@kya-os/mcp-i-core 1.3.7-canary.clientinfo.20251126041014 → 1.3.8-canary.0

package/src/__tests__/services/tool-protection-merged-config.test.ts

@@ -0,0 +1,485 @@
+/**
+ * ToolProtectionService Tests - Merged Config Format
+ *
+ * TDD tests for ToolProtectionService consuming the new merged config API
+ * where tool protections are embedded at config.toolProtection.tools.
+ *
+ * These tests document the expected behavior BEFORE implementation.
+ * The service should fetch from /config endpoint and extract tool protections
+ * from the embedded tools field.
+ *
+ * @since 1.6.0
+ */
+
+import { describe, test, expect, beforeEach, vi, afterEach } from 'vitest';
+import { ToolProtectionService } from '../../services/tool-protection.service';
+import {
+  InMemoryToolProtectionCache,
+  type ToolProtectionCache,
+} from '../../cache/tool-protection-cache';
+import type {
+  ToolProtectionServiceConfig,
+  ToolProtectionConfig,
+} from '../../types/tool-protection';
+
+// Mock global fetch
+global.fetch = vi.fn();
+
+describe('ToolProtectionService - Merged Config API', () => {
+  let service: ToolProtectionService;
+  let cache: ToolProtectionCache;
+  let config: ToolProtectionServiceConfig;
+  const mockAgentDid = 'did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK';
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    cache = new InMemoryToolProtectionCache();
+    config = {
+      apiUrl: 'https://kya.vouched.id',
+      apiKey: 'test-api-key-12345',
+      projectId: 'test-project-123',
+      cacheTtl: 300000,
+      debug: false,
+    };
+    service = new ToolProtectionService(config, cache);
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe('Fetching from /config endpoint with embedded tools', () => {
+    test('should fetch from /config endpoint and extract toolProtection.tools', async () => {
+      // New merged config API response format
+      const mergedConfigResponse = {
+        success: true,
+        data: {
+          config: {
+            identity: {
+              serverDid: 'did:key:test',
+              environment: 'production',
+              storageLocation: 'cloudflare-kv'
+            },
+            proofing: {
+              enabled: true,
+              destinations: [],
+              batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 }
+            },
+            delegation: {
+              enabled: true,
+              enforceStrictly: true,
+              verifier: { type: 'agentshield' },
+              authorization: {}
+            },
+            toolProtection: {
+              source: 'agentshield',
+              tools: {
+                checkout: {
+                  requiresDelegation: true,
+                  requiredScopes: ['cart:write', 'payment:execute'],
+                  riskLevel: 'high'
+                },
+                greet: {
+                  requiresDelegation: false,
+                  requiredScopes: []
+                }
+              }
+            },
+            audit: { enabled: true, includeProofHashes: true, includePayloads: false },
+            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
+            platform: { type: 'cloudflare' },
+            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
+          }
+        },
+        metadata: {
+          timestamp: new Date().toISOString(),
+          cachedUntil: new Date(Date.now() + 60000).toISOString()
+        }
+      };
+
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        text: async () => JSON.stringify(mergedConfigResponse),
+        json: async () => mergedConfigResponse,
+      });
+
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+
+      // Should extract tool protections from embedded field
+      expect(result.toolProtections).toEqual({
+        checkout: {
+          requiresDelegation: true,
+          requiredScopes: ['cart:write', 'payment:execute'],
+          riskLevel: 'high'
+        },
+        greet: {
+          requiresDelegation: false,
+          requiredScopes: []
+        }
+      });
+
+      // Should have called the /config endpoint (not /tool-protections)
+      expect(global.fetch).toHaveBeenCalledWith(
+        expect.stringContaining('/config'),
+        expect.any(Object)
+      );
+    });
+
+    test('should use projectId-based /config endpoint when projectId is set', async () => {
+      const projectId = 'my-project-id';
+      config.projectId = projectId;
+      service = new ToolProtectionService(config, cache);
+
+      const mergedConfigResponse = {
+        success: true,
+        data: {
+          config: {
+            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
+            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
+            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
+            toolProtection: {
+              source: 'agentshield',
+              tools: {
+                greet: { requiresDelegation: true, requiredScopes: ['greeting:write'] }
+              }
+            },
+            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
+            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
+            platform: { type: 'node' },
+            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
+          }
+        }
+      };
+
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        text: async () => JSON.stringify(mergedConfigResponse),
+        json: async () => mergedConfigResponse,
+      });
+
+      await service.getToolProtectionConfig(mockAgentDid);
+
+      // Should call /api/v1/bouncer/projects/{projectId}/config
+      expect(global.fetch).toHaveBeenCalledWith(
+        `https://kya.vouched.id/api/v1/bouncer/projects/${encodeURIComponent(projectId)}/config`,
+        expect.any(Object)
+      );
+    });
+
+    test('should handle empty tools object from merged config', async () => {
+      const mergedConfigResponse = {
+        success: true,
+        data: {
+          config: {
+            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
+            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
+            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
+            toolProtection: {
+              source: 'agentshield',
+              tools: {} // No tools discovered yet
+            },
+            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
+            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
+            platform: { type: 'node' },
+            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
+          }
+        }
+      };
+
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        text: async () => JSON.stringify(mergedConfigResponse),
+        json: async () => mergedConfigResponse,
+      });
+
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+
+      expect(result.toolProtections).toEqual({});
+    });
+  });
+
+  describe('checkToolProtection with merged config', () => {
+    test('should correctly identify protected tool from merged config', async () => {
+      const mergedConfigResponse = {
+        success: true,
+        data: {
+          config: {
+            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
+            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
+            delegation: { enabled: true, enforceStrictly: true, verifier: { type: 'agentshield' }, authorization: {} },
+            toolProtection: {
+              source: 'agentshield',
+              tools: {
+                checkout: {
+                  requiresDelegation: true,
+                  requiredScopes: ['checkout:execute'],
+                  riskLevel: 'high'
+                },
+                greet: {
+                  requiresDelegation: false,
+                  requiredScopes: []
+                }
+              }
+            },
+            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
+            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
+            platform: { type: 'cloudflare' },
+            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
+          }
+        }
+      };
+
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        text: async () => JSON.stringify(mergedConfigResponse),
+        json: async () => mergedConfigResponse,
+      });
+
+      // Protected tool should return protection details
+      const checkoutProtection = await service.checkToolProtection('checkout', mockAgentDid);
+      expect(checkoutProtection).toEqual({
+        requiresDelegation: true,
+        requiredScopes: ['checkout:execute'],
+        riskLevel: 'high'
+      });
+
+      // Unprotected tool should return null
+      const greetProtection = await service.checkToolProtection('greet', mockAgentDid);
+      expect(greetProtection).toBeNull();
+    });
+
+    test('should return null for unknown tool', async () => {
+      const mergedConfigResponse = {
+        success: true,
+        data: {
+          config: {
+            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
+            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
+            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
+            toolProtection: {
+              source: 'agentshield',
+              tools: {
+                greet: { requiresDelegation: false, requiredScopes: [] }
+              }
+            },
+            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
+            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
+            platform: { type: 'node' },
+            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
+          }
+        }
+      };
+
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        text: async () => JSON.stringify(mergedConfigResponse),
+        json: async () => mergedConfigResponse,
+      });
+
+      const unknownProtection = await service.checkToolProtection('unknown-tool', mockAgentDid);
+      expect(unknownProtection).toBeNull();
+    });
+  });
+
+  describe('Fallback behavior with merged config', () => {
+    test('should use fallback config when network error occurs', async () => {
+      const fallbackConfig: ToolProtectionConfig = {
+        toolProtections: {
+          greet: {
+            requiresDelegation: true,
+            requiredScopes: ['fallback:scope']
+          }
+        }
+      };
+
+      config.fallbackConfig = fallbackConfig;
+      service = new ToolProtectionService(config, cache);
+
+      // Network error (not HTTP error) triggers fallback
+      (global.fetch as any).mockRejectedValueOnce(new Error('Network error'));
+
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+
+      expect(result.toolProtections.greet).toEqual({
+        requiresDelegation: true,
+        requiredScopes: ['fallback:scope']
+      });
+    });
+
+    test('should throw error when API returns HTTP error (500)', async () => {
+      // HTTP errors (4xx, 5xx) are intentionally propagated, not fallback
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: false,
+        status: 500,
+        statusText: 'Internal Server Error',
+        text: async () => 'Server error',
+      });
+
+      await expect(service.getToolProtectionConfig(mockAgentDid))
+        .rejects.toThrow('Failed to fetch bouncer config: 500');
+    });
+
+    test('should handle API returning config without tools field', async () => {
+      // Simulate old API format without tools field
+      const oldFormatResponse = {
+        success: true,
+        data: {
+          config: {
+            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
+            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
+            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
+            toolProtection: {
+              source: 'agentshield'
+              // No tools field - old format
+            },
+            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
+            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
+            platform: { type: 'node' },
+            metadata: { version: '1.5.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
+          }
+        }
+      };
+
+      const fallbackConfig: ToolProtectionConfig = {
+        toolProtections: {
+          greet: {
+            requiresDelegation: true,
+            requiredScopes: ['fallback:scope']
+          }
+        }
+      };
+
+      config.fallbackConfig = fallbackConfig;
+      service = new ToolProtectionService(config, cache);
+
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        text: async () => JSON.stringify(oldFormatResponse),
+        json: async () => oldFormatResponse,
+      });
+
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+
+      // Should fallback to empty or use fallback config
+      // After implementation: should return empty tools or use fallback
+      expect(result.toolProtections).toBeDefined();
+    });
+  });
+
+  describe('Caching with merged config', () => {
+    test('should cache tool protections extracted from merged config', async () => {
+      const mergedConfigResponse = {
+        success: true,
+        data: {
+          config: {
+            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
+            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
+            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
+            toolProtection: {
+              source: 'agentshield',
+              tools: {
+                greet: { requiresDelegation: true, requiredScopes: ['greeting:write'] }
+              }
+            },
+            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
+            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
+            platform: { type: 'node' },
+            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
+          }
+        }
+      };
+
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        text: async () => JSON.stringify(mergedConfigResponse),
+        json: async () => mergedConfigResponse,
+      });
+
+      // First call - should fetch from API
+      await service.getToolProtectionConfig(mockAgentDid);
+      expect(global.fetch).toHaveBeenCalledTimes(1);
+
+      // Second call - should use cache
+      await service.getToolProtectionConfig(mockAgentDid);
+      expect(global.fetch).toHaveBeenCalledTimes(1); // No additional fetch
+    });
+
+    test('should respect cache TTL for merged config', async () => {
+      const mergedConfigResponse = {
+        success: true,
+        data: {
+          config: {
+            identity: { serverDid: 'did:key:test', environment: 'production', storageLocation: 'cloudflare-kv' },
+            proofing: { enabled: false, destinations: [], batchQueue: { maxBatchSize: 10, flushIntervalMs: 5000, maxRetries: 3 } },
+            delegation: { enabled: false, enforceStrictly: false, verifier: { type: 'memory' }, authorization: {} },
+            toolProtection: {
+              source: 'agentshield',
+              tools: {
+                greet: { requiresDelegation: true, requiredScopes: ['greeting:write'] }
+              }
+            },
+            audit: { enabled: false, includeProofHashes: false, includePayloads: false },
+            session: { timestampSkewSeconds: 120, ttlMinutes: 30 },
+            platform: { type: 'node' },
+            metadata: { version: '1.6.0', lastUpdated: new Date().toISOString(), source: 'dashboard' }
+          }
+        }
+      };
+
+      // Use short TTL
+      config.cacheTtl = 100; // 100ms
+      service = new ToolProtectionService(config, cache);
+
+      (global.fetch as any).mockResolvedValue({
+        ok: true,
+        text: async () => JSON.stringify(mergedConfigResponse),
+        json: async () => mergedConfigResponse,
+      });
+
+      // First call
+      await service.getToolProtectionConfig(mockAgentDid);
+      expect(global.fetch).toHaveBeenCalledTimes(1);
+
+      // Wait for cache to expire
+      await new Promise(resolve => setTimeout(resolve, 150));
+
+      // Second call - should fetch again (cache expired)
+      await service.getToolProtectionConfig(mockAgentDid);
+      expect(global.fetch).toHaveBeenCalledTimes(2);
+    });
+  });
+
+  describe('Backward compatibility - /tool-protections response format', () => {
+    test('should still handle legacy /tool-protections response format if encountered', async () => {
+      // This tests backward compatibility during transition period
+      // The service might encounter the old response format
+      const legacyResponse = {
+        success: true,
+        data: {
+          toolProtections: {
+            greet: { requiresDelegation: true, requiredScopes: ['greeting:write'] }
+          }
+        },
+        metadata: {
+          timestamp: new Date().toISOString(),
+          cachedUntil: new Date(Date.now() + 60000).toISOString()
+        }
+      };
+
+      (global.fetch as any).mockResolvedValueOnce({
+        ok: true,
+        text: async () => JSON.stringify(legacyResponse),
+        json: async () => legacyResponse,
+      });
+
+      const result = await service.getToolProtectionConfig(mockAgentDid);
+
+      // Should still work with legacy format
+      expect(result.toolProtections.greet).toEqual({
+        requiresDelegation: true,
+        requiredScopes: ['greeting:write']
+      });
+    });
+  });
+});
+

package/src/__tests__/services/tool-protection.service.test.ts

@@ -113,23 +113,29 @@ describe('ToolProtectionService', () => {
       });
     });
 
-    describe('API fetch - new endpoint format', () => {
-      test('should fetch from project-scoped endpoint when projectId is available', async () => {
+    describe('API fetch - merged config format', () => {
+      test('should fetch from project-scoped /config endpoint when projectId is available', async () => {
         const projectId = 'test-project-123';
         config.projectId = projectId;
         service = new ToolProtectionService(config, cache);
 
+        // Merged config format - tools embedded at config.toolProtection.tools
         const apiResponse = {
           success: true,
           data: {
-            toolProtections: {
-              checkout: {
-                requiresDelegation: true,
-                requiredScopes: ['cart:write'],
-              },
-              search: {
-                requiresDelegation: false,
-                requiredScopes: [],
+            config: {
+              toolProtection: {
+                source: 'agentshield',
+                tools: {
+                  checkout: {
+                    requiresDelegation: true,
+                    requiredScopes: ['cart:write'],
+                  },
+                  search: {
+                    requiresDelegation: false,
+                    requiredScopes: [],
+                  },
+                },
               },
             },
           },
@@ -146,8 +152,9 @@ describe('ToolProtectionService', () => {
 
         const result = await service.getToolProtectionConfig(mockAgentDid);
 
+        // Now calls /config endpoint (not /tool-protections)
         expect(global.fetch).toHaveBeenCalledWith(
-          `https://kya.vouched.id/api/v1/bouncer/projects/${encodeURIComponent(projectId)}/tool-protections`,
+          `https://kya.vouched.id/api/v1/bouncer/projects/${encodeURIComponent(projectId)}/config`,
           expect.objectContaining({
             method: 'GET',
             headers: expect.objectContaining({