You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Raised during review of PR #1077 (fix(http): validate Host and Origin for every MCP endpoint method).
Observation
mcp_server/test/ptc_runner_mcp/http_router_test.exs is ~902 lines. The auth/Host/Origin/content-type gate tests (the security-critical request-validation path) are scattered across top-level test blocks rather than grouped. As the suite grows, the security gate coverage gets harder to locate and reason about as a unit.
Only one describe block exists today: describe "failed auth rate limiting" (~line 696), which already groups the rate-limiter tests including the Host/Origin "do not increment the failure counter" cases.
All tests share a single non-trivial setup block (stops/starts SessionRegistry, inits ConcurrencyGate, snapshots/restores TraceConfig/Log level, on_exit teardown).
Gate tests that would move into a grouping (by current name)
unauthenticated GET /mcp returns 401 bearer challenge (auth)
health and ready are unauthenticated (auth)
missing and bad auth return bearer challenges (auth)
GET /mcp with bad Host returns 403 before 405 (Host)
loopback bind rejects hostile Host before reading MCP POST body (Host)
loopback bind rejects hostile Host on DELETE (Host)
GET /mcp with invalid Origin returns 403 before 405 (Origin)
missing Origin is allowed when Host is loopback (Origin/Host)
invalid browser Origin is rejected even with loopback Host (Origin)
POST rejects present non-JSON content types (content-type gate)
Suggested Approach
Prefer a clearly-named top-level describe "security gates (auth / Host / Origin / content-type)" block within the existing file, rather than a separate http_security_gates_test.exs.
Rationale: the shared setup block is non-trivial. A separate file would force either duplicating that setup or extracting it into a shared test-support helper — extra complexity for a purely cosmetic reorganization. A describe block reuses the existing setup for free and achieves the navigability goal. Only split into a separate file if a shared setup helper is later introduced for other reasons.
Acceptance Criteria
The gate tests listed above are grouped under one clearly-named describe block (or a separate file with shared setup, if that path is chosen).
No test assertions are changed — this is a pure move/regroup.
mix test (in mcp_server/) passes with the same number of tests as before.
The existing describe "failed auth rate limiting" block is left intact (or, optionally, nested logically near the gate block).
Decision / Priority
Deferred by the PR #1077 reviewer: "not worth splitting for a one-test addition. Revisit if the file continues to grow."
As of 2026-06-03 the file is still 902 lines — the deferral condition (file growth) has not been met. This remains a low-value, low-risk cosmetic tech-debt item. Recommend keeping it deferred until the file grows materially or a contributor picks it up as a quick cleanup; the acceptance criteria above make it actionable whenever that happens.
Background
Raised during review of PR #1077 (fix(http): validate Host and Origin for every MCP endpoint method).
Observation
mcp_server/test/ptc_runner_mcp/http_router_test.exsis ~902 lines. The auth/Host/Origin/content-type gate tests (the security-critical request-validation path) are scattered across top-leveltestblocks rather than grouped. As the suite grows, the security gate coverage gets harder to locate and reason about as a unit.Current State (verified 2026-06-03)
mcp_server/test/ptc_runner_mcp/http_router_test.exs, 902 lines — unchanged since PR fix(http): validate Host and Origin for every MCP endpoint method #1077 merged.describeblock exists today:describe "failed auth rate limiting"(~line 696), which already groups the rate-limiter tests including the Host/Origin "do not increment the failure counter" cases.setupblock (stops/startsSessionRegistry, initsConcurrencyGate, snapshots/restoresTraceConfig/Loglevel,on_exitteardown).Gate tests that would move into a grouping (by current name)
unauthenticated GET /mcp returns 401 bearer challenge(auth)health and ready are unauthenticated(auth)missing and bad auth return bearer challenges(auth)GET /mcp with bad Host returns 403 before 405(Host)loopback bind rejects hostile Host before reading MCP POST body(Host)loopback bind rejects hostile Host on DELETE(Host)GET /mcp with invalid Origin returns 403 before 405(Origin)missing Origin is allowed when Host is loopback(Origin/Host)invalid browser Origin is rejected even with loopback Host(Origin)POST rejects present non-JSON content types(content-type gate)Suggested Approach
Prefer a clearly-named top-level
describe "security gates (auth / Host / Origin / content-type)"block within the existing file, rather than a separatehttp_security_gates_test.exs.Rationale: the shared
setupblock is non-trivial. A separate file would force either duplicating that setup or extracting it into a shared test-support helper — extra complexity for a purely cosmetic reorganization. Adescribeblock reuses the existingsetupfor free and achieves the navigability goal. Only split into a separate file if a shared setup helper is later introduced for other reasons.Acceptance Criteria
describeblock (or a separate file with shared setup, if that path is chosen).mix test(inmcp_server/) passes with the same number of tests as before.describe "failed auth rate limiting"block is left intact (or, optionally, nested logically near the gate block).Decision / Priority
Deferred by the PR #1077 reviewer: "not worth splitting for a one-test addition. Revisit if the file continues to grow."
As of 2026-06-03 the file is still 902 lines — the deferral condition (file growth) has not been met. This remains a low-value, low-risk cosmetic tech-debt item. Recommend keeping it deferred until the file grows materially or a contributor picks it up as a quick cleanup; the acceptance criteria above make it actionable whenever that happens.
Source: PR #1077 reviewer suggestion