@kya-os/mcp-i-core 1.3.12 → 1.3.14

package/src/__tests__/services/agentshield-integration.test.ts

@@ -1,791 +0,0 @@
-/**
- * AgentShield Integration Tests
- *
- * Tests for AgentShield API integration including:
- * - Tool protection config fetching
- * - API authentication
- * - Error handling
- * - Response format compatibility
- */
-
-import { describe, test, expect, beforeEach, vi, afterEach } from 'vitest';
-import { ToolProtectionService } from '../../services/tool-protection.service';
-import { InMemoryToolProtectionCache } from '../../cache/tool-protection-cache';
-import type { ToolProtectionServiceConfig } from '../../types/tool-protection';
-
-// Mock global fetch
-global.fetch = vi.fn();
-
-describe('AgentShield Integration', () => {
-  let service: ToolProtectionService;
-  let cache: InMemoryToolProtectionCache;
-  let config: ToolProtectionServiceConfig;
-  const mockAgentDid = 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK';
-  const baseUrl = 'https://kya.vouched.id';
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    cache = new InMemoryToolProtectionCache();
-    config = {
-      apiUrl: baseUrl,
-      apiKey: 'test-api-key-12345',
-      projectId: 'test-project-123',
-      cacheTtl: 300000,
-      debug: false,
-    };
-    service = new ToolProtectionService(config, cache);
-  });
-
-  afterEach(() => {
-    vi.restoreAllMocks();
-  });
-
-  describe('API Authentication', () => {
-    test('should use X-API-Key header for new endpoint', async () => {
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {},
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(global.fetch).toHaveBeenCalledWith(
-        expect.any(String),
-        expect.objectContaining({
-          headers: expect.objectContaining({
-            'X-API-Key': 'test-api-key-12345',
-            'X-Project-Id': 'test-project-123',
-          }),
-        })
-      );
-    });
-
-    test('should use Authorization Bearer header for old endpoint', async () => {
-      delete config.projectId;
-      service = new ToolProtectionService(config, cache);
-
-      const apiResponse = {
-        success: true,
-        data: {
-          tools: [],
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(global.fetch).toHaveBeenCalledWith(
-        expect.any(String),
-        expect.objectContaining({
-          headers: expect.objectContaining({
-            Authorization: 'Bearer test-api-key-12345',
-          }),
-        })
-      );
-    });
-
-    test('should reject requests without API key', async () => {
-      config.apiKey = '';
-      service = new ToolProtectionService(config, cache);
-
-      await expect(service.getToolProtectionConfig(mockAgentDid)).rejects.toThrow(
-        'API key is missing or empty'
-      );
-    });
-
-    test('should mask API key in debug logs', async () => {
-      config.debug = true;
-      config.apiKey = 'sk_live_1234567890abcdef';
-      service = new ToolProtectionService(config, cache);
-
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {},
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      const consoleSpy = vi.spyOn(console, 'log').mockImplementation(() => {});
-
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      const logCalls = consoleSpy.mock.calls;
-      const debugLog = logCalls.find((call) =>
-        call[0].includes('Fetching from API')
-      );
-
-      if (debugLog && debugLog[2]) {
-        const logData = debugLog[2] as any;
-        expect(logData.apiKeyMasked).toMatch(/^sk_live\.\.\./);
-        expect(logData.apiKeyMasked).not.toContain('1234567890abcdef');
-      }
-
-      consoleSpy.mockRestore();
-    });
-  });
-
-  describe('Endpoint Selection', () => {
-    test('should use project-scoped /config endpoint when projectId is available', async () => {
-      // Merged config format - tools embedded at config.toolProtection.tools
-      const apiResponse = {
-        success: true,
-        data: {
-          config: {
-            toolProtection: {
-              source: 'agentshield',
-              tools: {},
-            },
-          },
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      // Now calls /config endpoint (not /tool-protections)
-      expect(global.fetch).toHaveBeenCalledWith(
-        `${baseUrl}/api/v1/bouncer/projects/test-project-123/config`,
-        expect.any(Object)
-      );
-    });
-
-    test('should use agent-scoped endpoint when projectId is not available', async () => {
-      delete config.projectId;
-      service = new ToolProtectionService(config, cache);
-
-      const apiResponse = {
-        success: true,
-        data: {
-          tools: [],
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(global.fetch).toHaveBeenCalledWith(
-        `${baseUrl}/api/v1/bouncer/config?agent_did=${encodeURIComponent(mockAgentDid)}`,
-        expect.any(Object)
-      );
-    });
-
-    test('should encode projectId in URL', async () => {
-      config.projectId = 'project/with/special-chars';
-      service = new ToolProtectionService(config, cache);
-
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {},
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(global.fetch).toHaveBeenCalledWith(
-        expect.stringContaining(encodeURIComponent('project/with/special-chars')),
-        expect.any(Object)
-      );
-    });
-
-    test('should encode agent DID in URL', async () => {
-      delete config.projectId;
-      service = new ToolProtectionService(config, cache);
-
-      const apiResponse = {
-        success: true,
-        data: {
-          tools: [],
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(global.fetch).toHaveBeenCalledWith(
-        expect.stringContaining(encodeURIComponent(mockAgentDid)),
-        expect.any(Object)
-      );
-    });
-  });
-
-  describe('Response Format Compatibility', () => {
-    test('should handle new endpoint format (toolProtections object)', async () => {
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {
-            checkout: {
-              requiresDelegation: true,
-              requiredScopes: ['cart:write'],
-            },
-            search: {
-              requiresDelegation: false,
-              requiredScopes: [],
-            },
-          },
-        },
-        metadata: {
-          timestamp: new Date().toISOString(),
-          cachedUntil: new Date(Date.now() + 300000).toISOString(),
-        },
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections.checkout).toBeDefined();
-      expect(result.toolProtections.checkout.requiresDelegation).toBe(true);
-      expect(result.toolProtections.search.requiresDelegation).toBe(false);
-    });
-
-    test('should handle old endpoint format (tools array)', async () => {
-      delete config.projectId;
-      service = new ToolProtectionService(config, cache);
-
-      const apiResponse = {
-        success: true,
-        data: {
-          tools: [
-            {
-              name: 'checkout',
-              requiresDelegation: true,
-              scopes: ['cart:write'],
-            },
-            {
-              name: 'search',
-              requiresDelegation: false,
-              scopes: [],
-            },
-          ],
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections.checkout).toBeDefined();
-      expect(result.toolProtections.checkout.requiresDelegation).toBe(true);
-      expect(result.toolProtections.search.requiresDelegation).toBe(false);
-    });
-
-    test('should handle old endpoint format (tools object)', async () => {
-      delete config.projectId;
-      service = new ToolProtectionService(config, cache);
-
-      const apiResponse = {
-        success: true,
-        data: {
-          tools: {
-            checkout: {
-              requiresDelegation: true,
-              scopes: ['cart:write'],
-            },
-            search: {
-              requiresDelegation: false,
-              scopes: [],
-            },
-          },
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections.checkout).toBeDefined();
-      expect(result.toolProtections.checkout.requiresDelegation).toBe(true);
-      expect(result.toolProtections.search.requiresDelegation).toBe(false);
-    });
-
-    test('should handle snake_case field names', async () => {
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {
-            tool1: {
-              requires_delegation: true,
-              required_scopes: ['scope1', 'scope2'],
-            },
-          },
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections.tool1.requiresDelegation).toBe(true);
-      expect(result.toolProtections.tool1.requiredScopes).toEqual(['scope1', 'scope2']);
-    });
-
-    test('should handle camelCase field names', async () => {
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {
-            tool1: {
-              requiresDelegation: true,
-              requiredScopes: ['scope1', 'scope2'],
-            },
-          },
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections.tool1.requiresDelegation).toBe(true);
-      expect(result.toolProtections.tool1.requiredScopes).toEqual(['scope1', 'scope2']);
-    });
-
-    test('should prefer camelCase over snake_case when both present', async () => {
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {
-            tool1: {
-              requires_delegation: false,
-              requiresDelegation: true,
-              required_scopes: ['old'],
-              requiredScopes: ['new'],
-            },
-          },
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections.tool1.requiresDelegation).toBe(true);
-      expect(result.toolProtections.tool1.requiredScopes).toEqual(['new']);
-    });
-  });
-
-  describe('Error Handling', () => {
-    test('should handle 401 Unauthorized', async () => {
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: false,
-        status: 401,
-        statusText: 'Unauthorized',
-        text: async () => 'Invalid API key',
-      });
-
-      await expect(service.getToolProtectionConfig(mockAgentDid)).rejects.toThrow(
-        'Failed to fetch bouncer config: 401 Unauthorized'
-      );
-    });
-
-    test('should handle 403 Forbidden', async () => {
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: false,
-        status: 403,
-        statusText: 'Forbidden',
-        text: async () => 'Access denied',
-      });
-
-      await expect(service.getToolProtectionConfig(mockAgentDid)).rejects.toThrow(
-        'Failed to fetch bouncer config: 403 Forbidden'
-      );
-    });
-
-    test('should handle 404 Not Found', async () => {
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: false,
-        status: 404,
-        statusText: 'Not Found',
-        text: async () => 'Project not found',
-      });
-
-      await expect(service.getToolProtectionConfig(mockAgentDid)).rejects.toThrow(
-        'Failed to fetch bouncer config: 404 Not Found'
-      );
-    });
-
-    test('should handle 500 Internal Server Error', async () => {
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: false,
-        status: 500,
-        statusText: 'Internal Server Error',
-        text: async () => 'Server error',
-      });
-
-      await expect(service.getToolProtectionConfig(mockAgentDid)).rejects.toThrow(
-        'Failed to fetch bouncer config: 500 Internal Server Error'
-      );
-    });
-
-    test('should handle network timeout', async () => {
-      (global.fetch as any).mockRejectedValueOnce(new Error('Network timeout'));
-
-      const fallbackConfig = {
-        toolProtections: {
-          fallback: {
-            requiresDelegation: true,
-            requiredScopes: ['fallback'],
-          },
-        },
-      };
-
-      config.fallbackConfig = fallbackConfig;
-      service = new ToolProtectionService(config, cache);
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result).toEqual(fallbackConfig);
-    });
-
-    test('should handle malformed JSON response', async () => {
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => {
-          throw new Error('Unexpected token');
-        },
-      });
-
-      await expect(service.getToolProtectionConfig(mockAgentDid)).rejects.toThrow();
-    });
-
-    test('should handle response with success: false', async () => {
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => ({
-          success: false,
-          error: {
-            code: 'INVALID_REQUEST',
-            message: 'Invalid project ID',
-          },
-        }),
-      });
-
-      await expect(service.getToolProtectionConfig(mockAgentDid)).rejects.toThrow(
-        'API returned success: false'
-      );
-    });
-
-    test('should handle empty response body', async () => {
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: false,
-        status: 500,
-        statusText: 'Internal Server Error',
-        text: async () => '',
-      });
-
-      await expect(service.getToolProtectionConfig(mockAgentDid)).rejects.toThrow(
-        'Failed to fetch bouncer config: 500 Internal Server Error - '
-      );
-    });
-  });
-
-  describe('Fallback Behavior', () => {
-    test('should use fallback config when API is unavailable', async () => {
-      const fallbackConfig = {
-        toolProtections: {
-          fallback_tool: {
-            requiresDelegation: true,
-            requiredScopes: ['fallback'],
-          },
-        },
-      };
-
-      config.fallbackConfig = fallbackConfig;
-      service = new ToolProtectionService(config, cache);
-
-      (global.fetch as any).mockRejectedValueOnce(new Error('Network error'));
-
-      const consoleSpy = vi.spyOn(console, 'warn').mockImplementation(() => {});
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result).toEqual(fallbackConfig);
-      expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining('using fallback config'),
-        expect.any(Object)
-      );
-
-      consoleSpy.mockRestore();
-    });
-
-    test('should return deny-all config when no fallback is available (fail-safe)', async () => {
-      (global.fetch as any).mockRejectedValueOnce(new Error('Network error'));
-
-      const consoleSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections['*']).toBeDefined();
-      expect(result.toolProtections['*']?.requiresDelegation).toBe(true);
-      expect(consoleSpy).toHaveBeenCalledWith(
-        expect.stringContaining('API fetch failed, no fallback, failing closed (deny-all)'),
-        expect.any(Object)
-      );
-
-      consoleSpy.mockRestore();
-    });
-
-    test('should cache fallback config', async () => {
-      const fallbackConfig = {
-        toolProtections: {
-          fallback_tool: {
-            requiresDelegation: true,
-            requiredScopes: ['fallback'],
-          },
-        },
-      };
-
-      config.fallbackConfig = fallbackConfig;
-      service = new ToolProtectionService(config, cache);
-
-      (global.fetch as any).mockRejectedValue(new Error('Network error'));
-
-      // First call - should use fallback
-      const result1 = await service.getToolProtectionConfig(mockAgentDid);
-
-      // Second call - should use cached fallback (no API call)
-      const result2 = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result1).toEqual(result2);
-      expect(result1).toEqual(fallbackConfig);
-      // Should only attempt API call once (both calls use cached fallback)
-      expect(global.fetch).toHaveBeenCalledTimes(1);
-    });
-  });
-
-  describe('Caching Integration', () => {
-    test('should cache successful API responses', async () => {
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {
-            tool1: {
-              requiresDelegation: true,
-              requiredScopes: ['scope1'],
-            },
-          },
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      // First call - should fetch from API
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      // Second call - should use cache
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(global.fetch).toHaveBeenCalledTimes(1);
-      expect(result.toolProtections.tool1).toBeDefined();
-    });
-
-    test('should respect cache TTL', async () => {
-      config.cacheTtl = 1000; // 1 second
-      service = new ToolProtectionService(config, cache);
-
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {},
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      // Wait for cache to expire
-      await new Promise((resolve) => setTimeout(resolve, 1100));
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(global.fetch).toHaveBeenCalledTimes(2);
-    });
-  });
-
-  describe('Real-world Scenarios', () => {
-    test('should handle typical e-commerce tool protection config', async () => {
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {
-            search_products: {
-              requiresDelegation: false,
-              requiredScopes: [],
-            },
-            add_to_cart: {
-              requiresDelegation: true,
-              requiredScopes: ['cart:write'],
-            },
-            checkout: {
-              requiresDelegation: true,
-              requiredScopes: ['cart:write', 'payment:process'],
-            },
-            view_order: {
-              requiresDelegation: false,
-              requiredScopes: [],
-            },
-          },
-        },
-        metadata: {
-          timestamp: new Date().toISOString(),
-          cachedUntil: new Date(Date.now() + 300000).toISOString(),
-        },
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections.search_products.requiresDelegation).toBe(false);
-      expect(result.toolProtections.add_to_cart.requiresDelegation).toBe(true);
-      expect(result.toolProtections.add_to_cart.requiredScopes).toContain('cart:write');
-      expect(result.toolProtections.checkout.requiredScopes).toContain('payment:process');
-    });
-
-    test('should handle API rate limiting gracefully', async () => {
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: false,
-        status: 429,
-        statusText: 'Too Many Requests',
-        text: async () => 'Rate limit exceeded',
-      });
-
-      const fallbackConfig = {
-        toolProtections: {
-          tool1: {
-            requiresDelegation: true,
-            requiredScopes: ['scope1'],
-          },
-        },
-      };
-
-      config.fallbackConfig = fallbackConfig;
-      service = new ToolProtectionService(config, cache);
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result).toEqual(fallbackConfig);
-    });
-
-    test('should handle concurrent requests', async () => {
-      const apiResponse = {
-        success: true,
-        data: {
-          toolProtections: {
-            tool1: {
-              requiresDelegation: true,
-              requiredScopes: ['scope1'],
-            },
-          },
-        },
-        metadata: {},
-      };
-
-      (global.fetch as any).mockResolvedValue({
-        ok: true,
-        json: async () => apiResponse,
-      });
-
-      // Make concurrent requests
-      const promises = [
-        service.getToolProtectionConfig(mockAgentDid),
-        service.getToolProtectionConfig(mockAgentDid),
-        service.getToolProtectionConfig(mockAgentDid),
-      ];
-
-      const results = await Promise.all(promises);
-
-      // All should return same config
-      results.forEach((result) => {
-        expect(result.toolProtections.tool1).toBeDefined();
-      });
-
-      // Should only fetch once (cache prevents duplicate fetches)
-      // Note: Due to race conditions, multiple fetches might occur
-      expect(global.fetch).toHaveBeenCalled();
-    });
-  });
-});
-