Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
microsoft
GitHub Repository: microsoft/vscode
 Path: blob/main/src/vs/workbench/services/authentication/test/browser/authenticationMcpAccessService.test.ts
5221 views
1
/*---------------------------------------------------------------------------------------------

2
 *  Copyright (c) Microsoft Corporation. All rights reserved.

3
 *  Licensed under the MIT License. See License.txt in the project root for license information.

4
 *--------------------------------------------------------------------------------------------*/

5


6
import assert from 'assert';

7
import { ensureNoDisposablesAreLeakedInTestSuite } from '../../../../../base/test/common/utils.js';

8
import { TestInstantiationService } from '../../../../../platform/instantiation/test/common/instantiationServiceMock.js';

9
import { IStorageService, StorageScope, StorageTarget } from '../../../../../platform/storage/common/storage.js';

10
import { IProductService } from '../../../../../platform/product/common/productService.js';

11
import { TestStorageService, TestProductService } from '../../../../test/common/workbenchTestServices.js';

12
import { AuthenticationMcpAccessService, AllowedMcpServer, IAuthenticationMcpAccessService } from '../../browser/authenticationMcpAccessService.js';

13


14
suite('AuthenticationMcpAccessService', () => {

15
	const disposables = ensureNoDisposablesAreLeakedInTestSuite();

16


17
	let instantiationService: TestInstantiationService;

18
	let storageService: TestStorageService;

19
	let productService: IProductService & { trustedMcpAuthAccess?: string[] | Record<string, string[]> };

20
	let authenticationMcpAccessService: IAuthenticationMcpAccessService;

21


22
	setup(() => {

23
		instantiationService = disposables.add(new TestInstantiationService());

24


25
		// Set up storage service

26
		storageService = disposables.add(new TestStorageService());

27
		instantiationService.stub(IStorageService, storageService);

28


29
		// Set up product service with no trusted servers by default

30
		productService = { ...TestProductService };

31
		instantiationService.stub(IProductService, productService);

32


33
		// Create the service instance

34
		authenticationMcpAccessService = disposables.add(instantiationService.createInstance(AuthenticationMcpAccessService));

35
	});

36


37
	suite('isAccessAllowed', () => {

38
		test('returns undefined for unknown MCP server with no product configuration', () => {

39
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'unknown-server');

40
			assert.strictEqual(result, undefined);

41
		});

42


43
		test('returns true for trusted MCP server from product.json (array format)', () => {

44
			productService.trustedMcpAuthAccess = ['trusted-server-1', 'trusted-server-2'];

45


46
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'trusted-server-1');

47
			assert.strictEqual(result, true);

48
		});

49


50
		test('returns true for trusted MCP server from product.json (object format)', () => {

51
			productService.trustedMcpAuthAccess = {

52
				'github': ['github-server'],

53
				'microsoft': ['microsoft-server']

54
			};

55


56
			const result1 = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'github-server');

57
			assert.strictEqual(result1, true);

58


59
			const result2 = authenticationMcpAccessService.isAccessAllowed('microsoft', '[email protected]', 'microsoft-server');

60
			assert.strictEqual(result2, true);

61
		});

62


63
		test('returns undefined for MCP server not in trusted list', () => {

64
			productService.trustedMcpAuthAccess = ['trusted-server'];

65


66
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'untrusted-server');

67
			assert.strictEqual(result, undefined);

68
		});

69


70
		test('returns stored allowed state when server is in storage', () => {

71
			// Add server to storage

72
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [{

73
				id: 'stored-server',

74
				name: 'Stored Server',

75
				allowed: false

76
			}]);

77


78
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'stored-server');

79
			assert.strictEqual(result, false);

80
		});

81


82
		test('returns true for server in storage with allowed=true', () => {

83
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [{

84
				id: 'allowed-server',

85
				name: 'Allowed Server',

86
				allowed: true

87
			}]);

88


89
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'allowed-server');

90
			assert.strictEqual(result, true);

91
		});

92


93
		test('returns true for server in storage with undefined allowed property (legacy behavior)', () => {

94
			// Simulate legacy data where allowed property didn't exist

95
			const legacyServer: AllowedMcpServer = {

96
				id: 'legacy-server',

97
				name: 'Legacy Server'

98
				// allowed property is undefined

99
			};

100


101
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [legacyServer]);

102


103
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'legacy-server');

104
			assert.strictEqual(result, true);

105
		});

106


107
		test('product.json trusted servers take precedence over storage', () => {

108
			productService.trustedMcpAuthAccess = ['product-trusted-server'];

109


110
			// Try to store the same server as not allowed

111
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [{

112
				id: 'product-trusted-server',

113
				name: 'Product Trusted Server',

114
				allowed: false

115
			}]);

116


117
			// Product.json should take precedence

118
			const result = authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'product-trusted-server');

119
			assert.strictEqual(result, true);

120
		});

121
	});

122


123
	suite('readAllowedMcpServers', () => {

124
		test('returns empty array when no data exists', () => {

125
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

126
			assert.strictEqual(result.length, 0);

127
		});

128


129
		test('returns stored MCP servers', () => {

130
			const servers: AllowedMcpServer[] = [

131
				{ id: 'server1', name: 'Server 1', allowed: true },

132
				{ id: 'server2', name: 'Server 2', allowed: false }

133
			];

134


135
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', servers);

136


137
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

138
			assert.strictEqual(result.length, 2);

139
			assert.strictEqual(result[0].id, 'server1');

140
			assert.strictEqual(result[0].allowed, true);

141
			assert.strictEqual(result[1].id, 'server2');

142
			assert.strictEqual(result[1].allowed, false);

143
		});

144


145
		test('includes trusted servers from product.json (array format)', () => {

146
			productService.trustedMcpAuthAccess = ['trusted-server-1', 'trusted-server-2'];

147


148
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

149
			assert.strictEqual(result.length, 2);

150


151
			const trustedServer1 = result.find(s => s.id === 'trusted-server-1');

152
			assert.ok(trustedServer1);

153
			assert.strictEqual(trustedServer1.allowed, true);

154
			assert.strictEqual(trustedServer1.trusted, true);

155
			assert.strictEqual(trustedServer1.name, 'trusted-server-1'); // Should default to ID

156


157
			const trustedServer2 = result.find(s => s.id === 'trusted-server-2');

158
			assert.ok(trustedServer2);

159
			assert.strictEqual(trustedServer2.allowed, true);

160
			assert.strictEqual(trustedServer2.trusted, true);

161
		});

162


163
		test('includes trusted servers from product.json (object format)', () => {

164
			productService.trustedMcpAuthAccess = {

165
				'github': ['github-server'],

166
				'microsoft': ['microsoft-server']

167
			};

168


169
			const githubResult = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

170
			assert.strictEqual(githubResult.length, 1);

171
			assert.strictEqual(githubResult[0].id, 'github-server');

172
			assert.strictEqual(githubResult[0].trusted, true);

173


174
			const microsoftResult = authenticationMcpAccessService.readAllowedMcpServers('microsoft', '[email protected]');

175
			assert.strictEqual(microsoftResult.length, 1);

176
			assert.strictEqual(microsoftResult[0].id, 'microsoft-server');

177
			assert.strictEqual(microsoftResult[0].trusted, true);

178


179
			// Provider not in trusted list should return empty (no stored servers)

180
			const unknownResult = authenticationMcpAccessService.readAllowedMcpServers('unknown', '[email protected]');

181
			assert.strictEqual(unknownResult.length, 0);

182
		});

183


184
		test('merges stored servers with trusted servers from product.json', () => {

185
			productService.trustedMcpAuthAccess = ['trusted-server'];

186


187
			// Add some stored servers

188
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

189
				{ id: 'stored-server', name: 'Stored Server', allowed: false }

190
			]);

191


192
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

193
			assert.strictEqual(result.length, 2);

194


195
			const trustedServer = result.find(s => s.id === 'trusted-server');

196
			assert.ok(trustedServer);

197
			assert.strictEqual(trustedServer.trusted, true);

198
			assert.strictEqual(trustedServer.allowed, true);

199


200
			const storedServer = result.find(s => s.id === 'stored-server');

201
			assert.ok(storedServer);

202
			assert.strictEqual(storedServer.trusted, undefined);

203
			assert.strictEqual(storedServer.allowed, false);

204
		});

205


206
		test('updates existing stored server to be trusted when it appears in product.json', () => {

207
			// First add a server as stored (not trusted)

208
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

209
				{ id: 'server-1', name: 'Server 1', allowed: false }

210
			]);

211


212
			// Then make it trusted via product.json

213
			productService.trustedMcpAuthAccess = ['server-1'];

214


215
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

216
			assert.strictEqual(result.length, 1);

217


218
			const server = result[0];

219
			assert.strictEqual(server.id, 'server-1');

220
			assert.strictEqual(server.allowed, true); // Should be overridden to true

221
			assert.strictEqual(server.trusted, true); // Should be marked as trusted

222
			assert.strictEqual(server.name, 'Server 1'); // Should keep existing name

223
		});

224


225
		test('handles malformed JSON in storage gracefully', () => {

226
			// Manually corrupt the storage

227
			storageService.store('[email protected]', 'invalid json', StorageScope.APPLICATION, StorageTarget.USER);

228


229
			// Should return empty array instead of throwing

230
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

231
			assert.strictEqual(result.length, 0);

232
		});

233


234
		test('handles non-array product.json configuration gracefully', () => {

235
			// Set up invalid configuration

236
			// eslint-disable-next-line local/code-no-any-casts

237
			productService.trustedMcpAuthAccess = 'invalid-string' as any;

238


239
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

240
			assert.strictEqual(result.length, 0);

241
		});

242
	});

243


244
	suite('updateAllowedMcpServers', () => {

245
		test('stores new MCP servers', () => {

246
			const servers: AllowedMcpServer[] = [

247
				{ id: 'server1', name: 'Server 1', allowed: true },

248
				{ id: 'server2', name: 'Server 2', allowed: false }

249
			];

250


251
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', servers);

252


253
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

254
			assert.strictEqual(result.length, 2);

255
			assert.strictEqual(result[0].id, 'server1');

256
			assert.strictEqual(result[1].id, 'server2');

257
		});

258


259
		test('updates existing MCP server allowed status', () => {

260
			// First add a server

261
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

262
				{ id: 'server1', name: 'Server 1', allowed: true }

263
			]);

264


265
			// Then update its allowed status

266
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

267
				{ id: 'server1', name: 'Server 1', allowed: false }

268
			]);

269


270
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

271
			assert.strictEqual(result.length, 1);

272
			assert.strictEqual(result[0].allowed, false);

273
		});

274


275
		test('updates existing MCP server name when new name is provided', () => {

276
			// First add a server with default name

277
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

278
				{ id: 'server1', name: 'server1', allowed: true }

279
			]);

280


281
			// Then update with a proper name

282
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

283
				{ id: 'server1', name: 'My Server', allowed: true }

284
			]);

285


286
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

287
			assert.strictEqual(result.length, 1);

288
			assert.strictEqual(result[0].name, 'My Server');

289
		});

290


291
		test('does not update name when new name is same as ID', () => {

292
			// First add a server with a proper name

293
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

294
				{ id: 'server1', name: 'My Server', allowed: true }

295
			]);

296


297
			// Then try to update with ID as name (should keep existing name)

298
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

299
				{ id: 'server1', name: 'server1', allowed: false }

300
			]);

301


302
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

303
			assert.strictEqual(result.length, 1);

304
			assert.strictEqual(result[0].name, 'My Server'); // Should keep original name

305
			assert.strictEqual(result[0].allowed, false); // But allowed status should update

306
		});

307


308
		test('adds new servers while preserving existing ones', () => {

309
			// First add one server

310
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

311
				{ id: 'server1', name: 'Server 1', allowed: true }

312
			]);

313


314
			// Then add another server

315
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

316
				{ id: 'server2', name: 'Server 2', allowed: false }

317
			]);

318


319
			const result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

320
			assert.strictEqual(result.length, 2);

321


322
			const server1 = result.find(s => s.id === 'server1');

323
			const server2 = result.find(s => s.id === 'server2');

324
			assert.ok(server1);

325
			assert.ok(server2);

326
			assert.strictEqual(server1.allowed, true);

327
			assert.strictEqual(server2.allowed, false);

328
		});

329


330
		test('does not store trusted servers from product.json', () => {

331
			productService.trustedMcpAuthAccess = ['trusted-server'];

332


333
			// Try to update a trusted server

334
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

335
				{ id: 'trusted-server', name: 'Trusted Server', allowed: false, trusted: true },

336
				{ id: 'user-server', name: 'User Server', allowed: true }

337
			]);

338


339
			// Check what's actually stored in storage (not including product.json servers)

340
			const storageKey = '[email protected]';

341
			const storedData = JSON.parse(storageService.get(storageKey, StorageScope.APPLICATION) || '[]');

342


343
			// Should only contain the user-managed server, not the trusted one

344
			assert.strictEqual(storedData.length, 1);

345
			assert.strictEqual(storedData[0].id, 'user-server');

346


347
			// But readAllowedMcpServers should return both (including trusted from product.json)

348
			const allServers = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

349
			assert.strictEqual(allServers.length, 2);

350
		});

351


352
		test('fires onDidChangeMcpSessionAccess event', () => {

353
			let eventFired = false;

354
			let eventData: { providerId: string; accountName: string } | undefined;

355


356
			const disposable = authenticationMcpAccessService.onDidChangeMcpSessionAccess(event => {

357
				eventFired = true;

358
				eventData = event;

359
			});

360


361
			try {

362
				authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

363
					{ id: 'server1', name: 'Server 1', allowed: true }

364
				]);

365


366
				assert.strictEqual(eventFired, true);

367
				assert.ok(eventData);

368
				assert.strictEqual(eventData.providerId, 'github');

369
				assert.strictEqual(eventData.accountName, '[email protected]');

370
			} finally {

371
				disposable.dispose();

372
			}

373
		});

374
	});

375


376
	suite('removeAllowedMcpServers', () => {

377
		test('removes all stored MCP servers for account', () => {

378
			// First add some servers

379
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

380
				{ id: 'server1', name: 'Server 1', allowed: true },

381
				{ id: 'server2', name: 'Server 2', allowed: false }

382
			]);

383


384
			// Verify they exist

385
			let result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

386
			assert.strictEqual(result.length, 2);

387


388
			// Remove them

389
			authenticationMcpAccessService.removeAllowedMcpServers('github', '[email protected]');

390


391
			// Verify they're gone

392
			result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

393
			assert.strictEqual(result.length, 0);

394
		});

395


396
		test('does not affect trusted servers from product.json', () => {

397
			productService.trustedMcpAuthAccess = ['trusted-server'];

398


399
			// Add some user-managed servers

400
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

401
				{ id: 'user-server', name: 'User Server', allowed: true }

402
			]);

403


404
			// Verify both trusted and user servers exist

405
			let result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

406
			assert.strictEqual(result.length, 2);

407


408
			// Remove user servers

409
			authenticationMcpAccessService.removeAllowedMcpServers('github', '[email protected]');

410


411
			// Should still have trusted server

412
			result = authenticationMcpAccessService.readAllowedMcpServers('github', '[email protected]');

413
			assert.strictEqual(result.length, 1);

414
			assert.strictEqual(result[0].id, 'trusted-server');

415
			assert.strictEqual(result[0].trusted, true);

416
		});

417


418
		test('fires onDidChangeMcpSessionAccess event', () => {

419
			let eventFired = false;

420
			let eventData: { providerId: string; accountName: string } | undefined;

421


422
			const disposable = authenticationMcpAccessService.onDidChangeMcpSessionAccess(event => {

423
				eventFired = true;

424
				eventData = event;

425
			});

426


427
			try {

428
				authenticationMcpAccessService.removeAllowedMcpServers('github', '[email protected]');

429


430
				assert.strictEqual(eventFired, true);

431
				assert.ok(eventData);

432
				assert.strictEqual(eventData.providerId, 'github');

433
				assert.strictEqual(eventData.accountName, '[email protected]');

434
			} finally {

435
				disposable.dispose();

436
			}

437
		});

438


439
		test('handles removal of non-existent data gracefully', () => {

440
			// Should not throw when trying to remove data that doesn't exist

441
			assert.doesNotThrow(() => {

442
				authenticationMcpAccessService.removeAllowedMcpServers('nonexistent', '[email protected]');

443
			});

444
		});

445
	});

446


447
	suite('onDidChangeMcpSessionAccess event', () => {

448
		test('event is fired for each update operation', () => {

449
			const events: Array<{ providerId: string; accountName: string }> = [];

450


451
			const disposable = authenticationMcpAccessService.onDidChangeMcpSessionAccess(event => {

452
				events.push(event);

453
			});

454


455
			try {

456
				// Should fire for update

457
				authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

458
					{ id: 'server1', name: 'Server 1', allowed: true }

459
				]);

460


461
				// Should fire for remove

462
				authenticationMcpAccessService.removeAllowedMcpServers('github', '[email protected]');

463


464
				// Should fire for different account

465
				authenticationMcpAccessService.updateAllowedMcpServers('microsoft', '[email protected]', [

466
					{ id: 'server2', name: 'Server 2', allowed: false }

467
				]);

468


469
				assert.strictEqual(events.length, 3);

470
				assert.strictEqual(events[0].providerId, 'github');

471
				assert.strictEqual(events[0].accountName, '[email protected]');

472
				assert.strictEqual(events[1].providerId, 'github');

473
				assert.strictEqual(events[1].accountName, '[email protected]');

474
				assert.strictEqual(events[2].providerId, 'microsoft');

475
				assert.strictEqual(events[2].accountName, '[email protected]');

476
			} finally {

477
				disposable.dispose();

478
			}

479
		});

480


481
		test('multiple listeners receive events', () => {

482
			let listener1Fired = false;

483
			let listener2Fired = false;

484


485
			const disposable1 = authenticationMcpAccessService.onDidChangeMcpSessionAccess(() => {

486
				listener1Fired = true;

487
			});

488


489
			const disposable2 = authenticationMcpAccessService.onDidChangeMcpSessionAccess(() => {

490
				listener2Fired = true;

491
			});

492


493
			try {

494
				authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

495
					{ id: 'server1', name: 'Server 1', allowed: true }

496
				]);

497


498
				assert.strictEqual(listener1Fired, true);

499
				assert.strictEqual(listener2Fired, true);

500
			} finally {

501
				disposable1.dispose();

502
				disposable2.dispose();

503
			}

504
		});

505
	});

506


507
	suite('integration scenarios', () => {

508
		test('complete workflow: add, update, query, remove', () => {

509
			const providerId = 'github';

510
			const accountName = '[email protected]';

511
			const serverId = 'test-server';

512


513
			// Initially unknown

514
			assert.strictEqual(

515
				authenticationMcpAccessService.isAccessAllowed(providerId, accountName, serverId),

516
				undefined

517
			);

518


519
			// Add server as allowed

520
			authenticationMcpAccessService.updateAllowedMcpServers(providerId, accountName, [

521
				{ id: serverId, name: 'Test Server', allowed: true }

522
			]);

523


524
			assert.strictEqual(

525
				authenticationMcpAccessService.isAccessAllowed(providerId, accountName, serverId),

526
				true

527
			);

528


529
			// Update to disallowed

530
			authenticationMcpAccessService.updateAllowedMcpServers(providerId, accountName, [

531
				{ id: serverId, name: 'Test Server', allowed: false }

532
			]);

533


534
			assert.strictEqual(

535
				authenticationMcpAccessService.isAccessAllowed(providerId, accountName, serverId),

536
				false

537
			);

538


539
			// Remove all

540
			authenticationMcpAccessService.removeAllowedMcpServers(providerId, accountName);

541


542
			assert.strictEqual(

543
				authenticationMcpAccessService.isAccessAllowed(providerId, accountName, serverId),

544
				undefined

545
			);

546
		});

547


548
		test('multiple providers and accounts are isolated', () => {

549
			// Add data for different combinations

550
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

551
				{ id: 'server1', name: 'Server 1', allowed: true }

552
			]);

553


554
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

555
				{ id: 'server1', name: 'Server 1', allowed: false }

556
			]);

557


558
			authenticationMcpAccessService.updateAllowedMcpServers('microsoft', '[email protected]', [

559
				{ id: 'server1', name: 'Server 1', allowed: true }

560
			]);

561


562
			// Verify isolation

563
			assert.strictEqual(

564
				authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'server1'),

565
				true

566
			);

567
			assert.strictEqual(

568
				authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'server1'),

569
				false

570
			);

571
			assert.strictEqual(

572
				authenticationMcpAccessService.isAccessAllowed('microsoft', '[email protected]', 'server1'),

573
				true

574
			);

575


576
			// Non-existent combinations should return undefined

577
			assert.strictEqual(

578
				authenticationMcpAccessService.isAccessAllowed('microsoft', '[email protected]', 'server1'),

579
				undefined

580
			);

581
		});

582


583
		test('product.json configuration takes precedence in all scenarios', () => {

584
			productService.trustedMcpAuthAccess = {

585
				'github': ['trusted-server'],

586
				'microsoft': ['microsoft-trusted']

587
			};

588


589
			// Trusted servers should always return true regardless of storage

590
			assert.strictEqual(

591
				authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'trusted-server'),

592
				true

593
			);

594


595
			// Try to override via storage

596
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

597
				{ id: 'trusted-server', name: 'Trusted Server', allowed: false }

598
			]);

599


600
			// Should still return true

601
			assert.strictEqual(

602
				authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'trusted-server'),

603
				true

604
			);

605


606
			// But non-trusted servers should still respect storage

607
			authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

608
				{ id: 'user-server', name: 'User Server', allowed: false }

609
			]);

610


611
			assert.strictEqual(

612
				authenticationMcpAccessService.isAccessAllowed('github', '[email protected]', 'user-server'),

613
				false

614
			);

615
		});

616


617
		test('handles edge cases with empty or null values', () => {

618
			// Empty provider/account names

619
			assert.doesNotThrow(() => {

620
				authenticationMcpAccessService.isAccessAllowed('', '', 'server1');

621
			});

622


623
			// Empty server arrays

624
			assert.doesNotThrow(() => {

625
				authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', []);

626
			});

627


628
			// Empty server ID/name

629
			assert.doesNotThrow(() => {

630
				authenticationMcpAccessService.updateAllowedMcpServers('github', '[email protected]', [

631
					{ id: '', name: '', allowed: true }

632
				]);

633
			});

634
		});

635
	});

636
});

637


638