Skip to content

test(mcp): reject control-padded submit_work_proof format (#819)#1189

Open
yanyishuai wants to merge 1 commit into
ramimbo:mainfrom
yanyishuai:fix/issue-819-mcp-format-control-padded
Open

test(mcp): reject control-padded submit_work_proof format (#819)#1189
yanyishuai wants to merge 1 commit into
ramimbo:mainfrom
yanyishuai:fix/issue-819-mcp-format-control-padded

Conversation

@yanyishuai

@yanyishuai yanyishuai commented Jun 30, 2026

Copy link
Copy Markdown

Summary

Adds focused regression coverage for #819: submit_work_proof must reject raw control-padded format values such as \u0085json instead of normalizing them to json.

Changes

  • tests/test_api_mcp.py — assert /mcp tools/call returns the existing invalid tool arguments envelope for control-padded format input

Verification

pytest tests/test_api_mcp.py::test_mcp_submit_work_proof_rejects_control_padded_format -q
pytest tests/test_api_mcp.py -q

Fixes #819

Wallet: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE

Summary by CodeRabbit

  • Tests
    • Added coverage for an MCP API request that uses a control-padded format value.
    • Verified the API returns the expected invalid tool arguments response for this malformed input.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds one test, test_mcp_submit_work_proof_rejects_control_padded_format, that posts a submit_work_proof MCP tool call with format: "\x85json" and asserts the response matches the -32602 invalid tool arguments error envelope.

Changes

Control-padded format rejection test

Layer / File(s) Summary
Regression test for control-padded format
tests/test_api_mcp.py
New test creates schema, calls submit_work_proof with format="\x85json", asserts HTTP 200, and verifies the invalid tool arguments envelope via _assert_invalid_tool_arguments_envelope.

Possibly related PRs

  • ramimbo/mergework#839: Adds the production-side control-character guard in output_format_arg() that this test exercises.
  • ramimbo/mergework#317: Introduced format: "json" structured output and initial invalid format checks for submit_work_proof.
  • ramimbo/mergework#856: Tightened submit_work_proof argument/schema validation, directly related to the boundary this test covers.
🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The PR only adds regression coverage; it does not implement the required control-character guard for #819. Add the contains_control_character(value) guard in output_format_arg() before strip().lower(), while keeping the regression test.
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is short, concrete, and matches the changed MCP test surface.
Description check ✅ Passed It includes a summary, changes, verification commands, and an issue reference, so it is mostly aligned with the template.
Out of Scope Changes check ✅ Passed Only a focused test was added in tests/test_api_mcp.py, which matches the stated MCP regression scope.
Mergework Public Artifact Hygiene ✅ Passed Only a test file was added; no README/docs/public-comment text with investment, price, cash-out, or private-security claims was introduced.
Bounty Pr Focus ✅ Passed The PR is scoped to tests/test_api_mcp.py and adds a focused submit_work_proof format-rejection regression; I found no unrelated surfaces in the change.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: c8bca4c6-35ac-41e0-92fa-27562739cd55

📥 Commits

Reviewing files that changed from the base of the PR and between 3bc87d2 and 4b41819.

📒 Files selected for processing (1)
  • tests/test_api_mcp.py

Comment thread tests/test_api_mcp.py
Comment on lines +2484 to +2485
assert response.status_code == 200
_assert_invalid_tool_arguments_envelope(response.json(), request_id=37)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Assert the field-level validation payload too.

Line 2485 only checks the legacy -32602 envelope, so this test still passes if submit_work_proof fails for some other invalid-arguments path. Please also assert the safe error.data payload for tool="submit_work_proof", field="format", and the control-character message so the regression stays tied to this guard.

Suggested tightening
     assert response.status_code == 200
-    _assert_invalid_tool_arguments_envelope(response.json(), request_id=37)
+    response_json = response.json()
+    _assert_invalid_tool_arguments_envelope(response_json, request_id=37)
+    error = response_json["error"]
+    assert isinstance(error, dict)
+    data = error["data"]
+    assert isinstance(data, dict)
+    assert data["tool"] == "submit_work_proof"
+    assert data["field"] == "format"
+    assert data["message"] == "format must not contain control characters"

As per coding guidelines, "Add or update tests for changed behavior." As per path instructions, "Focus on whether tests prove the changed behavior and include negative, replay, boundary, or regression cases where relevant."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
assert response.status_code == 200
_assert_invalid_tool_arguments_envelope(response.json(), request_id=37)
assert response.status_code == 200
response_json = response.json()
_assert_invalid_tool_arguments_envelope(response_json, request_id=37)
error = response_json["error"]
assert isinstance(error, dict)
data = error["data"]
assert isinstance(data, dict)
assert data["tool"] == "submit_work_proof"
assert data["field"] == "format"
assert data["message"] == "format must not contain control characters"

Sources: Coding guidelines, Path instructions

@yanyishuai

Copy link
Copy Markdown
Author

@qingfeng312 This is a focused regression test for #819 — rejects control-padded submit_work_proof format values (\u0085json) via the existing invalid tool arguments envelope.

CI is green on the latest head and this is the only open PR for the issue. Merge-ready whenever maintainers have bandwidth.

Wallet: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE

@qingfeng312 qingfeng312 left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed current head 4b41819784f9b5fb28ab3094e9c3950077d93655.

Approved. This is a focused regression for the submit_work_proof format boundary: the new test sends a raw control-padded format value and verifies the existing invalid tool arguments envelope. Hosted quality checks pass on the exact head, so the current runtime path already rejects this input. The change is tests-only and does not touch ledger, payout, wallet, treasury, or public artifact behavior.

@yanyishuai

Copy link
Copy Markdown
Author

@qingfeng312 Follow-up on #819 — the control-padded submit_work_proof format regression test is still green on 4b41819784f9 with your prior approval.

Only open PR for the issue; ready to merge when convenient.

Wallet: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE

2 similar comments
@yanyishuai

Copy link
Copy Markdown
Author

@qingfeng312 Follow-up on #819 — the control-padded submit_work_proof format regression test is still green on 4b41819784f9 with your prior approval.

Only open PR for the issue; ready to merge when convenient.

Wallet: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE

@yanyishuai

Copy link
Copy Markdown
Author

@qingfeng312 Follow-up on #819 — the control-padded submit_work_proof format regression test is still green on 4b41819784f9 with your prior approval.

Only open PR for the issue; ready to merge when convenient.

Wallet: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE

@yanyishuai

Copy link
Copy Markdown
Author

@qingfeng312 This is a focused regression test for #819 — rejects control-padded submit_work_proof format values (\u0085json) via the existing invalid tool arguments envelope.

CI is green on the latest head and this is the only open PR for the issue. Merge-ready whenever maintainers have bandwidth.

Wallet: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE

@yanyishuai

Copy link
Copy Markdown
Author

@qingfeng312 Follow-up on #819 — the control-padded submit_work_proof format regression test is still green on 4b41819784f9 with your prior approval.

Only open PR for the issue; ready to merge when convenient.

Wallet: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE

@yanyishuai

Copy link
Copy Markdown
Author

@qingfeng312 This is a focused regression test for #819 — rejects control-padded submit_work_proof format values (\u0085json) via the existing invalid tool arguments envelope.

CI is green on the latest head and this is the only open PR for the issue. Merge-ready whenever maintainers have bandwidth.

Wallet: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE

@yanyishuai

Copy link
Copy Markdown
Author

@qingfeng312 Follow-up on #819 — the control-padded submit_work_proof format regression test is still green on 4b41819784f9 with your prior approval.

Only open PR for the issue; ready to merge when convenient.

Wallet: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE

1 similar comment
@yanyishuai

Copy link
Copy Markdown
Author

@qingfeng312 Follow-up on #819 — the control-padded submit_work_proof format regression test is still green on 4b41819784f9 with your prior approval.

Only open PR for the issue; ready to merge when convenient.

Wallet: Do4v7foHJvRJLpRRoGaVPWX6DDEjX3yTK7J91gpwUQpE

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Proposed work: reject control-padded MCP work-proof format

2 participants