Skip to content

fix(cli,mcp): harden MCP probe and call params#85

Merged
linfangw merged 1 commit into
QVerisAI:mainfrom
sheep-cloud12138:codex/fix-cli-mcp-validation-contracts
May 31, 2026
Merged

fix(cli,mcp): harden MCP probe and call params#85
linfangw merged 1 commit into
QVerisAI:mainfrom
sheep-cloud12138:codex/fix-cli-mcp-validation-contracts

Conversation

@sheep-cloud12138
Copy link
Copy Markdown
Collaborator

@sheep-cloud12138 sheep-cloud12138 commented May 30, 2026

Summary

  • avoid Node 24 DEP0190 warnings during CLI MCP live probes on Windows
  • keep MCP call params aligned with the published object schema
  • reject string, null, and array params_to_tool inputs with tests

Tests

  • packages/cli: npm test
  • packages/mcp: npm test
  • packages/mcp: npm run typecheck
  • packages/mcp: npm run build

Copilot AI review requested due to automatic review settings May 30, 2026 09:22
Copilot AI reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens MCP handling by aligning params_to_tool with the published object schema and adjusting CLI MCP live probes on Windows to avoid Node 24 shell/args deprecation warnings.

Changes:

  • Reject non-object MCP params_to_tool values instead of parsing legacy JSON strings.
  • Add public interface and unit coverage for invalid MCP call params.
  • Change CLI probe spawning to use shell: false and wrap Windows command shims through cmd.exe.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
packages/mcp/src/tools/execute.ts Enforces object-only params_to_tool before calling the API client.
packages/mcp/src/tools/execute.test.ts Updates execute-tool tests for object params and rejection of non-object values.
packages/mcp/src/index.ts Allows invalid non-undefined params to reach schema-aligned validation.
packages/mcp/src/index.test.ts Adds integration coverage for rejecting string call params.
packages/cli/src/commands/mcp.mjs Changes MCP live probe spawn behavior and adds Windows command wrapping.
packages/cli/test/mcp.test.mjs Updates spawn option expectations and adds Windows command wrapping tests.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread packages/cli/src/commands/mcp.mjs Outdated
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors MCP command spawning on Windows by disabling shell execution and manually wrapping command shims through cmd.exe. It also updates the MCP tool execution to require params_to_tool to be a JSON object directly, removing legacy JSON string parsing. Feedback was provided warning that manually spawning cmd.exe with shell: false on Windows is highly prone to quote-stripping issues and execution failures, suggesting instead to use shell: true for command shims or to pass the /s switch.

Comment thread packages/cli/src/commands/mcp.mjs
@sheep-cloud12138 sheep-cloud12138 force-pushed the codex/fix-cli-mcp-validation-contracts branch from 9597b0f to bbf1246 Compare May 30, 2026 09:46
ax2
ax2 approved these changes May 30, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@ax2 ax2 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved: Gemini code review passed with no high-priority or security issues.

@linfangw linfangw merged commit 254ae30 into QVerisAI:main May 31, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@ax2 ax2 ax2 approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sheep-cloud12138 @ax2 @linfangw