config-audit/tests/knowledge/knowledge-staleness.test.mjs
Kjell Tore Guttormsen b3c572ad46 fix(mcp-config-validator): remove invented trust field (verify-first)
`.mcp.json` has no per-server `trust` key — verified 2026-06-18 against
code.claude.com/docs/en/mcp + /settings. MCP server approval is
dialog/settings-based (enableAllProjectMcpServers / enabledMcpjsonServers /
disabledMcpjsonServers), never a JSON field. The scanner's "Missing trust
level" (CA-MCP-001, medium) and "Invalid trust level" (high) were false
positives flagging a field that does not exist.

- scanner: delete both trust checks + VALID_TRUST_LEVELS; drop `trust` from
  VALID_SERVER_FIELDS so a stray `trust` is now flagged as an unknown field
- humanizer: remove the two trust-level entries
- knowledge (5 files): point to the real approval mechanism, not a trust field
- fixtures: scrub `trust` (incl. the invalid "local" in optimal-setup)
- tests: flip assertions (no trust-level finding; stray trust -> unknown
  field) + add knowledge-staleness re-freeze guards
- snapshots: reseed (marketplace-medium .mcp.json -8 tokens, hermetic)
- gap-matrix: mark the trust verify-first item DONE

Suite: 853/853 green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Ter3E2JSi1Khgmuf2kady8
2026-06-18 14:22:56 +02:00

94 lines
4.8 KiB
JavaScript

// Knowledge-base staleness guard.
//
// The gap-review (CC 2.1.114->181) found config-audit's knowledge corpus frozen
// at ~v2.1.111, so it described an Opus-4.7 world after CC had shipped Opus 4.8
// and Fable 5. These assertions encode facts re-verified against the official
// Claude Code changelog (~/.claude/cache/changelog.md) on 2026-06-18 so the
// corpus cannot silently re-freeze. Each fact carries its verified version.
//
// Verified facts (official changelog, CC 2.1.181):
// Opus 4.8 default + high effort + /effort xhigh ... 2.1.154
// lean system prompt now default (except Haiku/Sonnet/4.7-) 2.1.154
// Claude Fable 5 (Mythos-class) .................... 2.1.170
// /simplify renamed to /code-review ............... 2.1.147
// /config key=value in-session settings ........... 2.1.181
// MessageDisplay hook event ....................... 2.1.152
// post-session lifecycle hook ..................... 2.1.169
// Stop/SubagentStop return additionalContext ...... 2.1.163 (NOT 2.1.165)
import { test } from 'node:test';
import assert from 'node:assert/strict';
import { readFileSync } from 'node:fs';
import { fileURLToPath } from 'node:url';
const read = (rel) =>
readFileSync(fileURLToPath(new URL(`../../knowledge/${rel}`, import.meta.url)), 'utf8');
test('feature-evolution.md records the Opus 4.8 era (not frozen at v2.1.111)', () => {
const md = read('feature-evolution.md');
assert.match(md, /Opus 4\.8/, 'must record Opus 4.8 as the new default');
assert.match(md, /Fable 5/, 'must record Claude Fable 5');
assert.match(md, /2\.1\.170/, 'Fable 5 verified at v2.1.170');
assert.match(md, /2\.1\.154/, 'Opus 4.8 / xhigh / lean prompt verified at v2.1.154');
assert.match(md, /xhigh/, 'must record the /effort xhigh tier');
});
test('feature-evolution.md records the /simplify -> /code-review rename', () => {
const md = read('feature-evolution.md');
assert.match(md, /\/code-review/, 'bundled skill renamed to /code-review (2.1.147)');
});
test('feature-evolution.md records /config key=value', () => {
const md = read('feature-evolution.md');
assert.match(md, /\/config/, '/config key=value in-session settings (2.1.181)');
});
test('hook-events-reference.md header reflects 28 events, not 26', () => {
const md = read('hook-events-reference.md');
assert.match(md, /28 hook events/, 'count must be 28 after MessageDisplay + post-session');
assert.doesNotMatch(md, /26 hook events/, 'stale "26 hook events" must be gone');
});
test('hook-events-reference.md lists MessageDisplay and post-session events', () => {
const md = read('hook-events-reference.md');
assert.match(md, /MessageDisplay/, 'MessageDisplay hook event (2.1.152)');
assert.match(md, /post-session/, 'post-session lifecycle hook (2.1.169)');
});
test('hook-events-reference.md documents Stop/SubagentStop additionalContext at 2.1.163', () => {
const md = read('hook-events-reference.md');
// The feature shipped in 2.1.163 (NOT 2.1.165 — that release was bug fixes only).
assert.match(md, /SubagentStop[\s\S]*additionalContext|additionalContext[\s\S]*SubagentStop/,
'Stop/SubagentStop additionalContext output field must be documented');
assert.match(md, /2\.1\.163/, 'additionalContext for Stop/SubagentStop verified at v2.1.163');
});
test('claude-code-capabilities.md bundled skills use /code-review, not stale /simplify', () => {
const md = read('claude-code-capabilities.md');
assert.match(md, /\/code-review/, 'bundled-skill list must list /code-review');
assert.doesNotMatch(md, /\/simplify/, '/simplify was renamed to /code-review (2.1.147)');
});
test('claude-code-capabilities.md documents /config key=value', () => {
const md = read('claude-code-capabilities.md');
assert.match(md, /\/config/, '/config key=value in-session settings (2.1.181)');
});
// MCP `trust` is NOT a real .mcp.json field (verified 2026-06-18 against
// code.claude.com/docs/en/mcp + /settings). Approval is dialog/settings-based.
// These guards stop the corpus from re-fabricating the field.
test('claude-code-capabilities.md does not resurrect the invented MCP `trust` field', () => {
const md = read('claude-code-capabilities.md');
assert.doesNotMatch(md, /"trust":\s*"workspace/,
'the fabricated `trust` field must not return to the .mcp.json schema example');
assert.match(md, /enableAllProjectMcpServers|enabledMcpjsonServers/,
'must document the real MCP approval mechanism');
});
test('configuration-best-practices.md recommends real MCP approval, not a `trust` field', () => {
const md = read('configuration-best-practices.md');
assert.match(md, /enabledMcpjsonServers|enableAllProjectMcpServers/,
'must point to the real settings-based approval mechanism');
assert.doesNotMatch(md, /Set trust levels explicitly/,
'the invented "set trust levels" advice must be gone');
});