fix: add foreign key validation to prevent database schema exposure

- Add pre-validation for featureId in CreateTaskTool to check feature exists
- Add pre-validation for projectId in CreateFeatureTool to check project exists
- Replace raw SQL foreign key constraint errors with proper RESOURCE_NOT_FOUND responses
- Update CreateTaskToolTest to mock feature repository validation
- Resolves security vulnerability where invalid foreign keys exposed database internals

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

Author: jpicklyk

src/main/kotlin/io/github/jpicklyk/mcptask/application/tools/feature/CreateFeatureTool.kt

@@ -315,6 +315,20 @@ class CreateFeatureTool : BaseToolDefinition() {
                 if (it.isEmpty()) null else UUID.fromString(it)
             }
 
+            // Validate that referenced project exists before attempting to create feature
+            if (projectId != null) {
+                when (val projectResult = context.repositoryProvider.projectRepository().getById(projectId)) {
+                    is Result.Error -> {
+                        return errorResponse(
+                            message = "Project not found",
+                            code = ErrorCodes.RESOURCE_NOT_FOUND,
+                            details = "No project exists with ID $projectId"
+                        )
+                    }
+                    is Result.Success -> { /* Project exists, continue */ }
+                }
+            }
+            
             // Convert string parameters to appropriate types
             val status = parseStatus(statusStr)
             val priority = parsePriority(priorityStr)

src/main/kotlin/io/github/jpicklyk/mcptask/application/tools/task/CreateTaskTool.kt

@@ -324,6 +324,33 @@ class CreateTaskTool : BaseToolDefinition() {
                 if (it.isEmpty()) null else UUID.fromString(it)
             }
 
+            // Validate that referenced entities exist before attempting to create task
+            if (projectId != null) {
+                when (val projectResult = context.repositoryProvider.projectRepository().getById(projectId)) {
+                    is Result.Error -> {
+                        return errorResponse(
+                            message = "Project not found",
+                            code = ErrorCodes.RESOURCE_NOT_FOUND,
+                            details = "No project exists with ID $projectId"
+                        )
+                    }
+                    is Result.Success -> { /* Project exists, continue */ }
+                }
+            }
+
+            if (featureId != null) {
+                when (val featureResult = context.repositoryProvider.featureRepository().getById(featureId)) {
+                    is Result.Error -> {
+                        return errorResponse(
+                            message = "Feature not found", 
+                            code = ErrorCodes.RESOURCE_NOT_FOUND,
+                            details = "No feature exists with ID $featureId"
+                        )
+                    }
+                    is Result.Success -> { /* Feature exists, continue */ }
+                }
+            }
+
             // Parse tags
             val tags = optionalString(params, "tags")?.let {
                 if (it.isEmpty()) emptyList()

src/test/kotlin/io/github/jpicklyk/mcptask/application/tools/task/CreateTaskToolTest.kt

@@ -300,6 +300,11 @@ class CreateTaskToolTest {
             mockTaskRepository.create(any())
         } returns Result.Success(taskWithFeature)
 
+        // Setup feature repository to return success for the feature ID validation
+        coEvery {
+            mockRepositoryProvider.featureRepository().getById(featureId)
+        } returns Result.Success(mockk())
+
         val result = tool.execute(params, context)
 
         // Check that the result is a success response