
feat: Add CD001-MCP FinMail Server Tests (CD001, #27) #316

Open
steadhac wants to merge 1 commit into GenAI-Security-Project:main from steadhac:steadhac/feat/finmail-server-tests

@steadhac steadhac commented Mar 25, 2026

Add a comprehensive unit test suite for the FinMail MCP server — the mock email platform
used by agents to send, list, read, search, and mark emails. Tests cover all 5 tools,
inbox access control, vendor session boundaries, message type handling, and email
address validation.
 
Bug-exposing tests document inbox bypass vulnerabilities, vendor cross-access gaps,
missing input validation, and email address format acceptance.
 
Tests follow the established pattern with:

  • Title / Basically question / Steps / Expected Results / Impact
  • Bug-exposing tests included for each confirmed production defect.

📁 Test Files
tests/unit/mcp/test_finmail.py

TestSendEmail

| Test ID | Title |
| --- | --- |
| test_fm_send_001 | Send to vendor email routes to vendor inbox |
| test_fm_send_002 | Send to admin domain routes to admin inbox |
| test_fm_send_003 | Send to internal department routes to admin inbox |
| test_fm_send_004 | Unknown address routes to external dead drop |
| test_fm_send_005 | Vendor session uses vendor email as from_address |
| test_fm_send_006 | ⚠️ Sender name spoofing accepted without validation |
| test_fm_send_007 | ⚠️ Prompt injection payload in body accepted |
| test_fm_send_008 | related_invoice_id=0 treated as null |
| test_fm_send_009 | CC recipients are delivered |
| test_fm_send_010 | ⚠️ Invalid message_type accepted without validation |
 

TestListInbox

| Test ID | Title |
| --- | --- |
| test_fm_list_001 | Admin can list admin inbox |
| test_fm_list_002 | Admin can list vendor inbox |
| test_fm_list_003 | ⚠️ Vendor session cannot list admin inbox |
| test_fm_list_004 | Vendor inbox without vendor_id returns error |
| test_fm_list_005 | ⚠️ Vendor session can access a different vendor's inbox |
| test_fm_list_006 | Limit parameter respected |
| test_fm_list_007 | Unread-only filter works |
 

TestReadEmail

| Test ID | Title |
| --- | --- |
| test_fm_read_001 | Admin can read admin message |
| test_fm_read_002 | Admin can read vendor message |
| test_fm_read_003 | ⚠️ Vendor cannot read admin message |
| test_fm_read_004 | ⚠️ Vendor can read a different vendor's message |
| test_fm_read_005 | Nonexistent message returns error |
| test_fm_read_006 | message_id=0 returns error |
 

TestSearchEmails

| Test ID | Title |
| --- | --- |
| test_fm_srch_001 | Search admin inbox by subject |
| test_fm_srch_002 | Search vendor inbox |
| test_fm_srch_003 | ⚠️ Vendor session cannot search admin inbox |
| test_fm_srch_004 | Empty query matches all messages |
| test_fm_srch_005 | Prompt injection payload surfaces in search results |
| test_fm_srch_006 | Vendor inbox search without vendor_id returns error |
 

TestMarkAsRead

| Test ID | Title |
| --- | --- |
| test_fm_mark_001 | Admin can mark admin message as read |
| test_fm_mark_002 | ⚠️ Vendor cannot mark admin message as read |
| test_fm_mark_003 | Nonexistent message returns error |
| test_fm_mark_004 | message_id=0 returns error |
| test_fm_mark_005 | ⚠️ Vendor can mark a different vendor's message as read |
 

TestFinMailServerConfig

| Test ID | Title |
| --- | --- |
| test_fm_cfg_001 | Default config has expected keys |
| test_fm_cfg_002 | Custom config overrides max_results |
| test_fm_cfg_003 | Custom default_sender used in emails |
 

TestFinMailToolDiscovery

| Test ID | Title |
| --- | --- |
| test_fm_tools_001 | Server exposes expected 5 tools |
| test_fm_tools_002 | Tool parameter schemas are present |
 

TestIntFieldEdgeCases

| Test ID | Title |
| --- | --- |
| test_fm_int_001 | Negative message_id returns error |
| test_fm_int_002 | ⚠️ list_inbox limit=0 accepted without validation |
| test_fm_int_003 | ⚠️ list_inbox negative limit accepted without validation |
| test_fm_int_004 | ⚠️ search negative limit accepted without validation |
| test_fm_int_005 | Negative vendor_id returns error |
 

TestStrFieldEdgeCases

| Test ID | Title |
| --- | --- |
| test_fm_str_001 | ⚠️ Empty subject accepted without validation |
| test_fm_str_002 | ⚠️ Empty body accepted without validation |
| test_fm_str_003 | Very long subject accepted |
| test_fm_str_004 | HTML injection in body accepted |
| test_fm_str_005 | SQL injection in subject handled safely |
| test_fm_str_006 | ⚠️ Whitespace-only subject accepted without validation |
| test_fm_str_007 | Unicode subject and body stored correctly |
 

TestInboxValidationBypass

| Test ID | Title |
| --- | --- |
| test_fm_bypass_001 | ⚠️ Vendor session bypasses admin check via unrecognised inbox type |
| test_fm_bypass_002 | ⚠️ Vendor session retrieves admin emails via garbage inbox type |
| test_fm_bypass_003 | ⚠️ Vendor session bypasses admin check via inbox type case mismatch |
| test_fm_bypass_004 | ⚠️ send_email with empty to list returns sent=True |
 

TestEmailAddressValidation

| Test ID | Title |
| --- | --- |
| test_fm_addr_001 | ⚠️ Extra-long email address accepted without validation |
| test_fm_addr_002 | ⚠️ Email address without @ symbol accepted |
| test_fm_addr_003 | ⚠️ Large recipient list accepted without cap |
| test_fm_addr_004 | ⚠️ Very long body accepted without size limit |
| test_fm_addr_005 | ⚠️ Very long sender name accepted without validation |
 

@steadhac steadhac force-pushed the steadhac/feat/finmail-server-tests branch from 8128bf4 to adfa19d Compare May 27, 2026 22:21
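
The inbox-access cases listed in the PR description (unrecognised inbox type, case mismatch, cross-vendor access) come down to whether the authorization check denies by default. The sketch below is an added example, not code from this PR or from the FinMail server: `naive_can_access`, `strict_can_access`, the session fields and the sample cases are hypothetical and constructed for illustration.

```python
ALLOWED_INBOXES = {"admin", "vendor"}  # assumed inbox types (hypothetical)


def _valid_id(v):
    # bool is a subclass of int, so exclude it explicitly
    return isinstance(v, int) and not isinstance(v, bool) and v > 0


def naive_can_access(session_type, session_vendor_id, inbox, vendor_id):
    """Guards only the exact string "admin"; everything else falls through."""
    if inbox == "admin":
        return session_type == "admin"
    if inbox == "vendor":
        return _valid_id(vendor_id)  # never compared with the session's vendor
    return True  # "ADMIN", "garbage", ... are treated as allowed


def strict_can_access(session_type, session_vendor_id, inbox, vendor_id):
    """Allow-list check: anything not explicitly permitted is refused."""
    if not isinstance(inbox, str) or inbox not in ALLOWED_INBOXES:
        return False  # unrecognised or differently cased inbox type
    if session_type == "admin":
        return inbox == "admin" or _valid_id(vendor_id)
    if session_type == "vendor":
        return inbox == "vendor" and _valid_id(vendor_id) and vendor_id == session_vendor_id
    return False  # unknown session type


# Constructed cases: (label, session_type, session_vendor_id, inbox, vendor_id, allow)
CASES = [
    ("admin lists admin inbox", "admin", None, "admin", None, True),
    ("admin lists vendor inbox", "admin", None, "vendor", 7, True),
    ("vendor inbox without vendor_id", "admin", None, "vendor", None, False),
    ("vendor lists admin inbox", "vendor", 7, "admin", None, False),
    ("vendor lists own inbox", "vendor", 7, "vendor", 7, True),
    ("vendor lists another vendor's inbox", "vendor", 7, "vendor", 8, False),
    ("unrecognised inbox type", "vendor", 7, "garbage", None, False),
    ("inbox type case mismatch", "vendor", 7, "ADMIN", None, False),
    ("negative vendor_id", "admin", None, "vendor", -1, False),
]


def failures(check):
    """Labels of the cases where `check` disagrees with the expected decision."""
    return [c[0] for c in CASES if check(*c[1:5]) != c[5]]


if __name__ == "__main__":
    print("naive:", failures(naive_can_access), "strict:", failures(strict_can_access))
```

The strict version rejects a differently cased inbox type instead of normalising it, so every accepted value is one the rest of the code has an explicit branch for.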