memory-journal-mcp 4.4.2 → 5.0.0

package/tests/e2e/scheduler.spec.ts

@@ -0,0 +1,79 @@
+/**
+ * E2E Tests: Scheduler Activation
+ *
+ * Verifies that the automated scheduler is active and visible
+ * in the memory://health resource when the server is started
+ * with scheduler flags (--backup-interval, --vacuum-interval, etc.)
+ */
+
+import { test, expect } from '@playwright/test'
+import { Client } from '@modelcontextprotocol/sdk/client/index.js'
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js'
+
+test.describe('Scheduler Activation (HTTP Only)', () => {
+    let client: Client
+
+    test.beforeAll(async () => {
+        const transport = new StreamableHTTPClientTransport(new URL('http://localhost:3100/mcp'))
+        client = new Client(
+            { name: 'playwright-scheduler-test', version: '1.0.0' },
+            { capabilities: {} }
+        )
+        await client.connect(transport)
+    })
+
+    test.afterAll(async () => {
+        await client.close()
+    })
+
+    test('memory://health should show scheduler.active as true', async () => {
+        const response = await client.readResource({ uri: 'memory://health' })
+
+        expect(response.contents).toBeDefined()
+        expect(response.contents.length).toBeGreaterThan(0)
+
+        const text = response.contents[0]!.text as string
+        const health = JSON.parse(text)
+
+        expect(health).toHaveProperty('scheduler')
+        expect(health.scheduler).toHaveProperty('active', true)
+    })
+
+    test('memory://health should show 3 scheduler jobs', async () => {
+        const response = await client.readResource({ uri: 'memory://health' })
+        const health = JSON.parse(response.contents[0]!.text as string)
+
+        expect(health.scheduler).toHaveProperty('jobs')
+        expect(Array.isArray(health.scheduler.jobs)).toBe(true)
+        expect(health.scheduler.jobs.length).toBe(3)
+
+        const jobNames = health.scheduler.jobs.map((j: { name: string }) => j.name)
+        expect(jobNames).toContain('backup')
+        expect(jobNames).toContain('vacuum')
+        expect(jobNames).toContain('rebuild-index')
+    })
+
+    test('scheduler jobs should have nextRun timestamps', async () => {
+        const response = await client.readResource({ uri: 'memory://health' })
+        const health = JSON.parse(response.contents[0]!.text as string)
+
+        for (const job of health.scheduler.jobs) {
+            expect(job).toHaveProperty('nextRun')
+            // nextRun should be a valid ISO 8601 timestamp
+            const nextRun = new Date(job.nextRun)
+            expect(nextRun.toISOString()).toBe(job.nextRun)
+            // nextRun should be in the future (or very close to now)
+            expect(nextRun.getTime()).toBeGreaterThan(Date.now() - 60000)
+        }
+    })
+
+    test('scheduler jobs should have run count fields', async () => {
+        const response = await client.readResource({ uri: 'memory://health' })
+        const health = JSON.parse(response.contents[0]!.text as string)
+
+        for (const job of health.scheduler.jobs) {
+            expect(job).toHaveProperty('runCount')
+            expect(typeof job.runCount).toBe('number')
+        }
+    })
+})

package/tests/e2e/security.spec.ts

@@ -0,0 +1,91 @@
+/**
+ * E2E Tests: Security & Limits
+ *
+ * Tests HTTP transport security hardening: security headers,
+ * body size limits, 404 handler, CORS, and HSTS.
+ */
+
+import { test, expect } from '@playwright/test'
+
+test.describe('HTTP Transport Security & Limits', () => {
+    test('should return 404 Not Found for unknown endpoints', async ({ request }) => {
+        const response = await request.get('/non-existent-path')
+        expect(response.status()).toBe(404)
+
+        const body = await response.json()
+        expect(body).toHaveProperty('error', 'Not found')
+    })
+
+    test('should return 413 Payload Too Large for excessive POST bodies', async ({ request }) => {
+        // Generate a payload over 1 MB (1,048,576 bytes)
+        const bulkyData = 'A'.repeat(1024 * 1025) // ~1.025 MB string
+
+        const response = await request.post('/mcp', {
+            headers: {
+                Accept: 'application/json, text/event-stream',
+            },
+            data: {
+                jsonrpc: '2.0',
+                id: 1,
+                method: 'initialize',
+                params: { testData: bulkyData },
+            },
+        })
+
+        expect(response.status()).toBe(413)
+    })
+
+    test('should inject security headers on responses', async ({ request }) => {
+        const response = await request.get('/health')
+        expect(response.status()).toBe(200)
+
+        const headers = response.headers()
+        expect(headers['x-content-type-options']).toBe('nosniff')
+        expect(headers['x-frame-options']).toBe('DENY')
+        expect(headers['cache-control']).toBe('no-store')
+        expect(headers['content-security-policy']).toBe(
+            "default-src 'none'; frame-ancestors 'none'"
+        )
+        expect(headers['referrer-policy']).toBe('no-referrer')
+        expect(headers['permissions-policy']).toBe('camera=(), microphone=(), geolocation=()')
+    })
+
+    test('should respond with 204 to CORS preflight OPTIONS requests', async ({ request }) => {
+        const response = await request.fetch('/mcp', {
+            method: 'OPTIONS',
+        })
+
+        expect(response.status()).toBe(204)
+    })
+
+    test('should include CORS headers on responses', async ({ request }) => {
+        const response = await request.get('/health')
+        const headers = response.headers()
+
+        // Default CORS origin is * (configurable via --cors-origin)
+        expect(headers['access-control-allow-origin']).toBe('*')
+        expect(headers['access-control-allow-methods']).toContain('POST')
+        expect(headers['access-control-allow-methods']).toContain('GET')
+        expect(headers['access-control-expose-headers']).toContain('mcp-session-id')
+    })
+
+    test('should include HSTS header when X-Forwarded-Proto is https', async ({ request }) => {
+        const response = await request.get('/health', {
+            headers: {
+                'X-Forwarded-Proto': 'https',
+            },
+        })
+
+        expect(response.status()).toBe(200)
+        const headers = response.headers()
+        expect(headers['strict-transport-security']).toBe('max-age=31536000; includeSubDomains')
+    })
+
+    test('should NOT include HSTS header without X-Forwarded-Proto', async ({ request }) => {
+        const response = await request.get('/health')
+        expect(response.status()).toBe(200)
+
+        const headers = response.headers()
+        expect(headers['strict-transport-security']).toBeUndefined()
+    })
+})

package/tests/e2e/sessions.spec.ts

@@ -0,0 +1,95 @@
+/**
+ * E2E Tests: Session Lifecycle
+ *
+ * Tests the full Streamable HTTP session lifecycle: initialization,
+ * tool calls with session ID, session termination (DELETE /mcp),
+ * and rejection of stale/invalid sessions.
+ */
+
+import { test, expect } from '@playwright/test'
+
+test.describe.configure({ mode: 'serial' })
+
+test.describe('Session Lifecycle', () => {
+    let sessionId: string
+
+    test('should initialize a session and return session ID', async ({ request }) => {
+        const response = await request.post('/mcp', {
+            headers: {
+                Accept: 'application/json, text/event-stream',
+            },
+            data: {
+                jsonrpc: '2.0',
+                id: 1,
+                method: 'initialize',
+                params: {
+                    protocolVersion: '2025-03-26',
+                    capabilities: {},
+                    clientInfo: {
+                        name: 'playwright-session-test',
+                        version: '1.0.0',
+                    },
+                },
+            },
+        })
+
+        expect(response.status()).toBe(200)
+        sessionId = response.headers()['mcp-session-id']!
+        expect(sessionId).toBeDefined()
+        expect(sessionId.length).toBeGreaterThan(0)
+    })
+
+    test('should accept requests with valid session ID', async ({ request }) => {
+        // Send initialized notification (required by MCP protocol after init)
+        const response = await request.post('/mcp', {
+            headers: {
+                Accept: 'application/json, text/event-stream',
+                'mcp-session-id': sessionId,
+            },
+            data: {
+                jsonrpc: '2.0',
+                method: 'notifications/initialized',
+            },
+        })
+
+        // Notifications return 202 (accepted, no response body) or 200
+        expect([200, 202, 204]).toContain(response.status())
+    })
+
+    test('should allow tool calls with valid session ID', async ({ request }) => {
+        const response = await request.post('/mcp', {
+            headers: {
+                Accept: 'application/json, text/event-stream',
+                'mcp-session-id': sessionId,
+            },
+            data: {
+                jsonrpc: '2.0',
+                id: 2,
+                method: 'tools/list',
+            },
+        })
+
+        expect(response.status()).toBe(200)
+    })
+
+    test('GET /mcp (SSE) should reject without session ID', async ({ request }) => {
+        const response = await request.get('/mcp')
+        expect(response.status()).toBe(400)
+    })
+
+    test('DELETE /mcp should reject without session ID', async ({ request }) => {
+        const response = await request.delete('/mcp')
+        expect(response.status()).toBe(400)
+    })
+
+    test('DELETE /mcp should terminate a valid session', async ({ request }) => {
+        const response = await request.delete('/mcp', {
+            headers: {
+                'mcp-session-id': sessionId,
+            },
+        })
+
+        // DELETE returns 200 or 204
+        expect([200, 204]).toContain(response.status())
+    })
+})

package/tests/e2e/stateless.spec.ts

@@ -0,0 +1,121 @@
+/**
+ * E2E Tests: Stateless HTTP Mode
+ *
+ * Tests the --stateless mode behavior. Uses a test-local server
+ * on port 3102 to avoid conflicting with the main webServer.
+ */
+
+import { test, expect } from '@playwright/test'
+import { type ChildProcess, spawn } from 'node:child_process'
+import { setTimeout as delay } from 'node:timers/promises'
+
+const STATELESS_PORT = 3102
+const STATELESS_BASE = `http://localhost:${STATELESS_PORT}`
+
+let serverProcess: ChildProcess | null = null
+
+async function startStatelessServer(): Promise<void> {
+    serverProcess = spawn(
+        'node',
+        [
+            'dist/cli.js',
+            '--transport',
+            'http',
+            '--port',
+            String(STATELESS_PORT),
+            '--db',
+            './test-e2e-stateless.db',
+            '--stateless',
+        ],
+        {
+            cwd: process.cwd(),
+            stdio: 'pipe',
+        }
+    )
+
+    const maxAttempts = 30
+    for (let i = 0; i < maxAttempts; i++) {
+        try {
+            const res = await fetch(`${STATELESS_BASE}/health`)
+            if (res.ok) return
+        } catch {
+            // Server not ready yet
+        }
+        await delay(500)
+    }
+    throw new Error('Stateless server did not start within timeout')
+}
+
+function stopStatelessServer(): void {
+    if (serverProcess) {
+        serverProcess.kill('SIGTERM')
+        serverProcess = null
+    }
+}
+
+test.describe('Stateless HTTP Mode', () => {
+    test.beforeAll(async () => {
+        await startStatelessServer()
+    })
+
+    test.afterAll(() => {
+        stopStatelessServer()
+    })
+
+    test('POST /mcp should accept requests without session ID (stateless)', async () => {
+        const response = await fetch(`${STATELESS_BASE}/mcp`, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                Accept: 'application/json, text/event-stream',
+            },
+            body: JSON.stringify({
+                jsonrpc: '2.0',
+                id: 1,
+                method: 'initialize',
+                params: {
+                    protocolVersion: '2025-03-26',
+                    capabilities: {},
+                    clientInfo: { name: 'stateless-test', version: '1.0' },
+                },
+            }),
+        })
+
+        expect(response.status).toBe(200)
+    })
+
+    test('GET /mcp should return 405 (SSE not available in stateless)', async () => {
+        const response = await fetch(`${STATELESS_BASE}/mcp`)
+
+        expect(response.status).toBe(405)
+        const body = await response.json()
+        expect(body.error).toHaveProperty(
+            'message',
+            'SSE streaming not available in stateless mode'
+        )
+    })
+
+    test('DELETE /mcp should return 204 (no-op in stateless)', async () => {
+        const response = await fetch(`${STATELESS_BASE}/mcp`, {
+            method: 'DELETE',
+        })
+
+        expect(response.status).toBe(204)
+    })
+
+    test('GET /sse should return 404 (legacy SSE not available in stateless)', async () => {
+        const response = await fetch(`${STATELESS_BASE}/sse`)
+
+        expect(response.status).toBe(404)
+        const body = await response.json()
+        expect(body).toHaveProperty('error', 'Not found')
+    })
+
+    test('/health should still work in stateless mode', async () => {
+        const response = await fetch(`${STATELESS_BASE}/health`)
+        expect(response.status).toBe(200)
+
+        const body = await response.json()
+        expect(body).toHaveProperty('status', 'healthy')
+    })
+})

package/tests/e2e/tools.spec.ts

@@ -0,0 +1,111 @@
+/**
+ * E2E Tests: MCP Tool Execution via SDK Client
+ *
+ * Uses the official @modelcontextprotocol/sdk client to connect
+ * via Streamable HTTP transport and execute tools end-to-end.
+ */
+
+import { test, expect } from '@playwright/test'
+import { Client } from '@modelcontextprotocol/sdk/client/index.js'
+import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js'
+
+test.describe.configure({ mode: 'serial' })
+
+test.describe('E2E Tool Execution (via MCP SDK Client)', () => {
+    let client: Client
+
+    test.beforeAll(async () => {
+        const transport = new StreamableHTTPClientTransport(new URL('http://localhost:3100/mcp'))
+        client = new Client(
+            { name: 'playwright-tool-test', version: '1.0.0' },
+            { capabilities: {} }
+        )
+        await client.connect(transport)
+    })
+
+    test.afterAll(async () => {
+        await client.close()
+    })
+
+    test('should list available tools', async () => {
+        const listResponse = await client.listTools()
+
+        expect(listResponse.tools).toBeDefined()
+        expect(Array.isArray(listResponse.tools)).toBe(true)
+        expect(listResponse.tools.length).toBeGreaterThan(0)
+
+        const toolNames = listResponse.tools.map((t) => t.name)
+        expect(toolNames).toContain('create_entry')
+        expect(toolNames).toContain('search_entries')
+        expect(toolNames).toContain('test_simple')
+        expect(toolNames).toContain('get_recent_entries')
+    })
+
+    test('should execute test_simple tool', async () => {
+        const response = await client.callTool({
+            name: 'test_simple',
+            arguments: { message: 'Playwright E2E' },
+        })
+
+        expect(response.isError).toBeUndefined()
+        expect(Array.isArray(response.content)).toBe(true)
+        expect(response.content.length).toBeGreaterThan(0)
+        expect(response.content[0]).toHaveProperty('type', 'text')
+
+        const text = (response.content[0] as { type: string; text: string }).text
+        expect(text).toContain('Playwright E2E')
+    })
+
+    test('should execute create_entry_minimal and get structured response', async () => {
+        const response = await client.callTool({
+            name: 'create_entry_minimal',
+            arguments: { content: 'Playwright e2e test entry' },
+        })
+
+        expect(response.isError).toBeUndefined()
+        expect(Array.isArray(response.content)).toBe(true)
+        expect(response.content.length).toBeGreaterThan(0)
+
+        const text = (response.content[0] as { type: string; text: string }).text
+        const parsed = JSON.parse(text)
+        expect(parsed).toHaveProperty('success', true)
+        expect(parsed).toHaveProperty('entry')
+        expect(parsed.entry).toHaveProperty('id')
+    })
+
+    test('should execute get_recent_entries and return entries array', async () => {
+        const response = await client.callTool({
+            name: 'get_recent_entries',
+            arguments: { limit: 3 },
+        })
+
+        expect(response.isError).toBeUndefined()
+        expect(Array.isArray(response.content)).toBe(true)
+        expect(response.content.length).toBeGreaterThan(0)
+
+        const text = (response.content[0] as { type: string; text: string }).text
+        const parsed = JSON.parse(text)
+        expect(parsed).toHaveProperty('entries')
+        expect(Array.isArray(parsed.entries)).toBe(true)
+    })
+
+    test('should return structured error for invalid entry_type', async () => {
+        const response = await client.callTool({
+            name: 'create_entry',
+            arguments: {
+                content: 'test validation',
+                entry_type: 'invalid_type',
+            },
+        })
+
+        // Should NOT be a raw MCP error — should be structured handler error
+        expect(response.isError).toBeUndefined()
+        expect(Array.isArray(response.content)).toBe(true)
+
+        const text = (response.content[0] as { type: string; text: string }).text
+        const parsed = JSON.parse(text)
+        expect(parsed).toHaveProperty('success', false)
+        expect(parsed).toHaveProperty('error')
+        expect(parsed.error).toContain('entry_type')
+    })
+})

package/tests/filtering/tool-filter.test.ts

@@ -264,3 +264,49 @@ describe('getFilterSummary', () => {
         expect(summary.length).toBeGreaterThan(0)
     })
 })
+
+// ============================================================================
+// parseToolFilter edge cases
+// ============================================================================
+
+describe('parseToolFilter edge cases', () => {
+    it('should handle blacklist-first mode (-admin = all except admin)', () => {
+        const config = parseToolFilter('-admin')
+        // Should have all tools EXCEPT admin tools
+        expect(config.enabledTools.has('create_entry')).toBe(true)
+        expect(config.enabledTools.has('search_entries')).toBe(true)
+        expect(config.enabledTools.has('backup_journal')).toBe(true)
+        // Admin tools should be excluded
+        expect(config.enabledTools.has('delete_entry')).toBe(false)
+    })
+
+    it('should handle single tool name whitelist', () => {
+        const config = parseToolFilter('create_entry')
+        expect(config.enabledTools.has('create_entry')).toBe(true)
+        expect(config.enabledTools.size).toBe(1)
+    })
+
+    it('should handle meta-group in non-first position', () => {
+        const config = parseToolFilter('backup,starter')
+        // starter = core + search, plus backup group
+        expect(config.enabledTools.has('create_entry')).toBe(true)
+        expect(config.enabledTools.has('search_entries')).toBe(true)
+        expect(config.enabledTools.has('backup_journal')).toBe(true)
+    })
+
+    it('should handle combined meta-group with tool exclusion', () => {
+        const config = parseToolFilter('starter,-create_entry_minimal')
+        expect(config.enabledTools.has('create_entry')).toBe(true)
+        expect(config.enabledTools.has('create_entry_minimal')).toBe(false)
+    })
+
+    it('should handle multiple exclusions', () => {
+        const config = parseToolFilter('full,-admin,-backup,-github')
+        expect(config.enabledTools.has('create_entry')).toBe(true)
+        expect(config.enabledTools.has('search_entries')).toBe(true)
+        // Excluded groups
+        expect(config.enabledTools.has('delete_entry')).toBe(false)
+        expect(config.enabledTools.has('backup_journal')).toBe(false)
+        expect(config.enabledTools.has('get_github_issues')).toBe(false)
+    })
+})