mcp-context-protector

test_granular_approval_coverage_summary.md•5.42 kB

# Granular Approval System Test Coverage Summary This document summarizes the test coverage for the granular approval system implemented in the MCP wrapper. ## ✅ **Covered Scenarios** ### 1. **New Server Blocking** (Requirement: New server → totally blocked) **Files:** `test_config_approval_security.py`, `test_mcp_wrapper.py`, existing tests - ✅ New servers are completely blocked until approved - ✅ Only `config_instructions` tool is available for new servers - ✅ All downstream tools and prompts are blocked - ✅ Zero information leakage from unapproved servers ### 2. **Tool Addition** (Requirement: New tool → only that tool is blocked) **Files:** `test_granular_tool_approval.py` - ✅ `test_granular_approval_database_logic()` - Tests that adding a new tool to an approved server: - Instructions remain approved (unchanged) - Original tools remain approved - New tool is not approved - Database correctly tracks granular approval status ### 3. **Tool Modification** (Requirement: Changed tool → only that tool is blocked) **Files:** `test_granular_tool_approval.py` - ✅ `test_tool_modification_granular_blocking()` - Tests tool description changes - ✅ `test_tool_parameter_modification_blocking()` - Tests parameter changes - Tests verify that: - Modified tools lose approval status - Unchanged tools retain approval status - Cryptographic hashing detects all tool changes ### 4. **Tool Removal** (Requirement: Removed tool → disappears with no reapproval) **Files:** `test_granular_tool_approval.py` - ✅ `test_tool_removal_no_reapproval_needed()` - Tests that: - Removed tools simply disappear from approval tracking - Remaining tools stay approved without reapproval - No security approval process needed for removal ### 5. **Server Instructions Change** (Requirement: Instructions change → whole thing blocked) **Files:** `test_granular_tool_approval.py`, `test_tool_modification_scenarios.py` - ✅ `test_server_instructions_change_blocks_everything()` - Tests that: - Changed instructions are detected via hash comparison - Individual tool approvals are preserved but instructions are not approved - Wrapper logic blocks entire server when instructions change ### 6. **Mixed Approval States** **Files:** `test_granular_tool_approval.py` - ✅ `test_mixed_approval_states()` - Tests scenarios where: - Some tools are approved, others are not - Instructions are approved separately from tools - Database correctly tracks partial approval states ### 7. **Full Workflow Testing** **Files:** `test_tool_modification_scenarios.py` - ✅ `test_dynamic_tool_addition_with_existing_server()` - End-to-end workflow test - ✅ `test_instruction_change_blocks_all_tools()` - Database-level instruction change test ## ✅ **Core System Components Tested** ### Database Layer (`MCPConfigDatabase`) - ✅ Granular approval tracking (instructions + individual tools) - ✅ Cryptographic hashing for change detection - ✅ Approval status queries (`get_server_approval_status`) - ✅ Tool-level approval methods (`approve_tool`, `is_tool_approved`) - ✅ Instruction approval methods (`approve_instructions`, `are_instructions_approved`) ### Wrapper Layer (`MCPWrapperServer`) - ✅ Granular tool blocking in `call_tool()` - ✅ Selective tool listing in `list_tools()` - ✅ Approval preservation in review process - ✅ Connection-time approval evaluation ### Security Layer - ✅ Information leakage prevention for unapproved components - ✅ Error message consistency across approval states - ✅ Unknown tool pass-through vs. known-but-unapproved tool blocking ## ✅ **Test Quality & Coverage** ### Test Types - **Unit Tests**: Database logic, approval algorithms, hash functions - **Integration Tests**: Wrapper behavior with approval system - **End-to-End Tests**: Full approval workflow with review process - **Security Tests**: Information leakage prevention ### Edge Cases Covered - ✅ None/empty instructions handling - ✅ Tool parameter type changes - ✅ Tool description modifications - ✅ Mixed approval states - ✅ Server approval status preservation during updates - ✅ Nonexistent tool vs. unapproved tool handling ### Test Infrastructure - ✅ Reusable test utilities in `test_utils.py` - ✅ Temporary file handling for config databases - ✅ Mock server interactions for predictable testing - ✅ Clear test naming and documentation ## 📊 **Summary Statistics** - **Total Granular Approval Tests**: 8 new tests - **Approval Scenarios Covered**: 5/5 required scenarios ✅ - **Test Files**: 2 new dedicated test files - **Overall Test Suite**: 78 tests passing - **Coverage Areas**: Database, Wrapper, Security, Workflows ## 🎯 **All Requirements Met** | Requirement | Status | Test Evidence | |-------------|--------|---------------| | New server → totally blocked | ✅ | Existing security tests + new tests | | New tool → only that tool blocked | ✅ | `test_granular_approval_database_logic` | | Changed tool → only that tool blocked | ✅ | `test_tool_modification_granular_blocking` | | Removed tool → disappears with no reapproval | ✅ | `test_tool_removal_no_reapproval_needed` | | Instructions change → whole thing blocked | ✅ | `test_server_instructions_change_blocks_everything` | The granular approval system is **comprehensively tested** with appropriate coverage for all specified behaviors.

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/trailofbits/mcp-context-protector'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

test_granular_approval_coverage_summary.md•5.42 kB