      // should only call API once despite concurrent requests
-      // This is a simplified test - actual implementation would need
-      // request deduplication logic
-    });
-  });
-
-  describe('Race Condition Prevention', () => {
-    test('should handle session rotation gracefully', async () => {
-      const oldSessionId = 'old-session';
-      const newSessionId = 'new-session';
-      const agentDid = 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK';
-      const token = 'rotation-token';
-
-      // Old session has token
-      mockDelegationStorage.get
-        .mockResolvedValueOnce(token) // Old session hit
-        .mockResolvedValueOnce(null); // New session miss
-
-      // Should migrate token to new session
-      mockDelegationStorage.get.mockResolvedValueOnce(token); // Agent hit
-
-      // Simulate migration to new session
-      await mockDelegationStorage.put(
-        `session:${newSessionId}`,
-        token,
-        { expirationTtl: 300 }
-      );
-
-      // Verify token migrated to new session
-      expect(mockDelegationStorage.put).toHaveBeenCalledWith(
-        `session:${newSessionId}`,
-        token,
-        expect.any(Object)
-      );
-    });
-  });
-});