npm - cedar-mcp-server - Versions diffs - 1.0.0 - Mend

cedar-mcp-server 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (215) hide show

package/.editorconfig +12 -0
package/.github/workflows/ci.yml +31 -0
package/.github/workflows/release.yml +42 -0
package/.nvmrc +1 -0
package/CHANGELOG.md +241 -0
package/CONTRIBUTING.md +83 -0
package/LICENSE +182 -0
package/README.md +1635 -0
package/SECURITY.md +37 -0
package/dist/http-server.d.ts +61 -0
package/dist/http-server.d.ts.map +1 -0
package/dist/http-server.js +194 -0
package/dist/http-server.js.map +1 -0
package/dist/index.d.ts +32 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +270 -0
package/dist/index.js.map +1 -0
package/dist/parser/policy-ast.d.ts +49 -0
package/dist/parser/policy-ast.d.ts.map +1 -0
package/dist/parser/policy-ast.js +311 -0
package/dist/parser/policy-ast.js.map +1 -0
package/dist/prompts/index.d.ts +38 -0
package/dist/prompts/index.d.ts.map +1 -0
package/dist/prompts/index.js +172 -0
package/dist/prompts/index.js.map +1 -0
package/dist/resources/ref-resolver.d.ts +23 -0
package/dist/resources/ref-resolver.d.ts.map +1 -0
package/dist/resources/ref-resolver.js +128 -0
package/dist/resources/ref-resolver.js.map +1 -0
package/dist/resources/store-manager.d.ts +64 -0
package/dist/resources/store-manager.d.ts.map +1 -0
package/dist/resources/store-manager.js +221 -0
package/dist/resources/store-manager.js.map +1 -0
package/dist/server.d.ts +18 -0
package/dist/server.d.ts.map +1 -0
package/dist/server.js +539 -0
package/dist/server.js.map +1 -0
package/dist/tools/advise/avp-rules.d.ts +49 -0
package/dist/tools/advise/avp-rules.d.ts.map +1 -0
package/dist/tools/advise/avp-rules.js +59 -0
package/dist/tools/advise/avp-rules.js.map +1 -0
package/dist/tools/advise/cedar-patterns.d.ts +24 -0
package/dist/tools/advise/cedar-patterns.d.ts.map +1 -0
package/dist/tools/advise/cedar-patterns.js +57 -0
package/dist/tools/advise/cedar-patterns.js.map +1 -0
package/dist/tools/advise/context-builder.d.ts +28 -0
package/dist/tools/advise/context-builder.d.ts.map +1 -0
package/dist/tools/advise/context-builder.js +89 -0
package/dist/tools/advise/context-builder.js.map +1 -0
package/dist/tools/advise/gotchas.d.ts +15 -0
package/dist/tools/advise/gotchas.d.ts.map +1 -0
package/dist/tools/advise/gotchas.js +83 -0
package/dist/tools/advise/gotchas.js.map +1 -0
package/dist/tools/advise.d.ts +96 -0
package/dist/tools/advise.d.ts.map +1 -0
package/dist/tools/advise.js +258 -0
package/dist/tools/advise.js.map +1 -0
package/dist/tools/authorize-batch.d.ts +35 -0
package/dist/tools/authorize-batch.d.ts.map +1 -0
package/dist/tools/authorize-batch.js +262 -0
package/dist/tools/authorize-batch.js.map +1 -0
package/dist/tools/authorize.d.ts +115 -0
package/dist/tools/authorize.d.ts.map +1 -0
package/dist/tools/authorize.js +373 -0
package/dist/tools/authorize.js.map +1 -0
package/dist/tools/check-change.d.ts +19 -0
package/dist/tools/check-change.d.ts.map +1 -0
package/dist/tools/check-change.js +91 -0
package/dist/tools/check-change.js.map +1 -0
package/dist/tools/diff-schema.d.ts +103 -0
package/dist/tools/diff-schema.d.ts.map +1 -0
package/dist/tools/diff-schema.js +379 -0
package/dist/tools/diff-schema.js.map +1 -0
package/dist/tools/diff-stores.d.ts +45 -0
package/dist/tools/diff-stores.d.ts.map +1 -0
package/dist/tools/diff-stores.js +222 -0
package/dist/tools/diff-stores.js.map +1 -0
package/dist/tools/explain.d.ts +80 -0
package/dist/tools/explain.d.ts.map +1 -0
package/dist/tools/explain.js +187 -0
package/dist/tools/explain.js.map +1 -0
package/dist/tools/format.d.ts +11 -0
package/dist/tools/format.d.ts.map +1 -0
package/dist/tools/format.js +20 -0
package/dist/tools/format.js.map +1 -0
package/dist/tools/generate-sample.d.ts +28 -0
package/dist/tools/generate-sample.d.ts.map +1 -0
package/dist/tools/generate-sample.js +568 -0
package/dist/tools/generate-sample.js.map +1 -0
package/dist/tools/link-template.d.ts +17 -0
package/dist/tools/link-template.d.ts.map +1 -0
package/dist/tools/link-template.js +78 -0
package/dist/tools/link-template.js.map +1 -0
package/dist/tools/list-template-links.d.ts +16 -0
package/dist/tools/list-template-links.d.ts.map +1 -0
package/dist/tools/list-template-links.js +22 -0
package/dist/tools/list-template-links.js.map +1 -0
package/dist/tools/list-templates.d.ts +16 -0
package/dist/tools/list-templates.d.ts.map +1 -0
package/dist/tools/list-templates.js +36 -0
package/dist/tools/list-templates.js.map +1 -0
package/dist/tools/translate.d.ts +11 -0
package/dist/tools/translate.d.ts.map +1 -0
package/dist/tools/translate.js +53 -0
package/dist/tools/translate.js.map +1 -0
package/dist/tools/validate-entities.d.ts +19 -0
package/dist/tools/validate-entities.d.ts.map +1 -0
package/dist/tools/validate-entities.js +88 -0
package/dist/tools/validate-entities.js.map +1 -0
package/dist/tools/validate-schema.d.ts +22 -0
package/dist/tools/validate-schema.d.ts.map +1 -0
package/dist/tools/validate-schema.js +89 -0
package/dist/tools/validate-schema.js.map +1 -0
package/dist/tools/validate-template.d.ts +18 -0
package/dist/tools/validate-template.d.ts.map +1 -0
package/dist/tools/validate-template.js +59 -0
package/dist/tools/validate-template.js.map +1 -0
package/dist/tools/validate.d.ts +90 -0
package/dist/tools/validate.d.ts.map +1 -0
package/dist/tools/validate.js +351 -0
package/dist/tools/validate.js.map +1 -0
package/dist/utils/format-detector.d.ts +49 -0
package/dist/utils/format-detector.d.ts.map +1 -0
package/dist/utils/format-detector.js +298 -0
package/dist/utils/format-detector.js.map +1 -0
package/examples/README.md +36 -0
package/examples/abac-multi-tenant/README.md +150 -0
package/examples/abac-multi-tenant/entities/users-and-docs.json +33 -0
package/examples/abac-multi-tenant/policies/member-read-internal.cedar +9 -0
package/examples/abac-multi-tenant/policies/owner-full-access.cedar +9 -0
package/examples/abac-multi-tenant/policies/premium-share-guard.cedar +9 -0
package/examples/abac-multi-tenant/policies/private-doc-guard.cedar +13 -0
package/examples/abac-multi-tenant/run.ts +92 -0
package/examples/abac-multi-tenant/schema.json +60 -0
package/examples/api-gateway-path-routing/README.md +154 -0
package/examples/api-gateway-path-routing/entities/users-and-roles.json +20 -0
package/examples/api-gateway-path-routing/policies/admin-full-access.cedar +6 -0
package/examples/api-gateway-path-routing/policies/developer-projects.cedar +14 -0
package/examples/api-gateway-path-routing/policies/viewer-readonly.cedar +10 -0
package/examples/api-gateway-path-routing/run.ts +108 -0
package/examples/api-gateway-path-routing/schema.json +54 -0
package/examples/rbac-document-management/README.md +167 -0
package/examples/rbac-document-management/entities/users-and-docs.json +43 -0
package/examples/rbac-document-management/policies/admin.cedar +6 -0
package/examples/rbac-document-management/policies/editor.cedar +6 -0
package/examples/rbac-document-management/policies/top-secret-forbid.cedar +13 -0
package/examples/rbac-document-management/policies/viewer.cedar +6 -0
package/examples/rbac-document-management/run.ts +87 -0
package/examples/rbac-document-management/schema.json +57 -0
package/package.json +50 -0
package/src/http-server.ts +239 -0
package/src/index.ts +294 -0
package/src/parser/policy-ast.ts +345 -0
package/src/prompts/README.md +3 -0
package/src/prompts/index.ts +217 -0
package/src/resources/ref-resolver.ts +134 -0
package/src/resources/store-manager.ts +248 -0
package/src/server.ts +711 -0
package/src/tools/advise/avp-rules.ts +70 -0
package/src/tools/advise/cedar-patterns.ts +73 -0
package/src/tools/advise/context-builder.ts +109 -0
package/src/tools/advise/gotchas.ts +92 -0
package/src/tools/advise.ts +366 -0
package/src/tools/authorize-batch.ts +345 -0
package/src/tools/authorize.ts +464 -0
package/src/tools/check-change.ts +119 -0
package/src/tools/diff-schema.ts +510 -0
package/src/tools/diff-stores.ts +298 -0
package/src/tools/explain.ts +278 -0
package/src/tools/format.ts +33 -0
package/src/tools/generate-sample.ts +665 -0
package/src/tools/link-template.ts +109 -0
package/src/tools/list-template-links.ts +41 -0
package/src/tools/list-templates.ts +55 -0
package/src/tools/translate.ts +66 -0
package/src/tools/validate-entities.ts +125 -0
package/src/tools/validate-schema.ts +128 -0
package/src/tools/validate-template.ts +72 -0
package/src/tools/validate.ts +459 -0
package/src/utils/format-detector.ts +356 -0
package/test/fixtures/docmgmt.ts +121 -0
package/test/fixtures/multitenant.ts +163 -0
package/test/index.test.ts +96 -0
package/test/integration/e2e/behavior.test.ts +359 -0
package/test/integration/e2e/edge-cases.test.ts +365 -0
package/test/integration/e2e/failure-modes.test.ts +266 -0
package/test/integration/e2e/protocol.test.ts +252 -0
package/test/integration/http-smoke.test.ts +588 -0
package/test/integration/smoke.test.ts +475 -0
package/test/prompts/prompts.test.ts +173 -0
package/test/property/properties.test.ts +234 -0
package/test/resources/ref-resolver.test.ts +186 -0
package/test/resources/store-manager.test.ts +344 -0
package/test/setup.test.ts +7 -0
package/test/tools/advise/avp-rules.test.ts +76 -0
package/test/tools/advise.test.ts +339 -0
package/test/tools/authorize-batch.test.ts +459 -0
package/test/tools/authorize.test.ts +682 -0
package/test/tools/check-change.test.ts +104 -0
package/test/tools/cross-fixture.test.ts +170 -0
package/test/tools/diff-schema.test.ts +355 -0
package/test/tools/diff-stores.test.ts +291 -0
package/test/tools/explain.test.ts +221 -0
package/test/tools/format.test.ts +33 -0
package/test/tools/generate-sample.test.ts +480 -0
package/test/tools/link-template.test.ts +90 -0
package/test/tools/list-templates.test.ts +151 -0
package/test/tools/translate.test.ts +89 -0
package/test/tools/validate-entities.test.ts +178 -0
package/test/tools/validate-schema.test.ts +86 -0
package/test/tools/validate-template.test.ts +89 -0
package/test/tools/validate.test.ts +331 -0
package/test/utils/format-detector.test.ts +518 -0
package/tsconfig.json +17 -0
package/vitest.config.ts +13 -0

package/test/tools/advise.test.ts ADDED Viewed

@@ -0,0 +1,339 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { handleAdvise } from "../../src/tools/advise.js";
+import { StoreManager } from "../../src/resources/store-manager.js";
+// ─── Fixture data (Dataset 1: DocMgmt, NDA-safe) ──────────────────────────────
+const SCHEMA_CEDARSCHEMA = `namespace DocMgmt {
+  entity User in [Role] = { name: String, email: String };
+  entity Role;
+  entity Document = { classification: String, business_unit: String };
+  action READ appliesTo { principal: [User], resource: [Document], context: {} };
+  action WRITE appliesTo { principal: [User], resource: [Document], context: {} };
+}`;
+const SCHEMA_JSON = JSON.stringify({
+  DocMgmt: {
+    entityTypes: {
+      User: { memberOfTypes: ["Role"], shape: { type: "Record", attributes: { name: { type: "String", required: true } } } },
+      Role: { shape: { type: "Record", attributes: {} }, memberOfTypes: [] },
+      Document: { shape: { type: "Record", attributes: { classification: { type: "String", required: true } } } },
+    },
+    actions: {
+      READ: { appliesTo: { principalTypes: ["User"], resourceTypes: ["Document"], context: { type: "Record", attributes: {} } } },
+      WRITE: { appliesTo: { principalTypes: ["User"], resourceTypes: ["Document"], context: { type: "Record", attributes: {} } } },
+    },
+  },
+});
+const ADMIN_POLICY = `permit(principal in DocMgmt::Role::"admin", action, resource);`;
+const EDITOR_POLICY = `permit(principal in DocMgmt::Role::"editor", action == DocMgmt::Action::"READ", resource);`;
+const REBAC_POLICY = `permit(principal is DocMgmt::User, action == DocMgmt::Action::"READ", resource is DocMgmt::Document) when { principal in resource.owners };`;
+function makeStore(baseDir: string, name: string, policies: Record<string, string>, schema = SCHEMA_CEDARSCHEMA, schemaFile = "schema.cedarschema"): string {
+  const path = join(baseDir, name);
+  mkdirSync(join(path, "policies"), { recursive: true });
+  for (const [id, content] of Object.entries(policies)) {
+    writeFileSync(join(path, "policies", `${id}.cedar`), content);
+  }
+  writeFileSync(join(path, schemaFile), schema);
+  return path;
+}
+// ─── Tests ────────────────────────────────────────────────────────────────────
+describe("cedar_advise — context preparator (v2, no sampling)", () => {
+  let tmpDir: string;
+  let manager: StoreManager;
+  beforeEach(() => {
+    tmpDir = join(tmpdir(), `cedar-advise-test-${Date.now()}-${Math.random().toString(36).slice(2)}`);
+    mkdirSync(tmpDir, { recursive: true });
+    manager = new StoreManager();
+  });
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+  // ─── Pivot guarantees: no sampler, deterministic, synchronous-shaped ────────
+  it("B1 — handleAdvise is a pure function: no sampler argument, no async LLM call", () => {
+    // The signature accepts (input, manager?) — no sampler. Calling it returns a value
+    // synchronously without awaiting any client LLM round-trip.
+    const result = handleAdvise({ intent: "test" });
+    expect(result).toBeDefined();
+    expect(result.tool).toBe("cedar_advise");
+    expect(result.bundle_version).toBe("v2");
+  });
+  it("B2 — deterministic: two calls with identical inputs return identical bundles", () => {
+    const a = handleAdvise({ intent: "Restrict read to verified email users" });
+    const b = handleAdvise({ intent: "Restrict read to verified email users" });
+    expect(a).toEqual(b);
+  });
+  // ─── Bundle universal payload (independent of store_ref) ────────────────────
+  it("B3 — bundle echoes intent verbatim", () => {
+    const intent = "Only admins should delete top-secret documents";
+    const result = handleAdvise({ intent });
+    expect(result.intent).toBe(intent);
+  });
+  it("B4 — bundle includes Cedar patterns reference with all four patterns", () => {
+    const result = handleAdvise({ intent: "anything" });
+    const names = result.cedar_patterns_reference.patterns.map(p => p.name);
+    expect(names).toEqual(expect.arrayContaining([
+      expect.stringMatching(/Membership/),
+      expect.stringMatching(/Relationship/),
+      expect.stringMatching(/Discretionary/),
+      expect.stringMatching(/Hybrid/),
+    ]));
+    expect(result.cedar_patterns_reference.summary).toContain("MEMBERSHIP");
+  });
+  it("B5 — bundle includes AVP UpdatePolicy rules with three buckets", () => {
+    const result = handleAdvise({ intent: "anything" });
+    expect(result.avp_update_policy_rules.in_place_via_update_policy.length).toBeGreaterThan(0);
+    expect(result.avp_update_policy_rules.requires_delete_recreate.length).toBeGreaterThan(0);
+    expect(result.avp_update_policy_rules.new_via_create_policy.length).toBeGreaterThan(0);
+    expect(result.avp_update_policy_rules.summary).toContain("UpdatePolicy");
+  });
+  it("B6 — bundle includes AVP validation error catalog", () => {
+    const result = handleAdvise({ intent: "anything" });
+    const ids = result.avp_validation_error_catalog.map(e => e.id);
+    expect(ids).toContain("UnsafeOptionalAttributeAccess");
+    expect(ids).toContain("UnrecognizedEntityType");
+    expect(ids).toContain("MissingAttribute");
+  });
+  it("B7 — bundle includes sequencing_guidance with schema-before-policy rule", () => {
+    const result = handleAdvise({ intent: "anything" });
+    expect(result.sequencing_guidance.length).toBeGreaterThan(0);
+    const joined = result.sequencing_guidance.join(" ");
+    expect(joined).toMatch(/schema.*before.*polic/i);
+  });
+  it("B8 — bundle includes next_steps_for_llm directing follow-up tool calls", () => {
+    const result = handleAdvise({ intent: "anything" });
+    expect(result.next_steps_for_llm).toContain("cedar_validate");
+    expect(result.next_steps_for_llm).toContain("cedar_check_policy_change");
+  });
+  // ─── Gotcha selection from intent keywords ───────────────────────────────────
+  it("B9 — selects optional_attribute_guard gotcha for verified-email intent", () => {
+    const result = handleAdvise({
+      intent: "Require verified email attribute before granting read access",
+    });
+    const ids = result.applicable_gotchas.map(g => g.id);
+    expect(ids).toContain("optional_attribute_guard");
+  });
+  it("B10 — selects forbid_overrides_permit gotcha for block/deny intent", () => {
+    const result = handleAdvise({
+      intent: "Block all access to sensitive top-secret documents except admins",
+    });
+    const ids = result.applicable_gotchas.map(g => g.id);
+    expect(ids).toContain("forbid_overrides_permit");
+  });
+  it("B11 — selects rebac_migration_data gotcha for relationship/owners intent", () => {
+    const result = handleAdvise({
+      intent: "Migrate to per-resource owner-based access (owners attribute on Document)",
+    });
+    const ids = result.applicable_gotchas.map(g => g.id);
+    expect(ids).toContain("rebac_migration_data");
+  });
+  it("B12 — no gotcha keywords matched: applicable_gotchas is empty but bundle still valid", () => {
+    const result = handleAdvise({ intent: "xyzzy plugh frobnitz" });
+    expect(result.applicable_gotchas).toEqual([]);
+    // Universal sections still populated
+    expect(result.cedar_patterns_reference.patterns.length).toBeGreaterThan(0);
+    expect(result.avp_update_policy_rules.in_place_via_update_policy.length).toBeGreaterThan(0);
+  });
+  // ─── Store context handling ─────────────────────────────────────────────────
+  it("B13 — store_ref omitted: store_status='not_provided', no schema, empty inventory", () => {
+    const result = handleAdvise({ intent: "anything" });
+    expect(result.store_status).toBe("not_provided");
+    expect(result.store_name).toBeUndefined();
+    expect(result.schema_summary).toBeUndefined();
+    expect(result.policy_inventory).toEqual([]);
+    expect(result.patterns_detected_in_store).toEqual([]);
+  });
+  it("B14 — store_ref unknown: store_status='not_found', store_name preserved", () => {
+    const result = handleAdvise({ intent: "anything", store_ref: "nonexistent" }, manager);
+    expect(result.store_status).toBe("not_found");
+    expect(result.store_name).toBe("nonexistent");
+    expect(result.schema_summary).toBeUndefined();
+    expect(result.policy_inventory).toEqual([]);
+  });
+  it("B15 — store_ref loaded: bundle includes schema_summary, inventory, pattern counts", () => {
+    const storePath = makeStore(tmpDir, "mystore", { admin: ADMIN_POLICY, editor: EDITOR_POLICY });
+    manager.loadFromRoots([{ uri: `file://${storePath}`, name: "mystore" }]);
+    const result = handleAdvise({ intent: "Add ABAC condition", store_ref: "mystore" }, manager);
+    expect(result.store_status).toBe("loaded");
+    expect(result.store_name).toBe("mystore");
+    expect(result.schema_summary?.valid).toBe(true);
+    expect(result.schema_summary?.format).toBe("cedarschema");
+    expect(result.schema_summary?.namespaces).toContain("DocMgmt");
+    expect(result.policy_inventory).toHaveLength(2);
+    expect(result.policy_inventory.map(p => p.policy_id).sort()).toEqual(["admin", "editor"]);
+    // Both admin and editor use principal-in-Role → Membership pattern
+    const membershipCount = result.patterns_detected_in_store.find(p => p.pattern === "membership")?.count;
+    expect(membershipCount).toBe(2);
+  });
+  it("B16 — store_ref accepts cedar:// URI form", () => {
+    const storePath = makeStore(tmpDir, "production", { admin: ADMIN_POLICY });
+    manager.loadFromRoots([{ uri: `file://${storePath}`, name: "production" }]);
+    const result = handleAdvise(
+      { intent: "Update policy", store_ref: "cedar://policies/production" },
+      manager
+    );
+    expect(result.store_status).toBe("loaded");
+    expect(result.store_name).toBe("production");
+  });
+  it("B17 — policy_inventory entries include full Cedar text so the LLM can quote exact scope", () => {
+    const storePath = makeStore(tmpDir, "withtext", { admin: ADMIN_POLICY, editor: EDITOR_POLICY });
+    manager.loadFromRoots([{ uri: `file://${storePath}`, name: "withtext" }]);
+    const result = handleAdvise({ intent: "Modify editor permissions", store_ref: "withtext" }, manager);
+    const editor = result.policy_inventory.find(p => p.policy_id === "editor");
+    expect(editor).toBeDefined();
+    expect(editor!.policy_text).toContain('Role::"editor"');
+    expect(editor!.policy_text).toContain('Action::"READ"');
+  });
+  it("B18 — ReBAC policy classified as relationship pattern in patterns_detected_in_store", () => {
+    const storePath = makeStore(tmpDir, "rebac", { owner: REBAC_POLICY });
+    manager.loadFromRoots([{ uri: `file://${storePath}`, name: "rebac" }]);
+    const result = handleAdvise({ intent: "Audit ReBAC policies", store_ref: "rebac" }, manager);
+    const relationshipCount = result.patterns_detected_in_store.find(p => p.pattern === "relationship")?.count;
+    expect(relationshipCount).toBe(1);
+  });
+  it("B19 — JSON-format schema parsed and summarized correctly", () => {
+    const storePath = makeStore(tmpDir, "jsonstore", { admin: ADMIN_POLICY }, SCHEMA_JSON, "schema.json");
+    manager.loadFromRoots([{ uri: `file://${storePath}`, name: "jsonstore" }]);
+    const result = handleAdvise({ intent: "anything", store_ref: "jsonstore" }, manager);
+    expect(result.schema_summary?.valid).toBe(true);
+    expect(result.schema_summary?.format).toBe("json");
+    expect(result.schema_summary?.namespaces).toEqual(["DocMgmt"]);
+    expect(result.schema_summary?.entity_type_count).toBe(3);
+    expect(result.schema_summary?.action_count).toBe(2);
+  });
+  // ─── MCP tool description contract (for the bypass-prevention case) ─────────
+  it("B20 — bundle is self-describing: tool name + version + intent recorded for downstream auditing", () => {
+    const result = handleAdvise({ intent: "Add a deletion permission" });
+    expect(result.tool).toBe("cedar_advise");
+    expect(result.bundle_version).toBe("v2");
+    expect(result.intent).toBe("Add a deletion permission");
+  });
+  // ─── 11b: store auto-resolve + discoverability ─────────────────────────────
+  it("B21 — no store_ref + zero stores loaded: store_status='not_provided', no available_stores", () => {
+    const result = handleAdvise({ intent: "anything" }, manager);
+    expect(result.store_status).toBe("not_provided");
+    expect(result.store_name).toBeUndefined();
+    expect(result.available_stores).toBeUndefined();
+    expect(result.auto_discovered).toBeUndefined();
+  });
+  it("B22 — no store_ref + exactly one store loaded: auto-resolves to that store, store_status='loaded', auto_discovered.store_from='single_loaded_store'", () => {
+    const storePath = makeStore(tmpDir, "onlystore", { admin: ADMIN_POLICY });
+    manager.loadFromRoots([{ uri: `file://${storePath}`, name: "onlystore" }]);
+    const result = handleAdvise({ intent: "Plan a change" }, manager);
+    expect(result.store_status).toBe("loaded");
+    expect(result.store_name).toBe("onlystore");
+    expect(result.auto_discovered).toEqual({ store_from: "single_loaded_store" });
+    expect(result.schema_summary?.valid).toBe(true);
+    expect(result.policy_inventory).toHaveLength(1);
+    // available_stores is irrelevant on a clean resolution; should be omitted to keep the payload small
+    expect(result.available_stores).toBeUndefined();
+  });
+  it("B23 — no store_ref + multiple stores loaded: store_status='ambiguous', available_stores lists candidates, no schema_summary", () => {
+    const blue = makeStore(tmpDir, "blue", { admin: ADMIN_POLICY });
+    const green = makeStore(tmpDir, "green", { admin: ADMIN_POLICY });
+    manager.loadFromRoots([
+      { uri: `file://${blue}`, name: "blue" },
+      { uri: `file://${green}`, name: "green" },
+    ]);
+    const result = handleAdvise({ intent: "Plan a change" }, manager);
+    expect(result.store_status).toBe("ambiguous");
+    expect(result.store_name).toBeUndefined();
+    expect(result.available_stores).toEqual(expect.arrayContaining(["blue", "green"]));
+    expect(result.available_stores).toHaveLength(2);
+    expect(result.schema_summary).toBeUndefined();
+    expect(result.policy_inventory).toEqual([]);
+    expect(result.auto_discovered).toBeUndefined();
+  });
+  it("B24 — store_ref provided but not found + other stores loaded: store_status='not_found', available_stores hints recovery", () => {
+    const storePath = makeStore(tmpDir, "production", { admin: ADMIN_POLICY });
+    manager.loadFromRoots([{ uri: `file://${storePath}`, name: "production" }]);
+    const result = handleAdvise({ intent: "anything", store_ref: "stagign" }, manager);
+    expect(result.store_status).toBe("not_found");
+    expect(result.store_name).toBe("stagign");
+    expect(result.available_stores).toEqual(["production"]);
+    expect(result.schema_summary).toBeUndefined();
+    expect(result.policy_inventory).toEqual([]);
+    expect(result.auto_discovered).toBeUndefined();
+  });
+  it("B25 — 11d audit finding: schemaless single-store auto-resolve degrades to 'not_provided', not self-referential 'not_found'", () => {
+    // A workspace with `policies/` but no schema file triggers cwd-fallback in
+    // index.ts (looksLikeCedarWorkspace passes on policies/ alone) and lands as
+    // a single loaded store. buildStoreContext returns null because readSchema
+    // throws. The pre-fix branch surfaced this as `not_found` with
+    // store_name === available_stores[0], creating a self-referential response
+    // that the next_steps_for_llm "re-invoke with corrected name" advice would
+    // loop on. After the fix the response degrades to `not_provided`: the LLM
+    // gets the universal Cedar / AVP context and treats this as a store-less
+    // call, no loop.
+    const path = join(tmpDir, "schemaless");
+    mkdirSync(join(path, "policies"), { recursive: true });
+    writeFileSync(join(path, "policies", "admin.cedar"), ADMIN_POLICY);
+    // Deliberately NO schema.cedarschema / schema.json
+    manager.loadFromRoots([{ uri: `file://${path}`, name: "schemaless" }]);
+    const result = handleAdvise({ intent: "plan a change" }, manager);
+    expect(result.store_status).toBe("not_provided");
+    expect(result.store_name).toBeUndefined();
+    expect(result.available_stores).toBeUndefined();
+    expect(result.auto_discovered).toBeUndefined();
+    // Universal context still present.
+    expect(result.cedar_patterns_reference.patterns.length).toBeGreaterThan(0);
+  });
+});