@kya-os/mcp-i-core 1.2.3-canary.7 → 1.3.0

package/src/__tests__/regression/phase2-regression.test.ts

@@ -0,0 +1,427 @@
+/**
+ * Phase 2 Regression Tests
+ *
+ * Ensures Phase 2 (Dynamic Providers) changes don't break existing functionality.
+ * Tests backward compatibility and verifies no regressions.
+ *
+ * @package @kya-os/mcp-i-core
+ */
+
+import { describe, it, expect, beforeEach, vi } from "vitest";
+import { ToolProtectionService } from "../../services/tool-protection.service";
+import { ProviderResolver } from "../../services/provider-resolver";
+import { OAuthProviderRegistry } from "../../services/oauth-provider-registry";
+import { OAuthConfigService } from "../../services/oauth-config.service";
+import { BatchDelegationService } from "../../services/batch-delegation.service";
+import {
+  InMemoryToolProtectionCache,
+  type ToolProtectionCache,
+} from "../../cache/tool-protection-cache";
+import type {
+  ToolProtectionServiceConfig,
+  ToolProtectionConfig,
+} from "../../types/tool-protection";
+import type { ToolProtection } from "@kya-os/contracts/tool-protection";
+import type { OAuthConfig } from "@kya-os/contracts/config";
+
+// Mock global fetch
+global.fetch = vi.fn();
+
+describe("Phase 2 Regression Tests", () => {
+  let cache: ToolProtectionCache;
+  let config: ToolProtectionServiceConfig;
+  const mockAgentDid = "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK";
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    cache = new InMemoryToolProtectionCache();
+    config = {
+      apiUrl: "https://kya.vouched.id",
+      apiKey: "test-api-key-12345",
+      cacheTtl: 300000,
+      debug: false,
+    };
+  });
+
+  describe("Backward Compatibility", () => {
+    describe("Phase 1 tools (no oauthProvider)", () => {
+      it("should work with Phase 1 tools that don't specify oauthProvider", async () => {
+        const service = new ToolProtectionService(config, cache);
+
+        const apiResponse = {
+          success: true,
+          data: {
+            toolProtections: {
+              phase1_tool: {
+                requiresDelegation: true,
+                requiredScopes: ["repo:read"],
+                // No oauthProvider field (Phase 1 compatibility)
+              },
+            },
+          },
+          metadata: {},
+        };
+
+        (global.fetch as any).mockResolvedValueOnce({
+          ok: true,
+          json: async () => apiResponse,
+        });
+
+        const result = await service.getToolProtectionConfig(mockAgentDid);
+
+        expect(result.toolProtections.phase1_tool.requiresDelegation).toBe(true);
+        expect(result.toolProtections.phase1_tool.requiredScopes).toEqual([
+          "repo:read",
+        ]);
+        // Should not have oauthProvider field
+        expect(result.toolProtections.phase1_tool).not.toHaveProperty(
+          "oauthProvider"
+        );
+      });
+
+      it("should work with ProviderResolver fallback for Phase 1 tools", async () => {
+        const mockConfigService: OAuthConfigService = {
+          getOAuthConfig: vi.fn().mockResolvedValue({
+            providers: {
+              github: {
+                clientId: "github_client_id",
+                authorizationUrl: "https://github.com/login/oauth/authorize",
+                tokenUrl: "https://github.com/login/oauth/access_token",
+                supportsPKCE: true,
+                requiresClientSecret: false,
+              },
+            },
+          }),
+        } as any;
+
+        const mockRegistry = {
+          hasProvider: vi.fn().mockReturnValue(false),
+          getAllProviders: vi.fn().mockReturnValue([
+            { clientId: "github_client_id" },
+          ]),
+          getProviderNames: vi.fn().mockReturnValue(["github"]),
+          loadFromAgentShield: vi.fn().mockResolvedValue(undefined),
+        } as any;
+
+        const resolver = new ProviderResolver(mockRegistry, mockConfigService);
+
+        const toolProtection: ToolProtection = {
+          requiresDelegation: true,
+          requiredScopes: ["custom:scope"],
+          // No oauthProvider - should use fallback
+        };
+
+        const consoleSpy = vi
+          .spyOn(console, "warn")
+          .mockImplementation(() => {});
+
+        const provider = await resolver.resolveProvider(
+          toolProtection,
+          "test-project"
+        );
+
+        expect(provider).toBe("github");
+        expect(consoleSpy).toHaveBeenCalledWith(
+          expect.stringContaining("deprecated")
+        );
+
+        consoleSpy.mockRestore();
+      });
+    });
+
+    describe("Old API endpoint format", () => {
+      it("should still support old endpoint format (tools array)", async () => {
+        const service = new ToolProtectionService(config, cache);
+
+        const apiResponse = {
+          success: true,
+          data: {
+            tools: [
+              {
+                name: "old_tool",
+                requiresDelegation: true,
+                scopes: ["scope1"],
+              },
+            ],
+          },
+          metadata: {},
+        };
+
+        (global.fetch as any).mockResolvedValueOnce({
+          ok: true,
+          json: async () => apiResponse,
+        });
+
+        const result = await service.getToolProtectionConfig(mockAgentDid);
+
+        expect(result.toolProtections.old_tool).toBeDefined();
+        expect(result.toolProtections.old_tool.requiresDelegation).toBe(true);
+      });
+
+      it("should still support old endpoint format (tools object)", async () => {
+        const service = new ToolProtectionService(config, cache);
+
+        const apiResponse = {
+          success: true,
+          data: {
+            tools: {
+              old_tool: {
+                requiresDelegation: true,
+                scopes: ["scope1"],
+              },
+            },
+          },
+          metadata: {},
+        };
+
+        (global.fetch as any).mockResolvedValueOnce({
+          ok: true,
+          json: async () => apiResponse,
+        });
+
+        const result = await service.getToolProtectionConfig(mockAgentDid);
+
+        expect(result.toolProtections.old_tool).toBeDefined();
+        expect(result.toolProtections.old_tool.requiresDelegation).toBe(true);
+      });
+    });
+
+    describe("snake_case field names", () => {
+      it("should still support snake_case field names", async () => {
+        const projectId = "test-project-123";
+        config.projectId = projectId;
+        const service = new ToolProtectionService(config, cache);
+
+        const apiResponse = {
+          success: true,
+          data: {
+            toolProtections: {
+              tool_with_snake_case: {
+                requires_delegation: true,
+                required_scopes: ["scope1"],
+                oauth_provider: "github", // snake_case
+              },
+            },
+          },
+          metadata: {},
+        };
+
+        (global.fetch as any).mockResolvedValueOnce({
+          ok: true,
+          json: async () => apiResponse,
+        });
+
+        const result = await service.getToolProtectionConfig(mockAgentDid);
+
+        expect(result.toolProtections.tool_with_snake_case.requiresDelegation).toBe(
+          true
+        );
+        expect(result.toolProtections.tool_with_snake_case.requiredScopes).toEqual([
+          "scope1",
+        ]);
+        expect(result.toolProtections.tool_with_snake_case.oauthProvider).toBe(
+          "github"
+        );
+      });
+    });
+  });
+
+  describe("No Regressions", () => {
+    describe("Phase 1 OAuth flow", () => {
+      it("should still work with Phase 1 OAuth flow (no oauthProvider)", async () => {
+        const mockConfigService: OAuthConfigService = {
+          getOAuthConfig: vi.fn().mockResolvedValue({
+            providers: {
+              github: {
+                clientId: "github_client_id",
+                authorizationUrl: "https://github.com/login/oauth/authorize",
+                tokenUrl: "https://github.com/login/oauth/access_token",
+                supportsPKCE: true,
+                requiresClientSecret: false,
+              },
+            },
+          }),
+        } as any;
+
+        const mockRegistry = {
+          hasProvider: vi.fn().mockReturnValue(false),
+          getAllProviders: vi.fn().mockReturnValue([
+            { clientId: "github_client_id" },
+          ]),
+          getProviderNames: vi.fn().mockReturnValue(["github"]),
+          loadFromAgentShield: vi.fn().mockResolvedValue(undefined),
+        } as any;
+
+        const resolver = new ProviderResolver(mockRegistry, mockConfigService);
+
+        const toolProtection: ToolProtection = {
+          requiresDelegation: true,
+          requiredScopes: ["repo:read"],
+          // No oauthProvider - Phase 1 mode
+        };
+
+        const provider = await resolver.resolveProvider(
+          toolProtection,
+          "test-project"
+        );
+
+        // Should fallback to first configured provider
+        expect(provider).toBe("github");
+      });
+    });
+
+    describe("Token resolution", () => {
+      it("should still work with token resolution (Phase 1 compatibility)", async () => {
+        // This test verifies that token resolution infrastructure still works
+        // The actual token resolution is tested in Phase 1 E2E tests
+        // This is a placeholder to ensure Phase 2 doesn't break the flow
+
+        const toolProtection: ToolProtection = {
+          requiresDelegation: true,
+          requiredScopes: ["repo:read"],
+          // No oauthProvider - should still work
+        };
+
+        // Verify tool protection structure is valid
+        expect(toolProtection.requiresDelegation).toBe(true);
+        expect(toolProtection.requiredScopes).toEqual(["repo:read"]);
+        // oauthProvider is optional
+        expect(toolProtection.oauthProvider).toBeUndefined();
+      });
+    });
+
+    describe("Tool context building", () => {
+      it("should still work with tool context building (Phase 1 compatibility)", async () => {
+        // This test verifies that tool context building infrastructure still works
+        // The actual context building is tested in Phase 1 E2E tests
+        // This is a placeholder to ensure Phase 2 doesn't break the flow
+
+        const toolProtection: ToolProtection = {
+          requiresDelegation: true,
+          requiredScopes: ["repo:read"],
+          // No oauthProvider - should still work
+        };
+
+        // Verify tool protection can be used for context building
+        expect(toolProtection.requiredScopes).toBeDefined();
+        expect(Array.isArray(toolProtection.requiredScopes)).toBe(true);
+      });
+    });
+
+    describe("Consent page rendering", () => {
+      it("should render consent page without provider badge (Phase 1 mode)", () => {
+        // This test verifies that consent page can render without provider badge
+        // The actual rendering is tested in E2E tests
+        // This is a placeholder to ensure Phase 2 doesn't break Phase 1 rendering
+
+        const toolProtection: ToolProtection = {
+          requiresDelegation: true,
+          requiredScopes: ["repo:read"],
+          // No oauthProvider - Phase 1 mode
+        };
+
+        // Verify tool protection structure allows consent page rendering
+        expect(toolProtection.requiresDelegation).toBe(true);
+        expect(toolProtection.requiredScopes.length).toBeGreaterThan(0);
+      });
+    });
+  });
+
+  describe("Mixed Phase 1 and Phase 2 tools", () => {
+    it("should handle mix of Phase 1 and Phase 2 tools in same project", async () => {
+      const projectId = "test-project-123";
+      config.projectId = projectId;
+      const service = new ToolProtectionService(config, cache);
+
+      const apiResponse = {
+        success: true,
+        data: {
+          toolProtections: {
+            phase1_tool: {
+              requiresDelegation: true,
+              requiredScopes: ["repo:read"],
+              // No oauthProvider (Phase 1)
+            },
+            phase2_tool: {
+              requiresDelegation: true,
+              requiredScopes: ["gmail:send"],
+              oauthProvider: "google", // Phase 2
+            },
+          },
+        },
+        metadata: {},
+      };
+
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        json: async () => apiResponse,
+      });
+
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+
+      // Phase 1 tool should not have oauthProvider
+      expect(result.toolProtections.phase1_tool).not.toHaveProperty(
+        "oauthProvider"
+      );
+
+      // Phase 2 tool should have oauthProvider
+      expect(result.toolProtections.phase2_tool.oauthProvider).toBe("google");
+    });
+  });
+
+  describe("Cache compatibility", () => {
+    it("should handle cached Phase 1 configs correctly", async () => {
+      const projectId = "test-project-123";
+      config.projectId = projectId;
+      const service = new ToolProtectionService(config, cache);
+
+      // Cache Phase 1 config (no oauthProvider)
+      const cachedConfig: ToolProtectionConfig = {
+        toolProtections: {
+          phase1_tool: {
+            requiresDelegation: true,
+            requiredScopes: ["repo:read"],
+            // No oauthProvider
+          },
+        },
+      };
+
+      const cacheKey = `config:tool-protections:${projectId}`;
+      await cache.set(cacheKey, cachedConfig, 300000);
+
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+
+      expect(result.toolProtections.phase1_tool.requiresDelegation).toBe(true);
+      expect(result.toolProtections.phase1_tool).not.toHaveProperty(
+        "oauthProvider"
+      );
+      expect(global.fetch).not.toHaveBeenCalled();
+    });
+
+    it("should handle cached Phase 2 configs correctly", async () => {
+      const projectId = "test-project-123";
+      config.projectId = projectId;
+      const service = new ToolProtectionService(config, cache);
+
+      // Cache Phase 2 config (with oauthProvider)
+      const cachedConfig: ToolProtectionConfig = {
+        toolProtections: {
+          phase2_tool: {
+            requiresDelegation: true,
+            requiredScopes: ["repo:read"],
+            oauthProvider: "github",
+          },
+        },
+      };
+
+      const cacheKey = `config:tool-protections:${projectId}`;
+      await cache.set(cacheKey, cachedConfig, 300000);
+
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+
+      expect(result.toolProtections.phase2_tool.oauthProvider).toBe("github");
+      expect(global.fetch).not.toHaveBeenCalled();
+    });
+  });
+});
+

package/src/__tests__/runtime/audit-logger.test.ts

@@ -0,0 +1,154 @@
+/**
+ * IAuditLogger Interface Tests
+ *
+ * Tests for the IAuditLogger interface contract validation
+ * and type compatibility checks.
+ */
+
+import { describe, it, expect } from "vitest";
+import type { IAuditLogger } from "../../runtime/audit-logger.js";
+import type { AuditContext, AuditEventContext } from "@kya-os/contracts/audit";
+
+/**
+ * Mock implementation of IAuditLogger for testing
+ */
+class MockAuditLogger implements IAuditLogger {
+  public logAuditRecordCalls: AuditContext[] = [];
+  public logEventCalls: AuditEventContext[] = [];
+
+  async logAuditRecord(context: AuditContext): Promise<void> {
+    this.logAuditRecordCalls.push(context);
+  }
+
+  async logEvent(context: AuditEventContext): Promise<void> {
+    this.logEventCalls.push(context);
+  }
+}
+
+describe("IAuditLogger Interface", () => {
+  describe("Interface contract validation", () => {
+    it("should require logAuditRecord method", () => {
+      const logger: IAuditLogger = new MockAuditLogger();
+      expect(typeof logger.logAuditRecord).toBe("function");
+    });
+
+    it("should require logEvent method", () => {
+      const logger: IAuditLogger = new MockAuditLogger();
+      expect(typeof logger.logEvent).toBe("function");
+    });
+
+    it("should accept AuditContext for logAuditRecord", async () => {
+      const logger = new MockAuditLogger();
+      const context: AuditContext = {
+        identity: {
+          did: "did:key:test",
+          kid: "key-123",
+        } as any,
+        session: {
+          sessionId: "session-123",
+          audience: "example.com",
+        } as any,
+        requestHash: "sha256:abc",
+        responseHash: "sha256:def",
+        verified: "yes",
+        scopeId: "test:execute",
+      };
+
+      await logger.logAuditRecord(context);
+      expect(logger.logAuditRecordCalls).toHaveLength(1);
+      expect(logger.logAuditRecordCalls[0]).toEqual(context);
+    });
+
+    it("should accept AuditEventContext for logEvent", async () => {
+      const logger = new MockAuditLogger();
+      const context: AuditEventContext = {
+        eventType: "consent:approved",
+        identity: {
+          did: "did:key:test",
+          kid: "key-123",
+        } as any,
+        session: {
+          sessionId: "session-123",
+          audience: "example.com",
+        } as any,
+        eventData: { tool: "test-tool" },
+      };
+
+      await logger.logEvent(context);
+      expect(logger.logEventCalls).toHaveLength(1);
+      expect(logger.logEventCalls[0]).toEqual(context);
+    });
+  });
+
+  describe("Type compatibility checks", () => {
+    it("should be compatible with implementations that return Promise<void>", async () => {
+      const logger: IAuditLogger = new MockAuditLogger();
+      const context: AuditContext = {
+        identity: { did: "did:key:test", kid: "key-123" } as any,
+        session: { sessionId: "session-123", audience: "example.com" } as any,
+        requestHash: "sha256:abc",
+        responseHash: "sha256:def",
+        verified: "yes",
+      };
+
+      const result = await logger.logAuditRecord(context);
+      expect(result).toBeUndefined(); // Should return void
+    });
+
+    it("should accept optional scopeId in AuditContext", async () => {
+      const logger = new MockAuditLogger();
+      const contextWithoutScope: AuditContext = {
+        identity: { did: "did:key:test", kid: "key-123" } as any,
+        session: { sessionId: "session-123", audience: "example.com" } as any,
+        requestHash: "sha256:abc",
+        responseHash: "sha256:def",
+        verified: "yes",
+        // scopeId is optional
+      };
+
+      await expect(
+        logger.logAuditRecord(contextWithoutScope)
+      ).resolves.not.toThrow();
+    });
+
+    it("should accept optional eventData in AuditEventContext", async () => {
+      const logger = new MockAuditLogger();
+      const contextWithoutData: AuditEventContext = {
+        eventType: "test:event",
+        identity: { did: "did:key:test", kid: "key-123" } as any,
+        session: { sessionId: "session-123", audience: "example.com" } as any,
+        // eventData is optional
+      };
+
+      await expect(logger.logEvent(contextWithoutData)).resolves.not.toThrow();
+    });
+  });
+
+  describe("Verify both methods are required", () => {
+    it("should fail type check if logAuditRecord is missing", () => {
+      // This test documents that TypeScript will catch missing methods
+      // In practice, this would be a compile-time error
+      class IncompleteLogger implements Partial<IAuditLogger> {
+        async logEvent(_context: AuditEventContext): Promise<void> {
+          // Missing logAuditRecord
+        }
+      }
+
+      // TypeScript would error: Property 'logAuditRecord' is missing
+      // This test verifies the interface contract is enforced
+      expect(true).toBe(true); // Placeholder - actual check is compile-time
+    });
+
+    it("should fail type check if logEvent is missing", () => {
+      // This test documents that TypeScript will catch missing methods
+      class IncompleteLogger implements Partial<IAuditLogger> {
+        async logAuditRecord(_context: AuditContext): Promise<void> {
+          // Missing logEvent
+        }
+      }
+
+      // TypeScript would error: Property 'logEvent' is missing
+      expect(true).toBe(true); // Placeholder - actual check is compile-time
+    });
+  });
+});