mcp-github-agent 0.1.0__py3-none-any.whl

tests/test_audit.py

@@ -0,0 +1,181 @@
+"""Tests for audit.py — JSONL logging & redaction."""
+import io
+import json
+import os
+from datetime import datetime
+import tempfile
+import unittest
+from unittest.mock import Mock, patch
+
+from src.audit import AuditLogger
+
+
+class TestAuditLogger(unittest.TestCase):
+
+    def test_log_to_file(self):
+        path = tempfile.mktemp(suffix=".jsonl")
+        try:
+            logger = AuditLogger(sink=path)
+            logger.log(
+                tool="create_pr", action="pull_request.create",
+                repo="owner/repo",
+                policy_decision="allow", policy_rule="repo_allowlist:owner/*",
+                request_body={"title": "fix bug", "head": "patch", "base": "main"},
+                response={"number": 42, "html_url": "https://github.com/owner/repo/pull/42"},
+            )
+            logger.close()
+
+            with open(path, "r") as f:
+                entry = json.loads(f.readline())
+
+            self.assertEqual(entry["tool"], "create_pr")
+            self.assertEqual(entry["repo"], "owner/repo")
+            self.assertEqual(entry["policy"]["decision"], "allow")
+            self.assertIn("matched_rule", entry["policy"])
+            self.assertEqual(entry["request"]["title"], "fix bug")
+            self.assertEqual(entry["response"]["number"], 42)
+            self.assertEqual(entry["dry_run"], False)
+            self.assertIn("timestamp", entry)
+            self.assertIn("request_id", entry)
+        finally:
+            logger.close()
+            if os.path.exists(path):
+                os.unlink(path)
+
+    def test_log_dry_run(self):
+        path = tempfile.mktemp(suffix=".jsonl")
+        try:
+            logger = AuditLogger(sink=path)
+            logger.log(
+                tool="create_issue", action="issue.create",
+                repo="owner/repo", dry_run=True,
+                policy_decision="allow", policy_rule="default-allow",
+                request_body={"title": "test", "body": "test body"},
+            )
+            logger.close()
+
+            with open(path, "r") as f:
+                entry = json.loads(f.readline())
+
+            self.assertTrue(entry["dry_run"])
+            self.assertIsNone(entry["response"])
+        finally:
+            logger.close()
+            if os.path.exists(path):
+                os.unlink(path)
+
+    def test_log_denied(self):
+        path = tempfile.mktemp(suffix=".jsonl")
+        try:
+            logger = AuditLogger(sink=path)
+            logger.log(
+                tool="create_pr", action="pull_request.create",
+                repo="forbidden/repo",
+                policy_decision="deny",
+                policy_rule="repo_allowlist:deny_unlisted",
+                error="repo forbidden/repo not in allowlist",
+            )
+            logger.close()
+
+            with open(path, "r") as f:
+                entry = json.loads(f.readline())
+
+            self.assertEqual(entry["policy"]["decision"], "deny")
+            self.assertEqual(entry["error"], "repo forbidden/repo not in allowlist")
+        finally:
+            logger.close()
+            if os.path.exists(path):
+                os.unlink(path)
+
+    def test_redaction(self):
+        """Sensitive keys are redacted in audit logs."""
+        path = tempfile.mktemp(suffix=".jsonl")
+        try:
+            logger = AuditLogger(sink=path)
+            logger.log(
+                tool="create_pr", action="pull_request.create",
+                repo="owner/repo",
+                request_body={
+                    "title": "test",
+                    "token": "ghp_should_be_redacted",
+                    "password": "secret123",
+                },
+                response={
+                    "status": 201,
+                    "authorization": "bearer xyz",
+                },
+            )
+            logger.close()
+
+            with open(path, "r") as f:
+                entry = json.loads(f.readline())
+
+            self.assertEqual(entry["request"]["token"], "***REDACTED***")
+            self.assertEqual(entry["request"]["password"], "***REDACTED***")
+            self.assertEqual(entry["response"]["authorization"], "***REDACTED***")
+        finally:
+            logger.close()
+            if os.path.exists(path):
+                os.unlink(path)
+
+    def test_log_format_redacts_nested_values_and_truncates_long_strings(self):
+        stream = io.StringIO()
+        with patch("src.audit.sys.stdout", stream):
+            logger = AuditLogger(sink="stdout")
+            logger.log(
+                tool="create_issue",
+                action="issue.create",
+                repo="owner/repo",
+                request_body={
+                    "nested": {"api_key": "secret"},
+                    "items": [{"auth": "bearer"}],
+                    "body": "x" * 250,
+                },
+            )
+
+        entry = json.loads(stream.getvalue())
+        datetime.fromisoformat(entry["timestamp"])
+        self.assertEqual(len(entry["request_id"]), 12)
+        self.assertEqual(entry["request"]["nested"]["api_key"], "***REDACTED***")
+        self.assertEqual(entry["request"]["items"][0]["auth"], "***REDACTED***")
+        self.assertEqual(entry["request"]["body"], "x" * 200 + "...")
+
+    def test_multiple_operations_write_json_lines(self):
+        path = tempfile.mktemp(suffix=".jsonl")
+        try:
+            logger = AuditLogger(sink=path)
+            logger.log("tool1", "action1", "owner/repo")
+            logger.log("tool2", "action2", "owner/repo", error="failed")
+            logger.close()
+
+            with open(path, "r", encoding="utf-8") as f:
+                entries = [json.loads(line) for line in f]
+
+            self.assertEqual([e["tool"] for e in entries], ["tool1", "tool2"])
+            self.assertEqual(entries[1]["error"], "failed")
+        finally:
+            logger.close()
+            if os.path.exists(path):
+                os.unlink(path)
+
+    def test_invalid_relative_sink_and_allowlist_rejection(self):
+        with self.assertRaises(ValueError):
+            AuditLogger(sink="relative.jsonl")
+
+        with patch.dict(os.environ, {"GITHUB_AUDIT_DIR_ALLOWLIST": "/allowed"}, clear=False):
+            with self.assertRaises(ValueError):
+                AuditLogger(sink="/tmp/audit.jsonl")
+
+    def test_logging_errors_are_suppressed(self):
+        logger = AuditLogger(sink="stdout")
+        broken = Mock()
+        broken.write.side_effect = RuntimeError("disk full")
+
+        with patch.object(logger, "_get_stream", return_value=broken):
+            logger.log("tool", "action", "owner/repo")
+
+        broken.write.assert_called_once()
+
+
+if __name__ == "__main__":
+    unittest.main()

tests/test_config.py

@@ -0,0 +1,41 @@
+"""Tests for config.py."""
+import pytest
+
+from src import config
+
+
+def test_get_github_token_reads_env(monkeypatch):
+    monkeypatch.setenv("GITHUB_TOKEN", "ghp_token")
+    assert config.get_github_token() == "ghp_token"
+
+
+def test_get_github_token_raises_when_missing(monkeypatch):
+    monkeypatch.delenv("GITHUB_TOKEN", raising=False)
+    with pytest.raises(ValueError, match="GITHUB_TOKEN not set"):
+        config.get_github_token()
+
+
+def test_config_defaults_and_boolean_envs(monkeypatch):
+    monkeypatch.delenv("GITHUB_API_BASE", raising=False)
+    monkeypatch.delenv("GITHUB_POLICY_PATH", raising=False)
+    monkeypatch.delenv("GITHUB_POLICY_REQUIRED", raising=False)
+    monkeypatch.delenv("GITHUB_AUDIT_LOG", raising=False)
+    monkeypatch.delenv("GITHUB_DRY_RUN", raising=False)
+
+    assert config.get_github_api_base() == "https://api.github.com"
+    assert config.get_policy_path() == "policy.json"
+    assert config.get_policy_required() is False
+    assert config.get_audit_sink() == "stdout"
+    assert config.get_dry_run_enabled() is False
+
+    monkeypatch.setenv("GITHUB_API_BASE", "https://api.example")
+    monkeypatch.setenv("GITHUB_POLICY_PATH", "/tmp/policy.json")
+    monkeypatch.setenv("GITHUB_POLICY_REQUIRED", "yes")
+    monkeypatch.setenv("GITHUB_AUDIT_LOG", "stderr")
+    monkeypatch.setenv("GITHUB_DRY_RUN", "1")
+
+    assert config.get_github_api_base() == "https://api.example"
+    assert config.get_policy_path() == "/tmp/policy.json"
+    assert config.get_policy_required() is True
+    assert config.get_audit_sink() == "stderr"
+    assert config.get_dry_run_enabled() is True

tests/test_diff_parser.py

@@ -0,0 +1,74 @@
+"""Tests for diff_parser.py"""
+from src.diff_parser import parse_diff
+
+
+def test_parse_diff_single_file():
+    diff = """diff --git a/src/app.py b/src/app.py
+index 123..456 100644
+--- a/src/app.py
++++ b/src/app.py
+@@ -1,3 +1,4 @@
+ def hello():
++    print("debug")
+     return True"""
+    files = parse_diff(diff)
+    assert len(files) == 1
+    assert files[0].path == "src/app.py"
+    assert 2 in files[0].added_lines  # line 2: print("debug")
+
+
+def test_parse_diff_multiple_files():
+    diff = """diff --git a/a.py b/a.py
+--- a/a.py
++++ b/a.py
+@@ -1,1 +1,2 @@
++import os
+diff --git a/b.py b/b.py
+--- a/b.py
++++ b/b.py
+@@ -3,0 +4,1 @@
++logger.info("start")"""
+    files = parse_diff(diff)
+    assert len(files) == 2
+    assert {f.path for f in files} == {"a.py", "b.py"}
+
+
+def test_parse_diff_no_added_lines():
+    diff = """diff --git a/x.py b/x.py
+--- a/x.py
++++ b/x.py
+@@ -1,1 +1,1 @@
+-print("old")
++print("new")"""
+    files = parse_diff(diff)
+    assert len(files) == 1
+    assert len(files[0].added_lines) == 1  # "new" is an addition
+
+
+def test_parse_diff_tracks_removed_lines_without_returning_delete_only_file():
+    diff = """diff --git a/x.py b/x.py
+--- a/x.py
++++ b/x.py
+@@ -10,2 +10,1 @@
+ context
+-old
+"""
+    files = parse_diff(diff)
+    assert files == []
+
+
+def test_parse_diff_line_numbers_advance_over_context_and_removals():
+    diff = """diff --git a/src/app.py b/src/app.py
+--- a/src/app.py
++++ b/src/app.py
+@@ -20,4 +20,5 @@
+ line 20
+-old line
++new line
+ line 22
++another new line
+"""
+    files = parse_diff(diff)
+    assert len(files) == 1
+    assert files[0].added_lines == {21, 23}
+    assert files[0].removed_lines == {21}

tests/test_github_client.py

@@ -0,0 +1,173 @@
+"""Tests for github_client.py."""
+from types import SimpleNamespace
+from unittest.mock import Mock, patch
+
+from src.github_client import GitHubClient
+
+
+class FakeHttpxClient:
+    def __init__(self, response=None, error=None):
+        self.response = response
+        self.error = error
+        self.get_calls = []
+        self.post_calls = []
+
+    def __enter__(self):
+        if self.error:
+            raise self.error
+        return self
+
+    def __exit__(self, exc_type, exc, tb):
+        return False
+
+    def get(self, *args, **kwargs):
+        self.get_calls.append((args, kwargs))
+        return self.response
+
+    def post(self, *args, **kwargs):
+        self.post_calls.append((args, kwargs))
+        return self.response
+
+
+def test_client_initializes_headers_and_base_url():
+    client = GitHubClient("token", "https://api.example/")
+    assert client.base_url == "https://api.example"
+    assert client.headers["Authorization"] == "Bearer token"
+    assert client.headers["Accept"] == "application/vnd.github+json"
+
+
+def test_search_code_formats_items_and_query_scope():
+    response = Mock()
+    response.json.return_value = {
+        "items": [
+            {
+                "path": "src/app.py",
+                "repository": {"full_name": "owner/repo"},
+                "html_url": "https://example/blob/src/app.py",
+            }
+        ]
+    }
+    fake = FakeHttpxClient(response=response)
+
+    with patch("src.github_client.httpx.Client", return_value=fake):
+        result = GitHubClient("token", "https://api.example").search_code("def main", "owner/repo")
+
+    assert result == {
+        "items": [
+            {
+                "path": "src/app.py",
+                "repo": "owner/repo",
+                "url": "https://example/blob/src/app.py",
+            }
+        ]
+    }
+    args, kwargs = fake.get_calls[0]
+    assert args[0] == "https://api.example/search/code"
+    assert kwargs["params"] == {"q": "repo:owner/repo def main"}
+    response.raise_for_status.assert_called_once()
+
+
+def test_list_issues_success_and_error():
+    response = Mock()
+    response.json.return_value = [{"number": 1}]
+    fake = FakeHttpxClient(response=response)
+
+    with patch("src.github_client.httpx.Client", return_value=fake):
+        result = GitHubClient("token").list_issues("owner/repo", "closed")
+
+    assert result == [{"number": 1}]
+    assert fake.get_calls[0][1]["params"] == {"state": "closed"}
+
+    response.raise_for_status.side_effect = RuntimeError("401 Unauthorized")
+    with patch("src.github_client.httpx.Client", return_value=FakeHttpxClient(response=response)):
+        error = GitHubClient("token").list_issues("owner/repo")
+    assert error["error"].startswith("List issues failed: 401 Unauthorized")
+
+
+def test_create_issue_posts_payload_and_handles_error():
+    response = Mock()
+    response.json.return_value = {"number": 2}
+    fake = FakeHttpxClient(response=response)
+
+    with patch("src.github_client.httpx.Client", return_value=fake):
+        result = GitHubClient("token").create_issue("owner/repo", "Title", "Body")
+
+    assert result == {"number": 2}
+    assert fake.post_calls[0][1]["json"] == {"title": "Title", "body": "Body"}
+
+    with patch("src.github_client.httpx.Client", return_value=FakeHttpxClient(error=RuntimeError("down"))):
+        error = GitHubClient("token").create_issue("owner/repo", "Title", "Body")
+    assert error == {"error": "Create issue failed: down"}
+
+
+def test_get_pr_diff_uses_diff_accept_header_and_handles_error():
+    response = Mock()
+    response.text = "diff text"
+    fake = FakeHttpxClient(response=response)
+
+    with patch("src.github_client.httpx.Client", return_value=fake):
+        result = GitHubClient("token", "https://api.example").get_pr_diff("owner/repo", 3)
+
+    assert result == {"diff": "diff text"}
+    args, kwargs = fake.get_calls[0]
+    assert args[0] == "https://api.example/repos/owner/repo/pulls/3"
+    assert kwargs["headers"]["Accept"] == "application/vnd.github.v3.diff"
+
+    response.raise_for_status.side_effect = RuntimeError("404")
+    with patch("src.github_client.httpx.Client", return_value=FakeHttpxClient(response=response)):
+        error = GitHubClient("token").get_pr_diff("owner/repo", 3)
+    assert error == {"error": "Get PR diff failed: 404"}
+
+
+def test_create_pr_posts_payload_and_handles_error():
+    response = Mock()
+    response.json.return_value = {"number": 4}
+    fake = FakeHttpxClient(response=response)
+
+    with patch("src.github_client.httpx.Client", return_value=fake):
+        result = GitHubClient("token").create_pr(
+            "owner/repo", "Title", "Body", "feature", "main"
+        )
+
+    assert result == {"number": 4}
+    assert fake.post_calls[0][1]["json"] == {
+        "title": "Title",
+        "body": "Body",
+        "head": "feature",
+        "base": "main",
+    }
+
+    with patch("src.github_client.httpx.Client", return_value=FakeHttpxClient(error=RuntimeError("403"))):
+        error = GitHubClient("token").create_pr("owner/repo", "Title", "Body", "h", "b")
+    assert error == {"error": "Create PR failed: 403"}
+
+
+def test_create_review_comment_payload_variants_and_error():
+    response = Mock()
+    response.json.return_value = {"id": 10}
+    fake = FakeHttpxClient(response=response)
+
+    with patch("src.github_client.httpx.Client", return_value=fake):
+        result = GitHubClient("token").create_review_comment(
+            "owner/repo", 5, "body", commit_id="abc", path="src/app.py", line=7
+        )
+
+    assert result == {"id": 10}
+    assert fake.post_calls[0][1]["json"] == {
+        "body": "body",
+        "commit_id": "abc",
+        "path": "src/app.py",
+        "line": 7,
+    }
+
+    response2 = Mock()
+    response2.json.return_value = {"id": 11}
+    fake2 = FakeHttpxClient(response=response2)
+    with patch("src.github_client.httpx.Client", return_value=fake2):
+        GitHubClient("token").create_review_comment("owner/repo", 5, "body")
+    assert fake2.post_calls[0][1]["json"] == {"body": "body"}
+
+    response2.raise_for_status.side_effect = RuntimeError("validation")
+    with patch("src.github_client.httpx.Client", return_value=FakeHttpxClient(response=response2)):
+        error = GitHubClient("token").create_review_comment("owner/repo", 5, "body")
+    assert error == {"error": "Review comment failed: validation"}

tests/test_main.py

@@ -0,0 +1,48 @@
+"""Tests for main.py."""
+from unittest.mock import patch
+
+import pytest
+
+from src import main as main_module
+
+
+def test_main_runs_mcp_stdio_transport():
+    with patch("src.main.signal.signal") as mock_signal, \
+            patch.object(main_module.mcp, "run") as mock_run:
+        main_module.main()
+
+    mock_signal.assert_called_once()
+    mock_run.assert_called_once_with(transport="stdio")
+
+
+def test_main_exits_cleanly_on_keyboard_interrupt():
+    with patch.object(main_module.mcp, "run", side_effect=KeyboardInterrupt), \
+            patch("src.main.sys.exit") as mock_exit:
+        main_module.main()
+
+    mock_exit.assert_called_once_with(0)
+
+
+def test_main_prints_and_exits_on_startup_error(capsys):
+    with patch.object(main_module.mcp, "run", side_effect=RuntimeError("boom")), \
+            patch("src.main.sys.exit") as mock_exit:
+        main_module.main()
+
+    assert "Error starting MCP server: boom" in capsys.readouterr().err
+    mock_exit.assert_called_once_with(1)
+
+
+def test_sigterm_handler_exits_cleanly():
+    captured = {}
+
+    def capture_handler(_signum, handler):
+        captured["handler"] = handler
+
+    with patch("src.main.signal.signal", side_effect=capture_handler), \
+            patch.object(main_module.mcp, "run"), \
+            patch("src.main.sys.exit", side_effect=SystemExit(0)) as mock_exit:
+        main_module.main()
+        with pytest.raises(SystemExit):
+            captured["handler"](15, None)
+
+    mock_exit.assert_called_once_with(0)

tests/test_policy.py

@@ -0,0 +1,133 @@
+"""Tests for policy.py — allowlist & branch protection."""
+import json
+import os
+import tempfile
+import unittest
+
+from src.policy import PolicyConfig, resolve_dry_run
+
+
+class TestPolicyConfig(unittest.TestCase):
+
+    def _write_policy(self, data: dict) -> str:
+        """Write a temporary policy.json and return its path."""
+        f = tempfile.NamedTemporaryFile(
+            mode="w", suffix=".json", delete=False, encoding="utf-8"
+        )
+        json.dump(data, f)
+        f.close()
+        return f.name
+
+    def test_empty_config_default_allow(self):
+        cfg = PolicyConfig()
+        # not loaded → allows everything
+        self.assertEqual(cfg.check_repo("anything/here").action, "allow")
+        self.assertEqual(cfg.check_branch_for_pr("main").action, "allow")
+
+    def test_load_missing_file_not_required(self):
+        cfg = PolicyConfig().load("/nonexistent/path.json", required=False)
+        # no crash, default allow
+        self.assertEqual(cfg.check_repo("x/y").action, "allow")
+
+    def test_load_missing_file_required_raises(self):
+        with self.assertRaises(FileNotFoundError):
+            PolicyConfig().load("/nonexistent/path.json", required=True)
+
+    def test_repo_allowlist_exact_match(self):
+        path = self._write_policy({"repo_allowlist": ["FMorgan-111/test"]})
+        try:
+            cfg = PolicyConfig().load(path)
+            self.assertEqual(cfg.check_repo("FMorgan-111/test").action, "allow")
+            self.assertEqual(cfg.check_repo("other/repo").action, "deny")
+        finally:
+            os.unlink(path)
+
+    def test_repo_allowlist_wildcard(self):
+        path = self._write_policy({"repo_allowlist": ["FMorgan-111/*"]})
+        try:
+            cfg = PolicyConfig().load(path)
+            self.assertEqual(cfg.check_repo("FMorgan-111/foo").action, "allow")
+            self.assertEqual(cfg.check_repo("FMorgan-111/bar").action, "allow")
+            self.assertEqual(cfg.check_repo("other/repo").action, "deny")
+        finally:
+            os.unlink(path)
+
+    def test_wildcard_match_is_anchored(self):
+        path = self._write_policy({"repo_allowlist": ["org/*-service"]})
+        try:
+            cfg = PolicyConfig().load(path)
+            self.assertEqual(cfg.check_repo("org/api-service").action, "allow")
+            self.assertEqual(cfg.check_repo("prefix/org/api-service").action, "deny")
+            self.assertEqual(cfg.check_repo("org/api-service-extra").action, "deny")
+        finally:
+            os.unlink(path)
+
+    def test_single_string_policy_values_are_wrapped(self):
+        path = self._write_policy({
+            "repo_allowlist": "owner/repo",
+            "protected_branches": {"deny_pr_base": "release/*"},
+        })
+        try:
+            cfg = PolicyConfig().load(path)
+            self.assertEqual(cfg.repo_allowlist, ["owner/repo"])
+            self.assertEqual(cfg.deny_pr_base, ["release/*"])
+            self.assertEqual(cfg.check_branch_for_pr("release/1.0").action, "deny")
+        finally:
+            os.unlink(path)
+
+    def test_invalid_policy_required_raises_and_optional_keeps_defaults(self):
+        f = tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False)
+        f.write("{invalid")
+        f.close()
+        try:
+            with self.assertRaises(RuntimeError):
+                PolicyConfig().load(f.name, required=True)
+            cfg = PolicyConfig().load(f.name, required=False)
+            self.assertEqual(cfg.check_repo("owner/repo").action, "deny")
+        finally:
+            os.unlink(f.name)
+
+    def test_non_list_values_are_wrapped(self):
+        path = self._write_policy({
+            "repo_allowlist": 123,
+            "protected_branches": {"deny_force_push": False},
+        })
+        try:
+            cfg = PolicyConfig().load(path)
+            self.assertEqual(cfg.repo_allowlist, [123])
+            self.assertFalse(cfg.deny_force_push)
+        finally:
+            os.unlink(path)
+
+    def test_allowlist_empty_means_allow_all(self):
+        path = self._write_policy({"repo_allowlist": []})
+        try:
+            cfg = PolicyConfig().load(path)
+            self.assertEqual(cfg.check_repo("anything/goes").action, "allow")
+        finally:
+            os.unlink(path)
+
+    def test_branch_protection_deny_main_master(self):
+        path = self._write_policy({
+            "repo_allowlist": [],
+            "protected_branches": {"deny_pr_base": ["main", "master"]},
+        })
+        try:
+            cfg = PolicyConfig().load(path)
+            self.assertEqual(cfg.check_branch_for_pr("main").action, "deny")
+            self.assertEqual(cfg.check_branch_for_pr("master").action, "deny")
+            self.assertEqual(cfg.check_branch_for_pr("develop").action, "allow")
+        finally:
+            os.unlink(path)
+
+    def test_resolve_dry_run(self):
+        # explicit arg wins
+        self.assertTrue(resolve_dry_run(True, False))
+        self.assertFalse(resolve_dry_run(False, True))
+        # None falls back to env
+        self.assertTrue(resolve_dry_run(None, True))
+        self.assertFalse(resolve_dry_run(None, False))
+
+
+if __name__ == "__main__":
+    unittest.main()