@kya-os/mcp-i-core 1.3.12 → 1.3.14

package/src/__tests__/regression/phase2-regression.test.ts

@@ -1,429 +0,0 @@
-/**
- * Phase 2 Regression Tests
- *
- * Ensures Phase 2 (Dynamic Providers) changes don't break existing functionality.
- * Tests backward compatibility and verifies no regressions.
- *
- * @package @kya-os/mcp-i-core
- */
-
-import { describe, it, expect, beforeEach, vi } from "vitest";
-import { ToolProtectionService } from "../../services/tool-protection.service";
-import { ProviderResolver } from "../../services/provider-resolver";
-import { OAuthProviderRegistry } from "../../services/oauth-provider-registry";
-import { OAuthConfigService } from "../../services/oauth-config.service";
-import { BatchDelegationService } from "../../services/batch-delegation.service";
-import {
-  InMemoryToolProtectionCache,
-  type ToolProtectionCache,
-} from "../../cache/tool-protection-cache";
-import type {
-  ToolProtectionServiceConfig,
-  ToolProtectionConfig,
-} from "../../types/tool-protection";
-import type { ToolProtection } from "@kya-os/contracts/tool-protection";
-import type { OAuthConfig } from "@kya-os/contracts/config";
-
-// Mock global fetch
-global.fetch = vi.fn();
-
-describe("Phase 2 Regression Tests", () => {
-  let cache: ToolProtectionCache;
-  let config: ToolProtectionServiceConfig;
-  const mockAgentDid = "did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK";
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    cache = new InMemoryToolProtectionCache();
-    config = {
-      apiUrl: "https://kya.vouched.id",
-      apiKey: "test-api-key-12345",
-      cacheTtl: 300000,
-      debug: false,
-    };
-  });
-
-  describe("Backward Compatibility", () => {
-    describe("Phase 1 tools (no oauthProvider)", () => {
-      it("should work with Phase 1 tools that don't specify oauthProvider", async () => {
-        const service = new ToolProtectionService(config, cache);
-
-        const apiResponse = {
-          success: true,
-          data: {
-            toolProtections: {
-              phase1_tool: {
-                requiresDelegation: true,
-                requiredScopes: ["repo:read"],
-                // No oauthProvider field (Phase 1 compatibility)
-              },
-            },
-          },
-          metadata: {},
-        };
-
-        (global.fetch as any).mockResolvedValueOnce({
-          ok: true,
-          json: async () => apiResponse,
-        });
-
-        const result = await service.getToolProtectionConfig(mockAgentDid);
-
-        expect(result.toolProtections.phase1_tool.requiresDelegation).toBe(true);
-        expect(result.toolProtections.phase1_tool.requiredScopes).toEqual([
-          "repo:read",
-        ]);
-        // Should not have oauthProvider field
-        expect(result.toolProtections.phase1_tool).not.toHaveProperty(
-          "oauthProvider"
-        );
-      });
-
-      it("should work with ProviderResolver fallback for Phase 1 tools", async () => {
-        const mockConfigService: OAuthConfigService = {
-          getOAuthConfig: vi.fn().mockResolvedValue({
-            providers: {
-              github: {
-                clientId: "github_client_id",
-                authorizationUrl: "https://github.com/login/oauth/authorize",
-                tokenUrl: "https://github.com/login/oauth/access_token",
-                supportsPKCE: true,
-                requiresClientSecret: false,
-              },
-            },
-          }),
-        } as any;
-
-        const mockRegistry = {
-          hasProvider: vi.fn().mockImplementation((name: string) => name === "github"),
-          getAllProviders: vi.fn().mockReturnValue([
-            { clientId: "github_client_id" },
-          ]),
-          getProviderNames: vi.fn().mockReturnValue(["github"]),
-          loadFromAgentShield: vi.fn().mockResolvedValue(undefined),
-          getConfiguredProvider: vi.fn().mockReturnValue("github"), // configuredProvider is github
-        } as any;
-
-        const resolver = new ProviderResolver(mockRegistry, mockConfigService);
-
-        const toolProtection: ToolProtection = {
-          requiresDelegation: true,
-          requiredScopes: ["custom:scope"],
-          // No oauthProvider - should use configuredProvider fallback
-        };
-
-        const consoleSpy = vi
-          .spyOn(console, "warn")
-          .mockImplementation(() => {});
-
-        const provider = await resolver.resolveProvider(
-          toolProtection,
-          "test-project"
-        );
-
-        expect(provider).toBe("github");
-        expect(consoleSpy).toHaveBeenCalledWith(
-          expect.stringContaining("project-configured provider")
-        );
-
-        consoleSpy.mockRestore();
-      });
-    });
-
-    describe("Old API endpoint format", () => {
-      it("should still support old endpoint format (tools array)", async () => {
-        const service = new ToolProtectionService(config, cache);
-
-        const apiResponse = {
-          success: true,
-          data: {
-            tools: [
-              {
-                name: "old_tool",
-                requiresDelegation: true,
-                scopes: ["scope1"],
-              },
-            ],
-          },
-          metadata: {},
-        };
-
-        (global.fetch as any).mockResolvedValueOnce({
-          ok: true,
-          json: async () => apiResponse,
-        });
-
-        const result = await service.getToolProtectionConfig(mockAgentDid);
-
-        expect(result.toolProtections.old_tool).toBeDefined();
-        expect(result.toolProtections.old_tool.requiresDelegation).toBe(true);
-      });
-
-      it("should still support old endpoint format (tools object)", async () => {
-        const service = new ToolProtectionService(config, cache);
-
-        const apiResponse = {
-          success: true,
-          data: {
-            tools: {
-              old_tool: {
-                requiresDelegation: true,
-                scopes: ["scope1"],
-              },
-            },
-          },
-          metadata: {},
-        };
-
-        (global.fetch as any).mockResolvedValueOnce({
-          ok: true,
-          json: async () => apiResponse,
-        });
-
-        const result = await service.getToolProtectionConfig(mockAgentDid);
-
-        expect(result.toolProtections.old_tool).toBeDefined();
-        expect(result.toolProtections.old_tool.requiresDelegation).toBe(true);
-      });
-    });
-
-    describe("snake_case field names", () => {
-      it("should still support snake_case field names", async () => {
-        const projectId = "test-project-123";
-        config.projectId = projectId;
-        const service = new ToolProtectionService(config, cache);
-
-        const apiResponse = {
-          success: true,
-          data: {
-            toolProtections: {
-              tool_with_snake_case: {
-                requires_delegation: true,
-                required_scopes: ["scope1"],
-                oauth_provider: "github", // snake_case
-              },
-            },
-          },
-          metadata: {},
-        };
-
-        (global.fetch as any).mockResolvedValueOnce({
-          ok: true,
-          json: async () => apiResponse,
-        });
-
-        const result = await service.getToolProtectionConfig(mockAgentDid);
-
-        expect(result.toolProtections.tool_with_snake_case.requiresDelegation).toBe(
-          true
-        );
-        expect(result.toolProtections.tool_with_snake_case.requiredScopes).toEqual([
-          "scope1",
-        ]);
-        expect(result.toolProtections.tool_with_snake_case.oauthProvider).toBe(
-          "github"
-        );
-      });
-    });
-  });
-
-  describe("No Regressions", () => {
-    describe("Phase 1 OAuth flow", () => {
-      it("should still work with Phase 1 OAuth flow (no oauthProvider)", async () => {
-        const mockConfigService: OAuthConfigService = {
-          getOAuthConfig: vi.fn().mockResolvedValue({
-            providers: {
-              github: {
-                clientId: "github_client_id",
-                authorizationUrl: "https://github.com/login/oauth/authorize",
-                tokenUrl: "https://github.com/login/oauth/access_token",
-                supportsPKCE: true,
-                requiresClientSecret: false,
-              },
-            },
-          }),
-        } as any;
-
-        const mockRegistry = {
-          hasProvider: vi.fn().mockImplementation((name: string) => name === "github"),
-          getAllProviders: vi.fn().mockReturnValue([
-            { clientId: "github_client_id" },
-          ]),
-          getProviderNames: vi.fn().mockReturnValue(["github"]),
-          loadFromAgentShield: vi.fn().mockResolvedValue(undefined),
-          getConfiguredProvider: vi.fn().mockReturnValue("github"), // configuredProvider is github
-        } as any;
-
-        const resolver = new ProviderResolver(mockRegistry, mockConfigService);
-
-        const toolProtection: ToolProtection = {
-          requiresDelegation: true,
-          requiredScopes: ["repo:read"],
-          // No oauthProvider - Phase 1 mode - uses configuredProvider fallback
-        };
-
-        const provider = await resolver.resolveProvider(
-          toolProtection,
-          "test-project"
-        );
-
-        // Should fallback to configuredProvider
-        expect(provider).toBe("github");
-      });
-    });
-
-    describe("Token resolution", () => {
-      it("should still work with token resolution (Phase 1 compatibility)", async () => {
-        // This test verifies that token resolution infrastructure still works
-        // The actual token resolution is tested in Phase 1 E2E tests
-        // This is a placeholder to ensure Phase 2 doesn't break the flow
-
-        const toolProtection: ToolProtection = {
-          requiresDelegation: true,
-          requiredScopes: ["repo:read"],
-          // No oauthProvider - should still work
-        };
-
-        // Verify tool protection structure is valid
-        expect(toolProtection.requiresDelegation).toBe(true);
-        expect(toolProtection.requiredScopes).toEqual(["repo:read"]);
-        // oauthProvider is optional
-        expect(toolProtection.oauthProvider).toBeUndefined();
-      });
-    });
-
-    describe("Tool context building", () => {
-      it("should still work with tool context building (Phase 1 compatibility)", async () => {
-        // This test verifies that tool context building infrastructure still works
-        // The actual context building is tested in Phase 1 E2E tests
-        // This is a placeholder to ensure Phase 2 doesn't break the flow
-
-        const toolProtection: ToolProtection = {
-          requiresDelegation: true,
-          requiredScopes: ["repo:read"],
-          // No oauthProvider - should still work
-        };
-
-        // Verify tool protection can be used for context building
-        expect(toolProtection.requiredScopes).toBeDefined();
-        expect(Array.isArray(toolProtection.requiredScopes)).toBe(true);
-      });
-    });
-
-    describe("Consent page rendering", () => {
-      it("should render consent page without provider badge (Phase 1 mode)", () => {
-        // This test verifies that consent page can render without provider badge
-        // The actual rendering is tested in E2E tests
-        // This is a placeholder to ensure Phase 2 doesn't break Phase 1 rendering
-
-        const toolProtection: ToolProtection = {
-          requiresDelegation: true,
-          requiredScopes: ["repo:read"],
-          // No oauthProvider - Phase 1 mode
-        };
-
-        // Verify tool protection structure allows consent page rendering
-        expect(toolProtection.requiresDelegation).toBe(true);
-        expect(toolProtection.requiredScopes.length).toBeGreaterThan(0);
-      });
-    });
-  });
-
-  describe("Mixed Phase 1 and Phase 2 tools", () => {
-    it("should handle mix of Phase 1 and Phase 2 tools in same project", async () => {
-      const projectId = "test-project-123";
-      config.projectId = projectId;
-      const service = new ToolProtectionService(config, cache);
-
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {
-            phase1_tool: {
-              requiresDelegation: true,
-              requiredScopes: ["repo:read"],
-              // No oauthProvider (Phase 1)
-            },
-            phase2_tool: {
-              requiresDelegation: true,
-              requiredScopes: ["gmail:send"],
-              oauthProvider: "google", // Phase 2
-            },
-          },
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      // Phase 1 tool should not have oauthProvider
-      expect(result.toolProtections.phase1_tool).not.toHaveProperty(
-        "oauthProvider"
-      );
-
-      // Phase 2 tool should have oauthProvider
-      expect(result.toolProtections.phase2_tool.oauthProvider).toBe("google");
-    });
-  });
-
-  describe("Cache compatibility", () => {
-    it("should handle cached Phase 1 configs correctly", async () => {
-      const projectId = "test-project-123";
-      config.projectId = projectId;
-      const service = new ToolProtectionService(config, cache);
-
-      // Cache Phase 1 config (no oauthProvider)
-      const cachedConfig: ToolProtectionConfig = {
-        toolProtections: {
-          phase1_tool: {
-            requiresDelegation: true,
-            requiredScopes: ["repo:read"],
-            // No oauthProvider
-          },
-        },
-      };
-
-      const cacheKey = `config:tool-protections:${projectId}`;
-      await cache.set(cacheKey, cachedConfig, 300000);
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections.phase1_tool.requiresDelegation).toBe(true);
-      expect(result.toolProtections.phase1_tool).not.toHaveProperty(
-        "oauthProvider"
-      );
-      expect(global.fetch).not.toHaveBeenCalled();
-    });
-
-    it("should handle cached Phase 2 configs correctly", async () => {
-      const projectId = "test-project-123";
-      config.projectId = projectId;
-      const service = new ToolProtectionService(config, cache);
-
-      // Cache Phase 2 config (with oauthProvider)
-      const cachedConfig: ToolProtectionConfig = {
-        toolProtections: {
-          phase2_tool: {
-            requiresDelegation: true,
-            requiredScopes: ["repo:read"],
-            oauthProvider: "github",
-          },
-        },
-      };
-
-      const cacheKey = `config:tool-protections:${projectId}`;
-      await cache.set(cacheKey, cachedConfig, 300000);
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections.phase2_tool.oauthProvider).toBe("github");
-      expect(global.fetch).not.toHaveBeenCalled();
-    });
-  });
-});
-

package/src/__tests__/runtime/audit-logger.test.ts

@@ -1,154 +0,0 @@
-/**
- * IAuditLogger Interface Tests
- *
- * Tests for the IAuditLogger interface contract validation
- * and type compatibility checks.
- */
-
-import { describe, it, expect } from "vitest";
-import type { IAuditLogger } from "../../runtime/audit-logger.js";
-import type { AuditContext, AuditEventContext } from "@kya-os/contracts/audit";
-
-/**
- * Mock implementation of IAuditLogger for testing
- */
-class MockAuditLogger implements IAuditLogger {
-  public logAuditRecordCalls: AuditContext[] = [];
-  public logEventCalls: AuditEventContext[] = [];
-
-  async logAuditRecord(context: AuditContext): Promise<void> {
-    this.logAuditRecordCalls.push(context);
-  }
-
-  async logEvent(context: AuditEventContext): Promise<void> {
-    this.logEventCalls.push(context);
-  }
-}
-
-describe("IAuditLogger Interface", () => {
-  describe("Interface contract validation", () => {
-    it("should require logAuditRecord method", () => {
-      const logger: IAuditLogger = new MockAuditLogger();
-      expect(typeof logger.logAuditRecord).toBe("function");
-    });
-
-    it("should require logEvent method", () => {
-      const logger: IAuditLogger = new MockAuditLogger();
-      expect(typeof logger.logEvent).toBe("function");
-    });
-
-    it("should accept AuditContext for logAuditRecord", async () => {
-      const logger = new MockAuditLogger();
-      const context: AuditContext = {
-        identity: {
-          did: "did:key:test",
-          kid: "key-123",
-        } as any,
-        session: {
-          sessionId: "session-123",
-          audience: "example.com",
-        } as any,
-        requestHash: "sha256:abc",
-        responseHash: "sha256:def",
-        verified: "yes",
-        scopeId: "test:execute",
-      };
-
-      await logger.logAuditRecord(context);
-      expect(logger.logAuditRecordCalls).toHaveLength(1);
-      expect(logger.logAuditRecordCalls[0]).toEqual(context);
-    });
-
-    it("should accept AuditEventContext for logEvent", async () => {
-      const logger = new MockAuditLogger();
-      const context: AuditEventContext = {
-        eventType: "consent:approved",
-        identity: {
-          did: "did:key:test",
-          kid: "key-123",
-        } as any,
-        session: {
-          sessionId: "session-123",
-          audience: "example.com",
-        } as any,
-        eventData: { tool: "test-tool" },
-      };
-
-      await logger.logEvent(context);
-      expect(logger.logEventCalls).toHaveLength(1);
-      expect(logger.logEventCalls[0]).toEqual(context);
-    });
-  });
-
-  describe("Type compatibility checks", () => {
-    it("should be compatible with implementations that return Promise<void>", async () => {
-      const logger: IAuditLogger = new MockAuditLogger();
-      const context: AuditContext = {
-        identity: { did: "did:key:test", kid: "key-123" } as any,
-        session: { sessionId: "session-123", audience: "example.com" } as any,
-        requestHash: "sha256:abc",
-        responseHash: "sha256:def",
-        verified: "yes",
-      };
-
-      const result = await logger.logAuditRecord(context);
-      expect(result).toBeUndefined(); // Should return void
-    });
-
-    it("should accept optional scopeId in AuditContext", async () => {
-      const logger = new MockAuditLogger();
-      const contextWithoutScope: AuditContext = {
-        identity: { did: "did:key:test", kid: "key-123" } as any,
-        session: { sessionId: "session-123", audience: "example.com" } as any,
-        requestHash: "sha256:abc",
-        responseHash: "sha256:def",
-        verified: "yes",
-        // scopeId is optional
-      };
-
-      await expect(
-        logger.logAuditRecord(contextWithoutScope)
-      ).resolves.not.toThrow();
-    });
-
-    it("should accept optional eventData in AuditEventContext", async () => {
-      const logger = new MockAuditLogger();
-      const contextWithoutData: AuditEventContext = {
-        eventType: "test:event",
-        identity: { did: "did:key:test", kid: "key-123" } as any,
-        session: { sessionId: "session-123", audience: "example.com" } as any,
-        // eventData is optional
-      };
-
-      await expect(logger.logEvent(contextWithoutData)).resolves.not.toThrow();
-    });
-  });
-
-  describe("Verify both methods are required", () => {
-    it("should fail type check if logAuditRecord is missing", () => {
-      // This test documents that TypeScript will catch missing methods
-      // In practice, this would be a compile-time error
-      class IncompleteLogger implements Partial<IAuditLogger> {
-        async logEvent(_context: AuditEventContext): Promise<void> {
-          // Missing logAuditRecord
-        }
-      }
-
-      // TypeScript would error: Property 'logAuditRecord' is missing
-      // This test verifies the interface contract is enforced
-      expect(true).toBe(true); // Placeholder - actual check is compile-time
-    });
-
-    it("should fail type check if logEvent is missing", () => {
-      // This test documents that TypeScript will catch missing methods
-      class IncompleteLogger implements Partial<IAuditLogger> {
-        async logAuditRecord(_context: AuditContext): Promise<void> {
-          // Missing logEvent
-        }
-      }
-
-      // TypeScript would error: Property 'logEvent' is missing
-      expect(true).toBe(true); // Placeholder - actual check is compile-time
-    });
-  });
-});