Codebase quality, security & performance improvements (#52)

* Add plan 2: codebase quality, security & performance improvements

Comprehensive plan covering URL encoding, WIQL escaping, JSON Pointer
escaping, CSV formula injection mitigation, error handling improvements,
input validation, performance optimizations, Docker security, CI/CD
enhancements, and expanded test coverage.

* Implement US1-US5: security, quality, performance, infrastructure

US1: URL-encode all user-controlled path segments in Azure API client
and modules; escape WIQL project/date fields; add RFC 6901 JSON Pointer
escaping for patch paths.

US2: Add CSV formula injection mitigation via sanitize_csv_value helper
that prefixes dangerous characters (=, +, -, @) with a single quote.

US3: Remove duplicate board types from models.rs; replace all unwrap()
on serialization in 11 MCP tool files with map_err; add non-empty
string validation to team_id, board_id, work_item_type, title, link_type.

US4: Parallelize comment fetching with bounded concurrency (10); add
recursion depth limits (64) to JSON processing; add HTTP connection
limits (256) and timeouts (60s) with semaphore; use HashSet for board
work item type deduplication.

US5: Add non-root user to Docker runtime; add clippy and cargo-audit
to CI; add Linux aarch64 to CD release with cleanup steps.

* Implement US6-US8: comprehensive test coverage

US6: Add 9 new compact_llm unit tests covering empty structures, Unicode,
control characters, deeply nested objects, max depth truncation, long
strings, empty string values, and mixed arrays.

US7: Add 24 new error-propagation tests and ~25 content-verification
tests across all 8 integration test files, covering every MCP tool's
error paths and output structure.

US8: Add HTTP server integration tests (connection acceptance, invalid
method rejection) and 4 CLI argument parsing unit tests.

* Apply cargo fmt formatting

* Fix HTTP server test and add test-support constructor

Add new_with_api constructor to AzureMcpServer (behind test-support
feature flag) to enable HTTP server integration tests with MockAzureDevOpsApi.
Fix Accept header in HTTP test and work item Type assertion.

* Mark US9 final verification complete in plan

All T9.1 verification checkboxes confirmed and marked complete.
make all passes with zero warnings, all 134 tests green.

* Update Cargo.lock for futures dependency

* Fix rustfmt formatting for Rust 1.94.0

Reformat build.rs and test_tools_work_items.rs to match the latest
stable rustfmt (1.94.0) line-length rules for push_str and assert!.

* Remove dead code, fix SSE timeout, and correct GET test

- Remove unused `BoardDetail::get_work_item_types()` and `HashSet` import
- Remove 60s connection timeout that would kill SSE streams; MCP
  Streamable HTTP uses GET for long-lived SSE connections
- Fix invalid-method test to use PUT instead of GET (GET is valid for SSE)
- Add `test_http_server_accepts_get_for_sse` verifying GET is accepted

Author: danielealbano

.github/workflows/cd-tag-build-and-release.yml

@@ -75,14 +75,24 @@ jobs:
       - name: List downloaded files (debug)
         run: ls -R dist
 
+      - name: Prepare Linux tar.gz
+        run: |
+          set -eux
+          TAG="${GITHUB_REF_NAME}"
+          LINUX_DIR="dist/mcp-for-azure-devops-boards-ubuntu-24.04-aarch64"
+          cp "${LINUX_DIR}/mcp-for-azure-devops-boards-ubuntu-24.04-aarch64" mcp-for-azure-devops-boards
+          tar czf "mcp-for-azure-devops-boards-${TAG}-linux-aarch64.tar.gz" mcp-for-azure-devops-boards
+          rm mcp-for-azure-devops-boards
+          ls -l "mcp-for-azure-devops-boards-${TAG}-linux-aarch64.tar.gz"
+
       - name: Prepare macOS tar.gz
         run: |
           set -eux
           TAG="${GITHUB_REF_NAME}"
-          # artifact directory is dist/<artifact-name>/...
           MAC_DIR="dist/mcp-for-azure-devops-boards-macos-aarch64"
           cp "${MAC_DIR}/mcp-for-azure-devops-boards-macos-aarch64" mcp-for-azure-devops-boards
           tar czf "mcp-for-azure-devops-boards-${TAG}-macos-aarch64.tar.gz" mcp-for-azure-devops-boards
+          rm mcp-for-azure-devops-boards
           ls -l "mcp-for-azure-devops-boards-${TAG}-macos-aarch64.tar.gz"
 
       - name: Prepare Windows zip
@@ -105,6 +115,7 @@ jobs:
           name: ${{ github.ref_name }}
           generate_release_notes: true
           files: |
+            mcp-for-azure-devops-boards-${{ github.ref_name }}-linux-aarch64.tar.gz
             mcp-for-azure-devops-boards-${{ github.ref_name }}-macos-aarch64.tar.gz
             mcp-for-azure-devops-boards-${{ github.ref_name }}-windows-x86_64.zip
         env:

.github/workflows/ci-pr-build-and-test.yml

@@ -34,13 +34,34 @@ jobs:
 
       - name: Setup Rust
         uses: actions-rust-lang/setup-rust-toolchain@v1
+        with:
+          components: clippy
 
       - name: Build
         run: cargo build --release --locked
 
+      - name: Clippy
+        run: cargo clippy --features test-support --locked -- -D warnings
+
       - name: Test
         run: cargo test --release --locked --all-features
 
+  security-audit:
+    name: Security Audit
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+
+      - name: Setup Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit --locked
+
+      - name: Security audit
+        run: cargo audit
+
   formatting:
     name: cargo fmt
     runs-on: ubuntu-latest

Cargo.lock

@@ -40,6 +40,7 @@ csv = "1.4"
 regex = "1.11"
 once_cell = "1.20"
 urlencoding = "2.1"
+futures = "0.3"
 
 [dev-dependencies]
 

Cargo.toml

@@ -33,8 +33,12 @@ LABEL maintainer="Daniele Salvatore Albano <d.albano@gmail.com>"
 
 RUN apk update && apk add --no-cache ca-certificates tzdata
 
+RUN adduser -D -g '' appuser
+
 WORKDIR /app
 
 COPY --from=builder /app/target/release/mcp-for-azure-devops-boards /usr/local/bin/mcp-for-azure-devops-boards
 
+USER appuser
+
 ENTRYPOINT ["mcp-for-azure-devops-boards"]

Dockerfile

@@ -171,6 +171,15 @@ fn generate_tool_router_code(tools: &[ToolInfo]) -> String {
     code.push_str("            tool_router: Self::tool_router(),\n");
     code.push_str("        }\n");
     code.push_str("    }\n\n");
+    code.push_str("    #[cfg(feature = \"test-support\")]\n");
+    code.push_str(
+        "    pub fn new_with_api(client: impl AzureDevOpsApi + Send + Sync + 'static) -> Self {\n",
+    );
+    code.push_str("        Self {\n");
+    code.push_str("            client: Arc::new(client),\n");
+    code.push_str("            tool_router: Self::tool_router(),\n");
+    code.push_str("        }\n");
+    code.push_str("    }\n\n");
 
     for tool in tools {
         code.push_str(&format!(