@jgardner04/ghost-mcp-server 1.11.0 → 1.12.1

package/src/services/__tests__/ghostServiceImproved.members.test.js

@@ -128,24 +128,9 @@ describe('ghostServiceImproved - Members', () => {
       expect(result).toEqual(mockCreatedMember);
     });
 
-    it('should throw validation error for missing email', async () => {
-      await expect(createMember({})).rejects.toThrow('Member validation failed');
-    });
-
-    it('should throw validation error for invalid email', async () => {
-      await expect(createMember({ email: 'invalid-email' })).rejects.toThrow(
-        'Member validation failed'
-      );
-    });
-
-    it('should throw validation error for invalid labels type', async () => {
-      await expect(
-        createMember({
-          email: 'test@example.com',
-          labels: 'premium',
-        })
-      ).rejects.toThrow('Member validation failed');
-    });
+    // NOTE: Input validation tests (missing email, invalid email, invalid labels)
+    // have been moved to MCP layer tests. The service layer now relies on
+    // Zod schema validation at the MCP tool layer.
 
     it('should handle Ghost API errors', async () => {
       const memberData = {
@@ -225,11 +210,8 @@ describe('ghostServiceImproved - Members', () => {
       );
     });
 
-    it('should throw validation error for invalid email in update', async () => {
-      await expect(updateMember('member-1', { email: 'invalid-email' })).rejects.toThrow(
-        'Member validation failed'
-      );
-    });
+    // NOTE: Input validation tests (invalid email in update) have been moved to
+    // MCP layer tests. The service layer now relies on Zod schema validation.
 
     it('should throw not found error if member does not exist', async () => {
       api.members.read.mockRejectedValue({
@@ -345,14 +327,8 @@ describe('ghostServiceImproved - Members', () => {
       );
     });
 
-    it('should throw validation error for invalid limit', async () => {
-      await expect(getMembers({ limit: 0 })).rejects.toThrow('Member query validation failed');
-      await expect(getMembers({ limit: 101 })).rejects.toThrow('Member query validation failed');
-    });
-
-    it('should throw validation error for invalid page', async () => {
-      await expect(getMembers({ page: 0 })).rejects.toThrow('Member query validation failed');
-    });
+    // NOTE: Input validation tests (invalid limit, invalid page) have been moved to
+    // MCP layer tests. The service layer now relies on Zod schema validation.
 
     it('should return empty array when no members found', async () => {
       api.members.browse.mockResolvedValue([]);
@@ -407,15 +383,8 @@ describe('ghostServiceImproved - Members', () => {
       expect(result).toEqual(mockMember);
     });
 
-    it('should throw validation error when neither id nor email provided', async () => {
-      await expect(getMember({})).rejects.toThrow('Member lookup validation failed');
-    });
-
-    it('should throw validation error for invalid email format', async () => {
-      await expect(getMember({ email: 'invalid-email' })).rejects.toThrow(
-        'Member lookup validation failed'
-      );
-    });
+    // NOTE: Input validation tests (missing id/email, invalid email format) have been
+    // moved to MCP layer tests. The service layer now relies on Zod schema validation.
 
     it('should throw not found error when member not found by ID', async () => {
       api.members.read.mockRejectedValue({
@@ -493,27 +462,9 @@ describe('ghostServiceImproved - Members', () => {
       );
     });
 
-    it('should throw validation error for empty query', async () => {
-      await expect(searchMembers('')).rejects.toThrow('Search query validation failed');
-      await expect(searchMembers('   ')).rejects.toThrow('Search query validation failed');
-    });
-
-    it('should throw validation error for non-string query', async () => {
-      await expect(searchMembers(123)).rejects.toThrow('Search query validation failed');
-      await expect(searchMembers(null)).rejects.toThrow('Search query validation failed');
-    });
-
-    it('should throw validation error for invalid limit', async () => {
-      await expect(searchMembers('test', { limit: 0 })).rejects.toThrow(
-        'Search options validation failed'
-      );
-      await expect(searchMembers('test', { limit: 51 })).rejects.toThrow(
-        'Search options validation failed'
-      );
-      await expect(searchMembers('test', { limit: 100 })).rejects.toThrow(
-        'Search options validation failed'
-      );
-    });
+    // NOTE: Input validation tests (empty query, non-string query, invalid limit)
+    // have been moved to MCP layer tests. The service layer now relies on
+    // Zod schema validation at the MCP tool layer.
 
     it('should sanitize query to prevent NQL injection', async () => {
       const mockMembers = [];

package/src/services/__tests__/postService.test.js

@@ -26,7 +26,11 @@ describe('postService', () => {
     vi.clearAllMocks();
   });
 
-  describe('createPostService - validation', () => {
+  // NOTE: Input validation tests have been moved to MCP layer tests.
+  // The postService no longer performs Joi validation - input is validated
+  // by Zod schemas at the MCP tool layer (see mcp_server_improved.js).
+
+  describe('createPostService - basic functionality', () => {
     it('should accept valid input and create a post', async () => {
       const validInput = {
         title: 'Test Post',
@@ -47,41 +51,6 @@ describe('postService', () => {
       );
     });
 
-    it('should reject input with missing title', async () => {
-      const invalidInput = {
-        html: '<p>Test content</p>',
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow(
-        'Invalid post input: "title" is required'
-      );
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
-    it('should reject input with missing html', async () => {
-      const invalidInput = {
-        title: 'Test Post',
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow(
-        'Invalid post input: "html" is required'
-      );
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
-    it('should reject input with invalid status', async () => {
-      const invalidInput = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        status: 'invalid-status',
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow(
-        'Invalid post input: "status" must be one of [draft, published, scheduled]'
-      );
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
     it('should accept valid status values', async () => {
       const statuses = ['draft', 'published', 'scheduled'];
       createPost.mockResolvedValue({ id: '1', title: 'Test' });
@@ -100,39 +69,6 @@ describe('postService', () => {
       }
     });
 
-    it('should validate tags array with maximum length', async () => {
-      const invalidInput = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        tags: Array(11).fill('tag'), // 11 tags exceeds max of 10
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
-    it('should validate tag string max length', async () => {
-      const invalidInput = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        tags: ['a'.repeat(51)], // 51 chars exceeds max of 50
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
-    it('should validate feature_image is a valid URI', async () => {
-      const invalidInput = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        feature_image: 'not-a-valid-url',
-      };
-
-      await expect(createPostService(invalidInput)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
     it('should accept valid feature_image URI', async () => {
       const validInput = {
         title: 'Test Post',
@@ -217,27 +153,7 @@ describe('postService', () => {
       );
     });
 
-    it('should reject tags array with non-string values', async () => {
-      const input = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        tags: [null, 'valid-tag'],
-      };
-
-      await expect(createPostService(input)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
-
-    it('should reject tags array with empty strings', async () => {
-      const input = {
-        title: 'Test Post',
-        html: '<p>Content</p>',
-        tags: ['', 'valid-tag'],
-      };
-
-      await expect(createPostService(input)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
+    // NOTE: Tag validation tests (non-string values, empty strings) moved to MCP layer
 
     it('should trim whitespace from tag names', async () => {
       const input = {
@@ -383,15 +299,7 @@ describe('postService', () => {
       expect(calledDescription).toBe('a'.repeat(497) + '...');
     });
 
-    it('should reject empty HTML content', async () => {
-      const input = {
-        title: 'Test Post',
-        html: '',
-      };
-
-      await expect(createPostService(input)).rejects.toThrow('Invalid post input:');
-      expect(createPost).not.toHaveBeenCalled();
-    });
+    // NOTE: Empty HTML validation test moved to MCP layer
 
     it('should strip HTML tags and truncate when generating meta_description', async () => {
       const longHtml = '<p>' + 'word '.repeat(200) + '</p>';

package/src/services/ghostServiceImproved.js

@@ -792,10 +792,7 @@ export async function deleteTag(tagId) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function createMember(memberData, options = {}) {
-  // Import and validate input
-  const { validateMemberData } = await import('./memberService.js');
-  validateMemberData(memberData);
-
+  // Input validation is performed at the MCP tool layer using Zod schemas
   try {
     return await handleApiRequest('members', 'add', memberData, options);
   } catch (error) {
@@ -825,14 +822,11 @@ export async function createMember(memberData, options = {}) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function updateMember(memberId, updateData, options = {}) {
+  // Input validation is performed at the MCP tool layer using Zod schemas
   if (!memberId) {
     throw new ValidationError('Member ID is required for update');
   }
 
-  // Import and validate update data
-  const { validateMemberUpdateData } = await import('./memberService.js');
-  validateMemberUpdateData(updateData);
-
   try {
     // Get existing member to retrieve updated_at for conflict resolution
     const existingMember = await handleApiRequest('members', 'read', { id: memberId });
@@ -889,10 +883,7 @@ export async function deleteMember(memberId) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function getMembers(options = {}) {
-  // Import and validate query options
-  const { validateMemberQueryOptions } = await import('./memberService.js');
-  validateMemberQueryOptions(options);
-
+  // Input validation is performed at the MCP tool layer using Zod schemas
   const defaultOptions = {
     limit: 15,
     ...options,
@@ -918,12 +909,12 @@ export async function getMembers(options = {}) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function getMember(params) {
-  // Import and validate lookup parameters
-  const { validateMemberLookup, sanitizeNqlValue } = await import('./memberService.js');
-  const { lookupType, id, email } = validateMemberLookup(params);
+  // Input validation is performed at the MCP tool layer using Zod schemas
+  const { sanitizeNqlValue } = await import('./memberService.js');
+  const { id, email } = params;
 
   try {
-    if (lookupType === 'id') {
+    if (id) {
       // Lookup by ID using read endpoint
       return await handleApiRequest('members', 'read', { id }, { id });
     } else {
@@ -960,11 +951,9 @@ export async function getMember(params) {
  * @throws {GhostAPIError} If the API request fails
  */
 export async function searchMembers(query, options = {}) {
-  // Import and validate search query and options
-  const { validateSearchQuery, validateSearchOptions, sanitizeNqlValue } =
-    await import('./memberService.js');
-  validateSearchOptions(options);
-  const sanitizedQuery = sanitizeNqlValue(validateSearchQuery(query));
+  // Input validation is performed at the MCP tool layer using Zod schemas
+  const { sanitizeNqlValue } = await import('./memberService.js');
+  const sanitizedQuery = sanitizeNqlValue(query.trim());
 
   const limit = options.limit || 15;
 

package/src/services/postService.js

@@ -1,12 +1,10 @@
 import sanitizeHtml from 'sanitize-html';
-import Joi from 'joi';
 import { createContextLogger } from '../utils/logger.js';
 import {
   createPost as createGhostPost,
   getTags as getGhostTags,
   createTag as createGhostTag,
-  // Import other necessary functions from ghostService later
-} from './ghostService.js'; // Note the relative path
+} from './ghostService.js';
 
 /**
  * Helper to generate a simple meta description from HTML content.
@@ -37,37 +35,13 @@ const generateSimpleMetaDescription = (htmlContent, maxLength = 500) => {
 /**
  * Service layer function to handle the business logic of creating a post.
  * Transforms input data, handles/resolves tags, includes feature image and metadata.
- * @param {object} postInput - Data received from the controller.
+ * Input validation is handled at the MCP layer using Zod schemas.
+ * @param {object} postInput - Validated data received from the MCP tool.
  * @returns {Promise<object>} The created post object from the Ghost API.
  */
-// Validation schema for post input
-const postInputSchema = Joi.object({
-  title: Joi.string().max(255).required(),
-  html: Joi.string().required(),
-  custom_excerpt: Joi.string().max(500).optional(),
-  status: Joi.string().valid('draft', 'published', 'scheduled').optional(),
-  published_at: Joi.string().isoDate().optional(),
-  tags: Joi.array().items(Joi.string().max(50)).max(10).optional(),
-  feature_image: Joi.string().uri().optional(),
-  feature_image_alt: Joi.string().max(255).optional(),
-  feature_image_caption: Joi.string().max(500).optional(),
-  meta_title: Joi.string().max(70).optional(),
-  meta_description: Joi.string().max(160).optional(),
-});
-
 const createPostService = async (postInput) => {
   const logger = createContextLogger('post-service');
 
-  // Validate input to prevent format string vulnerabilities
-  const { error, value: validatedInput } = postInputSchema.validate(postInput);
-  if (error) {
-    logger.error('Post input validation failed', {
-      error: error.details[0].message,
-      inputKeys: Object.keys(postInput),
-    });
-    throw new Error(`Invalid post input: ${error.details[0].message}`);
-  }
-
   const {
     title,
     html,
@@ -80,7 +54,7 @@ const createPostService = async (postInput) => {
     feature_image_caption,
     meta_title,
     meta_description,
-  } = validatedInput;
+  } = postInput;
 
   // --- Resolve Tag Names to Tag Objects (ID/Slug/Name) ---
   let resolvedTags = [];