backend-manager 5.6.4 → 5.7.1

package/test/mcp/protocol.js

@@ -0,0 +1,268 @@
+/**
+ * Test: MCP protocol endpoint — happy path, sad path, edge cases
+ * Tests the Streamable HTTP transport at POST /backend-manager/mcp
+ *
+ * Run: npx mgr test bem:mcp/protocol
+ */
+const fetch = require('wonderful-fetch');
+
+const MCP_ENDPOINT = 'http://localhost:5002/backend-manager/mcp';
+
+function parseSSE(text) {
+  const lines = text.split('\n');
+  let lastData = null;
+
+  for (const line of lines) {
+    if (line.startsWith('data: ')) {
+      lastData = line.slice(6);
+    }
+  }
+
+  if (lastData) {
+    return JSON.parse(lastData);
+  }
+
+  return JSON.parse(text);
+}
+
+async function mcpRequest(method, params, bearerToken, options) {
+  options = options || {};
+
+  const headers = {
+    'Content-Type': 'application/json',
+    'Accept': 'application/json, text/event-stream',
+    ...options.headers,
+  };
+
+  if (bearerToken) {
+    headers['Authorization'] = `Bearer ${bearerToken}`;
+  }
+
+  const body = JSON.stringify({
+    jsonrpc: '2.0',
+    id: options.id || 1,
+    method: method,
+    params: params || {},
+  });
+
+  const text = await fetch(MCP_ENDPOINT, {
+    method: 'POST',
+    headers: headers,
+    body: body,
+    response: 'text',
+    timeout: 15000,
+  });
+
+  return parseSSE(text);
+}
+
+module.exports = {
+  description: 'MCP protocol endpoint (Streamable HTTP)',
+  type: 'group',
+
+  tests: [
+    // ─── Happy path ───
+
+    {
+      name: 'tools/list returns tool definitions with schemas',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/list', {}, key);
+
+        assert.ok(response?.result, 'Should have result');
+        assert.ok(Array.isArray(response.result.tools), 'tools should be an array');
+
+        const tool = response.result.tools.find((t) => t.name === 'health_check');
+        assert.ok(tool, 'Should include health_check');
+        assert.ok(tool.description, 'Tool should have description');
+        assert.ok(tool.inputSchema, 'Tool should have inputSchema');
+        assert.equal(tool.inputSchema.type, 'object', 'Schema type should be object');
+      },
+    },
+
+    {
+      name: 'tools/call health_check succeeds',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/call', {
+          name: 'health_check',
+          arguments: {},
+        }, key);
+
+        assert.ok(response?.result, 'Should have result');
+        assert.ok(!response.result.isError, 'Should not be an error');
+        assert.ok(response.result.content, 'Should have content');
+        assert.ok(response.result.content.length > 0, 'Content should not be empty');
+        assert.equal(response.result.content[0].type, 'text', 'Content type should be text');
+      },
+    },
+
+    {
+      name: 'tools/call generate_uuid returns valid response',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/call', {
+          name: 'generate_uuid',
+          arguments: { version: '4' },
+        }, key);
+
+        assert.ok(response?.result, 'Should have result');
+        assert.ok(!response.result.isError, 'Should not be an error');
+
+        const text = response.result.content?.[0]?.text || '';
+        assert.ok(text.length > 0, 'Should return UUID text');
+      },
+    },
+
+    // ─── Sad path ───
+
+    {
+      name: 'tools/call unknown tool returns error',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/call', {
+          name: 'nonexistent_tool',
+          arguments: {},
+        }, key);
+
+        assert.ok(response?.result, 'Should have result');
+        assert.equal(response.result.isError, true, 'Should be an error');
+        assert.ok(response.result.content?.[0]?.text?.includes('Unknown tool'), 'Error should mention unknown tool');
+      },
+    },
+
+    {
+      name: 'GET method returns 405',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+
+        try {
+          const response = await fetch(MCP_ENDPOINT, {
+            method: 'GET',
+            headers: {
+              'Authorization': `Bearer ${key}`,
+              'Accept': 'application/json, text/event-stream',
+            },
+            response: 'json',
+            timeout: 10000,
+          });
+
+          assert.ok(response?.error, 'Should return error for GET');
+        } catch (error) {
+          assert.ok(true, 'GET method rejected');
+        }
+      },
+    },
+
+    {
+      name: 'DELETE method returns 200 (session cleanup)',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+
+        try {
+          await fetch(MCP_ENDPOINT, {
+            method: 'DELETE',
+            headers: {
+              'Authorization': `Bearer ${key}`,
+            },
+            response: 'text',
+            timeout: 10000,
+          });
+
+          assert.ok(true, 'DELETE method accepted');
+        } catch (error) {
+          assert.ok(true, 'DELETE method handled');
+        }
+      },
+    },
+
+    // ─── Edge cases ───
+
+    {
+      name: 'tools/call with empty object arguments still works',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/call', {
+          name: 'health_check',
+          arguments: {},
+        }, key);
+
+        assert.ok(response?.result, 'Should have result');
+        assert.ok(!response.result.isError, 'Should not error with empty arguments');
+      },
+    },
+
+    {
+      name: 'tools/call with missing arguments still works',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/call', {
+          name: 'health_check',
+        }, key);
+
+        assert.ok(response?.result, 'Should have result');
+        assert.ok(!response.result.isError, 'Should not error with missing arguments');
+      },
+    },
+
+    {
+      name: 'response preserves jsonrpc 2.0 envelope',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/list', {}, key, { id: 42 });
+
+        assert.equal(response?.jsonrpc, '2.0', 'Should have jsonrpc 2.0');
+        assert.equal(response?.id, 42, 'Should echo back the request id');
+      },
+    },
+
+    {
+      name: 'unauthenticated request returns 401 to trigger OAuth',
+      async run({ assert }) {
+        try {
+          const text = await fetch(MCP_ENDPOINT, {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+              'Accept': 'application/json, text/event-stream',
+            },
+            body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'tools/list', params: {} }),
+            response: 'text',
+            timeout: 10000,
+          });
+          const parsed = JSON.parse(text);
+          assert.equal(parsed.error, 'Unauthorized', 'Should return Unauthorized');
+        } catch (error) {
+          assert.ok(true, '401 response thrown as error');
+        }
+      },
+    },
+
+    {
+      name: 'tools include annotations with title and hints',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/list', {}, key);
+
+        const tool = response.result.tools.find((t) => t.name === 'health_check');
+        assert.ok(tool.annotations, 'Should have annotations');
+        assert.ok(tool.annotations.title, 'Should have a title');
+        assert.equal(tool.annotations.readOnlyHint, true, 'health_check should be read-only');
+      },
+    },
+
+    {
+      name: 'admin can call public-role tool (role escalation works upward)',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/call', {
+          name: 'health_check',
+          arguments: {},
+        }, key);
+
+        assert.ok(response?.result, 'Should have result');
+        assert.ok(!response.result.isError, 'Admin should be able to call public tools');
+      },
+    },
+  ],
+};

package/test/mcp/roles.js

@@ -0,0 +1,168 @@
+/**
+ * Test: MCP role-based tool scoping
+ * Tests that admin/user/public roles see the correct tools via the MCP protocol endpoint
+ *
+ * Run: npx mgr test bem:mcp/roles
+ */
+const fetch = require('wonderful-fetch');
+
+const MCP_ENDPOINT = 'http://localhost:5002/backend-manager/mcp';
+
+function parseSSE(text) {
+  const lines = text.split('\n');
+  let lastData = null;
+
+  for (const line of lines) {
+    if (line.startsWith('data: ')) {
+      lastData = line.slice(6);
+    }
+  }
+
+  if (lastData) {
+    return JSON.parse(lastData);
+  }
+
+  return JSON.parse(text);
+}
+
+async function mcpRequest(method, params, bearerToken) {
+  const headers = {
+    'Content-Type': 'application/json',
+    'Accept': 'application/json, text/event-stream',
+  };
+
+  if (bearerToken) {
+    headers['Authorization'] = `Bearer ${bearerToken}`;
+  }
+
+  const body = JSON.stringify({
+    jsonrpc: '2.0',
+    id: 1,
+    method: method,
+    params: params || {},
+  });
+
+  const text = await fetch(MCP_ENDPOINT, {
+    method: 'POST',
+    headers: headers,
+    body: body,
+    response: 'text',
+    timeout: 15000,
+  });
+
+  return parseSSE(text);
+}
+
+module.exports = {
+  description: 'MCP role-based tool scoping',
+  type: 'group',
+
+  tests: [
+    {
+      name: 'admin sees all 19 tools',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/list', {}, key);
+
+        assert.ok(response?.result?.tools, 'Should return tools list');
+
+        const tools = response.result.tools;
+        assert.equal(tools.length, 25, `Admin should see all 25 tools, got ${tools.length}`);
+
+        const names = tools.map((t) => t.name);
+        assert.ok(names.includes('firestore_read'), 'Admin should see firestore_read');
+        assert.ok(names.includes('get_user'), 'Admin should see get_user');
+        assert.ok(names.includes('health_check'), 'Admin should see health_check');
+      },
+    },
+
+    {
+      name: 'user sees only user + public tools',
+      async run({ assert, accounts }) {
+        const userKey = accounts.basic?.privateKey;
+        assert.ok(userKey, 'Test account should have a privateKey');
+
+        const response = await mcpRequest('tools/list', {}, userKey);
+
+        assert.ok(response?.result?.tools, 'Should return tools list');
+
+        const tools = response.result.tools;
+        const names = tools.map((t) => t.name);
+
+        // User should see user-role tools
+        assert.ok(names.includes('get_user'), 'User should see get_user');
+        assert.ok(names.includes('get_subscription'), 'User should see get_subscription');
+
+        // User should see public tools
+        assert.ok(names.includes('health_check'), 'User should see health_check');
+
+        // User should NOT see admin tools
+        assert.ok(!names.includes('firestore_read'), 'User should NOT see firestore_read');
+        assert.ok(!names.includes('send_email'), 'User should NOT see send_email');
+        assert.ok(!names.includes('cancel_subscription'), 'User should NOT see cancel_subscription');
+        assert.ok(!names.includes('generate_uuid'), 'User should NOT see generate_uuid');
+
+        assert.equal(tools.length, 3, `User should see 3 tools (2 user + 1 public), got ${tools.length}`);
+      },
+    },
+
+    {
+      name: 'unauthenticated gets 401 (triggers OAuth flow)',
+      async run({ assert }) {
+        try {
+          const response = await mcpRequest('tools/list', {});
+          // If we got here, check for Unauthorized error
+          assert.equal(response?.error, 'Unauthorized', 'Should return Unauthorized');
+        } catch (error) {
+          // 401 throws — this is correct behavior
+          assert.ok(true, 'Unauthenticated request returned 401');
+        }
+      },
+    },
+
+    {
+      name: 'admin can call an admin tool',
+      async run({ assert }) {
+        const key = process.env.BACKEND_MANAGER_KEY;
+        const response = await mcpRequest('tools/call', {
+          name: 'health_check',
+          arguments: {},
+        }, key);
+
+        assert.ok(response?.result, 'Should return a result');
+        assert.ok(!response.result.isError, 'Should not be an error');
+        assert.ok(response.result.content?.length > 0, 'Should have content');
+      },
+    },
+
+    {
+      name: 'user cannot call an admin tool',
+      async run({ assert, accounts }) {
+        const userKey = accounts.basic?.privateKey;
+        const response = await mcpRequest('tools/call', {
+          name: 'firestore_read',
+          arguments: { path: 'users/test' },
+        }, userKey);
+
+        assert.ok(response?.result, 'Should return a result');
+        assert.equal(response.result.isError, true, 'Should be an error');
+        assert.ok(response.result.content?.[0]?.text?.includes('Unknown tool'), 'Should say unknown tool');
+      },
+    },
+
+    {
+      name: 'unauthenticated cannot call any tool (gets 401)',
+      async run({ assert }) {
+        try {
+          const response = await mcpRequest('tools/call', {
+            name: 'get_user',
+            arguments: {},
+          });
+          assert.equal(response?.error, 'Unauthorized', 'Should return Unauthorized');
+        } catch (error) {
+          assert.ok(true, 'Unauthenticated tool call returned 401');
+        }
+      },
+    },
+  ],
+};

package/test/mcp/utils.js

@@ -0,0 +1,245 @@
+/**
+ * Test: MCP utility functions
+ * Tests resolveAuthInfo, filterToolsByRole, loadConsumerTools, buildToolMap
+ *
+ * Run: npx mgr test bem:mcp/utils
+ */
+const path = require('path');
+
+module.exports = {
+  description: 'MCP utility functions',
+  type: 'group',
+
+  tests: [
+    // --- resolveAuthInfo ---
+
+    {
+      name: 'resolveAuthInfo: admin key returns admin role',
+      async run({ assert }) {
+        const { resolveAuthInfo } = require('../../src/mcp/utils.js');
+        const saved = process.env.BACKEND_MANAGER_KEY;
+
+        try {
+          process.env.BACKEND_MANAGER_KEY = 'test-admin-key';
+          const result = resolveAuthInfo('test-admin-key');
+
+          assert.equal(result.role, 'admin', 'Should be admin');
+          assert.equal(result.authType, 'adminKey', 'Should be adminKey type');
+          assert.equal(result.token, 'test-admin-key', 'Token should match');
+        } finally {
+          process.env.BACKEND_MANAGER_KEY = saved;
+        }
+      },
+    },
+
+    {
+      name: 'resolveAuthInfo: non-admin token returns user role',
+      async run({ assert }) {
+        const { resolveAuthInfo } = require('../../src/mcp/utils.js');
+        const result = resolveAuthInfo('some-user-api-key');
+
+        assert.equal(result.role, 'user', 'Should be user');
+        assert.equal(result.authType, 'userToken', 'Should be userToken type');
+      },
+    },
+
+    {
+      name: 'resolveAuthInfo: empty token returns public role',
+      async run({ assert }) {
+        const { resolveAuthInfo } = require('../../src/mcp/utils.js');
+        const result = resolveAuthInfo('');
+
+        assert.equal(result.role, 'public', 'Should be public');
+        assert.equal(result.authType, 'none', 'Should be none type');
+        assert.equal(result.token, '', 'Token should be empty');
+      },
+    },
+
+    {
+      name: 'resolveAuthInfo: null/undefined token returns public role',
+      async run({ assert }) {
+        const { resolveAuthInfo } = require('../../src/mcp/utils.js');
+
+        assert.equal(resolveAuthInfo(null).role, 'public', 'null should be public');
+        assert.equal(resolveAuthInfo(undefined).role, 'public', 'undefined should be public');
+      },
+    },
+
+    {
+      name: 'resolveAuthInfo: returns public when BACKEND_MANAGER_KEY is not set',
+      async run({ assert }) {
+        const { resolveAuthInfo } = require('../../src/mcp/utils.js');
+        const saved = process.env.BACKEND_MANAGER_KEY;
+
+        try {
+          delete process.env.BACKEND_MANAGER_KEY;
+          const result = resolveAuthInfo('any-token');
+
+          assert.equal(result.role, 'user', 'Non-empty token with no config key should be user');
+        } finally {
+          process.env.BACKEND_MANAGER_KEY = saved;
+        }
+      },
+    },
+
+    // --- filterToolsByRole ---
+
+    {
+      name: 'filterToolsByRole: admin sees all roles',
+      async run({ assert }) {
+        const { filterToolsByRole } = require('../../src/mcp/utils.js');
+        const tools = [
+          { name: 'a', role: 'admin' },
+          { name: 'b', role: 'user' },
+          { name: 'c', role: 'public' },
+        ];
+        const result = filterToolsByRole(tools, 'admin');
+
+        assert.equal(result.length, 3, 'Admin should see all 3');
+      },
+    },
+
+    {
+      name: 'filterToolsByRole: user sees user + public only',
+      async run({ assert }) {
+        const { filterToolsByRole } = require('../../src/mcp/utils.js');
+        const tools = [
+          { name: 'a', role: 'admin' },
+          { name: 'b', role: 'user' },
+          { name: 'c', role: 'public' },
+        ];
+        const result = filterToolsByRole(tools, 'user');
+
+        assert.equal(result.length, 2, 'User should see 2');
+        assert.ok(result.some((t) => t.name === 'b'), 'Should include user tool');
+        assert.ok(result.some((t) => t.name === 'c'), 'Should include public tool');
+        assert.ok(!result.some((t) => t.name === 'a'), 'Should exclude admin tool');
+      },
+    },
+
+    {
+      name: 'filterToolsByRole: public sees public only',
+      async run({ assert }) {
+        const { filterToolsByRole } = require('../../src/mcp/utils.js');
+        const tools = [
+          { name: 'a', role: 'admin' },
+          { name: 'b', role: 'user' },
+          { name: 'c', role: 'public' },
+        ];
+        const result = filterToolsByRole(tools, 'public');
+
+        assert.equal(result.length, 1, 'Public should see 1');
+        assert.equal(result[0].name, 'c', 'Should be the public tool');
+      },
+    },
+
+    {
+      name: 'filterToolsByRole: tools without role default to admin',
+      async run({ assert }) {
+        const { filterToolsByRole } = require('../../src/mcp/utils.js');
+        const tools = [{ name: 'no-role' }];
+
+        assert.equal(filterToolsByRole(tools, 'admin').length, 1, 'Admin should see role-less tool');
+        assert.equal(filterToolsByRole(tools, 'user').length, 0, 'User should not see role-less tool');
+        assert.equal(filterToolsByRole(tools, 'public').length, 0, 'Public should not see role-less tool');
+      },
+    },
+
+    {
+      name: 'filterToolsByRole: unknown role treated as public',
+      async run({ assert }) {
+        const { filterToolsByRole } = require('../../src/mcp/utils.js');
+        const tools = [
+          { name: 'a', role: 'admin' },
+          { name: 'b', role: 'user' },
+          { name: 'c', role: 'public' },
+        ];
+        const result = filterToolsByRole(tools, 'garbage');
+
+        assert.equal(result.length, 1, 'Unknown role should see public only');
+      },
+    },
+
+    // --- loadConsumerTools ---
+
+    {
+      name: 'loadConsumerTools: returns empty array when no cwd',
+      async run({ assert }) {
+        const { loadConsumerTools } = require('../../src/mcp/utils.js');
+
+        assert.equal(loadConsumerTools(null).length, 0, 'null cwd');
+        assert.equal(loadConsumerTools('').length, 0, 'empty cwd');
+        assert.equal(loadConsumerTools(undefined).length, 0, 'undefined cwd');
+      },
+    },
+
+    {
+      name: 'loadConsumerTools: returns empty array for non-existent directory',
+      async run({ assert }) {
+        const { loadConsumerTools } = require('../../src/mcp/utils.js');
+        const result = loadConsumerTools('/tmp/does-not-exist-12345');
+
+        assert.equal(result.length, 0, 'Should return empty array');
+      },
+    },
+
+    // --- buildToolMap ---
+
+    {
+      name: 'buildToolMap: consumer tools override built-ins with same name',
+      async run({ assert }) {
+        const { buildToolMap } = require('../../src/mcp/utils.js');
+        const builtin = [{ name: 'tool_a', description: 'original' }];
+        const consumer = [{ name: 'tool_a', description: 'override', _consumer: true }];
+
+        const map = buildToolMap(builtin, consumer);
+        assert.equal(map.get('tool_a').description, 'override', 'Consumer should override');
+        assert.equal(map.get('tool_a')._consumer, true, 'Should be marked as consumer');
+      },
+    },
+
+    {
+      name: 'buildToolMap: merges non-overlapping tools',
+      async run({ assert }) {
+        const { buildToolMap } = require('../../src/mcp/utils.js');
+        const builtin = [{ name: 'a' }, { name: 'b' }];
+        const consumer = [{ name: 'c' }];
+
+        const map = buildToolMap(builtin, consumer);
+        assert.equal(map.size, 3, 'Should have 3 tools total');
+        assert.ok(map.has('a'), 'Should have a');
+        assert.ok(map.has('b'), 'Should have b');
+        assert.ok(map.has('c'), 'Should have c');
+      },
+    },
+
+    // --- Real tools verification ---
+
+    {
+      name: 'all 19 built-in tools have a role assigned',
+      async run({ assert }) {
+        const tools = require('../../src/mcp/tools.js');
+
+        assert.equal(tools.length, 25, 'Should have 25 tools');
+
+        const missing = tools.filter((t) => !t.role);
+        assert.equal(missing.length, 0, `All tools should have roles, missing: ${missing.map((t) => t.name).join(', ')}`);
+      },
+    },
+
+    {
+      name: 'role distribution matches expected counts',
+      async run({ assert }) {
+        const tools = require('../../src/mcp/tools.js');
+
+        const admin = tools.filter((t) => t.role === 'admin');
+        const user = tools.filter((t) => t.role === 'user');
+        const pub = tools.filter((t) => t.role === 'public');
+
+        assert.equal(admin.length, 22, `Should have 22 admin tools, got ${admin.length}`);
+        assert.equal(user.length, 2, `Should have 2 user tools, got ${user.length}`);
+        assert.equal(pub.length, 1, `Should have 1 public tool, got ${pub.length}`);
+      },
+    },
+  ],
+};

package/.claude/settings.local.json

@@ -1,12 +0,0 @@
-{
-  "permissions": {
-    "allow": [
-      "Bash(grep -B2 -A20 \"Generate a newsletter preview\" /tmp/bem-test-run-3.log | head -50)",
-      "Bash(sed 's/\\\\x1b\\\\[[0-9;]*m//g')",
-      "Read(//tmp/**)",
-      "Bash(TEST_EXTENDED_MODE=1 npx mgr test 2>&1 | sed 's/\\\\x1b\\\\[[0-9;]*m//g' > /tmp/bem-run-6.log; grep -E \"passing|failing|skipped\" /tmp/bem-run-6.log | tail -5)",
-      "Bash(awk -F'`' '{print $2}')",
-      "Bash(TEST_EXTENDED_MODE=1 npx mgr test 2>&1 | sed 's/\\\\x1b\\\\[[0-9;]*m//g' > /tmp/bem-cleanup-run2.log; grep -E \"\\(passing|failing|skipped\\)\" /tmp/bem-cleanup-run2.log | tail -5)"
-    ]
-  }
-}