mirror of
https://github.com/shankar0123/certctl.git
synced 2026-06-07 23:31:39 +00:00
91ad07f768
internal/mcp line coverage 28.0% -> 93.1% (+65.1pp; +8.1 above target)
via internal/mcp/tools_per_tool_test.go (~580 LoC, 4 top-level + 174 sub-tests).
Strategy: gomcp.NewInMemoryTransports() wires an in-process client +
server pair; RegisterTools(server, client) is invoked against a mock
certctl API; every one of 87 registered tools is dispatched via
clientSession.CallTool. This is the first test in the package that
exercises the closure bodies inside register*Tools — existing tests
(tools_test.go, injection_regression_test.go, fence_guardrail_test.go,
retire_agent_test.go) tested the wrapper + HTTP client in isolation.

Tests:
  TestMCP_AllTools_HappyPath: 87 sub-tests, mock 'ok' mode,
    asserts response fence end-to-end.
  TestMCP_AllTools_ErrorPath: 87 sub-tests, mock '5xx' mode,
    asserts MCP_ERROR fence.
  TestMCP_FenceInjectionResistance: 50 dispatches; asserts per-call
    nonce uniqueness (security property).
  TestMCP_FenceWithPlantedEndMarker: planted attacker nonce does not
    collide with real RNG nonce.
  TestMCP_RegisterTools_DispatchableToolCount: tool-inventory check
    (87 registered == 87 covered).

Per-register*Tools coverage:
  registerCertificateTools:   11.2% -> 84.1%
  registerCRLOCSPTools:       20.0% -> 100.0%
  registerIssuerTools:        20.0% -> 100.0%
  registerTargetTools:        20.0% -> 100.0%
  registerAgentTools:         13.5% -> 86.5%
  registerJobTools:           15.2% -> 90.9%
  registerPolicyTools:        19.4% -> 100.0%
  registerProfileTools:       20.0% -> 100.0%
  registerTeamTools:          20.0% -> 100.0%
  registerOwnerTools:         20.0% -> 100.0%
  registerAgentGroupTools:    20.0% -> 100.0%
  registerAuditTools:         20.0% -> 100.0%
  registerNotificationTools:  17.4% -> 95.7%
  registerStatsTools:         14.7% -> 91.2%
  registerDigestTools:        20.0% -> 100.0%
  registerMetricsTools:       20.0% -> 100.0%
  registerHealthTools:        19.4% -> 100.0%

Binary-blob tools (certctl_get_der_crl, certctl_ocsp_check) bypass
textResult by design — they return human-readable summaries instead
of fenced JSON. Matches the existing fence_guardrail_test.go allowlist.

Verification:
  go vet ./internal/mcp/...    clean
  gofmt -l internal/mcp/       clean
  staticcheck -checks all      clean (only pre-existing S1009 +
                               ST1000 hits in master remain)
  go test -short -cover        93.1% coverage
  go test -race -count=1       PASS, 0 races

Audit deliverables:
  findings.yaml:       C-002 status open -> closed
  gap-backlog.md:      closure log + C-002 strikethrough
  coverage-matrix.md:  MCP row at 93.1%
  closure-plan.md:     Bundle K [x] closed
  CHANGELOG.md:        [unreleased] Bundle K entry
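
The two nonce properties named in the test list above (per-call uniqueness, and a planted end marker not colliding with the real nonce), as an added example that is not certctl's code. The marker strings and the `fence`/`unfence` helpers are assumptions for illustration, since the commit message does not show the real fence format.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// Assumed marker layout; the project's real fence format is not shown on this page.
const (
	beginFmt = "--- UNTRUSTED DATA BEGIN [nonce:%s] ---"
	endFmt   = "--- UNTRUSTED DATA END [nonce:%s] ---"
)

// fence wraps an untrusted API body between markers that carry a fresh
// 128-bit nonce from crypto/rand, so the body cannot predict the end marker.
func fence(body string) (string, string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", "", err
	}
	nonce := hex.EncodeToString(b)
	return fmt.Sprintf(beginFmt, nonce) + "\n" + body + "\n" + fmt.Sprintf(endFmt, nonce), nonce, nil
}

// unfence returns the payload only when the markers for this call's nonce
// open and close the text and the real end marker does not appear inside it.
func unfence(wrapped, nonce string) (string, bool) {
	endLine := fmt.Sprintf(endFmt, nonce)
	begin, end := fmt.Sprintf(beginFmt, nonce)+"\n", "\n"+endLine
	if len(wrapped) < len(begin)+len(end) || !strings.HasPrefix(wrapped, begin) || !strings.HasSuffix(wrapped, end) {
		return "", false
	}
	body := wrapped[len(begin) : len(wrapped)-len(end)]
	if strings.Contains(body, endLine) {
		return "", false
	}
	return body, true
}

func main() {
	// Constructed input: an API body that plants an end marker with a guessed nonce.
	planted := "{\"cn\":\"example\"}\n" + fmt.Sprintf(endFmt, strings.Repeat("0", 32))
	wrapped, nonce, _ := fence(planted)
	_, ok := unfence(wrapped, nonce)
	fmt.Println(wrapped)
	fmt.Println("planted marker stayed inside the fence:", ok)
}
```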