Skip to content

Codebase quality, security & performance improvements#52

Merged
danielealbano merged 9 commits intomainfrom
feat/codebase-quality-security-perf-improvements
Mar 11, 2026
Merged

Codebase quality, security & performance improvements#52
danielealbano merged 9 commits intomainfrom
feat/codebase-quality-security-perf-improvements

Conversation

@danielealbano
Copy link
Owner

@danielealbano danielealbano commented Mar 11, 2026

Summary

Comprehensive codebase improvements covering security hardening, code quality, performance optimizations, infrastructure enhancements, and expanded test coverage. Implements plan docs/plans/2_codebase_quality_security_perf_20260311224036.md.

Security (US1-US2)

  • URL-encode all user-controlled path/query parameters in Azure DevOps API calls to prevent injection
  • Escape single quotes in WIQL query construction (project + 6 date fields) to prevent WIQL injection
  • Apply RFC 6901 JSON Pointer escaping to all JSON Patch path fields in work item create/update
  • Add CSV formula injection mitigation (=, +, -, @ prefix sanitization) to both CSV output utilities

Code Quality (US3)

  • Remove duplicate board types from models.rs (already defined in boards.rs)
  • Replace all .unwrap() on serialization calls in 11 MCP tool files with proper McpError propagation
  • Add deserialize_non_empty_string validation to 9 additional Args struct fields

Performance (US4)

  • Parallelize comment fetching in get_work_items with bounded concurrency (10 concurrent requests)
  • Add recursion depth limits (64) to compact_llm serializer and simplify_work_item_json to prevent stack overflow
  • Add HTTP server connection limits (256 via semaphore) and per-connection timeout (60s)
  • Use HashSet for O(1) work item type deduplication in BoardDetail::get_work_item_types

Infrastructure (US5)

  • Run Docker container as non-root user (appuser)
  • Add cargo clippy with -D warnings to CI pipeline
  • Add cargo audit security scanning job to CI pipeline
  • Add Linux aarch64 binary to CD release workflow

Test Coverage (US6-US8)

  • 9 new compact_llm edge case tests (empty structures, unicode, control chars, deep nesting, max depth)
  • 25 error-propagation integration tests covering all MCP tools
  • 27 content-verification integration tests checking actual CSV/JSON output
  • 2 HTTP server integration tests (connection acceptance, invalid method rejection)
  • 4 CLI argument parsing unit tests

Test Plan

  • make fmt — no formatting issues
  • make lint (cargo clippy --features test-support -- -D warnings) — zero warnings
  • make test (cargo test --features test-support) — all 134 tests pass
  • make build (cargo build) — zero warnings
  • Code review in plan compliance mode — zero CRITICAL/WARNING findings
  • Every checkbox in plan document verified and checked

@danielealbano
Add plan 2: codebase quality, security & performance improvements
54aa4e4 
Comprehensive plan covering URL encoding, WIQL escaping, JSON Pointer
escaping, CSV formula injection mitigation, error handling improvements,
input validation, performance optimizations, Docker security, CI/CD
enhancements, and expanded test coverage.
@danielealbano
Implement US1-US5: security, quality, performance, infrastructure
a5e254c 
US1: URL-encode all user-controlled path segments in Azure API client
and modules; escape WIQL project/date fields; add RFC 6901 JSON Pointer
escaping for patch paths.

US2: Add CSV formula injection mitigation via sanitize_csv_value helper
that prefixes dangerous characters (=, +, -, @) with a single quote.

US3: Remove duplicate board types from models.rs; replace all unwrap()
on serialization in 11 MCP tool files with map_err; add non-empty
string validation to team_id, board_id, work_item_type, title, link_type.

US4: Parallelize comment fetching with bounded concurrency (10); add
recursion depth limits (64) to JSON processing; add HTTP connection
limits (256) and timeouts (60s) with semaphore; use HashSet for board
work item type deduplication.

US5: Add non-root user to Docker runtime; add clippy and cargo-audit
to CI; add Linux aarch64 to CD release with cleanup steps.
@danielealbano
Implement US6-US8: comprehensive test coverage
72e4f55 
US6: Add 9 new compact_llm unit tests covering empty structures, Unicode,
control characters, deeply nested objects, max depth truncation, long
strings, empty string values, and mixed arrays.

US7: Add 24 new error-propagation tests and ~25 content-verification
tests across all 8 integration test files, covering every MCP tool's
error paths and output structure.

US8: Add HTTP server integration tests (connection acceptance, invalid
method rejection) and 4 CLI argument parsing unit tests.
@danielealbano
Apply cargo fmt formatting
c7c70b4
@danielealbano
Fix HTTP server test and add test-support constructor
31d6a20 
Add new_with_api constructor to AzureMcpServer (behind test-support
feature flag) to enable HTTP server integration tests with MockAzureDevOpsApi.
Fix Accept header in HTTP test and work item Type assertion.
@danielealbano
Mark US9 final verification complete in plan
77bab64 
All T9.1 verification checkboxes confirmed and marked complete.
make all passes with zero warnings, all 134 tests green.
@danielealbano
Update Cargo.lock for futures dependency
bfba0a9
@danielealbano
Fix rustfmt formatting for Rust 1.94.0
dff2f68 
Reformat build.rs and test_tools_work_items.rs to match the latest
stable rustfmt (1.94.0) line-length rules for push_str and assert!.
@danielealbano danielealbano enabled auto-merge (squash) March 11, 2026 23:24
@danielealbano danielealbano disabled auto-merge March 11, 2026 23:24
@danielealbano
Remove dead code, fix SSE timeout, and correct GET test
51a17fa 
- Remove unused `BoardDetail::get_work_item_types()` and `HashSet` import
- Remove 60s connection timeout that would kill SSE streams; MCP
  Streamable HTTP uses GET for long-lived SSE connections
- Fix invalid-method test to use PUT instead of GET (GET is valid for SSE)
- Add `test_http_server_accepts_get_for_sse` verifying GET is accepted
@danielealbano danielealbano enabled auto-merge (squash) March 11, 2026 23:43
@danielealbano danielealbano merged commit 0eabf30 into main Mar 11, 2026
8 checks passed
@danielealbano danielealbano deleted the feat/codebase-quality-security-perf-improvements branch March 11, 2026 23:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@danielealbano