cedar-mcp-server 1.0.0

package/test/tools/list-templates.test.ts

@@ -0,0 +1,151 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { mkdirSync, writeFileSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { handleListTemplates } from "../../src/tools/list-templates.js";
+import { handleListTemplateLinks } from "../../src/tools/list-template-links.js";
+import { StoreManager } from "../../src/resources/store-manager.js";
+
+const TEMPLATE_A = `permit(principal == ?principal, action == App::Action::"read", resource == ?resource);`;
+const TEMPLATE_B = `permit(principal, action == App::Action::"write", resource == ?resource);`;
+
+function makeStore(baseDir: string, opts: {
+  templates?: Record<string, string>;
+  links?: Record<string, object>;
+} = {}): { manager: StoreManager; storePath: string } {
+  const storePath = join(baseDir, "mystore");
+  mkdirSync(join(storePath, "policies"), { recursive: true });
+  writeFileSync(join(storePath, "schema.cedarschema"), "namespace App {}");
+
+  if (opts.templates) {
+    mkdirSync(join(storePath, "templates"), { recursive: true });
+    for (const [id, content] of Object.entries(opts.templates)) {
+      writeFileSync(join(storePath, "templates", `${id}.cedar`), content);
+    }
+  }
+
+  if (opts.links) {
+    mkdirSync(join(storePath, "template-links"), { recursive: true });
+    for (const [id, data] of Object.entries(opts.links)) {
+      writeFileSync(join(storePath, "template-links", `${id}.json`), JSON.stringify(data));
+    }
+  }
+
+  const manager = new StoreManager();
+  manager.loadFromRoots([{ uri: `file://${storePath}`, name: "mystore" }]);
+  return { manager, storePath };
+}
+
+describe("cedar_list_templates", () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = join(tmpdir(), `cedar-list-tmpl-${Date.now()}`);
+    mkdirSync(tmpDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it("LST1 — lists all templates in store with id and slot info", async () => {
+    const { manager } = makeStore(tmpDir, {
+      templates: { "viewer-access": TEMPLATE_A, "writer-access": TEMPLATE_B },
+    });
+
+    const result = await handleListTemplates({ store: "mystore" }, manager);
+
+    expect(result.error).toBeUndefined();
+    expect(result.store).toBe("mystore");
+    expect(result.templates).toHaveLength(2);
+    const ids = result.templates.map(t => t.id);
+    expect(ids).toContain("viewer-access");
+    expect(ids).toContain("writer-access");
+    const viewerTmpl = result.templates.find(t => t.id === "viewer-access")!;
+    expect(viewerTmpl.slots).toContain("?principal");
+    expect(viewerTmpl.slots).toContain("?resource");
+    const writerTmpl = result.templates.find(t => t.id === "writer-access")!;
+    expect(writerTmpl.slots).toContain("?resource");
+    expect(writerTmpl.slots).not.toContain("?principal");
+  });
+
+  it("LST2 — returns empty list when no templates directory", async () => {
+    const { manager } = makeStore(tmpDir);
+
+    const result = await handleListTemplates({ store: "mystore" }, manager);
+
+    expect(result.error).toBeUndefined();
+    expect(result.templates).toHaveLength(0);
+  });
+
+  it("LST3 — returns error for unknown store", async () => {
+    const { manager } = makeStore(tmpDir);
+
+    const result = await handleListTemplates({ store: "nonexistent" }, manager);
+
+    expect(result.error).toBeDefined();
+  });
+});
+
+describe("cedar_list_template_links", () => {
+  let tmpDir: string;
+
+  beforeEach(() => {
+    tmpDir = join(tmpdir(), `cedar-list-links-${Date.now()}`);
+    mkdirSync(tmpDir, { recursive: true });
+  });
+
+  afterEach(() => {
+    rmSync(tmpDir, { recursive: true, force: true });
+  });
+
+  it("LSTL1 — lists template links with template_id and slot_values", async () => {
+    const { manager } = makeStore(tmpDir, {
+      links: {
+        "alice-doc42": { template_id: "viewer-access", slot_values: { "?principal": 'App::User::"alice"', "?resource": 'App::Document::"doc-42"' } },
+        "bob-doc99": { template_id: "viewer-access", slot_values: { "?principal": 'App::User::"bob"', "?resource": 'App::Document::"doc-99"' } },
+      },
+    });
+
+    const result = await handleListTemplateLinks({ store: "mystore" }, manager);
+
+    expect(result.error).toBeUndefined();
+    expect(result.store).toBe("mystore");
+    expect(result.links).toHaveLength(2);
+    const alice = result.links.find(l => l.id === "alice-doc42")!;
+    expect(alice.template_id).toBe("viewer-access");
+    expect(alice.slot_values["?principal"]).toBe('App::User::"alice"');
+  });
+
+  it("LSTL2 — returns empty list when no template-links directory", async () => {
+    const { manager } = makeStore(tmpDir);
+
+    const result = await handleListTemplateLinks({ store: "mystore" }, manager);
+
+    expect(result.error).toBeUndefined();
+    expect(result.links).toHaveLength(0);
+  });
+
+  it("LSTL3 — returns error for unknown store", async () => {
+    const { manager } = makeStore(tmpDir);
+
+    const result = await handleListTemplateLinks({ store: "nonexistent" }, manager);
+
+    expect(result.error).toBeDefined();
+  });
+
+  it("LSTL4 — malformed link JSON surfaces as structured error not unhandled throw", async () => {
+    const { manager, storePath } = makeStore(tmpDir, {
+      links: { "good-link": { template_id: "t", slot_values: {} } },
+    });
+    // Overwrite with malformed JSON after store is loaded
+    writeFileSync(join(storePath, "template-links", "bad-link.json"), "{{{not json");
+
+    // Reload to pick up the new file
+    manager.loadFromRoots([{ uri: `file://${storePath}`, name: "mystore" }]);
+    const result = await handleListTemplateLinks({ store: "mystore" }, manager);
+
+    expect(result.error).toBeDefined();
+    expect(result.error).toMatch(/bad-link/);
+  });
+});

package/test/tools/translate.test.ts

@@ -0,0 +1,89 @@
+import { describe, it, expect } from "vitest";
+import { handleTranslate } from "../../src/tools/translate.js";
+import { SCHEMA_JSON } from "../fixtures/docmgmt.js";
+
+const SINGLE_POLICY = `permit (
+  principal in DocMgmt::Role::"admin",
+  action,
+  resource
+);`;
+
+describe("cedar_translate", () => {
+  describe("policy translation", () => {
+    it("translates Cedar policy text to JSON", async () => {
+      const result = await handleTranslate({
+        input: SINGLE_POLICY,
+        type: "policy",
+        direction: "to_json",
+      });
+
+      expect(result.error).toBeNull();
+      const json = JSON.parse(result.output!);
+      expect(json.effect).toBe("permit");
+      expect(json.principal.op).toBe("in");
+    });
+
+    it("translates policy JSON back to Cedar text", async () => {
+      const policyJson = {
+        effect: "permit",
+        principal: { op: "in", entity: { type: "DocMgmt::Role", id: "admin" } },
+        action: { op: "All" },
+        resource: { op: "All" },
+        conditions: [],
+      };
+
+      const result = await handleTranslate({
+        input: JSON.stringify(policyJson),
+        type: "policy",
+        direction: "to_cedar",
+      });
+
+      expect(result.error).toBeNull();
+      expect(result.output).toContain("permit");
+      expect(result.output).toContain('DocMgmt::Role::"admin"');
+    });
+  });
+
+  describe("schema translation", () => {
+    it("translates Cedar schema JSON to Cedar text", async () => {
+      const result = await handleTranslate({
+        input: JSON.stringify(SCHEMA_JSON),
+        type: "schema",
+        direction: "to_cedar",
+      });
+
+      expect(result.error).toBeNull();
+      expect(result.output).toContain("namespace DocMgmt");
+      expect(result.output).toContain("entity User");
+    });
+
+    it("translates Cedar schema text to JSON", async () => {
+      const cedarSchema = `namespace DocMgmt {
+        entity User in [Role] = { name: String, email: String };
+        entity Role;
+        action read appliesTo { principal: [User], resource: [User], context: {} };
+      }`;
+
+      const result = await handleTranslate({
+        input: cedarSchema,
+        type: "schema",
+        direction: "to_json",
+      });
+
+      expect(result.error).toBeNull();
+      const json = JSON.parse(result.output!);
+      expect(json.DocMgmt).toBeDefined();
+    });
+
+    it("returns error for invalid input", async () => {
+      const result = await handleTranslate({
+        input: "this is not a policy",
+        type: "policy",
+        direction: "to_json",
+      });
+
+      expect(result.error).not.toBeNull();
+      expect(result.output).toBeNull();
+    });
+  });
+});

package/test/tools/validate-entities.test.ts

@@ -0,0 +1,178 @@
+import { describe, it, expect } from "vitest";
+import { handleValidateEntities } from "../../src/tools/validate-entities.js";
+import { SCHEMA_JSON, ENTITIES } from "../fixtures/docmgmt.js";
+
+const SCHEMA_STR = JSON.stringify(SCHEMA_JSON);
+
+describe("cedar_validate_entities", () => {
+  it("VE1: valid entities + schema → valid:true, no errors", async () => {
+    const result = await handleValidateEntities({
+      entities: JSON.stringify(ENTITIES),
+      schema: SCHEMA_STR,
+    });
+
+    expect(result.valid).toBe(true);
+    expect(result.errors).toHaveLength(0);
+    expect(result.entity_count).toBe(ENTITIES.length);
+  });
+
+  it("VE2: entity of unknown type → unknown_type error with entity_uid", async () => {
+    const bad = [
+      { uid: { type: "DocMgmt::Unicorn", id: "rainbow" }, attrs: {}, parents: [] },
+    ];
+
+    const result = await handleValidateEntities({
+      entities: JSON.stringify(bad),
+      schema: SCHEMA_STR,
+    });
+
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(0);
+    const e = result.errors[0];
+    expect(e.error_kind).toBe("unknown_type");
+    expect(e.entity_uid).toContain("DocMgmt::Unicorn");
+    expect(e.entity_uid).toContain("rainbow");
+  });
+
+  it("VE3: missing required attribute → missing_required_attribute error", async () => {
+    const bad = [
+      { uid: { type: "DocMgmt::User", id: "alice" }, attrs: { name: "Alice" }, parents: [] },
+    ];
+
+    const result = await handleValidateEntities({
+      entities: JSON.stringify(bad),
+      schema: SCHEMA_STR,
+    });
+
+    expect(result.valid).toBe(false);
+    const e = result.errors[0];
+    expect(e.error_kind).toBe("missing_required_attribute");
+    expect(e.attribute).toBe("email");
+    expect(e.entity_uid).toContain("alice");
+  });
+
+  it("VE4: wrong attribute type → type_mismatch error", async () => {
+    const bad = [
+      {
+        uid: { type: "DocMgmt::User", id: "alice" },
+        attrs: { name: 42, email: "alice@example.com" },
+        parents: [],
+      },
+    ];
+
+    const result = await handleValidateEntities({
+      entities: JSON.stringify(bad),
+      schema: SCHEMA_STR,
+    });
+
+    expect(result.valid).toBe(false);
+    const e = result.errors[0];
+    expect(e.error_kind).toBe("type_mismatch");
+    expect(e.attribute).toBe("name");
+    expect(e.entity_uid).toContain("alice");
+  });
+
+  it("VE5: unknown attribute → unknown_attribute error", async () => {
+    const bad = [
+      {
+        uid: { type: "DocMgmt::User", id: "alice" },
+        attrs: { name: "Alice", email: "a@b.c", bogus: "x" },
+        parents: [],
+      },
+    ];
+
+    const result = await handleValidateEntities({
+      entities: JSON.stringify(bad),
+      schema: SCHEMA_STR,
+    });
+
+    expect(result.valid).toBe(false);
+    const e = result.errors[0];
+    expect(e.error_kind).toBe("unknown_attribute");
+    expect(e.attribute).toBe("bogus");
+  });
+
+  it("VE6: entity with parent of unknown/disallowed type → disallowed_parent_type error", async () => {
+    const bad = [
+      {
+        uid: { type: "DocMgmt::User", id: "alice" },
+        attrs: { name: "Alice", email: "a@b.c" },
+        parents: [{ type: "DocMgmt::Unicorn", id: "rainbow" }],
+      },
+    ];
+
+    const result = await handleValidateEntities({
+      entities: JSON.stringify(bad),
+      schema: SCHEMA_STR,
+    });
+
+    expect(result.valid).toBe(false);
+    const e = result.errors[0];
+    expect(e.error_kind).toBe("disallowed_parent_type");
+    expect(e.entity_uid).toContain("alice");
+  });
+
+  it("VE7: malformed entities JSON → parse_error", async () => {
+    const result = await handleValidateEntities({
+      entities: "{ not valid json",
+      schema: SCHEMA_STR,
+    });
+
+    expect(result.valid).toBe(false);
+    expect(result.errors[0].error_kind).toBe("parse_error");
+  });
+
+  it("VE8: no schema provided → JSON shape only, no type validation", async () => {
+    const result = await handleValidateEntities({
+      entities: JSON.stringify(ENTITIES),
+    });
+
+    expect(result.valid).toBe(true);
+    expect(result.entity_count).toBe(ENTITIES.length);
+  });
+
+  it("VE9: classifyError tags unknown patterns with a self-documenting prefix on the message", async () => {
+    const { classifyError } = await import("../../src/tools/validate-entities.js");
+    const synthetic = "some future Cedar 5.x error wording the current regex set does not recognize";
+
+    const result = classifyError(synthetic);
+
+    expect(result.error_kind).toBe("other");
+    expect(result.message).toContain("unrecognized error pattern");
+    expect(result.message).toContain(synthetic);
+  });
+
+  it("VE9b: classifyError still classifies a known pattern correctly (regression guard)", async () => {
+    const { classifyError } = await import("../../src/tools/validate-entities.js");
+    const known = `attribute \`bogus\` on \`DocMgmt::User::"alice"\` should not exist according to the schema`;
+
+    const result = classifyError(known);
+
+    expect(result.error_kind).toBe("unknown_attribute");
+    expect(result.attribute).toBe("bogus");
+    expect(result.message).not.toContain("unrecognized error pattern");
+  });
+
+  it("VEF: falsification — entity with three violations surfaces all three", async () => {
+    // wrong type, missing required, unknown attr — all in one entity.
+    // WASM may return them as a single error or multiple — test that the
+    // collective surface mentions all three concerns somewhere.
+    const bad = [
+      {
+        uid: { type: "DocMgmt::User", id: "alice" },
+        attrs: { name: 42, bogus: "x" }, // wrong type + missing email + unknown attr
+        parents: [],
+      },
+    ];
+
+    const result = await handleValidateEntities({
+      entities: JSON.stringify(bad),
+      schema: SCHEMA_STR,
+    });
+
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(0);
+    // At minimum, the surfaced error must clearly attribute the violation to 'alice'
+    expect(result.errors[0].entity_uid).toContain("alice");
+  });
+});

package/test/tools/validate-schema.test.ts

@@ -0,0 +1,86 @@
+import { describe, it, expect } from "vitest";
+import { handleValidateSchema } from "../../src/tools/validate-schema.js";
+import { SCHEMA_JSON } from "../fixtures/docmgmt.js";
+
+const SCHEMA_JSON_STR = JSON.stringify(SCHEMA_JSON);
+
+const CEDARSCHEMA_TEXT = `
+namespace DocMgmt {
+  entity User in [Role] = { name: String, email: String };
+  entity Role;
+  entity Document in [Folder] = { owner: String, classification: String };
+  entity Folder;
+  action READ, WRITE, DELETE appliesTo {
+    principal: [User],
+    resource: [Document]
+  };
+}
+`.trim();
+
+describe("cedar_validate_schema", () => {
+  it("VS1: returns valid:true and detected JSON format for a well-formed JSON schema", async () => {
+    const result = await handleValidateSchema({ schema: SCHEMA_JSON_STR });
+
+    expect(result.valid).toBe(true);
+    expect(result.format).toBe("json");
+    expect(result.errors).toHaveLength(0);
+  });
+
+  it("VS2: returns valid:true and detected cedarschema format for cedarschema text", async () => {
+    const result = await handleValidateSchema({ schema: CEDARSCHEMA_TEXT });
+
+    expect(result.valid).toBe(true);
+    expect(result.format).toBe("cedarschema");
+    expect(result.errors).toHaveLength(0);
+  });
+
+  it("VS3: returns structured errors for malformed cedarschema", async () => {
+    const result = await handleValidateSchema({ schema: "not a schema" });
+
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(0);
+    expect(result.errors[0].message).toBeTruthy();
+  });
+
+  it("VS4: reports namespaces from a JSON schema", async () => {
+    const result = await handleValidateSchema({ schema: SCHEMA_JSON_STR });
+
+    expect(result.namespaces).toContain("DocMgmt");
+  });
+
+  it("VS5: reports counts of entity types, actions, and common types", async () => {
+    const result = await handleValidateSchema({ schema: SCHEMA_JSON_STR });
+
+    expect(result.entity_type_count).toBe(4);
+    expect(result.action_count).toBe(3);
+    expect(result.common_type_count).toBe(0);
+  });
+
+  it("VS6: returns structured error with source location for syntactically broken cedarschema", async () => {
+    const broken = "namespace DocMgmt { entity User { name String } }"; // missing colon
+    const result = await handleValidateSchema({ schema: broken });
+
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(0);
+  });
+
+  it("VS7: handles an empty string by returning a parse error, not a crash", async () => {
+    const result = await handleValidateSchema({ schema: "" });
+
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(0);
+  });
+
+  it("VS8: handles namespace-less JSON schema (top-level entityTypes)", async () => {
+    const flatSchema = JSON.stringify({
+      "": {
+        entityTypes: { Foo: { memberOfTypes: [], shape: { type: "Record", attributes: {} } } },
+        actions: {},
+      },
+    });
+    const result = await handleValidateSchema({ schema: flatSchema });
+
+    expect(result.valid).toBe(true);
+    expect(result.namespaces).toEqual([""]);
+  });
+});

package/test/tools/validate-template.test.ts

@@ -0,0 +1,89 @@
+import { describe, it, expect } from "vitest";
+import { handleValidateTemplate } from "../../src/tools/validate-template.js";
+
+const SCHEMA = `namespace App {
+  entity User;
+  entity Document;
+  action read appliesTo { principal: [User], resource: [Document], context: {} };
+  action write appliesTo { principal: [User], resource: [Document], context: {} };
+}`;
+
+const VALID_TEMPLATE = `permit(
+  principal == ?principal,
+  action == App::Action::"read",
+  resource == ?resource
+);`;
+
+const RESOURCE_ONLY_TEMPLATE = `permit(
+  principal,
+  action == App::Action::"read",
+  resource == ?resource
+);`;
+
+describe("cedar_validate_template", () => {
+  it("VT1 — valid template returns valid:true and detected slots", async () => {
+    const result = await handleValidateTemplate({ template: VALID_TEMPLATE, schema: SCHEMA });
+
+    expect(result.error).toBeUndefined();
+    expect(result.valid).toBe(true);
+    expect(result.errors).toHaveLength(0);
+    expect(result.slots_detected).toContain("?principal");
+    expect(result.slots_detected).toContain("?resource");
+  });
+
+  it("VT2 — template with only ?resource slot detected", async () => {
+    const result = await handleValidateTemplate({ template: RESOURCE_ONLY_TEMPLATE, schema: SCHEMA });
+
+    expect(result.valid).toBe(true);
+    expect(result.slots_detected).toContain("?resource");
+    expect(result.slots_detected).not.toContain("?principal");
+  });
+
+  it("VT3 — invalid Cedar syntax returns valid:false with errors", async () => {
+    const result = await handleValidateTemplate({
+      template: "this is not cedar !!@#$",
+      schema: SCHEMA,
+    });
+
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(0);
+  });
+
+  it("VT4 — template with unknown action in schema returns validation error", async () => {
+    const badTemplate = `permit(
+      principal == ?principal,
+      action == App::Action::"nonexistent",
+      resource == ?resource
+    );`;
+
+    const result = await handleValidateTemplate({ template: badTemplate, schema: SCHEMA });
+
+    expect(result.valid).toBe(false);
+    expect(result.errors.length).toBeGreaterThan(0);
+  });
+
+  it("VT5 — missing schema returns error", async () => {
+    const result = await handleValidateTemplate({ template: VALID_TEMPLATE, schema: "" });
+
+    expect(result.error).toBeDefined();
+  });
+
+  it("VT6 — accepts JSON schema format (not just cedarschema text)", async () => {
+    const jsonSchema = JSON.stringify({
+      App: {
+        entityTypes: {
+          User: { memberOfTypes: [], shape: { type: "Record", attributes: {} } },
+          Document: { memberOfTypes: [], shape: { type: "Record", attributes: {} } },
+        },
+        actions: {
+          read: { appliesTo: { principalTypes: ["User"], resourceTypes: ["Document"], context: { type: "Record", attributes: {} } } },
+        },
+      },
+    });
+
+    const result = await handleValidateTemplate({ template: VALID_TEMPLATE, schema: jsonSchema });
+
+    expect(result.error).toBeUndefined();
+    expect(result.valid).toBe(true);
+  });
+});