feat(mcp): add a loopover_get_bounty_advisory CLI mirror#6954
Conversation
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #6954 +/- ##
=======================================
Coverage 93.71% 93.71%
=======================================
Files 685 685
Lines 68373 68373
Branches 18729 18729
=======================================
Hits 64074 64074
Misses 3302 3302
Partials 997 997
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
Tip ✅ LoopOver review result - approve/merge recommendedReview updated: 2026-07-17 15:33:59 UTC
Review summary Nits — 3 non-blocking
Decision drivers
Context & advisory signals — never blocks the verdict
Linked issue satisfactionPartially addressed Review context
Contributor next steps
Signal definitions
🧪 Chat with LoopOverAsk LoopOver a question about this PR directly in a comment — grounded only in the same cached, public-safe facts shown above, never a new claim.
Full command reference: https://loopover.ai/docs/loopover-commands 🧪 Experimental — new and may change. 🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by LoopOver, a quiet PR intelligence layer for OSS maintainers.
|
Closes #6736
Problem
The MCP tool
loopover_get_bounty_advisory(src/mcp/server.ts:2232, viagetBountyAdvisory) mirrors the fully public REST routeGET /v1/bounties/:id/advisory(src/api/routes.ts:3611, no auth gate). No CLI stdio tool exposed it, even though every other read-only report in this server already has a CLI mirror.Fix
Add
registerStdioTool("loopover_get_bounty_advisory", { inputSchema: { id: z.string().min(1) } }, ...)toloopover-mcp.js, proxying the same unauthenticatedGET /v1/bounties/:id/advisoryviaapiGet(the id isencodeURIComponent-escaped so a reserved char can't break the path segment), plus its registry entry (category: "discovery"). It mirrors the remote tool'sbountyShapeexactly — a single cached-bounty id, no new route or fetch shape. The optionalbounty <id>top-level alias is left out to keep the diff to the required surface.Tests
New
test/unit/mcp-cli-bounty-advisory.test.ts:GET /v1/bounties/:id/advisorypath + verb (the proxy contract the remote tool wraps);acme/bounty 7→acme%2Fbounty%207) so it can't escape the path segment;and never leaks a private/reward term in its output.
mcp-tool-rename-aliases.test.ts's exact tool-count assertions are updated 73 → 74 (asserted against both the live server andloopover-mcp tools --json).Validation
npx vitest run test/unit/mcp-cli-bounty-advisory.test.ts test/unit/mcp-tool-rename-aliases.test.ts→ 14/14 passnpm run typecheck→ clean (0 errors);npm run build:mcppasses;command-reference:checkpasses.packages/loopover-mcp/**is outside the Codecovinclude(onlysrc/**+ the two workspacepackages/**/src|libroots), so this change carries nocodecov/patchobligation.