@kya-os/mcp-i-core 1.3.12 → 1.3.14

package/src/__tests__/services/tool-protection-merged-config.test.ts

@@ -1,485 +0,0 @@
-/**
- * ToolProtectionService Tests - Merged Config Format
- *
- * TDD tests for ToolProtectionService consuming the new merged config API
- * where tool protections are embedded at config.toolProtection.tools.
- *
- * These tests document the expected behavior BEFORE implementation.
- * The service should fetch from /config endpoint and extract tool protections
- * from the embedded tools field.
- *
- * @since 1.6.0
- */
-
-import { describe, test, expect, beforeEach, vi, afterEach } from 'vitest';
-import { ToolProtectionService } from '../../services/tool-protection.service';
-import {
-  InMemoryToolProtectionCache,
-  type ToolProtectionCache,
-} from '../../cache/tool-protection-cache';
-import type {
-  ToolProtectionServiceConfig,
-  ToolProtectionConfig,
-} from '../../types/tool-protection';
-
-// Mock global fetch
-global.fetch = vi.fn();
-
-describe('ToolProtectionService - Merged Config API', () => {
-  let service: ToolProtectionService;
-  let cache: ToolProtectionCache;
-  let config: ToolProtectionServiceConfig;
-  const mockAgentDid = 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK';
-
-  beforeEach(() => {
-    vi.clearAllMocks();
-    cache = new InMemoryToolProtectionCache();
-    config = {
-      apiUrl: 'https://kya.vouched.id',
-      apiKey: 'test-api-key-12345',
-      projectId: 'test-project-123',
-      cacheTtl: 300000,
-      debug: false,
-    };
-    service = new ToolProtectionService(config, cache);
-  });
-
-  afterEach(() => {
-    vi.restoreAllMocks();
-  });
-
-  describe('Fetching from /config endpoint with embedded tools', () => {
-    test('should fetch from /config endpoint and extract toolProtection.tools', async () => {
-      // New merged config API response format
-      const mergedConfigResponse = {
-        success: true,
-        data: {
-          config: {
-            identity: {
-              serverDid: 'did:key:test',
-              environment: 'production',
-              storageLocation: 'cloudflare-kv'
-            },
-            proofing: {
-              enabled: true,
-              destinations: [],
-              batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 }
-            },
-            delegation: {
-              enabled: true,
-              enforceStrictly: true,
-              verifier: { type: 'agentshield' },
-              authorization: {}
-            },
-            toolProtection: {
-              source: 'agentshield',
-              tools: {
-                checkout: {
-                  requiresDelegation: true,
-                  requiredScopes: ['cart:write', 'payment:execute'],
-                  riskLevel: 'high'
-                },
-                greet: {
-                  requiresDelegation: false,
-                  requiredScopes: []
-                }
-              }
-            },
-            audit: { enabled: true, includeProofHashes: true, includePayloads: false },
-            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
-            platform: { type: 'cloudflare' },
-            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
-          }
-        },
-        metadata: {
-          timestamp: new Date().toISOString(),
-          cachedUntil: new Date(Date.now() + 60000).toISOString()
-        }
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        text: async () => JSON.stringify(mergedConfigResponse),
-        json: async () => mergedConfigResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      // Should extract tool protections from embedded field
-      expect(result.toolProtections).toEqual({
-        checkout: {
-          requiresDelegation: true,
-          requiredScopes: ['cart:write', 'payment:execute'],
-          riskLevel: 'high'
-        },
-        greet: {
-          requiresDelegation: false,
-          requiredScopes: []
-        }
-      });
-
-      // Should have called the /config endpoint (not /tool-protections)
-      expect(global.fetch).toHaveBeenCalledWith(
-        expect.stringContaining('/config'),
-        expect.any(Object)
-      );
-    });
-
-    test('should use projectId-based /config endpoint when projectId is set', async () => {
-      const projectId = 'my-project-id';
-      config.projectId = projectId;
-      service = new ToolProtectionService(config, cache);
-
-      const mergedConfigResponse = {
-        success: true,
-        data: {
-          config: {
-            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
-            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
-            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
-            toolProtection: {
-              source: 'agentshield',
-              tools: {
-                greet: { requiresDelegation: true, requiredScopes: ['greeting:write'] }
-              }
-            },
-            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
-            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
-            platform: { type: 'node' },
-            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
-          }
-        }
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        text: async () => JSON.stringify(mergedConfigResponse),
-        json: async () => mergedConfigResponse,
-      });
-
-      await service.getToolProtectionConfig(mockAgentDid);
-
-      // Should call /api/v1/bouncer/projects/{projectId}/config
-      expect(global.fetch).toHaveBeenCalledWith(
-        `https://kya.vouched.id/api/v1/bouncer/projects/${encodeURIComponent(projectId)}/config`,
-        expect.any(Object)
-      );
-    });
-
-    test('should handle empty tools object from merged config', async () => {
-      const mergedConfigResponse = {
-        success: true,
-        data: {
-          config: {
-            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
-            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
-            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
-            toolProtection: {
-              source: 'agentshield',
-              tools: {} // No tools discovered yet
-            },
-            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
-            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
-            platform: { type: 'node' },
-            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
-          }
-        }
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        text: async () => JSON.stringify(mergedConfigResponse),
-        json: async () => mergedConfigResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections).toEqual({});
-    });
-  });
-
-  describe('checkToolProtection with merged config', () => {
-    test('should correctly identify protected tool from merged config', async () => {
-      const mergedConfigResponse = {
-        success: true,
-        data: {
-          config: {
-            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
-            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
-            delegation: { enabled: true, enforceStrictly: true, verifier: { type: 'agentshield' }, authorization: {} },
-            toolProtection: {
-              source: 'agentshield',
-              tools: {
-                checkout: {
-                  requiresDelegation: true,
-                  requiredScopes: ['checkout:execute'],
-                  riskLevel: 'high'
-                },
-                greet: {
-                  requiresDelegation: false,
-                  requiredScopes: []
-                }
-              }
-            },
-            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
-            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
-            platform: { type: 'cloudflare' },
-            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
-          }
-        }
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        text: async () => JSON.stringify(mergedConfigResponse),
-        json: async () => mergedConfigResponse,
-      });
-
-      // Protected tool should return protection details
-      const checkoutProtection = await service.checkToolProtection('checkout', mockAgentDid);
-      expect(checkoutProtection).toEqual({
-        requiresDelegation: true,
-        requiredScopes: ['checkout:execute'],
-        riskLevel: 'high'
-      });
-
-      // Unprotected tool should return null
-      const greetProtection = await service.checkToolProtection('greet', mockAgentDid);
-      expect(greetProtection).toBeNull();
-    });
-
-    test('should return null for unknown tool', async () => {
-      const mergedConfigResponse = {
-        success: true,
-        data: {
-          config: {
-            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
-            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
-            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
-            toolProtection: {
-              source: 'agentshield',
-              tools: {
-                greet: { requiresDelegation: false, requiredScopes: [] }
-              }
-            },
-            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
-            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
-            platform: { type: 'node' },
-            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
-          }
-        }
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        text: async () => JSON.stringify(mergedConfigResponse),
-        json: async () => mergedConfigResponse,
-      });
-
-      const unknownProtection = await service.checkToolProtection('unknown-tool', mockAgentDid);
-      expect(unknownProtection).toBeNull();
-    });
-  });
-
-  describe('Fallback behavior with merged config', () => {
-    test('should use fallback config when network error occurs', async () => {
-      const fallbackConfig: ToolProtectionConfig = {
-        toolProtections: {
-          greet: {
-            requiresDelegation: true,
-            requiredScopes: ['fallback:scope']
-          }
-        }
-      };
-
-      config.fallbackConfig = fallbackConfig;
-      service = new ToolProtectionService(config, cache);
-
-      // Network error (not HTTP error) triggers fallback
-      (global.fetch as any).mockRejectedValueOnce(new Error('Network error'));
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      expect(result.toolProtections.greet).toEqual({
-        requiresDelegation: true,
-        requiredScopes: ['fallback:scope']
-      });
-    });
-
-    test('should throw error when API returns HTTP error (500)', async () => {
-      // HTTP errors (4xx, 5xx) are intentionally propagated, not fallback
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: false,
-        status: 500,
-        statusText: 'Internal Server Error',
-        text: async () => 'Server error',
-      });
-
-      await expect(service.getToolProtectionConfig(mockAgentDid))
-        .rejects.toThrow('Failed to fetch bouncer config: 500');
-    });
-
-    test('should handle API returning config without tools field', async () => {
-      // Simulate old API format without tools field
-      const oldFormatResponse = {
-        success: true,
-        data: {
-          config: {
-            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
-            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
-            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
-            toolProtection: {
-              source: 'agentshield'
-              // No tools field - old format
-            },
-            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
-            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
-            platform: { type: 'node' },
-            metadata: { version: '1.5.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
-          }
-        }
-      };
-
-      const fallbackConfig: ToolProtectionConfig = {
-        toolProtections: {
-          greet: {
-            requiresDelegation: true,
-            requiredScopes: ['fallback:scope']
-          }
-        }
-      };
-
-      config.fallbackConfig = fallbackConfig;
-      service = new ToolProtectionService(config, cache);
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        text: async () => JSON.stringify(oldFormatResponse),
-        json: async () => oldFormatResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      // Should fallback to empty or use fallback config
-      // After implementation: should return empty tools or use fallback
-      expect(result.toolProtections).toBeDefined();
-    });
-  });
-
-  describe('Caching with merged config', () => {
-    test('should cache tool protections extracted from merged config', async () => {
-      const mergedConfigResponse = {
-        success: true,
-        data: {
-          config: {
-            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
-            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
-            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
-            toolProtection: {
-              source: 'agentshield',
-              tools: {
-                greet: { requiresDelegation: true, requiredScopes: ['greeting:write'] }
-              }
-            },
-            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
-            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
-            platform: { type: 'node' },
-            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
-          }
-        }
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        text: async () => JSON.stringify(mergedConfigResponse),
-        json: async () => mergedConfigResponse,
-      });
-
-      // First call - should fetch from API
-      await service.getToolProtectionConfig(mockAgentDid);
-      expect(global.fetch).toHaveBeenCalledTimes(1);
-
-      // Second call - should use cache
-      await service.getToolProtectionConfig(mockAgentDid);
-      expect(global.fetch).toHaveBeenCalledTimes(1); // No additional fetch
-    });
-
-    test('should respect cache TTL for merged config', async () => {
-      const mergedConfigResponse = {
-        success: true,
-        data: {
-          config: {
-            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
-            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
-            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
-            toolProtection: {
-              source: 'agentshield',
-              tools: {
-                greet: { requiresDelegation: true, requiredScopes: ['greeting:write'] }
-              }
-            },
-            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
-            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
-            platform: { type: 'node' },
-            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
-          }
-        }
-      };
-
-      // Use short TTL
-      config.cacheTtl = 100; // 100ms
-      service = new ToolProtectionService(config, cache);
-
-      (global.fetch as any).mockResolvedValue({
-        ok: true,
-        text: async () => JSON.stringify(mergedConfigResponse),
-        json: async () => mergedConfigResponse,
-      });
-
-      // First call
-      await service.getToolProtectionConfig(mockAgentDid);
-      expect(global.fetch).toHaveBeenCalledTimes(1);
-
-      // Wait for cache to expire
-      await new Promise(resolve => setTimeout(resolve, 150));
-
-      // Second call - should fetch again (cache expired)
-      await service.getToolProtectionConfig(mockAgentDid);
-      expect(global.fetch).toHaveBeenCalledTimes(2);
-    });
-  });
-
-  describe('Backward compatibility - /tool-protections response format', () => {
-    test('should still handle legacy /tool-protections response format if encountered', async () => {
-      // This tests backward compatibility during transition period
-      // The service might encounter the old response format
-      const legacyResponse = {
-        success: true,
-        data: {
-          toolProtections: {
-            greet: { requiresDelegation: true, requiredScopes: ['greeting:write'] }
-          }
-        },
-        metadata: {
-          timestamp: new Date().toISOString(),
-          cachedUntil: new Date(Date.now() + 60000).toISOString()
-        }
-      };
-
-      (global.fetch as any).mockResolvedValueOnce({
-        ok: true,
-        text: async () => JSON.stringify(legacyResponse),
-        json: async () => legacyResponse,
-      });
-
-      const result = await service.getToolProtectionConfig(mockAgentDid);
-
-      // Should still work with legacy format
-      expect(result.toolProtections.greet).toEqual({
-        requiresDelegation: true,
-        requiredScopes: ['greeting:write']
-      });
-    });
-  });
-});
-