memory-journal-mcp 6.1.2 → 6.2.1

package/tests/auth/oauth-resource-server.test.ts

@@ -1,173 +0,0 @@
-/**
- * memory-journal-mcp — OAuth Resource Server Unit Tests
- *
- * Tests for RFC 9728 Protected Resource Metadata.
- */
-
-import { describe, it, expect } from 'vitest'
-import {
-    OAuthResourceServer,
-    createOAuthResourceServer,
-} from '../../src/auth/oauth-resource-server.js'
-
-describe('OAuthResourceServer', () => {
-    const config = {
-        resource: 'http://localhost:3000',
-        authorizationServers: ['https://auth.example.com'],
-        scopesSupported: ['read', 'write', 'admin'],
-    }
-
-    describe('construction', () => {
-        it('should create instance with config', () => {
-            const server = new OAuthResourceServer(config)
-            expect(server).toBeInstanceOf(OAuthResourceServer)
-        })
-
-        it('should default bearerMethodsSupported to [header]', () => {
-            const server = new OAuthResourceServer(config)
-            const metadata = server.getMetadata()
-            expect(metadata.bearer_methods_supported).toEqual(['header'])
-        })
-    })
-
-    describe('createOAuthResourceServer factory', () => {
-        it('should create OAuthResourceServer instance', () => {
-            const server = createOAuthResourceServer(config)
-            expect(server).toBeInstanceOf(OAuthResourceServer)
-        })
-    })
-
-    describe('getMetadata', () => {
-        it('should return RFC 9728 compliant metadata', () => {
-            const server = new OAuthResourceServer(config)
-            const metadata = server.getMetadata()
-
-            expect(metadata.resource).toBe('http://localhost:3000')
-            expect(metadata.authorization_servers).toEqual(['https://auth.example.com'])
-            expect(metadata.scopes_supported).toEqual(['read', 'write', 'admin'])
-            expect(metadata.bearer_methods_supported).toEqual(['header'])
-        })
-
-        it('should include signing algorithms', () => {
-            const server = new OAuthResourceServer(config)
-            const metadata = server.getMetadata()
-
-            expect(metadata.resource_signing_alg_values_supported).toEqual(['RS256', 'ES256'])
-        })
-
-        it('should include documentation link', () => {
-            const server = new OAuthResourceServer(config)
-            const metadata = server.getMetadata()
-
-            expect(metadata.resource_documentation).toBe('http://localhost:3000/docs')
-        })
-
-        it('should cache metadata', () => {
-            const server = new OAuthResourceServer(config)
-            const metadata1 = server.getMetadata()
-            const metadata2 = server.getMetadata()
-
-            expect(metadata1).toBe(metadata2) // Same reference (cached)
-        })
-    })
-
-    describe('getWWWAuthenticateHeader', () => {
-        it('should return Bearer realm header', () => {
-            const server = new OAuthResourceServer(config)
-            const header = server.getWWWAuthenticateHeader()
-            expect(header).toContain('Bearer realm="http://localhost:3000"')
-        })
-
-        it('should include error when provided', () => {
-            const server = new OAuthResourceServer(config)
-            const header = server.getWWWAuthenticateHeader('invalid_token')
-            expect(header).toContain('error="invalid_token"')
-        })
-
-        it('should include error description when provided', () => {
-            const server = new OAuthResourceServer(config)
-            const header = server.getWWWAuthenticateHeader('invalid_token', 'Token has expired')
-            expect(header).toContain('error_description="Token has expired"')
-        })
-    })
-
-    describe('accessor methods', () => {
-        it('should return resource URI', () => {
-            const server = new OAuthResourceServer(config)
-            expect(server.getResourceUri()).toBe('http://localhost:3000')
-        })
-
-        it('should return authorization servers', () => {
-            const server = new OAuthResourceServer(config)
-            expect(server.getAuthorizationServers()).toEqual(['https://auth.example.com'])
-        })
-
-        it('should return supported scopes', () => {
-            const server = new OAuthResourceServer(config)
-            expect(server.getSupportedScopes()).toEqual(['read', 'write', 'admin'])
-        })
-
-        it('should return well-known path', () => {
-            const server = new OAuthResourceServer(config)
-            expect(server.getWellKnownPath()).toBe('/.well-known/oauth-protected-resource')
-        })
-    })
-
-    describe('isScopeSupported', () => {
-        it('should return true for base scopes', () => {
-            const server = new OAuthResourceServer(config)
-            expect(server.isScopeSupported('read')).toBe(true)
-            expect(server.isScopeSupported('write')).toBe(true)
-            expect(server.isScopeSupported('admin')).toBe(true)
-            expect(server.isScopeSupported('full')).toBe(true)
-        })
-
-        it('should return false for unsupported scopes', () => {
-            const server = new OAuthResourceServer(config)
-            expect(server.isScopeSupported('unknown')).toBe(false)
-        })
-    })
-
-    describe('clearCache', () => {
-        it('should clear cached metadata', () => {
-            const server = new OAuthResourceServer(config)
-            const metadata1 = server.getMetadata()
-            server.clearCache()
-            const metadata2 = server.getMetadata()
-
-            // Different references after cache clear
-            expect(metadata1).not.toBe(metadata2)
-            // But same content
-            expect(metadata1).toEqual(metadata2)
-        })
-    })
-
-    describe('getMetadataHandler', () => {
-        it('should return a function', () => {
-            const server = new OAuthResourceServer(config)
-            const handler = server.getMetadataHandler()
-            expect(typeof handler).toBe('function')
-        })
-
-        it('should serve metadata with correct headers', () => {
-            const server = new OAuthResourceServer(config)
-            const handler = server.getMetadataHandler()
-
-            const mockReq = {} as any
-            const mockRes = {
-                setHeader: vi.fn(),
-                json: vi.fn(),
-            } as any
-
-            handler(mockReq, mockRes, vi.fn())
-
-            expect(mockRes.setHeader).toHaveBeenCalledWith('Content-Type', 'application/json')
-            expect(mockRes.setHeader).toHaveBeenCalledWith('Cache-Control', 'public, max-age=3600')
-            expect(mockRes.json).toHaveBeenCalled()
-
-            // Check that it sent the actual metadata
-            const metadata = mockRes.json.mock.calls[0][0]
-            expect(metadata.resource).toBe(config.resource)
-        })
-    })
-})

package/tests/auth/scope-map.test.ts

@@ -1,66 +0,0 @@
-/**
- * memory-journal-mcp — Scope Map Unit Tests
- *
- * Tests for the tool-to-scope reverse lookup.
- */
-
-import { describe, it, expect } from 'vitest'
-import { getRequiredScope, getToolScopeMap } from '../../src/auth/scope-map.js'
-import { TOOL_GROUPS } from '../../src/filtering/tool-filter.js'
-import { TOOL_GROUP_SCOPES } from '../../src/auth/scopes.js'
-import type { ToolGroup } from '../../src/types/index.js'
-
-describe('scope-map', () => {
-    describe('getRequiredScope', () => {
-        it('should return read for core tools', () => {
-            const coreTools = TOOL_GROUPS['core']
-            if (coreTools && coreTools.length > 0) {
-                const firstTool = coreTools[0]!
-                expect(getRequiredScope(firstTool)).toBe('read')
-            }
-        })
-
-        it('should return write for github tools', () => {
-            const githubTools = TOOL_GROUPS['github']
-            if (githubTools && githubTools.length > 0) {
-                const firstTool = githubTools[0]!
-                expect(getRequiredScope(firstTool)).toBe('write')
-            }
-        })
-
-        it('should return admin for admin tools', () => {
-            const adminTools = TOOL_GROUPS['admin']
-            if (adminTools && adminTools.length > 0) {
-                const firstTool = adminTools[0]!
-                expect(getRequiredScope(firstTool)).toBe('admin')
-            }
-        })
-
-        it('should return read as safe default for unknown tools', () => {
-            expect(getRequiredScope('nonexistent_tool_xyz')).toBe('read')
-        })
-    })
-
-    describe('getToolScopeMap', () => {
-        it('should return a ReadonlyMap', () => {
-            const map = getToolScopeMap()
-            expect(map).toBeInstanceOf(Map)
-        })
-
-        it('should contain entries for every tool in TOOL_GROUPS', () => {
-            const map = getToolScopeMap()
-
-            for (const [group, tools] of Object.entries(TOOL_GROUPS)) {
-                const expectedScope = TOOL_GROUP_SCOPES[group as ToolGroup]
-                for (const tool of tools) {
-                    expect(map.get(tool)).toBe(expectedScope)
-                }
-            }
-        })
-
-        it('should not be empty', () => {
-            const map = getToolScopeMap()
-            expect(map.size).toBeGreaterThan(0)
-        })
-    })
-})

package/tests/auth/scopes.test.ts

@@ -1,347 +0,0 @@
-/**
- * memory-journal-mcp — OAuth Scopes Unit Tests
- *
- * Tests for scope definitions, hierarchy, and enforcement utilities.
- */
-
-import { describe, it, expect } from 'vitest'
-import {
-    SCOPES,
-    parseScopes,
-    hasScope,
-    hasAnyScope,
-    hasAllScopes,
-    hasAdminScope,
-    hasWriteScope,
-    hasReadScope,
-    isValidScope,
-    getScopeForToolGroup,
-    getScopeDisplayName,
-    getRequiredScopeForGroup,
-    getAccessibleToolGroups,
-    getAccessibleTools,
-    TOOL_GROUP_SCOPES,
-    READ_SCOPE_GROUPS,
-    WRITE_SCOPE_GROUPS,
-    ADMIN_SCOPE_GROUPS,
-} from '../../src/auth/scopes.js'
-
-// =============================================================================
-// parseScopes
-// =============================================================================
-
-describe('parseScopes', () => {
-    it('should parse space-delimited scope string', () => {
-        expect(parseScopes('read write admin')).toEqual(['read', 'write', 'admin'])
-    })
-
-    it('should return empty array for empty string', () => {
-        expect(parseScopes('')).toEqual([])
-    })
-
-    it('should handle single scope', () => {
-        expect(parseScopes('read')).toEqual(['read'])
-    })
-
-    it('should strip extra whitespace', () => {
-        expect(parseScopes('  read   write  ')).toEqual(['read', 'write'])
-    })
-})
-
-// =============================================================================
-// hasScope (hierarchy: full ⊃ admin ⊃ write ⊃ read)
-// =============================================================================
-
-describe('hasScope', () => {
-    it('should return true for direct match', () => {
-        expect(hasScope(['read', 'write'], 'read')).toBe(true)
-    })
-
-    it('should return false when scope not present', () => {
-        expect(hasScope(['read'], 'write')).toBe(false)
-    })
-
-    it('should grant all scopes when full is present', () => {
-        expect(hasScope(['full'], 'read')).toBe(true)
-        expect(hasScope(['full'], 'write')).toBe(true)
-        expect(hasScope(['full'], 'admin')).toBe(true)
-    })
-
-    it('should grant read and write when admin is present', () => {
-        expect(hasScope(['admin'], 'read')).toBe(true)
-        expect(hasScope(['admin'], 'write')).toBe(true)
-    })
-
-    it('should NOT grant admin when only write is present', () => {
-        expect(hasScope(['write'], 'admin')).toBe(false)
-    })
-
-    it('should grant read when write is present', () => {
-        expect(hasScope(['write'], 'read')).toBe(true)
-    })
-
-    it('should NOT grant write when only read is present', () => {
-        expect(hasScope(['read'], 'write')).toBe(false)
-    })
-
-    it('should return false for empty scopes', () => {
-        expect(hasScope([], 'read')).toBe(false)
-    })
-})
-
-// =============================================================================
-// hasAnyScope / hasAllScopes
-// =============================================================================
-
-describe('hasAnyScope', () => {
-    it('should return true if any scope matches', () => {
-        expect(hasAnyScope(['read'], ['read', 'write'])).toBe(true)
-    })
-
-    it('should return false if no scopes match', () => {
-        expect(hasAnyScope(['read'], ['write', 'admin'])).toBe(false)
-    })
-
-    it('should handle hierarchy (full grants any)', () => {
-        expect(hasAnyScope(['full'], ['admin'])).toBe(true)
-    })
-})
-
-describe('hasAllScopes', () => {
-    it('should return true if all scopes match', () => {
-        expect(hasAllScopes(['read', 'write', 'admin'], ['read', 'write'])).toBe(true)
-    })
-
-    it('should return false if not all scopes match', () => {
-        expect(hasAllScopes(['read'], ['read', 'write'])).toBe(false)
-    })
-
-    it('should respect hierarchy for all checks', () => {
-        expect(hasAllScopes(['full'], ['read', 'write', 'admin'])).toBe(true)
-    })
-})
-
-// =============================================================================
-// Convenience scope checks
-// =============================================================================
-
-describe('hasAdminScope', () => {
-    it('should return true for admin', () => {
-        expect(hasAdminScope(['admin'])).toBe(true)
-    })
-
-    it('should return true for full (which includes admin)', () => {
-        expect(hasAdminScope(['full'])).toBe(true)
-    })
-
-    it('should return false for write/read only', () => {
-        expect(hasAdminScope(['write'])).toBe(false)
-        expect(hasAdminScope(['read'])).toBe(false)
-    })
-})
-
-describe('hasWriteScope', () => {
-    it('should return true for write', () => {
-        expect(hasWriteScope(['write'])).toBe(true)
-    })
-
-    it('should return true for admin (which includes write)', () => {
-        expect(hasWriteScope(['admin'])).toBe(true)
-    })
-
-    it('should return true for full', () => {
-        expect(hasWriteScope(['full'])).toBe(true)
-    })
-
-    it('should return false for read only', () => {
-        expect(hasWriteScope(['read'])).toBe(false)
-    })
-})
-
-describe('hasReadScope', () => {
-    it('should return true for read', () => {
-        expect(hasReadScope(['read'])).toBe(true)
-    })
-
-    it('should return true for write (which includes read)', () => {
-        expect(hasReadScope(['write'])).toBe(true)
-    })
-
-    it('should return true for full', () => {
-        expect(hasReadScope(['full'])).toBe(true)
-    })
-})
-
-// =============================================================================
-// isValidScope
-// =============================================================================
-
-describe('isValidScope', () => {
-    it('should validate base scopes', () => {
-        expect(isValidScope('read')).toBe(true)
-        expect(isValidScope('write')).toBe(true)
-        expect(isValidScope('admin')).toBe(true)
-        expect(isValidScope('full')).toBe(true)
-    })
-
-    it('should reject invalid scopes', () => {
-        expect(isValidScope('unknown')).toBe(false)
-        expect(isValidScope('database:mydb')).toBe(false)
-        expect(isValidScope('db:mydb')).toBe(false)
-    })
-})
-
-// =============================================================================
-// TOOL_GROUP_SCOPES & getScopeForToolGroup
-// =============================================================================
-
-describe('TOOL_GROUP_SCOPES', () => {
-    it('should map read-only groups to read', () => {
-        expect(TOOL_GROUP_SCOPES['core']).toBe(SCOPES.READ)
-        expect(TOOL_GROUP_SCOPES['search']).toBe(SCOPES.READ)
-        expect(TOOL_GROUP_SCOPES['analytics']).toBe(SCOPES.READ)
-        expect(TOOL_GROUP_SCOPES['relationships']).toBe(SCOPES.READ)
-        expect(TOOL_GROUP_SCOPES['export']).toBe(SCOPES.READ)
-    })
-
-    it('should map write groups to write', () => {
-        expect(TOOL_GROUP_SCOPES['github']).toBe(SCOPES.WRITE)
-        expect(TOOL_GROUP_SCOPES['team']).toBe(SCOPES.WRITE)
-    })
-
-    it('should map admin groups to admin', () => {
-        expect(TOOL_GROUP_SCOPES['admin']).toBe(SCOPES.ADMIN)
-        expect(TOOL_GROUP_SCOPES['backup']).toBe(SCOPES.ADMIN)
-        expect(TOOL_GROUP_SCOPES['codemode']).toBe(SCOPES.ADMIN)
-    })
-})
-
-describe('getScopeForToolGroup', () => {
-    it('should return correct scope for each group', () => {
-        expect(getScopeForToolGroup('core')).toBe('read')
-        expect(getScopeForToolGroup('github')).toBe('write')
-        expect(getScopeForToolGroup('admin')).toBe('admin')
-    })
-})
-
-// =============================================================================
-// Derived group arrays
-// =============================================================================
-
-describe('scope group arrays', () => {
-    it('READ_SCOPE_GROUPS should contain only read groups', () => {
-        expect(READ_SCOPE_GROUPS).toContain('core')
-        expect(READ_SCOPE_GROUPS).toContain('search')
-        expect(READ_SCOPE_GROUPS).not.toContain('github')
-        expect(READ_SCOPE_GROUPS).not.toContain('admin')
-    })
-
-    it('WRITE_SCOPE_GROUPS should contain read + write groups', () => {
-        expect(WRITE_SCOPE_GROUPS).toContain('core')
-        expect(WRITE_SCOPE_GROUPS).toContain('github')
-        expect(WRITE_SCOPE_GROUPS).toContain('team')
-        expect(WRITE_SCOPE_GROUPS).not.toContain('admin')
-    })
-
-    it('ADMIN_SCOPE_GROUPS should contain all groups', () => {
-        expect(ADMIN_SCOPE_GROUPS).toContain('core')
-        expect(ADMIN_SCOPE_GROUPS).toContain('github')
-        expect(ADMIN_SCOPE_GROUPS).toContain('admin')
-        expect(ADMIN_SCOPE_GROUPS).toContain('codemode')
-    })
-})
-
-// =============================================================================
-// getRequiredScopeForGroup / getAccessibleToolGroups
-// =============================================================================
-
-describe('getRequiredScopeForGroup', () => {
-    it('should return read for read-only groups', () => {
-        expect(getRequiredScopeForGroup('core')).toBe('read')
-    })
-
-    it('should return write for write groups', () => {
-        expect(getRequiredScopeForGroup('github')).toBe('write')
-    })
-
-    it('should return admin for admin groups', () => {
-        expect(getRequiredScopeForGroup('admin')).toBe('admin')
-        expect(getRequiredScopeForGroup('codemode')).toBe('admin')
-    })
-})
-
-describe('getAccessibleToolGroups', () => {
-    it('should return all groups for full scope', () => {
-        const groups = getAccessibleToolGroups(['full'])
-        expect(groups).toContain('admin')
-        expect(groups).toContain('core')
-        expect(groups).toContain('codemode')
-    })
-
-    it('should return all groups for admin scope', () => {
-        const groups = getAccessibleToolGroups(['admin'])
-        expect(groups).toContain('admin')
-        expect(groups).toContain('github')
-        expect(groups).toContain('core')
-    })
-
-    it('should return write+read groups for write scope', () => {
-        const groups = getAccessibleToolGroups(['write'])
-        expect(groups).toContain('core')
-        expect(groups).toContain('github')
-        expect(groups).not.toContain('admin')
-    })
-
-    it('should return read groups for read scope', () => {
-        const groups = getAccessibleToolGroups(['read'])
-        expect(groups).toContain('core')
-        expect(groups).not.toContain('github')
-        expect(groups).not.toContain('admin')
-    })
-
-    it('should return empty for no scopes', () => {
-        expect(getAccessibleToolGroups([])).toEqual([])
-    })
-})
-
-// =============================================================================
-// getAccessibleTools
-// =============================================================================
-
-describe('getAccessibleTools', () => {
-    it('should return tools for accessible groups', () => {
-        const tools = getAccessibleTools(['read'])
-        expect(tools.length).toBeGreaterThan(0)
-        // Should include core tools
-        expect(tools).toContain('create_entry')
-    })
-
-    it('should return all tools for full scope', () => {
-        const tools = getAccessibleTools(['full'])
-        expect(tools).toContain('create_entry') // core
-        expect(tools).toContain('mj_execute_code') // codemode
-    })
-
-    it('should deduplicate tools', () => {
-        const tools = getAccessibleTools(['full'])
-        const uniqueTools = [...new Set(tools)]
-        expect(tools.length).toBe(uniqueTools.length)
-    })
-})
-
-// =============================================================================
-// getScopeDisplayName
-// =============================================================================
-
-describe('getScopeDisplayName', () => {
-    it('should return display names for standard scopes', () => {
-        expect(getScopeDisplayName('read')).toBe('Read Only')
-        expect(getScopeDisplayName('write')).toBe('Read/Write')
-        expect(getScopeDisplayName('admin')).toBe('Administrative')
-        expect(getScopeDisplayName('full')).toBe('Full Access')
-    })
-
-    it('should return unknown scopes as-is', () => {
-        expect(getScopeDisplayName('custom_scope')).toBe('custom_scope')
-    })
-})