@nexvora/mcp-server 0.3.2 → 0.4.0

package/src/__tests__/NexvoraClient.test.ts

@@ -1,424 +0,0 @@
-import { jest } from "@jest/globals";
-
-import { type Config, type IConfigStore } from "../config.js";
-import {
-  NexvoraApiError,
-  NexvoraClient,
-  PatRevokedOrExpiredError,
-  PatScopeMissingError,
-  SessionExpiredError,
-} from "../NexvoraClient.js";
-
-const BASE_URL = "https://api.nxvora.online";
-const TOKEN = "test-token-abc";
-
-function makeClient(overrides?: Partial<{ baseUrl: string; accessToken: string; agentId?: string }>) {
-  return new NexvoraClient({ baseUrl: BASE_URL, accessToken: TOKEN, ...overrides });
-}
-
-// ── In-memory config store for refresh tests ──────────────────────────────────
-
-function makeConfigStore(overrides?: Partial<Config>): IConfigStore & { config: Config } {
-  const store = {
-    config: {
-      accessToken: TOKEN,
-      refreshToken: "refresh-token-xyz",
-      expiresAt: Math.floor(Date.now() / 1000) + 3600, // valid for 1h by default
-      serverUrl: BASE_URL,
-      userId: "user-001",
-      ...overrides,
-    } as Config,
-    read(): Config {
-      return this.config;
-    },
-    write(c: Config): void {
-      this.config = c;
-    },
-  };
-  return store;
-}
-
-describe("NexvoraClient", () => {
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  let fetchMock: any;
-
-  beforeEach(() => {
-    fetchMock = jest.fn();
-    global.fetch = fetchMock;
-  });
-
-  afterEach(() => {
-    jest.resetAllMocks();
-  });
-
-  describe("sendAudit", () => {
-    it("posts to /mcp/audit with Bearer token", async () => {
-      fetchMock.mockResolvedValueOnce(new Response(null, { status: 204 }));
-
-      const client = makeClient();
-      await client.sendAudit({ toolName: "nexvora_wallet_balance", outcome: "success" });
-
-      expect(fetchMock).toHaveBeenCalledWith(
-        `${BASE_URL}/mcp/audit`,
-        expect.objectContaining({
-          method: "POST",
-          headers: expect.objectContaining({ Authorization: `Bearer ${TOKEN}` }),
-        }),
-      );
-    });
-
-    it("swallows network errors silently", async () => {
-      fetchMock.mockRejectedValueOnce(new Error("Network failure"));
-
-      const client = makeClient();
-      await expect(
-        client.sendAudit({ toolName: "nexvora_wallet_balance", outcome: "success" }),
-      ).resolves.toBeUndefined();
-    });
-
-    it("swallows non-2xx responses silently", async () => {
-      fetchMock.mockResolvedValueOnce(new Response("Server Error", { status: 500 }));
-
-      const client = makeClient();
-      await expect(
-        client.sendAudit({ toolName: "nexvora_wallet_balance", outcome: "error" }),
-      ).resolves.toBeUndefined();
-    });
-
-    it("strips trailing slash from baseUrl", async () => {
-      fetchMock.mockResolvedValueOnce(new Response(null, { status: 204 }));
-
-      const client = new NexvoraClient({ baseUrl: `${BASE_URL}/`, accessToken: TOKEN });
-      await client.sendAudit({ toolName: "tool", outcome: "success" });
-
-      const [url] = fetchMock.mock.calls[0]!;
-      expect(url).toBe(`${BASE_URL}/mcp/audit`);
-    });
-  });
-
-  describe("post", () => {
-    it("returns parsed JSON on 2xx response", async () => {
-      const body = { id: "task-123", status: "PENDING" };
-      fetchMock.mockResolvedValueOnce(
-        new Response(JSON.stringify(body), {
-          status: 200,
-          headers: { "Content-Type": "application/json" },
-        }),
-      );
-
-      const client = makeClient();
-      const result = await client.post("/tasks", { prompt: "test" });
-
-      expect(result).toEqual(body);
-    });
-
-    it("throws NexvoraApiError on 4xx", async () => {
-      fetchMock.mockResolvedValueOnce(new Response("Not Found", { status: 404 }));
-
-      const client = makeClient();
-      await expect(client.post("/tasks", {})).rejects.toBeInstanceOf(NexvoraApiError);
-    });
-
-    it("throws NexvoraApiError with correct statusCode", async () => {
-      fetchMock.mockResolvedValueOnce(new Response("Too Many Requests", { status: 429 }));
-
-      const client = makeClient();
-      try {
-        await client.post("/tasks", {});
-      } catch (err) {
-        expect(err).toBeInstanceOf(NexvoraApiError);
-        expect((err as NexvoraApiError).statusCode).toBe(429);
-        expect((err as NexvoraApiError).isRateLimited).toBe(true);
-      }
-    });
-  });
-
-  describe("NexvoraApiError.toAuditOutcome", () => {
-    it("returns rate_limited for 429", () => {
-      const err = new NexvoraApiError(429, "", "/tasks");
-      expect(err.toAuditOutcome()).toBe("rate_limited");
-    });
-
-    it("returns unauthorized for 401", () => {
-      const err = new NexvoraApiError(401, "", "/tasks");
-      expect(err.toAuditOutcome()).toBe("unauthorized");
-    });
-
-    it("returns unauthorized for 403", () => {
-      const err = new NexvoraApiError(403, "", "/tasks");
-      expect(err.toAuditOutcome()).toBe("unauthorized");
-    });
-
-    it("returns error for 500", () => {
-      const err = new NexvoraApiError(500, "", "/tasks");
-      expect(err.toAuditOutcome()).toBe("error");
-    });
-  });
-
-  describe("token refresh", () => {
-    const REFRESH_RESPONSE = {
-      accessToken: "new-access-token",
-      refreshToken: "new-refresh-token",
-      expiresAt: Math.floor(Date.now() / 1000) + 7200,
-    };
-
-    it("proactively refreshes when token expires within 60 seconds", async () => {
-      const store = makeConfigStore({
-        expiresAt: Math.floor(Date.now() / 1000) + 30, // expires in 30s
-      });
-      const client = new NexvoraClient({ baseUrl: BASE_URL, accessToken: TOKEN, configStore: store });
-
-      // refresh call then actual GET
-      fetchMock
-        .mockResolvedValueOnce(
-          new Response(JSON.stringify(REFRESH_RESPONSE), {
-            status: 200,
-            headers: { "Content-Type": "application/json" },
-          }),
-        )
-        .mockResolvedValueOnce(
-          new Response(JSON.stringify({ ok: true }), {
-            status: 200,
-            headers: { "Content-Type": "application/json" },
-          }),
-        );
-
-      await client.get("/some-path");
-
-      // First call should be to /auth/refresh
-      const [firstUrl] = fetchMock.mock.calls[0] as [string];
-      expect(firstUrl).toBe(`${BASE_URL}/auth/refresh`);
-
-      // Config store should be updated with new tokens
-      expect(store.config.accessToken).toBe("new-access-token");
-      expect(store.config.refreshToken).toBe("new-refresh-token");
-    });
-
-    it("retries original request with new token after 401", async () => {
-      const store = makeConfigStore();
-      const client = new NexvoraClient({ baseUrl: BASE_URL, accessToken: TOKEN, configStore: store });
-
-      fetchMock
-        .mockResolvedValueOnce(new Response("Unauthorized", { status: 401 })) // original request
-        .mockResolvedValueOnce(
-          new Response(JSON.stringify(REFRESH_RESPONSE), {
-            status: 200,
-            headers: { "Content-Type": "application/json" },
-          }),
-        ) // refresh
-        .mockResolvedValueOnce(
-          new Response(JSON.stringify({ data: "result" }), {
-            status: 200,
-            headers: { "Content-Type": "application/json" },
-          }),
-        ); // retry
-
-      const result = await client.get<{ data: string }>("/protected");
-
-      expect(result).toEqual({ data: "result" });
-      expect(fetchMock).toHaveBeenCalledTimes(3);
-      // Retry uses the new token
-      const [, retryInit] = fetchMock.mock.calls[2] as [string, RequestInit];
-      expect((retryInit.headers as Record<string, string>)["Authorization"]).toBe(
-        "Bearer new-access-token",
-      );
-    });
-
-    it("throws SessionExpiredError when refresh endpoint returns 401", async () => {
-      const store = makeConfigStore();
-      const client = new NexvoraClient({ baseUrl: BASE_URL, accessToken: TOKEN, configStore: store });
-
-      fetchMock
-        .mockResolvedValueOnce(new Response("Unauthorized", { status: 401 })) // original
-        .mockResolvedValueOnce(new Response("Unauthorized", { status: 401 })); // refresh also fails
-
-      await expect(client.get("/protected")).rejects.toBeInstanceOf(SessionExpiredError);
-    });
-
-    it("SessionExpiredError message tells user to re-login", async () => {
-      const store = makeConfigStore();
-      const client = new NexvoraClient({ baseUrl: BASE_URL, accessToken: TOKEN, configStore: store });
-
-      fetchMock
-        .mockResolvedValueOnce(new Response("Unauthorized", { status: 401 }))
-        .mockResolvedValueOnce(new Response("Unauthorized", { status: 401 }));
-
-      try {
-        await client.get("/protected");
-      } catch (err) {
-        expect((err as Error).message).toContain("nexvora login");
-      }
-    });
-
-    it("deduplicates concurrent refresh requests — only ONE /auth/refresh call", async () => {
-      const store = makeConfigStore({
-        expiresAt: Math.floor(Date.now() / 1000) + 30, // proactive refresh
-      });
-      const client = new NexvoraClient({ baseUrl: BASE_URL, accessToken: TOKEN, configStore: store });
-
-      const dataResponse = () =>
-        new Response(JSON.stringify({ ok: true }), {
-          status: 200,
-          headers: { "Content-Type": "application/json" },
-        });
-      const refreshResponse = new Response(JSON.stringify(REFRESH_RESPONSE), {
-        status: 200,
-        headers: { "Content-Type": "application/json" },
-      });
-
-      // One refresh + three data responses
-      fetchMock
-        .mockResolvedValueOnce(refreshResponse)
-        .mockResolvedValueOnce(dataResponse())
-        .mockResolvedValueOnce(dataResponse())
-        .mockResolvedValueOnce(dataResponse());
-
-      // Fire three concurrent requests
-      await Promise.all([
-        client.get("/path-a"),
-        client.get("/path-b"),
-        client.get("/path-c"),
-      ]);
-
-      const refreshCalls = (fetchMock.mock.calls as [string][]).filter(([url]) =>
-        url.endsWith("/auth/refresh"),
-      );
-      expect(refreshCalls).toHaveLength(1);
-    });
-
-    it("does not attempt refresh when no configStore is provided", async () => {
-      // Client without configStore
-      const client = makeClient();
-
-      fetchMock.mockResolvedValueOnce(new Response("Unauthorized", { status: 401 }));
-
-      // Should throw NexvoraApiError (not attempt refresh)
-      await expect(client.get("/protected")).rejects.toBeInstanceOf(NexvoraApiError);
-      expect(fetchMock).toHaveBeenCalledTimes(1);
-    });
-  });
-
-  // ── PAT (Personal Access Token) authentication path ─────────────────────────
-  describe("PAT auth path", () => {
-    const PAT = "nxv_pat_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA111";
-
-    it("PAT path skips token refresh entirely (no /auth/refresh call)", async () => {
-      // Even with an expired config + a config store present, a PAT must never
-      // hit /auth/refresh — refresh tokens belong to the OAuth path only.
-      const store = makeConfigStore({ expiresAt: 0 }); // expired
-      fetchMock.mockResolvedValueOnce(
-        new Response(JSON.stringify({ balance: 1000 }), {
-          status: 200,
-          headers: { "Content-Type": "application/json" },
-        }),
-      );
-
-      const client = new NexvoraClient({
-        baseUrl: BASE_URL,
-        accessToken: PAT,
-        configStore: store,
-      });
-      await client.get("/wallet");
-
-      const calledUrls = fetchMock.mock.calls.map((c: unknown[]) => c[0]);
-      expect(calledUrls).toEqual([`${BASE_URL}/wallet`]);
-      expect(calledUrls).not.toContain(`${BASE_URL}/auth/refresh`);
-    });
-
-    it("PAT 401 throws PatRevokedOrExpiredError pointing to regen URL", async () => {
-      fetchMock.mockResolvedValueOnce(
-        new Response("Unauthorized", { status: 401 }),
-      );
-
-      const client = new NexvoraClient({ baseUrl: BASE_URL, accessToken: PAT });
-      const error = await client.get("/wallet").catch((e: Error) => e);
-
-      expect(error).toBeInstanceOf(PatRevokedOrExpiredError);
-      expect(error.message).toContain(
-        "https://app.nxvora.online/app/settings/mcp-tokens",
-      );
-      // No refresh attempted — exactly one fetch
-      expect(fetchMock).toHaveBeenCalledTimes(1);
-    });
-
-    it("PAT 403 with type=pat-scope-missing throws PatScopeMissingError", async () => {
-      fetchMock.mockResolvedValueOnce(
-        new Response(
-          JSON.stringify({
-            type: "https://nxvora.online/errors/pat-scope-missing",
-            required_scope: "tool:submit_task",
-            detail: "This token lacks the required scope: tool:submit_task",
-          }),
-          {
-            status: 403,
-            headers: { "Content-Type": "application/problem+json" },
-          },
-        ),
-      );
-
-      const client = new NexvoraClient({ baseUrl: BASE_URL, accessToken: PAT });
-      const error = await client.post("/tasks", { prompt: "x" }).catch(
-        (e: Error) => e,
-      );
-
-      expect(error).toBeInstanceOf(PatScopeMissingError);
-      expect((error as PatScopeMissingError).requiredScope).toBe(
-        "tool:submit_task",
-      );
-      expect(error.message).toContain("tool:submit_task");
-    });
-
-    it("PAT 403 without pat-scope-missing falls through to NexvoraApiError", async () => {
-      // A generic 403 (not scope-related) should still surface as the standard
-      // NexvoraApiError so the existing tool-side rate-limit / unauthorized
-      // branching keeps working.
-      fetchMock.mockResolvedValueOnce(
-        new Response("Forbidden", { status: 403 }),
-      );
-
-      const client = new NexvoraClient({ baseUrl: BASE_URL, accessToken: PAT });
-      await expect(client.get("/wallet")).rejects.toBeInstanceOf(
-        NexvoraApiError,
-      );
-    });
-
-    it("JWT 401 still triggers refresh (regression guard)", async () => {
-      // Config is fresh (expiresAt in the future) so ensureTokenFresh does NOT
-      // proactively refresh. The 401 from the backend triggers the *reactive*
-      // refresh path — this is the regression we're guarding against.
-      const store = makeConfigStore();
-      // Initial request returns 401, refresh succeeds, retry returns 200.
-      fetchMock
-        .mockResolvedValueOnce(new Response("Unauthorized", { status: 401 }))
-        .mockResolvedValueOnce(
-          new Response(
-            JSON.stringify({
-              accessToken: "new-jwt",
-              refreshToken: "new-refresh",
-              expiresAt: Math.floor(Date.now() / 1000) + 3600,
-            }),
-            {
-              status: 200,
-              headers: { "Content-Type": "application/json" },
-            },
-          ),
-        )
-        .mockResolvedValueOnce(
-          new Response(JSON.stringify({ ok: true }), {
-            status: 200,
-            headers: { "Content-Type": "application/json" },
-          }),
-        );
-
-      const client = new NexvoraClient({
-        baseUrl: BASE_URL,
-        accessToken: "test-jwt",
-        configStore: store,
-      });
-      const result = await client.get<{ ok: boolean }>("/wallet");
-      expect(result).toEqual({ ok: true });
-      // Three calls: original 401, /auth/refresh, retry
-      expect(fetchMock).toHaveBeenCalledTimes(3);
-    });
-  });
-});

package/src/__tests__/RateLimiter.test.ts

@@ -1,151 +0,0 @@
-import { jest } from "@jest/globals";
-
-import { DEFAULT_RATE_LIMITS, RateLimiterRegistry, TokenBucket } from "../RateLimiter.js";
-
-// ── TokenBucket ────────────────────────────────────────────────────────────────
-
-describe("TokenBucket", () => {
-  beforeEach(() => {
-    jest.useFakeTimers({ now: 1_000_000_000_000 });
-  });
-  afterEach(() => {
-    jest.useRealTimers();
-  });
-
-  it("allows the first call when bucket is full", () => {
-    const bucket = new TokenBucket(5, 5 / 60);
-    expect(bucket.tryConsume()).toEqual({ allowed: true });
-  });
-
-  it("allows up to capacity calls before exhausting", () => {
-    const bucket = new TokenBucket(3, 3 / 60);
-    expect(bucket.tryConsume().allowed).toBe(true);
-    expect(bucket.tryConsume().allowed).toBe(true);
-    expect(bucket.tryConsume().allowed).toBe(true);
-    expect(bucket.tryConsume().allowed).toBe(false);
-  });
-
-  it("returns retryAfterMs > 0 when exhausted", () => {
-    const bucket = new TokenBucket(1, 1 / 60);
-    bucket.tryConsume(); // consume the only token
-    const result = bucket.tryConsume();
-    expect(result.allowed).toBe(false);
-    if (!result.allowed) {
-      expect(result.retryAfterMs).toBeGreaterThan(0);
-    }
-  });
-
-  it("refills tokens after time passes", () => {
-    const bucket = new TokenBucket(5, 5 / 60); // 5/min → 1 token per 12s
-    // drain all 5 tokens
-    for (let i = 0; i < 5; i++) bucket.tryConsume();
-    expect(bucket.tryConsume().allowed).toBe(false);
-
-    // advance 15 seconds (>12s → should have > 1 token)
-    jest.advanceTimersByTime(15_000);
-    expect(bucket.tryConsume().allowed).toBe(true);
-  });
-
-  it("does not refill above capacity", () => {
-    const bucket = new TokenBucket(3, 3 / 60);
-    // advance 10 minutes — should not exceed capacity of 3
-    jest.advanceTimersByTime(600_000);
-    // consume 3 (capacity) — all should be allowed
-    expect(bucket.tryConsume().allowed).toBe(true);
-    expect(bucket.tryConsume().allowed).toBe(true);
-    expect(bucket.tryConsume().allowed).toBe(true);
-    expect(bucket.tryConsume().allowed).toBe(false);
-  });
-
-  it("retryAfterMs decreases as time passes", () => {
-    const bucket = new TokenBucket(1, 1 / 60); // 1/min → refills 1 token per 60s
-    bucket.tryConsume(); // drain
-
-    const before = bucket.tryConsume();
-    expect(before.allowed).toBe(false);
-    const retryBefore = before.allowed ? 0 : before.retryAfterMs;
-
-    jest.advanceTimersByTime(10_000); // advance 10s
-
-    const after = bucket.tryConsume();
-    expect(after.allowed).toBe(false);
-    const retryAfter = after.allowed ? 0 : after.retryAfterMs;
-
-    expect(retryAfter).toBeLessThan(retryBefore);
-  });
-});
-
-// ── RateLimiterRegistry ────────────────────────────────────────────────────────
-
-describe("RateLimiterRegistry", () => {
-  beforeEach(() => {
-    jest.useFakeTimers({ now: 1_000_000_000_000 });
-  });
-  afterEach(() => {
-    jest.useRealTimers();
-  });
-
-  it("always allows tools not in the registry", () => {
-    const registry = new RateLimiterRegistry({});
-    expect(registry.tryConsume("unknown_tool")).toEqual({ allowed: true });
-  });
-
-  it("enforces limits for tools in the registry", () => {
-    const registry = new RateLimiterRegistry({ my_tool: 2 });
-    expect(registry.tryConsume("my_tool").allowed).toBe(true);
-    expect(registry.tryConsume("my_tool").allowed).toBe(true);
-    expect(registry.tryConsume("my_tool").allowed).toBe(false);
-  });
-
-  it("isolates buckets per tool — exhausting one does not affect another", () => {
-    const registry = new RateLimiterRegistry({ tool_a: 1, tool_b: 1 });
-    registry.tryConsume("tool_a"); // exhaust tool_a
-    expect(registry.tryConsume("tool_a").allowed).toBe(false);
-    expect(registry.tryConsume("tool_b").allowed).toBe(true); // tool_b unaffected
-  });
-
-  it("refills after time passes", () => {
-    const registry = new RateLimiterRegistry({ tight_tool: 1 }); // 1/min = 1 token per 60s
-    registry.tryConsume("tight_tool"); // drain
-    expect(registry.tryConsume("tight_tool").allowed).toBe(false);
-
-    jest.advanceTimersByTime(65_000); // 65s > 60s refill period
-    expect(registry.tryConsume("tight_tool").allowed).toBe(true);
-  });
-
-  it("DEFAULT_RATE_LIMITS contains all 11 required tools", () => {
-    const required = [
-      "nexvora_wallet_balance",
-      "nexvora_observatory",
-      "nexvora_agentstack_search",
-      "nexvora_agentstack_ask",
-      "nexvora_agentstack_answer",
-      "nexvora_feed_post",
-      "nexvora_feed_react",
-      "nexvora_consulting_search",
-      "nexvora_consulting_book",
-      "nexvora_knowledge_search",
-      "nexvora_knowledge_subscribe",
-    ];
-    for (const tool of required) {
-      expect(DEFAULT_RATE_LIMITS).toHaveProperty(tool);
-      expect(DEFAULT_RATE_LIMITS[tool]).toBeGreaterThan(0);
-    }
-  });
-
-  it("uses DEFAULT_RATE_LIMITS when constructed with no arguments", () => {
-    const registry = new RateLimiterRegistry();
-    // nexvora_agentstack_ask has limit 5 — exhaust and verify
-    for (let i = 0; i < 5; i++) {
-      expect(registry.tryConsume("nexvora_agentstack_ask").allowed).toBe(true);
-    }
-    expect(registry.tryConsume("nexvora_agentstack_ask").allowed).toBe(false);
-  });
-
-  it("allows overriding individual limits via constructor", () => {
-    const registry = new RateLimiterRegistry({ nexvora_feed_post: 2 });
-    expect(registry.tryConsume("nexvora_feed_post").allowed).toBe(true);
-    expect(registry.tryConsume("nexvora_feed_post").allowed).toBe(true);
-    expect(registry.tryConsume("nexvora_feed_post").allowed).toBe(false);
-  });
-});