Modularize MCP bridge, add functional tests, fix version drift#27
Conversation
Split the monolithic 1126-line mcp-bridge/main.js into focused modules: - lib/security.js: injection detection, rate limiting, input validation, error sanitization with unicode normalization for bypass prevention - lib/api-clients.js: GitHub, GitLab API passthroughs and BoJ REST wrappers - lib/tools.js: MCP tool schema definitions - lib/logger.js: structured JSON logging to stderr - lib/version.js: single source of truth for server version (0.3.1) - lib/offline-menu.js: static cartridge manifest for offline mode Add 44 functional tests (tests/security_test.js) exercising actual code paths: injection detection, unicode bypass prevention, rate limiting, input validation, tool name validation, and error sanitization. Fix version drift: sync 0.3.1 across package.json, mcp-bridge/package.json, Justfile, and version.js. Fix cartridge count (92 -> 96) in TOPOLOGY.md. Fix internal dev machine paths in EXPLAINME.adoc. Update file map to reflect actual repo structure. Wire npm test to run real tests. https://claude.ai/code/session_01FJczaDsKEoetZGKrZ1fdtc
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a27083aa2d
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| { name: "ml-mcp", version: "0.1.0", domain: "ML/AI", protocols: ["MCP","REST"], status: "Available", available: true }, | ||
| { name: "research-mcp", version: "0.1.0", domain: "Research", protocols: ["MCP","REST"], status: "Available", available: true }, | ||
| { name: "codeseeker-mcp", version: "0.1.0", domain: "Code Intelligence", protocols: ["MCP","REST"], status: "Available", available: true }, | ||
| { name: "lang-mcp", version: "0.1.0", domain: "Languages", protocols: ["MCP","REST"], status: "Available", available: true }, |
There was a problem hiding this comment.
The lang-mcp entry in the new offline manifest dropped its languages array, so when the REST API is unreachable both boj_menu and boj_cartridge_info now return less data than before for that cartridge. This is a functional regression for offline clients that rely on supported-language metadata (the API spec also documents this field as available for lang-mcp), and it makes capability discovery incomplete exactly in the fallback path this file is meant to support.
Useful? React with 👍 / 👎.
3 participants
Summary
main.jsinto 7 focused modules (security.js,api-clients.js,tools.js,logger.js,version.js,offline-menu.js,generate-offline-menu.js), reducingmain.jsto ~230 lines of transport + dispatch logictests/security_test.jsexercising actual code paths — injection detection (including unicode bypass prevention via zero-width chars, Cyrillic confusables, fullwidth chars), rate limiting, input validation, tool/cartridge name validation, and error sanitization0.3.1acrosspackage.json,mcp-bridge/package.json,Justfile, and newlib/version.jssingle source of truthEXPLAINME.adoc, update cartridge count (92→96) inTOPOLOGY.md, update file map to reflect actual repo structureBOJ_LOG_LEVELnpm test: Now runs real tests instead ofechono-op; adds ESLint config for the MCP bridgeTest plan
npm test)node mcp-bridge/main.jsstarts and responds to MCP initializehttps://claude.ai/code/session_01FJczaDsKEoetZGKrZ1fdtc