Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
microsoft
GitHub Repository: microsoft/vscode
 Path: blob/main/src/vs/workbench/services/authentication/test/browser/authenticationMcpAccessService.test.ts
3296 views
1
/*---------------------------------------------------------------------------------------------

2
 *  Copyright (c) Microsoft Corporation. All rights reserved.

3
 *  Licensed under the MIT License. See License.txt in the project root for license information.

4
 *--------------------------------------------------------------------------------------------*/

5


6
import assert from 'assert';

7
import { ensureNoDisposablesAreLeakedInTestSuite } from '../../../../../base/test/common/utils.js';

8
import { TestInstantiationService } from '../../../../../platform/instantiation/test/common/instantiationServiceMock.js';

9
import { IStorageService, StorageScope, StorageTarget } from '../../../../../platform/storage/common/storage.js';

10
import { IProductService } from '../../../../../platform/product/common/productService.js';

11
import { TestStorageService, TestProductService } from '../../../../test/common/workbenchTestServices.js';

12
import { AuthenticationMcpAccessService, AllowedMcpServer, IAuthenticationMcpAccessService } from '../../browser/authenticationMcpAccessService.js';

13


14
suite('AuthenticationMcpAccessService', () => {

15
	const disposables = ensureNoDisposablesAreLeakedInTestSuite();

16


17
	let instantiationService: TestInstantiationService;

18
	let storageService: TestStorageService;

19
	let productService: IProductService & { trustedMcpAuthAccess?: string[] | Record<string, string[]> };

20
	let authenticationMcpAccessService: IAuthenticationMcpAccessService;

21


22
	setup(() => {

23
		instantiationService = disposables.add(new TestInstantiationService());

24


25
		// Set up storage service

26
		storageService = disposables.add(new TestStorageService());

27
		instantiationService.stub(IStorageService, storageService);

28


29
		// Set up product service with no trusted servers by default

30
		productService = { ...TestProductService };

31
		instantiationService.stub(IProductService, productService);

32


33
		// Create the service instance

34
		authenticationMcpAccessService = disposables.add(instantiationService.createInstance(AuthenticationMcpAccessService));

35
	});

36


37
	suite('isAccessAllowed', () => {

38
		test('returns undefined for unknown MCP server with no product configuration', () => {

39
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'unknown-server');

40
			assert.strictEqual(result, undefined);

41
		});

42


43
		test('returns true for trusted MCP server from product.json (array format)', () => {

44
			productService.trustedMcpAuthAccess = ['trusted-server-1', 'trusted-server-2'];

45


46
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'trusted-server-1');

47
			assert.strictEqual(result, true);

48
		});

49


50
		test('returns true for trusted MCP server from product.json (object format)', () => {

51
			productService.trustedMcpAuthAccess = {

52
				'github': ['github-server'],

53
				'microsoft': ['microsoft-server']

54
			};

55


56
			const result1 = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'github-server');

57
			assert.strictEqual(result1, true);

58


59
			const result2 = authenticationMcpAccessService.isAccessAllowed('microsoft', '[email protected]', 'microsoft-server');

60
			assert.strictEqual(result2, true);

61
		});

62


63
		test('returns undefined for MCP server not in trusted list', () => {

64
			productService.trustedMcpAuthAccess = ['trusted-server'];

65


66
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'untrusted-server');

67
			assert.strictEqual(result, undefined);

68
		});

69


70
		test('returns stored allowed state when server is in storage', () => {

71
			// Add server to storage

72
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [{

73
				id: 'stored-server',

74
				name: 'Stored Server',

75
				allowed: false

76
			}]);

77


78
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'stored-server');

79
			assert.strictEqual(result, false);

80
		});

81


82
		test('returns true for server in storage with allowed=true', () => {

83
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [{

84
				id: 'allowed-server',

85
				name: 'Allowed Server',

86
				allowed: true

87
			}]);

88


89
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'allowed-server');

90
			assert.strictEqual(result, true);

91
		});

92


93
		test('returns true for server in storage with undefined allowed property (legacy behavior)', () => {

94
			// Simulate legacy data where allowed property didn't exist

95
			const legacyServer: AllowedMcpServer = {

96
				id: 'legacy-server',

97
				name: 'Legacy Server'

98
				// allowed property is undefined

99
			};

100


101
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [legacyServer]);

102


103
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'legacy-server');

104
			assert.strictEqual(result, true);

105
		});

106


107
		test('product.json trusted servers take precedence over storage', () => {

108
			productService.trustedMcpAuthAccess = ['product-trusted-server'];

109


110
			// Try to store the same server as not allowed

111
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [{

112
				id: 'product-trusted-server',

113
				name: 'Product Trusted Server',

114
				allowed: false

115
			}]);

116


117
			// Product.json should take precedence

118
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'product-trusted-server');

119
			assert.strictEqual(result, true);

120
		});

121
	});

122


123
	suite('readAllowedMcpServers', () => {

124
		test('returns empty array when no data exists', () => {

125
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

126
			assert.strictEqual(result.length, 0);

127
		});

128


129
		test('returns stored MCP servers', () => {

130
			const servers: AllowedMcpServer[] = [

131
				{ id: 'server1', name: 'Server 1', allowed: true },

132
				{ id: 'server2', name: 'Server 2', allowed: false }

133
			];

134


135
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', servers);

136


137
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

138
			assert.strictEqual(result.length, 2);

139
			assert.strictEqual(result[0].id, 'server1');

140
			assert.strictEqual(result[0].allowed, true);

141
			assert.strictEqual(result[1].id, 'server2');

142
			assert.strictEqual(result[1].allowed, false);

143
		});

144


145
		test('includes trusted servers from product.json (array format)', () => {

146
			productService.trustedMcpAuthAccess = ['trusted-server-1', 'trusted-server-2'];

147


148
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

149
			assert.strictEqual(result.length, 2);

150


151
			const trustedServer1 = result.find(s => s.id === 'trusted-server-1');

152
			assert.ok(trustedServer1);

153
			assert.strictEqual(trustedServer1.allowed, true);

154
			assert.strictEqual(trustedServer1.trusted, true);

155
			assert.strictEqual(trustedServer1.name, 'trusted-server-1'); // Should default to ID

156


157
			const trustedServer2 = result.find(s => s.id === 'trusted-server-2');

158
			assert.ok(trustedServer2);

159
			assert.strictEqual(trustedServer2.allowed, true);

160
			assert.strictEqual(trustedServer2.trusted, true);

161
		});

162


163
		test('includes trusted servers from product.json (object format)', () => {

164
			productService.trustedMcpAuthAccess = {

165
				'github': ['github-server'],

166
				'microsoft': ['microsoft-server']

167
			};

168


169
			const githubResult = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

170
			assert.strictEqual(githubResult.length, 1);

171
			assert.strictEqual(githubResult[0].id, 'github-server');

172
			assert.strictEqual(githubResult[0].trusted, true);

173


174
			const microsoftResult = authenticationMcpAccessService.readAllowedMcpServers('microsoft', '[email protected]');

175
			assert.strictEqual(microsoftResult.length, 1);

176
			assert.strictEqual(microsoftResult[0].id, 'microsoft-server');

177
			assert.strictEqual(microsoftResult[0].trusted, true);

178


179
			// Provider not in trusted list should return empty (no stored servers)

180
			const unknownResult = authenticationMcpAccessService.readAllowedMcpServers('unknown', '[email protected]');

181
			assert.strictEqual(unknownResult.length, 0);

182
		});

183


184
		test('merges stored servers with trusted servers from product.json', () => {

185
			productService.trustedMcpAuthAccess = ['trusted-server'];

186


187
			// Add some stored servers

188
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

189
				{ id: 'stored-server', name: 'Stored Server', allowed: false }

190
			]);

191


192
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

193
			assert.strictEqual(result.length, 2);

194


195
			const trustedServer = result.find(s => s.id === 'trusted-server');

196
			assert.ok(trustedServer);

197
			assert.strictEqual(trustedServer.trusted, true);

198
			assert.strictEqual(trustedServer.allowed, true);

199


200
			const storedServer = result.find(s => s.id === 'stored-server');

201
			assert.ok(storedServer);

202
			assert.strictEqual(storedServer.trusted, undefined);

203
			assert.strictEqual(storedServer.allowed, false);

204
		});

205


206
		test('updates existing stored server to be trusted when it appears in product.json', () => {

207
			// First add a server as stored (not trusted)

208
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

209
				{ id: 'server-1', name: 'Server 1', allowed: false }

210
			]);

211


212
			// Then make it trusted via product.json

213
			productService.trustedMcpAuthAccess = ['server-1'];

214


215
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

216
			assert.strictEqual(result.length, 1);

217


218
			const server = result[0];

219
			assert.strictEqual(server.id, 'server-1');

220
			assert.strictEqual(server.allowed, true); // Should be overridden to true

221
			assert.strictEqual(server.trusted, true); // Should be marked as trusted

222
			assert.strictEqual(server.name, 'Server 1'); // Should keep existing name

223
		});

224


225
		test('handles malformed JSON in storage gracefully', () => {

226
			// Manually corrupt the storage

227
			storageService.store('[email protected]', 'invalid json', StorageScope.APPLICATION, StorageTarget.USER);

228


229
			// Should return empty array instead of throwing

230
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

231
			assert.strictEqual(result.length, 0);

232
		});

233


234
		test('handles non-array product.json configuration gracefully', () => {

235
			// Set up invalid configuration

236
			productService.trustedMcpAuthAccess = 'invalid-string' as any;

237


238
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

239
			assert.strictEqual(result.length, 0);

240
		});

241
	});

242


243
	suite('updateAllowedMcpServers', () => {

244
		test('stores new MCP servers', () => {

245
			const servers: AllowedMcpServer[] = [

246
				{ id: 'server1', name: 'Server 1', allowed: true },

247
				{ id: 'server2', name: 'Server 2', allowed: false }

248
			];

249


250
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', servers);

251


252
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

253
			assert.strictEqual(result.length, 2);

254
			assert.strictEqual(result[0].id, 'server1');

255
			assert.strictEqual(result[1].id, 'server2');

256
		});

257


258
		test('updates existing MCP server allowed status', () => {

259
			// First add a server

260
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

261
				{ id: 'server1', name: 'Server 1', allowed: true }

262
			]);

263


264
			// Then update its allowed status

265
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

266
				{ id: 'server1', name: 'Server 1', allowed: false }

267
			]);

268


269
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

270
			assert.strictEqual(result.length, 1);

271
			assert.strictEqual(result[0].allowed, false);

272
		});

273


274
		test('updates existing MCP server name when new name is provided', () => {

275
			// First add a server with default name

276
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

277
				{ id: 'server1', name: 'server1', allowed: true }

278
			]);

279


280
			// Then update with a proper name

281
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

282
				{ id: 'server1', name: 'My Server', allowed: true }

283
			]);

284


285
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

286
			assert.strictEqual(result.length, 1);

287
			assert.strictEqual(result[0].name, 'My Server');

288
		});

289


290
		test('does not update name when new name is same as ID', () => {

291
			// First add a server with a proper name

292
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

293
				{ id: 'server1', name: 'My Server', allowed: true }

294
			]);

295


296
			// Then try to update with ID as name (should keep existing name)

297
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

298
				{ id: 'server1', name: 'server1', allowed: false }

299
			]);

300


301
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

302
			assert.strictEqual(result.length, 1);

303
			assert.strictEqual(result[0].name, 'My Server'); // Should keep original name

304
			assert.strictEqual(result[0].allowed, false); // But allowed status should update

305
		});

306


307
		test('adds new servers while preserving existing ones', () => {

308
			// First add one server

309
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

310
				{ id: 'server1', name: 'Server 1', allowed: true }

311
			]);

312


313
			// Then add another server

314
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

315
				{ id: 'server2', name: 'Server 2', allowed: false }

316
			]);

317


318
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

319
			assert.strictEqual(result.length, 2);

320


321
			const server1 = result.find(s => s.id === 'server1');

322
			const server2 = result.find(s => s.id === 'server2');

323
			assert.ok(server1);

324
			assert.ok(server2);

325
			assert.strictEqual(server1.allowed, true);

326
			assert.strictEqual(server2.allowed, false);

327
		});

328


329
		test('does not store trusted servers from product.json', () => {

330
			productService.trustedMcpAuthAccess = ['trusted-server'];

331


332
			// Try to update a trusted server

333
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

334
				{ id: 'trusted-server', name: 'Trusted Server', allowed: false, trusted: true },

335
				{ id: 'user-server', name: 'User Server', allowed: true }

336
			]);

337


338
			// Check what's actually stored in storage (not including product.json servers)

339
			const storageKey = '[email protected]';

340
			const storedData = JSON.parse(storageService.get(storageKey, StorageScope.APPLICATION) || '[]');

341


342
			// Should only contain the user-managed server, not the trusted one

343
			assert.strictEqual(storedData.length, 1);

344
			assert.strictEqual(storedData[0].id, 'user-server');

345


346
			// But readAllowedMcpServers should return both (including trusted from product.json)

347
			const allServers = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

348
			assert.strictEqual(allServers.length, 2);

349
		});

350


351
		test('fires onDidChangeMcpSessionAccess event', () => {

352
			let eventFired = false;

353
			let eventData: { providerId: string; accountName: string } | undefined;

354


355
			const disposable = authenticationMcpAccessService.onDidChangeMcpSessionAccess(event => {

356
				eventFired = true;

357
				eventData = event;

358
			});

359


360
			try {

361
				authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

362
					{ id: 'server1', name: 'Server 1', allowed: true }

363
				]);

364


365
				assert.strictEqual(eventFired, true);

366
				assert.ok(eventData);

367
				assert.strictEqual(eventData.providerId, 'github');

368
				assert.strictEqual(eventData.accountName, '[email protected]');

369
			} finally {

370
				disposable.dispose();

371
			}

372
		});

373
	});

374


375
	suite('removeAllowedMcpServers', () => {

376
		test('removes all stored MCP servers for account', () => {

377
			// First add some servers

378
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

379
				{ id: 'server1', name: 'Server 1', allowed: true },

380
				{ id: 'server2', name: 'Server 2', allowed: false }

381
			]);

382


383
			// Verify they exist

384
			let result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

385
			assert.strictEqual(result.length, 2);

386


387
			// Remove them

388
			authenticationMcpAccessService.removeAllowedMcpServers('github', '[email protected]');

389


390
			// Verify they're gone

391
			result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

392
			assert.strictEqual(result.length, 0);

393
		});

394


395
		test('does not affect trusted servers from product.json', () => {

396
			productService.trustedMcpAuthAccess = ['trusted-server'];

397


398
			// Add some user-managed servers

399
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

400
				{ id: 'user-server', name: 'User Server', allowed: true }

401
			]);

402


403
			// Verify both trusted and user servers exist

404
			let result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

405
			assert.strictEqual(result.length, 2);

406


407
			// Remove user servers

408
			authenticationMcpAccessService.removeAllowedMcpServers('github', '[email protected]');

409


410
			// Should still have trusted server

411
			result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

412
			assert.strictEqual(result.length, 1);

413
			assert.strictEqual(result[0].id, 'trusted-server');

414
			assert.strictEqual(result[0].trusted, true);

415
		});

416


417
		test('fires onDidChangeMcpSessionAccess event', () => {

418
			let eventFired = false;

419
			let eventData: { providerId: string; accountName: string } | undefined;

420


421
			const disposable = authenticationMcpAccessService.onDidChangeMcpSessionAccess(event => {

422
				eventFired = true;

423
				eventData = event;

424
			});

425


426
			try {

427
				authenticationMcpAccessService.removeAllowedMcpServers('github', '[email protected]');

428


429
				assert.strictEqual(eventFired, true);

430
				assert.ok(eventData);

431
				assert.strictEqual(eventData.providerId, 'github');

432
				assert.strictEqual(eventData.accountName, '[email protected]');

433
			} finally {

434
				disposable.dispose();

435
			}

436
		});

437


438
		test('handles removal of non-existent data gracefully', () => {

439
			// Should not throw when trying to remove data that doesn't exist

440
			assert.doesNotThrow(() => {

441
				authenticationMcpAccessService.removeAllowedMcpServers('nonexistent', '[email protected]');

442
			});

443
		});

444
	});

445


446
	suite('onDidChangeMcpSessionAccess event', () => {

447
		test('event is fired for each update operation', () => {

448
			const events: Array<{ providerId: string; accountName: string }> = [];

449


450
			const disposable = authenticationMcpAccessService.onDidChangeMcpSessionAccess(event => {

451
				events.push(event);

452
			});

453


454
			try {

455
				// Should fire for update

456
				authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

457
					{ id: 'server1', name: 'Server 1', allowed: true }

458
				]);

459


460
				// Should fire for remove

461
				authenticationMcpAccessService.removeAllowedMcpServers('github', '[email protected]');

462


463
				// Should fire for different account

464
				authenticationMcpAccessService.updateAllowedMcpServers('microsoft', '[email protected]', [

465
					{ id: 'server2', name: 'Server 2', allowed: false }

466
				]);

467


468
				assert.strictEqual(events.length, 3);

469
				assert.strictEqual(events[0].providerId, 'github');

470
				assert.strictEqual(events[0].accountName, '[email protected]');

471
				assert.strictEqual(events[1].providerId, 'github');

472
				assert.strictEqual(events[1].accountName, '[email protected]');

473
				assert.strictEqual(events[2].providerId, 'microsoft');

474
				assert.strictEqual(events[2].accountName, '[email protected]');

475
			} finally {

476
				disposable.dispose();

477
			}

478
		});

479


480
		test('multiple listeners receive events', () => {

481
			let listener1Fired = false;

482
			let listener2Fired = false;

483


484
			const disposable1 = authenticationMcpAccessService.onDidChangeMcpSessionAccess(() => {

485
				listener1Fired = true;

486
			});

487


488
			const disposable2 = authenticationMcpAccessService.onDidChangeMcpSessionAccess(() => {

489
				listener2Fired = true;

490
			});

491


492
			try {

493
				authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

494
					{ id: 'server1', name: 'Server 1', allowed: true }

495
				]);

496


497
				assert.strictEqual(listener1Fired, true);

498
				assert.strictEqual(listener2Fired, true);

499
			} finally {

500
				disposable1.dispose();

501
				disposable2.dispose();

502
			}

503
		});

504
	});

505


506
	suite('integration scenarios', () => {

507
		test('complete workflow: add, update, query, remove', () => {

508
			const providerId = 'github';

509
			const accountName = '[email protected]';

510
			const serverId = 'test-server';

511


512
			// Initially unknown

513
			assert.strictEqual(

514
				authenticationMcpAccessService.isAccessAllowed(providerId, accountName, serverId),

515
				undefined

516
			);

517


518
			// Add server as allowed

519
			authenticationMcpAccessService.updateAllowedMcpServers(providerId, accountName, [

520
				{ id: serverId, name: 'Test Server', allowed: true }

521
			]);

522


523
			assert.strictEqual(

524
				authenticationMcpAccessService.isAccessAllowed(providerId, accountName, serverId),

525
				true

526
			);

527


528
			// Update to disallowed

529
			authenticationMcpAccessService.updateAllowedMcpServers(providerId, accountName, [

530
				{ id: serverId, name: 'Test Server', allowed: false }

531
			]);

532


533
			assert.strictEqual(

534
				authenticationMcpAccessService.isAccessAllowed(providerId, accountName, serverId),

535
				false

536
			);

537


538
			// Remove all

539
			authenticationMcpAccessService.removeAllowedMcpServers(providerId, accountName);

540


541
			assert.strictEqual(

542
				authenticationMcpAccessService.isAccessAllowed(providerId, accountName, serverId),

543
				undefined

544
			);

545
		});

546


547
		test('multiple providers and accounts are isolated', () => {

548
			// Add data for different combinations

549
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

550
				{ id: 'server1', name: 'Server 1', allowed: true }

551
			]);

552


553
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

554
				{ id: 'server1', name: 'Server 1', allowed: false }

555
			]);

556


557
			authenticationMcpAccessService.updateAllowedMcpServers('microsoft', '[email protected]', [

558
				{ id: 'server1', name: 'Server 1', allowed: true }

559
			]);

560


561
			// Verify isolation

562
			assert.strictEqual(

563
				authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'server1'),

564
				true

565
			);

566
			assert.strictEqual(

567
				authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'server1'),

568
				false

569
			);

570
			assert.strictEqual(

571
				authenticationMcpAccessService.isAccessAllowed('microsoft', '[email protected]', 'server1'),

572
				true

573
			);

574


575
			// Non-existent combinations should return undefined

576
			assert.strictEqual(

577
				authenticationMcpAccessService.isAccessAllowed('microsoft', '[email protected]', 'server1'),

578
				undefined

579
			);

580
		});

581


582
		test('product.json configuration takes precedence in all scenarios', () => {

583
			productService.trustedMcpAuthAccess = {

584
				'github': ['trusted-server'],

585
				'microsoft': ['microsoft-trusted']

586
			};

587


588
			// Trusted servers should always return true regardless of storage

589
			assert.strictEqual(

590
				authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'trusted-server'),

591
				true

592
			);

593


594
			// Try to override via storage

595
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

596
				{ id: 'trusted-server', name: 'Trusted Server', allowed: false }

597
			]);

598


599
			// Should still return true

600
			assert.strictEqual(

601
				authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'trusted-server'),

602
				true

603
			);

604


605
			// But non-trusted servers should still respect storage

606
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

607
				{ id: 'user-server', name: 'User Server', allowed: false }

608
			]);

609


610
			assert.strictEqual(

611
				authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'user-server'),

612
				false

613
			);

614
		});

615


616
		test('handles edge cases with empty or null values', () => {

617
			// Empty provider/account names

618
			assert.doesNotThrow(() => {

619
				authenticationMcpAccessService.isAccessAllowed('', '', 'server1');

620
			});

621


622
			// Empty server arrays

623
			assert.doesNotThrow(() => {

624
				authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', []);

625
			});

626


627
			// Empty server ID/name

628
			assert.doesNotThrow(() => {

629
				authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

630
					{ id: '', name: '', allowed: true }

631
				]);

632
			});

633
		});

634
	});

635
});

636


637