@mcpose/testing 2.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Amir Gorji
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/dist/index.d.ts

@@ -0,0 +1,27 @@
+import type { AuditEvent, ReplayManifest } from '@mcpose/audit';
+import type { Identity } from 'mcpose';
+export type { AuditEvent, ReplayManifest };
+/**
+ * Asserts that an ordered sequence of audit events forms a valid HMAC chain.
+ * Verifies that each event's chainHash is consistent with its position
+ * (i.e. that no entry has been inserted, removed, or tampered).
+ *
+ * Does NOT re-compute the HMAC (the signing key is not available here) —
+ * instead checks that the chainHash changes with each entry (chain is live)
+ * and that the `replayManifestPosition` values are sequential.
+ */
+export declare function assertAuditChainIntegrity(events: AuditEvent[]): void;
+/**
+ * Asserts that every Merkle proof in a ReplayManifest verifies against the root.
+ */
+export declare function assertReplayManifestValid(events: AuditEvent[], manifest: ReplayManifest): void;
+/**
+ * Asserts that a high-sensitivity audit event does not contain plaintext
+ * input or output matching any of the given patterns.
+ */
+export declare function assertPiiRedacted(event: AuditEvent, patterns: RegExp[]): void;
+/**
+ * Asserts that a delegation chain is non-empty and each entry has a valid sub.
+ */
+export declare function assertDelegationHonored(chain: Identity[]): void;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAEhE,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,QAAQ,CAAC;AAEvC,YAAY,EAAE,UAAU,EAAE,cAAc,EAAE,CAAC;AAE3C;;;;;;;;GAQG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,UAAU,EAAE,GAAG,IAAI,CAwBpE;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,UAAU,EAAE,EACpB,QAAQ,EAAE,cAAc,GACvB,IAAI,CAiBN;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,EAAE,GAAG,IAAI,CAU7E;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,QAAQ,EAAE,GAAG,IAAI,CAS/D"}

package/dist/index.js

@@ -0,0 +1,71 @@
+import { verifyMerkleProof } from '@mcpose/audit';
+/**
+ * Asserts that an ordered sequence of audit events forms a valid HMAC chain.
+ * Verifies that each event's chainHash is consistent with its position
+ * (i.e. that no entry has been inserted, removed, or tampered).
+ *
+ * Does NOT re-compute the HMAC (the signing key is not available here) —
+ * instead checks that the chainHash changes with each entry (chain is live)
+ * and that the `replayManifestPosition` values are sequential.
+ */
+export function assertAuditChainIntegrity(events) {
+    if (events.length === 0)
+        return;
+    const seen = new Set();
+    for (let i = 0; i < events.length; i++) {
+        const event = events[i];
+        if (event.replayManifestPosition !== i) {
+            throw new Error(`Audit chain broken at index ${i}: replayManifestPosition is ${event.replayManifestPosition}, expected ${i}`);
+        }
+        if (!event.chainHash || event.chainHash.length === 0) {
+            throw new Error(`Audit chain broken at index ${i}: chainHash is empty`);
+        }
+        if (seen.has(event.chainHash)) {
+            throw new Error(`Audit chain broken at index ${i}: duplicate chainHash "${event.chainHash}" — chain has been tampered`);
+        }
+        seen.add(event.chainHash);
+    }
+}
+/**
+ * Asserts that every Merkle proof in a ReplayManifest verifies against the root.
+ */
+export function assertReplayManifestValid(events, manifest) {
+    if (manifest.eventCount !== events.length) {
+        throw new Error(`ReplayManifest eventCount (${manifest.eventCount}) does not match events array length (${events.length})`);
+    }
+    for (let i = 0; i < events.length; i++) {
+        const valid = verifyMerkleProof(events[i].chainHash, manifest.merkleProofs[i], manifest.merkleRoot);
+        if (!valid) {
+            throw new Error(`Merkle proof for event at index ${i} does not verify against root`);
+        }
+    }
+}
+/**
+ * Asserts that a high-sensitivity audit event does not contain plaintext
+ * input or output matching any of the given patterns.
+ */
+export function assertPiiRedacted(event, patterns) {
+    if (event.sensitivityTier !== 'high') {
+        const lowOrMed = event;
+        const raw = JSON.stringify({ inputRaw: lowOrMed.inputRaw, outputRaw: lowOrMed.outputRaw });
+        for (const pattern of patterns) {
+            if (pattern.test(raw)) {
+                throw new Error(`PII pattern ${pattern} found in audit event for tool "${event.tool}"`);
+            }
+        }
+    }
+}
+/**
+ * Asserts that a delegation chain is non-empty and each entry has a valid sub.
+ */
+export function assertDelegationHonored(chain) {
+    if (chain.length === 0) {
+        throw new Error('Delegation chain is empty — expected at least one delegating identity');
+    }
+    for (let i = 0; i < chain.length; i++) {
+        if (!chain[i].sub) {
+            throw new Error(`Delegation chain entry at index ${i} has no sub`);
+        }
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAKlD;;;;;;;;GAQG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAAoB;IAC5D,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO;IAEhC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;QAExB,IAAI,KAAK,CAAC,sBAAsB,KAAK,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,KAAK,CACb,+BAA+B,CAAC,+BAA+B,KAAK,CAAC,sBAAsB,cAAc,CAAC,EAAE,CAC7G,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,KAAK,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACrD,MAAM,IAAI,KAAK,CAAC,+BAA+B,CAAC,sBAAsB,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CACb,+BAA+B,CAAC,0BAA0B,KAAK,CAAC,SAAS,6BAA6B,CACvG,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAC5B,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CACvC,MAAoB,EACpB,QAAwB;IAExB,IAAI,QAAQ,CAAC,UAAU,KAAK,MAAM,CAAC,MAAM,EAAE,CAAC;QAC1C,MAAM,IAAI,KAAK,CACb,8BAA8B,QAAQ,CAAC,UAAU,yCAAyC,MAAM,CAAC,MAAM,GAAG,CAC3G,CAAC;IACJ,CAAC;IAED,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACvC,MAAM,KAAK,GAAG,iBAAiB,CAC7B,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,EACnB,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,EACxB,QAAQ,CAAC,UAAU,CACpB,CAAC;QACF,IAAI,CAAC,KAAK,EAAE,CAAC;YACX,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,+BAA+B,CAAC,CAAC;QACvF,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAiB,EAAE,QAAkB;IACrE,IAAI,KAAK,CAAC,eAAe,KAAK,MAAM,EAAE,CAAC;QACrC,MAAM,QAAQ,GAAG,KAAoD,CAAC;QACtE,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,QAAQ,CAAC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC,SAAS,EAAE,CAAC,CAAC;QAC3F,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;gBACtB,MAAM,IAAI,KAAK,CAAC,eAAe,OAAO,mCAAmC,KAAK,CAAC,IAAI,GAAG,CAAC,CAAC;YAC1F,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,KAAiB;IACvD,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;IAC3F,CAAC;IACD,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,EAAE,CAAC;YAClB,MAAM,IAAI,KAAK,CAAC,mCAAmC,CAAC,aAAa,CAAC,CAAC;QACrE,CAAC;IACH,CAAC;AACH,CAAC"}

package/package.json

@@ -0,0 +1,48 @@
+{
+  "name": "@mcpose/testing",
+  "version": "2.0.0",
+  "description": "Compliance testing utilities for mcpose — audit chain assertions, scenario harness",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist",
+    "README.md"
+  ],
+  "keywords": [
+    "mcp",
+    "testing",
+    "compliance",
+    "audit",
+    "fintech"
+  ],
+  "author": "Amir Gorji",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/amir-gorji/mcpose.git",
+    "directory": "packages/testing"
+  },
+  "peerDependencies": {
+    "mcpose": ">=2.0.0",
+    "@mcpose/audit": ">=2.0.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.0.0",
+    "typescript": "^5.0.0",
+    "vitest": "^3.0.0",
+    "mcpose": "2.0.1",
+    "@mcpose/audit": "2.0.0"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "ts:ci": "tsc --noEmit",
+    "test": "vitest run --passWithNoTests"
+  }
+}