@kya-os/mcp-i-core 1.3.10-canary.clientinfo.20251126124133 → 1.3.10

package/src/__tests__/integration/full-flow.test.ts

@@ -358,14 +358,20 @@ describe("Full Flow Integration", () => {
   });
 
   describe("AgentShield integration flow", () => {
-    test("should fetch tool protection config from AgentShield", async () => {
+    test("should fetch tool protection config from AgentShield merged config", async () => {
+      // Merged config format - tools embedded at config.toolProtection.tools
       const apiResponse = {
         success: true,
         data: {
-          toolProtections: {
-            protected_tool: {
-              requiresDelegation: true,
-              requiredScopes: ["scope1"],
+          config: {
+            toolProtection: {
+              source: 'agentshield',
+              tools: {
+                protected_tool: {
+                  requiresDelegation: true,
+                  requiredScopes: ["scope1"],
+                },
+              },
             },
           },
         },
@@ -384,22 +390,29 @@ describe("Full Flow Integration", () => {
       expect(config.toolProtections.protected_tool.requiresDelegation).toBe(
         true
       );
+      // Now calls /config endpoint (not /tool-protections)
       expect(global.fetch).toHaveBeenCalledWith(
         expect.stringContaining(
-          "/api/v1/bouncer/projects/test-project/tool-protections"
+          "/api/v1/bouncer/projects/test-project/config"
         ),
         expect.any(Object)
       );
     });
 
     test("should cache tool protection config", async () => {
+      // Merged config format - tools embedded at config.toolProtection.tools
       const apiResponse = {
         success: true,
         data: {
-          toolProtections: {
-            tool1: {
-              requiresDelegation: true,
-              requiredScopes: ["scope1"],
+          config: {
+            toolProtection: {
+              source: 'agentshield',
+              tools: {
+                tool1: {
+                  requiresDelegation: true,
+                  requiredScopes: ["scope1"],
+                },
+              },
             },
           },
         },

package/src/__tests__/runtime/base-extensions.test.ts

@@ -108,7 +108,8 @@ describe('MCPIRuntimeBase - Base Extensions', () => {
   });
 
   describe('handleHandshake with user DID generation', () => {
-    it('should generate user DID when enabled', async () => {
+    it('should start session as anonymous (Phase 5)', async () => {
+      // Phase 5: Sessions start anonymous - userDid is only set after OAuth
       const configWithUserDid = {
         ...config,
         identity: {
@@ -124,11 +125,16 @@ describe('MCPIRuntimeBase - Base Extensions', () => {
         audience: 'https://client.example.com'
       });
 
-      expect(response.userDid).toBeDefined();
-      expect(response.userDid).toMatch(/^did:key:z/);
+      // Phase 5: userDid is undefined in response - session is anonymous
+      expect(response.userDid).toBeUndefined();
+
+      // Check session's identityState
+      const session = await runtimeWithUserDid.getCurrentSession();
+      expect(session.identityState).toBe('anonymous');
     });
 
-    it('should use provided clientDid over generated userDid', async () => {
+    it('should use provided clientDid with anonymous session (Phase 5)', async () => {
+      // Phase 5: clientDid can be set while session stays anonymous (no userDid)
       const configWithUserDid = {
         ...config,
         identity: {
@@ -147,13 +153,10 @@ describe('MCPIRuntimeBase - Base Extensions', () => {
 
       const session = await runtimeWithUserDid.getCurrentSession();
       expect(session.clientDid).toBe('did:key:zprovided123');
-      
-      // When userDid generation is enabled, it should be generated even when clientDid is provided
-      // This is a critical assertion - if userDid is missing, the test should fail
-      expect(session.userDid).toBeDefined();
-      expect(session.userDid).toMatch(/^did:key:z/);
-      // userDid should be different from clientDid
-      expect(session.userDid).not.toBe(session.clientDid);
+
+      // Phase 5: userDid is undefined - session is anonymous until OAuth
+      expect(session.userDid).toBeUndefined();
+      expect(session.identityState).toBe('anonymous');
     });
 
     it('should handle user DID generation errors gracefully', async () => {
@@ -168,25 +171,24 @@ describe('MCPIRuntimeBase - Base Extensions', () => {
       const runtimeWithUserDid = new MCPIRuntimeBase(configWithUserDid);
       await runtimeWithUserDid.initialize();
 
-      // Mock userDidManager to throw error
+      // Phase 5: getOrCreateUserDid now returns null instead of generating ephemeral DIDs
+      // Sessions start anonymous - no userDid at handshake
       const userDidManager = (runtimeWithUserDid as any).userDidManager;
       const originalGetOrCreate = userDidManager.getOrCreateUserDid;
-      userDidManager.getOrCreateUserDid = vi.fn().mockRejectedValue(new Error('DID generation failed'));
-
-      const consoleWarnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      userDidManager.getOrCreateUserDid = vi.fn().mockResolvedValue(null);
 
       const response = await runtimeWithUserDid.handleHandshake({
         audience: 'https://client.example.com'
       });
 
-      // Should still succeed without userDid
+      // Should succeed with anonymous session (no userDid)
       expect(response.sessionId).toBeDefined();
-      expect(consoleWarnSpy).toHaveBeenCalledWith(
-        expect.stringContaining('[MCP-I] Failed to generate user DID'),
-        expect.any(Error)
-      );
 
-      consoleWarnSpy.mockRestore();
+      // Phase 5: Session should be anonymous without userDid
+      const session = await runtimeWithUserDid.getCurrentSession();
+      expect(session.userDid).toBeUndefined();
+      expect(session.identityState).toBe('anonymous');
+
       userDidManager.getOrCreateUserDid = originalGetOrCreate;
     });
   });

package/src/__tests__/runtime/proof-client-did.test.ts

@@ -143,8 +143,8 @@ describe('MCPIRuntimeBase - Proof Client DID', () => {
       expect(session.clientDid).toBe('did:key:zhandshake123');
     });
 
-    it('should handle userDid from handshake session', async () => {
-      // Initialize runtime with user DID generation enabled
+    it('should handle anonymous session from handshake (Phase 5)', async () => {
+      // Phase 5: Sessions start anonymous - no userDid at handshake
       const configWithUserDid = {
         ...config,
         identity: {
@@ -162,12 +162,12 @@ describe('MCPIRuntimeBase - Proof Client DID', () => {
 
       const session = await runtimeWithUserDid.getCurrentSession();
       expect(session).toBeDefined();
-      
-      // When userDid generation is enabled, it should be generated and available
-      // This is a critical assertion - if userDid is missing, the test should fail
-      expect(session.userDid).toBeDefined();
-      expect(session.userDid).toMatch(/^did:key:z/);
-      
+
+      // Phase 5: Sessions start anonymous without userDid
+      // userDid is only set after OAuth identity resolution
+      expect(session.userDid).toBeUndefined();
+      expect(session.identityState).toBe('anonymous');
+
       const proof = await runtimeWithUserDid.createProof(
         { test: 'data' },
         session
@@ -234,7 +234,8 @@ describe('MCPIRuntimeBase - Proof Client DID', () => {
       expect(session.clientDid).toBe('did:key:zclient789');
     });
 
-    it('should use generated userDid as clientDid when no clientDid provided', async () => {
+    it('should handle anonymous session when no clientDid provided (Phase 5)', async () => {
+      // Phase 5: Sessions start anonymous - userDid and clientDid may both be undefined
       const configWithUserDid = {
         ...config,
         identity: {
@@ -252,15 +253,15 @@ describe('MCPIRuntimeBase - Proof Client DID', () => {
 
       const session = await runtimeWithUserDid.getCurrentSession();
       expect(session).toBeDefined();
-      
-      // When userDid generation is enabled, it should be generated and available
-      // This is a critical assertion - if userDid is missing, the test should fail
-      expect(session.userDid).toBeDefined();
-      expect(session.userDid).toMatch(/^did:key:z/);
-      
-      // clientDid should be set to userDid if no explicit clientDid provided
-      expect(session.clientDid || session.userDid).toBeDefined();
-      
+
+      // Phase 5: Sessions start anonymous without userDid
+      // userDid is only set after OAuth identity resolution
+      expect(session.userDid).toBeUndefined();
+      expect(session.identityState).toBe('anonymous');
+
+      // clientDid can also be undefined in anonymous sessions
+      // Both will be set after OAuth completes
+
       // Verify proof includes the session
       const proof = await runtimeWithUserDid.createProof(
         { test: 'data' },

package/src/__tests__/services/agentshield-integration.test.ts

@@ -144,11 +144,17 @@ describe('AgentShield Integration', () => {
   });
 
   describe('Endpoint Selection', () => {
-    test('should use project-scoped endpoint when projectId is available', async () => {
+    test('should use project-scoped /config endpoint when projectId is available', async () => {
+      // Merged config format - tools embedded at config.toolProtection.tools
       const apiResponse = {
         success: true,
         data: {
-          toolProtections: {},
+          config: {
+            toolProtection: {
+              source: 'agentshield',
+              tools: {},
+            },
+          },
         },
         metadata: {},
       };
@@ -160,8 +166,9 @@ describe('AgentShield Integration', () => {
 
       await service.getToolProtectionConfig(mockAgentDid);
 
+      // Now calls /config endpoint (not /tool-protections)
       expect(global.fetch).toHaveBeenCalledWith(
-        `${baseUrl}/api/v1/bouncer/projects/test-project-123/tool-protections`,
+        `${baseUrl}/api/v1/bouncer/projects/test-project-123/config`,
         expect.any(Object)
       );
     });