@vantageos/vantage-crm-mcp 0.1.0

package/dist/mcp-server/tests/security.test.js

@@ -0,0 +1,257 @@
+"use strict";
+/**
+ * MCP Server — Security & Compliance Tests
+ *
+ * Tests:
+ *   BL-1: Multi-tenant workspace isolation cross-check (IDOR prevention)
+ *   SHOULD-FIX-1: NOT_IMPLEMENTED stable envelope (not throw)
+ *   SHOULD-FIX-2: purge_archived_records 30-day grace (Convex-side enforced)
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+// ---------------------------------------------------------------------------
+// Mock convexClient for tool-layer tests
+// ---------------------------------------------------------------------------
+vitest_1.vi.mock('../lib/convexClient', () => ({
+    getConvexClient: vitest_1.vi.fn(() => ({
+        query: vitest_1.vi.fn().mockResolvedValue([]),
+        mutation: vitest_1.vi.fn().mockResolvedValue({ purged: 0, skippedGrace: 0 }),
+    })),
+    withEnvelope: async (fn) => {
+        try {
+            const data = await fn();
+            return { success: true, data };
+        }
+        catch (e) {
+            const message = e instanceof Error ? e.message : String(e);
+            const code = e instanceof Error && e.name !== 'Error' ? e.name : 'CONVEX_ERROR';
+            return { success: false, error: { code, message } };
+        }
+    },
+    ok: (data) => ({ success: true, data }),
+    err: (code, message) => ({ success: false, error: { code, message } }),
+}));
+// ---------------------------------------------------------------------------
+// BL-1: requireWorkspaceMatchesToken — extracted logic test
+// ---------------------------------------------------------------------------
+/**
+ * Inline the helper to test the isolation logic in isolation from the HTTP server.
+ * The actual function is in mcp-server/transport/http.ts.
+ */
+function requireWorkspaceMatchesToken(tokenContext, args) {
+    const tokenWorkspaceId = tokenContext.workspaceId ?? tokenContext.orgId;
+    const argsWorkspaceId = args['workspaceId'];
+    if (argsWorkspaceId !== undefined &&
+        argsWorkspaceId !== null &&
+        tokenWorkspaceId !== null &&
+        argsWorkspaceId !== tokenWorkspaceId) {
+        const err = new Error(`Token workspace (${tokenWorkspaceId}) does not match args.workspaceId (${String(argsWorkspaceId)}). Cross-tenant access denied.`);
+        err.name = 'WorkspaceMismatchError';
+        err.code = 'FORBIDDEN_WORKSPACE_MISMATCH';
+        throw err;
+    }
+}
+(0, vitest_1.describe)('BL-1: multi-tenant workspace isolation', () => {
+    (0, vitest_1.it)('allows matching workspaceId', () => {
+        (0, vitest_1.expect)(() => requireWorkspaceMatchesToken({ workspaceId: 'ws_abc', orgId: 'org_xyz' }, { workspaceId: 'ws_abc' })).not.toThrow();
+    });
+    (0, vitest_1.it)('allows request without workspaceId in args (e.g. getById tools)', () => {
+        (0, vitest_1.expect)(() => requireWorkspaceMatchesToken({ workspaceId: 'ws_abc', orgId: 'org_xyz' }, { contactId: 'contact_123' })).not.toThrow();
+    });
+    (0, vitest_1.it)('REJECTS token workspace A vs args workspace B — IDOR cross-tenant', () => {
+        (0, vitest_1.expect)(() => requireWorkspaceMatchesToken({ workspaceId: 'ws_workspaceA', orgId: 'org_orgX' }, { workspaceId: 'ws_workspaceB' })).toThrow('Cross-tenant access denied');
+    });
+    (0, vitest_1.it)('rejection error has FORBIDDEN_WORKSPACE_MISMATCH code', () => {
+        try {
+            requireWorkspaceMatchesToken({ workspaceId: 'ws_A', orgId: 'org_X' }, { workspaceId: 'ws_B' });
+            vitest_1.expect.fail('should have thrown');
+        }
+        catch (e) {
+            (0, vitest_1.expect)(e.code).toBe('FORBIDDEN_WORKSPACE_MISMATCH');
+            (0, vitest_1.expect)(e.message).toContain('ws_A');
+            (0, vitest_1.expect)(e.message).toContain('ws_B');
+        }
+    });
+    (0, vitest_1.it)('falls back to orgId when workspaceId is null on token', () => {
+        (0, vitest_1.expect)(() => requireWorkspaceMatchesToken({ workspaceId: null, orgId: 'org_abc' }, { workspaceId: 'org_abc' })).not.toThrow();
+    });
+    (0, vitest_1.it)('rejects when orgId fallback does not match args.workspaceId', () => {
+        (0, vitest_1.expect)(() => requireWorkspaceMatchesToken({ workspaceId: null, orgId: 'org_abc' }, { workspaceId: 'org_xyz' })).toThrow('Cross-tenant access denied');
+    });
+    (0, vitest_1.it)('allows when both token and args workspaceId are null/undefined', () => {
+        (0, vitest_1.expect)(() => requireWorkspaceMatchesToken({ workspaceId: null, orgId: 'org_abc' }, { contactId: 'x' })).not.toThrow();
+    });
+});
+// ---------------------------------------------------------------------------
+// SHOULD-FIX-1: NOT_IMPLEMENTED stable envelope shape
+// ---------------------------------------------------------------------------
+const admin_1 = require("../tools/admin");
+const customFields_1 = require("../tools/customFields");
+const rbac_1 = require("../tools/rbac");
+const workflows_1 = require("../tools/workflows");
+(0, vitest_1.describe)('SHOULD-FIX-1: NOT_IMPLEMENTED stable envelope', () => {
+    (0, vitest_1.it)('list_audit_log returns NOT_IMPLEMENTED envelope (not throw)', async () => {
+        const result = (await (0, admin_1.list_audit_log)({
+            workspaceId: 'ws_test',
+        }));
+        (0, vitest_1.expect)(result.success).toBe(false);
+        (0, vitest_1.expect)(result.error?.code).toBe('NOT_IMPLEMENTED');
+        (0, vitest_1.expect)(result.error?.message).toMatch(/V0\.2/);
+    });
+    (0, vitest_1.it)('get_entity_history returns NOT_IMPLEMENTED envelope (not throw)', async () => {
+        const result = (await (0, admin_1.get_entity_history)({
+            workspaceId: 'ws_test',
+            entityType: 'contact',
+            entityId: 'cnt_123',
+        }));
+        (0, vitest_1.expect)(result.success).toBe(false);
+        (0, vitest_1.expect)(result.error?.code).toBe('NOT_IMPLEMENTED');
+    });
+    (0, vitest_1.it)('get_actor_history returns NOT_IMPLEMENTED envelope (not throw)', async () => {
+        const result = (await (0, admin_1.get_actor_history)({
+            workspaceId: 'ws_test',
+            actorId: 'user_abc',
+        }));
+        (0, vitest_1.expect)(result.success).toBe(false);
+        (0, vitest_1.expect)(result.error?.code).toBe('NOT_IMPLEMENTED');
+    });
+    (0, vitest_1.it)('delete_custom_field returns NOT_IMPLEMENTED envelope (not throw)', async () => {
+        const result = (await (0, customFields_1.delete_custom_field)({
+            definitionId: 'def_123',
+        }));
+        (0, vitest_1.expect)(result.success).toBe(false);
+        (0, vitest_1.expect)(result.error?.code).toBe('NOT_IMPLEMENTED');
+    });
+    (0, vitest_1.it)('update_member_role returns NOT_IMPLEMENTED envelope (not throw)', async () => {
+        const result = (await (0, rbac_1.update_member_role)({
+            workspaceId: 'ws_test',
+            userId: 'user_abc',
+            newRole: 'editor',
+        }));
+        (0, vitest_1.expect)(result.success).toBe(false);
+        (0, vitest_1.expect)(result.error?.code).toBe('NOT_IMPLEMENTED');
+    });
+    (0, vitest_1.it)('update_member_permissions returns NOT_IMPLEMENTED envelope (not throw)', async () => {
+        const result = (await (0, rbac_1.update_member_permissions)({
+            workspaceId: 'ws_test',
+            userId: 'user_abc',
+            permissions: { canExportData: true },
+        }));
+        (0, vitest_1.expect)(result.success).toBe(false);
+        (0, vitest_1.expect)(result.error?.code).toBe('NOT_IMPLEMENTED');
+    });
+    (0, vitest_1.it)('replay_execution returns NOT_IMPLEMENTED envelope (not throw)', async () => {
+        const result = (await (0, workflows_1.replay_execution)({
+            executionId: 'exec_xyz',
+        }));
+        (0, vitest_1.expect)(result.success).toBe(false);
+        (0, vitest_1.expect)(result.error?.code).toBe('NOT_IMPLEMENTED');
+    });
+    (0, vitest_1.it)('NOT_IMPLEMENTED tools do NOT throw — verified for all 7', async () => {
+        const calls = [
+            () => (0, admin_1.list_audit_log)({ workspaceId: 'ws_test' }),
+            () => (0, admin_1.get_entity_history)({ workspaceId: 'ws_test', entityType: 'deal', entityId: 'e' }),
+            () => (0, admin_1.get_actor_history)({ workspaceId: 'ws_test', actorId: 'a' }),
+            () => (0, customFields_1.delete_custom_field)({ definitionId: 'def_x' }),
+            () => (0, rbac_1.update_member_role)({ workspaceId: 'ws_test', userId: 'u', newRole: 'viewer' }),
+            () => (0, rbac_1.update_member_permissions)({ workspaceId: 'ws_test', userId: 'u', permissions: {} }),
+            () => (0, workflows_1.replay_execution)({ executionId: 'exec_x' }),
+        ];
+        for (const call of calls) {
+            await (0, vitest_1.expect)(call()).resolves.toMatchObject({
+                success: false,
+                error: { code: 'NOT_IMPLEMENTED' },
+            });
+        }
+    });
+});
+// ---------------------------------------------------------------------------
+// SHOULD-FIX-2: purge_archived_records grace — Convex-side guard
+// ---------------------------------------------------------------------------
+/**
+ * The actual 30-day grace is enforced in convex/crm/admin.ts purgeArchivedRecords.
+ * This test validates the guard logic (extracted for unit testing without Convex runtime).
+ * Integration: see comment at bottom for Convex direct-call validation strategy.
+ */
+function assertPurgeGrace(archivedAt) {
+    const GRACE_PERIOD_MS = 30 * 24 * 60 * 60 * 1000;
+    if (Date.now() - archivedAt < GRACE_PERIOD_MS) {
+        throw new Error('PURGE_GRACE_NOT_ELAPSED');
+    }
+}
+(0, vitest_1.describe)('SHOULD-FIX-2: purge 30-day grace server-side enforcement', () => {
+    (0, vitest_1.it)('rejects record archived less than 30 days ago', () => {
+        const archivedAt = Date.now() - 10 * 24 * 60 * 60 * 1000; // 10 days ago
+        (0, vitest_1.expect)(() => assertPurgeGrace(archivedAt)).toThrow('PURGE_GRACE_NOT_ELAPSED');
+    });
+    (0, vitest_1.it)('rejects record archived 29 days ago', () => {
+        const archivedAt = Date.now() - 29 * 24 * 60 * 60 * 1000;
+        (0, vitest_1.expect)(() => assertPurgeGrace(archivedAt)).toThrow('PURGE_GRACE_NOT_ELAPSED');
+    });
+    (0, vitest_1.it)('rejects record archived exactly 1 second less than 30 days ago', () => {
+        const archivedAt = Date.now() - (30 * 24 * 60 * 60 * 1000 - 1000);
+        (0, vitest_1.expect)(() => assertPurgeGrace(archivedAt)).toThrow('PURGE_GRACE_NOT_ELAPSED');
+    });
+    (0, vitest_1.it)('allows record archived exactly 30 days ago', () => {
+        const archivedAt = Date.now() - 30 * 24 * 60 * 60 * 1000;
+        (0, vitest_1.expect)(() => assertPurgeGrace(archivedAt)).not.toThrow();
+    });
+    (0, vitest_1.it)('allows record archived 31 days ago', () => {
+        const archivedAt = Date.now() - 31 * 24 * 60 * 60 * 1000;
+        (0, vitest_1.expect)(() => assertPurgeGrace(archivedAt)).not.toThrow();
+    });
+    (0, vitest_1.it)('allows record archived 90 days ago', () => {
+        const archivedAt = Date.now() - 90 * 24 * 60 * 60 * 1000;
+        (0, vitest_1.expect)(() => assertPurgeGrace(archivedAt)).not.toThrow();
+    });
+    /**
+     * Convex-direct call guard:
+     * convex/crm/admin.ts purgeArchivedRecords iterates all archived records and
+     * skips (does NOT delete) any record where Date.now() - archivedAt < GRACE_PERIOD_MS.
+     * The returned { skippedGrace: N } count confirms grace enforcement for callers
+     * that bypass the MCP layer. No Zod dependency in the Convex handler.
+     */
+    (0, vitest_1.it)('purge_archived_records MCP tool routes to Convex mutation (not throwing)', async () => {
+        const { purge_archived_records } = await Promise.resolve().then(() => __importStar(require('../tools/admin')));
+        const result = (await purge_archived_records({
+            workspaceId: 'ws_test',
+            entityType: 'contact',
+            olderThanDays: 30,
+        }));
+        // With mocked Convex client returning { purged: 0, skippedGrace: 0 }
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+});

package/dist/mcp-server/tests/tools.test.js

@@ -0,0 +1,272 @@
+"use strict";
+/**
+ * MCP Server — Tool Handler Unit Tests
+ *
+ * Tests Zod validation + envelope behavior for one tool per category (10 tools).
+ * Does NOT make live Convex calls — validates input schema rejection.
+ *
+ * Scope enforcement integration tests are in scopeEnforcement.test.ts.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+// ---------------------------------------------------------------------------
+// Mock the Convex client so handlers don't make live network calls
+// ---------------------------------------------------------------------------
+vitest_1.vi.mock('../lib/convexClient', () => ({
+    getConvexClient: vitest_1.vi.fn(() => ({
+        query: vitest_1.vi.fn().mockResolvedValue([]),
+        mutation: vitest_1.vi.fn().mockResolvedValue('mock_id_123'),
+        action: vitest_1.vi.fn().mockResolvedValue(null),
+    })),
+    withEnvelope: async (fn) => {
+        try {
+            const data = await fn();
+            return { success: true, data };
+        }
+        catch (e) {
+            const message = e instanceof Error ? e.message : String(e);
+            return { success: false, error: { code: 'ERROR', message } };
+        }
+    },
+    ok: (data) => ({ success: true, data }),
+    err: (code, message) => ({ success: false, error: { code, message } }),
+}));
+/**
+ * Wrap a handler call to catch ZodError thrown before withEnvelope.
+ * In production, handlers throw ZodError synchronously on bad input.
+ * The MCP server catches these in CallTool. Tests simulate that behavior.
+ */
+async function callHandler(fn, args) {
+    try {
+        return (await fn(args));
+    }
+    catch (e) {
+        const message = e instanceof Error ? e.message : String(e);
+        return { success: false, error: { code: 'ZOD_ERROR', message } };
+    }
+}
+// ---------------------------------------------------------------------------
+// Imports after mock
+// ---------------------------------------------------------------------------
+const contacts_1 = require("../tools/contacts");
+const companies_1 = require("../tools/companies");
+const deals_1 = require("../tools/deals");
+const activities_1 = require("../tools/activities");
+const customFields_1 = require("../tools/customFields");
+const customObjects_1 = require("../tools/customObjects");
+const workflows_1 = require("../tools/workflows");
+const search_1 = require("../tools/search");
+const admin_1 = require("../tools/admin");
+const rbac_1 = require("../tools/rbac");
+// ---------------------------------------------------------------------------
+// Contacts
+// ---------------------------------------------------------------------------
+(0, vitest_1.describe)('tool/contacts', () => {
+    (0, vitest_1.it)('create_contact: rejects missing required fields', async () => {
+        const result = await callHandler(contacts_1.create_contact, { workspaceId: 'ws1' });
+        (0, vitest_1.expect)(result.success).toBe(false);
+        (0, vitest_1.expect)(result.error?.message).toMatch(/firstName|lastName/);
+    });
+    (0, vitest_1.it)('create_contact: accepts valid args', async () => {
+        const result = await callHandler(contacts_1.create_contact, {
+            workspaceId: 'ws1',
+            firstName: 'John',
+            lastName: 'Doe',
+            email: 'john@example.com',
+            type: 'lead',
+        });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+    (0, vitest_1.it)('get_contact: rejects missing contactId', async () => {
+        const result = await callHandler(contacts_1.get_contact, {});
+        (0, vitest_1.expect)(result.success).toBe(false);
+        (0, vitest_1.expect)(result.error?.message).toMatch(/contactId/);
+    });
+    (0, vitest_1.it)('get_contact: rejects invalid email in create', async () => {
+        const result = await callHandler(contacts_1.create_contact, {
+            workspaceId: 'ws1',
+            firstName: 'Bad',
+            lastName: 'Email',
+            email: 'not-an-email',
+        });
+        (0, vitest_1.expect)(result.success).toBe(false);
+        (0, vitest_1.expect)(result.error?.message).toMatch(/email/i);
+    });
+});
+// ---------------------------------------------------------------------------
+// Companies
+// ---------------------------------------------------------------------------
+(0, vitest_1.describe)('tool/companies', () => {
+    (0, vitest_1.it)('create_company: rejects missing name', async () => {
+        const result = await callHandler(companies_1.create_company, { workspaceId: 'ws1' });
+        (0, vitest_1.expect)(result.success).toBe(false);
+    });
+    (0, vitest_1.it)('create_company: accepts valid args', async () => {
+        const result = await callHandler(companies_1.create_company, {
+            workspaceId: 'ws1',
+            name: 'Acme Corp',
+            industry: 'Technology',
+        });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+});
+// ---------------------------------------------------------------------------
+// Deals
+// ---------------------------------------------------------------------------
+(0, vitest_1.describe)('tool/deals', () => {
+    (0, vitest_1.it)('create_deal: rejects missing title', async () => {
+        const result = await callHandler(deals_1.create_deal, { workspaceId: 'ws1', stage: 'Lead' });
+        (0, vitest_1.expect)(result.success).toBe(false);
+    });
+    (0, vitest_1.it)('create_deal: accepts valid args', async () => {
+        const result = await callHandler(deals_1.create_deal, {
+            workspaceId: 'ws1',
+            title: 'Enterprise Deal',
+            stage: 'Prospecting',
+            value: 50000,
+        });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+    (0, vitest_1.it)('move_deal_stage: rejects probability > 100', async () => {
+        const result = await callHandler(deals_1.move_deal_stage, {
+            dealId: 'deal_123',
+            newStage: 'Closed Won',
+            probability: 150,
+        });
+        (0, vitest_1.expect)(result.success).toBe(false);
+    });
+    (0, vitest_1.it)('move_deal_stage: accepts valid args', async () => {
+        const result = await callHandler(deals_1.move_deal_stage, {
+            dealId: 'deal_123',
+            newStage: 'Negotiation',
+            probability: 75,
+        });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+});
+// ---------------------------------------------------------------------------
+// Activities
+// ---------------------------------------------------------------------------
+(0, vitest_1.describe)('tool/activities', () => {
+    (0, vitest_1.it)('create_activity: rejects invalid type', async () => {
+        const result = await callHandler(activities_1.create_activity, {
+            workspaceId: 'ws1',
+            type: 'invalid_type',
+            subject: 'Test',
+        });
+        (0, vitest_1.expect)(result.success).toBe(false);
+    });
+    (0, vitest_1.it)('create_activity: accepts valid task type', async () => {
+        const result = await callHandler(activities_1.create_activity, {
+            workspaceId: 'ws1',
+            type: 'task',
+            subject: 'Follow up',
+            dueAt: Date.now() + 86400000,
+        });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+});
+// ---------------------------------------------------------------------------
+// Custom Fields
+// ---------------------------------------------------------------------------
+(0, vitest_1.describe)('tool/customFields', () => {
+    (0, vitest_1.it)('add_custom_field: rejects invalid key format', async () => {
+        const result = await callHandler(customFields_1.add_custom_field, {
+            workspaceId: 'ws1',
+            entityType: 'contact',
+            key: 'Invalid Key!',
+            label: 'Test Field',
+            fieldType: 'text',
+        });
+        (0, vitest_1.expect)(result.success).toBe(false);
+    });
+    (0, vitest_1.it)('add_custom_field: accepts valid snake_case key', async () => {
+        const result = await callHandler(customFields_1.add_custom_field, {
+            workspaceId: 'ws1',
+            entityType: 'contact',
+            key: 'lead_source',
+            label: 'Lead Source',
+            fieldType: 'select',
+            options: ['inbound', 'outbound', 'referral'],
+        });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+});
+// ---------------------------------------------------------------------------
+// Custom Objects
+// ---------------------------------------------------------------------------
+(0, vitest_1.describe)('tool/customObjects', () => {
+    (0, vitest_1.it)('create_record: rejects missing fields', async () => {
+        const result = await callHandler(customObjects_1.create_record, { workspaceId: 'ws1', objectType: 'project' });
+        (0, vitest_1.expect)(result.success).toBe(false);
+    });
+    (0, vitest_1.it)('create_record: accepts valid args', async () => {
+        const result = await callHandler(customObjects_1.create_record, {
+            workspaceId: 'ws1',
+            objectType: 'project',
+            fields: { name: 'Q4 Campaign', budget: 50000 },
+        });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+});
+// ---------------------------------------------------------------------------
+// Workflows
+// ---------------------------------------------------------------------------
+(0, vitest_1.describe)('tool/workflows', () => {
+    (0, vitest_1.it)('create_workflow: rejects missing trigger', async () => {
+        const result = await callHandler(workflows_1.create_workflow, {
+            workspaceId: 'ws1',
+            name: 'Lead nurture',
+            actions: [],
+        });
+        (0, vitest_1.expect)(result.success).toBe(false);
+    });
+    (0, vitest_1.it)('create_workflow: accepts valid args', async () => {
+        const result = await callHandler(workflows_1.create_workflow, {
+            workspaceId: 'ws1',
+            name: 'Lead nurture',
+            trigger: { type: 'contact_created', config: {} },
+            actions: [{ type: 'send_email', config: { templateId: 'welcome' }, order: 0 }],
+        });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+});
+// ---------------------------------------------------------------------------
+// Search / Analytics
+// ---------------------------------------------------------------------------
+(0, vitest_1.describe)('tool/search', () => {
+    (0, vitest_1.it)('pipeline_value: rejects missing workspaceId', async () => {
+        const result = await callHandler(search_1.pipeline_value, {});
+        (0, vitest_1.expect)(result.success).toBe(false);
+    });
+    (0, vitest_1.it)('pipeline_value: accepts valid args', async () => {
+        const result = await callHandler(search_1.pipeline_value, { workspaceId: 'ws1' });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+});
+// ---------------------------------------------------------------------------
+// Admin
+// ---------------------------------------------------------------------------
+(0, vitest_1.describe)('tool/admin', () => {
+    (0, vitest_1.it)('list_workspace_limits: rejects missing workspaceId', async () => {
+        const result = await callHandler(admin_1.list_workspace_limits, {});
+        (0, vitest_1.expect)(result.success).toBe(false);
+    });
+    (0, vitest_1.it)('list_workspace_limits: accepts valid args', async () => {
+        const result = await callHandler(admin_1.list_workspace_limits, { workspaceId: 'ws1' });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+});
+// ---------------------------------------------------------------------------
+// RBAC
+// ---------------------------------------------------------------------------
+(0, vitest_1.describe)('tool/rbac', () => {
+    (0, vitest_1.it)('list_workspace_members: rejects missing workspaceId', async () => {
+        const result = await callHandler(rbac_1.list_workspace_members, {});
+        (0, vitest_1.expect)(result.success).toBe(false);
+    });
+    (0, vitest_1.it)('list_workspace_members: accepts valid workspaceId', async () => {
+        const result = await callHandler(rbac_1.list_workspace_members, { workspaceId: 'ws1' });
+        (0, vitest_1.expect)(result.success).toBe(true);
+    });
+});