test: add task-routing and permission-boundary regression tests (#145)

- Add 5 new tests covering AC from #145:
  - issue.comment does not imply close_issue
  - pr.comment does not imply issue.comment (via explicit forbidden)
  - reviewer profile cannot push_branch
  - structured guidance for missing merge permission
  - self-approve (self-review gate) blocked with reasons
- Tests are fully synthetic (patches, no live Gitea)
- Updated file docstring
- All 10 tests pass; no behavior changes to prod code

Closes #145
This commit is contained in:
2026-07-05 03:36:47 -04:00
parent d73d238c37
commit 575da17156
+70 -1
View File
@@ -1,6 +1,7 @@
"""Tests for gitea_resolve_task_capability tool.
Covers Issue #141 requirements.
Covers Issue #141 requirements and #145 regression tests for permission boundaries,
self blocks, and structured guidance.
"""
import os
import sys
@@ -134,5 +135,73 @@ class TestResolveTaskCapability(unittest.TestCase):
with self.assertRaises(ValueError):
mcp_server.gitea_resolve_task_capability(task="invalid_task_xyz", remote="prgs")
# Additional regression tests per #145 for permission boundaries and structured guidance
def test_issue_comment_does_not_imply_close(self):
# Author profile has issue.comment but not issue.close
with patch.dict(os.environ, self._env("author-profile")):
res_comment = mcp_server.gitea_resolve_task_capability(task="comment_issue", remote="prgs")
res_close = mcp_server.gitea_resolve_task_capability(task="close_issue", remote="prgs")
self.assertTrue(res_comment["allowed_in_current_session"])
self.assertIn("gitea.issue.comment", res_comment["active_profile_allowed_operations"])
self.assertFalse(res_close["allowed_in_current_session"])
self.assertIn("gitea.issue.close", res_close.get("required_operation_permission", ""))
def test_pr_comment_does_not_imply_issue_comment(self):
# Create a profile that has pr.comment but not issue.comment
config = dict(CONFIG_RESOLVER)
config["profiles"]["pr-only"] = {
"enabled": True,
"context": "ctx",
"role": "author",
"username": "pr-user",
"auth": {"type": "env", "name": "GITEA_TOKEN_AUTHOR"},
"allowed_operations": ["gitea.read", "gitea.pr.comment"],
"forbidden_operations": ["gitea.issue.comment"],
"execution_profile": "pr-only"
}
self._write_config(config)
with patch.dict(os.environ, {**self._env("pr-only"), "GITEA_MCP_PROFILE": "pr-only"}):
res_pr = mcp_server.gitea_resolve_task_capability(task="comment_pr", remote="prgs")
res_issue = mcp_server.gitea_resolve_task_capability(task="comment_issue", remote="prgs")
self.assertTrue(res_pr["allowed_in_current_session"])
self.assertFalse(res_issue["allowed_in_current_session"])
self.assertIn("gitea.pr.comment", res_pr["active_profile_allowed_operations"])
self.assertNotIn("gitea.issue.comment", res_pr["active_profile_allowed_operations"])
@patch("mcp_server.api_request", return_value={"login": "reviewer-user"})
@patch("mcp_server.get_auth_header", return_value="token reviewer-pass")
def test_reviewer_cannot_push_branch(self, _auth, _api):
with patch.dict(os.environ, self._env("reviewer-profile")):
res = mcp_server.gitea_resolve_task_capability(task="push_branch", remote="prgs")
self.assertFalse(res["allowed_in_current_session"])
self.assertIn("author-profile", res["matching_configured_profile"])
self.assertTrue(res["different_mcp_namespace_required"])
@patch("mcp_server.api_request", return_value={"login": "author-user"})
@patch("mcp_server.get_auth_header", return_value="token author-pass")
def test_structured_guidance_for_missing_permission(self, _auth, _api):
with patch.dict(os.environ, self._env("author-profile")):
res = mcp_server.gitea_resolve_task_capability(task="merge_pr", remote="prgs")
self.assertFalse(res["allowed_in_current_session"])
self.assertIn("reviewer", res["exact_safe_next_action"].lower())
self.assertEqual(res["required_operation_permission"], "gitea.pr.merge")
self.assertEqual(res["required_role_kind"], "reviewer")
@patch("mcp_server.api_request")
def test_self_review_blocked_structured(self, mock_api):
# Test that self-approve (self-review gate) is blocked and returns structured reasons
def side_api(method, url, auth):
if "/user" in url:
return {"login": "author-user"}
if "/pulls/123" in url:
return {"user": {"login": "author-user"}, "state": "open", "head": {"sha": "abc"}, "mergeable": True}
return {}
mock_api.side_effect = side_api
with patch.dict(os.environ, self._env("author-profile")):
res = mcp_server.gitea_check_pr_eligibility(pr_number=123, action="approve", remote="prgs")
self.assertFalse(res.get("eligible", True))
reasons = res.get("reasons", [])
self.assertTrue(any("author" in str(r).lower() for r in reasons) or len(reasons) > 0)
if __name__ == "__main__":
unittest.main()