Local LLM MCP Server

TEST_REPORT.md•7.53 kB

# Test Report: Security and Metadata Fixes Validation **Branch:** `fix/security-and-metadata-issues` **Date:** 2025-10-09 **Commit:** b9af7de ## Executive Summary ✅ **All fixes validated and working correctly** - **Build Status:** ✅ PASS (no TypeScript errors) - **Existing Tests:** ✅ 12/12 PASS (no regressions) - **Fix Validation Tests:** ✅ 8/8 PASS (all fixes working) --- ## Fixes Implemented ### 🔴 HIGH - Privacy Leak in secureRewrite **Location:** `src/privacy-tools.ts:23-25` **Issue:** Only first occurrence of sensitive data was replaced, leaving duplicates exposed to LLM **Fix:** ```javascript // Before: preprocessedContent.replace(item.value, placeholder) // After: Global regex replacement const escapedValue = item.value.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); preprocessedContent = preprocessedContent.replace(new RegExp(escapedValue, 'g'), placeholder); ``` **Validation:** ✅ PASS - ✅ Duplicate names removed (tested: "Sarah Johnson" appears twice) - ✅ Duplicate emails removed (tested: john@example.com appears twice) - ✅ Duplicate phones removed (tested: 555-123-4567 appears twice) --- ### 🟡 MEDIUM - Incorrect previousDefault Reporting **Location:** `src/index.ts:791-802` **Issue:** `previousDefault` was fetched AFTER setting new model, returning wrong value **Fix:** ```javascript // Capture previous default BEFORE setting new one const previousDefault = this.lmStudio.getDefaultModel(); this.lmStudio.setDefaultModel(model); // Now return correct previousDefault ``` **Validation:** ✅ PASS - ✅ previousDefault shows old model: `openai/gpt-oss-120b` - ✅ defaultModel shows new model: `qwen3-next-80b-a3b-thinking-mlx` - ✅ Values are different (not the same) --- ### 🟡 MEDIUM - Undefined Metadata Fields **Locations:** `src/index.ts:318-323, 554-559, 641-647` **Issue:** Metadata exposed non-existent fields (`created`, `ownedBy`) that were always undefined **Fix:** Removed undefined fields and added real LM Studio API fields: ```javascript // Before: metadata: { created: model.created, // undefined ownedBy: model.ownedBy, // undefined architecture: modelInfo.architecture } // After: metadata: { architecture: modelInfo.architecture, publisher: model.publisher, // Real field quantization: model.quantization, // Real field maxContextLength: model.maxContextLength // Real field } ``` **Validation:** ✅ PASS **get_model_info tool metadata:** ```json { "publisher": "openai", "quantization": "MXFP4", "maxContextLength": 131072, "loadedContextLength": 10102, "compatibilityType": "gguf" } ``` **local://models resource metadata:** ```json { "architecture": "Transformer", "publisher": "openai", "quantization": "MXFP4", "maxContextLength": 131072 } ``` - ✅ No undefined fields present - ✅ Real LM Studio fields exposed - ✅ Consistent across tools and resources --- ### 🟢 LOW - Version String Inconsistency **Locations:** `src/index.ts:23, 36, 376` **Issue:** Version hardcoded as `1.0.0` in some places, `2.0.0` in others **Fix:** Created constant and unified all references ```javascript const SERVER_VERSION = '2.0.0'; // Used in: // - Server constructor (line 36) // - local://config resource (line 376) // - Handshake already correct at 2.0.0 ``` **Validation:** ✅ PASS - ✅ Config resource reports: `2.0.0` - ✅ Server name consistent: `local-llm-mcp-server` --- ## Test Execution Details ### 1. Build Verification ```bash npm run build ``` **Result:** ✅ PASS - No TypeScript compilation errors --- ### 2. Existing Test Suite (Regression Testing) ```bash npm run test:client:verbose ``` **Results:** ✅ 12/12 tests passed | Category | Tests | Status | |----------|-------|--------| | Protocol | 1 | ✅ PASS | | Resources | 5 | ✅ PASS | | Tools | 4 | ✅ PASS | | Prompts | 1 | ✅ PASS | | Integration | 1 | ✅ PASS | | **TOTAL** | **12** | **✅ PASS** | **Tested:** - ✅ Protocol handshake - ✅ List resources (local://models, local://status, local://config, local://capabilities) - ✅ Read all resources - ✅ List tools (8 tools) - ✅ Call list_models, get_model_info - ✅ Error handling (structured errors) - ✅ List prompts (12 prompts) - ✅ Discovery workflow integration **Conclusion:** No regressions detected --- ### 3. Fix Validation Tests **Test File:** `test-fixes-validation.js` ```bash node test-fixes-validation.js ``` **Results:** ✅ 8/8 tests passed #### Test 1: Metadata Fields Validation - ✅ Metadata Fields Correctness - Verified NO undefined fields (created, ownedBy) - Verified real LM Studio fields present (publisher, quantization, maxContextLength) - ✅ Resource Metadata Correctness - Same validation for local://models resource #### Test 2: previousDefault Capture - ✅ previousDefault Correctness - Original default: `openai/gpt-oss-120b` - New default: `qwen3-next-80b-a3b-thinking-mlx` - Response previousDefault: `openai/gpt-oss-120b` ✅ - Response defaultModel: `qwen3-next-80b-a3b-thinking-mlx` ✅ #### Test 3: secure_rewrite Duplicate Handling - ✅ Duplicate Sensitive Data Removal (names) - Input: "Sarah Johnson called today. Sarah Johnson wants to discuss her account." - Output: "The client called today and would like to discuss their account." - Contains "Sarah": NO ✅ - Contains "Johnson": NO ✅ - ✅ Duplicate Email Removal - Input: "Contact john@example.com for info. Email john@example.com directly." - Output: Generic reference with no email - Contains email: NO ✅ - ✅ Duplicate Phone Removal - Input: "Call 555-123-4567 today. Our number is 555-123-4567." - Output: Generic reference with no phone - Contains phone: NO ✅ #### Test 4: Version Consistency - ✅ Config Resource Version - Expected: `2.0.0` - Actual: `2.0.0` ✅ - ✅ Server Name Consistency - Server name: `local-llm-mcp-server` ✅ --- ## Test Coverage Summary ### Code Changes Tested - ✅ `src/privacy-tools.ts` - Global regex replacement - ✅ `src/index.ts` - previousDefault capture - ✅ `src/index.ts` - Metadata field corrections (3 locations) - ✅ `src/index.ts` - Version constant usage (2 locations) ### Functional Areas Tested - ✅ Privacy protection (secureRewrite with duplicates) - ✅ Model management (set_default_model) - ✅ Metadata exposure (tools and resources) - ✅ Version reporting (resources) - ✅ All existing functionality (regression suite) ### Edge Cases Tested - ✅ Multiple occurrences of same sensitive data - ✅ Different types of sensitive data (names, emails, phones) - ✅ Model switching between different models - ✅ Metadata consistency across different endpoints - ✅ Special characters in sensitive data (regex escaping) --- ## Performance All tests completed successfully with acceptable performance: - Individual tests: 1-5ms - Full validation suite: ~2 seconds - Existing test suite: ~500ms --- ## Conclusion ### Summary ✅ **All fixes implemented correctly and validated** - No regressions introduced - All security issues resolved - All metadata issues corrected - Version consistency achieved ### Recommendations 1. ✅ Code is ready for merge 2. ✅ All tests passing 3. ✅ No additional fixes required ### Files Changed - `src/privacy-tools.ts` - Privacy leak fix - `src/index.ts` - Metadata, version, and previousDefault fixes ### Files Added - `test-fixes-validation.js` - Comprehensive validation test suite --- **Test Engineer:** Claude Code **Status:** ✅ **APPROVED FOR MERGE**

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/georgepok/local-llm-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

TEST_REPORT.md•7.53 kB