ReviewMCP

Overview Schema Related Servers Score Discussions

review.test-mapfile

Test and validate #@mapfile macros with security checks to ensure proper configuration and prevent unauthorized tags in Re:VIEW manuscripts.

Instructions

Test #@mapfile macro with security validation (developer tool)

Input Schema

TableJSON Schema

Name	Required	Description	Default
`cwd`	Yes
`file`	Yes

Implementation Reference

src/index.ts:581-629 (handler)

Primary handler case for the review.test-mapfile tool in the CallToolRequestSchema switch statement. Performs security validations and delegates to hybridCommands.testMapfile.

case "review.test-mapfile": {
  const securityConfig = await loadSecurityConfig(args.cwd as string);
  const pathValidation = validateMapfilePath(args.file as string, securityConfig);
  
  if (!pathValidation.valid) {
    return {
      content: [
        { 
          type: "text", 
          text: JSON.stringify({ 
            success: false, 
            error: `Security validation failed: ${pathValidation.reason}` 
          }) 
        }
      ]
    };
  }

  const sizeValidation = await validateMapfileSize(
    args.file as string, 
    args.cwd as string, 
    securityConfig
  );
  
  if (!sizeValidation.valid) {
    return {
      content: [
        { 
          type: "text", 
          text: JSON.stringify({ 
            success: false, 
            error: `File size validation failed: ${sizeValidation.reason}` 
          }) 
        }
      ]
    };
  }

  const result = await hybridCommands.testMapfile({
    file: args.file as string,
    cwd: args.cwd as string
  });
  
  return {
    content: [
      { type: "text", text: JSON.stringify(result) }
    ]
  };
}

src/index.ts:353-364 (schema)

Tool schema definition, including name, description, and input schema. Part of the tools array returned by ListToolsRequestHandler.

{
  name: "review.test-mapfile",
  description: "Test #@mapfile macro with security validation (developer tool)",
  inputSchema: {
    type: "object",
    properties: {
      cwd: { type: "string" },
      file: { type: "string" }
    },
    required: ["cwd", "file"]
  }
},

src/commands/hybrid-pipeline.ts:132-173 (handler)

Core implementation of the mapfile test: creates a temporary Re:VIEW file using the #@mapfile macro, preprocesses it, and returns the processed content.

export async function testMapfileCommand(options: TestMapfileOptions) {
  const { file, cwd } = options;

  const testFile = path.join(cwd, "test-mapfile.re");
  const testContent = `//list[test]{
#@mapfile(${file})
#@end
//}
`;

  try {
    await fs.writeFile(testFile, testContent, "utf-8");
    
    const result = await preprocessCommand({
      pattern: "test-mapfile.re",
      output: ".out",
      stats: true,
      cwd
    });

    await fs.unlink(testFile).catch(() => {});

    if (result.success) {
      const outputFile = path.join(cwd, ".out", "test-mapfile.re");
      const processedContent = await fs.readFile(outputFile, "utf-8").catch(() => "");
      
      return {
        success: true,
        processedContent,
        stats: result.stats
      };
    }

    return result;
  } catch (error: any) {
    await fs.unlink(testFile).catch(() => {});
    return {
      success: false,
      error: error.message
    };
  }
}

src/config/security.ts:147-180 (helper)

Security helper function validateMapfilePath used in the tool handler to check mapfile path against security policy.

export function validateMapfilePath(
  filepath: string,
  config: SecurityConfig
): { valid: boolean; reason?: string } {
  
  if (config.blockAbsolutePaths && path.isAbsolute(filepath)) {
    return { valid: false, reason: "Absolute paths are not allowed" };
  }

  if (config.blockTraversal && (filepath.includes("../") || filepath.includes("..\\"))) {
    return { valid: false, reason: "Path traversal is not allowed" };
  }

  const ext = path.extname(filepath).toLowerCase();
  if (config.allowedExtensions.length > 0 && !config.allowedExtensions.includes(ext)) {
    return { 
      valid: false, 
      reason: `File extension '${ext}' is not allowed. Allowed: ${config.allowedExtensions.join(", ")}` 
    };
  }

  const normalizedPath = filepath.replace(/\\/g, "/");
  const isInAllowedPath = config.allowedPaths.length === 0 || 
    config.allowedPaths.some(allowed => normalizedPath.startsWith(allowed));
  
  if (!isInAllowedPath) {
    return { 
      valid: false, 
      reason: `Path must be within allowed directories: ${config.allowedPaths.join(", ")}` 
    };
  }

  return { valid: true };
}

src/config/security.ts:182-208 (helper)

Security helper function validateMapfileSize used in the tool handler to check mapfile size against security policy.

export async function validateMapfileSize(
  filepath: string,
  cwd: string,
  config: SecurityConfig
): Promise<{ valid: boolean; reason?: string; size?: number }> {
  
  const fullPath = path.join(cwd, filepath);
  
  try {
    const stats = await fs.stat(fullPath);
    
    if (stats.size > config.maxFileSize) {
      return {
        valid: false,
        reason: `File size (${stats.size} bytes) exceeds maximum allowed size (${config.maxFileSize} bytes)`,
        size: stats.size
      };
    }
    
    return { valid: true, size: stats.size };
  } catch (error: any) {
    return {
      valid: false,
      reason: `Cannot access file: ${error.message}`
    };
  }
}

Tool Definition Quality

C2.4/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It mentions 'security validation', hinting at safety checks, but doesn't clarify if it's read-only, destructive, requires specific permissions, or has rate limits. The term 'test' is ambiguous—it could imply execution or analysis without detailing outcomes or risks.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is concise and front-loaded in a single sentence, with no wasted words. However, it's slightly under-specified, as it could benefit from more detail given the lack of annotations and schema coverage, but it's not overly verbose.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness2/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the complexity (a developer tool with security validation), no annotations, no output schema, and low parameter coverage, the description is incomplete. It doesn't explain what the tool returns, how security validation works, or provide enough context for safe and effective use, leaving significant gaps for an AI agent.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters2/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

The input schema has 2 parameters (cwd and file) with 0% description coverage, meaning they are undocumented. The description adds no semantic information about these parameters—it doesn't explain what 'cwd' or 'file' represent, their formats, or how they relate to testing the macro. This fails to compensate for the low schema coverage.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose3/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description states the tool tests the #@mapfile macro with security validation, which provides a general purpose. However, it's vague about what 'test' entails (e.g., validation, execution, analysis) and doesn't distinguish it from sibling tools like 'review.security.validate-mapfile' or 'review.security.compare', which may have overlapping security functions.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives. It labels it as a 'developer tool', implying it's for development contexts, but doesn't specify scenarios, prerequisites, or exclusions compared to other security or review tools in the sibling list.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Lightport: Open-Sourcing Glama's AI Gateway
By punkpeye on April 27, 2026.
open source
OpenAI
Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/dsgarage/ReviewMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server