funifier-mcp 0.3.10 → 0.3.12

package/dist/mcp/tools/permissions.test.js

@@ -1,31 +1,94 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 const vitest_1 = require("vitest");
+const fs_1 = __importDefault(require("fs"));
+const os_1 = __importDefault(require("os"));
+const path_1 = __importDefault(require("path"));
 const permissions_1 = require("./permissions");
+const _backup_1 = require("./_backup");
+// Every mutating action now writes a snapshot to backupRoot(); redirect it to a temp dir
+// (via the FUNIFIER_BACKUP_ROOT seam) so tests never touch the real working tree.
+let backupDir;
+(0, vitest_1.beforeEach)(() => {
+    backupDir = fs_1.default.mkdtempSync(path_1.default.join(os_1.default.tmpdir(), "funifier-perm-test-"));
+    process.env.FUNIFIER_BACKUP_ROOT = backupDir;
+});
+(0, vitest_1.afterEach)(() => {
+    delete process.env.FUNIFIER_BACKUP_ROOT;
+    fs_1.default.rmSync(backupDir, { recursive: true, force: true });
+});
+function readNewestSnapshot() {
+    const items = (0, _backup_1.listSnapshots)(backupDir);
+    if (items.length === 0)
+        throw new Error("no snapshot written");
+    return JSON.parse(fs_1.default.readFileSync(items[0].path, "utf8"));
+}
 const SECURITY = {
     _id: "game1",
     apps: [{ name: "Default", app_secret: "old-secret", scope: "read_all" }],
     roles: [{ name: "player", timeout: "1d", scope: "read_all,write_actionlog" }],
 };
 function fakeApi(overrides = {}) {
-    return {
-        queryCollection: vitest_1.vi.fn().mockResolvedValue([structuredClone(SECURITY)]),
-        updateDocument: vitest_1.vi.fn().mockImplementation((_collection, doc) => Promise.resolve(doc)),
-        listRoles: vitest_1.vi.fn().mockResolvedValue([
-            { _id: "r1", name: "Admin", type: "system", item: "system", permissions: [] },
-            { _id: "r2", name: "Game Editor", type: "gamification", item: "game1", permissions: [] },
-        ]),
+    const roles = [
+        { _id: "r1", name: "Admin", type: "system", item: "system", permissions: [] },
+        { _id: "r2", name: "Game Editor", type: "gamification", item: "game1", permissions: [] },
+    ];
+    const assignments = [{ type: "user", item: "u1", role: "r1" }];
+    // Stateful security doc: updateDocument stores the new state so re-reads (verifySecurityPersisted)
+    // see the post-mutation document by default.
+    let securityDoc = structuredClone(SECURITY);
+    const defaultUpdateDocument = vitest_1.vi.fn().mockImplementation(async (collection, doc) => {
+        if (collection === "security")
+            securityDoc = structuredClone(doc);
+        return doc;
+    });
+    // If the caller overrides updateDocument, chain the state update so reads stay consistent.
+    const updateDocument = overrides.updateDocument
+        ? vitest_1.vi.fn().mockImplementation(async (collection, doc) => {
+            if (collection === "security")
+                securityDoc = structuredClone(doc);
+            return overrides.updateDocument(collection, doc);
+        })
+        : defaultUpdateDocument;
+    const base = {
+        aggregateCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+            if (collection === "security")
+                return [{ ...securityDoc, _id: String(securityDoc._id) }];
+            return [];
+        }),
+        queryCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+            if (collection === "security")
+                return [securityDoc];
+            return [];
+        }),
+        updateDocument,
+        listRoles: vitest_1.vi.fn().mockResolvedValue(roles),
+        listRolesStrict: vitest_1.vi.fn().mockResolvedValue(roles),
+        getRoleById: vitest_1.vi.fn().mockResolvedValue({ _id: "r1", name: "Admin", type: "system", item: "system", permissions: [] }),
         saveRole: vitest_1.vi.fn().mockImplementation((role) => Promise.resolve({ ...role, _id: role._id ?? "new-role" })),
         deleteRole: vitest_1.vi.fn().mockResolvedValue({ ok: 1 }),
-        listRoleAssignments: vitest_1.vi.fn().mockResolvedValue([{ type: "user", item: "u1", role: "r1" }]),
+        listRoleAssignments: vitest_1.vi.fn().mockResolvedValue(assignments),
+        listRoleAssignmentsStrict: vitest_1.vi.fn().mockResolvedValue(assignments),
         assignRole: vitest_1.vi.fn().mockImplementation((payload) => Promise.resolve(payload)),
         unassignRole: vitest_1.vi.fn().mockResolvedValue({ ok: 1 }),
-        ...overrides,
     };
+    // Apply remaining overrides (except updateDocument which was handled above).
+    const { updateDocument: _ud, ...otherOverrides } = overrides;
+    return { ...base, ...otherOverrides };
 }
-function makeInvoke(overrides = {}) {
+function makeInvoke(overrides = {}, connection = { serverUrl: "https://test.funifier.com" }) {
     const api = fakeApi(overrides);
-    const holder = { requireClient: () => api };
+    const holder = {
+        requireClient: () => api,
+        getConnectionInfo: () => ({
+            connected: true,
+            serverUrl: connection.serverUrl ?? null,
+            name: null,
+        }),
+    };
     let handler;
     const server = {
         registerTool: (_name, _config, h) => { handler = h; },
@@ -38,7 +101,7 @@ function makeInvoke(overrides = {}) {
         const { invoke, api } = makeInvoke();
         const result = await invoke({ action: "list_api_apps" });
         (0, vitest_1.expect)(result.isError).toBeUndefined();
-        (0, vitest_1.expect)(api.queryCollection).toHaveBeenCalledWith("security", {}, { limit: 1, skip: 0 });
+        (0, vitest_1.expect)(api.aggregateCollection).toHaveBeenCalledWith("security", vitest_1.expect.arrayContaining([vitest_1.expect.objectContaining({ $addFields: { _id: { $toString: "$_id" } } })]));
         (0, vitest_1.expect)(result.content[0].text).toContain("old-…cret");
         (0, vitest_1.expect)(result.content[0].text).not.toContain("old-secret");
     });
@@ -96,4 +159,491 @@ function makeInvoke(overrides = {}) {
         (0, vitest_1.expect)(result.content[0].text).toContain("Error in funifier_permissions");
     });
 });
+(0, vitest_1.describe)("funifier_permissions native pre-write backup (no LLM in the loop)", () => {
+    (0, vitest_1.it)("writes a snapshot of the prior security doc BEFORE the mutation fires", async () => {
+        // The mutation mock records how many snapshots exist at the moment it is invoked.
+        let snapshotsWhenMutated = -1;
+        const { invoke, api } = makeInvoke({
+            updateDocument: vitest_1.vi.fn().mockImplementation((_collection, doc) => {
+                snapshotsWhenMutated = (0, _backup_1.listSnapshots)(backupDir).length;
+                return Promise.resolve(doc);
+            }),
+        });
+        // A genuinely new app, so the mutated doc (2 apps) differs from the prior doc (1 app).
+        const result = await invoke({
+            action: "save_api_app",
+            data: JSON.stringify({ name: "New App", app_secret: "brand-new", scope: "read_all" }),
+        });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+        (0, vitest_1.expect)(api.updateDocument).toHaveBeenCalled();
+        (0, vitest_1.expect)(snapshotsWhenMutated).toBe(1); // backup existed before updateDocument ran
+        const snap = readNewestSnapshot();
+        (0, vitest_1.expect)(snap.category).toBe("security");
+        (0, vitest_1.expect)(snap.existedBefore).toBe(true);
+        (0, vitest_1.expect)(snap.preImage).toEqual(SECURITY); // whole PRIOR doc, not the mutated 2-app version
+    });
+    (0, vitest_1.it)("aborts the mutation and returns isError when the backup write fails", async () => {
+        // Point the backup root at a path blocked by a file → mkdir for the category dir throws.
+        const blocker = path_1.default.join(backupDir, "blocker");
+        fs_1.default.writeFileSync(blocker, "not-a-directory");
+        process.env.FUNIFIER_BACKUP_ROOT = path_1.default.join(blocker, "nested");
+        const { invoke, api } = makeInvoke();
+        const result = await invoke({
+            action: "save_api_app",
+            data: JSON.stringify({ name: "Default", app_secret: "old-secret", scope: "read_all" }),
+        });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Backup write failed (mutation aborted)");
+        (0, vitest_1.expect)(api.updateDocument).not.toHaveBeenCalled(); // the literal "native, not LLM" guarantee
+    });
+    (0, vitest_1.it)("records existedBefore=false / preImage=null when creating a brand-new studio role", async () => {
+        const { invoke, api } = makeInvoke();
+        const role = {
+            name: "Brand New",
+            type: "gamification",
+            item: "game1",
+            permissions: [{ type: "page", object: "/x", operations: { read: true } }],
+        };
+        const result = await invoke({ action: "save_studio_role", data: JSON.stringify(role) });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+        (0, vitest_1.expect)(api.saveRole).toHaveBeenCalledWith(role);
+        const snap = readNewestSnapshot(); // built by a real captureBackup, not a hand-faked fixture
+        (0, vitest_1.expect)(snap.category).toBe("studio-role");
+        (0, vitest_1.expect)(snap.existedBefore).toBe(false);
+        (0, vitest_1.expect)(snap.preImage).toBeNull();
+        (0, vitest_1.expect)(snap.naturalKey).toEqual({ name: "Brand New", type: "gamification", item: "game1" });
+    });
+    vitest_1.it.each([
+        ["save_api_app", { data: JSON.stringify({ name: "X", app_secret: "s", scope: "read_all" }) }],
+        ["delete_api_app", { app_secret: "old-secret" }],
+        ["save_security_role", { data: JSON.stringify({ name: "X", timeout: "1d", scope: "read_all" }) }],
+        ["delete_security_role", { name: "player" }],
+        ["save_studio_role", { data: JSON.stringify({ name: "X", type: "system", item: "system", permissions: [] }) }],
+        ["delete_studio_role", { role_id: "r1" }],
+        ["assign_studio_role", { principal_type: "user", principal_item: "u1", role_id: "r1" }],
+        ["unassign_studio_role", { principal_type: "user", principal_item: "u1", role_id: "r1" }],
+    ])("%s writes exactly one pre-write snapshot", async (action, args) => {
+        const { invoke } = makeInvoke();
+        const result = await invoke({ action, ...args });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+        (0, vitest_1.expect)((0, _backup_1.listSnapshots)(backupDir).length).toBe(1);
+    });
+    (0, vitest_1.it)("restore_backup reapplies a security snapshot via updateDocument", async () => {
+        // 1. A real mutation captures the prior security doc.
+        const writer = makeInvoke();
+        await writer.invoke({
+            action: "save_api_app",
+            data: JSON.stringify({ name: "Default", app_secret: "old-secret", scope: "read_all" }),
+        });
+        (0, vitest_1.expect)((0, _backup_1.listSnapshots)(backupDir).length).toBe(1);
+        const backupPath = (0, _backup_1.listSnapshots)(backupDir)[0].path;
+        // 2. A fresh handler restores it — restore writes its own pre-write backup (BKP-11).
+        const { invoke, api } = makeInvoke();
+        const result = await invoke({ action: "restore_backup", backup_path: backupPath });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+        (0, vitest_1.expect)(api.updateDocument).toHaveBeenCalledWith("security", vitest_1.expect.objectContaining({ _id: "game1" }));
+        (0, vitest_1.expect)((0, _backup_1.listSnapshots)(backupDir).length).toBe(2);
+    });
+    (0, vitest_1.it)("restore_backup rejects cross-server snapshots when serverUrl differs", async () => {
+        const writer = makeInvoke({}, { serverUrl: "https://tenant-a.funifier.com" });
+        await writer.invoke({
+            action: "save_api_app",
+            data: JSON.stringify({ name: "Default", app_secret: "old-secret", scope: "read_all" }),
+        });
+        const backupPath = (0, _backup_1.listSnapshots)(backupDir)[0].path;
+        const { invoke, api } = makeInvoke({}, { serverUrl: "https://tenant-b.funifier.com" });
+        const result = await invoke({ action: "restore_backup", backup_path: backupPath });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toMatch(/serverUrl mismatch/i);
+        (0, vitest_1.expect)(api.updateDocument).not.toHaveBeenCalled();
+    });
+    (0, vitest_1.it)("delete_studio_role aborts when getRoleById fails to read the role", async () => {
+        const { invoke, api } = makeInvoke({
+            getRoleById: vitest_1.vi.fn().mockResolvedValue(undefined),
+        });
+        const result = await invoke({ action: "delete_studio_role", role_id: "r1" });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("not found or unreadable");
+        (0, vitest_1.expect)(api.deleteRole).not.toHaveBeenCalled();
+        (0, vitest_1.expect)((0, _backup_1.listSnapshots)(backupDir).length).toBe(0);
+    });
+    (0, vitest_1.it)("save_studio_role aborts when listRolesStrict fails (avoids false absent snapshot)", async () => {
+        const { invoke, api } = makeInvoke({
+            listRolesStrict: vitest_1.vi.fn().mockRejectedValue(new Error("network down")),
+        });
+        const result = await invoke({
+            action: "save_studio_role",
+            data: JSON.stringify({
+                name: "Editor",
+                type: "gamification",
+                item: "game1",
+                permissions: [{ type: "page", object: "/x", operations: { read: true } }],
+            }),
+        });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Failed to capture pre-image");
+        (0, vitest_1.expect)(api.saveRole).not.toHaveBeenCalled();
+        (0, vitest_1.expect)((0, _backup_1.listSnapshots)(backupDir).length).toBe(0);
+    });
+    (0, vitest_1.it)("assign_studio_role aborts when listRoleAssignmentsStrict fails (avoids false absent snapshot)", async () => {
+        const { invoke, api } = makeInvoke({
+            listRoleAssignmentsStrict: vitest_1.vi.fn().mockRejectedValue(new Error("network down")),
+        });
+        const result = await invoke({
+            action: "assign_studio_role",
+            principal_type: "user",
+            principal_item: "u1",
+            role_id: "r1",
+        });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Failed to capture pre-image");
+        (0, vitest_1.expect)(api.assignRole).not.toHaveBeenCalled();
+        (0, vitest_1.expect)((0, _backup_1.listSnapshots)(backupDir).length).toBe(0);
+    });
+    (0, vitest_1.it)("restore_backup of an absent studio role resolves the _id via natural key and deletes it", async () => {
+        // 1. Create-path snapshot from a real save of a role absent in listRoles → existedBefore=false.
+        const writer = makeInvoke();
+        await writer.invoke({
+            action: "save_studio_role",
+            data: JSON.stringify({
+                name: "Brand New",
+                type: "gamification",
+                item: "game1",
+                permissions: [{ type: "page", object: "/x", operations: { read: true } }],
+            }),
+        });
+        const backupPath = (0, _backup_1.listSnapshots)(backupDir)[0].path;
+        // 2. At restore time the role now exists with a server-assigned _id.
+        const { invoke, api } = makeInvoke({
+            listRoles: vitest_1.vi.fn().mockResolvedValue([
+                { _id: "created-id", name: "Brand New", type: "gamification", item: "game1", permissions: [] },
+            ]),
+        });
+        const result = await invoke({ action: "restore_backup", backup_path: backupPath });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+        (0, vitest_1.expect)(api.deleteRole).toHaveBeenCalledWith("created-id");
+    });
+    (0, vitest_1.it)("restore_backup with a missing path errors and performs no remote write", async () => {
+        const { invoke, api } = makeInvoke();
+        const result = await invoke({ action: "restore_backup", backup_path: path_1.default.join(backupDir, "missing.json") });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(api.updateDocument).not.toHaveBeenCalled();
+        (0, vitest_1.expect)(api.deleteRole).not.toHaveBeenCalled();
+    });
+    (0, vitest_1.it)("restore_backup rejects path traversal outside the backup root", async () => {
+        const outside = path_1.default.join(backupDir, "..", "outside-backup.json");
+        fs_1.default.writeFileSync(outside, JSON.stringify({
+            version: 1,
+            action: "save_api_app",
+            category: "security",
+            resourceId: "game1",
+            existedBefore: true,
+            capturedAt: "2026-05-28T14:31:02.123Z",
+            serverUrl: null,
+            preImage: SECURITY,
+        }));
+        const { invoke, api } = makeInvoke();
+        const result = await invoke({ action: "restore_backup", backup_path: outside });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toMatch(/must be within/i);
+        (0, vitest_1.expect)(api.updateDocument).not.toHaveBeenCalled();
+        fs_1.default.rmSync(outside, { force: true });
+    });
+    (0, vitest_1.it)("restore_backup succeeds when the live security document is truncated (no apps/roles)", async () => {
+        // Critical #1: a truncated live doc must NOT block restore — that is exactly the recovery scenario.
+        // Step 1: capture a healthy snapshot via a normal mutation.
+        const writer = makeInvoke();
+        await writer.invoke({
+            action: "save_api_app",
+            data: JSON.stringify({ name: "Default", app_secret: "old-secret", scope: "read_all" }),
+        });
+        const backupPath = (0, _backup_1.listSnapshots)(backupDir)[0].path;
+        // Step 2: stateful mock — starts with a truncated doc, reflects the write so verifySecurityPersisted passes.
+        let currentDoc = { _id: "game1" };
+        const { invoke, api } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+                if (collection === "security")
+                    return [{ ...currentDoc, _id: String(currentDoc._id) }];
+                return [];
+            }),
+            queryCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+                if (collection === "security")
+                    return [currentDoc];
+                return [];
+            }),
+            updateDocument: vitest_1.vi.fn().mockImplementation(async (collection, doc) => {
+                if (collection === "security")
+                    currentDoc = structuredClone(doc);
+                return doc;
+            }),
+        });
+        const result = await invoke({ action: "restore_backup", backup_path: backupPath });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+        (0, vitest_1.expect)(api.updateDocument).toHaveBeenCalledWith("security", vitest_1.expect.objectContaining({ _id: "game1" }));
+        // Two snapshots: original mutation + restore's own pre-backup of the truncated state.
+        (0, vitest_1.expect)((0, _backup_1.listSnapshots)(backupDir).length).toBe(2);
+    });
+    (0, vitest_1.it)("restore_backup rejects a security snapshot whose preImage is missing apps/roles", async () => {
+        // Critical #2: a malformed snapshot must be refused before any write side effects.
+        const malformedPath = path_1.default.join(backupDir, "security", "malformed.json");
+        fs_1.default.mkdirSync(path_1.default.dirname(malformedPath), { recursive: true });
+        fs_1.default.writeFileSync(malformedPath, JSON.stringify({
+            version: 1,
+            action: "save_api_app",
+            category: "security",
+            resourceId: "game1",
+            existedBefore: true,
+            capturedAt: new Date().toISOString(),
+            serverUrl: "https://test.funifier.com",
+            preImage: { _id: "game1" }, // missing apps and roles
+        }));
+        const { invoke, api } = makeInvoke();
+        // listSnapshots counts the malformed file itself — record before so we can assert no NEW snapshot.
+        const snapshotsBefore = (0, _backup_1.listSnapshots)(backupDir).length;
+        const result = await invoke({ action: "restore_backup", backup_path: malformedPath });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toMatch(/malformed|missing.*apps|missing.*roles/i);
+        (0, vitest_1.expect)(api.updateDocument).not.toHaveBeenCalled();
+        // Fast-fail fires before backupBeforeMutation — no new snapshot written.
+        (0, vitest_1.expect)((0, _backup_1.listSnapshots)(backupDir).length).toBe(snapshotsBefore);
+    });
+    (0, vitest_1.it)("restore_backup errors when a studio-role snapshot lacks naturalKey", async () => {
+        const badPath = path_1.default.join(backupDir, "studio-role", "missing-key.json");
+        fs_1.default.mkdirSync(path_1.default.dirname(badPath), { recursive: true });
+        fs_1.default.writeFileSync(badPath, JSON.stringify({
+            version: 1,
+            action: "save_studio_role",
+            category: "studio-role",
+            resourceId: "r1",
+            existedBefore: false,
+            capturedAt: "2026-05-28T14:31:02.123Z",
+            serverUrl: null,
+            preImage: null,
+        }));
+        const { invoke, api } = makeInvoke();
+        const result = await invoke({ action: "restore_backup", backup_path: badPath });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Studio-role snapshot missing naturalKey");
+        (0, vitest_1.expect)(api.saveRole).not.toHaveBeenCalled();
+        (0, vitest_1.expect)(api.deleteRole).not.toHaveBeenCalled();
+    });
+    (0, vitest_1.it)("list_backups returns captured snapshots newest-first", async () => {
+        const writer = makeInvoke();
+        await writer.invoke({ action: "delete_security_role", name: "player" });
+        const { invoke } = makeInvoke();
+        const result = await invoke({ action: "list_backups" });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+        (0, vitest_1.expect)(result.content[0].text).toContain("Backups (1)");
+        (0, vitest_1.expect)(result.content[0].text).toContain("security");
+    });
+});
+(0, vitest_1.describe)("funifier_permissions — T3: loadSecurityDocument normalization", () => {
+    (0, vitest_1.it)("succeeds when aggregateCollection returns a string _id", async () => {
+        const { invoke, api } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockResolvedValue([{ ...SECURITY, _id: "game1" }]),
+        });
+        const result = await invoke({ action: "list_api_apps" });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+        (0, vitest_1.expect)(api.aggregateCollection).toHaveBeenCalledWith("security", vitest_1.expect.any(Array));
+    });
+    (0, vitest_1.it)("falls back to queryCollection when aggregateCollection returns empty", async () => {
+        const { invoke, api } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockResolvedValue([]),
+        });
+        const result = await invoke({ action: "list_api_apps" });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+        (0, vitest_1.expect)(api.queryCollection).toHaveBeenCalled();
+    });
+    (0, vitest_1.it)("falls back to queryCollection when aggregateCollection throws", async () => {
+        const { invoke, api } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockRejectedValue(new Error("aggregate not supported")),
+        });
+        const result = await invoke({ action: "list_api_apps" });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+        (0, vitest_1.expect)(api.queryCollection).toHaveBeenCalled();
+    });
+    (0, vitest_1.it)("aborts with isError when _id cannot be resolved to a string after both read paths", async () => {
+        const { invoke, api } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockResolvedValue([{ ...SECURITY, _id: { timestamp: 1 } }]),
+            queryCollection: vitest_1.vi.fn().mockResolvedValue([{ ...SECURITY, _id: { timestamp: 1 } }]),
+        });
+        const result = await invoke({ action: "list_api_apps" });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Could not resolve a string _id");
+        (0, vitest_1.expect)(api.updateDocument).not.toHaveBeenCalled();
+    });
+});
+(0, vitest_1.describe)("funifier_permissions — T4: backup integrity gate", () => {
+    (0, vitest_1.it)("aborts with integrity-check message when security preImage is missing apps/roles", async () => {
+        // Security doc without apps/roles array — integrity check will fail after snapshot write.
+        const { invoke, api } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockResolvedValue([{ _id: "game1" }]), // no apps or roles
+            queryCollection: vitest_1.vi.fn().mockResolvedValue([{ _id: "game1" }]),
+        });
+        const result = await invoke({
+            action: "save_api_app",
+            data: JSON.stringify({ name: "X", app_secret: "s", scope: "read_all" }),
+        });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Backup integrity check failed (mutation aborted)");
+        (0, vitest_1.expect)(api.updateDocument).not.toHaveBeenCalled();
+    });
+    (0, vitest_1.it)("preserves 'Backup write failed' message for genuine IO failures", async () => {
+        const blocker = path_1.default.join(backupDir, "blocker2");
+        fs_1.default.writeFileSync(blocker, "not-a-directory");
+        process.env.FUNIFIER_BACKUP_ROOT = path_1.default.join(blocker, "nested");
+        const { invoke, api } = makeInvoke();
+        const result = await invoke({ action: "save_security_role", data: JSON.stringify({ name: "X", timeout: "1d", scope: "read_all" }) });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Backup write failed (mutation aborted)");
+        (0, vitest_1.expect)(api.updateDocument).not.toHaveBeenCalled();
+    });
+});
+(0, vitest_1.describe)("funifier_permissions — T5: post-write verification", () => {
+    (0, vitest_1.it)("returns isError naming the backup path when post-write re-read is missing an app", async () => {
+        // Sequence: 1st aggregate call → full SECURITY, 2nd call (verification re-read) → truncated (no apps).
+        let callCount = 0;
+        const { invoke } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+                if (collection !== "security")
+                    return [];
+                callCount++;
+                if (callCount === 1)
+                    return [{ ...SECURITY, _id: SECURITY._id }]; // initial read
+                return [{ _id: SECURITY._id, roles: SECURITY.roles }]; // truncated: no apps
+            }),
+        });
+        const result = await invoke({
+            action: "save_api_app",
+            data: JSON.stringify({ name: "New", app_secret: "new-s", scope: "read_all" }),
+        });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        const text = result.content[0].text;
+        (0, vitest_1.expect)(text).toContain("Post-write verification FAILED");
+        (0, vitest_1.expect)(text).toContain("apps");
+        (0, vitest_1.expect)(text).toContain("restore with funifier_permissions restore_backup");
+    });
+    (0, vitest_1.it)("returns isError naming backup path when post-write re-read is missing a role", async () => {
+        let callCount = 0;
+        const { invoke } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+                if (collection !== "security")
+                    return [];
+                callCount++;
+                if (callCount === 1)
+                    return [{ ...SECURITY, _id: SECURITY._id }];
+                return [{ _id: SECURITY._id, apps: SECURITY.apps }]; // no roles
+            }),
+        });
+        const result = await invoke({
+            action: "save_security_role",
+            data: JSON.stringify({ name: "newrole", timeout: "1d", scope: "read_all" }),
+        });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Post-write verification FAILED");
+        (0, vitest_1.expect)(result.content[0].text).toContain("roles");
+    });
+    (0, vitest_1.it)("detects missing app when name matches but app_secret differs (secret corruption)", async () => {
+        let callCount = 0;
+        const { invoke } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+                if (collection !== "security")
+                    return [];
+                callCount++;
+                if (callCount === 1)
+                    return [{ ...SECURITY, _id: SECURITY._id }];
+                // Post-write re-read: same name, different secret — stable key mismatch.
+                return [{ _id: SECURITY._id, apps: [{ name: "Default", app_secret: "tampered-secret", scope: "read_all" }], roles: SECURITY.roles }];
+            }),
+        });
+        const result = await invoke({
+            action: "save_api_app",
+            data: JSON.stringify({ name: "Default", app_secret: "old-secret", scope: "read_all" }),
+        });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Post-write verification FAILED");
+        (0, vitest_1.expect)(result.content[0].text).toContain("apps");
+    });
+    (0, vitest_1.it)("detects role count shortfall when expected name appears via duplicate (cardinality)", async () => {
+        let callCount = 0;
+        const { invoke } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+                if (collection !== "security")
+                    return [];
+                callCount++;
+                // Initial doc has two distinct roles.
+                if (callCount === 1)
+                    return [{ _id: SECURITY._id, apps: SECURITY.apps, roles: [{ name: "player", timeout: "1d", scope: "all" }, { name: "admin", timeout: "1d", scope: "all" }] }];
+                // Post-write: "admin" silently replaced by a second "player" — same names present but count drops.
+                return [{ _id: SECURITY._id, apps: SECURITY.apps, roles: [{ name: "player", timeout: "1d", scope: "all" }] }];
+            }),
+        });
+        const result = await invoke({
+            action: "save_security_role",
+            data: JSON.stringify({ name: "admin", timeout: "1d", scope: "all" }),
+        });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Post-write verification FAILED");
+        (0, vitest_1.expect)(result.content[0].text).toContain("roles");
+    });
+    (0, vitest_1.it)("does not false-alarm when expected apps is empty after delete", async () => {
+        const { invoke } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+                if (collection !== "security")
+                    return [];
+                // Both reads return a doc with no apps (the delete made it empty).
+                return [{ _id: SECURITY._id, apps: [], roles: SECURITY.roles }];
+            }),
+        });
+        const result = await invoke({ action: "delete_api_app", app_secret: "old-secret" });
+        (0, vitest_1.expect)(result.isError).toBeUndefined();
+    });
+    (0, vitest_1.it)("returns isError with 'could not verify' when post-write re-read throws", async () => {
+        let callCount = 0;
+        const { invoke } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+                if (collection !== "security")
+                    return [];
+                callCount++;
+                if (callCount === 1)
+                    return [{ ...SECURITY, _id: SECURITY._id }];
+                throw new Error("network failure");
+            }),
+            queryCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+                if (collection !== "security")
+                    return [];
+                throw new Error("network failure");
+            }),
+        });
+        const result = await invoke({ action: "save_security_role", data: JSON.stringify({ name: "X", timeout: "1d", scope: "x" }) });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Could not verify the write persisted");
+    });
+});
+(0, vitest_1.describe)("funifier_permissions — T8: restore_backup post-write verification", () => {
+    (0, vitest_1.it)("returns isError when restored security doc is missing apps on re-read", async () => {
+        // Write a security snapshot to restore from.
+        const writer = makeInvoke();
+        await writer.invoke({ action: "save_security_role", data: JSON.stringify({ name: "player", timeout: "1d", scope: "read_all" }) });
+        const backupPath = (0, _backup_1.listSnapshots)(backupDir)[0].path;
+        let restoreCallCount = 0;
+        const { invoke } = makeInvoke({
+            aggregateCollection: vitest_1.vi.fn().mockImplementation(async (collection) => {
+                if (collection !== "security")
+                    return [];
+                restoreCallCount++;
+                // Call 1: loadSecurityDocument in currentPreImage (pre-restore backup)
+                // Call 2: applySecuritySnapshot reads live doc for _id match
+                // Call 3: verifySecurityPersisted re-read → return truncated to trigger failure
+                if (restoreCallCount < 3)
+                    return [{ ...SECURITY, _id: SECURITY._id }];
+                return [{ _id: SECURITY._id, roles: SECURITY.roles }]; // no apps
+            }),
+        });
+        const result = await invoke({ action: "restore_backup", backup_path: backupPath });
+        (0, vitest_1.expect)(result.isError).toBe(true);
+        (0, vitest_1.expect)(result.content[0].text).toContain("Post-write verification FAILED");
+        (0, vitest_1.expect)(result.content[0].text).toContain("apps");
+    });
+});
 //# sourceMappingURL=permissions.test.js.map