@kya-os/mcp-i-core 1.3.0 → 1.3.2

package/src/__tests__/services/cache-no-warming.test.ts

@@ -0,0 +1,177 @@
+/**
+ * Cache Invalidation: No Warming Test
+ *
+ * CRITICAL TEST: Proves that clearAndRefresh does NOT fetch immediately after clearing.
+ *
+ * Background:
+ * - In mcp-i-cloudflare@1.6.4+, cache warming was added as an "optimization"
+ * - The idea was to fetch fresh data immediately after clearing
+ * - BUT this backfired when upstream APIs (AgentShield) have CDN caching
+ * - The immediate fetch would get stale CDN data and store it in our cache
+ * - This defeated the purpose of cache invalidation
+ *
+ * Fix:
+ * - clearAndRefresh now just DELETES the cache entry
+ * - It does NOT fetch or warm the cache
+ * - The next actual tool call will fetch fresh data (with natural delay)
+ *
+ * This was the behavior in mcp-i-cloudflare@1.6.3 that worked perfectly.
+ */
+
+import { describe, it, expect, vi, beforeEach } from "vitest";
+import { ToolProtectionService } from "../../services/tool-protection.service.js";
+import { InMemoryToolProtectionCache } from "../../cache/tool-protection-cache.js";
+
+describe("Cache Invalidation - No Warming", () => {
+  let cache: InMemoryToolProtectionCache;
+  let service: ToolProtectionService;
+  let fetchSpy: ReturnType<typeof vi.fn>;
+
+  beforeEach(() => {
+    cache = new InMemoryToolProtectionCache();
+    fetchSpy = vi.fn();
+
+    service = new ToolProtectionService(
+      {
+        apiUrl: "https://test.agentshield.com",
+        apiKey: "test-key",
+        projectId: "test-project",
+        cacheTtl: 300000,
+        debug: true,
+      },
+      cache
+    );
+
+    // Spy on the internal fetch method
+    (service as any).fetchFromApi = fetchSpy;
+  });
+
+  it("clearAndRefresh should DELETE cache without fetching", async () => {
+    // Seed the cache with old data
+    const oldConfig = {
+      toolProtections: {
+        greet: { requiresDelegation: false, requiredScopes: ["greet:execute"] },
+      },
+    };
+    await cache.set("config:tool-protections:test-project", oldConfig, 300000);
+
+    // Clear the cache
+    const result = await service.clearAndRefresh("did:key:test-agent");
+
+    // CRITICAL: fetchFromApi should NOT have been called
+    expect(fetchSpy).not.toHaveBeenCalled();
+
+    // Result should indicate cache was cleared, not refreshed
+    expect(result.source).toBe("cleared");
+    expect(result.cacheKey).toBe("config:tool-protections:test-project");
+    expect(result.config.toolProtections).toEqual({});
+  });
+
+  it("cache should be empty after clearAndRefresh (no warming)", async () => {
+    // Seed the cache
+    const oldConfig = {
+      toolProtections: {
+        greet: { requiresDelegation: true, requiredScopes: ["greet:execute"] },
+      },
+    };
+    await cache.set("config:tool-protections:test-project", oldConfig, 300000);
+
+    // Verify it's cached
+    const beforeClear = await cache.get("config:tool-protections:test-project");
+    expect(beforeClear).not.toBeNull();
+    expect(beforeClear?.toolProtections.greet.requiresDelegation).toBe(true);
+
+    // Clear the cache
+    await service.clearAndRefresh("did:key:test-agent");
+
+    // Cache should be EMPTY (not warmed with new data)
+    const afterClear = await cache.get("config:tool-protections:test-project");
+    expect(afterClear).toBeNull();
+  });
+
+  it("next getToolProtectionConfig call should fetch fresh from API", async () => {
+    // Setup: Mock API to return DIFFERENT data than what was cached
+    const staleConfig = {
+      toolProtections: {
+        greet: { requiresDelegation: false, requiredScopes: [] },
+      },
+    };
+
+    // Seed cache with stale data
+    await cache.set(
+      "config:tool-protections:test-project",
+      staleConfig,
+      300000
+    );
+
+    // Mock API to return fresh data (requiresDelegation: TRUE)
+    fetchSpy.mockResolvedValueOnce({
+      data: {
+        toolProtections: {
+          greet: {
+            requiresDelegation: true,
+            requiredScopes: ["greet:execute"],
+          },
+        },
+      },
+    });
+
+    // Clear cache (should NOT fetch)
+    await service.clearAndRefresh("did:key:test-agent");
+    expect(fetchSpy).not.toHaveBeenCalled();
+
+    // Now get config - this SHOULD fetch from API
+    const result = await service.getToolProtectionConfig("did:key:test-agent");
+
+    // API should have been called now (cache was cleared, so it fetched)
+    expect(fetchSpy).toHaveBeenCalledTimes(1);
+
+    // Result should have fresh data from API (not stale cached data)
+    expect(result.toolProtections.greet.requiresDelegation).toBe(true);
+  });
+
+  it("proves stale CDN data issue is avoided", async () => {
+    /**
+     * This test proves why NO warming is better than warming.
+     *
+     * Scenario:
+     * 1. User toggles delegation ON in dashboard
+     * 2. AgentShield DB updates, but CDN still has old data (5 min TTL)
+     * 3. User triggers cache clear
+     *
+     * WITH warming (broken):
+     * - clearAndRefresh immediately fetches from API
+     * - API returns stale CDN data (requiresDelegation: false)
+     * - We store stale data in our cache
+     * - Tool call uses stale data = BUG
+     *
+     * WITHOUT warming (fixed):
+     * - clearAndRefresh just deletes cache
+     * - Next tool call fetches from API (some time later)
+     * - Better chance CDN has refreshed
+     * - Even if CDN still stale, user can retry after CDN TTL
+     */
+
+    // Simulate stale CDN response (old config before user toggled delegation)
+    const staleCdnResponse = {
+      data: {
+        toolProtections: {
+          greet: { requiresDelegation: false, requiredScopes: [] },
+        },
+      },
+    };
+
+    fetchSpy.mockResolvedValue(staleCdnResponse);
+
+    // Clear cache
+    await service.clearAndRefresh("did:key:test-agent");
+
+    // CRITICAL: We did NOT store the stale CDN data
+    // fetchSpy was NOT called during clearAndRefresh
+    expect(fetchSpy).not.toHaveBeenCalled();
+
+    // Cache is empty, not poisoned with stale data
+    const cached = await cache.get("config:tool-protections:test-project");
+    expect(cached).toBeNull();
+  });
+});

package/src/__tests__/services/provider-resolver-edge-cases.test.ts

@@ -57,12 +57,14 @@ describe("ProviderResolver - Edge Cases", () => {
     const getProviderNamesMock = vi.fn().mockReturnValue([]);
     const loadFromAgentShieldMock = vi.fn().mockResolvedValue(undefined);
     const hasProviderMock = vi.fn().mockReturnValue(false);
+    const getConfiguredProviderMock = vi.fn().mockReturnValue(null);
 
     mockRegistry = {
       hasProvider: hasProviderMock,
       getAllProviders: vi.fn().mockReturnValue([]),
       getProviderNames: getProviderNamesMock,
       loadFromAgentShield: loadFromAgentShieldMock,
+      getConfiguredProvider: getConfiguredProviderMock,
     } as any;
 
     resolver = new ProviderResolver(mockRegistry, mockConfigService);
@@ -154,19 +156,16 @@ describe("ProviderResolver - Edge Cases", () => {
         requiredScopes: [],
       };
 
-      // Should fall through to Priority 3
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "github_client_id" },
-      ]);
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github"]);
+      // Should fall through to Priority 3 (configuredProvider)
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
 
       const provider = await resolver.resolveProvider(
         toolProtection,
         "test-project"
       );
 
-      // Should use first configured provider (Priority 3)
+      // Should use configured provider (Priority 3)
       expect(provider).toBe("github");
     });
 
@@ -176,19 +175,16 @@ describe("ProviderResolver - Edge Cases", () => {
         requiredScopes: ["github:repo:read", "google:calendar:read"],
       };
 
-      // Ambiguous scopes should fall through to Priority 3
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "github_client_id" },
-      ]);
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github"]);
+      // Ambiguous scopes should fall through to Priority 3 (configuredProvider)
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
 
       const provider = await resolver.resolveProvider(
         toolProtection,
         "test-project"
       );
 
-      // Should use first configured provider (Priority 3)
+      // Should use configured provider (Priority 3)
       expect(provider).toBe("github");
     });
 
@@ -198,19 +194,16 @@ describe("ProviderResolver - Edge Cases", () => {
         requiredScopes: ["custom:unknown:scope"],
       };
 
-      // Unknown prefix should fall through to Priority 3
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "github_client_id" },
-      ]);
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github"]);
+      // Unknown prefix should fall through to Priority 3 (configuredProvider)
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
 
       const provider = await resolver.resolveProvider(
         toolProtection,
         "test-project"
       );
 
-      // Should use first configured provider (Priority 3)
+      // Should use configured provider (Priority 3)
       expect(provider).toBe("github");
     });
 
@@ -277,19 +270,16 @@ describe("ProviderResolver - Edge Cases", () => {
         requiredScopes: ["read", "write"], // No colons
       };
 
-      // Should fall through to Priority 3
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "github_client_id" },
-      ]);
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github"]);
+      // Should fall through to Priority 3 (configuredProvider)
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
 
       const provider = await resolver.resolveProvider(
         toolProtection,
         "test-project"
       );
 
-      // Should use first configured provider (Priority 3)
+      // Should use configured provider (Priority 3)
       expect(provider).toBe("github");
     });
 
@@ -299,90 +289,102 @@ describe("ProviderResolver - Edge Cases", () => {
         requiredScopes: ["github:repo:read"],
       };
 
-      // Inferred provider exists but not in registry
-      (mockRegistry.getProviderNames as any).mockReturnValue(["google"]); // Only google configured
-      (mockRegistry.hasProvider as any).mockReturnValue(false); // github not in registry
-
-      // Should fall through to Priority 3
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "google_client_id" },
-      ]);
+      // Inferred provider (github) exists but not in registry
+      // configuredProvider is google
       (mockRegistry.getProviderNames as any).mockReturnValue(["google"]);
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "google");
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("google");
 
       const provider = await resolver.resolveProvider(
         toolProtection,
         "test-project"
       );
 
-      // Should use first configured provider (Priority 3)
+      // Should use configured provider (Priority 3)
       expect(provider).toBe("google");
     });
   });
 
-  describe("Fallback behavior (Priority 3)", () => {
-    it("should log deprecation warning for Phase 1 fallback", async () => {
+  describe("Fallback behavior (Priority 3 - configuredProvider)", () => {
+    it("should log warning when using configuredProvider fallback", async () => {
       const toolProtection: ToolProtection = {
         requiresDelegation: true,
         requiredScopes: ["custom:scope"],
       };
 
-      (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getAllProviders as any).mockReturnValue([
-        { clientId: "github_client_id" },
-      ]);
-      (mockRegistry.getProviderNames as any).mockReturnValue(["github"]);
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
 
       const consoleSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
 
       await resolver.resolveProvider(toolProtection, "test-project");
 
       expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining("deprecated")
+        expect.stringContaining("project-configured provider")
       );
       expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining("first configured provider")
+        expect.stringContaining("github")
       );
 
       consoleSpy.mockRestore();
     });
 
-    it("should use first configured provider when oauthProvider not specified", async () => {
+    it("should use configuredProvider when oauthProvider not specified", async () => {
       const toolProtection: ToolProtection = {
         requiresDelegation: true,
         requiredScopes: ["custom:scope"],
       };
 
+      // Multiple providers available, but configuredProvider is google
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => 
+        name === "github" || name === "google"
+      );
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("google");
+
+      const provider = await resolver.resolveProvider(
+        toolProtection,
+        "test-project"
+      );
+
+      // Should use configuredProvider, not first alphabetically
+      expect(provider).toBe("google");
+    });
+
+    it("should NOT fall back to first provider alphabetically", async () => {
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["custom:scope"],
+      };
+
+      // Multiple providers in registry, but NO configuredProvider
       (mockRegistry.hasProvider as any).mockReturnValue(false);
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
       (mockRegistry.getAllProviders as any).mockReturnValue([
         { clientId: "github_client_id" },
         { clientId: "google_client_id" },
       ]);
       (mockRegistry.getProviderNames as any).mockReturnValue(["github", "google"]);
 
-      const provider = await resolver.resolveProvider(
-        toolProtection,
-        "test-project"
-      );
-
-      // Should use first provider
-      expect(provider).toBe("github");
+      // Should throw error, NOT pick first provider
+      await expect(
+        resolver.resolveProvider(toolProtection, "test-project")
+      ).rejects.toThrow(/no provider is configured/);
     });
   });
 
   describe("Error scenarios (Priority 4)", () => {
-    it("should throw error if no providers configured", async () => {
+    it("should throw error if no provider is configured", async () => {
       const toolProtection: ToolProtection = {
         requiresDelegation: true,
         requiredScopes: [],
       };
 
       (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getAllProviders as any).mockReturnValue([]);
-      (mockRegistry.getProviderNames as any).mockReturnValue([]);
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
 
       await expect(
         resolver.resolveProvider(toolProtection, "test-project")
-      ).rejects.toThrow(/no provider could be resolved/);
+      ).rejects.toThrow(/no provider is configured/);
     });
 
     it("should include project ID in error message", async () => {
@@ -392,8 +394,7 @@ describe("ProviderResolver - Edge Cases", () => {
       };
 
       (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getAllProviders as any).mockReturnValue([]);
-      (mockRegistry.getProviderNames as any).mockReturnValue([]);
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
 
       try {
         await resolver.resolveProvider(toolProtection, "test-project-123");
@@ -409,15 +410,14 @@ describe("ProviderResolver - Edge Cases", () => {
       };
 
       (mockRegistry.hasProvider as any).mockReturnValue(false);
-      (mockRegistry.getAllProviders as any).mockReturnValue([]);
-      (mockRegistry.getProviderNames as any).mockReturnValue([]);
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
 
       try {
         await resolver.resolveProvider(toolProtection, "test-project");
       } catch (error) {
         const message = (error as Error).message;
-        expect(message).toContain("oauthProvider");
-        expect(message).toContain("configure");
+        expect(message).toContain("AgentShield dashboard");
+        expect(message).toContain("Configure");
       }
     });
   });
@@ -483,5 +483,109 @@ describe("ProviderResolver - Edge Cases", () => {
       expect(provider).toBe("github");
     });
   });
+
+  describe("configuredProvider behavior (Priority 3)", () => {
+    it("should use configuredProvider when tool has no oauthProvider", async () => {
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["greet:execute"], // No scope inference match
+      };
+
+      // configuredProvider is github
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => name === "github");
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
+
+      const provider = await resolver.resolveProvider(
+        toolProtection,
+        "test-project"
+      );
+
+      expect(provider).toBe("github");
+      expect(mockRegistry.getConfiguredProvider).toHaveBeenCalled();
+    });
+
+    it("should throw when configuredProvider is null and tool needs OAuth", async () => {
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["greet:execute"],
+      };
+
+      // No configuredProvider set
+      (mockRegistry.hasProvider as any).mockReturnValue(false);
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
+
+      await expect(
+        resolver.resolveProvider(toolProtection, "test-project")
+      ).rejects.toThrow(/no provider is configured/);
+    });
+
+    it("should NOT use unconfigured providers as fallback", async () => {
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["greet:execute"],
+      };
+
+      // Registry has providers but configuredProvider is null
+      // This simulates AgentShield returning all providers but none configured
+      (mockRegistry.hasProvider as any).mockReturnValue(false);
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue(null);
+      (mockRegistry.getAllProviders as any).mockReturnValue([
+        { clientId: "github_client_id" },
+        { clientId: "google_client_id" },
+        { clientId: "microsoft_client_id" },
+      ]);
+      (mockRegistry.getProviderNames as any).mockReturnValue(["github", "google", "microsoft"]);
+
+      // Should NOT pick "github" alphabetically - should throw
+      await expect(
+        resolver.resolveProvider(toolProtection, "test-project")
+      ).rejects.toThrow(/no provider is configured/);
+    });
+
+    it("should prefer tool-specific oauthProvider over configuredProvider", async () => {
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: [],
+        oauthProvider: "google", // Tool specifies google
+      };
+
+      // configuredProvider is github, but tool wants google
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => 
+        name === "github" || name === "google"
+      );
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
+      (mockRegistry.getProviderNames as any).mockReturnValue(["github", "google"]);
+
+      const provider = await resolver.resolveProvider(
+        toolProtection,
+        "test-project"
+      );
+
+      // Priority 1 (tool-specific) should win over Priority 3 (configuredProvider)
+      expect(provider).toBe("google");
+    });
+
+    it("should prefer scope-inferred provider over configuredProvider", async () => {
+      const toolProtection: ToolProtection = {
+        requiresDelegation: true,
+        requiredScopes: ["google:calendar:read"], // Infers google
+      };
+
+      // configuredProvider is github, but scopes infer google
+      (mockRegistry.hasProvider as any).mockImplementation((name: string) => 
+        name === "github" || name === "google"
+      );
+      (mockRegistry.getConfiguredProvider as any).mockReturnValue("github");
+      (mockRegistry.getProviderNames as any).mockReturnValue(["github", "google"]);
+
+      const provider = await resolver.resolveProvider(
+        toolProtection,
+        "test-project"
+      );
+
+      // Priority 2 (scope inference) should win over Priority 3 (configuredProvider)
+      expect(provider).toBe("google");
+    });
+  });
 });
 

package/src/services/__tests__/provider-resolution.integration.test.ts

@@ -37,6 +37,8 @@ describe("Provider Resolution Integration", () => {
         requiresClientSecret: false,
       },
     },
+    // Explicitly configured provider (Priority 3 fallback)
+    configuredProvider: "github",
   };
 
   beforeEach(() => {
@@ -95,7 +97,7 @@ describe("Provider Resolution Integration", () => {
       consoleSpy.mockRestore();
     });
 
-    it("should fall back to first configured provider for Phase 1 compatibility", async () => {
+    it("should fall back to configuredProvider for Phase 1 compatibility", async () => {
       await providerRegistry.loadFromAgentShield("test-project");
 
       const toolProtection: ToolProtection = {
@@ -111,10 +113,10 @@ describe("Provider Resolution Integration", () => {
         "test-project"
       );
 
-      // Should use first configured provider (github)
+      // Should use configuredProvider (github)
       expect(provider).toBe("github");
       expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining("deprecated")
+        expect.stringContaining("project-configured provider")
       );
 
       consoleSpy.mockRestore();
@@ -157,9 +159,11 @@ describe("Provider Resolution Integration", () => {
         "test-project"
       );
 
-      // Should fall back to first provider
+      // Should fall back to configuredProvider
       expect(provider).toBe("github");
-      expect(consoleSpy).toHaveBeenCalled();
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining("project-configured provider")
+      );
 
       consoleSpy.mockRestore();
     });