diff --git a/workspace-server/go.mod b/workspace-server/go.mod index b585328c..6c50916a 100644 --- a/workspace-server/go.mod +++ b/workspace-server/go.mod @@ -4,7 +4,7 @@ go 1.25.0 require ( github.com/DATA-DOG/go-sqlmock v1.5.2 - github.com/Molecule-AI/molecule-ai-plugin-github-app-auth v0.0.0-20260416194734-2cd28737f845 + github.com/Molecule-AI/molecule-ai-plugin-github-app-auth v0.0.0-20260421064811-7d98ae51e31d github.com/alicebob/miniredis/v2 v2.37.0 github.com/creack/pty v1.1.18 github.com/docker/docker v28.2.2+incompatible @@ -16,6 +16,7 @@ require ( github.com/google/uuid v1.6.0 github.com/gorilla/websocket v1.5.3 github.com/lib/pq v1.10.9 + github.com/opencontainers/image-spec v1.1.1 github.com/redis/go-redis/v9 v9.7.0 github.com/robfig/cron/v3 v3.0.1 golang.org/x/crypto v0.49.0 @@ -56,7 +57,6 @@ require ( github.com/modern-go/reflect2 v1.0.2 // indirect github.com/morikuni/aec v1.1.0 // indirect github.com/opencontainers/go-digest v1.0.0 // indirect - github.com/opencontainers/image-spec v1.1.1 // indirect github.com/pelletier/go-toml/v2 v2.2.2 // indirect github.com/pkg/errors v0.9.1 // indirect github.com/twitchyliquid64/golang-asm v0.15.1 // indirect @@ -78,4 +78,3 @@ require ( google.golang.org/protobuf v1.36.11 // indirect gotest.tools/v3 v3.5.2 // indirect ) - diff --git a/workspace-server/go.sum b/workspace-server/go.sum index 0e897247..681bb0cd 100644 --- a/workspace-server/go.sum +++ b/workspace-server/go.sum @@ -4,8 +4,8 @@ github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7Oputl github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ+JlNzwDqpNU= github.com/Microsoft/go-winio v0.4.21 h1:+6mVbXh4wPzUrl1COX9A+ZCvEpYsOBZ6/+kwDnvLyro= github.com/Microsoft/go-winio v0.4.21/go.mod h1:JPGBdM1cNvN/6ISo+n8V5iA4v8pBzdOpzfwIujj1a84= -github.com/Molecule-AI/molecule-ai-plugin-github-app-auth v0.0.0-20260416194734-2cd28737f845 h1:Pae8GmpJOP/Bpf2KE1FhdN3zoPSbV/tl25yiAqEc4lM= -github.com/Molecule-AI/molecule-ai-plugin-github-app-auth v0.0.0-20260416194734-2cd28737f845/go.mod h1:3a6LR/zd7FjR9ZwLTbytwYlWuCBsbCOVFlEg0WnoYiM= +github.com/Molecule-AI/molecule-ai-plugin-github-app-auth v0.0.0-20260421064811-7d98ae51e31d h1:GpYhP6FxaJZc1Ljy5/YJ9ZIVGvfOqZBmDolNr2S5x2g= +github.com/Molecule-AI/molecule-ai-plugin-github-app-auth v0.0.0-20260421064811-7d98ae51e31d/go.mod h1:3a6LR/zd7FjR9ZwLTbytwYlWuCBsbCOVFlEg0WnoYiM= github.com/alicebob/miniredis/v2 v2.37.0 h1:RheObYW32G1aiJIj81XVt78ZHJpHonHLHW7OLIshq68= github.com/alicebob/miniredis/v2 v2.37.0/go.mod h1:TcL7YfarKPGDAthEtl5NBeHZfeUQj6OXMm/+iu5cLMM= github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs= diff --git a/workspace-server/internal/handlers/terminal_test.go b/workspace-server/internal/handlers/terminal_test.go index 930d1a28..326354c6 100644 --- a/workspace-server/internal/handlers/terminal_test.go +++ b/workspace-server/internal/handlers/terminal_test.go @@ -105,6 +105,183 @@ func TestTerminalConnect_KI005_RejectsUnauthorizedCrossWorkspace(t *testing.T) { } } +// TestKI005_SelfAccess_AlwaysAllowed — when callerID equals the target workspace +// ID the request always passes (self-access: workspace's own token reaches its +// own terminal without needing the hierarchy check). +func TestKI005_SelfAccess_AlwaysAllowed(t *testing.T) { + mock := setupTestDB(t) + setupTestRedis(t) + + mock.ExpectQuery("SELECT COALESCE"). + WithArgs("ws-self"). + WillReturnRows(sqlmock.NewRows([]string{"instance_id"}).AddRow("")) + + h := NewTerminalHandler(nil) + w := httptest.NewRecorder() + c, _ := gin.CreateTestContext(w) + c.Params = gin.Params{{Key: "id", Value: "ws-self"}} + c.Request = httptest.NewRequest("GET", "/workspaces/ws-self/terminal", nil) + // Self-access: X-Workspace-ID matches the route param, no auth needed. + c.Request.Header.Set("X-Workspace-ID", "ws-self") + + h.HandleConnect(c) + + // Self-access passes without any token check or CanCommunicate query. + if w.Code != http.StatusServiceUnavailable { + t.Errorf("self-access: expected 503 (Docker unavailable), got %d: %s", w.Code, w.Body.String()) + } + if err := mock.ExpectationsWereMet(); err != nil { + t.Errorf("unmet sqlmock expectations: %v", err) + } +} + +// TestKI005_CanCommunicatePeer_Allowed — when the caller and target are siblings +// (share a parent), CanCommunicate returns true and the terminal access is granted. +func TestKI005_CanCommunicatePeer_Allowed(t *testing.T) { + mock := setupTestDB(t) + setupTestRedis(t) + + // DB: caller workspace row for token validation. + mock.ExpectQuery("SELECT t.id, t.workspace_id"). + WithArgs(sqlmock.AnyArg()). + WillReturnRows(sqlmock.NewRows([]string{"id", "workspace_id"}). + AddRow("tok-caller", "ws-peer-a")) + + // DB: caller and target are siblings → CanCommunicate queries both. + mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id"). + WithArgs("ws-peer-a"). + WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}). + AddRow("ws-peer-a", "org-lead")) + mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id"). + WithArgs("ws-peer-b"). + WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}). + AddRow("ws-peer-b", "org-lead")) + + // DB: target workspace has no instance_id → local Docker path. + mock.ExpectQuery("SELECT COALESCE"). + WithArgs("ws-peer-b"). + WillReturnRows(sqlmock.NewRows([]string{"instance_id"}).AddRow("")) + + h := NewTerminalHandler(nil) + w := httptest.NewRecorder() + c, _ := gin.CreateTestContext(w) + c.Params = gin.Params{{Key: "id", Value: "ws-peer-b"}} + c.Request = httptest.NewRequest("GET", "/workspaces/ws-peer-b/terminal", nil) + c.Request.Header.Set("X-Workspace-ID", "ws-peer-a") + c.Request.Header.Set("Authorization", "Bearer peer-token") + + h.HandleConnect(c) + + if w.Code != http.StatusServiceUnavailable { + t.Errorf("peer access: expected 503 (Docker unavailable), got %d: %s", w.Code, w.Body.String()) + } + if err := mock.ExpectationsWereMet(); err != nil { + t.Errorf("unmet sqlmock expectations: %v", err) + } +} + +// TestKI005_CanCommunicateNonPeer_Forbidden — when caller and target have +// different parents (not siblings, not root-level), CanCommunicate returns +// false and the terminal access is blocked with 403. +func TestKI005_CanCommunicateNonPeer_Forbidden(t *testing.T) { + mock := setupTestDB(t) + setupTestRedis(t) + + // DB: caller workspace row for token validation. + mock.ExpectQuery("SELECT t.id, t.workspace_id"). + WithArgs(sqlmock.AnyArg()). + WillReturnRows(sqlmock.NewRows([]string{"id", "workspace_id"}). + AddRow("tok-attacker", "ws-attacker")) + + // DB: caller and target have different parents → CanCommunicate denies. + mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id"). + WithArgs("ws-attacker"). + WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}). + AddRow("ws-attacker", "org-a")) + mock.ExpectQuery("SELECT id, parent_id FROM workspaces WHERE id"). + WithArgs("ws-victim"). + WillReturnRows(sqlmock.NewRows([]string{"id", "parent_id"}). + AddRow("ws-victim", "org-b")) + + h := NewTerminalHandler(nil) + w := httptest.NewRecorder() + c, _ := gin.CreateTestContext(w) + c.Params = gin.Params{{Key: "id", Value: "ws-victim"}} + c.Request = httptest.NewRequest("GET", "/workspaces/ws-victim/terminal", nil) + c.Request.Header.Set("X-Workspace-ID", "ws-attacker") + c.Request.Header.Set("Authorization", "Bearer attacker-token") + + h.HandleConnect(c) + + if w.Code != http.StatusForbidden { + t.Errorf("cross-workspace: expected 403, got %d: %s", w.Code, w.Body.String()) + } + if err := mock.ExpectationsWereMet(); err != nil { + t.Errorf("unmet sqlmock expectations: %v", err) + } +} + +// TestKI005_TokenMismatch_Unauthorized — when the bearer token belongs to a +// different workspace than the claimed X-Workspace-ID, ValidateToken fails +// and the request is rejected with 401 before CanCommunicate is checked. +func TestKI005_TokenMismatch_Unauthorized(t *testing.T) { + mock := setupTestDB(t) + setupTestRedis(t) + + // DB: token belongs to a different workspace than claimed — ValidateToken + // returns ErrInvalidToken (workspaceID mismatch). + mock.ExpectQuery("SELECT t.id, t.workspace_id"). + WithArgs(sqlmock.AnyArg()). + WillReturnRows(sqlmock.NewRows([]string{"id", "workspace_id"})) + + h := NewTerminalHandler(nil) + w := httptest.NewRecorder() + c, _ := gin.CreateTestContext(w) + c.Params = gin.Params{{Key: "id", Value: "ws-target"}} + c.Request = httptest.NewRequest("GET", "/workspaces/ws-target/terminal", nil) + c.Request.Header.Set("X-Workspace-ID", "ws-claimed") + c.Request.Header.Set("Authorization", "Bearer wrong-workspace-token") + + h.HandleConnect(c) + + if w.Code != http.StatusUnauthorized { + t.Errorf("token mismatch: expected 401, got %d: %s", w.Code, w.Body.String()) + } + if err := mock.ExpectationsWereMet(); err != nil { + t.Errorf("unmet sqlmock expectations: %v", err) + } +} + +// TestKI005_NoXWorkspaceIDHeader_LegacyAllowed — when no X-Workspace-ID header +// is present (legacy canvas, direct browser access), the hierarchy check is +// skipped and the request proceeds to the container (standard WorkspaceAuth +// gates apply upstream). +func TestKI005_NoXWorkspaceIDHeader_LegacyAllowed(t *testing.T) { + mock := setupTestDB(t) + setupTestRedis(t) + + // DB: no instance_id → local Docker path. + mock.ExpectQuery("SELECT COALESCE"). + WithArgs("ws-legacy"). + WillReturnRows(sqlmock.NewRows([]string{"instance_id"}).AddRow("")) + + h := NewTerminalHandler(nil) + w := httptest.NewRecorder() + c, _ := gin.CreateTestContext(w) + c.Params = gin.Params{{Key: "id", Value: "ws-legacy"}} + c.Request = httptest.NewRequest("GET", "/workspaces/ws-legacy/terminal", nil) + // No X-Workspace-ID header: legacy access, no hierarchy check. + + h.HandleConnect(c) + + if w.Code != http.StatusServiceUnavailable { + t.Errorf("legacy access: expected 503 (Docker unavailable), got %d: %s", w.Code, w.Body.String()) + } + if err := mock.ExpectationsWereMet(); err != nil { + t.Errorf("unmet sqlmock expectations: %v", err) + } +} + // TestOpenTunnelCmd_BuildsArgv guards against silent drift in the EIC // tunnel invocation (e.g. someone flipping --local-port to --port). func TestOpenTunnelCmd_BuildsArgv(t *testing.T) { diff --git a/workspace-server/internal/handlers/workspace_provision.go b/workspace-server/internal/handlers/workspace_provision.go index 5e74ee73..0ebb0503 100644 --- a/workspace-server/internal/handlers/workspace_provision.go +++ b/workspace-server/internal/handlers/workspace_provision.go @@ -402,6 +402,17 @@ func (h *WorkspaceHandler) issueAndInjectToken(ctx context.Context, workspaceID cfg.ConfigFiles = make(map[string][]byte) } cfg.ConfigFiles[".auth_token"] = []byte(token) + // Option B (issue #1877): write token to volume BEFORE ContainerStart. + // Pre-write eliminates the race window where a restarted container could + // read a stale /configs/.auth_token before WriteFilesToContainer runs. + // This call is best-effort — if it fails (or provisioner is nil in tests) + // we still log and fall through; the runtime's heartbeat.py will retry + // on 401 if needed. + if h.provisioner != nil { + if writeErr := h.provisioner.WriteAuthTokenToVolume(ctx, workspaceID, token); writeErr != nil { + log.Printf("Provisioner: warning — pre-write token to volume failed for %s: %v (token still injected via WriteFilesToContainer after start)", workspaceID, writeErr) + } + } log.Printf("Provisioner: injected fresh auth token for workspace %s into config volume", workspaceID) } diff --git a/workspace-server/internal/handlers/workspace_restart.go b/workspace-server/internal/handlers/workspace_restart.go index 9c12b22a..ab1723cf 100644 --- a/workspace-server/internal/handlers/workspace_restart.go +++ b/workspace-server/internal/handlers/workspace_restart.go @@ -132,6 +132,17 @@ func (h *WorkspaceHandler) Restart(c *gin.Context) { RebuildConfig: body.RebuildConfig, }) + // #239: rebuild_config=true — try org-templates as last-resort source so a + // workspace with a destroyed config volume can self-recover without admin + // intervention. Only fires when no other template was resolved above. + if templatePath == "" && body.RebuildConfig { + if p, label := resolveOrgTemplate(h.configsDir, wsName); p != "" { + templatePath = p + configLabel = label + log.Printf("Restart: rebuild_config — using org-template %s for %s (%s)", label, wsName, id) + } + } + if templatePath == "" { log.Printf("Restart: reusing existing config volume for %s (%s)", wsName, id) } else { diff --git a/workspace-server/internal/provisioner/provisioner.go b/workspace-server/internal/provisioner/provisioner.go index 481f09b7..ac04b15f 100644 --- a/workspace-server/internal/provisioner/provisioner.go +++ b/workspace-server/internal/provisioner/provisioner.go @@ -749,6 +749,41 @@ func (p *Provisioner) ReadFromVolume(ctx context.Context, volumeName, filePath s return clean, nil } +// WriteAuthTokenToVolume writes the workspace auth token into the config volume +// BEFORE the container starts, eliminating the token-injection race window where +// a restarted container could read a stale token from /configs/.auth_token before +// WriteFilesToContainer writes the new one. Issue #1877. +// +// Uses a throwaway alpine container to write directly to the named volume, +// bypassing the container lifecycle entirely. +func (p *Provisioner) WriteAuthTokenToVolume(ctx context.Context, workspaceID, token string) error { + volName := ConfigVolumeName(workspaceID) + resp, err := p.cli.ContainerCreate(ctx, &container.Config{ + Image: "alpine", + Cmd: []string{"sh", "-c", "mkdir -p /vol && printf '%s' $TOKEN > /vol/.auth_token && chmod 0600 /vol/.auth_token"}, + Env: []string{"TOKEN=" + token}, + }, &container.HostConfig{ + Binds: []string{volName + ":/vol"}, + }, nil, nil, "") + if err != nil { + return fmt.Errorf("failed to create token-write container: %w", err) + } + defer p.cli.ContainerRemove(ctx, resp.ID, container.RemoveOptions{Force: true}) + if err := p.cli.ContainerStart(ctx, resp.ID, container.StartOptions{}); err != nil { + return fmt.Errorf("failed to start token-write container: %w", err) + } + waitCh, errCh := p.cli.ContainerWait(ctx, resp.ID, container.WaitConditionNotRunning) + select { + case <-waitCh: + case writeErr := <-errCh: + if writeErr != nil { + return fmt.Errorf("token-write container exited with error: %w", writeErr) + } + } + log.Printf("Provisioner: wrote auth token to volume %s/.auth_token", volName) + return nil +} + // execInContainer runs a command inside a running container as root. // Best-effort: logs errors but does not fail the caller. func (p *Provisioner) execInContainer(ctx context.Context, containerID string, cmd []string) { diff --git a/workspace/heartbeat.py b/workspace/heartbeat.py index a67bec7b..1eb5b4fd 100644 --- a/workspace/heartbeat.py +++ b/workspace/heartbeat.py @@ -17,7 +17,7 @@ from pathlib import Path import httpx -from platform_auth import auth_headers +from platform_auth import auth_headers, refresh_cache logger = logging.getLogger(__name__) @@ -102,6 +102,35 @@ class HeartbeatLoop: self._consecutive_failures = 0 except Exception as e: self._consecutive_failures += 1 + # Issue #1877: if heartbeat 401'd, re-read the token from disk + # and retry once. This handles the platform's token-rotation race + # where WriteFilesToContainer hasn't finished writing the new + # token before the runtime boots and caches the old value. + is_401 = False + if isinstance(e, httpx.HTTPStatusError) and e.response.status_code == 401: + is_401 = True + if is_401: + logger.warning("Heartbeat 401 for %s — refreshing token cache and retrying once", self.workspace_id) + refresh_cache() + try: + await client.post( + f"{self.platform_url}/registry/heartbeat", + json={ + "workspace_id": self.workspace_id, + "error_rate": self.error_rate, + "sample_error": self.sample_error, + "active_tasks": self.active_tasks, + "current_task": self.current_task, + "uptime_seconds": int(time.time() - self.start_time), + }, + headers=auth_headers(), + ) + self._consecutive_failures = 0 + self.request_count += 1 + except Exception: + # Retry also failed — fall through to the normal + # failure tracking below. + pass if self._consecutive_failures <= 3 or self._consecutive_failures % MAX_CONSECUTIVE_FAILURES == 0: logger.warning("Heartbeat failed (%d consecutive): %s", self._consecutive_failures, e) if self._consecutive_failures >= MAX_CONSECUTIVE_FAILURES: diff --git a/workspace/platform_auth.py b/workspace/platform_auth.py index d4a1e180..39a17075 100644 --- a/workspace/platform_auth.py +++ b/workspace/platform_auth.py @@ -103,3 +103,14 @@ def clear_cache() -> None: files between cases.""" global _cached_token _cached_token = None + + +def refresh_cache() -> str | None: + """Force re-read of the token from disk, discarding the in-process cache. + + Use this when a 401 response suggests the cached token is stale — + e.g. after the platform rotates tokens during a restart (issue #1877). + Returns the (new) token value or None if not found/error.""" + global _cached_token + _cached_token = None + return get_token() diff --git a/workspace/plugins_registry/builtins.py b/workspace/plugins_registry/builtins.py index 9816ee85..c065aaff 100644 --- a/workspace/plugins_registry/builtins.py +++ b/workspace/plugins_registry/builtins.py @@ -24,7 +24,7 @@ Planned as the ecosystem matures (none are implemented yet — rule of three: promote a class here only after 3+ plugins ship the same custom shape via their own ``adapters/.py``): -* ``MCPServerAdaptor`` — install a plugin as an MCP server *(TODO)* +* :class:`MCPServerAdaptor` — install a plugin as an MCP server ✅ (issue #847) * ``DeepAgentsSubagentAdaptor`` — register a DeepAgents sub-agent (runtime-locked to deepagents) *(TODO)* * ``LangGraphSubgraphAdaptor`` — install a LangGraph sub-graph *(TODO)* @@ -339,5 +339,95 @@ def _deep_merge_hooks(existing: dict, fragment: dict) -> dict: for top_key, val in fragment.items(): if top_key == "hooks": continue - out.setdefault(top_key, val) + # mcpServers must be deep-merged: plugin A ships "firecrawl" and + # plugin B ships "github" → both entries land in settings.json. + # Using setdefault would skip the fragment's value when the key + # already exists, so we explicitly handle the dict case. + if top_key in out and isinstance(out[top_key], dict) and isinstance(val, dict): + out[top_key] = {**out[top_key], **val} + else: + out.setdefault(top_key, val) return out + + +# ---------------------------------------------------------------------- +# MCPServerAdaptor — issue #847. +# Promoted from custom adapters after 4 plugin proposals (molecule-firecrawl +# #512, molecule-github-mcp #520, molecule-browser-use #553, mcp-connector +# #573) all shipped the same pattern independently. +# ---------------------------------------------------------------------- + + +class MCPServerAdaptor: + """Sub-type adaptor for plugins that wrap an MCP server. + + The plugin ships: + + * ``settings-fragment.json`` with an ``mcpServers`` block — standard + Claude Code ``claude_desktop_config`` format, e.g.: + + .. code-block:: json + + { + "mcpServers": { + "my-server": { + "command": "npx", + "args": ["-y", "@org/my-mcp-server"] + } + } + } + + * ``skills//SKILL.md`` (optional) — agentskills.io skill docs; + ``AgentskillsAdaptor`` logic handles these. + * ``rules/*.md`` (optional) — always-on prose appended to CLAUDE.md; + ``AgentskillsAdaptor`` logic handles these. + * ``setup.sh`` (optional) — install npm packages, build binaries, etc.; + ``AgentskillsAdaptor`` logic handles these. + + On ``install()``: + + 1. ``settings-fragment.json`` → ``_install_claude_layer()`` merges the + ``mcpServers`` block into ``/.claude/settings.json``. + Hooks are also merged via the same path (so MCP-server plugins + can also ship hooks if they need them). + 2. Skills + rules + setup.sh → delegated to ``AgentskillsAdaptor``. + + On ``uninstall()``: + + 1. Skills + rules → delegated to ``AgentskillsAdaptor.uninstall()``. + 2. ``mcpServers`` entries are intentionally **not** removed from + ``settings.json`` on uninstall. MCP server configurations are + often shared with other tools or manually curated, so removing + them could break a user's setup. The user must remove them + manually if desired. + + Usage — in the plugin's per-runtime adapter file: + + .. code-block:: python + + # plugins//adapters/claude_code.py + from plugins_registry.builtins import MCPServerAdaptor as Adaptor + """ + + def __init__(self, plugin_name: str, runtime: str) -> None: + self.plugin_name = plugin_name + self.runtime = runtime + + async def install(self, ctx: InstallContext) -> InstallResult: + result = InstallResult( + plugin_name=self.plugin_name, + runtime=self.runtime, + source="plugin", + ) + # 1. Merge mcpServers (and any hooks) from settings-fragment.json. + _install_claude_layer(ctx, result, self.plugin_name) + # 2. Skills + rules + setup.sh — reuse AgentskillsAdaptor logic. + sub = await AgentskillsAdaptor(self.plugin_name, self.runtime).install(ctx) + result.files_written.extend(sub.files_written) + result.warnings.extend(sub.warnings) + return result + + async def uninstall(self, ctx: InstallContext) -> None: + # Delegate to AgentskillsAdaptor for skills + rules cleanup. + # NOTE: mcpServers entries are intentionally NOT removed (see class docstring). + await AgentskillsAdaptor(self.plugin_name, self.runtime).uninstall(ctx) diff --git a/workspace/tests/test_plugins_builtins.py b/workspace/tests/test_plugins_builtins.py index 31d14cae..fe6b5607 100644 --- a/workspace/tests/test_plugins_builtins.py +++ b/workspace/tests/test_plugins_builtins.py @@ -481,3 +481,234 @@ def test_deep_merge_hooks_top_level_keys_merged(): # setdefault semantics: existing keys win, new keys are added assert result["someKey"] == "old" assert result["anotherKey"] == "value" + + +def test_deep_merge_hooks_mcpServers_deep_merged(): + """mcpServers dicts from two plugins must be merged, not replaced. + + Plugin A ships firecrawl, plugin B ships github → both land in the + final settings.json (issue #847 motivation). + """ + existing = { + "mcpServers": { + "firecrawl": { + "command": "npx", + "args": ["-y", "@org/firecrawl-mcp"], + } + } + } + fragment = { + "mcpServers": { + "github": { + "command": "npx", + "args": ["-y", "@github/github-mcp-server"], + } + }, + "hooks": {}, + } + result = _deep_merge_hooks(existing, fragment) + assert "firecrawl" in result["mcpServers"] + assert "github" in result["mcpServers"] + # existing entries must not be overwritten + assert result["mcpServers"]["firecrawl"]["command"] == "npx" + + +def test_deep_merge_hooks_mcpServers_idempotent(): + """Re-merging the same mcpServers fragment must not duplicate entries.""" + fragment = { + "mcpServers": { + "firecrawl": {"command": "npx", "args": ["-y", "@org/firecrawl-mcp"]} + }, + "hooks": {}, + } + state = _deep_merge_hooks({}, fragment) + state = _deep_merge_hooks(state, fragment) + state = _deep_merge_hooks(state, fragment) + assert len(state["mcpServers"]) == 1 + + +def test_deep_merge_hooks_mcpServers_three_plugins(): + """Three plugins each contributing one mcpServer all land in final output.""" + state = {} + for name in ["firecrawl", "github", "browser-use"]: + fragment = { + "mcpServers": {name: {"command": "npx", "args": [f"-y @{name}"]}}, + "hooks": {}, + } + state = _deep_merge_hooks(state, fragment) + + assert set(state["mcpServers"].keys()) == {"firecrawl", "github", "browser-use"} + + +# --------------------------------------------------------------------------- +# MCPServerAdaptor tests — issue #847 +# --------------------------------------------------------------------------- + +from plugins_registry.builtins import MCPServerAdaptor # noqa: E402 + + +async def test_mcp_server_adaptor_install_writes_mcpServers(tmp_path: Path): + """install() must merge mcpServers from settings-fragment.json into settings.json.""" + plugin = tmp_path / "my-mcp-plugin" + plugin.mkdir() + (plugin / "settings-fragment.json").write_text( + json.dumps({ + "mcpServers": { + "my-server": { + "command": "npx", + "args": ["-y", "@org/my-mcp-server"], + } + } + }) + ) + # Also add a skill so we can verify AgentskillsAdaptor delegation. + (plugin / "skills" / "docs").mkdir(parents=True) + (plugin / "skills" / "docs" / "SKILL.md").write_text("# docs skill\n") + + configs = tmp_path / "configs" + configs.mkdir() + result = await MCPServerAdaptor("my-mcp-plugin", "claude_code").install( + _make_ctx(configs, plugin) + ) + + settings = json.loads((configs / ".claude" / "settings.json").read_text()) + assert "mcpServers" in settings + assert "my-server" in settings["mcpServers"] + assert settings["mcpServers"]["my-server"]["command"] == "npx" + # Skills were also installed (AgentskillsAdaptor delegation). + assert (configs / "skills" / "docs" / "SKILL.md").exists() + assert ".claude/settings.json" in result.files_written + + +async def test_mcp_server_adaptor_install_no_fragment_no_warning(tmp_path: Path): + """Plugin without settings-fragment.json must install silently (no settings.json created).""" + plugin = tmp_path / "bare-mcp" + plugin.mkdir() + configs = tmp_path / "configs" + configs.mkdir() + + result = await MCPServerAdaptor("bare-mcp", "claude_code").install( + _make_ctx(configs, plugin) + ) + # _install_claude_layer creates .claude dir, but no settings.json when + # there's no settings-fragment.json. + assert not (configs / ".claude" / "settings.json").exists() + assert result.warnings == [] + + +async def test_mcp_server_adaptor_uninstall_does_not_remove_mcpServers(tmp_path: Path): + """uninstall() must remove skills/rules but leave mcpServers in settings.json. + + Rationale: MCP server configs are often shared or manually curated; + removing them on plugin uninstall could break the user's environment. + """ + plugin = tmp_path / "my-mcp-plugin" + plugin.mkdir() + (plugin / "settings-fragment.json").write_text( + json.dumps({ + "mcpServers": { + "my-server": { + "command": "npx", + "args": ["-y", "@org/my-mcp-server"], + } + } + }) + ) + (plugin / "rules").mkdir(parents=True) + (plugin / "rules" / "r.md").write_text("- my rule\n") + (plugin / "skills" / "s").mkdir(parents=True) + (plugin / "skills" / "s" / "SKILL.md").write_text("# skill\n") + + configs = tmp_path / "configs" + configs.mkdir() + adaptor = MCPServerAdaptor("my-mcp-plugin", "claude_code") + + await adaptor.install(_make_ctx(configs, plugin)) + assert (configs / "skills" / "s").exists() + assert "my-server" in json.loads((configs / ".claude" / "settings.json").read_text()).get("mcpServers", {}) + + await adaptor.uninstall(_make_ctx(configs, plugin)) + + # Skills and rules removed by AgentskillsAdaptor delegation. + assert not (configs / "skills" / "s").exists() + assert not (configs / "CLAUDE.md").exists() or "# Plugin: my-mcp-plugin" not in (configs / "CLAUDE.md").read_text() + # mcpServers intentionally kept. + settings = json.loads((configs / ".claude" / "settings.json").read_text()) + assert "mcpServers" in settings + assert "my-server" in settings["mcpServers"] + + +async def test_mcp_server_adaptor_install_merges_with_existing_settings(tmp_path: Path): + """install() must deep-merge mcpServers with an already-populated settings.json.""" + plugin = tmp_path / "second-mcp" + plugin.mkdir() + (plugin / "settings-fragment.json").write_text( + json.dumps({ + "mcpServers": { + "github": { + "command": "npx", + "args": ["-y", "@github/github-mcp-server"], + } + } + }) + ) + + configs = tmp_path / "configs" + configs.mkdir() + # Pre-existing settings.json with an mcpServer already present. + claude_dir = configs / ".claude" + claude_dir.mkdir(parents=True) + (claude_dir / "settings.json").write_text( + json.dumps({ + "mcpServers": { + "firecrawl": { + "command": "npx", + "args": ["-y", "@firecrawl/firecrawl-mcp"], + } + } + }) + ) + + await MCPServerAdaptor("second-mcp", "claude_code").install(_make_ctx(configs, plugin)) + + settings = json.loads((claude_dir / "settings.json").read_text()) + assert "firecrawl" in settings["mcpServers"] + assert "github" in settings["mcpServers"] + + +async def test_mcp_server_adaptor_install_also_handles_hooks(tmp_path: Path): + """An MCPServer plugin can also ship PreToolUse/PostToolUse hooks via the + same settings-fragment.json; they must be merged without duplication.""" + plugin = tmp_path / "mcp-with-hooks" + plugin.mkdir() + (plugin / "hooks").mkdir(parents=True) + (plugin / "hooks" / "lint.sh").write_text("#!/bin/bash\necho ok\n") + (plugin / "hooks" / "lint.sh").chmod(0o755) + (plugin / "settings-fragment.json").write_text( + json.dumps({ + "mcpServers": { + "my-server": {"command": "npx", "args": ["-y", "@x/server"]} + }, + "hooks": { + "PreToolUse": [ + { + "matcher": "Bash", + "hooks": [{"type": "command", "command": "${CLAUDE_DIR}/hooks/lint.sh"}], + } + ] + }, + }) + ) + + configs = tmp_path / "configs" + configs.mkdir() + await MCPServerAdaptor("mcp-with-hooks", "claude_code").install(_make_ctx(configs, plugin)) + + settings = json.loads((configs / ".claude" / "settings.json").read_text()) + assert "my-server" in settings["mcpServers"] + assert len(settings["hooks"]["PreToolUse"]) == 1 + assert settings["hooks"]["PreToolUse"][0]["matcher"] == "Bash" + + +import json # noqa: E402 — also used in new tests above +