@kya-os/mcp-i 0.1.0 → 1.2.0

package/dist/runtime/__tests__/audit.test.js

@@ -0,0 +1,328 @@
+"use strict";
+/**
+ * Tests for Audit Logging System
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const audit_js_1 = require("../audit.js");
+(0, vitest_1.describe)("AuditLogger", () => {
+    let auditLogger;
+    let mockLogFunction;
+    let mockIdentity;
+    let mockSession;
+    (0, vitest_1.beforeEach)(() => {
+        mockLogFunction = vitest_1.vi.fn();
+        auditLogger = new audit_js_1.AuditLogger({
+            logFunction: mockLogFunction,
+        });
+        mockIdentity = {
+            did: "did:web:example.com:agents:test-agent",
+            keyId: "key-test-123",
+            privateKey: "test-private-key",
+            publicKey: "test-public-key",
+            createdAt: new Date().toISOString(),
+        };
+        mockSession = {
+            sessionId: "sess_test_123",
+            audience: "example.com",
+            nonce: "test-nonce-456",
+            timestamp: Math.floor(Date.now() / 1000),
+            createdAt: Math.floor(Date.now() / 1000),
+            lastActivity: Math.floor(Date.now() / 1000),
+            ttlMinutes: 30,
+        };
+    });
+    (0, vitest_1.describe)("Audit Record Generation", () => {
+        (0, vitest_1.it)("should emit audit record on first call per session", async () => {
+            const context = {
+                identity: mockIdentity,
+                session: mockSession,
+                requestHash: "sha256:abc123",
+                responseHash: "sha256:def456",
+                verified: "yes",
+                scopeId: "orders.create",
+            };
+            await auditLogger.logAuditRecord(context);
+            (0, vitest_1.expect)(mockLogFunction).toHaveBeenCalledOnce();
+            const auditLine = mockLogFunction.mock.calls[0][0];
+            (0, vitest_1.expect)(auditLine).toContain("audit.v1");
+            (0, vitest_1.expect)(auditLine).toContain("session=sess_test_123");
+            (0, vitest_1.expect)(auditLine).toContain("audience=example.com");
+            (0, vitest_1.expect)(auditLine).toContain("did=did:web:example.com:agents:test-agent");
+            (0, vitest_1.expect)(auditLine).toContain("kid=key-test-123");
+            (0, vitest_1.expect)(auditLine).toContain("reqHash=sha256:abc123");
+            (0, vitest_1.expect)(auditLine).toContain("resHash=sha256:def456");
+            (0, vitest_1.expect)(auditLine).toContain("verified=yes");
+            (0, vitest_1.expect)(auditLine).toContain("scope=orders.create");
+        });
+        (0, vitest_1.it)("should not emit duplicate audit records for same session", async () => {
+            const context = {
+                identity: mockIdentity,
+                session: mockSession,
+                requestHash: "sha256:abc123",
+                responseHash: "sha256:def456",
+                verified: "yes",
+            };
+            // First call should emit audit record
+            await auditLogger.logAuditRecord(context);
+            (0, vitest_1.expect)(mockLogFunction).toHaveBeenCalledOnce();
+            // Second call for same session should not emit
+            await auditLogger.logAuditRecord(context);
+            (0, vitest_1.expect)(mockLogFunction).toHaveBeenCalledOnce(); // Still only once
+        });
+        (0, vitest_1.it)("should emit separate audit records for different sessions", async () => {
+            const context1 = {
+                identity: mockIdentity,
+                session: mockSession,
+                requestHash: "sha256:abc123",
+                responseHash: "sha256:def456",
+                verified: "yes",
+            };
+            const context2 = {
+                identity: mockIdentity,
+                session: { ...mockSession, sessionId: "sess_test_456" },
+                requestHash: "sha256:ghi789",
+                responseHash: "sha256:jkl012",
+                verified: "no",
+            };
+            await auditLogger.logAuditRecord(context1);
+            await auditLogger.logAuditRecord(context2);
+            (0, vitest_1.expect)(mockLogFunction).toHaveBeenCalledTimes(2);
+        });
+        (0, vitest_1.it)('should use "-" for missing scope', async () => {
+            const context = {
+                identity: mockIdentity,
+                session: mockSession,
+                requestHash: "sha256:abc123",
+                responseHash: "sha256:def456",
+                verified: "yes",
+                // No scopeId provided
+            };
+            await auditLogger.logAuditRecord(context);
+            const auditLine = mockLogFunction.mock.calls[0][0];
+            (0, vitest_1.expect)(auditLine).toContain("scope=-");
+        });
+        (0, vitest_1.it)("should not log when disabled", async () => {
+            const disabledLogger = new audit_js_1.AuditLogger({
+                enabled: false,
+                logFunction: mockLogFunction,
+            });
+            const context = {
+                identity: mockIdentity,
+                session: mockSession,
+                requestHash: "sha256:abc123",
+                responseHash: "sha256:def456",
+                verified: "yes",
+            };
+            await disabledLogger.logAuditRecord(context);
+            (0, vitest_1.expect)(mockLogFunction).not.toHaveBeenCalled();
+        });
+    });
+    (0, vitest_1.describe)("Audit Line Format", () => {
+        (0, vitest_1.it)("should format audit line with frozen format", async () => {
+            const context = {
+                identity: mockIdentity,
+                session: mockSession,
+                requestHash: "sha256:abc123",
+                responseHash: "sha256:def456",
+                verified: "yes",
+                scopeId: "orders.create",
+            };
+            await auditLogger.logAuditRecord(context);
+            const auditLine = mockLogFunction.mock.calls[0][0];
+            const parts = auditLine.split(" ");
+            (0, vitest_1.expect)(parts[0]).toBe("audit.v1");
+            (0, vitest_1.expect)(parts[1]).toMatch(/^ts=\d+$/);
+            (0, vitest_1.expect)(parts[2]).toBe("session=sess_test_123");
+            (0, vitest_1.expect)(parts[3]).toBe("audience=example.com");
+            (0, vitest_1.expect)(parts[4]).toBe("did=did:web:example.com:agents:test-agent");
+            (0, vitest_1.expect)(parts[5]).toBe("kid=key-test-123");
+            (0, vitest_1.expect)(parts[6]).toBe("reqHash=sha256:abc123");
+            (0, vitest_1.expect)(parts[7]).toBe("resHash=sha256:def456");
+            (0, vitest_1.expect)(parts[8]).toBe("verified=yes");
+            (0, vitest_1.expect)(parts[9]).toBe("scope=orders.create");
+        });
+        (0, vitest_1.it)("should include timestamp in unix seconds", async () => {
+            const beforeTime = Math.floor(Date.now() / 1000);
+            const context = {
+                identity: mockIdentity,
+                session: mockSession,
+                requestHash: "sha256:abc123",
+                responseHash: "sha256:def456",
+                verified: "yes",
+            };
+            await auditLogger.logAuditRecord(context);
+            const afterTime = Math.floor(Date.now() / 1000);
+            const auditLine = mockLogFunction.mock.calls[0][0];
+            const tsMatch = auditLine.match(/ts=(\d+)/);
+            (0, vitest_1.expect)(tsMatch).toBeTruthy();
+            const timestamp = parseInt(tsMatch[1], 10);
+            (0, vitest_1.expect)(timestamp).toBeGreaterThanOrEqual(beforeTime);
+            (0, vitest_1.expect)(timestamp).toBeLessThanOrEqual(afterTime);
+        });
+    });
+    (0, vitest_1.describe)("Configuration and Statistics", () => {
+        (0, vitest_1.it)("should provide accurate statistics", async () => {
+            const context = {
+                identity: mockIdentity,
+                session: mockSession,
+                requestHash: "sha256:abc123",
+                responseHash: "sha256:def456",
+                verified: "yes",
+            };
+            const initialStats = auditLogger.getStats();
+            (0, vitest_1.expect)(initialStats.sessionsLogged).toBe(0);
+            (0, vitest_1.expect)(initialStats.enabled).toBe(true);
+            (0, vitest_1.expect)(initialStats.includePayloads).toBe(false);
+            await auditLogger.logAuditRecord(context);
+            const finalStats = auditLogger.getStats();
+            (0, vitest_1.expect)(finalStats.sessionsLogged).toBe(1);
+        });
+        (0, vitest_1.it)("should allow configuration updates", () => {
+            auditLogger.updateConfig({ enabled: false, includePayloads: true });
+            const stats = auditLogger.getStats();
+            (0, vitest_1.expect)(stats.enabled).toBe(false);
+            (0, vitest_1.expect)(stats.includePayloads).toBe(true);
+        });
+        (0, vitest_1.it)("should clear session log", async () => {
+            const context = {
+                identity: mockIdentity,
+                session: mockSession,
+                requestHash: "sha256:abc123",
+                responseHash: "sha256:def456",
+                verified: "yes",
+            };
+            await auditLogger.logAuditRecord(context);
+            (0, vitest_1.expect)(auditLogger.getStats().sessionsLogged).toBe(1);
+            auditLogger.clearSessionLog();
+            (0, vitest_1.expect)(auditLogger.getStats().sessionsLogged).toBe(0);
+        });
+    });
+});
+(0, vitest_1.describe)("Key Rotation Audit", () => {
+    let mockLogFunction;
+    let mockIdentity;
+    (0, vitest_1.beforeEach)(() => {
+        mockLogFunction = vitest_1.vi.fn();
+        mockIdentity = {
+            did: "did:web:example.com:agents:test-agent",
+            keyId: "key-new-456",
+            privateKey: "test-private-key",
+            publicKey: "test-public-key",
+            createdAt: new Date().toISOString(),
+        };
+    });
+    (0, vitest_1.it)("should log key rotation audit record", () => {
+        const context = {
+            identity: mockIdentity,
+            oldKeyId: "key-old-123",
+            newKeyId: "key-new-456",
+            mode: "dev",
+            delegated: "no",
+            force: "no",
+        };
+        (0, audit_js_1.logKeyRotationAudit)(context, mockLogFunction);
+        (0, vitest_1.expect)(mockLogFunction).toHaveBeenCalledOnce();
+        const auditLine = mockLogFunction.mock.calls[0][0];
+        (0, vitest_1.expect)(auditLine).toContain("keys.rotate.v1");
+        (0, vitest_1.expect)(auditLine).toContain("did=did:web:example.com:agents:test-agent");
+        (0, vitest_1.expect)(auditLine).toContain("oldKid=key-old-123");
+        (0, vitest_1.expect)(auditLine).toContain("newKid=key-new-456");
+        (0, vitest_1.expect)(auditLine).toContain("mode=dev");
+        (0, vitest_1.expect)(auditLine).toContain("delegated=no");
+        (0, vitest_1.expect)(auditLine).toContain("force=no");
+    });
+    (0, vitest_1.it)("should log production key rotation with delegation", () => {
+        const context = {
+            identity: mockIdentity,
+            oldKeyId: "key-old-123",
+            newKeyId: "key-new-456",
+            mode: "prod",
+            delegated: "yes",
+            force: "no",
+        };
+        (0, audit_js_1.logKeyRotationAudit)(context, mockLogFunction);
+        const auditLine = mockLogFunction.mock.calls[0][0];
+        (0, vitest_1.expect)(auditLine).toContain("mode=prod");
+        (0, vitest_1.expect)(auditLine).toContain("delegated=yes");
+    });
+    (0, vitest_1.it)("should log forced key rotation", () => {
+        const context = {
+            identity: mockIdentity,
+            oldKeyId: "key-old-123",
+            newKeyId: "key-new-456",
+            mode: "prod",
+            delegated: "no",
+            force: "yes",
+        };
+        (0, audit_js_1.logKeyRotationAudit)(context, mockLogFunction);
+        const auditLine = mockLogFunction.mock.calls[0][0];
+        (0, vitest_1.expect)(auditLine).toContain("force=yes");
+    });
+});
+(0, vitest_1.describe)("Audit Line Parsing", () => {
+    (0, vitest_1.it)("should parse valid audit line", () => {
+        const auditLine = "audit.v1 ts=1640995200 session=sess_test_123 audience=example.com did=did:web:example.com:agents:test-agent kid=key-test-123 reqHash=sha256:abc123 resHash=sha256:def456 verified=yes scope=orders.create";
+        const record = (0, audit_js_1.parseAuditLine)(auditLine);
+        (0, vitest_1.expect)(record).toBeTruthy();
+        (0, vitest_1.expect)(record.version).toBe("audit.v1");
+        (0, vitest_1.expect)(record.ts).toBe(1640995200);
+        (0, vitest_1.expect)(record.session).toBe("sess_test_123");
+        (0, vitest_1.expect)(record.audience).toBe("example.com");
+        (0, vitest_1.expect)(record.did).toBe("did:web:example.com:agents:test-agent");
+        (0, vitest_1.expect)(record.kid).toBe("key-test-123");
+        (0, vitest_1.expect)(record.reqHash).toBe("sha256:abc123");
+        (0, vitest_1.expect)(record.resHash).toBe("sha256:def456");
+        (0, vitest_1.expect)(record.verified).toBe("yes");
+        (0, vitest_1.expect)(record.scope).toBe("orders.create");
+    });
+    (0, vitest_1.it)("should parse audit line with no scope", () => {
+        const auditLine = "audit.v1 ts=1640995200 session=sess_test_123 audience=example.com did=did:web:example.com:agents:test-agent kid=key-test-123 reqHash=sha256:abc123 resHash=sha256:def456 verified=no scope=-";
+        const record = (0, audit_js_1.parseAuditLine)(auditLine);
+        (0, vitest_1.expect)(record).toBeTruthy();
+        (0, vitest_1.expect)(record.verified).toBe("no");
+        (0, vitest_1.expect)(record.scope).toBe("-");
+    });
+    (0, vitest_1.it)("should return null for invalid audit line", () => {
+        const invalidLines = [
+            "invalid line",
+            "audit.v1 incomplete",
+            "wrong.version ts=123 session=test",
+            "audit.v1 ts=invalid session=test audience=test",
+        ];
+        for (const line of invalidLines) {
+            (0, vitest_1.expect)((0, audit_js_1.parseAuditLine)(line)).toBeNull();
+        }
+    });
+});
+(0, vitest_1.describe)("Audit Record Validation", () => {
+    (0, vitest_1.it)("should validate correct audit record", () => {
+        const validRecord = {
+            version: "audit.v1",
+            ts: 1640995200,
+            session: "sess_test_123",
+            audience: "example.com",
+            did: "did:web:example.com:agents:test-agent",
+            kid: "key-test-123",
+            reqHash: "sha256:abc123",
+            resHash: "sha256:def456",
+            verified: "yes",
+            scope: "orders.create",
+        };
+        (0, vitest_1.expect)((0, audit_js_1.validateAuditRecord)(validRecord)).toBe(true);
+    });
+    (0, vitest_1.it)("should reject invalid audit records", () => {
+        const invalidRecords = [
+            null,
+            undefined,
+            {},
+            { version: "wrong.version" },
+            { version: "audit.v1", ts: "invalid" },
+            { version: "audit.v1", ts: 123, verified: "maybe" },
+            { version: "audit.v1", ts: 123, reqHash: "invalid-hash" },
+        ];
+        for (const record of invalidRecords) {
+            (0, vitest_1.expect)((0, audit_js_1.validateAuditRecord)(record)).toBe(false);
+        }
+    });
+});

package/dist/runtime/__tests__/identity.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for Identity Management System
+ */
+export {};

package/dist/runtime/__tests__/identity.test.js

@@ -0,0 +1,164 @@
+"use strict";
+/**
+ * Tests for Identity Management System
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const fs_1 = require("fs");
+const promises_1 = require("fs/promises");
+const path_1 = require("path");
+const identity_js_1 = require("../identity.js");
+// Mock environment variables
+const originalEnv = process.env;
+(0, vitest_1.describe)("IdentityManager", () => {
+    let tempDir;
+    let identityManager;
+    (0, vitest_1.beforeEach)(async () => {
+        // Create temp directory for tests
+        tempDir = (0, path_1.join)(process.cwd(), ".test-mcpi");
+        await (0, promises_1.mkdir)(tempDir, { recursive: true });
+        // Reset environment
+        process.env = { ...originalEnv };
+        delete process.env.AGENT_PRIVATE_KEY;
+        delete process.env.AGENT_KEY_ID;
+        delete process.env.AGENT_DID;
+        delete process.env.KYA_VOUCHED_API_KEY;
+    });
+    (0, vitest_1.afterEach)(async () => {
+        // Cleanup
+        try {
+            if ((0, fs_1.existsSync)(tempDir)) {
+                await (0, promises_1.rmdir)(tempDir, { recursive: true });
+            }
+        }
+        catch (error) {
+            // Ignore cleanup errors
+        }
+        // Restore environment
+        process.env = originalEnv;
+    });
+    (0, vitest_1.describe)("Development Environment", () => {
+        (0, vitest_1.beforeEach)(() => {
+            identityManager = new identity_js_1.IdentityManager({
+                environment: "development",
+                devIdentityPath: (0, path_1.join)(tempDir, "identity.json"),
+            });
+        });
+        (0, vitest_1.it)("should generate new identity when none exists", async () => {
+            const identity = await identityManager.ensureIdentity();
+            (0, vitest_1.expect)(identity).toBeDefined();
+            (0, vitest_1.expect)(identity.did).toMatch(/^did:web:localhost:3000:agents:key-[a-f0-9]{8}$/);
+            (0, vitest_1.expect)(identity.keyId).toMatch(/^key-[a-f0-9]{8}$/);
+            (0, vitest_1.expect)(identity.privateKey).toBeTruthy();
+            (0, vitest_1.expect)(identity.publicKey).toBeTruthy();
+            (0, vitest_1.expect)(identity.createdAt).toBeTruthy();
+            // Verify keys are base64 encoded
+            (0, vitest_1.expect)(() => Buffer.from(identity.privateKey, "base64")).not.toThrow();
+            (0, vitest_1.expect)(() => Buffer.from(identity.publicKey, "base64")).not.toThrow();
+        });
+        (0, vitest_1.it)("should load existing identity from file", async () => {
+            // Generate first identity
+            const identity1 = await identityManager.ensureIdentity();
+            // Create new manager instance
+            const identityManager2 = new identity_js_1.IdentityManager({
+                environment: "development",
+                devIdentityPath: (0, path_1.join)(tempDir, "identity.json"),
+            });
+            // Should load the same identity
+            const identity2 = await identityManager2.ensureIdentity();
+            (0, vitest_1.expect)(identity2.did).toBe(identity1.did);
+            (0, vitest_1.expect)(identity2.keyId).toBe(identity1.keyId);
+            (0, vitest_1.expect)(identity2.privateKey).toBe(identity1.privateKey);
+            (0, vitest_1.expect)(identity2.publicKey).toBe(identity1.publicKey);
+        });
+        (0, vitest_1.it)("should cache identity after first load", async () => {
+            const identity1 = await identityManager.ensureIdentity();
+            const identity2 = await identityManager.ensureIdentity();
+            (0, vitest_1.expect)(identity1).toBe(identity2); // Same object reference
+        });
+        (0, vitest_1.it)("should regenerate identity if file is corrupted", async () => {
+            const identityPath = (0, path_1.join)(tempDir, "identity.json");
+            // Write corrupted file
+            await import("fs/promises").then((fs) => fs.writeFile(identityPath, "invalid json", "utf-8"));
+            // Should generate new identity
+            const identity = await identityManager.ensureIdentity();
+            (0, vitest_1.expect)(identity).toBeDefined();
+            (0, vitest_1.expect)(identity.did).toMatch(/^did:web:localhost:3000:agents:key-[a-f0-9]{8}$/);
+        });
+        (0, vitest_1.it)("should validate identity correctly", async () => {
+            const identity = await identityManager.ensureIdentity();
+            const isValid = await identityManager.validateIdentity(identity);
+            (0, vitest_1.expect)(isValid).toBe(true);
+        });
+        (0, vitest_1.it)("should reject invalid identity", async () => {
+            const invalidIdentity = {
+                did: "invalid-did",
+                keyId: "key-1",
+                privateKey: "invalid-key",
+                publicKey: "invalid-key",
+                createdAt: new Date().toISOString(),
+            };
+            const isValid = await identityManager.validateIdentity(invalidIdentity);
+            (0, vitest_1.expect)(isValid).toBe(false);
+        });
+    });
+    (0, vitest_1.describe)("Production Environment", () => {
+        (0, vitest_1.beforeEach)(() => {
+            identityManager = new identity_js_1.IdentityManager({
+                environment: "production",
+            });
+        });
+        (0, vitest_1.it)("should load identity from environment variables", async () => {
+            // Set up environment variables
+            process.env.AGENT_PRIVATE_KEY = Buffer.from("test-private-key-32-bytes-long!!").toString("base64");
+            process.env.AGENT_KEY_ID = "key-prod-123";
+            process.env.AGENT_DID = "did:web:example.com:agents:my-agent";
+            process.env.KYA_VOUCHED_API_KEY = "test-api-key";
+            const identity = await identityManager.ensureIdentity();
+            (0, vitest_1.expect)(identity.did).toBe("did:web:example.com:agents:my-agent");
+            (0, vitest_1.expect)(identity.keyId).toBe("key-prod-123");
+            (0, vitest_1.expect)(identity.privateKey).toBe(process.env.AGENT_PRIVATE_KEY);
+            (0, vitest_1.expect)(identity.publicKey).toBeTruthy();
+        });
+        (0, vitest_1.it)("should fail fast when environment variables are missing", async () => {
+            // Only set some variables
+            process.env.AGENT_DID = "did:web:example.com:agents:my-agent";
+            process.env.AGENT_KEY_ID = "key-prod-123";
+            await (0, vitest_1.expect)(identityManager.ensureIdentity()).rejects.toThrow(vitest_1.expect.objectContaining({
+                message: vitest_1.expect.stringContaining("Missing required environment variables"),
+                code: identity_js_1.IDENTITY_ERRORS.ENOIDENTITY,
+            }));
+        });
+        (0, vitest_1.it)("should list all missing environment variables", async () => {
+            const error = await identityManager.ensureIdentity().catch((e) => e);
+            (0, vitest_1.expect)(error.message).toContain("AGENT_PRIVATE_KEY, AGENT_KEY_ID, AGENT_DID, KYA_VOUCHED_API_KEY");
+        });
+    });
+    (0, vitest_1.describe)("Configuration", () => {
+        (0, vitest_1.it)("should use single public DID by default", () => {
+            const manager = new identity_js_1.IdentityManager();
+            const config = manager.getConfig();
+            (0, vitest_1.expect)(config.privacyMode).toBe(false);
+        });
+        (0, vitest_1.it)("should allow privacy mode configuration", () => {
+            const manager = new identity_js_1.IdentityManager({
+                environment: "development",
+                privacyMode: true,
+            });
+            const config = manager.getConfig();
+            (0, vitest_1.expect)(config.privacyMode).toBe(true);
+        });
+        (0, vitest_1.it)("should clear cache when requested", async () => {
+            const manager = new identity_js_1.IdentityManager({
+                environment: "development",
+                devIdentityPath: (0, path_1.join)(tempDir, "identity.json"),
+            });
+            const identity1 = await manager.ensureIdentity();
+            manager.clearCache();
+            const identity2 = await manager.ensureIdentity();
+            // Should be different object references but same content
+            (0, vitest_1.expect)(identity1).not.toBe(identity2);
+            (0, vitest_1.expect)(identity1.did).toBe(identity2.did);
+        });
+    });
+});

package/dist/runtime/__tests__/mcpi-runtime.test.d.ts

@@ -0,0 +1,4 @@
+/**
+ * Tests for XMCP-I Runtime Integration
+ */
+export {};