IntelliTect
diff --git a/‎Directory.Packages.props‎
Lines changed: 2 additions & 2 deletions b/‎Directory.Packages.props‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎EssentialCSharp.Web.Tests/McpTests.cs‎
Lines changed: 122 additions & 29 deletions b/‎EssentialCSharp.Web.Tests/McpTests.cs‎
Lines changed: 122 additions & 29 deletions
diff --git a/‎EssentialCSharp.Web.Tests/WebApplicationFactory.cs‎
Lines changed: 0 additions & 5 deletions b/‎EssentialCSharp.Web.Tests/WebApplicationFactory.cs‎
Lines changed: 0 additions & 5 deletions
diff --git a/‎EssentialCSharp.Web/Areas/Identity/Data/EssentialCSharpWebContext.cs‎
Lines changed: 2 additions & 0 deletions b/‎EssentialCSharp.Web/Areas/Identity/Data/EssentialCSharpWebContext.cs‎
Lines changed: 2 additions & 0 deletions
@@ -50,8 +50,8 @@
     <PackageVersion Include="Microsoft.VisualStudio.Azure.Containers.Tools.Targets" Version="1.23.0" />
     <PackageVersion Include="Microsoft.VisualStudio.Web.CodeGeneration.Design" Version="10.0.2" />
     <PackageVersion Include="Microsoft.Extensions.AI.OpenAI" Version="10.0.1-preview.1.25571.5" />
-    <PackageVersion Include="ModelContextProtocol" Version="0.3.0-preview.4" />
-    <PackageVersion Include="ModelContextProtocol.AspNetCore" Version="0.3.0-preview.4" />
+    <PackageVersion Include="ModelContextProtocol" Version="1.2.0" />
+    <PackageVersion Include="ModelContextProtocol.AspNetCore" Version="1.2.0" />
     <PackageVersion Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.3" />
     <PackageVersion Include="Moq" Version="4.20.72" />
     <PackageVersion Include="Moq.AutoMock" Version="4.0.2" />
 
@@ -1,62 +1,80 @@
 using System.Net;
 using System.Net.Http.Headers;
 using System.Text;
+using EssentialCSharp.Web.Areas.Identity.Data;
+using EssentialCSharp.Web.Data;
 using EssentialCSharp.Web.Services;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.Extensions.DependencyInjection;
-using System.Threading.Tasks;
 
 namespace EssentialCSharp.Web.Tests;
 
-public class McpTests
+[NotInParallel("McpTests")]
+[ClassDataSource<WebApplicationFactory>(Shared = SharedType.PerClass)]
+public class McpTests(WebApplicationFactory factory)
 {
-    [Fact]
+    [Test]
     public async Task McpTokenEndpoint_WithoutAuth_Returns401()
     {
-        using WebApplicationFactory factory = new();
         HttpClient client = factory.CreateClient(new WebApplicationFactoryClientOptions
         {
             AllowAutoRedirect = false
         });
 
         using HttpResponseMessage response = await client.PostAsync("/api/McpToken", null);
 
-        // [ApiController] returns 401 directly; it does not redirect to login like Razor Pages
-        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+        await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
     }
 
-    [Fact]
+    [Test]
     public async Task McpEndpoint_WithoutToken_Returns401()
     {
-        using WebApplicationFactory factory = new();
         HttpClient client = factory.CreateClient();
 
         var request = CreateMcpInitializeRequest("/mcp");
         using HttpResponseMessage response = await client.SendAsync(request);
 
-        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+        await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
     }
 
-    [Fact]
+    [Test]
     public async Task McpEndpoint_WithValidToken_Returns200AndListsTools()
     {
-        using WebApplicationFactory factory = new();
-
-        McpTokenService? tokenService = factory.Services.GetService<McpTokenService>();
-        Assert.NotNull(tokenService);
-
-        var (token, _) = tokenService.GenerateToken("test-user-id", "testuser", "test@example.com");
+        // Seed a minimal user row to satisfy the FK on McpApiToken.UserId, then
+        // create an opaque token via McpApiTokenService (replaces old JWT path).
+        string testUserId = Guid.NewGuid().ToString();
+        string rawToken;
+        using (var scope = factory.Services.CreateScope())
+        {
+            var db = scope.ServiceProvider.GetRequiredService<EssentialCSharpWebContext>();
+            db.Users.Add(new EssentialCSharpWebUser
+            {
+                Id = testUserId,
+                UserName = "mcp-testuser",
+                NormalizedUserName = "MCP-TESTUSER",
+                Email = "mcp-test@example.com",
+                NormalizedEmail = "MCP-TEST@EXAMPLE.COM",
+                SecurityStamp = Guid.NewGuid().ToString(),
+            });
+            await db.SaveChangesAsync();
+
+            var tokenService = scope.ServiceProvider.GetRequiredService<McpApiTokenService>();
+            (rawToken, _) = await tokenService.CreateTokenAsync(testUserId, "integration-test");
+        }
 
         HttpClient client = factory.CreateClient();
 
         // Step 1: Initialize the MCP session
         var initRequest = CreateMcpInitializeRequest("/mcp");
-        initRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        initRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", rawToken);
 
         using HttpResponseMessage initResponse = await client.SendAsync(initRequest);
-        Assert.Equal(HttpStatusCode.OK, initResponse.StatusCode);
+        await Assert.That(initResponse.StatusCode).IsEqualTo(HttpStatusCode.OK);
 
-        string sessionId = initResponse.Headers.GetValues("Mcp-Session-Id").First();
+        // Session ID is optional in stateless transport mode
+        string? sessionId = null;
+        if (initResponse.Headers.TryGetValues("Mcp-Session-Id", out IEnumerable<string>? sessionIdValues))
+            sessionId = sessionIdValues.First();
 
         // Step 2: List tools
         var listToolsRequest = new HttpRequestMessage(HttpMethod.Post, "/mcp")
@@ -65,31 +83,106 @@ public async Task McpEndpoint_WithValidToken_Returns200AndListsTools()
                 """{"jsonrpc":"2.0","id":2,"method":"tools/list","params":{}}""",
                 Encoding.UTF8, "application/json")
         };
-        listToolsRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
+        listToolsRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", rawToken);
         listToolsRequest.Headers.Accept.ParseAdd("application/json");
         listToolsRequest.Headers.Accept.ParseAdd("text/event-stream");
-        listToolsRequest.Headers.Add("Mcp-Session-Id", sessionId);
+        if (sessionId is not null)
+            listToolsRequest.Headers.Add("Mcp-Session-Id", sessionId);
 
         using HttpResponseMessage toolsResponse = await client.SendAsync(
             listToolsRequest, HttpCompletionOption.ResponseHeadersRead);
-        Assert.Equal(HttpStatusCode.OK, toolsResponse.StatusCode);
+        await Assert.That(toolsResponse.StatusCode).IsEqualTo(HttpStatusCode.OK);
 
-        // SSE streams arrive line-by-line; read until we find the data line or timeout
+        // Streamable HTTP response: read until we find the tool names or timeout
         using Stream stream = await toolsResponse.Content.ReadAsStreamAsync();
         using StreamReader reader = new(stream);
         using CancellationTokenSource cts = new(TimeSpan.FromSeconds(10));
-        string body = "";
+        var body = new StringBuilder();
         string? line;
         while ((line = await reader.ReadLineAsync(cts.Token)) is not null)
         {
-            body += line + "\n";
-            if (body.Contains("search_book_content") && body.Contains("get_chapter_list"))
+            body.AppendLine(line);
+            if (body.ToString().Contains("search_book_content") &&
+                body.ToString().Contains("get_chapter_list"))
                 break;
         }
 
-        // The MCP C# SDK converts PascalCase method names to snake_case for the wire protocol
-        Assert.Contains("search_book_content", body);
-        Assert.Contains("get_chapter_list", body);
+        string bodyText = body.ToString();
+        await Assert.That(bodyText).Contains("search_book_content");
+        await Assert.That(bodyText).Contains("get_chapter_list");
+    }
+
+    [Test]
+    public async Task McpEndpoint_WithInvalidToken_Returns401()
+    {
+        HttpClient client = factory.CreateClient();
+        var request = CreateMcpInitializeRequest("/mcp");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "mcp_invalid_token_that_does_not_exist");
+        using HttpResponseMessage response = await client.SendAsync(request);
+        await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
+    }
+
+    [Test]
+    public async Task McpEndpoint_WithRevokedToken_Returns401()
+    {
+        string testUserId = Guid.NewGuid().ToString();
+        string rawToken;
+        using (var scope = factory.Services.CreateScope())
+        {
+            var db = scope.ServiceProvider.GetRequiredService<EssentialCSharpWebContext>();
+            db.Users.Add(new EssentialCSharpWebUser
+            {
+                Id = testUserId,
+                UserName = $"revoked-user-{testUserId[..8]}",
+                NormalizedUserName = $"REVOKED-USER-{testUserId[..8].ToUpperInvariant()}",
+                Email = $"revoked-{testUserId[..8]}@example.com",
+                NormalizedEmail = $"REVOKED-{testUserId[..8].ToUpperInvariant()}@EXAMPLE.COM",
+                SecurityStamp = Guid.NewGuid().ToString(),
+            });
+            await db.SaveChangesAsync();
+
+            var tokenService = scope.ServiceProvider.GetRequiredService<McpApiTokenService>();
+            (rawToken, var entity) = await tokenService.CreateTokenAsync(testUserId, "revoke-test");
+            await tokenService.RevokeTokenAsync(entity.Id, testUserId);
+        }
+
+        HttpClient client = factory.CreateClient();
+        var request = CreateMcpInitializeRequest("/mcp");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", rawToken);
+        using HttpResponseMessage response = await client.SendAsync(request);
+        await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
+    }
+
+    [Test]
+    public async Task McpEndpoint_WithExpiredToken_Returns401()
+    {
+        string testUserId = Guid.NewGuid().ToString();
+        string rawToken;
+        using (var scope = factory.Services.CreateScope())
+        {
+            var db = scope.ServiceProvider.GetRequiredService<EssentialCSharpWebContext>();
+            db.Users.Add(new EssentialCSharpWebUser
+            {
+                Id = testUserId,
+                UserName = $"expired-user-{testUserId[..8]}",
+                NormalizedUserName = $"EXPIRED-USER-{testUserId[..8].ToUpperInvariant()}",
+                Email = $"expired-{testUserId[..8]}@example.com",
+                NormalizedEmail = $"EXPIRED-{testUserId[..8].ToUpperInvariant()}@EXAMPLE.COM",
+                SecurityStamp = Guid.NewGuid().ToString(),
+            });
+            await db.SaveChangesAsync();
+
+            var tokenService = scope.ServiceProvider.GetRequiredService<McpApiTokenService>();
+            // Create with an expiry in the past (1 second ago)
+            DateTime pastExpiry = DateTime.UtcNow.AddSeconds(-1);
+            (rawToken, _) = await tokenService.CreateTokenAsync(testUserId, "expired-test", pastExpiry);
+        }
+
+        HttpClient client = factory.CreateClient();
+        var request = CreateMcpInitializeRequest("/mcp");
+        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", rawToken);
+        using HttpResponseMessage response = await client.SendAsync(request);
+        await Assert.That(response.StatusCode).IsEqualTo(HttpStatusCode.Unauthorized);
     }
 
     private static HttpRequestMessage CreateMcpInitializeRequest(string path)
 
@@ -28,11 +28,6 @@ public Task InitializeAsync()
 
     protected override void ConfigureWebHost(IWebHostBuilder builder)
     {
-        // Inject a stable test signing key so MCP services are registered during
-        // service registration in Program.cs (which reads configuration["Mcp:SigningKey"]
-        // before builder.Build() is called — ConfigureAppConfiguration fires too late).
-        builder.UseSetting("Mcp:SigningKey", "TestOnly-EssentialCSharp-MCP-SigningKey-For-Integration-Tests!");
-
         builder.ConfigureServices(services =>
         {
             ServiceDescriptor? dbContextDescriptor = services.SingleOrDefault(
 
@@ -1,4 +1,5 @@
 using EssentialCSharp.Web.Areas.Identity.Data;
+using EssentialCSharp.Web.Models;
 using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
 using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore;
@@ -9,6 +10,7 @@ public class EssentialCSharpWebContext(DbContextOptions<EssentialCSharpWebContex
     : IdentityDbContext<EssentialCSharpWebUser>(options), IDataProtectionKeyContext
 {
     public DbSet<DataProtectionKey> DataProtectionKeys { get; set; } = null!;
+    public DbSet<McpApiToken> McpApiTokens { get; set; } = null!;
 
     protected override void OnModelCreating(ModelBuilder builder)
     {
Original file line number	Diff line number	Diff line change
`@@ -28,11 +28,6 @@ public Task InitializeAsync()`
`28`	`28`
`29`	`29`	`protected override void ConfigureWebHost(IWebHostBuilder builder)`
`30`	`30`	`{`
`31`		`- // Inject a stable test signing key so MCP services are registered during`
`32`		`- // service registration in Program.cs (which reads configuration["Mcp:SigningKey"]`
`33`		`- // before builder.Build() is called — ConfigureAppConfiguration fires too late).`
`34`		`- builder.UseSetting("Mcp:SigningKey", "TestOnly-EssentialCSharp-MCP-SigningKey-For-Integration-Tests!");`
`35`		`-`
`36`	`31`	`builder.ConfigureServices(services =>`
`37`	`32`	`{`
`38`	`33`	`ServiceDescriptor? dbContextDescriptor = services.SingleOrDefault(`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,5 @@`
`1`	`1`	`using EssentialCSharp.Web.Areas.Identity.Data;`
	`2`	`+using EssentialCSharp.Web.Models;`
`2`	`3`	`using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;`
`3`	`4`	`using Microsoft.AspNetCore.Identity.EntityFrameworkCore;`
`4`	`5`	`using Microsoft.EntityFrameworkCore;`
`@@ -9,6 +10,7 @@ public class EssentialCSharpWebContext(DbContextOptions<EssentialCSharpWebContex`
`9`	`10`	`: IdentityDbContext<EssentialCSharpWebUser>(options), IDataProtectionKeyContext`
`10`	`11`	`{`
`11`	`12`	`public DbSet<DataProtectionKey> DataProtectionKeys { get; set; } = null!;`
	`13`	`+ public DbSet<McpApiToken> McpApiTokens { get; set; } = null!;`
`12`	`14`
`13`	`15`	`protected override void OnModelCreating(ModelBuilder builder)`
`14`	`16`	`{`