@kya-os/mcp-i 0.1.0-alpha.3.9 → 1.2.0

package/dist/cache/__tests__/cloudflare-kv-nonce-cache.test.js

@@ -0,0 +1,176 @@
+"use strict";
+/**
+ * Tests for Cloudflare KV Nonce Cache
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const cloudflare_kv_nonce_cache_js_1 = require("../cloudflare-kv-nonce-cache.js");
+// Mock Cloudflare KV namespace
+const mockKV = {
+    get: vitest_1.vi.fn(),
+    getWithMetadata: vitest_1.vi.fn(),
+    put: vitest_1.vi.fn(),
+    delete: vitest_1.vi.fn(),
+};
+(0, vitest_1.describe)("CloudflareKVNonceCache", () => {
+    let cache;
+    (0, vitest_1.beforeEach)(() => {
+        vitest_1.vi.clearAllMocks();
+        cache = new cloudflare_kv_nonce_cache_js_1.CloudflareKVNonceCache(mockKV, "test:");
+    });
+    (0, vitest_1.describe)("Basic Operations", () => {
+        (0, vitest_1.it)("should add and check nonce existence", async () => {
+            const nonce = "test-nonce-123";
+            // Mock KV responses
+            mockKV.get.mockResolvedValue(null); // doesn't exist initially
+            mockKV.put.mockResolvedValue(undefined); // successful put
+            // Initially should not exist
+            (0, vitest_1.expect)(await cache.has(nonce)).toBe(false);
+            (0, vitest_1.expect)(mockKV.get).toHaveBeenCalledWith("test:test-nonce-123");
+            // Mock getWithMetadata for add operation
+            mockKV.getWithMetadata.mockResolvedValue({ value: null, metadata: null });
+            // Add nonce
+            await cache.add(nonce, 60);
+            (0, vitest_1.expect)(mockKV.put).toHaveBeenCalledWith("test:test-nonce-123", vitest_1.expect.stringContaining('"nonce":"test-nonce-123"'), { expirationTtl: 60 });
+            // Mock that it now exists and is valid
+            const futureTime = Date.now() + 50000;
+            mockKV.get.mockResolvedValue(JSON.stringify({
+                nonce,
+                expiresAt: futureTime,
+                createdAt: Date.now(),
+            }));
+            (0, vitest_1.expect)(await cache.has(nonce)).toBe(true);
+        });
+        (0, vitest_1.it)("should handle expired nonces correctly", async () => {
+            const nonce = "expired-nonce";
+            // Mock expired nonce data
+            const pastTime = Date.now() - 10000;
+            mockKV.get.mockResolvedValue(JSON.stringify({
+                nonce,
+                expiresAt: pastTime,
+                createdAt: Date.now() - 20000,
+            }));
+            mockKV.delete.mockResolvedValue(undefined);
+            // Should return false and clean up expired entry
+            (0, vitest_1.expect)(await cache.has(nonce)).toBe(false);
+            (0, vitest_1.expect)(mockKV.delete).toHaveBeenCalledWith("test:expired-nonce");
+        });
+        (0, vitest_1.it)("should handle corrupted data gracefully", async () => {
+            const nonce = "corrupted-nonce";
+            // Mock corrupted JSON data
+            mockKV.get.mockResolvedValue("invalid-json");
+            mockKV.delete.mockResolvedValue(undefined);
+            // Should return false and clean up corrupted entry
+            (0, vitest_1.expect)(await cache.has(nonce)).toBe(false);
+            (0, vitest_1.expect)(mockKV.delete).toHaveBeenCalledWith("test:corrupted-nonce");
+        });
+    });
+    (0, vitest_1.describe)("Atomic Operations with getWithMetadata", () => {
+        (0, vitest_1.it)("should use getWithMetadata for better atomicity when available", async () => {
+            const nonce = "atomic-test-nonce";
+            // Mock getWithMetadata returning no existing value
+            mockKV.getWithMetadata.mockResolvedValue({ value: null, metadata: null });
+            mockKV.put.mockResolvedValue(undefined);
+            await cache.add(nonce, 60);
+            (0, vitest_1.expect)(mockKV.getWithMetadata).toHaveBeenCalledWith("test:atomic-test-nonce");
+            (0, vitest_1.expect)(mockKV.put).toHaveBeenCalled();
+        });
+        (0, vitest_1.it)("should prevent duplicate addition with getWithMetadata", async () => {
+            const nonce = "duplicate-nonce";
+            // Mock existing valid nonce
+            const futureTime = Date.now() + 50000;
+            mockKV.getWithMetadata.mockResolvedValue({
+                value: JSON.stringify({
+                    nonce,
+                    expiresAt: futureTime,
+                    createdAt: Date.now(),
+                }),
+                metadata: null,
+            });
+            await (0, vitest_1.expect)(cache.add(nonce, 60)).rejects.toThrow("Nonce duplicate-nonce already exists - potential replay attack");
+        });
+        (0, vitest_1.it)("should allow overwrite of expired nonce with getWithMetadata", async () => {
+            const nonce = "expired-overwrite-nonce";
+            // Mock existing expired nonce
+            const pastTime = Date.now() - 10000;
+            mockKV.getWithMetadata.mockResolvedValue({
+                value: JSON.stringify({
+                    nonce,
+                    expiresAt: pastTime,
+                    createdAt: Date.now() - 20000,
+                }),
+                metadata: null,
+            });
+            mockKV.put.mockResolvedValue(undefined);
+            // Should succeed in overwriting expired nonce
+            await (0, vitest_1.expect)(cache.add(nonce, 60)).resolves.not.toThrow();
+            (0, vitest_1.expect)(mockKV.put).toHaveBeenCalled();
+        });
+    });
+    (0, vitest_1.describe)("Fallback to Basic Operations", () => {
+        (0, vitest_1.it)("should fall back to basic operations when getWithMetadata fails", async () => {
+            const nonce = "fallback-nonce";
+            // Mock getWithMetadata throwing error
+            const getWithMetadataError = new Error("getWithMetadata is not available");
+            mockKV.getWithMetadata.mockRejectedValue(getWithMetadataError);
+            // Mock basic operations
+            mockKV.get.mockResolvedValue(null);
+            mockKV.put.mockResolvedValue(undefined);
+            await cache.add(nonce, 60);
+            // Should have fallen back to basic has() check
+            (0, vitest_1.expect)(mockKV.get).toHaveBeenCalledWith("test:fallback-nonce");
+            (0, vitest_1.expect)(mockKV.put).toHaveBeenCalled();
+        });
+        (0, vitest_1.it)("should prevent duplicate addition in fallback mode", async () => {
+            const nonce = "fallback-duplicate-nonce";
+            // Mock getWithMetadata not available
+            const getWithMetadataError = new Error("getWithMetadata is not available");
+            mockKV.getWithMetadata.mockRejectedValue(getWithMetadataError);
+            // Mock existing nonce in basic mode
+            const futureTime = Date.now() + 50000;
+            mockKV.get.mockResolvedValue(JSON.stringify({
+                nonce,
+                expiresAt: futureTime,
+                createdAt: Date.now(),
+            }));
+            await (0, vitest_1.expect)(cache.add(nonce, 60)).rejects.toThrow("Nonce fallback-duplicate-nonce already exists - potential replay attack");
+        });
+    });
+    (0, vitest_1.describe)("Error Handling", () => {
+        (0, vitest_1.it)("should propagate unexpected errors", async () => {
+            const nonce = "error-nonce";
+            const unexpectedError = new Error("Network error");
+            mockKV.getWithMetadata.mockRejectedValue(unexpectedError);
+            await (0, vitest_1.expect)(cache.add(nonce, 60)).rejects.toThrow("Network error");
+        });
+        (0, vitest_1.it)("should handle KV operation failures gracefully", async () => {
+            const nonce = "kv-error-nonce";
+            mockKV.get.mockRejectedValue(new Error("KV service unavailable"));
+            // has() should handle KV errors gracefully
+            await (0, vitest_1.expect)(cache.has(nonce)).rejects.toThrow("KV service unavailable");
+        });
+    });
+    (0, vitest_1.describe)("Cleanup", () => {
+        (0, vitest_1.it)("should be a no-op since KV handles expiry", async () => {
+            // cleanup() should not call any KV methods
+            await cache.cleanup();
+            (0, vitest_1.expect)(mockKV.get).not.toHaveBeenCalled();
+            (0, vitest_1.expect)(mockKV.put).not.toHaveBeenCalled();
+            (0, vitest_1.expect)(mockKV.delete).not.toHaveBeenCalled();
+        });
+    });
+    (0, vitest_1.describe)("Key Prefix", () => {
+        (0, vitest_1.it)("should use custom key prefix", async () => {
+            const customCache = new cloudflare_kv_nonce_cache_js_1.CloudflareKVNonceCache(mockKV, "custom:");
+            mockKV.get.mockResolvedValue(null);
+            await customCache.has("test-nonce");
+            (0, vitest_1.expect)(mockKV.get).toHaveBeenCalledWith("custom:test-nonce");
+        });
+        (0, vitest_1.it)("should use default key prefix", async () => {
+            const defaultCache = new cloudflare_kv_nonce_cache_js_1.CloudflareKVNonceCache(mockKV);
+            mockKV.get.mockResolvedValue(null);
+            await defaultCache.has("test-nonce");
+            (0, vitest_1.expect)(mockKV.get).toHaveBeenCalledWith("nonce:test-nonce");
+        });
+    });
+});

package/dist/cache/__tests__/concurrency.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Concurrency tests for nonce cache implementations
+ * Tests multi-instance replay prevention and atomic operations
+ */
+export {};

package/dist/cache/__tests__/concurrency.test.js

@@ -0,0 +1,300 @@
+"use strict";
+/**
+ * Concurrency tests for nonce cache implementations
+ * Tests multi-instance replay prevention and atomic operations
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const memory_nonce_cache_js_1 = require("../memory-nonce-cache.js");
+const redis_nonce_cache_js_1 = require("../redis-nonce-cache.js");
+const dynamodb_nonce_cache_js_1 = require("../dynamodb-nonce-cache.js");
+const cloudflare_kv_nonce_cache_js_1 = require("../cloudflare-kv-nonce-cache.js");
+// Mock implementations for external services
+const mockRedis = {
+    exists: vitest_1.vi.fn(),
+    set: vitest_1.vi.fn(),
+};
+const mockDynamoDB = {
+    getItem: vitest_1.vi.fn(),
+    putItem: vitest_1.vi.fn(),
+};
+const mockKV = {
+    get: vitest_1.vi.fn(),
+    getWithMetadata: vitest_1.vi.fn(),
+    put: vitest_1.vi.fn(),
+    delete: vitest_1.vi.fn(),
+};
+(0, vitest_1.describe)("Nonce Cache Concurrency Tests", () => {
+    let memoryCache;
+    let redisCache;
+    let dynamoCache;
+    let kvCache;
+    (0, vitest_1.beforeEach)(() => {
+        vitest_1.vi.clearAllMocks();
+        memoryCache = new memory_nonce_cache_js_1.MemoryNonceCache(100);
+        redisCache = new redis_nonce_cache_js_1.RedisNonceCache(mockRedis, "test:");
+        dynamoCache = new dynamodb_nonce_cache_js_1.DynamoNonceCache(mockDynamoDB, "test-table");
+        kvCache = new cloudflare_kv_nonce_cache_js_1.CloudflareKVNonceCache(mockKV, "test:");
+    });
+    (0, vitest_1.afterEach)(() => {
+        memoryCache.destroy();
+    });
+    (0, vitest_1.describe)("Memory Cache Concurrency", () => {
+        (0, vitest_1.it)("should prevent concurrent duplicate nonce addition", async () => {
+            const nonce = "concurrent-memory-nonce";
+            const ttl = 60;
+            // Simulate concurrent add operations
+            const promises = [
+                memoryCache.add(nonce, ttl),
+                memoryCache.add(nonce, ttl),
+                memoryCache.add(nonce, ttl),
+            ];
+            const results = await Promise.allSettled(promises);
+            // Exactly one should succeed, others should fail
+            const successful = results.filter((r) => r.status === "fulfilled");
+            const failed = results.filter((r) => r.status === "rejected");
+            (0, vitest_1.expect)(successful).toHaveLength(1);
+            (0, vitest_1.expect)(failed).toHaveLength(2);
+            // All failures should be due to duplicate nonce
+            failed.forEach((result) => {
+                if (result.status === "rejected") {
+                    (0, vitest_1.expect)(result.reason.message).toContain("already exists");
+                }
+            });
+            // Nonce should exist after successful addition
+            (0, vitest_1.expect)(await memoryCache.has(nonce)).toBe(true);
+        });
+        (0, vitest_1.it)("should handle rapid sequential operations", async () => {
+            const baseNonce = "rapid-memory-nonce";
+            const operations = [];
+            // Create 100 rapid sequential operations
+            for (let i = 0; i < 100; i++) {
+                operations.push(memoryCache.add(`${baseNonce}-${i}`, 60));
+            }
+            // All should succeed since they're different nonces
+            const results = await Promise.allSettled(operations);
+            const successful = results.filter((r) => r.status === "fulfilled");
+            (0, vitest_1.expect)(successful).toHaveLength(100);
+            // All nonces should exist
+            for (let i = 0; i < 100; i++) {
+                (0, vitest_1.expect)(await memoryCache.has(`${baseNonce}-${i}`)).toBe(true);
+            }
+        });
+    });
+    (0, vitest_1.describe)("Redis Cache Atomicity", () => {
+        (0, vitest_1.it)("should use atomic SET NX EX for add operations", async () => {
+            const nonce = "atomic-redis-nonce";
+            const ttl = 300;
+            // Mock successful atomic operation
+            mockRedis.set.mockResolvedValue("OK");
+            await redisCache.add(nonce, ttl);
+            // Verify atomic command was used
+            (0, vitest_1.expect)(mockRedis.set).toHaveBeenCalledWith("test:atomic-redis-nonce", "1", "EX", ttl, "NX");
+        });
+        (0, vitest_1.it)("should handle concurrent add attempts atomically", async () => {
+            const nonce = "concurrent-redis-nonce";
+            // First call succeeds, subsequent calls fail
+            mockRedis.set.mockResolvedValueOnce("OK").mockResolvedValue(null);
+            const promises = [
+                redisCache.add(nonce, 60),
+                redisCache.add(nonce, 60),
+                redisCache.add(nonce, 60),
+            ];
+            const results = await Promise.allSettled(promises);
+            // First should succeed, others should fail
+            (0, vitest_1.expect)(results[0].status).toBe("fulfilled");
+            (0, vitest_1.expect)(results[1].status).toBe("rejected");
+            (0, vitest_1.expect)(results[2].status).toBe("rejected");
+            // Verify all calls used atomic operation
+            (0, vitest_1.expect)(mockRedis.set).toHaveBeenCalledTimes(3);
+            mockRedis.set.mock.calls.forEach((call) => {
+                (0, vitest_1.expect)(call).toEqual([
+                    vitest_1.expect.stringContaining(nonce),
+                    "1",
+                    "EX",
+                    60,
+                    "NX",
+                ]);
+            });
+        });
+    });
+    (0, vitest_1.describe)("DynamoDB Cache Atomicity", () => {
+        (0, vitest_1.it)("should use conditional writes for atomicity", async () => {
+            const nonce = "atomic-dynamo-nonce";
+            const ttl = 300;
+            // Mock successful conditional write
+            mockDynamoDB.putItem.mockReturnValue({
+                promise: () => Promise.resolve({}),
+            });
+            await dynamoCache.add(nonce, ttl);
+            // Verify conditional expression was used
+            (0, vitest_1.expect)(mockDynamoDB.putItem).toHaveBeenCalledWith({
+                TableName: "test-table",
+                Item: {
+                    nonce: { S: nonce },
+                    expiresAt: { N: vitest_1.expect.any(String) },
+                    createdAt: { N: vitest_1.expect.any(String) },
+                },
+                ConditionExpression: "attribute_not_exists(nonce)",
+            });
+        });
+        (0, vitest_1.it)("should handle concurrent add attempts with conditional writes", async () => {
+            const nonce = "concurrent-dynamo-nonce";
+            // First call succeeds
+            mockDynamoDB.putItem.mockReturnValueOnce({
+                promise: () => Promise.resolve({}),
+            });
+            // Subsequent calls fail with conditional check exception
+            const conditionalError = new Error("ConditionalCheckFailedException");
+            conditionalError.code = "ConditionalCheckFailedException";
+            mockDynamoDB.putItem.mockReturnValue({
+                promise: () => Promise.reject(conditionalError),
+            });
+            const promises = [
+                dynamoCache.add(nonce, 60),
+                dynamoCache.add(nonce, 60),
+                dynamoCache.add(nonce, 60),
+            ];
+            const results = await Promise.allSettled(promises);
+            // First should succeed, others should fail
+            (0, vitest_1.expect)(results[0].status).toBe("fulfilled");
+            (0, vitest_1.expect)(results[1].status).toBe("rejected");
+            (0, vitest_1.expect)(results[2].status).toBe("rejected");
+            // All failures should be due to conditional check
+            results.slice(1).forEach((result) => {
+                if (result.status === "rejected") {
+                    (0, vitest_1.expect)(result.reason.message).toContain("already exists");
+                }
+            });
+        });
+    });
+    (0, vitest_1.describe)("Cloudflare KV Cache Best-Effort Atomicity", () => {
+        (0, vitest_1.it)("should attempt atomicity with getWithMetadata", async () => {
+            const nonce = "atomic-kv-nonce";
+            // Mock no existing value
+            mockKV.getWithMetadata.mockResolvedValue({ value: null, metadata: null });
+            mockKV.put.mockResolvedValue(undefined);
+            await kvCache.add(nonce, 60);
+            (0, vitest_1.expect)(mockKV.getWithMetadata).toHaveBeenCalledWith("test:atomic-kv-nonce");
+            (0, vitest_1.expect)(mockKV.put).toHaveBeenCalled();
+        });
+        (0, vitest_1.it)("should detect existing nonces with getWithMetadata", async () => {
+            const nonce = "existing-kv-nonce";
+            // Mock existing valid nonce
+            const futureTime = Date.now() + 50000;
+            mockKV.getWithMetadata.mockResolvedValue({
+                value: JSON.stringify({
+                    nonce,
+                    expiresAt: futureTime,
+                    createdAt: Date.now(),
+                }),
+                metadata: null,
+            });
+            await (0, vitest_1.expect)(kvCache.add(nonce, 60)).rejects.toThrow("already exists - potential replay attack");
+        });
+        (0, vitest_1.it)("should fall back to basic operations when getWithMetadata unavailable", async () => {
+            const nonce = "fallback-kv-nonce";
+            // Mock getWithMetadata failure
+            mockKV.getWithMetadata.mockRejectedValue(new Error("getWithMetadata is not available"));
+            // Mock basic operations
+            mockKV.get.mockResolvedValue(null);
+            mockKV.put.mockResolvedValue(undefined);
+            await kvCache.add(nonce, 60);
+            // Should fall back to basic has() check
+            (0, vitest_1.expect)(mockKV.get).toHaveBeenCalledWith("test:fallback-kv-nonce");
+            (0, vitest_1.expect)(mockKV.put).toHaveBeenCalled();
+        });
+    });
+    (0, vitest_1.describe)("Cross-Implementation Consistency", () => {
+        const testCases = [
+            { name: "Memory", cache: () => memoryCache },
+            {
+                name: "Redis",
+                cache: () => redisCache,
+                setup: () => {
+                    mockRedis.exists.mockResolvedValue(0);
+                    mockRedis.set.mockResolvedValue("OK");
+                },
+            },
+            {
+                name: "DynamoDB",
+                cache: () => dynamoCache,
+                setup: () => {
+                    mockDynamoDB.getItem.mockReturnValue({
+                        promise: () => Promise.resolve({}),
+                    });
+                    mockDynamoDB.putItem.mockReturnValue({
+                        promise: () => Promise.resolve({}),
+                    });
+                },
+            },
+            {
+                name: "Cloudflare KV",
+                cache: () => kvCache,
+                setup: () => {
+                    mockKV.get.mockResolvedValue(null);
+                    mockKV.getWithMetadata.mockResolvedValue({
+                        value: null,
+                        metadata: null,
+                    });
+                    mockKV.put.mockResolvedValue(undefined);
+                },
+            },
+        ];
+        testCases.forEach(({ name, cache, setup }) => {
+            (0, vitest_1.it)(`${name} should implement consistent interface`, async () => {
+                if (setup)
+                    setup();
+                const cacheInstance = cache();
+                const nonce = `interface-test-${name.toLowerCase()}-nonce`;
+                // Test interface methods exist and work
+                (0, vitest_1.expect)(typeof cacheInstance.has).toBe("function");
+                (0, vitest_1.expect)(typeof cacheInstance.add).toBe("function");
+                (0, vitest_1.expect)(typeof cacheInstance.cleanup).toBe("function");
+                // Test basic flow
+                if (name === "Memory") {
+                    // Only test actual functionality for memory cache
+                    (0, vitest_1.expect)(await cacheInstance.has(nonce)).toBe(false);
+                    await cacheInstance.add(nonce, 60);
+                    (0, vitest_1.expect)(await cacheInstance.has(nonce)).toBe(true);
+                }
+                // cleanup should not throw
+                await (0, vitest_1.expect)(cacheInstance.cleanup()).resolves.not.toThrow();
+            });
+        });
+    });
+    (0, vitest_1.describe)("Performance and Stress Testing", () => {
+        (0, vitest_1.it)("should handle high-frequency operations on memory cache", async () => {
+            const startTime = Date.now();
+            const operations = [];
+            // Create 1000 rapid operations
+            for (let i = 0; i < 1000; i++) {
+                operations.push(memoryCache.add(`stress-nonce-${i}`, 60));
+            }
+            await Promise.all(operations);
+            const endTime = Date.now();
+            // Should complete within reasonable time (adjust threshold as needed)
+            (0, vitest_1.expect)(endTime - startTime).toBeLessThan(1000); // 1 second
+            // All nonces should exist
+            for (let i = 0; i < 1000; i++) {
+                (0, vitest_1.expect)(await memoryCache.has(`stress-nonce-${i}`)).toBe(true);
+            }
+        });
+        (0, vitest_1.it)("should handle mixed read/write operations on memory cache", async () => {
+            const nonce = "mixed-ops-nonce";
+            // Add initial nonce
+            await memoryCache.add(nonce, 60);
+            // Create mixed operations
+            const operations = [];
+            for (let i = 0; i < 100; i++) {
+                operations.push(memoryCache.has(nonce));
+                operations.push(memoryCache.add(`mixed-${i}`, 60));
+            }
+            const results = await Promise.allSettled(operations);
+            // All has() operations should succeed
+            // All add() operations should succeed (different nonces)
+            const successful = results.filter((r) => r.status === "fulfilled");
+            (0, vitest_1.expect)(successful.length).toBeGreaterThan(150); // Most should succeed
+        });
+    });
+});

package/dist/cache/__tests__/dynamodb-nonce-cache.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for DynamoDB Nonce Cache
+ */
+export {};

package/dist/cache/__tests__/dynamodb-nonce-cache.test.js

@@ -0,0 +1,176 @@
+"use strict";
+/**
+ * Tests for DynamoDB Nonce Cache
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const dynamodb_nonce_cache_js_1 = require("../dynamodb-nonce-cache.js");
+// Mock DynamoDB client
+const mockDynamoDB = {
+    getItem: vitest_1.vi.fn(),
+    putItem: vitest_1.vi.fn(),
+};
+// Helper to create mock DynamoDB responses
+const createMockGetItemResponse = (exists, expired = false) => {
+    if (!exists) {
+        return { promise: () => Promise.resolve({}) };
+    }
+    const expiresAt = expired
+        ? Math.floor(Date.now() / 1000) - 100 // Expired 100 seconds ago
+        : Math.floor(Date.now() / 1000) + 300; // Expires in 300 seconds
+    return {
+        promise: () => Promise.resolve({
+            Item: {
+                nonce: { S: "test-nonce" },
+                expiresAt: { N: expiresAt.toString() },
+            },
+        }),
+    };
+};
+const createMockPutItemResponse = (success = true) => {
+    if (success) {
+        return { promise: () => Promise.resolve({}) };
+    }
+    else {
+        const error = new Error("ConditionalCheckFailedException");
+        error.code = "ConditionalCheckFailedException";
+        return { promise: () => Promise.reject(error) };
+    }
+};
+(0, vitest_1.describe)("DynamoNonceCache", () => {
+    let cache;
+    (0, vitest_1.beforeEach)(() => {
+        vitest_1.vi.clearAllMocks();
+        cache = new dynamodb_nonce_cache_js_1.DynamoNonceCache(mockDynamoDB, "test-nonce-table");
+    });
+    (0, vitest_1.describe)("Basic Operations", () => {
+        (0, vitest_1.it)("should add and check nonce existence", async () => {
+            const nonce = "test-nonce-123";
+            // Mock DynamoDB responses
+            mockDynamoDB.getItem.mockReturnValue(createMockGetItemResponse(false));
+            mockDynamoDB.putItem.mockReturnValue(createMockPutItemResponse(true));
+            // Initially should not exist
+            (0, vitest_1.expect)(await cache.has(nonce)).toBe(false);
+            (0, vitest_1.expect)(mockDynamoDB.getItem).toHaveBeenCalledWith({
+                TableName: "test-nonce-table",
+                Key: { nonce: { S: nonce } },
+                ConsistentRead: true,
+            });
+            // Add nonce
+            await cache.add(nonce, 60);
+            (0, vitest_1.expect)(mockDynamoDB.putItem).toHaveBeenCalledWith({
+                TableName: "test-nonce-table",
+                Item: {
+                    nonce: { S: nonce },
+                    expiresAt: { N: vitest_1.expect.any(String) },
+                    createdAt: { N: vitest_1.expect.any(String) },
+                },
+                ConditionExpression: "attribute_not_exists(nonce)",
+            });
+            // Mock that it now exists
+            mockDynamoDB.getItem.mockReturnValue(createMockGetItemResponse(true));
+            (0, vitest_1.expect)(await cache.has(nonce)).toBe(true);
+        });
+        (0, vitest_1.it)("should prevent duplicate nonce addition", async () => {
+            const nonce = "duplicate-nonce";
+            // Mock DynamoDB conditional check failure
+            mockDynamoDB.putItem.mockReturnValue(createMockPutItemResponse(false));
+            // Adding duplicate nonce should throw
+            await (0, vitest_1.expect)(cache.add(nonce, 60)).rejects.toThrow("Nonce duplicate-nonce already exists - potential replay attack");
+        });
+        (0, vitest_1.it)("should handle expired nonces correctly", async () => {
+            const nonce = "expired-nonce";
+            // Mock expired nonce
+            mockDynamoDB.getItem.mockReturnValue(createMockGetItemResponse(true, true));
+            // Should return false for expired nonce
+            (0, vitest_1.expect)(await cache.has(nonce)).toBe(false);
+        });
+    });
+    (0, vitest_1.describe)("Error Handling", () => {
+        (0, vitest_1.it)("should handle ResourceNotFoundException", async () => {
+            const nonce = "missing-table-nonce";
+            const error = new Error("Table not found");
+            error.code = "ResourceNotFoundException";
+            mockDynamoDB.getItem.mockReturnValue({
+                promise: () => Promise.reject(error),
+            });
+            // Should return false for missing table
+            (0, vitest_1.expect)(await cache.has(nonce)).toBe(false);
+        });
+        (0, vitest_1.it)("should handle ValidationException on add", async () => {
+            const nonce = "validation-error-nonce";
+            const error = new Error("Invalid request");
+            error.code = "ValidationException";
+            mockDynamoDB.putItem.mockReturnValue({
+                promise: () => Promise.reject(error),
+            });
+            await (0, vitest_1.expect)(cache.add(nonce, 60)).rejects.toThrow("Invalid DynamoDB operation");
+        });
+        (0, vitest_1.it)("should handle ProvisionedThroughputExceededException", async () => {
+            const nonce = "throughput-error-nonce";
+            const error = new Error("Throughput exceeded");
+            error.code = "ProvisionedThroughputExceededException";
+            mockDynamoDB.putItem.mockReturnValue({
+                promise: () => Promise.reject(error),
+            });
+            await (0, vitest_1.expect)(cache.add(nonce, 60)).rejects.toThrow("DynamoDB throughput exceeded");
+        });
+        (0, vitest_1.it)("should propagate unknown errors with context", async () => {
+            const nonce = "unknown-error-nonce";
+            const error = new Error("Unknown error");
+            error.code = "UnknownException";
+            mockDynamoDB.getItem.mockReturnValue({
+                promise: () => Promise.reject(error),
+            });
+            await (0, vitest_1.expect)(cache.has(nonce)).rejects.toThrow("Failed to check nonce existence");
+        });
+    });
+    (0, vitest_1.describe)("Atomic Operations", () => {
+        (0, vitest_1.it)("should use conditional write for atomicity", async () => {
+            const nonce = "atomic-test-nonce";
+            const ttl = 300;
+            mockDynamoDB.putItem.mockReturnValue(createMockPutItemResponse(true));
+            await cache.add(nonce, ttl);
+            // Verify conditional expression was used
+            (0, vitest_1.expect)(mockDynamoDB.putItem).toHaveBeenCalledWith({
+                TableName: "test-nonce-table",
+                Item: {
+                    nonce: { S: nonce },
+                    expiresAt: { N: vitest_1.expect.any(String) },
+                    createdAt: { N: vitest_1.expect.any(String) },
+                },
+                ConditionExpression: "attribute_not_exists(nonce)",
+            });
+        });
+        (0, vitest_1.it)("should use consistent reads for has() operations", async () => {
+            const nonce = "consistent-read-nonce";
+            mockDynamoDB.getItem.mockReturnValue(createMockGetItemResponse(false));
+            await cache.has(nonce);
+            (0, vitest_1.expect)(mockDynamoDB.getItem).toHaveBeenCalledWith({
+                TableName: "test-nonce-table",
+                Key: { nonce: { S: nonce } },
+                ConsistentRead: true,
+            });
+        });
+    });
+    (0, vitest_1.describe)("Cleanup", () => {
+        (0, vitest_1.it)("should be a no-op since DynamoDB handles TTL", async () => {
+            // cleanup() should not call any DynamoDB methods
+            await cache.cleanup();
+            (0, vitest_1.expect)(mockDynamoDB.getItem).not.toHaveBeenCalled();
+            (0, vitest_1.expect)(mockDynamoDB.putItem).not.toHaveBeenCalled();
+        });
+    });
+    (0, vitest_1.describe)("Custom Configuration", () => {
+        (0, vitest_1.it)("should use custom attribute names", () => {
+            const customCache = new dynamodb_nonce_cache_js_1.DynamoNonceCache(mockDynamoDB, "custom-table", "customKey", "customTTL");
+            mockDynamoDB.getItem.mockReturnValue(createMockGetItemResponse(false));
+            customCache.has("test-nonce");
+            (0, vitest_1.expect)(mockDynamoDB.getItem).toHaveBeenCalledWith({
+                TableName: "custom-table",
+                Key: { customKey: { S: "test-nonce" } },
+                ConsistentRead: true,
+            });
+        });
+    });
+});

package/dist/cache/__tests__/memory-nonce-cache.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for Memory Nonce Cache
+ */
+export {};