e4a94df4fc
api.WriteNote captures the file-write logic that was previously inline in Handler.Write. The existing HTTP endpoint now delegates to it; the new MCP brain_write tool reuses the same function. Path-traversal guard is strengthened to explicitly reject filenames containing path separators or "..", so the rejection is surfaced before filepath.Base strips the suspicious component (the previous defense-in-depth prefix check became unreachable for these inputs after Base normalisation). HTTP error code for caller-input errors shifts from 500 to 400, which is semantically correct and not exercised by any existing test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
97 lines
2.7 KiB
Go
97 lines
2.7 KiB
Go
package mcp_test
|
|
|
|
import (
|
|
"bytes"
|
|
"encoding/json"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"github.com/mathiasbq/hyperguild/ingestion/internal/mcp"
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func toolCall(t *testing.T, srv http.Handler, name string, args map[string]any) map[string]any {
|
|
t.Helper()
|
|
bodyBytes, err := json.Marshal(map[string]any{
|
|
"jsonrpc": "2.0", "id": 1, "method": "tools/call",
|
|
"params": map[string]any{"name": name, "arguments": args},
|
|
})
|
|
require.NoError(t, err)
|
|
req := httptest.NewRequest(http.MethodPost, "/mcp", bytes.NewReader(bodyBytes))
|
|
rr := httptest.NewRecorder()
|
|
srv.ServeHTTP(rr, req)
|
|
require.Equal(t, http.StatusOK, rr.Code)
|
|
var resp map[string]any
|
|
require.NoError(t, json.Unmarshal(rr.Body.Bytes(), &resp))
|
|
return resp
|
|
}
|
|
|
|
func TestBrainQueryReturnsResults(t *testing.T) {
|
|
brainDir := t.TempDir()
|
|
knowledge := filepath.Join(brainDir, "knowledge")
|
|
require.NoError(t, os.MkdirAll(knowledge, 0o755))
|
|
require.NoError(t, os.WriteFile(
|
|
filepath.Join(knowledge, "tdd.md"),
|
|
[]byte("# TDD\n\nTest-driven development is iterative.\n"),
|
|
0o644,
|
|
))
|
|
|
|
srv := mcp.NewServer(brainDir, nil, nil)
|
|
resp := toolCall(t, srv, "brain_query", map[string]any{"query": "tdd"})
|
|
|
|
require.Nil(t, resp["error"])
|
|
result := resp["result"].(map[string]any)
|
|
content := result["content"].([]any)
|
|
require.NotEmpty(t, content)
|
|
text := content[0].(map[string]any)["text"].(string)
|
|
assert.Contains(t, text, "tdd.md")
|
|
}
|
|
|
|
func TestBrainWriteCreatesFile(t *testing.T) {
|
|
brainDir := t.TempDir()
|
|
srv := mcp.NewServer(brainDir, nil, nil)
|
|
|
|
resp := toolCall(t, srv, "brain_write", map[string]any{
|
|
"content": "# Test\n\nbody",
|
|
"filename": "test.md",
|
|
"type": "note",
|
|
"domain": "personal",
|
|
})
|
|
require.Nil(t, resp["error"])
|
|
|
|
got, err := os.ReadFile(filepath.Join(brainDir, "knowledge", "test.md"))
|
|
require.NoError(t, err)
|
|
assert.Contains(t, string(got), "type: note")
|
|
assert.Contains(t, string(got), "domain: personal")
|
|
assert.Contains(t, string(got), "# Test")
|
|
}
|
|
|
|
func TestBrainWriteRejectsTraversal(t *testing.T) {
|
|
brainDir := t.TempDir()
|
|
srv := mcp.NewServer(brainDir, nil, nil)
|
|
|
|
resp := toolCall(t, srv, "brain_write", map[string]any{
|
|
"content": "x",
|
|
"filename": "../escape.md",
|
|
})
|
|
require.NotNil(t, resp["error"])
|
|
}
|
|
|
|
func TestBrainWriteAcceptsDoubleDotInName(t *testing.T) {
|
|
brainDir := t.TempDir()
|
|
srv := mcp.NewServer(brainDir, nil, nil)
|
|
|
|
resp := toolCall(t, srv, "brain_write", map[string]any{
|
|
"content": "x",
|
|
"filename": "notes..draft.md",
|
|
})
|
|
require.Nil(t, resp["error"])
|
|
|
|
_, err := os.Stat(filepath.Join(brainDir, "knowledge", "notes..draft.md"))
|
|
require.NoError(t, err, "filename with embedded .. should be allowed")
|
|
}
|