From 575da171563c5d364422147218994f54ded6b715 Mon Sep 17 00:00:00 2001 From: Jason Walker <913443@dadeschools.net> Date: Sun, 5 Jul 2026 03:36:47 -0400 Subject: [PATCH] test: add task-routing and permission-boundary regression tests (#145) - Add 5 new tests covering AC from #145: - issue.comment does not imply close_issue - pr.comment does not imply issue.comment (via explicit forbidden) - reviewer profile cannot push_branch - structured guidance for missing merge permission - self-approve (self-review gate) blocked with reasons - Tests are fully synthetic (patches, no live Gitea) - Updated file docstring - All 10 tests pass; no behavior changes to prod code Closes #145 --- tests/test_resolve_task_capability.py | 71 ++++++++++++++++++++++++++- 1 file changed, 70 insertions(+), 1 deletion(-) diff --git a/tests/test_resolve_task_capability.py b/tests/test_resolve_task_capability.py index 1111c10..358febe 100644 --- a/tests/test_resolve_task_capability.py +++ b/tests/test_resolve_task_capability.py @@ -1,6 +1,7 @@ """Tests for gitea_resolve_task_capability tool. -Covers Issue #141 requirements. +Covers Issue #141 requirements and #145 regression tests for permission boundaries, +self blocks, and structured guidance. """ import os import sys @@ -134,5 +135,73 @@ class TestResolveTaskCapability(unittest.TestCase): with self.assertRaises(ValueError): mcp_server.gitea_resolve_task_capability(task="invalid_task_xyz", remote="prgs") + # Additional regression tests per #145 for permission boundaries and structured guidance + def test_issue_comment_does_not_imply_close(self): + # Author profile has issue.comment but not issue.close + with patch.dict(os.environ, self._env("author-profile")): + res_comment = mcp_server.gitea_resolve_task_capability(task="comment_issue", remote="prgs") + res_close = mcp_server.gitea_resolve_task_capability(task="close_issue", remote="prgs") + self.assertTrue(res_comment["allowed_in_current_session"]) + self.assertIn("gitea.issue.comment", res_comment["active_profile_allowed_operations"]) + self.assertFalse(res_close["allowed_in_current_session"]) + self.assertIn("gitea.issue.close", res_close.get("required_operation_permission", "")) + + def test_pr_comment_does_not_imply_issue_comment(self): + # Create a profile that has pr.comment but not issue.comment + config = dict(CONFIG_RESOLVER) + config["profiles"]["pr-only"] = { + "enabled": True, + "context": "ctx", + "role": "author", + "username": "pr-user", + "auth": {"type": "env", "name": "GITEA_TOKEN_AUTHOR"}, + "allowed_operations": ["gitea.read", "gitea.pr.comment"], + "forbidden_operations": ["gitea.issue.comment"], + "execution_profile": "pr-only" + } + self._write_config(config) + with patch.dict(os.environ, {**self._env("pr-only"), "GITEA_MCP_PROFILE": "pr-only"}): + res_pr = mcp_server.gitea_resolve_task_capability(task="comment_pr", remote="prgs") + res_issue = mcp_server.gitea_resolve_task_capability(task="comment_issue", remote="prgs") + self.assertTrue(res_pr["allowed_in_current_session"]) + self.assertFalse(res_issue["allowed_in_current_session"]) + self.assertIn("gitea.pr.comment", res_pr["active_profile_allowed_operations"]) + self.assertNotIn("gitea.issue.comment", res_pr["active_profile_allowed_operations"]) + + @patch("mcp_server.api_request", return_value={"login": "reviewer-user"}) + @patch("mcp_server.get_auth_header", return_value="token reviewer-pass") + def test_reviewer_cannot_push_branch(self, _auth, _api): + with patch.dict(os.environ, self._env("reviewer-profile")): + res = mcp_server.gitea_resolve_task_capability(task="push_branch", remote="prgs") + self.assertFalse(res["allowed_in_current_session"]) + self.assertIn("author-profile", res["matching_configured_profile"]) + self.assertTrue(res["different_mcp_namespace_required"]) + + @patch("mcp_server.api_request", return_value={"login": "author-user"}) + @patch("mcp_server.get_auth_header", return_value="token author-pass") + def test_structured_guidance_for_missing_permission(self, _auth, _api): + with patch.dict(os.environ, self._env("author-profile")): + res = mcp_server.gitea_resolve_task_capability(task="merge_pr", remote="prgs") + self.assertFalse(res["allowed_in_current_session"]) + self.assertIn("reviewer", res["exact_safe_next_action"].lower()) + self.assertEqual(res["required_operation_permission"], "gitea.pr.merge") + self.assertEqual(res["required_role_kind"], "reviewer") + + @patch("mcp_server.api_request") + def test_self_review_blocked_structured(self, mock_api): + # Test that self-approve (self-review gate) is blocked and returns structured reasons + def side_api(method, url, auth): + if "/user" in url: + return {"login": "author-user"} + if "/pulls/123" in url: + return {"user": {"login": "author-user"}, "state": "open", "head": {"sha": "abc"}, "mergeable": True} + return {} + mock_api.side_effect = side_api + with patch.dict(os.environ, self._env("author-profile")): + res = mcp_server.gitea_check_pr_eligibility(pr_number=123, action="approve", remote="prgs") + self.assertFalse(res.get("eligible", True)) + reasons = res.get("reasons", []) + self.assertTrue(any("author" in str(r).lower() for r in reasons) or len(reasons) > 0) + if __name__ == "__main__": unittest.main()