feat: Add CD001-MCP Factory and Provider Coverage Tests (CD001, #27) #315

Open. steadhac wants to merge 1 commit into GenAI-Security-Project:main from steadhac:steadhac/feat/mcp-factory-provider-coverage-tests


steadhac (Contributor) commented Mar 25, 2026

PR #315 — MCP Factory and Provider Coverage

Add full unit test coverage for the MCP server factory (import_factory,
_apply_tool_overrides, create_mcp_server) and the MCPToolProvider class (init, connect,
disconnect, get_tool_definitions, get_callables, call_tool, log_activity) plus
_safe_serialize edge cases.
 
Tests cover the CTF supply chain attack surface (_apply_tool_overrides) and all
_safe_serialize type branches (list, tuple, fallback).
 
Tests follow the established pattern with:

  • Title / Basically question / Steps / Expected Results

📁 Test Files
tests/unit/mcp/test_mcp_factory_provider.py

TestImportFactory

Test ID Title
test_fact_imp_001 import_factory imports a known factory function
test_fact_imp_002 import_factory raises on invalid module path
test_fact_imp_003 import_factory raises on missing attribute
 

TestApplyToolOverrides

Test ID Title
test_fact_ovr_001 No overrides returns immediately without modification
test_fact_ovr_002 No provider returns immediately
test_fact_ovr_003 Applies description override to matching tool
test_fact_ovr_004 Missing tool name does not crash
test_fact_ovr_005 Override without description key is skipped
 

TestCreateMCPServer

Test ID Title
test_fact_srv_001 Unknown server type returns None
test_fact_srv_002 Disabled server returns None
test_fact_srv_003 No DB config creates server with defaults
test_fact_srv_004 Enabled server with no overrides creates server
test_fact_srv_005 Tool overrides applied when present in DB config
test_fact_srv_006 All known server types create successfully
 

TestMCPToolProviderInit

Test ID Title
test_prov_init_001 Initial state has empty tools and no server
test_prov_init_002 agent_name defaults to "unknown" when not provided
 

TestMCPToolProviderConnect

Test ID Title
test_prov_con_001 connect discovers and registers tools
test_prov_con_002 connect failure does not crash
 

TestMCPToolProviderDisconnect

Test ID Title
test_prov_dis_001 disconnect clears tools and server state
test_prov_dis_002 disconnect error does not crash
 

TestMCPToolProviderDefinitions

Test ID Title
test_prov_def_001 get_tool_definitions returns OpenAI-format dicts
test_prov_def_002 get_callables returns one callable per registered tool
 

TestMCPToolProviderCallTool

Test ID Title
test_prov_call_001 Successful tool call returns output
test_prov_call_002 Tool call failure returns error dict
test_prov_call_003 Call on disconnected server returns error
 

TestMCPToolProviderActivityLog

Test ID Title
test_prov_log_001 DB failure in log_activity does not crash
 

TestSafeSerialize

Test ID Title
test_prov_ser_001 List is serialized recursively
test_prov_ser_002 Tuple is serialized as list
test_prov_ser_003 Unknown type falls back to str()

PR #316 — FinMail Server Tests

Add a comprehensive unit test suite for the FinMail MCP server — the mock email platform
used by agents to send, list, read, search, and mark emails. Tests cover all 5 tools,
inbox access control, vendor session boundaries, message type handling, and email
address validation.
 
Bug-exposing tests document inbox bypass vulnerabilities, vendor cross-access gaps,
missing input validation, and email address format acceptance.
 
Tests follow the established pattern with:

  • Title / Basically question / Steps / Expected Results / Impact
  • Bug-exposing tests included for each confirmed production defect.

📁 Test Files
tests/unit/mcp/test_finmail.py

TestSendEmail

Test ID Title
test_fm_send_001 Send to vendor email routes to vendor inbox
test_fm_send_002 Send to admin domain routes to admin inbox
test_fm_send_003 Send to internal department routes to admin inbox
test_fm_send_004 Unknown address routes to external dead drop
test_fm_send_005 Vendor session uses vendor email as from_address
test_fm_send_006 ⚠️ Sender name spoofing accepted without validation
test_fm_send_007 ⚠️ Prompt injection payload in body accepted
test_fm_send_008 related_invoice_id=0 treated as null
test_fm_send_009 CC recipients are delivered
test_fm_send_010 ⚠️ Invalid message_type accepted without validation
 

TestListInbox

Test ID Title
test_fm_list_001 Admin can list admin inbox
test_fm_list_002 Admin can list vendor inbox
test_fm_list_003 ⚠️ Vendor session cannot list admin inbox
test_fm_list_004 Vendor inbox without vendor_id returns error
test_fm_list_005 ⚠️ Vendor session can access a different vendor's inbox
test_fm_list_006 Limit parameter respected
test_fm_list_007 Unread-only filter works
 

TestReadEmail

Test ID Title
test_fm_read_001 Admin can read admin message
test_fm_read_002 Admin can read vendor message
test_fm_read_003 ⚠️ Vendor cannot read admin message
test_fm_read_004 ⚠️ Vendor can read a different vendor's message
test_fm_read_005 Nonexistent message returns error
test_fm_read_006 message_id=0 returns error
 

TestSearchEmails

Test ID Title
test_fm_srch_001 Search admin inbox by subject
test_fm_srch_002 Search vendor inbox
test_fm_srch_003 ⚠️ Vendor session cannot search admin inbox
test_fm_srch_004 Empty query matches all messages
test_fm_srch_005 Prompt injection payload surfaces in search results
test_fm_srch_006 Vendor inbox search without vendor_id returns error
 

TestMarkAsRead

Test ID Title
test_fm_mark_001 Admin can mark admin message as read
test_fm_mark_002 ⚠️ Vendor cannot mark admin message as read
test_fm_mark_003 Nonexistent message returns error
test_fm_mark_004 message_id=0 returns error
test_fm_mark_005 ⚠️ Vendor can mark a different vendor's message as read
 

TestFinMailServerConfig

Test ID Title
test_fm_cfg_001 Default config has expected keys
test_fm_cfg_002 Custom config overrides max_results
test_fm_cfg_003 Custom default_sender used in emails
 

TestFinMailToolDiscovery

Test ID Title
test_fm_tools_001 Server exposes expected 5 tools
test_fm_tools_002 Tool parameter schemas are present
 

TestIntFieldEdgeCases

Test ID Title
test_fm_int_001 Negative message_id returns error
test_fm_int_002 ⚠️ list_inbox limit=0 accepted without validation
test_fm_int_003 ⚠️ list_inbox negative limit accepted without validation
test_fm_int_004 ⚠️ search negative limit accepted without validation
test_fm_int_005 Negative vendor_id returns error
 

TestStrFieldEdgeCases

Test ID Title
test_fm_str_001 ⚠️ Empty subject accepted without validation
test_fm_str_002 ⚠️ Empty body accepted without validation
test_fm_str_003 Very long subject accepted
test_fm_str_004 HTML injection in body accepted
test_fm_str_005 SQL injection in subject handled safely
test_fm_str_006 ⚠️ Whitespace-only subject accepted without validation
test_fm_str_007 Unicode subject and body stored correctly
 

TestInboxValidationBypass

Test ID Title
test_fm_bypass_001 ⚠️ Vendor session bypasses admin check via unrecognised inbox type
test_fm_bypass_002 ⚠️ Vendor session retrieves admin emails via garbage inbox type
test_fm_bypass_003 ⚠️ Vendor session bypasses admin check via inbox type case mismatch
test_fm_bypass_004 ⚠️ send_email with empty to list returns sent=True
 

TestEmailAddressValidation

Test ID Title
test_fm_addr_001 ⚠️ Extra-long email address accepted without validation
test_fm_addr_002 ⚠️ Email address without @ symbol accepted
test_fm_addr_003 ⚠️ Large recipient list accepted without cap
test_fm_addr_004 ⚠️ Very long body accepted without size limit
test_fm_addr_005 ⚠️ Very long sender name accepted without validation
 
Related Bug Tickets
Bug_135, Bug_136, Bug_137, Bug_138, Bug_139
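
The inbox-type bypasses named in TestInboxValidationBypass and the cross-vendor cases in TestListInbox, modelled as an added example that is not code from this PR or from the FinMail server. `Session`, `weak_resolve`, `strict_resolve` and `audit` are hypothetical names, and the weak resolver is a constructed stand-in for a check that guards only the exact string "admin".

```python
from dataclasses import dataclass
from typing import Optional

ADMIN, VENDOR = "admin", "vendor"

@dataclass(frozen=True)
class Session:
    role: str                        # constructed model, not FinMail's own type
    vendor_id: Optional[int] = None

def weak_resolve(session, inbox, vendor_id=None):
    """Hypothetical weak check: guards only the exact string "admin"."""
    if inbox == ADMIN and session.role != ADMIN:
        raise PermissionError("admin inbox requires an admin session")
    if inbox == VENDOR:
        if vendor_id is None:
            raise ValueError("vendor_id required")
        return (VENDOR, vendor_id)   # no ownership check
    return (ADMIN, None)             # any other string falls through to admin mail

def strict_resolve(session, inbox, vendor_id=None):
    """Allow-list check: exact match, unknown types rejected, ownership enforced."""
    if inbox not in (ADMIN, VENDOR):
        raise ValueError(f"unknown inbox type: {inbox!r}")
    if inbox == ADMIN:
        if session.role != ADMIN:
            raise PermissionError("admin inbox requires an admin session")
        return (ADMIN, None)
    if not isinstance(vendor_id, int) or vendor_id <= 0:
        raise ValueError("positive vendor_id required")
    if session.role != ADMIN and session.vendor_id != vendor_id:
        raise PermissionError("vendor sessions may only open their own inbox")
    return (VENDOR, vendor_id)

def audit(resolver):
    """Return the constructed cases in which vendor 7 reaches someone else's mail."""
    vendor = Session(VENDOR, vendor_id=7)
    cases = {"unrecognised type": ("garbage", None),
             "case mismatch": ("Admin", None),
             "other vendor": (VENDOR, 8)}
    leaked = []
    for label, (inbox, vid) in cases.items():
        try:
            target = resolver(vendor, inbox, vid)
        except (PermissionError, ValueError):
            continue                 # request refused, nothing exposed
        if target != (VENDOR, vendor.vendor_id):
            leaked.append(label)
    return leaked
```

`audit(weak_resolve)` reports all three cases as exposed, while `audit(strict_resolve)` reports none because unknown or differently cased inbox types are rejected before any role check runs.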

steadhac changed the title from "feat: Add MCP Factory and Provider Coverage Tests (CD001, #27)" to "feat: Add CD001-MCP Factory and Provider Coverage Tests (CD001, #27)" on Mar 25, 2026
saikishu force-pushed the main branch 2 times, most recently from 198dd9f to ce17661 on March 25, 2026 02:14
steadhac force-pushed the steadhac/feat/mcp-factory-provider-coverage-tests branch from 5989657 to 4c2251a on March 25, 2026 03:09
steadhac force-pushed the steadhac/feat/mcp-factory-provider-coverage-tests branch from 4c2251a to 12bba0e on May 27, 2026 22:20