@kya-os/mcp-i-core 1.3.13 → 1.3.15

package/src/services/__tests__/access-control.integration.test.ts

@@ -1,443 +0,0 @@
-/**
- * Integration Tests for AccessControlApiService and ProofVerifier
- *
- * End-to-end integration tests covering:
- * - Delegation verification flow with AccessControlApiService
- * - Proof submission flow with AccessControlApiService
- * - Proof verification with ProofVerifier
- * - Runtime integration with service injection
- */
-
-import { describe, it, expect, beforeEach, vi } from "vitest";
-import { AccessControlApiService } from "../access-control.service.js";
-import { ProofVerifier } from "../proof-verifier.js";
-import { MCPIRuntimeBase } from "../../runtime/base.js";
-import {
-  createMockProviders,
-  MockFetchProvider,
-} from "../../__tests__/utils/mock-providers.js";
-import type { ProviderRuntimeConfig } from "../../config.js";
-import type { DetachedProof } from "@kya-os/contracts/proof";
-import type {
-  VerifyDelegationRequest,
-  ProofSubmissionRequest,
-  ProofSubmissionResponse,
-} from "@kya-os/contracts/agentshield-api";
-import { AgentShieldAPIError } from "@kya-os/contracts/agentshield-api";
-
-describe("AccessControlApiService Integration", () => {
-  let accessControlService: AccessControlApiService;
-  let proofVerifier: ProofVerifier;
-  let runtime: MCPIRuntimeBase;
-  let mockFetchProvider: MockFetchProvider;
-  let mockProviders: ReturnType<typeof createMockProviders>;
-
-  beforeEach(() => {
-    mockProviders = createMockProviders();
-    mockFetchProvider = mockProviders.fetchProvider as MockFetchProvider;
-
-    // Reset fetch mock before each test
-    vi.clearAllMocks();
-    mockFetchProvider.fetch.mockClear();
-
-    accessControlService = new AccessControlApiService({
-      baseUrl: "https://api.example.com",
-      apiKey: "test-api-key",
-      fetchProvider: mockFetchProvider,
-      logger: vi.fn(),
-    });
-
-    proofVerifier = new ProofVerifier({
-      cryptoProvider: mockProviders.cryptoProvider,
-      clockProvider: mockProviders.clockProvider,
-      nonceCacheProvider: mockProviders.nonceCacheProvider,
-      fetchProvider: mockFetchProvider,
-      timestampSkewSeconds: 120,
-    });
-
-    const config: ProviderRuntimeConfig = {
-      ...mockProviders,
-      environment: "development",
-      session: {
-        timestampSkewSeconds: 120,
-        ttlMinutes: 30,
-      },
-    };
-
-    runtime = new MCPIRuntimeBase(config);
-    (runtime as any).proofVerifier = proofVerifier;
-    (runtime as any).accessControlService = accessControlService;
-  });
-
-  describe("Delegation Verification Flow", () => {
-    it("should verify delegation end-to-end", async () => {
-      const request: VerifyDelegationRequest = {
-        agent_did: "did:key:z123",
-        scopes: ["scope1", "scope2"],
-      };
-
-      const mockResponse = {
-        success: true,
-        data: {
-          valid: true,
-          delegation_id: "123e4567-e89b-12d3-a456-426614174000", // Valid UUID format
-          credential: {
-            agent_did: "did:key:z123",
-            scopes: ["scope1", "scope2"],
-            issued_at: Math.floor(Date.now() / 1000), // Unix timestamp (positive integer)
-            created_at: Math.floor(Date.now() / 1000), // Unix timestamp (positive integer)
-          },
-        },
-        metadata: {
-          requestId: "test-request-id",
-          timestamp: new Date().toISOString(),
-        },
-      };
-
-      mockFetchProvider.fetch.mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { "Content-Type": "application/json" },
-        })
-      );
-
-      const result = await accessControlService.verifyDelegation(request);
-
-      expect(result.data.valid).toBe(true);
-      expect(result.data.delegation_id).toBe(
-        "123e4567-e89b-12d3-a456-426614174000"
-      );
-      expect(result.data.credential?.scopes).toEqual(["scope1", "scope2"]);
-    });
-
-    it("should handle delegation verification failure", async () => {
-      const request: VerifyDelegationRequest = {
-        agent_did: "did:key:z123",
-        scopes: ["scope1"],
-      };
-
-      const mockResponse = {
-        success: true,
-        data: {
-          valid: false,
-          reason: "No delegation found for agent",
-        },
-        metadata: {
-          requestId: "test-request-id",
-          timestamp: new Date().toISOString(),
-        },
-      };
-
-      mockFetchProvider.fetch.mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { "Content-Type": "application/json" },
-        })
-      );
-
-      const result = await accessControlService.verifyDelegation(request);
-
-      expect(result.data.valid).toBe(false);
-      expect(result.data.reason).toBe("No delegation found for agent");
-    });
-  });
-
-  describe("Proof Submission Flow", () => {
-    it("should submit proof end-to-end", async () => {
-      const proof: DetachedProof = {
-        jws: "header.payload.signature",
-        meta: {
-          did: "did:key:z123",
-          kid: "did:key:z123#key-1",
-          ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
-          nonce: "nonce-123",
-          audience: "mcp-client",
-          sessionId: "session-123",
-          requestHash: "sha256:" + "a".repeat(64),
-          responseHash: "sha256:" + "b".repeat(64),
-        },
-      };
-
-      const request = {
-        session_id: "550e8400-e29b-41d4-a716-446655440000", // Valid UUID
-        delegation_id: "123e4567-e89b-12d3-a456-426614174000", // Valid UUID format
-        proofs: [proof],
-        context: {
-          toolCalls: [
-            {
-              tool: "testTool",
-              args: { param: "value" },
-              scopeId: "testTool:execute",
-            },
-          ],
-        },
-      } as ProofSubmissionRequest;
-
-      const mockResponse = {
-        success: true,
-        accepted: 1,
-        rejected: 0,
-        outcomes: {
-          success: 1,
-          failed: 0,
-          blocked: 0,
-          error: 0,
-        },
-      };
-
-      mockFetchProvider.fetch.mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { "Content-Type": "application/json" },
-        })
-      );
-
-      const result = await accessControlService.submitProofs(request);
-
-      // Type assertion needed due to TypeScript type resolution issues with outdated node_modules types
-      // The actual runtime type has accepted/rejected/outcomes, but node_modules has old types
-      const typedResult = result as unknown as {
-        success: boolean;
-        accepted: number;
-        rejected: number;
-        outcomes: Record<string, number>;
-        errors?: Array<{
-          proof_index: number;
-          error: { code: string; message: string };
-        }>;
-      };
-      expect(typedResult.accepted).toBe(1);
-      expect(typedResult.rejected).toBe(0);
-      expect(typedResult.outcomes.success).toBe(1);
-    });
-
-    it("should handle proof submission with errors", async () => {
-      const proof: DetachedProof = {
-        jws: "invalid.jws.signature",
-        meta: {
-          did: "did:key:z123",
-          kid: "did:key:z123#key-1",
-          ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
-          nonce: "nonce-123",
-          audience: "mcp-client",
-          sessionId: "session-123",
-          requestHash: "sha256:" + "a".repeat(64),
-          responseHash: "sha256:" + "b".repeat(64),
-        },
-      };
-
-      const request: ProofSubmissionRequest = {
-        session_id: "550e8400-e29b-41d4-a716-446655440000", // Valid UUID
-        delegation_id: null, // Explicitly set to null for optional field
-        proofs: [proof],
-      };
-
-      const mockResponse = {
-        success: true,
-        accepted: 0,
-        rejected: 1,
-        outcomes: {
-          success: 0,
-          failed: 1,
-          blocked: 0,
-          error: 0,
-        },
-        errors: [
-          {
-            proof_index: 0,
-            error: {
-              code: "invalid_signature",
-              message: "Invalid JWS signature",
-            },
-          },
-        ],
-      };
-
-      mockFetchProvider.fetch.mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { "Content-Type": "application/json" },
-        })
-      );
-
-      const result = await accessControlService.submitProofs(request);
-
-      // Type assertion needed due to TypeScript type resolution issues with outdated node_modules types
-      // The actual runtime type has accepted/rejected/outcomes, but node_modules has old types
-      const typedResult = result as unknown as {
-        success: boolean;
-        accepted: number;
-        rejected: number;
-        outcomes: Record<string, number>;
-        errors?: Array<{
-          proof_index: number;
-          error: { code: string; message: string };
-        }>;
-      };
-      expect(typedResult.accepted).toBe(0);
-      expect(typedResult.rejected).toBe(1);
-      expect(typedResult.errors).toBeDefined();
-      expect(typedResult.errors?.length).toBe(1);
-    });
-  });
-
-  describe("Proof Verification Flow", () => {
-    it("should verify proof using ProofVerifier", async () => {
-      // Set up DID document for resolution
-      const didDoc = {
-        id: "did:key:z123",
-        verificationMethod: [
-          {
-            id: "did:key:z123#key-1",
-            type: "JsonWebKey2020",
-            publicKeyJwk: {
-              kty: "OKP",
-              crv: "Ed25519",
-              x: "VCpo2LMLhn6iWku8MKvSLg2ZAoC-nlOyPVQaO3FxVeQ",
-            },
-          },
-        ],
-      };
-
-      mockFetchProvider.setDIDDocument("did:key:z123", didDoc);
-
-      const proof: DetachedProof = {
-        jws: "header.payload.signature",
-        meta: {
-          did: "did:key:z123",
-          kid: "did:key:z123#key-1",
-          ts: Math.floor(Date.now() / 1000), // Unix timestamp in seconds
-          nonce: "nonce-123",
-          audience: "mcp-client",
-          sessionId: "session-123",
-          requestHash: "sha256:" + "a".repeat(64),
-          responseHash: "sha256:" + "b".repeat(64),
-        },
-      };
-
-      // Note: This test would require actual cryptographic verification
-      // For now, we test the flow structure
-      const publicKeyJwk = didDoc.verificationMethod[0].publicKeyJwk as {
-        kty: "OKP";
-        crv: "Ed25519";
-        x: string;
-      };
-
-      // Mock nonce cache to return false (nonce not seen)
-      vi.spyOn(mockProviders.nonceCacheProvider, "has").mockResolvedValue(
-        false
-      );
-
-      const result = await proofVerifier.verifyProof(proof, publicKeyJwk);
-
-      // Result will depend on actual signature verification
-      expect(result).toBeDefined();
-      expect("valid" in result).toBe(true);
-    });
-  });
-
-  describe("Runtime Integration", () => {
-    it("should use AccessControlApiService from runtime", async () => {
-      const request: VerifyDelegationRequest = {
-        agent_did: "did:key:z123",
-        scopes: ["scope1"],
-      };
-
-      const mockResponse = {
-        success: true,
-        data: { valid: true },
-        metadata: {
-          requestId: "test-request-id",
-          timestamp: new Date().toISOString(),
-        },
-      };
-
-      mockFetchProvider.fetch.mockResolvedValue(
-        new Response(JSON.stringify(mockResponse), {
-          status: 200,
-          headers: { "Content-Type": "application/json" },
-        })
-      );
-
-      const runtimeService = (runtime as any)
-        .accessControlService as AccessControlApiService;
-
-      expect(runtimeService).toBeDefined();
-      const result = await runtimeService.verifyDelegation(request);
-      expect(result.data.valid).toBe(true);
-    });
-
-    it("should use ProofVerifier from runtime", async () => {
-      const runtimeVerifier = (runtime as any).proofVerifier as ProofVerifier;
-      expect(runtimeVerifier).toBeDefined();
-
-      // Verify it's the same instance
-      expect(runtimeVerifier).toBe(proofVerifier);
-    });
-  });
-
-  describe("Error Handling and Retry", () => {
-    it("should retry on transient errors", async () => {
-      const request: VerifyDelegationRequest = {
-        agent_did: "did:key:z123",
-        scopes: ["scope1"],
-      };
-
-      const mockResponse = {
-        success: true,
-        data: { valid: true },
-        metadata: {
-          requestId: "test-request-id",
-          timestamp: new Date().toISOString(),
-        },
-      };
-
-      // First call fails with 500, second succeeds
-      mockFetchProvider.fetch
-        .mockResolvedValueOnce(
-          new Response("Internal Server Error", { status: 500 })
-        )
-        .mockResolvedValueOnce(
-          new Response(JSON.stringify(mockResponse), {
-            status: 200,
-            headers: { "Content-Type": "application/json" },
-          })
-        );
-
-      const result = await accessControlService.verifyDelegation(request);
-
-      expect(result.data.valid).toBe(true);
-      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(2);
-    });
-
-    it("should not retry on client errors", async () => {
-      const request: VerifyDelegationRequest = {
-        agent_did: "did:key:z123",
-        scopes: ["scope1"],
-      };
-
-      mockFetchProvider.fetch.mockResolvedValue(
-        new Response(
-          JSON.stringify({
-            success: false,
-            error: {
-              code: "validation_error",
-              message: "Invalid request",
-            },
-          }),
-          {
-            status: 400,
-            headers: { "Content-Type": "application/json" },
-          }
-        )
-      );
-
-      await expect(
-        accessControlService.verifyDelegation(request)
-      ).rejects.toThrow(AgentShieldAPIError);
-
-      // Should not retry
-      expect(mockFetchProvider.fetch).toHaveBeenCalledTimes(1);
-    });
-  });
-});