Test_GetCommit_IFC_FeatureFlag verifies that the IFC security label is only attached to get_commit results when the ifc_labels feature flag is enabled, and that the label content matches the commit-contents rule (untrusted on public repos, trusted on private). It also confirms the label is omitted w
(t *testing.T)
| 630 | // misclassified. get_commit is representative of every tool wired through the |
| 631 | // shared attachRepoVisibilityIFCLabel helper. |
| 632 | func Test_GetCommit_IFC_FeatureFlag(t *testing.T) { |
| 633 | t.Parallel() |
| 634 | |
| 635 | serverTool := GetCommit(translations.NullTranslationHelper) |
| 636 | |
| 637 | mockCommit := &github.RepositoryCommit{ |
| 638 | SHA: github.Ptr("abc123def456"), |
| 639 | Commit: &github.Commit{Message: github.Ptr("First commit")}, |
| 640 | HTMLURL: github.Ptr("https://github.com/owner/repo/commit/abc123def456"), |
| 641 | } |
| 642 | |
| 643 | makeMockClient := func(isPrivate bool) *http.Client { |
| 644 | return MockHTTPClientWithHandlers(map[string]http.HandlerFunc{ |
| 645 | GetReposCommitsByOwnerByRepoByRef: mockResponse(t, http.StatusOK, mockCommit), |
| 646 | GetReposByOwnerByRepo: mockResponse(t, http.StatusOK, map[string]any{ |
| 647 | "name": "repo", |
| 648 | "private": isPrivate, |
| 649 | }), |
| 650 | }) |
| 651 | } |
| 652 | |
| 653 | reqParams := map[string]any{ |
| 654 | "owner": "owner", |
| 655 | "repo": "repo", |
| 656 | "sha": "abc123def456", |
| 657 | } |
| 658 | |
| 659 | t.Run("feature flag disabled omits ifc label from result meta", func(t *testing.T) { |
| 660 | deps := BaseDeps{ |
| 661 | Client: mustNewGHClient(t, makeMockClient(false)), |
| 662 | } |
| 663 | handler := serverTool.Handler(deps) |
| 664 | |
| 665 | request := createMCPRequest(reqParams) |
| 666 | result, err := handler(ContextWithDeps(context.Background(), deps), &request) |
| 667 | require.NoError(t, err) |
| 668 | require.False(t, result.IsError) |
| 669 | |
| 670 | assert.Nil(t, result.Meta, "result meta should be nil when IFC labels are disabled") |
| 671 | }) |
| 672 | |
| 673 | t.Run("feature flag enabled on public repo emits public untrusted label", func(t *testing.T) { |
| 674 | deps := BaseDeps{ |
| 675 | Client: mustNewGHClient(t, makeMockClient(false)), |
| 676 | featureChecker: featureCheckerFor(FeatureFlagIFCLabels), |
| 677 | } |
| 678 | handler := serverTool.Handler(deps) |
| 679 | |
| 680 | request := createMCPRequest(reqParams) |
| 681 | result, err := handler(ContextWithDeps(context.Background(), deps), &request) |
| 682 | require.NoError(t, err) |
| 683 | require.False(t, result.IsError) |
| 684 | |
| 685 | require.NotNil(t, result.Meta) |
| 686 | ifcLabel, ok := result.Meta["ifc"] |
| 687 | require.True(t, ok, "result meta should contain ifc key") |
| 688 | |
| 689 | ifcJSON, err := json.Marshal(ifcLabel) |
nothing calls this directly
no test coverage detected