atlas-chat 0.1.0__py3-none-any.whl

atlas/tests/test_rag_mcp_aggregator.py

@@ -0,0 +1,204 @@
+import os
+import sys
+import types
+
+import pytest
+
+# Ensure backend root is on path (same approach used in other tests)
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), "..")))
+
+# Patch fastmcp Client usage by MCPToolManager with a fake client/manager
+@pytest.fixture(autouse=True)
+def patch_mcp(monkeypatch):
+    from atlas.modules.mcp_tools.client import MCPToolManager
+
+    class FakeTool:
+        def __init__(self, name, description="", inputSchema=None):
+            self.name = name
+            self.description = description
+            self.inputSchema = inputSchema or {"type": "object", "properties": {"username": {"type": "string"}}}
+
+    class FakeClient:
+        def __init__(self, server_name):
+            self.server_name = server_name
+        async def __aenter__(self):
+            return self
+        async def __aexit__(self, exc_type, exc, tb):
+            return False
+        async def call_tool(self, tool_name, arguments, **kwargs):
+            # Provide deterministic results for test
+            if tool_name == "rag_discover_resources":
+                if self.server_name == "docsRag":
+                    return types.SimpleNamespace(
+                        structured_content={
+                            "results": {
+                                "resources": [
+                                    {"id": "handbook", "name": "Employee Handbook", "authRequired": True, "groups": ["hr"], "defaultSelected": True},
+                                    {"id": "legal", "name": "Legal Docs", "authRequired": True, "groups": ["legal"]},
+                                ]
+                            }
+                        }
+                    )
+                elif self.server_name == "notionRag":
+                    return types.SimpleNamespace(
+                        structured_content={
+                            "results": {
+                                "resources": [
+                                    {"id": "notion-space", "name": "Notion Space", "authRequired": True, "groups": ["notion"]}
+                                ]
+                            }
+                        }
+                    )
+            if tool_name == "rag_get_raw_results":
+                # Return hits with scores
+                return types.SimpleNamespace(
+                    structured_content={
+                        "results": {
+                            "hits": [
+                                {"id": f"{self.server_name}-1", "score": 0.9, "resourceId": arguments.get("sources", [""])[0]},
+                                {"id": f"{self.server_name}-2", "score": 0.5, "resourceId": arguments.get("sources", [""])[-1]},
+                            ],
+                            "stats": {"top_k": arguments.get("top_k", 8)},
+                        }
+                    }
+                )
+            if tool_name == "rag_get_synthesized_results":
+                return types.SimpleNamespace(
+                    structured_content={
+                        "results": {
+                            "answer": f"Answer from {self.server_name}",
+                            "citations": [{"resourceId": r} for r in arguments.get("sources", [])],
+                        }
+                    }
+                )
+            return types.SimpleNamespace(structured_content={})
+
+    async def fake_initialize_clients(self):
+        # Pretend both servers are configured and online
+        self.clients = {"docsRag": FakeClient("docsRag"), "notionRag": FakeClient("notionRag")}
+
+    async def fake_discover_tools(self):
+        # Expose RAG tools on docsRag; notionRag only discovery/raw
+        self.available_tools = {
+            "docsRag": {
+                "tools": [FakeTool("rag_discover_resources"), FakeTool("rag_get_raw_results"), FakeTool("rag_get_synthesized_results")],
+                "config": {"description": "Docs RAG"},
+            },
+            "notionRag": {
+                "tools": [FakeTool("rag_discover_resources"), FakeTool("rag_get_raw_results")],
+                "config": {"description": "Notion RAG"},
+            },
+        }
+        # Also set servers config for UI fields
+        self.servers_config = {
+            "docsRag": {"description": "Docs RAG", "ui": {"icon": "book"}},
+            "notionRag": {"description": "Notion", "ui": {"icon": "notion"}},
+        }
+
+    async def fake_discover_prompts(self):
+        self.available_prompts = {}
+
+    async def fake_get_authorized_servers(self, user_email, auth_check_func):
+        # Simple ACL: allow both for @company.com; only docsRag otherwise
+        return ["docsRag", "notionRag"] if user_email.endswith("@company.com") else ["docsRag"]
+
+    async def fake_call_tool(self, server_name, tool_name, arguments, **kwargs):
+        return await self.clients[server_name].call_tool(tool_name, arguments)
+
+    monkeypatch.setattr(MCPToolManager, "initialize_clients", fake_initialize_clients, raising=False)
+    monkeypatch.setattr(MCPToolManager, "discover_tools", fake_discover_tools, raising=False)
+    monkeypatch.setattr(MCPToolManager, "discover_prompts", fake_discover_prompts, raising=False)
+    monkeypatch.setattr(MCPToolManager, "get_authorized_servers", fake_get_authorized_servers, raising=False)
+    monkeypatch.setattr(MCPToolManager, "call_tool", fake_call_tool, raising=False)
+
+    # Also patch rag_mcp_config to return the test RAG servers
+    # (RAGMCPService uses rag_mcp_config for authorization, not mcp_manager.servers_config)
+    from atlas.modules.config.config_manager import ConfigManager, MCPConfig, MCPServerConfig
+    fake_rag_servers = {
+        "docsRag": MCPServerConfig(
+            description="Docs RAG",
+            enabled=True,
+            groups=["users"],  # Everyone is in users group
+        ),
+        "notionRag": MCPServerConfig(
+            description="Notion RAG",
+            enabled=True,
+            groups=["company"],  # Only company users
+        ),
+    }
+    fake_rag_mcp_config = MCPConfig(servers=fake_rag_servers)
+    monkeypatch.setattr(ConfigManager, "rag_mcp_config", property(lambda self: fake_rag_mcp_config))
+
+    # Patch is_user_in_group to simulate domain-based access
+    # @company.com users are in "company" group, everyone is in "users" group
+    async def fake_is_user_in_group(user_id: str, group_id: str) -> bool:
+        if group_id == "users":
+            return True
+        if group_id == "company":
+            return user_id.endswith("@company.com")
+        return False
+
+    from atlas.core import auth as core_auth
+    monkeypatch.setattr(core_auth, "is_user_in_group", fake_is_user_in_group)
+
+
+@pytest.mark.asyncio
+async def test_discovery_across_multiple_servers():
+    from atlas.infrastructure.app_factory import app_factory
+    # Initialize MCP
+    mcp = app_factory.get_mcp_manager()
+    await mcp.initialize_clients()
+    await mcp.discover_tools()
+    await mcp.discover_prompts()
+
+    from atlas.core.auth import is_user_in_group
+    from atlas.domain.rag_mcp_service import RAGMCPService
+
+    svc = RAGMCPService(mcp, app_factory.get_config_manager(), is_user_in_group)
+    # user with @company.com gets both servers
+    sources = await svc.discover_data_sources("alice@company.com")
+    assert "docsRag:handbook" in sources
+    assert "docsRag:legal" in sources
+    assert "notionRag:notion-space" in sources
+
+    # richer servers
+    servers = await svc.discover_servers("alice@company.com")
+    assert any(s["server"] == "docsRag" and s["sources"] for s in servers)
+
+
+@pytest.mark.asyncio
+async def test_acl_filtering():
+    from atlas.core.auth import is_user_in_group
+    from atlas.domain.rag_mcp_service import RAGMCPService
+    from atlas.infrastructure.app_factory import app_factory
+
+    mcp = app_factory.get_mcp_manager()
+    await mcp.initialize_clients()
+    await mcp.discover_tools()
+    await mcp.discover_prompts()
+
+    svc = RAGMCPService(mcp, app_factory.get_config_manager(), is_user_in_group)
+    # Non-company user only sees docsRag
+    sources = await svc.discover_data_sources("bob@public.net")
+    assert all(s.startswith("docsRag:") for s in sources)
+
+
+@pytest.mark.asyncio
+async def test_search_and_synthesize_merge():
+    from atlas.core.auth import is_user_in_group
+    from atlas.domain.rag_mcp_service import RAGMCPService
+    from atlas.infrastructure.app_factory import app_factory
+
+    mcp = app_factory.get_mcp_manager()
+    await mcp.initialize_clients()
+    await mcp.discover_tools()
+    await mcp.discover_prompts()
+
+    svc = RAGMCPService(mcp, app_factory.get_config_manager(), is_user_in_group)
+    sources = ["docsRag:handbook", "notionRag:notion-space"]
+    res = await svc.search_raw("alice@company.com", "vacation policy", sources, top_k=1)
+    assert "results" in res and "hits" in res["results"]
+    assert len(res["results"]["hits"]) == 1  # limited by top_k
+
+    syn = await svc.synthesize("alice@company.com", "vacation policy", sources, top_k=2)
+    assert "results" in syn and "answer" in syn["results"]

atlas/tests/test_rag_mcp_service.py

@@ -0,0 +1,224 @@
+import os
+import sys
+import types
+from typing import Any, Dict, List
+
+import pytest
+
+# Ensure backend root is on path (same approach used in other tests)
+sys.path.insert(0, os.path.abspath(os.path.join(os.path.dirname(__file__), "..")))
+
+
+class FakeTool:
+    def __init__(self, name: str):
+        self.name = name
+
+
+class FakeMCP:
+    def __init__(self):
+        # Simulate available tools config per server
+        self.available_tools: Dict[str, Dict[str, Any]] = {
+            "docsRag": {"tools": [FakeTool("rag_discover_resources"), FakeTool("rag_get_raw_results")], "config": {"ui": {"icon": "book"}}},
+            "searchRag": {"tools": [FakeTool("rag_discover_resources"), FakeTool("rag_get_raw_results"), FakeTool("rag_get_synthesized_results")], "config": {}},
+            "misc": {"tools": [FakeTool("other")], "config": {}},
+        }
+
+    async def get_authorized_servers(self, user: str, _auth) -> List[str]:
+        # User bob can see all, alice cannot see misc
+        if user.startswith("alice"):
+            return ["docsRag", "searchRag"]
+        return list(self.available_tools.keys())
+
+    async def call_tool(self, server_name: str, tool_name: str, arguments: Dict[str, Any], *_, **__):
+        # Return minimal v2-structured payloads
+        if tool_name == "rag_discover_resources":
+            if server_name == "docsRag":
+                return types.SimpleNamespace(structured_content={
+                    "results": {"resources": [
+                        {"id": "handbook", "name": "Employee Handbook", "authRequired": True, "groups": ["hr"], "defaultSelected": True},
+                        {"id": "legal", "name": "Legal Docs", "authRequired": True, "groups": ["legal"]},
+                    ]}
+                })
+            if server_name == "searchRag":
+                return types.SimpleNamespace(structured_content={
+                    "results": {"resources": [
+                        {"id": "kb", "name": "KB", "authRequired": True, "groups": ["kb"]}
+                    ]}
+                })
+        if tool_name == "rag_get_raw_results":
+            q = arguments.get("query")
+            srcs = arguments.get("sources", [])
+            hits = []
+            for i, s in enumerate(srcs):
+                hits.append({
+                    "id": f"{server_name}-{s}-{i}",
+                    "score": 1.0 - i * 0.01,
+                    "resourceId": f"{server_name}:{s}",
+                    "title": f"{q} in {s}",
+                })
+            return types.SimpleNamespace(structured_content={"results": {"hits": hits}})
+        if tool_name == "rag_get_synthesized_results":
+            return types.SimpleNamespace(structured_content={
+                "results": {"answer": f"Synth for {arguments.get('query')} by {server_name}"}
+            })
+        return types.SimpleNamespace(structured_content={})
+
+
+class FakeMCPServerConfig:
+    """Minimal server config for testing."""
+    def __init__(self, enabled=True, groups=None):
+        self.enabled = enabled
+        self.groups = groups or []
+
+
+class FakeMCPConfig:
+    """Minimal MCP config for testing."""
+    def __init__(self, servers=None):
+        self.servers = servers or {}
+
+
+class FakeConfig:
+    """Fake config manager for testing RAGMCPService."""
+    def __init__(self, rag_servers=None):
+        # Default RAG servers matching FakeMCP.available_tools
+        if rag_servers is None:
+            rag_servers = {
+                "docsRag": FakeMCPServerConfig(enabled=True, groups=["users"]),
+                "searchRag": FakeMCPServerConfig(enabled=True, groups=["users"]),
+                "misc": FakeMCPServerConfig(enabled=True, groups=["users"]),
+            }
+        self._rag_mcp_config = FakeMCPConfig(servers=rag_servers)
+
+    @property
+    def rag_mcp_config(self):
+        return self._rag_mcp_config
+
+
+async def fake_auth_check(user: str, group: str) -> bool:
+    """Default auth check - everyone is in 'users' group."""
+    return group == "users"
+
+
+@pytest.mark.asyncio
+async def test_discovery_flat_and_rich():
+    from atlas.domain.rag_mcp_service import RAGMCPService
+
+    svc = RAGMCPService(FakeMCP(), FakeConfig(), fake_auth_check)
+
+    flat = await svc.discover_data_sources("bob@example.com")
+    # misc has no rag_discover_resources, excluded
+    assert set(flat) == {"docsRag:handbook", "docsRag:legal", "searchRag:kb"}
+
+    rich = await svc.discover_servers("alice@example.com")
+    servers = {d["server"] for d in rich}
+    assert servers == {"docsRag", "searchRag"}
+    # docsRag must include two sources with defaultSelected on handbook
+    dr = next(s for s in rich if s["server"] == "docsRag")
+    assert any(x.get("selected") for x in dr["sources"])  # handbook default selected
+
+
+@pytest.mark.asyncio
+async def test_search_and_synthesize_merge():
+    from atlas.domain.rag_mcp_service import RAGMCPService
+
+    svc = RAGMCPService(FakeMCP(), FakeConfig(), fake_auth_check)
+    res = await svc.search_raw(
+        username="bob@example.com",
+        query="policy",
+        sources=["docsRag:handbook", "searchRag:kb"],
+        top_k=2,
+    )
+    hits = res.get("results", {}).get("hits", [])
+    assert len(hits) == 2
+    # resourceId should be qualified
+    assert all(":" in h.get("resourceId", "") for h in hits)
+
+    syn = await svc.synthesize(
+        username="alice@example.com",
+        query="benefits",
+        sources=["searchRag:kb"],
+    )
+    answer = syn.get("results", {}).get("answer")
+    assert isinstance(answer, str) and "Synth for" in answer
+
+
+@pytest.mark.asyncio
+async def test_rag_authorization_uses_rag_config_not_mcp_servers_config():
+    """
+    Regression test: RAG authorization must use rag_mcp_config, not mcp_manager.servers_config.
+
+    Bug context: RAGMCPService temporarily adds RAG servers to mcp_manager.servers_config
+    for initialization, then restores the original config. If authorization checks
+    use servers_config (which no longer has RAG servers), no RAG sources are returned.
+
+    The fix is to check authorization directly against rag_mcp_config.servers.
+    """
+    from atlas.domain.rag_mcp_service import RAGMCPService
+
+    class MCPWithEmptyServersConfig:
+        """MCP manager with empty servers_config (RAG servers only in rag_mcp_config)."""
+        def __init__(self):
+            # Simulate RAG servers being initialized but NOT in servers_config
+            self.servers_config = {}  # Empty! RAG servers were temporarily added then removed
+            self.clients = {"ragServer": object()}  # Client exists (was initialized)
+            self.available_tools = {
+                "ragServer": {
+                    "tools": [FakeTool("rag_discover_resources")],
+                    "config": {}
+                }
+            }
+
+        async def get_authorized_servers(self, user: str, _auth) -> List[str]:
+            # This would return [] because servers_config is empty
+            return list(self.servers_config.keys())
+
+        async def call_tool(self, server_name: str, tool_name: str, arguments: Dict[str, Any], *_, **__):
+            if tool_name == "rag_discover_resources":
+                return types.SimpleNamespace(structured_content={
+                    "results": {"resources": [
+                        {"id": "doc1", "name": "Document 1"}
+                    ]}
+                })
+            return types.SimpleNamespace(structured_content={})
+
+    # RAG server configured in rag_mcp_config
+    rag_servers = {
+        "ragServer": FakeMCPServerConfig(enabled=True, groups=["users"])
+    }
+    fake_config = FakeConfig(rag_servers=rag_servers)
+
+    svc = RAGMCPService(MCPWithEmptyServersConfig(), fake_config, fake_auth_check)
+
+    # This should find ragServer even though mcp_manager.servers_config is empty
+    flat = await svc.discover_data_sources("user@example.com")
+
+    # Before the fix, this would return [] because authorization checked servers_config
+    # After the fix, this returns the RAG sources because authorization uses rag_mcp_config
+    assert "ragServer:doc1" in flat, \
+        "RAG authorization should use rag_mcp_config, not mcp_manager.servers_config"
+
+
+@pytest.mark.asyncio
+async def test_rag_group_filtering():
+    """Test that RAG sources are properly filtered by group membership."""
+    from atlas.domain.rag_mcp_service import RAGMCPService
+
+    # Server requires 'admin' group, not 'users'
+    rag_servers = {
+        "docsRag": FakeMCPServerConfig(enabled=True, groups=["admin"]),
+        "searchRag": FakeMCPServerConfig(enabled=True, groups=["users"]),
+        "misc": FakeMCPServerConfig(enabled=True, groups=["users"]),
+    }
+
+    async def restricted_auth_check(user: str, group: str) -> bool:
+        # User is only in 'users' group, not 'admin'
+        return group == "users"
+
+    svc = RAGMCPService(FakeMCP(), FakeConfig(rag_servers=rag_servers), restricted_auth_check)
+
+    flat = await svc.discover_data_sources("user@example.com")
+
+    # docsRag requires 'admin' group, user is not in admin
+    assert "docsRag:handbook" not in flat, "Admin-only RAG server should not be visible"
+    # searchRag is in 'users' group
+    assert "searchRag:kb" in flat, "User-accessible RAG server should be visible"

atlas/tests/test_rate_limit_middleware.py

@@ -0,0 +1,45 @@
+from fastapi import FastAPI
+from starlette.testclient import TestClient
+
+from atlas.core.rate_limit_middleware import RateLimitMiddleware
+from atlas.modules.config import config_manager
+
+
+def test_rate_limit_blocks_after_threshold():
+    # Configure very low limits via ConfigManager
+    settings = config_manager.app_settings
+    orig_rpm = settings.rate_limit_rpm
+    orig_window = settings.rate_limit_window_seconds
+    orig_per_path = settings.rate_limit_per_path
+
+    settings.rate_limit_rpm = 2
+    settings.rate_limit_window_seconds = 60
+    settings.rate_limit_per_path = False
+
+    try:
+        app = FastAPI()
+        app.add_middleware(RateLimitMiddleware)
+
+        @app.get("/ping")
+        def ping():
+            return {"ok": True}
+
+        client = TestClient(app)
+
+        # First two requests should pass
+        r1 = client.get("/ping")
+        assert r1.status_code == 200
+        r2 = client.get("/ping")
+        assert r2.status_code == 200
+
+        # Third request within the window should be rate-limited
+        r3 = client.get("/ping")
+        assert r3.status_code == 429
+        data = r3.json()
+        assert "detail" in data
+        assert "Retry-After" in r3.headers
+    finally:
+        # Restore original settings to avoid side effects on other tests
+        settings.rate_limit_rpm = orig_rpm
+        settings.rate_limit_window_seconds = orig_window
+        settings.rate_limit_per_path = orig_per_path

atlas/tests/test_routes_config_smoke.py

@@ -0,0 +1,60 @@
+from unittest.mock import AsyncMock, MagicMock, patch
+
+from main import app
+from starlette.testclient import TestClient
+
+from atlas.infrastructure.app_factory import app_factory
+
+
+def test_config_endpoint_smoke(monkeypatch):
+    client = TestClient(app)
+    resp = client.get("/api/config", headers={"X-User-Email": "test@test.com"})
+    # Endpoint should not crash; tolerate 200 with minimal fields
+    assert resp.status_code == 200
+    data = resp.json()
+    assert "app_name" in data
+    assert "models" in data
+    assert "tools" in data
+    assert "prompts" in data
+    assert "data_sources" in data
+
+
+def test_rag_discovery_skipped_when_feature_disabled(monkeypatch):
+    """Verify RAG discovery is not attempted when feature_rag_enabled is False."""
+    # Create mock unified_rag_service to track if discover_data_sources is called
+    mock_unified_rag = MagicMock()
+    mock_unified_rag.discover_data_sources = AsyncMock(return_value=[])
+
+    # Create mock rag_mcp_service
+    mock_rag_mcp = MagicMock()
+    mock_rag_mcp.discover_data_sources = AsyncMock(return_value=[])
+    mock_rag_mcp.discover_servers = AsyncMock(return_value=[])
+
+    # Patch the app_factory methods
+    with patch.object(app_factory, 'get_unified_rag_service', return_value=mock_unified_rag):
+        with patch.object(app_factory, 'get_rag_mcp_service', return_value=mock_rag_mcp):
+            # Ensure RAG feature is disabled
+            config_manager = app_factory.get_config_manager()
+            original_setting = config_manager.app_settings.feature_rag_enabled
+            # Use object.__setattr__ to bypass Pydantic frozen model protection
+            object.__setattr__(config_manager.app_settings, 'feature_rag_enabled', False)
+
+            try:
+                client = TestClient(app)
+                resp = client.get("/api/config", headers={"X-User-Email": "test@test.com"})
+                assert resp.status_code == 200
+
+                # Verify RAG discovery was NOT called when feature is disabled
+                mock_unified_rag.discover_data_sources.assert_not_called()
+                mock_rag_mcp.discover_data_sources.assert_not_called()
+                mock_rag_mcp.discover_servers.assert_not_called()
+
+                # Verify response still has data_sources field (just empty)
+                data = resp.json()
+                assert "data_sources" in data
+                assert data["data_sources"] == []
+                assert "rag_servers" in data
+                assert data["rag_servers"] == []
+            finally:
+                # Restore original setting
+                object.__setattr__(config_manager.app_settings, 'feature_rag_enabled', original_setting)

atlas/tests/test_routes_files_download_token.py

@@ -0,0 +1,41 @@
+import base64
+
+from main import app
+from starlette.testclient import TestClient
+
+from atlas.core.capabilities import generate_file_token
+
+
+def test_files_download_with_token(monkeypatch):
+    client = TestClient(app)
+
+    # Prepare fake file in mock S3 by monkeypatching S3 client get_file
+    from atlas.infrastructure.app_factory import app_factory
+    s3 = app_factory.get_file_storage()
+
+    async def fake_get_file(user, key):
+        return {
+            "key": key,
+            "filename": "hello.txt",
+            "content_base64": base64.b64encode(b"hello").decode(),
+            "content_type": "text/plain",
+            "size": 5,
+            "last_modified": "",
+            "etag": "",
+            "tags": {},
+            "user_email": user,
+        }
+
+    monkeypatch.setattr(s3, "get_file", fake_get_file)
+
+    token = generate_file_token(user_email="test@test.com", file_key="k1", ttl_seconds=60)
+
+    resp = client.get(
+        "/api/files/download/k1",
+        params={"token": token},
+        headers={"X-User-Email": "ignored@example.com"},  # token overrides
+    )
+    assert resp.status_code == 200
+    assert resp.content == b"hello"
+    ct = resp.headers.get("content-type", "")
+    assert ct.startswith("text/plain")

atlas/tests/test_routes_files_health.py

@@ -0,0 +1,18 @@
+from main import app
+from starlette.testclient import TestClient
+
+
+def test_files_health_endpoint(monkeypatch):
+    # Stub out S3 client call to avoid external dependency sensitivity
+    from atlas.infrastructure.app_factory import app_factory
+    s3 = app_factory.get_file_storage()
+    # No network call is made by files/health; but ensure attributes exist
+    assert hasattr(s3, "endpoint_url")
+
+    client = TestClient(app)
+    resp = client.get("/api/files/healthz", headers={"X-User-Email": "test@test.com"})
+    assert resp.status_code == 200
+    data = resp.json()
+    assert data["status"] == "healthy"
+    assert data["service"] == "files-api"
+    assert "s3_config" in data

atlas/tests/test_runtime_imports.py

@@ -0,0 +1,53 @@
+import os
+import subprocess
+import sys
+from pathlib import Path
+
+
+def run_subprocess(code: str, cwd: Path, project_root: Path = None):
+    env = os.environ.copy()
+    # For the atlas package structure, ensure project root is in PYTHONPATH
+    if project_root:
+        env["PYTHONPATH"] = str(project_root)
+    else:
+        env.pop("PYTHONPATH", None)
+    proc = subprocess.run(
+        [sys.executable, "-c", code],
+        cwd=str(cwd),
+        env=env,
+        capture_output=True,
+        text=True,
+        timeout=30,
+    )
+    return proc
+
+
+def test_backend_dir_imports_work_without_project_root_in_path():
+    """
+    Ensure imports work when running from the atlas directory (the supported run mode).
+    The atlas package requires the project root on PYTHONPATH for proper package imports.
+    This mirrors `bash agent_start.sh` which sets PYTHONPATH before running from ./atlas.
+    """
+    atlas_dir = Path(__file__).resolve().parents[1]
+    project_root = atlas_dir.parent
+
+    code = (
+        "import main; "
+        "from atlas.modules.config import ConfigManager; "
+        "cm=ConfigManager(); "
+        "_ = cm.llm_config; _ = cm.mcp_config; _ = cm.rag_mcp_config; "
+        "print('OK')"
+    )
+
+    proc = run_subprocess(code, atlas_dir, project_root=project_root)
+
+    # Helpful diagnostics on failure
+    if proc.returncode != 0:
+        print("STDOUT:\n" + proc.stdout)
+        print("STDERR:\n" + proc.stderr)
+
+    assert proc.returncode == 0, "Subprocess failed to import and initialize config from atlas dir"
+    # Guard against the specific regression seen in runtime warnings
+    assert "No module named 'atlas'" not in (proc.stdout + proc.stderr)
+    assert "Could not validate LLM compliance levels" not in (proc.stdout + proc.stderr)
+    assert "Could not validate MCP compliance levels" not in (proc.stdout + proc.stderr)