@mhingston5/conduit 1.1.6 → 1.1.8

package/tests/__snapshots__/assets.test.ts.snap

@@ -58,28 +58,30 @@ exports[`Asset Integrity (Golden Tests) > should match Python SDK snapshot 1`] =
 "# Generated SDK - Do not edit
 _allowed_tools = ["test__*","github__*"]
 
-class _ToolNamespace:
-    def __init__(self, methods):
-        for name, fn in methods.items():
-            setattr(self, name, fn)
+class _test_Namespace:
+    async def hello(self, args=None, **kwargs):
+        params = args if args is not None else kwargs
+        return await _internal_call_tool("test__hello", params)
+
+class _github_Namespace:
+    async def create_issue(self, args=None, **kwargs):
+        params = args if args is not None else kwargs
+        return await _internal_call_tool("github__create_issue", params)
 
 class _Tools:
     def __init__(self):
-        self.test = _ToolNamespace({
-            "hello": lambda args, n="test__hello": _internal_call_tool(n, args)
-        })
-        self.github = _ToolNamespace({
-            "create_issue": lambda args, n="github__create_issue": _internal_call_tool(n, args)
-        })
+        self.test = _test_Namespace()
+        self.github = _github_Namespace()
 
     def __getattr__(self, name):
         # Flat access fallback: search all namespaces
-        for ns in self.__dict__.values():
-            if isinstance(ns, _ToolNamespace) and hasattr(ns, name):
-                return getattr(ns, name)
+        for attr_name in dir(self):
+            attr = getattr(self, attr_name, None)
+            if attr and hasattr(attr, name):
+                return getattr(attr, name)
         raise AttributeError(f"Namespace or Tool '{name}' not found")
 
-    async def raw(self, name, args):
+    async def raw(self, name, args=None):
         """Call a tool by its full name (escape hatch for dynamic/unknown tools)"""
         normalized = name.replace(".", "__")
         if _allowed_tools is not None:
@@ -89,7 +91,7 @@ class _Tools:
             )
             if not allowed:
                 raise PermissionError(f"Tool {name} is not in the allowlist")
-        return await _internal_call_tool(normalized, args)
+        return await _internal_call_tool(normalized, args or {})
 
 tools = _Tools()"
 `;

package/tests/auth.service.test.ts

@@ -70,4 +70,61 @@ describe('AuthService', () => {
         expect(headers2['Authorization']).toBe('Bearer cached-access');
         expect(axios.post).toHaveBeenCalledTimes(1); // Still 1, not 2
     });
+
+    it('should send JSON token refresh for Atlassian token endpoint', async () => {
+        const creds: any = {
+            type: 'oauth2',
+            clientId: 'id',
+            clientSecret: 'secret',
+            tokenUrl: 'https://auth.atlassian.com/oauth/token',
+            refreshToken: 'refresh',
+        };
+
+        (axios.post as any).mockResolvedValue({
+            data: {
+                access_token: 'new-access',
+                expires_in: 0,
+            },
+        });
+
+        await authService.getAuthHeaders(creds);
+
+        const [, body, config] = (axios.post as any).mock.calls[0];
+        expect(body).toMatchObject({
+            grant_type: 'refresh_token',
+            refresh_token: 'refresh',
+            client_id: 'id',
+            client_secret: 'secret',
+        });
+        expect(config.headers['Content-Type']).toBe('application/json');
+    });
+
+    it('should include tokenParams and cache rotating refresh tokens', async () => {
+        const creds: any = {
+            type: 'oauth2',
+            clientId: 'id',
+            clientSecret: 'secret',
+            tokenUrl: 'https://auth.atlassian.com/oauth/token',
+            refreshToken: 'r1',
+            tokenRequestFormat: 'json',
+            tokenParams: { audience: 'api.atlassian.com' },
+        };
+
+        (axios.post as any)
+            .mockResolvedValueOnce({
+                data: { access_token: 'a1', expires_in: 0, refresh_token: 'r2' },
+            })
+            .mockResolvedValueOnce({
+                data: { access_token: 'a2', expires_in: 0 },
+            });
+
+        await authService.getAuthHeaders(creds);
+        await authService.getAuthHeaders(creds);
+
+        const firstBody = (axios.post as any).mock.calls[0][1];
+        expect(firstBody).toMatchObject({ refresh_token: 'r1', audience: 'api.atlassian.com' });
+
+        const secondBody = (axios.post as any).mock.calls[1][1];
+        expect(secondBody).toMatchObject({ refresh_token: 'r2', audience: 'api.atlassian.com' });
+    });
 });

package/tests/config.service.test.ts

@@ -81,6 +81,9 @@ upstreams:
       clientSecret: my-secret
       tokenUrl: http://token
       refreshToken: my-refresh
+      tokenRequestFormat: json
+      tokenParams:
+        audience: api.atlassian.com
 `);
 
         vi.stubEnv('CONFIG_FILE', 'conduit.test.yaml');
@@ -92,10 +95,35 @@ upstreams:
             clientId: 'my-id',
             clientSecret: 'my-secret',
             tokenUrl: 'http://token',
-            refreshToken: 'my-refresh'
+            refreshToken: 'my-refresh',
+            tokenRequestFormat: 'json',
+            tokenParams: { audience: 'api.atlassian.com' },
         });
 
         existsSpy.mockRestore();
         readSpy.mockRestore();
     });
+
+    it('should parse streamableHttp upstream correctly', () => {
+        const existsSpy = vi.spyOn(fs, 'existsSync').mockImplementation((p: any) => p.endsWith('conduit.test.yaml'));
+        const readSpy = vi.spyOn(fs, 'readFileSync').mockReturnValue(`
+upstreams:
+  - id: atlassian
+    type: streamableHttp
+    url: https://mcp.atlassian.com/v1/sse
+    credentials:
+      type: bearer
+      bearerToken: test-token
+`);
+
+        vi.stubEnv('CONFIG_FILE', 'conduit.test.yaml');
+        const configService = new ConfigService();
+        const upstreams = configService.get('upstreams');
+        expect(upstreams).toHaveLength(1);
+        expect(upstreams![0].type).toBe('streamableHttp');
+        expect((upstreams![0] as any).url).toBe('https://mcp.atlassian.com/v1/sse');
+
+        existsSpy.mockRestore();
+        readSpy.mockRestore();
+    });
 });

package/tests/middleware.test.ts

@@ -15,6 +15,7 @@ describe('Middleware Tests', () => {
             validateToken: vi.fn(),
             checkRateLimit: vi.fn(),
             getIpcToken: vi.fn(),
+            isMasterToken: vi.fn(),
             validateIpcToken: vi.fn(),
             getSession: vi.fn(),
         };
@@ -39,8 +40,7 @@ describe('Middleware Tests', () => {
             authMiddleware = new AuthMiddleware(mockSecurityService as SecurityService);
         });
 
-        it('should validate bearer token', () => {
-            mockSecurityService.validateToken.mockReturnValue(true);
+        it('should validate bearer token', async () => {
             const request = {
                 jsonrpc: '2.0',
                 id: 1,
@@ -48,24 +48,27 @@ describe('Middleware Tests', () => {
                 auth: { bearerToken: 'valid-token' }
             };
 
-            mockSecurityService.getIpcToken.mockReturnValue('master-token');
+            // Not master and not a valid session -> Forbidden
+            mockSecurityService.isMasterToken.mockReturnValue(false);
             mockSecurityService.validateIpcToken.mockReturnValue(false);
-            // Mock validateToken behavior via logic or specific mock if used, but AuthMiddleware uses getIpcToken/validateIpcToken
 
-            authMiddleware.handle(request as any, context, mockNext);
+            const result1 = await authMiddleware.handle(request as any, context, mockNext);
+            expect(mockSecurityService.isMasterToken).toHaveBeenCalledWith('valid-token');
             expect(mockSecurityService.validateIpcToken).toHaveBeenCalledWith('valid-token');
-            expect(mockNext).not.toHaveBeenCalled(); // Should fail because neither master nor session valid
-            // Wait, logic says: isMaster = token === getIpcToken(). isSession = validateIpcToken() && !isMaster.
-            // If valid-token is NOT master and NOT session, it returns 403.
+            expect(result1?.error?.code).toBe(ConduitError.Forbidden);
+            expect(mockNext).not.toHaveBeenCalled();
+
+            // Master token -> allowed
+            mockNext.mockClear();
+            mockSecurityService.isMasterToken.mockReturnValue(true);
 
-            // Let's make it a master token to pass 'valid-token' test
-            mockSecurityService.getIpcToken.mockReturnValue('valid-token');
-            authMiddleware.handle(request as any, context, mockNext);
+            const result2 = await authMiddleware.handle(request as any, context, mockNext);
+            expect(result2?.error).toBeUndefined();
             expect(mockNext).toHaveBeenCalled();
         });
 
         it('should throw Forbidden if token is invalid', async () => {
-            mockSecurityService.getIpcToken.mockReturnValue('master-token');
+            mockSecurityService.isMasterToken.mockReturnValue(false);
             mockSecurityService.validateIpcToken.mockReturnValue(false);
 
             const request = {
@@ -76,7 +79,7 @@ describe('Middleware Tests', () => {
             };
 
             const result = await authMiddleware.handle(request as any, context, mockNext);
-            expect(result.error?.code).toBe(ConduitError.Forbidden);
+            expect(result?.error?.code).toBe(ConduitError.Forbidden);
             expect(mockNext).not.toHaveBeenCalled();
         });
     });

package/tests/routing.test.ts

@@ -43,6 +43,7 @@ describe('RequestController Routing', () => {
             createSession: vi.fn().mockReturnValue('token'),
             invalidateSession: vi.fn(),
             getIpcToken: vi.fn().mockReturnValue('master-token'),
+            isMasterToken: vi.fn().mockReturnValue(true),
             validateIpcToken: vi.fn().mockReturnValue(true),
             getSession: vi.fn(),
             checkRateLimit: vi.fn().mockReturnValue(true),

package/tests/upstream.transports.test.ts

@@ -0,0 +1,156 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+
+const mcpClientMocks = {
+    connect: vi.fn(async () => undefined),
+    listTools: vi.fn(async () => ({ tools: [{ name: 'hello', description: 'hi', inputSchema: {} }] })),
+    callTool: vi.fn(async () => ({ content: [{ type: 'text', text: 'ok' }] })),
+    request: vi.fn(async () => ({ ok: true })),
+};
+
+const transportMocks = {
+    streamableHttpCtor: vi.fn(),
+    sseCtor: vi.fn(),
+};
+
+vi.mock('@modelcontextprotocol/sdk/client/index.js', () => {
+    return {
+        Client: class {
+            connect = mcpClientMocks.connect;
+            listTools = mcpClientMocks.listTools;
+            callTool = mcpClientMocks.callTool;
+            request = mcpClientMocks.request;
+            constructor() {}
+        },
+    };
+});
+
+vi.mock('@modelcontextprotocol/sdk/client/streamableHttp.js', () => {
+    return {
+        StreamableHTTPClientTransport: class {
+            url: URL;
+            opts: any;
+            constructor(url: URL, opts: any) {
+                this.url = url;
+                this.opts = opts;
+                transportMocks.streamableHttpCtor(url, opts);
+            }
+        },
+    };
+});
+
+vi.mock('@modelcontextprotocol/sdk/client/sse.js', () => {
+    return {
+        SSEClientTransport: class {
+            url: URL;
+            opts: any;
+            constructor(url: URL, opts: any) {
+                this.url = url;
+                this.opts = opts;
+                transportMocks.sseCtor(url, opts);
+            }
+        },
+    };
+});
+
+// Not used directly but imported by UpstreamClient
+vi.mock('@modelcontextprotocol/sdk/client/stdio.js', () => {
+    return {
+        StdioClientTransport: class {},
+    };
+});
+
+describe('UpstreamClient (remote transports)', () => {
+    const originalFetch = globalThis.fetch;
+
+    beforeEach(() => {
+        vi.clearAllMocks();
+        globalThis.fetch = vi.fn(async () => new Response(null, { status: 200 })) as any;
+    });
+
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
+    });
+
+    it('uses Streamable HTTP client transport for type=streamableHttp', async () => {
+        const { UpstreamClient } = await import('../src/gateway/upstream.client.js');
+
+        const logger: any = { child: () => logger, debug: vi.fn(), info: vi.fn(), error: vi.fn() };
+        const authService: any = { getAuthHeaders: vi.fn(async () => ({ Authorization: 'Bearer t' })) };
+        const urlValidator: any = { validateUrl: vi.fn(async () => ({ valid: true })) };
+
+        const client = new UpstreamClient(
+            logger,
+            { id: 'atl', type: 'streamableHttp', url: 'https://mcp.atlassian.com/v1/sse' } as any,
+            authService,
+            urlValidator
+        );
+
+        const res = await client.call({ jsonrpc: '2.0', id: '1', method: 'tools/list' } as any, { correlationId: 'c1' } as any);
+
+        expect(transportMocks.streamableHttpCtor).toHaveBeenCalled();
+        expect(urlValidator.validateUrl).toHaveBeenCalled();
+        expect(mcpClientMocks.connect).toHaveBeenCalled();
+        expect(mcpClientMocks.listTools).toHaveBeenCalled();
+        expect(res.result).toBeDefined();
+    });
+
+    it('pins DNS resolution and blocks cross-origin fetches', async () => {
+        const { UpstreamClient } = await import('../src/gateway/upstream.client.js');
+
+        const logger: any = { child: () => logger, debug: vi.fn(), info: vi.fn(), error: vi.fn() };
+        const authService: any = { getAuthHeaders: vi.fn(async () => ({ Authorization: 'Bearer t' })) };
+        const urlValidator: any = { validateUrl: vi.fn(async () => ({ valid: true, resolvedIp: '93.184.216.34' })) };
+
+        const client = new UpstreamClient(
+            logger,
+            { id: 'atl', type: 'streamableHttp', url: 'https://mcp.atlassian.com/v1/sse' } as any,
+            authService,
+            urlValidator
+        );
+
+        // Trigger initial URL validation + pinning
+        await client.call({ jsonrpc: '2.0', id: '1', method: 'tools/list' } as any, { correlationId: 'c1' } as any);
+
+        const [, opts] = transportMocks.streamableHttpCtor.mock.calls[0];
+        const wrappedFetch = opts.fetch;
+
+        // Same-origin request should pass a dispatcher and block redirects
+        await wrappedFetch('https://mcp.atlassian.com/v1/sse', {});
+        expect((globalThis.fetch as any).mock.calls.length).toBeGreaterThan(0);
+        const [request, init] = (globalThis.fetch as any).mock.calls.at(-1);
+        expect(request).toBeInstanceOf(Request);
+        expect(request.redirect).toBe('manual');
+        expect(init?.dispatcher).toBeDefined();
+
+        // Cross-origin request should be blocked
+        await expect(wrappedFetch('https://evil.example.com/', {})).rejects.toThrow(/Forbidden upstream redirect\/origin/);
+    });
+
+    it('lazily creates SSE transport for type=sse and attaches auth headers', async () => {
+        const { UpstreamClient } = await import('../src/gateway/upstream.client.js');
+
+        const logger: any = { child: () => logger, debug: vi.fn(), info: vi.fn(), error: vi.fn() };
+        const authService: any = { getAuthHeaders: vi.fn(async () => ({ Authorization: 'Bearer t' })) };
+        const urlValidator: any = { validateUrl: vi.fn(async () => ({ valid: true })) };
+
+        const client = new UpstreamClient(
+            logger,
+            {
+                id: 'atl',
+                type: 'sse',
+                url: 'https://mcp.atlassian.com/v1/sse',
+                credentials: { type: 'bearer', bearerToken: 't' },
+            } as any,
+            authService,
+            urlValidator
+        );
+
+        await client.call({ jsonrpc: '2.0', id: '1', method: 'tools/list' } as any, { correlationId: 'c1' } as any);
+
+        expect(authService.getAuthHeaders).toHaveBeenCalled();
+        expect(transportMocks.sseCtor).toHaveBeenCalled();
+        const [, opts] = transportMocks.sseCtor.mock.calls[0];
+        expect(opts.requestInit.headers).toMatchObject({ Authorization: 'Bearer t' });
+        expect(mcpClientMocks.connect).toHaveBeenCalled();
+    });
+});

package/tests/debug.fallback.test.ts

@@ -1,40 +0,0 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
-import { GatewayService } from '../src/gateway/gateway.service.js';
-import { ExecutionContext } from '../src/core/execution.context.js';
-import pino from 'pino';
-
-const logger = pino({ level: 'silent' });
-
-describe('GatewayService Namespace Fallback Debug', () => {
-    let gateway: GatewayService;
-    let context: ExecutionContext;
-
-    beforeEach(() => {
-        const securityService = {
-            validateUrl: vi.fn().mockReturnValue({ valid: true }),
-        } as any;
-        gateway = new GatewayService(logger, securityService);
-        context = new ExecutionContext({ logger });
-    });
-
-    it('should show detailed error when upstream not found', async () => {
-        const response = await gateway.callTool('nonexistent__tool', {}, context);
-        expect(response.error?.message).toContain("Upstream not found: 'nonexistent'");
-        expect(response.error?.message).toContain("Available: none");
-    });
-
-    it('should hit fallback for namespaceless tool', async () => {
-        // Register an upstream with a tool
-        gateway.registerUpstream({ id: 'fs', url: 'http://fs' });
-
-        // Mock discovery
-        vi.spyOn(gateway, 'discoverTools').mockResolvedValue([
-            { name: 'fs__list_directory', description: '', inputSchema: {} }
-        ] as any);
-
-        const response = await gateway.callTool('list_directory', {}, context);
-        // It should NOT return "Upstream not found: ''"
-        expect(response.error?.message).not.toContain("Upstream not found");
-        // It should try to call fs__list_directory (which will fail due to lack of axios mock here, but that's fine)
-    });
-});

package/tests/debug_upstream.ts

@@ -1,69 +0,0 @@
-/**
- * Debug script to verify the filesystem upstream is working correctly.
- * Run with: npx tsx tests/debug_upstream.ts
- */
-import { ConfigService } from '../src/core/config.service.js';
-import { createLogger } from '../src/core/logger.js';
-import { GatewayService } from '../src/gateway/gateway.service.js';
-import { SecurityService } from '../src/core/security.service.js';
-import { ExecutionContext } from '../src/core/execution.context.js';
-
-async function main() {
-    console.log('=== Conduit Upstream Debug ===\n');
-
-    const configService = new ConfigService();
-    const logger = createLogger(configService);
-
-    console.log('Config loaded from:', process.cwd());
-    console.log('Upstreams configured:', JSON.stringify(configService.get('upstreams'), null, 2));
-    console.log();
-
-    const securityService = new SecurityService(logger, undefined);
-    const gatewayService = new GatewayService(logger, securityService);
-
-    // Register upstreams from config
-    const upstreams = configService.get('upstreams') || [];
-    for (const upstream of upstreams) {
-        console.log(`Registering upstream: ${upstream.id} (${upstream.type})`);
-        gatewayService.registerUpstream(upstream);
-    }
-
-    console.log('\n=== Testing Tool Discovery ===\n');
-
-    const context = new ExecutionContext({ logger });
-
-    // Give the filesystem server a moment to start
-    console.log('Waiting 3 seconds for upstream servers to initialize...');
-    await new Promise(resolve => setTimeout(resolve, 3000));
-
-    try {
-        const tools = await gatewayService.discoverTools(context);
-        console.log(`\nDiscovered ${tools.length} tools:`);
-        for (const tool of tools) {
-            console.log(`  - ${tool.name}: ${tool.description || '(no description)'}`);
-        }
-
-        // Try to find list_directory
-        const listDirTool = tools.find(t => t.name.includes('list_directory') || t.name.includes('list_dir'));
-        if (listDirTool) {
-            console.log(`\n✅ Found list_directory tool: ${listDirTool.name}`);
-
-            // Try calling it
-            console.log('\n=== Testing Tool Call ===\n');
-            const result = await gatewayService.callTool(listDirTool.name, { path: '/private/tmp' }, context);
-            console.log('Result:', JSON.stringify(result, null, 2));
-        } else {
-            console.log('\n❌ list_directory tool NOT found in discovered tools');
-        }
-    } catch (error: any) {
-        console.error('Error during discovery:', error.message);
-    }
-
-    console.log('\n=== Debug Complete ===');
-    process.exit(0);
-}
-
-main().catch(err => {
-    console.error('Fatal error:', err);
-    process.exit(1);
-});