@kya-os/mcp-i-core 1.3.10-canary.clientinfo.20251126124133 → 1.3.11

package/src/__tests__/identity/user-did-manager.test.ts

@@ -1,7 +1,8 @@
 /**
  * User DID Manager Tests
  *
- * Tests for ephemeral user DID generation and management.
+ * Phase 5: Anonymous Sessions Until OAuth
+ * Tests for user DID lookup and storage (no ephemeral generation).
  */
 
 import { describe, test, expect, beforeEach, vi } from 'vitest';
@@ -26,36 +27,37 @@ describe('UserDidManager', () => {
     });
   });
 
-  describe('getOrCreateUserDid', () => {
-  test('should generate new did:key for new session', async () => {
-    const sessionId = 'session-123';
-    
-    // Mock generateKeyPair to return valid base64 keys
-    const mockKeyPair = {
-      privateKey: Buffer.from(new Uint8Array(32).fill(1)).toString('base64'),
-      publicKey: Buffer.from(new Uint8Array(32).fill(2)).toString('base64'),
-    };
-    vi.spyOn(cryptoProvider, 'generateKeyPair').mockResolvedValue(mockKeyPair);
-    
-    const userDid = await manager.getOrCreateUserDid(sessionId);
+  describe('getOrCreateUserDid (Phase 5)', () => {
+    test('should return null for new session without existing DID', async () => {
+      const sessionId = 'session-123';
+      (storage.get as ReturnType<typeof vi.fn>).mockResolvedValue(null);
 
-    expect(userDid).toMatch(/^did:key:z/);
-    expect(userDid.length).toBeGreaterThan(40);
-  });
+      // Phase 5: No ephemeral DID generation - returns null for anonymous session
+      const userDid = await manager.getOrCreateUserDid(sessionId);
 
-    test('should return same DID for same session', async () => {
+      expect(userDid).toBeNull();
+    });
+
+    test('should return same null for same session (cache hit)', async () => {
       const sessionId = 'session-123';
+      (storage.get as ReturnType<typeof vi.fn>).mockResolvedValue(null);
+
       const did1 = await manager.getOrCreateUserDid(sessionId);
       const did2 = await manager.getOrCreateUserDid(sessionId);
 
-      expect(did1).toBe(did2);
+      expect(did1).toBeNull();
+      expect(did2).toBeNull();
     });
 
-    test('should return different DIDs for different sessions', async () => {
+    test('should return null for different sessions without OAuth', async () => {
+      (storage.get as ReturnType<typeof vi.fn>).mockResolvedValue(null);
+
       const did1 = await manager.getOrCreateUserDid('session-1');
       const did2 = await manager.getOrCreateUserDid('session-2');
 
-      expect(did1).not.toBe(did2);
+      // Phase 5: Both sessions are anonymous (null userDid)
+      expect(did1).toBeNull();
+      expect(did2).toBeNull();
     });
 
     test('should retrieve DID from storage if available', async () => {
@@ -69,33 +71,42 @@ describe('UserDidManager', () => {
       expect(storage.get).toHaveBeenCalledWith(sessionId);
     });
 
-    test('should store new DID in storage', async () => {
+    test('should not call storage.set for new sessions (Phase 5)', async () => {
       const sessionId = 'session-123';
+      (storage.get as ReturnType<typeof vi.fn>).mockResolvedValue(null);
+
+      // Phase 5: No DID generated, no storage write
       const did = await manager.getOrCreateUserDid(sessionId);
 
-      expect(storage.set).toHaveBeenCalledWith(sessionId, did, 1800);
+      expect(did).toBeNull();
+      expect(storage.set).not.toHaveBeenCalled();
     });
 
-    test('should use cache for subsequent calls', async () => {
+    test('should use cache for existing DID on subsequent calls', async () => {
       const sessionId = 'session-123';
+      const storedDid = 'did:key:zTestStoredDID';
+      (storage.get as ReturnType<typeof vi.fn>).mockResolvedValue(storedDid);
+
       const did1 = await manager.getOrCreateUserDid(sessionId);
-      
-      // Clear storage mock to ensure cache is used
+
+      // Clear storage mock - next call should use cache
+      (storage.get as ReturnType<typeof vi.fn>).mockReset();
       (storage.get as ReturnType<typeof vi.fn>).mockResolvedValue(null);
-      
+
       const did2 = await manager.getOrCreateUserDid(sessionId);
 
-      expect(did1).toBe(did2);
-      expect(storage.get).not.toHaveBeenCalledTimes(2); // Cache hit
+      expect(did1).toBe(storedDid);
+      expect(did2).toBe(storedDid); // Cache hit
     });
 
-    test('should work without storage provider', async () => {
+    test('should return null without storage provider (Phase 5)', async () => {
       const ephemeralManager = new UserDidManager({
         crypto: cryptoProvider,
       });
 
+      // Phase 5: No storage, no OAuth → anonymous session (null)
       const did = await ephemeralManager.getOrCreateUserDid('session-123');
-      expect(did).toMatch(/^did:key:z/);
+      expect(did).toBeNull();
     });
   });
 
@@ -158,16 +169,23 @@ describe('UserDidManager', () => {
   });
 
   describe('DID format validation', () => {
-    test('should generate valid did:key format', async () => {
-      const did = await manager.getOrCreateUserDid('session-123');
-      
+    test('should return stored DID if it has valid did:key format', async () => {
+      const sessionId = 'session-123';
+      const validDid = 'did:key:z6MkhaXgBZDvotDUGnNPEFXjSNbMoRmbW2BgUjH9tmp1hQ1R';
+      (storage.get as ReturnType<typeof vi.fn>).mockResolvedValue(validDid);
+
+      const did = await manager.getOrCreateUserDid(sessionId);
+
       // did:key format: did:key:z<base58-encoded-multicodec-key>
+      expect(did).not.toBeNull();
       expect(did).toMatch(/^did:key:z[1-9A-HJ-NP-Za-km-z]+$/);
     });
 
-    test('should generate different DIDs each time generateUserDid is called', async () => {
-      const dids = new Set<string>();
-      
+    test('should return null for new sessions without OAuth (Phase 5)', async () => {
+      // Phase 5: getOrCreateUserDid returns null for new sessions without existing DID
+      // No ephemeral DID generation - sessions stay anonymous until OAuth
+      const dids = new Set<string | null>();
+
       for (let i = 0; i < 10; i++) {
         const manager = new UserDidManager({
           crypto: cryptoProvider,
@@ -176,28 +194,29 @@ describe('UserDidManager', () => {
         dids.add(did);
       }
 
-      // All DIDs should be unique
-      expect(dids.size).toBe(10);
+      // Phase 5: All DIDs should be null (no generation)
+      expect(dids.size).toBe(1);
+      expect(dids.has(null)).toBe(true);
     });
   });
 
   describe('error handling', () => {
-    test('should handle storage.get errors gracefully', async () => {
+    test('should handle storage.get errors gracefully (Phase 5)', async () => {
       const sessionId = 'session-123';
       (storage.get as ReturnType<typeof vi.fn>).mockRejectedValue(new Error('Storage error'));
 
-      // Should still generate DID despite storage error
+      // Phase 5: Returns null when storage errors occur (no ephemeral generation)
       const did = await manager.getOrCreateUserDid(sessionId);
-      expect(did).toMatch(/^did:key:z/);
+      expect(did).toBeNull();
     });
 
-    test('should handle storage.set errors gracefully', async () => {
+    test('should return null when no existing DID found (Phase 5)', async () => {
       const sessionId = 'session-123';
-      (storage.set as ReturnType<typeof vi.fn>).mockRejectedValue(new Error('Storage error'));
+      (storage.get as ReturnType<typeof vi.fn>).mockResolvedValue(null);
 
-      // Should still return DID despite storage error
+      // Phase 5: Returns null instead of generating ephemeral DID
       const did = await manager.getOrCreateUserDid(sessionId);
-      expect(did).toMatch(/^did:key:z/);
+      expect(did).toBeNull();
     });
 
     test('should handle storage.delete errors gracefully', async () => {

package/src/__tests__/integration/full-flow.test.ts

@@ -358,14 +358,20 @@ describe("Full Flow Integration", () => {
   });
 
   describe("AgentShield integration flow", () => {
-    test("should fetch tool protection config from AgentShield", async () => {
+    test("should fetch tool protection config from AgentShield merged config", async () => {
+      // Merged config format - tools embedded at config.toolProtection.tools
       const apiResponse = {
         success: true,
         data: {
-          toolProtections: {
-            protected_tool: {
-              requiresDelegation: true,
-              requiredScopes: ["scope1"],
+          config: {
+            toolProtection: {
+              source: 'agentshield',
+              tools: {
+                protected_tool: {
+                  requiresDelegation: true,
+                  requiredScopes: ["scope1"],
+                },
+              },
             },
           },
         },
@@ -384,22 +390,29 @@ describe("Full Flow Integration", () => {
       expect(config.toolProtections.protected_tool.requiresDelegation).toBe(
         true
       );
+      // Now calls /config endpoint (not /tool-protections)
       expect(global.fetch).toHaveBeenCalledWith(
         expect.stringContaining(
-          "/api/v1/bouncer/projects/test-project/tool-protections"
+          "/api/v1/bouncer/projects/test-project/config"
         ),
         expect.any(Object)
       );
     });
 
     test("should cache tool protection config", async () => {
+      // Merged config format - tools embedded at config.toolProtection.tools
       const apiResponse = {
         success: true,
         data: {
-          toolProtections: {
-            tool1: {
-              requiresDelegation: true,
-              requiredScopes: ["scope1"],
+          config: {
+            toolProtection: {
+              source: 'agentshield',
+              tools: {
+                tool1: {
+                  requiresDelegation: true,
+                  requiredScopes: ["scope1"],
+                },
+              },
             },
           },
         },

package/src/__tests__/runtime/base-extensions.test.ts

@@ -108,7 +108,8 @@ describe('MCPIRuntimeBase - Base Extensions', () => {
   });
 
   describe('handleHandshake with user DID generation', () => {
-    it('should generate user DID when enabled', async () => {
+    it('should start session as anonymous (Phase 5)', async () => {
+      // Phase 5: Sessions start anonymous - userDid is only set after OAuth
       const configWithUserDid = {
         ...config,
         identity: {
@@ -124,11 +125,16 @@ describe('MCPIRuntimeBase - Base Extensions', () => {
         audience: 'https://client.example.com'
       });
 
-      expect(response.userDid).toBeDefined();
-      expect(response.userDid).toMatch(/^did:key:z/);
+      // Phase 5: userDid is undefined in response - session is anonymous
+      expect(response.userDid).toBeUndefined();
+
+      // Check session's identityState
+      const session = await runtimeWithUserDid.getCurrentSession();
+      expect(session.identityState).toBe('anonymous');
     });
 
-    it('should use provided clientDid over generated userDid', async () => {
+    it('should use provided clientDid with anonymous session (Phase 5)', async () => {
+      // Phase 5: clientDid can be set while session stays anonymous (no userDid)
       const configWithUserDid = {
         ...config,
         identity: {
@@ -147,13 +153,10 @@ describe('MCPIRuntimeBase - Base Extensions', () => {
 
       const session = await runtimeWithUserDid.getCurrentSession();
       expect(session.clientDid).toBe('did:key:zprovided123');
-      
-      // When userDid generation is enabled, it should be generated even when clientDid is provided
-      // This is a critical assertion - if userDid is missing, the test should fail
-      expect(session.userDid).toBeDefined();
-      expect(session.userDid).toMatch(/^did:key:z/);
-      // userDid should be different from clientDid
-      expect(session.userDid).not.toBe(session.clientDid);
+
+      // Phase 5: userDid is undefined - session is anonymous until OAuth
+      expect(session.userDid).toBeUndefined();
+      expect(session.identityState).toBe('anonymous');
     });
 
     it('should handle user DID generation errors gracefully', async () => {
@@ -168,25 +171,24 @@ describe('MCPIRuntimeBase - Base Extensions', () => {
       const runtimeWithUserDid = new MCPIRuntimeBase(configWithUserDid);
       await runtimeWithUserDid.initialize();
 
-      // Mock userDidManager to throw error
+      // Phase 5: getOrCreateUserDid now returns null instead of generating ephemeral DIDs
+      // Sessions start anonymous - no userDid at handshake
       const userDidManager = (runtimeWithUserDid as any).userDidManager;
       const originalGetOrCreate = userDidManager.getOrCreateUserDid;
-      userDidManager.getOrCreateUserDid = vi.fn().mockRejectedValue(new Error('DID generation failed'));
-
-      const consoleWarnSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
+      userDidManager.getOrCreateUserDid = vi.fn().mockResolvedValue(null);
 
       const response = await runtimeWithUserDid.handleHandshake({
         audience: 'https://client.example.com'
       });
 
-      // Should still succeed without userDid
+      // Should succeed with anonymous session (no userDid)
       expect(response.sessionId).toBeDefined();
-      expect(consoleWarnSpy).toHaveBeenCalledWith(
-        expect.stringContaining('[MCP-I] Failed to generate user DID'),
-        expect.any(Error)
-      );
 
-      consoleWarnSpy.mockRestore();
+      // Phase 5: Session should be anonymous without userDid
+      const session = await runtimeWithUserDid.getCurrentSession();
+      expect(session.userDid).toBeUndefined();
+      expect(session.identityState).toBe('anonymous');
+
       userDidManager.getOrCreateUserDid = originalGetOrCreate;
     });
   });

package/src/__tests__/runtime/proof-client-did.test.ts

@@ -143,8 +143,8 @@ describe('MCPIRuntimeBase - Proof Client DID', () => {
       expect(session.clientDid).toBe('did:key:zhandshake123');
     });
 
-    it('should handle userDid from handshake session', async () => {
-      // Initialize runtime with user DID generation enabled
+    it('should handle anonymous session from handshake (Phase 5)', async () => {
+      // Phase 5: Sessions start anonymous - no userDid at handshake
       const configWithUserDid = {
         ...config,
         identity: {
@@ -162,12 +162,12 @@ describe('MCPIRuntimeBase - Proof Client DID', () => {
 
       const session = await runtimeWithUserDid.getCurrentSession();
       expect(session).toBeDefined();
-      
-      // When userDid generation is enabled, it should be generated and available
-      // This is a critical assertion - if userDid is missing, the test should fail
-      expect(session.userDid).toBeDefined();
-      expect(session.userDid).toMatch(/^did:key:z/);
-      
+
+      // Phase 5: Sessions start anonymous without userDid
+      // userDid is only set after OAuth identity resolution
+      expect(session.userDid).toBeUndefined();
+      expect(session.identityState).toBe('anonymous');
+
       const proof = await runtimeWithUserDid.createProof(
         { test: 'data' },
         session
@@ -234,7 +234,8 @@ describe('MCPIRuntimeBase - Proof Client DID', () => {
       expect(session.clientDid).toBe('did:key:zclient789');
     });
 
-    it('should use generated userDid as clientDid when no clientDid provided', async () => {
+    it('should handle anonymous session when no clientDid provided (Phase 5)', async () => {
+      // Phase 5: Sessions start anonymous - userDid and clientDid may both be undefined
       const configWithUserDid = {
         ...config,
         identity: {
@@ -252,15 +253,15 @@ describe('MCPIRuntimeBase - Proof Client DID', () => {
 
       const session = await runtimeWithUserDid.getCurrentSession();
       expect(session).toBeDefined();
-      
-      // When userDid generation is enabled, it should be generated and available
-      // This is a critical assertion - if userDid is missing, the test should fail
-      expect(session.userDid).toBeDefined();
-      expect(session.userDid).toMatch(/^did:key:z/);
-      
-      // clientDid should be set to userDid if no explicit clientDid provided
-      expect(session.clientDid || session.userDid).toBeDefined();
-      
+
+      // Phase 5: Sessions start anonymous without userDid
+      // userDid is only set after OAuth identity resolution
+      expect(session.userDid).toBeUndefined();
+      expect(session.identityState).toBe('anonymous');
+
+      // clientDid can also be undefined in anonymous sessions
+      // Both will be set after OAuth completes
+
       // Verify proof includes the session
       const proof = await runtimeWithUserDid.createProof(
         { test: 'data' },

package/src/__tests__/services/agentshield-integration.test.ts

@@ -144,11 +144,17 @@ describe('AgentShield Integration', () => {
   });
 
   describe('Endpoint Selection', () => {
-    test('should use project-scoped endpoint when projectId is available', async () => {
+    test('should use project-scoped /config endpoint when projectId is available', async () => {
+      // Merged config format - tools embedded at config.toolProtection.tools
       const apiResponse = {
         success: true,
         data: {
-          toolProtections: {},
+          config: {
+            toolProtection: {
+              source: 'agentshield',
+              tools: {},
+            },
+          },
         },
         metadata: {},
       };
@@ -160,8 +166,9 @@ describe('AgentShield Integration', () => {
 
       await service.getToolProtectionConfig(mockAgentDid);
 
+      // Now calls /config endpoint (not /tool-protections)
       expect(global.fetch).toHaveBeenCalledWith(
-        `${baseUrl}/api/v1/bouncer/projects/test-project-123/tool-protections`,
+        `${baseUrl}/api/v1/bouncer/projects/test-project-123/config`,
         expect.any(Object)
       );
     });