@thotischner/observability-mcp 3.0.0 → 3.1.0

package/dist/metrics/self.d.ts

@@ -5,6 +5,7 @@ export declare const mcpToolLatency: Histogram<"tool">;
 export declare const connectorCalls: Counter<"type" | "source" | "outcome" | "operation">;
 export declare const apiRequests: Counter<"status" | "route" | "method">;
 export declare const mcpActiveSessions: Gauge<string>;
+export declare const auditDlqDepth: Gauge<string>;
 /**
  * Wrap a (potentially async) tool handler to record call count + latency.
  * Outcome is "ok" or "error" — never throws on its own.

package/dist/metrics/self.js

@@ -40,6 +40,14 @@ export const mcpActiveSessions = new Gauge({
     help: "Active MCP Streamable HTTP sessions.",
     registers: [selfRegistry],
 });
+// P9: Audit webhook dead-letter queue depth. Refreshed on each
+// `/metrics` scrape and when the operator hits `/api/audit/dlq`.
+// Stays at 0 when no DLQ file is configured or the file is missing.
+export const auditDlqDepth = new Gauge({
+    name: "obsmcp_audit_webhook_dlq_depth",
+    help: "Number of audit entries waiting in the webhook-sink dead-letter queue.",
+    registers: [selfRegistry],
+});
 /**
  * Wrap a (potentially async) tool handler to record call count + latency.
  * Outcome is "ok" or "error" — never throws on its own.

package/dist/openapi.js

@@ -394,6 +394,45 @@ export function buildOpenApiSpec(version) {
                     responses: { "204": { description: "Cookie cleared." } },
                 },
             },
+            "/api/auth/revocations": {
+                get: {
+                    tags: ["auth"],
+                    summary: "List session revocations (admin).",
+                    description: "Returns the current revocation blocklist. Admin-gated (users:delete). Empty in anonymous mode.",
+                    responses: {
+                        "200": { description: "Array of revocation entries." },
+                        "401": { description: "Authentication required." },
+                        "403": { description: "Caller lacks the admin permission." },
+                    },
+                },
+                post: {
+                    tags: ["auth"],
+                    summary: "Revoke a session or all of a subject's sessions (admin).",
+                    description: "Adds an entry to the on-disk blocklist. Provide exactly one of `sid` (revoke one session — copy it from /api/me) or `sub` (log a user out everywhere — revokes every session issued so far; a fresh login afterwards is unaffected). The next request bearing a revoked cookie is treated as logged out.",
+                    requestBody: {
+                        required: true,
+                        content: {
+                            "application/json": {
+                                schema: {
+                                    type: "object",
+                                    properties: {
+                                        sid: { type: "string", description: "Session id to revoke (from /api/me)." },
+                                        sub: { type: "string", description: "Subject whose current sessions to revoke." },
+                                        reason: { type: "string", description: "Optional free-text reason (truncated to 500 chars)." },
+                                    },
+                                },
+                            },
+                        },
+                    },
+                    responses: {
+                        "201": { description: "Revocation recorded; the entry is returned." },
+                        "400": { description: "Neither or both of sid/sub supplied." },
+                        "401": { description: "Authentication required." },
+                        "403": { description: "Caller lacks the admin permission." },
+                        "503": { description: "Server is in anonymous mode (no sessions to revoke)." },
+                    },
+                },
+            },
             "/api/auth/oidc/login": {
                 get: {
                     tags: ["auth"],

package/dist/openapi.test.js

@@ -19,6 +19,7 @@ test("openapi — every user-visible /api path is documented", () => {
         "/api/me",
         "/api/auth/login",
         "/api/auth/logout",
+        "/api/auth/revocations",
         "/api/auth/oidc/login",
         "/api/auth/oidc/callback",
         "/api/auth/oidc/logout",

package/dist/policy/redact.js

@@ -31,7 +31,7 @@ const PATTERNS = [
     // - PEM private-key blocks: greedy match across newlines.
     { category: "aws-key", re: /\b(?:AKIA|ASIA|AROA)[0-9A-Z]{16,20}\b/g },
     { category: "slack-token", re: /\bxox[abprsu]-[A-Za-z0-9-]{10,}\b/g },
-    { category: "gh-pat", re: /\b(?:github_pat_[A-Za-z0-9_]{40,}|gh[opsuru]_[A-Za-z0-9]{36})\b/g },
+    { category: "gh-pat", re: /\b(?:github_pat_[A-Za-z0-9_]{40,}|gh[oprsu]_[A-Za-z0-9]{36})\b/g },
     { category: "private-key", re: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY-----[\s\S]*?-----END (?:RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY-----/g },
     // emails before other patterns so they don't get eaten partially
     { category: "email", re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,24}\b/g },

package/dist/postmortem/store.d.ts

@@ -0,0 +1,34 @@
+import type { PostmortemReport } from "./synthesizer.js";
+export interface StoredPostmortem {
+    id: string;
+    /** RFC-3339 timestamp of when the report was generated. */
+    ts: string;
+    /** Subject identity that called generate_postmortem. */
+    createdBy: string;
+    /** Tenant the report belongs to. */
+    tenant: string;
+    /** The shipped report shape — service + window + synopsis +
+     *  markdown + sections. */
+    report: PostmortemReport;
+}
+export declare class PostmortemStore {
+    private readonly path;
+    private entries;
+    private bootstrapped;
+    constructor(path: string);
+    load(): Promise<void>;
+    /** List entries, newest-first. Optionally scoped to a tenant. */
+    list(tenant?: string): StoredPostmortem[];
+    get(id: string, tenant?: string): StoredPostmortem | undefined;
+    /** Append a freshly-generated report. Returns the stored entry
+     *  with its assigned id + ts. */
+    append(input: {
+        report: PostmortemReport;
+        createdBy: string;
+        tenant: string;
+    }): Promise<StoredPostmortem>;
+    /** Delete one entry by id. Atomic rewrite. Returns whether
+     *  anything was removed. */
+    delete(id: string, tenant?: string): Promise<boolean>;
+    private rewrite;
+}

package/dist/postmortem/store.js

@@ -0,0 +1,113 @@
+// PostmortemStore — file-backed JSONL persistence for
+// generate_postmortem output.
+//
+// Design notes:
+//   - One JSON object per line (append-only). Cheap to tail, cheap
+//     to scan, surives crashes mid-write (the partial line is just
+//     ignored on load).
+//   - load() reads the whole file into an in-memory array (in
+//     practice operators don't accumulate thousands; the tool
+//     produces one report per incident).
+//   - delete() rewrites the file atomically (tmp + rename). Same
+//     pattern as the SCIM store from F21.
+//
+// The schema is intentionally narrow — we store what the tool's
+// PostmortemReport already returns plus an id, ts, and createdBy.
+import { readFile, writeFile, mkdir, rename, appendFile } from "node:fs/promises";
+import { dirname } from "node:path";
+import { randomUUID } from "node:crypto";
+export class PostmortemStore {
+    path;
+    entries = [];
+    bootstrapped = null;
+    constructor(path) {
+        this.path = path;
+    }
+    async load() {
+        if (this.bootstrapped)
+            return this.bootstrapped;
+        this.bootstrapped = (async () => {
+            try {
+                const raw = await readFile(this.path, "utf8");
+                const out = [];
+                for (const line of raw.split("\n")) {
+                    const t = line.trim();
+                    if (!t)
+                        continue;
+                    try {
+                        const obj = JSON.parse(t);
+                        if (obj && typeof obj.id === "string")
+                            out.push(obj);
+                    }
+                    catch {
+                        // Partial / corrupt line — skip, don't fail load. The
+                        // operator can purge by re-saving with delete().
+                    }
+                }
+                this.entries = out;
+            }
+            catch (err) {
+                if (err.code === "ENOENT") {
+                    this.entries = [];
+                    return;
+                }
+                console.warn(`[postmortem-store] failed to load ${this.path}: ${err.message} — starting empty`);
+                this.entries = [];
+            }
+        })();
+        return this.bootstrapped;
+    }
+    /** List entries, newest-first. Optionally scoped to a tenant. */
+    list(tenant) {
+        const src = tenant ? this.entries.filter((e) => e.tenant === tenant) : this.entries;
+        return src.slice().sort((a, b) => b.ts.localeCompare(a.ts));
+    }
+    get(id, tenant) {
+        const e = this.entries.find((x) => x.id === id);
+        if (!e)
+            return undefined;
+        if (tenant && e.tenant !== tenant)
+            return undefined;
+        return e;
+    }
+    /** Append a freshly-generated report. Returns the stored entry
+     *  with its assigned id + ts. */
+    async append(input) {
+        const entry = {
+            id: randomUUID(),
+            ts: new Date().toISOString(),
+            createdBy: input.createdBy,
+            tenant: input.tenant,
+            report: input.report,
+        };
+        this.entries.push(entry);
+        await mkdir(dirname(this.path), { recursive: true }).catch(() => undefined);
+        // Append-only — atomic enough for a JSONL (one write = one
+        // syscall; partial writes are skipped on load).
+        await appendFile(this.path, JSON.stringify(entry) + "\n", { mode: 0o600 });
+        return entry;
+    }
+    /** Delete one entry by id. Atomic rewrite. Returns whether
+     *  anything was removed. */
+    async delete(id, tenant) {
+        const before = this.entries.length;
+        this.entries = this.entries.filter((e) => {
+            if (e.id !== id)
+                return true;
+            if (tenant && e.tenant !== tenant)
+                return true;
+            return false;
+        });
+        if (this.entries.length === before)
+            return false;
+        await this.rewrite();
+        return true;
+    }
+    async rewrite() {
+        await mkdir(dirname(this.path), { recursive: true }).catch(() => undefined);
+        const body = this.entries.map((e) => JSON.stringify(e)).join("\n") + (this.entries.length ? "\n" : "");
+        const tmp = `${this.path}.tmp`;
+        await writeFile(tmp, body, { mode: 0o600 });
+        await rename(tmp, this.path);
+    }
+}

package/dist/postmortem/store.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/postmortem/store.test.js

@@ -0,0 +1,118 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync, statSync, existsSync, readFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { PostmortemStore } from "./store.js";
+function tmpStore() {
+    return join(mkdtempSync(join(tmpdir(), "pmstore-")), "postmortems.jsonl");
+}
+function fakeReport(service = "payment") {
+    return {
+        service,
+        window: "1h",
+        fromIso: "2026-06-06T00:00:00.000Z",
+        toIso: "2026-06-06T01:00:00.000Z",
+        synopsis: "test",
+        markdown: "# Test",
+        sections: {
+            timeline: [],
+            blastRadius: { nodes: [], edgeCount: 0 },
+            topTraces: [],
+            contributingSignals: [],
+            followUps: [],
+            logHighlights: [],
+        },
+    };
+}
+test("PostmortemStore: load() on missing file → empty list", async () => {
+    const s = new PostmortemStore(tmpStore());
+    await s.load();
+    assert.deepEqual(s.list(), []);
+});
+test("PostmortemStore: append issues UUID + ISO ts, persists JSONL", async () => {
+    const path = tmpStore();
+    const s = new PostmortemStore(path);
+    await s.load();
+    const stored = await s.append({ report: fakeReport(), createdBy: "alice", tenant: "default" });
+    assert.match(stored.id, /^[0-9a-f-]{36}$/);
+    assert.match(stored.ts, /^\d{4}-\d{2}-\d{2}T/);
+    assert.equal(stored.report.service, "payment");
+    // disk format is one JSON per line
+    const raw = readFileSync(path, "utf8");
+    assert.equal(raw.split("\n").filter((l) => l).length, 1);
+    assert.equal(statSync(path).mode & 0o777, 0o600);
+});
+test("PostmortemStore: list() returns newest-first", async () => {
+    const s = new PostmortemStore(tmpStore());
+    await s.load();
+    await s.append({ report: fakeReport("a"), createdBy: "u", tenant: "t" });
+    await new Promise((r) => setTimeout(r, 5));
+    await s.append({ report: fakeReport("b"), createdBy: "u", tenant: "t" });
+    const out = s.list();
+    assert.equal(out[0].report.service, "b");
+    assert.equal(out[1].report.service, "a");
+});
+test("PostmortemStore: list(tenant) scopes correctly", async () => {
+    const s = new PostmortemStore(tmpStore());
+    await s.load();
+    await s.append({ report: fakeReport("a"), createdBy: "u", tenant: "alpha" });
+    await s.append({ report: fakeReport("b"), createdBy: "u", tenant: "beta" });
+    assert.equal(s.list("alpha").length, 1);
+    assert.equal(s.list("alpha")[0].report.service, "a");
+});
+test("PostmortemStore: get() by id, tenant-scoped", async () => {
+    const s = new PostmortemStore(tmpStore());
+    await s.load();
+    const e = await s.append({ report: fakeReport(), createdBy: "u", tenant: "alpha" });
+    assert.equal(s.get(e.id)?.id, e.id);
+    assert.equal(s.get(e.id, "alpha")?.id, e.id);
+    // wrong tenant → undefined
+    assert.equal(s.get(e.id, "beta"), undefined);
+    assert.equal(s.get("nope"), undefined);
+});
+test("PostmortemStore: delete() rewrites file + scoped by tenant", async () => {
+    const path = tmpStore();
+    const s = new PostmortemStore(path);
+    await s.load();
+    const e1 = await s.append({ report: fakeReport("a"), createdBy: "u", tenant: "alpha" });
+    await s.append({ report: fakeReport("b"), createdBy: "u", tenant: "beta" });
+    // wrong tenant → no-op
+    assert.equal(await s.delete(e1.id, "beta"), false);
+    assert.equal(s.list().length, 2);
+    // correct tenant → removed
+    assert.equal(await s.delete(e1.id, "alpha"), true);
+    assert.equal(s.list().length, 1);
+    // disk reflects the rewrite
+    const raw = readFileSync(path, "utf8");
+    assert.equal(raw.split("\n").filter((l) => l).length, 1);
+});
+test("PostmortemStore: delete() missing id → false", async () => {
+    const s = new PostmortemStore(tmpStore());
+    await s.load();
+    assert.equal(await s.delete("nope"), false);
+});
+test("PostmortemStore: round-trip through disk (load after append sees entries)", async () => {
+    const path = tmpStore();
+    const a = new PostmortemStore(path);
+    await a.load();
+    await a.append({ report: fakeReport("a"), createdBy: "u", tenant: "default" });
+    await a.append({ report: fakeReport("b"), createdBy: "u", tenant: "default" });
+    const b = new PostmortemStore(path);
+    await b.load();
+    assert.equal(b.list().length, 2);
+});
+test("PostmortemStore: load skips corrupt lines", async () => {
+    const path = tmpStore();
+    // Hand-write a file with one good + one garbage line
+    const a = new PostmortemStore(path);
+    await a.load();
+    await a.append({ report: fakeReport(), createdBy: "u", tenant: "default" });
+    const fs = await import("node:fs/promises");
+    await fs.appendFile(path, "{not valid json\n");
+    const b = new PostmortemStore(path);
+    await b.load();
+    // Good entry survived; corrupt line ignored.
+    assert.equal(b.list().length, 1);
+    assert.ok(existsSync(path));
+});

package/dist/scim/compliance.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/scim/compliance.test.js

@@ -0,0 +1,169 @@
+// SCIM 2.0 (RFC 7643 / 7644) compliance harness.
+//
+// Run against a running gateway with SCIM enabled by setting:
+//   OMCP_SCIM_COMPLIANCE_URL  — the SCIM base, e.g.
+//                               http://localhost:3000/scim/v2
+//   OMCP_SCIM_COMPLIANCE_TOKEN — the bearer matching OMCP_SCIM_TOKEN
+//
+// When the URL is unset every test skips — so the file lives happily
+// in a plain `find src -name "*.test.ts"` unit run without needing a
+// server. The `make scim-compliance` target boots the demo with SCIM
+// configured, waits for /healthz, then runs this file.
+//
+//   OMCP_SCIM_COMPLIANCE_URL=http://localhost:3000/scim/v2 \
+//   OMCP_SCIM_COMPLIANCE_TOKEN=secret \
+//   npx tsx --test src/scim/compliance.test.ts
+//
+// The suite is self-contained: it creates resources, exercises them,
+// and deletes them, leaving the store as it found it.
+import { test } from "node:test";
+import assert from "node:assert/strict";
+const BASE = process.env.OMCP_SCIM_COMPLIANCE_URL?.replace(/\/+$/, "");
+const TOKEN = process.env.OMCP_SCIM_COMPLIANCE_TOKEN || "";
+const skip = !BASE;
+const opts = skip ? { skip: "OMCP_SCIM_COMPLIANCE_URL not set" } : {};
+const SCHEMA_USER = "urn:ietf:params:scim:schemas:core:2.0:User";
+const SCHEMA_GROUP = "urn:ietf:params:scim:schemas:core:2.0:Group";
+const SCHEMA_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp";
+const SCHEMA_LIST = "urn:ietf:params:scim:api:messages:2.0:ListResponse";
+const SCHEMA_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error";
+async function scim(method, path, body, withAuth = true) {
+    if (!BASE)
+        throw new Error("OMCP_SCIM_COMPLIANCE_URL not set");
+    const headers = { "content-type": "application/scim+json" };
+    if (withAuth)
+        headers["authorization"] = `Bearer ${TOKEN}`;
+    const res = await fetch(`${BASE}${path}`, {
+        method,
+        headers,
+        body: body === undefined ? undefined : JSON.stringify(body),
+    });
+    const h = {};
+    res.headers.forEach((v, k) => { h[k] = v; });
+    const text = await res.text();
+    let json = {};
+    if (text.trim().startsWith("{"))
+        json = JSON.parse(text);
+    return { status: res.status, json, headers: h };
+}
+// Resources created during the run, deleted in the final test.
+const created = { users: [], groups: [] };
+function uniq(p) { return `${p}-${Math.floor(performance.now() * 1000)}-${created.users.length + created.groups.length}`; }
+// --- Discovery (RFC 7643 §5) -----------------------------------------
+test("ServiceProviderConfig advertises the spec schema + patch support", opts, async () => {
+    const r = await scim("GET", "/ServiceProviderConfig");
+    assert.equal(r.status, 200);
+    assert.ok(r.json.schemas.includes("urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"));
+    assert.ok(r.json.patch, "patch capability block present");
+});
+test("ResourceTypes lists User + Group endpoints", opts, async () => {
+    const r = await scim("GET", "/ResourceTypes");
+    assert.equal(r.status, 200);
+    const txt = JSON.stringify(r.json);
+    assert.ok(txt.includes("/Users") && txt.includes("/Groups"));
+});
+test("Schemas endpoint returns the core schema definitions", opts, async () => {
+    const r = await scim("GET", "/Schemas");
+    assert.equal(r.status, 200);
+    const txt = JSON.stringify(r.json);
+    assert.ok(txt.includes(SCHEMA_USER) && txt.includes(SCHEMA_GROUP));
+});
+// --- Auth (RFC 7644 §2) ----------------------------------------------
+test("requests without a bearer token are rejected 401", opts, async () => {
+    const r = await scim("GET", "/Users", undefined, false);
+    assert.equal(r.status, 401);
+    assert.ok(r.json.schemas?.includes(SCHEMA_ERROR));
+});
+// --- User lifecycle (RFC 7644 §3.3–3.6) ------------------------------
+let userId = "";
+const userName = uniq("compliance-user") + "@example.com";
+test("POST /Users creates a user → 201 with id + meta", opts, async () => {
+    const r = await scim("POST", "/Users", {
+        schemas: [SCHEMA_USER],
+        userName,
+        name: { givenName: "Comp", familyName: "Liance" },
+        emails: [{ value: userName, primary: true }],
+        active: true,
+    });
+    assert.equal(r.status, 201);
+    assert.equal(typeof r.json.id, "string");
+    assert.equal(r.json.userName, userName);
+    const meta = r.json.meta;
+    assert.equal(meta.resourceType, "User");
+    assert.ok(meta.created && meta.lastModified);
+    userId = r.json.id;
+    created.users.push(userId);
+});
+test("duplicate userName is rejected 409 uniqueness", opts, async () => {
+    const r = await scim("POST", "/Users", { schemas: [SCHEMA_USER], userName });
+    assert.equal(r.status, 409);
+    assert.equal(r.json.scimType, "uniqueness");
+});
+test("GET /Users/:id returns the created user", opts, async () => {
+    const r = await scim("GET", `/Users/${userId}`);
+    assert.equal(r.status, 200);
+    assert.equal(r.json.id, userId);
+    assert.equal(r.json.userName, userName);
+});
+test("GET /Users returns a ListResponse envelope", opts, async () => {
+    const r = await scim("GET", "/Users");
+    assert.equal(r.status, 200);
+    assert.ok(r.json.schemas.includes(SCHEMA_LIST));
+    assert.equal(typeof r.json.totalResults, "number");
+    assert.ok(Array.isArray(r.json.Resources));
+});
+test("PATCH /Users/:id replace toggles active", opts, async () => {
+    const r = await scim("PATCH", `/Users/${userId}`, {
+        schemas: [SCHEMA_PATCH],
+        Operations: [{ op: "replace", path: "active", value: false }],
+    });
+    assert.equal(r.status, 200);
+    assert.equal(r.json.active, false);
+});
+test("unknown user id → 404 with SCIM error schema", opts, async () => {
+    const r = await scim("GET", "/Users/does-not-exist");
+    assert.equal(r.status, 404);
+    assert.ok(r.json.schemas.includes(SCHEMA_ERROR));
+});
+// --- Group lifecycle + membership PATCH (Q14) ------------------------
+let groupId = "";
+test("POST /Groups creates a group", opts, async () => {
+    const r = await scim("POST", "/Groups", { schemas: [SCHEMA_GROUP], displayName: uniq("compliance-grp") });
+    assert.equal(r.status, 201);
+    groupId = r.json.id;
+    created.groups.push(groupId);
+    assert.equal(r.json.meta.resourceType, "Group");
+});
+test("PATCH /Groups/:id add member → membership reflected", opts, async () => {
+    const r = await scim("PATCH", `/Groups/${groupId}`, {
+        schemas: [SCHEMA_PATCH],
+        Operations: [{ op: "add", path: "members", value: [{ value: userId, display: userName }] }],
+    });
+    assert.equal(r.status, 200);
+    const members = r.json.members || [];
+    assert.ok(members.some((m) => m.value === userId), "added member present");
+});
+test("PATCH /Groups/:id remove member by filter → membership cleared", opts, async () => {
+    const r = await scim("PATCH", `/Groups/${groupId}`, {
+        schemas: [SCHEMA_PATCH],
+        Operations: [{ op: "remove", path: `members[value eq "${userId}"]` }],
+    });
+    assert.equal(r.status, 200);
+    const members = r.json.members || [];
+    assert.ok(!members.some((m) => m.value === userId), "removed member gone");
+});
+// --- Cleanup (DELETE → 204, then 404) --------------------------------
+test("DELETE created resources → 204 and subsequent GET → 404", opts, async () => {
+    for (const id of created.groups) {
+        const del = await scim("DELETE", `/Groups/${id}`);
+        assert.ok(del.status === 204 || del.status === 200, `group delete status ${del.status}`);
+        const get = await scim("GET", `/Groups/${id}`);
+        assert.equal(get.status, 404);
+    }
+    for (const id of created.users) {
+        const del = await scim("DELETE", `/Users/${id}`);
+        assert.ok(del.status === 204 || del.status === 200, `user delete status ${del.status}`);
+        const get = await scim("GET", `/Users/${id}`);
+        assert.equal(get.status, 404);
+    }
+});

package/dist/scim/factory.test.d.ts

@@ -0,0 +1 @@
+export {};

package/dist/scim/factory.test.js

@@ -0,0 +1,54 @@
+import { test } from "node:test";
+import assert from "node:assert/strict";
+import { mkdtempSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { createScimStore, ScimStore } from "./store.js";
+import { RedisScimStore } from "./redis-store.js";
+function tmpStorePath() {
+    return join(mkdtempSync(join(tmpdir(), "omcp-scim-factory-")), "scim.json");
+}
+test("createScimStore default = file backend", async () => {
+    const path = tmpStorePath();
+    delete process.env.OMCP_SCIM_BACKEND;
+    const store = await createScimStore({ path });
+    assert.ok(store instanceof ScimStore);
+    // The store is usable
+    const u = await store.createUser({ userName: "a@x" });
+    assert.equal(u.userName, "a@x");
+});
+test("createScimStore explicit backend=file", async () => {
+    const store = await createScimStore({ backend: "file", path: tmpStorePath() });
+    assert.ok(store instanceof ScimStore);
+});
+test("createScimStore backend=redis requires a client", async () => {
+    await assert.rejects(createScimStore({ backend: "redis" }), /backend=redis requires a redis client/);
+});
+test("createScimStore backend=redis returns RedisScimStore", async () => {
+    const fake = {
+        _s: new Map(),
+        async get(k) { return this._s.has(k) ? this._s.get(k) : null; },
+        async set(k, v) { this._s.set(k, v); return "OK"; },
+    };
+    const store = await createScimStore({ backend: "redis", redis: fake });
+    assert.ok(store instanceof RedisScimStore);
+    const u = await store.createUser({ userName: "u@x" });
+    assert.equal(u.userName, "u@x");
+    // Persisted to the fake redis
+    assert.ok(fake._s.has("omcp:scim:snapshot"));
+});
+test("createScimStore reads OMCP_SCIM_BACKEND env when no explicit backend", async () => {
+    process.env.OMCP_SCIM_BACKEND = "redis";
+    try {
+        const fake = {
+            _s: new Map(),
+            async get(k) { return this._s.get(k) ?? null; },
+            async set(k, v) { this._s.set(k, v); return "OK"; },
+        };
+        const store = await createScimStore({ redis: fake });
+        assert.ok(store instanceof RedisScimStore);
+    }
+    finally {
+        delete process.env.OMCP_SCIM_BACKEND;
+    }
+});

package/dist/scim/patch-ops.test.d.ts

@@ -0,0 +1 @@
+export {};