backend-manager 5.9.4 → 5.9.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (251) hide show
  1. package/CLAUDE.md +6 -0
  2. package/package.json +8 -1
  3. package/src/cli/commands/install.js +4 -3
  4. package/src/cli/commands/setup-tests/backend-manager.js +2 -1
  5. package/src/cli/commands/setup-tests/firebase-admin.js +2 -1
  6. package/src/cli/commands/setup-tests/firebase-functions.js +2 -1
  7. package/src/cli/utils/safe-install.js +13 -0
  8. package/src/manager/routes/payments/cancel/post.js +22 -2
  9. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/metadata.json +14 -0
  10. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.html +486 -0
  11. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.md +41 -0
  12. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/newsletter.mjml +97 -0
  13. package/{test/email/fixtures/clean.json → src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/structure.json} +16 -4
  14. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-11T03-28-07/summary.md +1 -0
  15. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/metadata.json +14 -0
  16. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.html +486 -0
  17. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.md +41 -0
  18. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/newsletter.mjml +97 -0
  19. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/structure.json +42 -0
  20. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-00-28/summary.md +1 -0
  21. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/metadata.json +14 -0
  22. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.html +486 -0
  23. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.md +41 -0
  24. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/newsletter.mjml +97 -0
  25. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/structure.json +42 -0
  26. package/src/test/fixtures/firebase-project/.temp/newsletter/run-2026-06-18T01-01-34/summary.md +1 -0
  27. package/src/test/fixtures/firebase-project/.temp/test-mode.json +6 -0
  28. package/src/test/fixtures/firebase-project/database-debug.log +12 -0
  29. package/src/test/fixtures/firebase-project/firestore-debug.log +136 -0
  30. package/src/test/fixtures/firebase-project/pubsub-debug.log +17 -0
  31. package/src/test/test-accounts.js +9 -0
  32. package/.codeclimate.yml +0 -32
  33. package/.nvmrc +0 -1
  34. package/CHANGELOG.md +0 -1432
  35. package/PROGRESS.md +0 -86
  36. package/TODO-2.md +0 -121
  37. package/TODO-CHARGEBLAST.md +0 -32
  38. package/TODO-WEBHOOK-KEY-LEGACY-REMOVAL.md +0 -15
  39. package/TODO-WEBHOOK-KEY-UPGRADE.md +0 -138
  40. package/TODO-email-auth.md +0 -14
  41. package/TODO.md +0 -187
  42. package/plans/mcp2.md +0 -247
  43. package/scripts/test-helper-providers.js +0 -162
  44. package/scripts/update-disposable-domains.js +0 -44
  45. package/templates/_.env +0 -42
  46. package/templates/_.gitignore +0 -60
  47. package/templates/backend-manager-config.json +0 -249
  48. package/templates/database.rules.json +0 -83
  49. package/templates/firebase.json +0 -66
  50. package/templates/firestore.indexes.json +0 -4
  51. package/templates/firestore.rules +0 -112
  52. package/templates/public/404.html +0 -26
  53. package/templates/public/index.html +0 -24
  54. package/templates/remoteconfig.template.json +0 -1
  55. package/templates/storage-lifecycle-config-1-day.json +0 -9
  56. package/templates/storage-lifecycle-config-30-days.json +0 -9
  57. package/templates/storage.rules +0 -8
  58. package/test/_init/accounts-validation.js +0 -58
  59. package/test/_legacy/ai/index.js +0 -231
  60. package/test/_legacy/ai/test.jpg +0 -0
  61. package/test/_legacy/ai/test.pdf +0 -0
  62. package/test/_legacy/index.js +0 -31
  63. package/test/_legacy/payment-resolver/chargebee/orders/refunded.json +0 -0
  64. package/test/_legacy/payment-resolver/chargebee/orders/unpaid.json +0 -98
  65. package/test/_legacy/payment-resolver/chargebee/subscriptions/active.json +0 -578
  66. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-in-trial.json +0 -38
  67. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-skipped-to-active.json +0 -135
  68. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active-to-cancelled.json +0 -42
  69. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-active.json +0 -44
  70. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-cancelled.json +0 -39
  71. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-refund.json +0 -143
  72. package/test/_legacy/payment-resolver/chargebee/subscriptions/trial-to-suspended.json +0 -48
  73. package/test/_legacy/payment-resolver/coinbase/orders/regular.json +0 -204
  74. package/test/_legacy/payment-resolver/coinbase/subscriptions/cancelled.json +0 -204
  75. package/test/_legacy/payment-resolver/coinbase/subscriptions/paid-2.json +0 -125
  76. package/test/_legacy/payment-resolver/index.js +0 -1558
  77. package/test/_legacy/payment-resolver/paypal/orders/refunded.json +0 -0
  78. package/test/_legacy/payment-resolver/paypal/orders/regular.json +0 -120
  79. package/test/_legacy/payment-resolver/paypal/subscriptions/active-refund-previous-stmnt.json +0 -323
  80. package/test/_legacy/payment-resolver/paypal/subscriptions/active.json +0 -192
  81. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-in-trial.json +0 -125
  82. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-not-complete.json +0 -76
  83. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue-2.json +0 -114
  84. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-payment-overdue.json +0 -114
  85. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active-to-cancelled.json +0 -111
  86. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-active.json +0 -132
  87. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-cancelled.json +0 -107
  88. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-expired.json +0 -91
  89. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-refund.json +0 -147
  90. package/test/_legacy/payment-resolver/paypal/subscriptions/trial-to-suspended.json +0 -120
  91. package/test/_legacy/payment-resolver/stripe/orders/refunded.json +0 -0
  92. package/test/_legacy/payment-resolver/stripe/orders/regular.json +0 -91
  93. package/test/_legacy/payment-resolver/stripe/subscriptions/active.json +0 -421
  94. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-in-trial.json +0 -349
  95. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active-failed-authorization.json +0 -430
  96. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-active.json +0 -319
  97. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-cancelled.json +0 -319
  98. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-refund.json +0 -414
  99. package/test/_legacy/payment-resolver/stripe/subscriptions/trial-to-suspended.json +0 -319
  100. package/test/_legacy/payment-resolver/stripe/subscriptions/unsure.json +0 -339
  101. package/test/_legacy/test-new +0 -1178
  102. package/test/_legacy/test.md +0 -89
  103. package/test/_legacy/usage.js +0 -175
  104. package/test/_legacy/user.js +0 -31
  105. package/test/ai/tools-live.js +0 -170
  106. package/test/boot/emulator-boots.js +0 -37
  107. package/test/content/blog-generate.js +0 -160
  108. package/test/email/campaign-send.js +0 -45
  109. package/test/email/consent-lifecycle.js +0 -257
  110. package/test/email/feedback-and-plain-send.js +0 -52
  111. package/test/email/fixtures/editorial.json +0 -30
  112. package/test/email/fixtures/field-report.json +0 -53
  113. package/test/email/marketing-lifecycle.js +0 -132
  114. package/test/email/newsletter-generate.js +0 -819
  115. package/test/email/newsletter-templates.js +0 -491
  116. package/test/email/templates.js +0 -207
  117. package/test/email/transactional-send.js +0 -34
  118. package/test/email/transactional.js +0 -560
  119. package/test/email/validation.js +0 -710
  120. package/test/events/auth-delete-race.js +0 -201
  121. package/test/events/payments/journey-payments-cancel-endpoint.js +0 -100
  122. package/test/events/payments/journey-payments-cancel.js +0 -182
  123. package/test/events/payments/journey-payments-discount.js +0 -89
  124. package/test/events/payments/journey-payments-failure.js +0 -146
  125. package/test/events/payments/journey-payments-legacy-product.js +0 -149
  126. package/test/events/payments/journey-payments-one-time-failure.js +0 -111
  127. package/test/events/payments/journey-payments-one-time.js +0 -136
  128. package/test/events/payments/journey-payments-plan-change.js +0 -144
  129. package/test/events/payments/journey-payments-refund-webhook.js +0 -180
  130. package/test/events/payments/journey-payments-suspend.js +0 -181
  131. package/test/events/payments/journey-payments-trial-cancel.js +0 -130
  132. package/test/events/payments/journey-payments-trial.js +0 -171
  133. package/test/events/payments/journey-payments-uid-resolution.js +0 -132
  134. package/test/events/payments/journey-payments-upgrade.js +0 -135
  135. package/test/fixtures/chargebee/invoice-one-time.json +0 -27
  136. package/test/fixtures/chargebee/subscription-active.json +0 -44
  137. package/test/fixtures/chargebee/subscription-cancelled.json +0 -42
  138. package/test/fixtures/chargebee/subscription-in-trial.json +0 -41
  139. package/test/fixtures/chargebee/subscription-legacy-plan.json +0 -41
  140. package/test/fixtures/chargebee/subscription-non-renewing.json +0 -41
  141. package/test/fixtures/chargebee/subscription-paused.json +0 -42
  142. package/test/fixtures/chargebee/webhook-payment-failed.json +0 -51
  143. package/test/fixtures/chargebee/webhook-subscription-created.json +0 -47
  144. package/test/fixtures/paypal/order-approved.json +0 -62
  145. package/test/fixtures/paypal/order-completed.json +0 -110
  146. package/test/fixtures/paypal/subscription-active.json +0 -76
  147. package/test/fixtures/paypal/subscription-cancelled.json +0 -50
  148. package/test/fixtures/paypal/subscription-suspended.json +0 -65
  149. package/test/fixtures/stripe/checkout-session-completed.json +0 -130
  150. package/test/fixtures/stripe/invoice-payment-failed.json +0 -148
  151. package/test/fixtures/stripe/invoice-subscription-payment-failed.json +0 -28
  152. package/test/fixtures/stripe/subscription-active.json +0 -161
  153. package/test/fixtures/stripe/subscription-canceled.json +0 -161
  154. package/test/fixtures/stripe/subscription-trialing.json +0 -161
  155. package/test/functions/admin/database-read.js +0 -134
  156. package/test/functions/admin/database-write.js +0 -159
  157. package/test/functions/admin/edit-post.js +0 -366
  158. package/test/functions/admin/firestore-query.js +0 -207
  159. package/test/functions/admin/firestore-read.js +0 -129
  160. package/test/functions/admin/firestore-write.js +0 -105
  161. package/test/functions/admin/get-stats.js +0 -115
  162. package/test/functions/admin/send-email.js +0 -119
  163. package/test/functions/admin/send-notification.js +0 -208
  164. package/test/functions/admin/write-repo-content.js +0 -223
  165. package/test/functions/general/add-marketing-contact.js +0 -335
  166. package/test/functions/general/fetch-post.js +0 -54
  167. package/test/functions/general/generate-uuid.js +0 -114
  168. package/test/functions/test/authenticate.js +0 -64
  169. package/test/functions/user/create-custom-token.js +0 -73
  170. package/test/functions/user/delete.js +0 -135
  171. package/test/functions/user/get-active-sessions.js +0 -111
  172. package/test/functions/user/get-subscription-info.js +0 -99
  173. package/test/functions/user/regenerate-api-keys.js +0 -156
  174. package/test/functions/user/resolve.js +0 -52
  175. package/test/functions/user/sign-out-all-sessions.js +0 -94
  176. package/test/functions/user/sign-up.js +0 -252
  177. package/test/functions/user/submit-feedback.js +0 -104
  178. package/test/functions/user/validate-settings.js +0 -82
  179. package/test/helpers/ai-request-payload.js +0 -300
  180. package/test/helpers/ai-test-provider.js +0 -202
  181. package/test/helpers/ai-tools-format.js +0 -383
  182. package/test/helpers/content/blog-auto-publisher.js +0 -484
  183. package/test/helpers/content/feed-parser.js +0 -528
  184. package/test/helpers/content/ghostii-blocks.js +0 -134
  185. package/test/helpers/content/ghostii-feed-integration.js +0 -404
  186. package/test/helpers/content/ghostii-write-article.js +0 -243
  187. package/test/helpers/environment.js +0 -230
  188. package/test/helpers/infer-contact.js +0 -113
  189. package/test/helpers/merge-line-files.js +0 -271
  190. package/test/helpers/payment/chargebee/parse-webhook.js +0 -413
  191. package/test/helpers/payment/chargebee/to-unified-one-time.js +0 -147
  192. package/test/helpers/payment/chargebee/to-unified-subscription.js +0 -648
  193. package/test/helpers/payment/paypal/parse-webhook.js +0 -539
  194. package/test/helpers/payment/paypal/to-unified-one-time.js +0 -382
  195. package/test/helpers/payment/paypal/to-unified-subscription.js +0 -820
  196. package/test/helpers/payment/stripe/parse-webhook.js +0 -447
  197. package/test/helpers/payment/stripe/to-unified-one-time.js +0 -306
  198. package/test/helpers/payment/stripe/to-unified-subscription.js +0 -708
  199. package/test/helpers/sanitize.js +0 -222
  200. package/test/helpers/slugify.js +0 -394
  201. package/test/helpers/storage.js +0 -194
  202. package/test/helpers/user.js +0 -755
  203. package/test/helpers/webhook-forward.js +0 -418
  204. package/test/mcp/discovery.js +0 -53
  205. package/test/mcp/oauth.js +0 -161
  206. package/test/mcp/protocol.js +0 -268
  207. package/test/mcp/roles.js +0 -188
  208. package/test/mcp/utils.js +0 -245
  209. package/test/routes/admin/create-post.js +0 -364
  210. package/test/routes/admin/database.js +0 -131
  211. package/test/routes/admin/deduplicate-image-alts.js +0 -190
  212. package/test/routes/admin/email.js +0 -114
  213. package/test/routes/admin/firestore-query.js +0 -204
  214. package/test/routes/admin/firestore.js +0 -127
  215. package/test/routes/admin/infer-contact.js +0 -218
  216. package/test/routes/admin/notification.js +0 -198
  217. package/test/routes/admin/post-resize-image.js +0 -184
  218. package/test/routes/admin/post.js +0 -368
  219. package/test/routes/admin/repo-content.js +0 -223
  220. package/test/routes/admin/stats.js +0 -112
  221. package/test/routes/content/post.js +0 -54
  222. package/test/routes/general/uuid.js +0 -115
  223. package/test/routes/marketing/campaign.js +0 -125
  224. package/test/routes/marketing/contact.js +0 -370
  225. package/test/routes/marketing/email-preferences.js +0 -292
  226. package/test/routes/marketing/push-send.js +0 -32
  227. package/test/routes/marketing/webhook-forward.js +0 -61
  228. package/test/routes/marketing/webhook.js +0 -639
  229. package/test/routes/payments/cancel.js +0 -140
  230. package/test/routes/payments/discount.js +0 -80
  231. package/test/routes/payments/dispute-alert.js +0 -320
  232. package/test/routes/payments/intent.js +0 -336
  233. package/test/routes/payments/portal.js +0 -92
  234. package/test/routes/payments/refund.js +0 -179
  235. package/test/routes/payments/trial-eligibility.js +0 -71
  236. package/test/routes/payments/webhook.js +0 -107
  237. package/test/routes/test/authenticate.js +0 -59
  238. package/test/routes/test/schema.js +0 -554
  239. package/test/routes/test/usage.js +0 -342
  240. package/test/routes/user/api-keys.js +0 -156
  241. package/test/routes/user/delete.js +0 -136
  242. package/test/routes/user/feedback.js +0 -104
  243. package/test/routes/user/sessions.js +0 -199
  244. package/test/routes/user/settings-validate.js +0 -82
  245. package/test/routes/user/signup.js +0 -542
  246. package/test/routes/user/subscription.js +0 -99
  247. package/test/routes/user/token.js +0 -73
  248. package/test/routes/user/user.js +0 -157
  249. package/test/rules/notifications.js +0 -410
  250. package/test/rules/payments-carts.js +0 -371
  251. package/test/rules/user.js +0 -396
@@ -1,268 +0,0 @@
1
- /**
2
- * Test: MCP protocol endpoint — happy path, sad path, edge cases
3
- * Tests the Streamable HTTP transport at POST /backend-manager/mcp
4
- *
5
- * Run: npx mgr test bem:mcp/protocol
6
- */
7
- const fetch = require('wonderful-fetch');
8
-
9
- const MCP_ENDPOINT = 'http://localhost:5002/backend-manager/mcp';
10
-
11
- function parseSSE(text) {
12
- const lines = text.split('\n');
13
- let lastData = null;
14
-
15
- for (const line of lines) {
16
- if (line.startsWith('data: ')) {
17
- lastData = line.slice(6);
18
- }
19
- }
20
-
21
- if (lastData) {
22
- return JSON.parse(lastData);
23
- }
24
-
25
- return JSON.parse(text);
26
- }
27
-
28
- async function mcpRequest(method, params, bearerToken, options) {
29
- options = options || {};
30
-
31
- const headers = {
32
- 'Content-Type': 'application/json',
33
- 'Accept': 'application/json, text/event-stream',
34
- ...options.headers,
35
- };
36
-
37
- if (bearerToken) {
38
- headers['Authorization'] = `Bearer ${bearerToken}`;
39
- }
40
-
41
- const body = JSON.stringify({
42
- jsonrpc: '2.0',
43
- id: options.id || 1,
44
- method: method,
45
- params: params || {},
46
- });
47
-
48
- const text = await fetch(MCP_ENDPOINT, {
49
- method: 'POST',
50
- headers: headers,
51
- body: body,
52
- response: 'text',
53
- timeout: 15000,
54
- });
55
-
56
- return parseSSE(text);
57
- }
58
-
59
- module.exports = {
60
- description: 'MCP protocol endpoint (Streamable HTTP)',
61
- type: 'group',
62
-
63
- tests: [
64
- // ─── Happy path ───
65
-
66
- {
67
- name: 'tools/list returns tool definitions with schemas',
68
- async run({ assert }) {
69
- const key = process.env.BACKEND_MANAGER_KEY;
70
- const response = await mcpRequest('tools/list', {}, key);
71
-
72
- assert.ok(response?.result, 'Should have result');
73
- assert.ok(Array.isArray(response.result.tools), 'tools should be an array');
74
-
75
- const tool = response.result.tools.find((t) => t.name === 'health_check');
76
- assert.ok(tool, 'Should include health_check');
77
- assert.ok(tool.description, 'Tool should have description');
78
- assert.ok(tool.inputSchema, 'Tool should have inputSchema');
79
- assert.equal(tool.inputSchema.type, 'object', 'Schema type should be object');
80
- },
81
- },
82
-
83
- {
84
- name: 'tools/call health_check succeeds',
85
- async run({ assert }) {
86
- const key = process.env.BACKEND_MANAGER_KEY;
87
- const response = await mcpRequest('tools/call', {
88
- name: 'health_check',
89
- arguments: {},
90
- }, key);
91
-
92
- assert.ok(response?.result, 'Should have result');
93
- assert.ok(!response.result.isError, 'Should not be an error');
94
- assert.ok(response.result.content, 'Should have content');
95
- assert.ok(response.result.content.length > 0, 'Content should not be empty');
96
- assert.equal(response.result.content[0].type, 'text', 'Content type should be text');
97
- },
98
- },
99
-
100
- {
101
- name: 'tools/call generate_uuid returns valid response',
102
- async run({ assert }) {
103
- const key = process.env.BACKEND_MANAGER_KEY;
104
- const response = await mcpRequest('tools/call', {
105
- name: 'generate_uuid',
106
- arguments: { version: '4' },
107
- }, key);
108
-
109
- assert.ok(response?.result, 'Should have result');
110
- assert.ok(!response.result.isError, 'Should not be an error');
111
-
112
- const text = response.result.content?.[0]?.text || '';
113
- assert.ok(text.length > 0, 'Should return UUID text');
114
- },
115
- },
116
-
117
- // ─── Sad path ───
118
-
119
- {
120
- name: 'tools/call unknown tool returns error',
121
- async run({ assert }) {
122
- const key = process.env.BACKEND_MANAGER_KEY;
123
- const response = await mcpRequest('tools/call', {
124
- name: 'nonexistent_tool',
125
- arguments: {},
126
- }, key);
127
-
128
- assert.ok(response?.result, 'Should have result');
129
- assert.equal(response.result.isError, true, 'Should be an error');
130
- assert.ok(response.result.content?.[0]?.text?.includes('Unknown tool'), 'Error should mention unknown tool');
131
- },
132
- },
133
-
134
- {
135
- name: 'GET method returns 405',
136
- async run({ assert }) {
137
- const key = process.env.BACKEND_MANAGER_KEY;
138
-
139
- try {
140
- const response = await fetch(MCP_ENDPOINT, {
141
- method: 'GET',
142
- headers: {
143
- 'Authorization': `Bearer ${key}`,
144
- 'Accept': 'application/json, text/event-stream',
145
- },
146
- response: 'json',
147
- timeout: 10000,
148
- });
149
-
150
- assert.ok(response?.error, 'Should return error for GET');
151
- } catch (error) {
152
- assert.ok(true, 'GET method rejected');
153
- }
154
- },
155
- },
156
-
157
- {
158
- name: 'DELETE method returns 200 (session cleanup)',
159
- async run({ assert }) {
160
- const key = process.env.BACKEND_MANAGER_KEY;
161
-
162
- try {
163
- await fetch(MCP_ENDPOINT, {
164
- method: 'DELETE',
165
- headers: {
166
- 'Authorization': `Bearer ${key}`,
167
- },
168
- response: 'text',
169
- timeout: 10000,
170
- });
171
-
172
- assert.ok(true, 'DELETE method accepted');
173
- } catch (error) {
174
- assert.ok(true, 'DELETE method handled');
175
- }
176
- },
177
- },
178
-
179
- // ─── Edge cases ───
180
-
181
- {
182
- name: 'tools/call with empty object arguments still works',
183
- async run({ assert }) {
184
- const key = process.env.BACKEND_MANAGER_KEY;
185
- const response = await mcpRequest('tools/call', {
186
- name: 'health_check',
187
- arguments: {},
188
- }, key);
189
-
190
- assert.ok(response?.result, 'Should have result');
191
- assert.ok(!response.result.isError, 'Should not error with empty arguments');
192
- },
193
- },
194
-
195
- {
196
- name: 'tools/call with missing arguments still works',
197
- async run({ assert }) {
198
- const key = process.env.BACKEND_MANAGER_KEY;
199
- const response = await mcpRequest('tools/call', {
200
- name: 'health_check',
201
- }, key);
202
-
203
- assert.ok(response?.result, 'Should have result');
204
- assert.ok(!response.result.isError, 'Should not error with missing arguments');
205
- },
206
- },
207
-
208
- {
209
- name: 'response preserves jsonrpc 2.0 envelope',
210
- async run({ assert }) {
211
- const key = process.env.BACKEND_MANAGER_KEY;
212
- const response = await mcpRequest('tools/list', {}, key, { id: 42 });
213
-
214
- assert.equal(response?.jsonrpc, '2.0', 'Should have jsonrpc 2.0');
215
- assert.equal(response?.id, 42, 'Should echo back the request id');
216
- },
217
- },
218
-
219
- {
220
- name: 'unauthenticated request returns 401 to trigger OAuth',
221
- async run({ assert }) {
222
- try {
223
- const text = await fetch(MCP_ENDPOINT, {
224
- method: 'POST',
225
- headers: {
226
- 'Content-Type': 'application/json',
227
- 'Accept': 'application/json, text/event-stream',
228
- },
229
- body: JSON.stringify({ jsonrpc: '2.0', id: 1, method: 'tools/list', params: {} }),
230
- response: 'text',
231
- timeout: 10000,
232
- });
233
- const parsed = JSON.parse(text);
234
- assert.equal(parsed.error, 'Unauthorized', 'Should return Unauthorized');
235
- } catch (error) {
236
- assert.ok(true, '401 response thrown as error');
237
- }
238
- },
239
- },
240
-
241
- {
242
- name: 'tools include annotations with title and hints',
243
- async run({ assert }) {
244
- const key = process.env.BACKEND_MANAGER_KEY;
245
- const response = await mcpRequest('tools/list', {}, key);
246
-
247
- const tool = response.result.tools.find((t) => t.name === 'health_check');
248
- assert.ok(tool.annotations, 'Should have annotations');
249
- assert.ok(tool.annotations.title, 'Should have a title');
250
- assert.equal(tool.annotations.readOnlyHint, true, 'health_check should be read-only');
251
- },
252
- },
253
-
254
- {
255
- name: 'admin can call public-role tool (role escalation works upward)',
256
- async run({ assert }) {
257
- const key = process.env.BACKEND_MANAGER_KEY;
258
- const response = await mcpRequest('tools/call', {
259
- name: 'health_check',
260
- arguments: {},
261
- }, key);
262
-
263
- assert.ok(response?.result, 'Should have result');
264
- assert.ok(!response.result.isError, 'Admin should be able to call public tools');
265
- },
266
- },
267
- ],
268
- };
package/test/mcp/roles.js DELETED
@@ -1,188 +0,0 @@
1
- /**
2
- * Test: MCP role-based tool scoping
3
- * Tests that admin/user/public roles see the correct tools via the MCP protocol endpoint
4
- *
5
- * Run: npx mgr test bem:mcp/roles
6
- */
7
- const fetch = require('wonderful-fetch');
8
-
9
- const MCP_ENDPOINT = 'http://localhost:5002/backend-manager/mcp';
10
-
11
- function parseSSE(text) {
12
- const lines = text.split('\n');
13
- let lastData = null;
14
-
15
- for (const line of lines) {
16
- if (line.startsWith('data: ')) {
17
- lastData = line.slice(6);
18
- }
19
- }
20
-
21
- if (lastData) {
22
- return JSON.parse(lastData);
23
- }
24
-
25
- return JSON.parse(text);
26
- }
27
-
28
- async function mcpRequest(method, params, bearerToken) {
29
- const headers = {
30
- 'Content-Type': 'application/json',
31
- 'Accept': 'application/json, text/event-stream',
32
- };
33
-
34
- if (bearerToken) {
35
- headers['Authorization'] = `Bearer ${bearerToken}`;
36
- }
37
-
38
- const body = JSON.stringify({
39
- jsonrpc: '2.0',
40
- id: 1,
41
- method: method,
42
- params: params || {},
43
- });
44
-
45
- const text = await fetch(MCP_ENDPOINT, {
46
- method: 'POST',
47
- headers: headers,
48
- body: body,
49
- response: 'text',
50
- timeout: 15000,
51
- });
52
-
53
- return parseSSE(text);
54
- }
55
-
56
- module.exports = {
57
- description: 'MCP role-based tool scoping',
58
- type: 'group',
59
-
60
- tests: [
61
- {
62
- name: 'admin sees all 19 tools',
63
- async run({ assert }) {
64
- const key = process.env.BACKEND_MANAGER_KEY;
65
- const response = await mcpRequest('tools/list', {}, key);
66
-
67
- assert.ok(response?.result?.tools, 'Should return tools list');
68
-
69
- const tools = response.result.tools;
70
- assert.equal(tools.length, 25, `Admin should see all 25 tools, got ${tools.length}`);
71
-
72
- const names = tools.map((t) => t.name);
73
- assert.ok(names.includes('firestore_read'), 'Admin should see firestore_read');
74
- assert.ok(names.includes('get_user'), 'Admin should see get_user');
75
- assert.ok(names.includes('health_check'), 'Admin should see health_check');
76
- },
77
- },
78
-
79
- {
80
- name: 'user with roles.admin sees all tools (DB role promotion)',
81
- async run({ assert, accounts }) {
82
- const adminUserKey = accounts.admin?.privateKey;
83
- assert.ok(adminUserKey, 'Admin test account should have a privateKey');
84
-
85
- const response = await mcpRequest('tools/list', {}, adminUserKey);
86
-
87
- assert.ok(response?.result?.tools, 'Should return tools list');
88
-
89
- const tools = response.result.tools;
90
- assert.equal(tools.length, 25, `Admin-role user should see all 25 tools, got ${tools.length}`);
91
-
92
- const names = tools.map((t) => t.name);
93
- assert.ok(names.includes('firestore_read'), 'Should see admin tool firestore_read');
94
- assert.ok(names.includes('get_user'), 'Should see user tool get_user');
95
- assert.ok(names.includes('health_check'), 'Should see public tool health_check');
96
- },
97
- },
98
-
99
- {
100
- name: 'user sees only user + public tools',
101
- async run({ assert, accounts }) {
102
- const userKey = accounts.basic?.privateKey;
103
- assert.ok(userKey, 'Test account should have a privateKey');
104
-
105
- const response = await mcpRequest('tools/list', {}, userKey);
106
-
107
- assert.ok(response?.result?.tools, 'Should return tools list');
108
-
109
- const tools = response.result.tools;
110
- const names = tools.map((t) => t.name);
111
-
112
- // User should see user-role tools
113
- assert.ok(names.includes('get_user'), 'User should see get_user');
114
- assert.ok(names.includes('get_subscription'), 'User should see get_subscription');
115
-
116
- // User should see public tools
117
- assert.ok(names.includes('health_check'), 'User should see health_check');
118
-
119
- // User should NOT see admin tools
120
- assert.ok(!names.includes('firestore_read'), 'User should NOT see firestore_read');
121
- assert.ok(!names.includes('send_email'), 'User should NOT see send_email');
122
- assert.ok(!names.includes('cancel_subscription'), 'User should NOT see cancel_subscription');
123
- assert.ok(!names.includes('generate_uuid'), 'User should NOT see generate_uuid');
124
-
125
- assert.equal(tools.length, 3, `User should see 3 tools (2 user + 1 public), got ${tools.length}`);
126
- },
127
- },
128
-
129
- {
130
- name: 'unauthenticated gets 401 (triggers OAuth flow)',
131
- async run({ assert }) {
132
- try {
133
- const response = await mcpRequest('tools/list', {});
134
- // If we got here, check for Unauthorized error
135
- assert.equal(response?.error, 'Unauthorized', 'Should return Unauthorized');
136
- } catch (error) {
137
- // 401 throws — this is correct behavior
138
- assert.ok(true, 'Unauthenticated request returned 401');
139
- }
140
- },
141
- },
142
-
143
- {
144
- name: 'admin can call an admin tool',
145
- async run({ assert }) {
146
- const key = process.env.BACKEND_MANAGER_KEY;
147
- const response = await mcpRequest('tools/call', {
148
- name: 'health_check',
149
- arguments: {},
150
- }, key);
151
-
152
- assert.ok(response?.result, 'Should return a result');
153
- assert.ok(!response.result.isError, 'Should not be an error');
154
- assert.ok(response.result.content?.length > 0, 'Should have content');
155
- },
156
- },
157
-
158
- {
159
- name: 'user cannot call an admin tool',
160
- async run({ assert, accounts }) {
161
- const userKey = accounts.basic?.privateKey;
162
- const response = await mcpRequest('tools/call', {
163
- name: 'firestore_read',
164
- arguments: { path: 'users/test' },
165
- }, userKey);
166
-
167
- assert.ok(response?.result, 'Should return a result');
168
- assert.equal(response.result.isError, true, 'Should be an error');
169
- assert.ok(response.result.content?.[0]?.text?.includes('Unknown tool'), 'Should say unknown tool');
170
- },
171
- },
172
-
173
- {
174
- name: 'unauthenticated cannot call any tool (gets 401)',
175
- async run({ assert }) {
176
- try {
177
- const response = await mcpRequest('tools/call', {
178
- name: 'get_user',
179
- arguments: {},
180
- });
181
- assert.equal(response?.error, 'Unauthorized', 'Should return Unauthorized');
182
- } catch (error) {
183
- assert.ok(true, 'Unauthenticated tool call returned 401');
184
- }
185
- },
186
- },
187
- ],
188
- };
package/test/mcp/utils.js DELETED
@@ -1,245 +0,0 @@
1
- /**
2
- * Test: MCP utility functions
3
- * Tests resolveAuthInfo, filterToolsByRole, loadConsumerTools, buildToolMap
4
- *
5
- * Run: npx mgr test bem:mcp/utils
6
- */
7
- const path = require('path');
8
-
9
- module.exports = {
10
- description: 'MCP utility functions',
11
- type: 'group',
12
-
13
- tests: [
14
- // --- resolveAuthInfo ---
15
-
16
- {
17
- name: 'resolveAuthInfo: admin key returns admin role',
18
- async run({ assert }) {
19
- const { resolveAuthInfo } = require('../../src/mcp/utils.js');
20
- const saved = process.env.BACKEND_MANAGER_KEY;
21
-
22
- try {
23
- process.env.BACKEND_MANAGER_KEY = 'test-admin-key';
24
- const result = resolveAuthInfo('test-admin-key');
25
-
26
- assert.equal(result.role, 'admin', 'Should be admin');
27
- assert.equal(result.authType, 'adminKey', 'Should be adminKey type');
28
- assert.equal(result.token, 'test-admin-key', 'Token should match');
29
- } finally {
30
- process.env.BACKEND_MANAGER_KEY = saved;
31
- }
32
- },
33
- },
34
-
35
- {
36
- name: 'resolveAuthInfo: non-admin token returns user role',
37
- async run({ assert }) {
38
- const { resolveAuthInfo } = require('../../src/mcp/utils.js');
39
- const result = resolveAuthInfo('some-user-api-key');
40
-
41
- assert.equal(result.role, 'user', 'Should be user');
42
- assert.equal(result.authType, 'userToken', 'Should be userToken type');
43
- },
44
- },
45
-
46
- {
47
- name: 'resolveAuthInfo: empty token returns public role',
48
- async run({ assert }) {
49
- const { resolveAuthInfo } = require('../../src/mcp/utils.js');
50
- const result = resolveAuthInfo('');
51
-
52
- assert.equal(result.role, 'public', 'Should be public');
53
- assert.equal(result.authType, 'none', 'Should be none type');
54
- assert.equal(result.token, '', 'Token should be empty');
55
- },
56
- },
57
-
58
- {
59
- name: 'resolveAuthInfo: null/undefined token returns public role',
60
- async run({ assert }) {
61
- const { resolveAuthInfo } = require('../../src/mcp/utils.js');
62
-
63
- assert.equal(resolveAuthInfo(null).role, 'public', 'null should be public');
64
- assert.equal(resolveAuthInfo(undefined).role, 'public', 'undefined should be public');
65
- },
66
- },
67
-
68
- {
69
- name: 'resolveAuthInfo: returns public when BACKEND_MANAGER_KEY is not set',
70
- async run({ assert }) {
71
- const { resolveAuthInfo } = require('../../src/mcp/utils.js');
72
- const saved = process.env.BACKEND_MANAGER_KEY;
73
-
74
- try {
75
- delete process.env.BACKEND_MANAGER_KEY;
76
- const result = resolveAuthInfo('any-token');
77
-
78
- assert.equal(result.role, 'user', 'Non-empty token with no config key should be user');
79
- } finally {
80
- process.env.BACKEND_MANAGER_KEY = saved;
81
- }
82
- },
83
- },
84
-
85
- // --- filterToolsByRole ---
86
-
87
- {
88
- name: 'filterToolsByRole: admin sees all roles',
89
- async run({ assert }) {
90
- const { filterToolsByRole } = require('../../src/mcp/utils.js');
91
- const tools = [
92
- { name: 'a', role: 'admin' },
93
- { name: 'b', role: 'user' },
94
- { name: 'c', role: 'public' },
95
- ];
96
- const result = filterToolsByRole(tools, 'admin');
97
-
98
- assert.equal(result.length, 3, 'Admin should see all 3');
99
- },
100
- },
101
-
102
- {
103
- name: 'filterToolsByRole: user sees user + public only',
104
- async run({ assert }) {
105
- const { filterToolsByRole } = require('../../src/mcp/utils.js');
106
- const tools = [
107
- { name: 'a', role: 'admin' },
108
- { name: 'b', role: 'user' },
109
- { name: 'c', role: 'public' },
110
- ];
111
- const result = filterToolsByRole(tools, 'user');
112
-
113
- assert.equal(result.length, 2, 'User should see 2');
114
- assert.ok(result.some((t) => t.name === 'b'), 'Should include user tool');
115
- assert.ok(result.some((t) => t.name === 'c'), 'Should include public tool');
116
- assert.ok(!result.some((t) => t.name === 'a'), 'Should exclude admin tool');
117
- },
118
- },
119
-
120
- {
121
- name: 'filterToolsByRole: public sees public only',
122
- async run({ assert }) {
123
- const { filterToolsByRole } = require('../../src/mcp/utils.js');
124
- const tools = [
125
- { name: 'a', role: 'admin' },
126
- { name: 'b', role: 'user' },
127
- { name: 'c', role: 'public' },
128
- ];
129
- const result = filterToolsByRole(tools, 'public');
130
-
131
- assert.equal(result.length, 1, 'Public should see 1');
132
- assert.equal(result[0].name, 'c', 'Should be the public tool');
133
- },
134
- },
135
-
136
- {
137
- name: 'filterToolsByRole: tools without role default to admin',
138
- async run({ assert }) {
139
- const { filterToolsByRole } = require('../../src/mcp/utils.js');
140
- const tools = [{ name: 'no-role' }];
141
-
142
- assert.equal(filterToolsByRole(tools, 'admin').length, 1, 'Admin should see role-less tool');
143
- assert.equal(filterToolsByRole(tools, 'user').length, 0, 'User should not see role-less tool');
144
- assert.equal(filterToolsByRole(tools, 'public').length, 0, 'Public should not see role-less tool');
145
- },
146
- },
147
-
148
- {
149
- name: 'filterToolsByRole: unknown role treated as public',
150
- async run({ assert }) {
151
- const { filterToolsByRole } = require('../../src/mcp/utils.js');
152
- const tools = [
153
- { name: 'a', role: 'admin' },
154
- { name: 'b', role: 'user' },
155
- { name: 'c', role: 'public' },
156
- ];
157
- const result = filterToolsByRole(tools, 'garbage');
158
-
159
- assert.equal(result.length, 1, 'Unknown role should see public only');
160
- },
161
- },
162
-
163
- // --- loadConsumerTools ---
164
-
165
- {
166
- name: 'loadConsumerTools: returns empty array when no cwd',
167
- async run({ assert }) {
168
- const { loadConsumerTools } = require('../../src/mcp/utils.js');
169
-
170
- assert.equal(loadConsumerTools(null).length, 0, 'null cwd');
171
- assert.equal(loadConsumerTools('').length, 0, 'empty cwd');
172
- assert.equal(loadConsumerTools(undefined).length, 0, 'undefined cwd');
173
- },
174
- },
175
-
176
- {
177
- name: 'loadConsumerTools: returns empty array for non-existent directory',
178
- async run({ assert }) {
179
- const { loadConsumerTools } = require('../../src/mcp/utils.js');
180
- const result = loadConsumerTools('/tmp/does-not-exist-12345');
181
-
182
- assert.equal(result.length, 0, 'Should return empty array');
183
- },
184
- },
185
-
186
- // --- buildToolMap ---
187
-
188
- {
189
- name: 'buildToolMap: consumer tools override built-ins with same name',
190
- async run({ assert }) {
191
- const { buildToolMap } = require('../../src/mcp/utils.js');
192
- const builtin = [{ name: 'tool_a', description: 'original' }];
193
- const consumer = [{ name: 'tool_a', description: 'override', _consumer: true }];
194
-
195
- const map = buildToolMap(builtin, consumer);
196
- assert.equal(map.get('tool_a').description, 'override', 'Consumer should override');
197
- assert.equal(map.get('tool_a')._consumer, true, 'Should be marked as consumer');
198
- },
199
- },
200
-
201
- {
202
- name: 'buildToolMap: merges non-overlapping tools',
203
- async run({ assert }) {
204
- const { buildToolMap } = require('../../src/mcp/utils.js');
205
- const builtin = [{ name: 'a' }, { name: 'b' }];
206
- const consumer = [{ name: 'c' }];
207
-
208
- const map = buildToolMap(builtin, consumer);
209
- assert.equal(map.size, 3, 'Should have 3 tools total');
210
- assert.ok(map.has('a'), 'Should have a');
211
- assert.ok(map.has('b'), 'Should have b');
212
- assert.ok(map.has('c'), 'Should have c');
213
- },
214
- },
215
-
216
- // --- Real tools verification ---
217
-
218
- {
219
- name: 'all 19 built-in tools have a role assigned',
220
- async run({ assert }) {
221
- const tools = require('../../src/mcp/tools.js');
222
-
223
- assert.equal(tools.length, 25, 'Should have 25 tools');
224
-
225
- const missing = tools.filter((t) => !t.role);
226
- assert.equal(missing.length, 0, `All tools should have roles, missing: ${missing.map((t) => t.name).join(', ')}`);
227
- },
228
- },
229
-
230
- {
231
- name: 'role distribution matches expected counts',
232
- async run({ assert }) {
233
- const tools = require('../../src/mcp/tools.js');
234
-
235
- const admin = tools.filter((t) => t.role === 'admin');
236
- const user = tools.filter((t) => t.role === 'user');
237
- const pub = tools.filter((t) => t.role === 'public');
238
-
239
- assert.equal(admin.length, 22, `Should have 22 admin tools, got ${admin.length}`);
240
- assert.equal(user.length, 2, `Should have 2 user tools, got ${user.length}`);
241
- assert.equal(pub.length, 1, `Should have 1 public tool, got ${pub.length}`);
242
- },
243
- },
244
- ],
245
- };