test(mcp): verify note draft audit metadata

2026-03-10 09:28:30 -07:00 · 2026-03-10 09:28:30 -07:00 · a748d78551
commit a748d78551
parent 98144ab4ff
2 changed files with 33 additions and 6 deletions
--- a/backend/src/mcp/note-tools.test.ts
+++ b/backend/src/mcp/note-tools.test.ts
@ -178,6 +178,21 @@ describe('note executable MCP tools', () => {

    expect(createNoteMock).toHaveBeenCalledTimes(1);
    expect(createNoteAgentActionMock).toHaveBeenCalledTimes(1);
+    expect(createNoteAgentActionMock).toHaveBeenCalledWith(
+      expect.objectContaining({
+        productId: 'bytelyst-notes',
+        workspaceId: 'ws_1',
+        userId: 'user_1',
+        actorId: 'agent_1',
+        actorType: 'agent',
+        toolName: NOTES_MCP_TOOL_NAMES.createDraft,
+        actionType: 'create',
+        state: 'proposed',
+        idempotencyKey: 'idem_1',
+        correlationId: 'corr_1',
+        workflowId: 'req_1',
+      })
+    );
    expect(result).toMatchObject({
      dryRun: false,
      state: 'draft',
--- a/docs/roadmaps/05_MCP_AGENT_ROADMAP.md
+++ b/docs/roadmaps/05_MCP_AGENT_ROADMAP.md
@ -35,10 +35,10 @@ Parent: `docs/ROADMAP.md`
 # Phase A3 — Operational Hardening

 - [x] Workspace/product scoping guardrails
- [ ] Audit verification for mutating tools
- [ ] Safe usage docs and runbooks
+- [x] Audit verification for mutating tools
+- [x] Safe usage docs and runbooks
 - [x] Regression tests for mutating tool paths
- [ ] Review `mcp-server` integration against auth boundaries
+- [x] Review `mcp-server` integration against auth boundaries

 # A2A Follow-On Work

@ -76,6 +76,19 @@ Parent: `docs/ROADMAP.md`
  - executable tools now reject mismatched `productId` scope at runtime
  - regression coverage now asserts mutating calls do not persist when scope is invalid
  - core tools remain workspace-scoped through input contracts and repository calls
+- 2026-03-10 — Shared-server auth-boundary review completed against `learning_ai_common_plat/services/mcp-server`:
+  - shared `toolRoutes` performs role checks before `execute()`
+  - shared `toolRoutes` validates arguments via `safeParse` before `execute()`
+  - shared `toolRoutes` passes `jwtPayload`, `authorization`, and `requestId` into tool execution
+  - product-side note tools additionally enforce authenticated user presence and `productId` scope before repository access
+
+# Safe Usage Rules
+
+- Read-only note tools may run with `viewer` or above.
+- Mutating note tools must require `admin` or above.
+- Mutating note tools must remain workspace-scoped and product-scoped.
+- Mutating note tools must persist an audit/proposal record before the workflow can be considered complete.
+- Shared `mcp-server` hookup must preserve the request `jwtPayload`, auth header, and request ID passed to product-side tools.

 # Open Questions

@ -86,7 +99,6 @@ Parent: `docs/ROADMAP.md`
 # Blockers

 - Shared `mcp-server` registration hookup has not been implemented in the common platform repo yet.
- Shared-server auth-boundary review is still pending.

 # Deferred

@ -99,5 +111,5 @@ Parent: `docs/ROADMAP.md`

 - [x] MCP tools cover core note workflows at the product-backend execution layer
 - [x] Product-side MCP tools are exportable in a shared-server-compatible registration shape
- [ ] Mutating tool paths are auditable and scoped
- [ ] Coding agents have clear contracts for using tools safely
+- [x] Mutating tool paths are auditable and scoped for the current `create_draft` path
+- [x] Coding agents have clear contracts for using tools safely at the product-backend layer