Skip to content

Draft: Remove SDK private validation override and canonicalize inventory checks#54

Merged
Trailgenic merged 1 commit into
mainfrom
codex/create-draft-pr-for-sdk-hardening-changes
Jul 16, 2026
Merged

Draft: Remove SDK private validation override and canonicalize inventory checks#54
Trailgenic merged 1 commit into
mainfrom
codex/create-draft-pr-for-sdk-hardening-changes

Conversation

@Trailgenic

Copy link
Copy Markdown
Owner

Motivation

  • Remove the SDK-private validateToolInput override per the post-merge audit and rely on the SDK for schema-level validation while retaining handler-level Zod safeParse as defense-in-depth.
  • Replace brittle hard-coded tool/resource count assertions with expectations derived from canonical registry data to avoid fragile literals.
  • Apply a small canonicalization and metadata bump (build/package patch version) as part of the hardening change.

Description

  • Removed the server.validateToolInput = ... assignment from lib/mcp-server.js and preserved the handler-bound toolSchemas.get(tool.id).safeParse(args) path that returns an isError corrective result on schema failures.
  • Relaxed schema-level failure assertions in tests/worker.vitest.mjs to check semantic failure signals (e.g., isError: true and meaningful mention of field/tool) instead of exact prose, added an enum-invalid test, and preserved exact-message assertions for TrailGenic-controlled business-rule failures.
  • Replaced hard-coded 19 (tools) and 35 (resources) expectations with comparisons derived from DATA_TOOLS, mcpTools(), resourceInventory() and root-discovery equivalence in tests/worker.vitest.mjs, tests/registry.test.mjs, scripts/validate-registry.mjs, and scripts/live-acceptance.mjs.
  • Added a source-level guard in tests/worker.vitest.mjs that asserts the Worker runtime bundle contains no Ajv import and no SDK-private assignments matching server.<identifier> = or ._<identifier> =.
  • Bumped BUILD.version and package metadata from 1.4.2 to 1.4.3 in lib/registry.js, package.json, and package-lock.json, while leaving @modelcontextprotocol/sdk pinned at 1.29.0.
  • Files changed: lib/mcp-server.js, lib/registry.js, package.json, package-lock.json, scripts/live-acceptance.mjs, scripts/validate-registry.mjs, tests/registry.test.mjs, and tests/worker.vitest.mjs.

Testing

  • Ran npm ci and the install completed successfully.
  • Ran npm run lint, npm test, npm run test:workers, npm run validate:json, npm run validate:registry, and npm run wrangler:dry-run, and all completed successfully in the container.
  • Attempted live acceptance with node scripts/live-acceptance.mjs but it failed due to outbound network ENETUNREACH so full live acceptance could not be executed from this environment.
  • Could not push the branch or poll GitHub Actions from this container because the repository has no configured origin remote, so CI status on the PR head could not be confirmed here.

Codex Task

@vercel

vercel Bot commented Jul 16, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
workers Ready Ready Preview, Comment Jul 16, 2026 3:02am

Request Review

@Trailgenic
Trailgenic merged commit 52e7f2d into main Jul 16, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant