feat: add comprehensive foreign key validation with test coverage

jpicklyk · claude · jpicklyk · commit 81d2d7a7b119 · 2025-06-12T11:14:16.000-04:00
UpdateTaskTool fixes: - Add foreign key validation for featureId to prevent database schema exposure - Only validate when featureId is being changed to optimize performance - Add comprehensive test coverage for validation scenarios UpdateFeatureTool enhancements: - Add projectId parameter support to schema and validation - Add foreign key validation for projectId with proper error handling - Include projectId in feature.update() call for complete functionality - Add comprehensive test coverage for new projectId validation Test improvements: - Add foreign key validation tests for both valid and invalid scenarios - Test that validation only triggers when foreign keys are being changed - Ensure proper error messages and codes are returned - Verify successful updates with valid foreign keys Security fixes: - Replace raw SQL constraint errors with proper RESOURCE_NOT_FOUND responses - Prevent information disclosure of database schema details - Consistent error handling across all update tools 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/src/main/kotlin/io/github/jpicklyk/mcptask/application/tools/feature/UpdateFeatureTool.kt b/src/main/kotlin/io/github/jpicklyk/mcptask/application/tools/feature/UpdateFeatureTool.kt
@@ -56,6 +56,13 @@ class UpdateFeatureTool : BaseToolDefinition() {
                         "description" to JsonPrimitive("New priority level (high, medium, low)")
                     )
                 ),
+                "projectId" to JsonObject(
+                    mapOf(
+                        "type" to JsonPrimitive("string"),
+                        "description" to JsonPrimitive("New project ID (UUID) to associate this feature with"),
+                        "format" to JsonPrimitive("uuid")
+                    )
+                ),
                 "tags" to JsonObject(
                     mapOf(
                         "type" to JsonPrimitive("string"),
@@ -103,6 +110,17 @@ class UpdateFeatureTool : BaseToolDefinition() {
                 throw ToolValidationException("Invalid priority: $priority. Must be one of: high, medium, low")
             }
         }
+
+        // Validate projectId if present
+        optionalString(params, "projectId")?.let { projectId ->
+            if (projectId.isNotEmpty()) {
+                try {
+                    UUID.fromString(projectId)
+                } catch (_: IllegalArgumentException) {
+                    throw ToolValidationException("Invalid project ID format. Must be a valid UUID")
+                }
+            }
+        }
     }
 
     override suspend fun execute(params: JsonElement, context: ToolExecutionContext): JsonElement {
@@ -126,13 +144,32 @@ class UpdateFeatureTool : BaseToolDefinition() {
                     val status = optionalString(params, "status")?.let { parseStatus(it) } ?: feature.status
                     val priority = optionalString(params, "priority")?.let { parsePriority(it) } ?: feature.priority
 
+                    val projectId = optionalString(params, "projectId")?.let {
+                        if (it.isEmpty()) null else UUID.fromString(it)
+                    } ?: feature.projectId
+
+                    // Validate that referenced project exists if projectId is being set/changed
+                    if (projectId != null && projectId != feature.projectId) {
+                        when (val projectResult = context.repositoryProvider.projectRepository().getById(projectId)) {
+                            is Result.Error -> {
+                                return errorResponse(
+                                    message = "Project not found",
+                                    code = ErrorCodes.RESOURCE_NOT_FOUND,
+                                    details = "No project exists with ID $projectId"
+                                )
+                            }
+                            is Result.Success -> { /* Project exists, continue */ }
+                        }
+                    }
+
                     val tags = optionalString(params, "tags")?.let {
                         it.split(",").map { tag -> tag.trim() }.filter { tag -> tag.isNotBlank() }
                     } ?: feature.tags
 
                     // Create an updated feature
                     val updatedFeature = feature.update(
                         name = name,
+                        projectId = projectId,
                         summary = summary,
                         status = status,
                         priority = priority,
diff --git a/src/test/kotlin/io/github/jpicklyk/mcptask/application/tools/feature/UpdateFeatureToolTest.kt b/src/test/kotlin/io/github/jpicklyk/mcptask/application/tools/feature/UpdateFeatureToolTest.kt
@@ -6,16 +6,17 @@ import io.github.jpicklyk.mcptask.domain.model.EntityType
 import io.github.jpicklyk.mcptask.domain.model.Feature
 import io.github.jpicklyk.mcptask.domain.model.FeatureStatus
 import io.github.jpicklyk.mcptask.domain.model.Priority
+import io.github.jpicklyk.mcptask.domain.model.Project
 import io.github.jpicklyk.mcptask.domain.repository.FeatureRepository
+import io.github.jpicklyk.mcptask.domain.repository.ProjectRepository
 import io.github.jpicklyk.mcptask.domain.repository.RepositoryError
 import io.github.jpicklyk.mcptask.domain.repository.Result
 import io.github.jpicklyk.mcptask.infrastructure.repository.RepositoryProvider
 import io.mockk.coEvery
 import io.mockk.every
 import io.mockk.mockk
 import kotlinx.coroutines.runBlocking
-import kotlinx.serialization.json.JsonObject
-import kotlinx.serialization.json.JsonPrimitive
+import kotlinx.serialization.json.*
 import org.junit.jupiter.api.Assertions.*
 import org.junit.jupiter.api.BeforeEach
 import org.junit.jupiter.api.Test
@@ -26,16 +27,19 @@ class UpdateFeatureToolTest {
     private lateinit var tool: UpdateFeatureTool
     private lateinit var context: ToolExecutionContext
     private lateinit var mockFeatureRepository: FeatureRepository
+    private lateinit var mockProjectRepository: ProjectRepository
     private val testFeatureId = UUID.randomUUID()
 
     @BeforeEach
     fun setup() {
         // Create mock repositories
         mockFeatureRepository = mockk<FeatureRepository>()
+        mockProjectRepository = mockk<ProjectRepository>()
         val mockRepositoryProvider = mockk<RepositoryProvider>()
 
         // Configure the repository provider to return the mock repositories
         every { mockRepositoryProvider.featureRepository() } returns mockFeatureRepository
+        every { mockRepositoryProvider.projectRepository() } returns mockProjectRepository
 
         // Create an original feature
         val originalFeature = Feature(
@@ -208,4 +212,129 @@ class UpdateFeatureToolTest {
         assertEquals(false, (resultObj["success"] as JsonPrimitive).content.toBoolean())
         assertTrue((resultObj["message"] as JsonPrimitive).content.contains("Feature not found"))
     }
+
+    @Test
+    fun `test invalid projectId foreign key validation`() = runBlocking {
+        val invalidProjectId = UUID.randomUUID().toString()
+        
+        // Mock project repository to return not found for invalid project ID
+        coEvery {
+            mockProjectRepository.getById(UUID.fromString(invalidProjectId))
+        } returns Result.Error(
+            RepositoryError.NotFound(
+                UUID.fromString(invalidProjectId),
+                EntityType.PROJECT,
+                "Project not found"
+            )
+        )
+
+        val params = JsonObject(
+            mapOf(
+                "id" to JsonPrimitive(testFeatureId.toString()),
+                "projectId" to JsonPrimitive(invalidProjectId)
+            )
+        )
+
+        val result = tool.execute(params, context)
+        assertTrue(result is JsonObject, "Response should be a JsonObject")
+
+        val responseObj = result as JsonObject
+        val success = responseObj["success"]?.jsonPrimitive?.boolean ?: true
+        assertFalse(success, "Success should be false for invalid projectId")
+
+        val message = responseObj["message"]?.jsonPrimitive?.content
+        assertEquals("Project not found", message, "Should return proper project not found message")
+
+        val error = responseObj["error"]?.jsonObject
+        assertNotNull(error, "Error object should not be null")
+        assertEquals("RESOURCE_NOT_FOUND", error!!["code"]?.jsonPrimitive?.content)
+        
+        val details = error["details"]?.jsonPrimitive?.content
+        assertTrue(
+            details?.contains("No project exists with ID $invalidProjectId") ?: false,
+            "Error details should mention the specific project ID"
+        )
+    }
+
+    @Test
+    fun `test valid projectId foreign key validation`() = runBlocking {
+        val validProjectId = UUID.randomUUID().toString()
+        val mockProject = mockk<Project>()
+        
+        // Mock project repository to return success for valid project ID
+        coEvery {
+            mockProjectRepository.getById(UUID.fromString(validProjectId))
+        } returns Result.Success(mockProject)
+
+        val params = JsonObject(
+            mapOf(
+                "id" to JsonPrimitive(testFeatureId.toString()),
+                "projectId" to JsonPrimitive(validProjectId)
+            )
+        )
+
+        val result = tool.execute(params, context)
+        assertTrue(result is JsonObject, "Response should be a JsonObject")
+
+        val responseObj = result as JsonObject
+        val success = responseObj["success"]?.jsonPrimitive?.boolean ?: false
+        assertTrue(success, "Success should be true for valid projectId")
+
+        val message = responseObj["message"]?.jsonPrimitive?.content
+        assertTrue(
+            message?.contains("updated successfully") ?: false,
+            "Message should contain 'updated successfully'"
+        )
+    }
+
+    @Test
+    fun `test projectId validation only triggered when changing project`() = runBlocking {
+        // Feature already has a project ID - updating without changing it should not trigger validation
+        val existingProjectId = UUID.randomUUID()
+        val featureWithProject = Feature(
+            id = testFeatureId,
+            projectId = existingProjectId,
+            name = "Original Feature",
+            summary = "Original description",
+            status = FeatureStatus.PLANNING,
+            priority = Priority.MEDIUM,
+            createdAt = Instant.now(),
+            modifiedAt = Instant.now(),
+            tags = emptyList()
+        )
+        
+        coEvery {
+            mockFeatureRepository.getById(testFeatureId)
+        } returns Result.Success(featureWithProject)
+
+        val params = JsonObject(
+            mapOf(
+                "id" to JsonPrimitive(testFeatureId.toString()),
+                "name" to JsonPrimitive("Updated Name") // Only updating name, not projectId
+            )
+        )
+
+        val result = tool.execute(params, context)
+        assertTrue(result is JsonObject, "Response should be a JsonObject")
+
+        val responseObj = result as JsonObject
+        val success = responseObj["success"]?.jsonPrimitive?.boolean ?: false
+        assertTrue(success, "Success should be true when not changing projectId")
+    }
+
+    @Test
+    fun `test projectId parameter validation`() {
+        val params = JsonObject(
+            mapOf(
+                "id" to JsonPrimitive(testFeatureId.toString()),
+                "projectId" to JsonPrimitive("not-a-uuid")
+            )
+        )
+
+        // Should throw an exception for invalid projectId format
+        val exception = assertThrows(ToolValidationException::class.java) {
+            tool.validateParams(params)
+        }
+        assertTrue(exception.message!!.contains("Invalid project ID format"))
+    }
 }
diff --git a/src/test/kotlin/io/github/jpicklyk/mcptask/application/tools/task/UpdateTaskToolTest.kt b/src/test/kotlin/io/github/jpicklyk/mcptask/application/tools/task/UpdateTaskToolTest.kt
@@ -3,9 +3,11 @@ package io.github.jpicklyk.mcptask.application.tools.task
 import io.github.jpicklyk.mcptask.application.tools.ToolExecutionContext
 import io.github.jpicklyk.mcptask.application.tools.ToolValidationException
 import io.github.jpicklyk.mcptask.domain.model.EntityType
+import io.github.jpicklyk.mcptask.domain.model.Feature
 import io.github.jpicklyk.mcptask.domain.model.Priority
 import io.github.jpicklyk.mcptask.domain.model.Task
 import io.github.jpicklyk.mcptask.domain.model.TaskStatus
+import io.github.jpicklyk.mcptask.domain.repository.FeatureRepository
 import io.github.jpicklyk.mcptask.domain.repository.RepositoryError
 import io.github.jpicklyk.mcptask.domain.repository.Result
 import io.github.jpicklyk.mcptask.domain.repository.TaskRepository
@@ -28,17 +30,20 @@ class UpdateTaskToolTest {
     private lateinit var context: ToolExecutionContext
     private lateinit var validTaskId: String
     private lateinit var mockTaskRepository: TaskRepository
+    private lateinit var mockFeatureRepository: FeatureRepository
     private lateinit var mockTask: Task
 
     @BeforeEach
     fun setup() {
         tool = UpdateTaskTool()
         // Create a mock repository provider and repositories
         mockTaskRepository = mockk<TaskRepository>()
+        mockFeatureRepository = mockk<FeatureRepository>()
         val mockRepositoryProvider = mockk<RepositoryProvider>()
 
-        // Configure the repository provider to return the mock task repository
+        // Configure the repository provider to return the mock repositories
         every { mockRepositoryProvider.taskRepository() } returns mockTaskRepository
+        every { mockRepositoryProvider.featureRepository() } returns mockFeatureRepository
 
         // Create the execution context with the mock repository provider
         context = ToolExecutionContext(mockRepositoryProvider)
@@ -335,4 +340,103 @@ class UpdateTaskToolTest {
         assertNotNull(error, "Error object should not be null")
         assertEquals("DATABASE_ERROR", error!!["code"]?.jsonPrimitive?.content)
     }
+
+    @Test
+    fun `test invalid featureId foreign key validation`() = runBlocking {
+        val invalidFeatureId = UUID.randomUUID().toString()
+        
+        // Mock feature repository to return not found for invalid feature ID
+        coEvery {
+            mockFeatureRepository.getById(UUID.fromString(invalidFeatureId))
+        } returns Result.Error(
+            RepositoryError.NotFound(
+                UUID.fromString(invalidFeatureId),
+                EntityType.FEATURE,
+                "Feature not found"
+            )
+        )
+
+        val params = JsonObject(
+            mapOf(
+                "id" to JsonPrimitive(validTaskId),
+                "featureId" to JsonPrimitive(invalidFeatureId)
+            )
+        )
+
+        val result = tool.execute(params, context)
+        assertTrue(result is JsonObject, "Response should be a JsonObject")
+
+        val responseObj = result as JsonObject
+        val success = responseObj["success"]?.jsonPrimitive?.boolean ?: true
+        assertFalse(success, "Success should be false for invalid featureId")
+
+        val message = responseObj["message"]?.jsonPrimitive?.content
+        assertEquals("Feature not found", message, "Should return proper feature not found message")
+
+        val error = responseObj["error"]?.jsonObject
+        assertNotNull(error, "Error object should not be null")
+        assertEquals("RESOURCE_NOT_FOUND", error!!["code"]?.jsonPrimitive?.content)
+        
+        val details = error["details"]?.jsonPrimitive?.content
+        assertTrue(
+            details?.contains("No feature exists with ID $invalidFeatureId") ?: false,
+            "Error details should mention the specific feature ID"
+        )
+    }
+
+    @Test
+    fun `test valid featureId foreign key validation`() = runBlocking {
+        val validFeatureId = UUID.randomUUID().toString()
+        val mockFeature = mockk<Feature>()
+        
+        // Mock feature repository to return success for valid feature ID
+        coEvery {
+            mockFeatureRepository.getById(UUID.fromString(validFeatureId))
+        } returns Result.Success(mockFeature)
+
+        val params = JsonObject(
+            mapOf(
+                "id" to JsonPrimitive(validTaskId),
+                "featureId" to JsonPrimitive(validFeatureId)
+            )
+        )
+
+        val result = tool.execute(params, context)
+        assertTrue(result is JsonObject, "Response should be a JsonObject")
+
+        val responseObj = result as JsonObject
+        val success = responseObj["success"]?.jsonPrimitive?.boolean ?: false
+        assertTrue(success, "Success should be true for valid featureId")
+
+        val message = responseObj["message"]?.jsonPrimitive?.content
+        assertTrue(
+            message?.contains("updated successfully") ?: false,
+            "Message should contain 'updated successfully'"
+        )
+    }
+
+    @Test
+    fun `test featureId validation only triggered when changing feature`() = runBlocking {
+        // Task already has a feature ID - updating without changing it should not trigger validation
+        val existingFeatureId = UUID.randomUUID()
+        val taskWithFeature = mockTask.copy(featureId = existingFeatureId)
+        
+        coEvery {
+            mockTaskRepository.getById(UUID.fromString(validTaskId))
+        } returns Result.Success(taskWithFeature)
+
+        val params = JsonObject(
+            mapOf(
+                "id" to JsonPrimitive(validTaskId),
+                "title" to JsonPrimitive("Updated Title") // Only updating title, not featureId
+            )
+        )
+
+        val result = tool.execute(params, context)
+        assertTrue(result is JsonObject, "Response should be a JsonObject")
+
+        val responseObj = result as JsonObject
+        val success = responseObj["success"]?.jsonPrimitive?.boolean ?: false
+        assertTrue(success, "Success should be true when not changing featureId")
+    }
 }
