fix: validate required MCP tool parameters (content, query, new_content)#222
Open
loveRhythm1990 wants to merge 2 commits into
Open
fix: validate required MCP tool parameters (content, query, new_content)#222loveRhythm1990 wants to merge 2 commits into
loveRhythm1990 wants to merge 2 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR tightens server-side validation for MCP tool calls so that required string arguments (content, query, new_content) cannot be missing, empty, or whitespace-only, preventing empty memory writes and undefined retrieval/search behavior.
Changes:
- Added shared parsing helpers in
memoria-mcpto validate required string arguments (and updatedmemory_store,memory_retrieve,memory_search,memory_correctto use them). - Added unit + E2E tests (stdio MCP + HTTP MCP) asserting invalid inputs are rejected and do not create empty memories.
- Adjusted
memory_correctcall path to pass the validatednew_contentthrough as a borrowed string.
Reviewed changes
Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| memoria/crates/memoria-mcp/src/tools.rs | Adds required-string parsing helpers and applies them to MCP tool handlers; includes helper unit tests. |
| memoria/crates/memoria-mcp/tests/tools_unit.rs | Adds unit tests ensuring store/retrieve/search reject missing/blank required args and don’t create records. |
| memoria/crates/memoria-mcp/tests/core_tools_e2e.rs | Adds DB-backed E2E tests for rejecting blank content/query at the MCP tool layer. |
| memoria/crates/memoria-api/tests/api_e2e.rs | Adds HTTP MCP E2E tests asserting validation returns tool text (not JSON-RPC error) and that no empty memories are created. |
Comments suppressed due to low confidence (1)
memoria/crates/memoria-mcp/src/tools.rs:384
- memory_store now returns tool-text (Ok(mcp_text)) for invalid/missing content, but trust_tier validation still returns a Rust error (which becomes a JSON-RPC error in memoria-mcp/src/server.rs). This means clients must handle two different error channels for “validation” failures in the same tool, and it also contradicts the PR description’s claim that validation uses tool text “matching trust_tier validation”. Consider standardizing (either return tool text for invalid trust_tier too, or document that trust_tier remains a JSON-RPC error).
let memory_type = args["memory_type"].as_str().unwrap_or("semantic");
let session_id = args["session_id"].as_str().map(String::from);
let trust_tier = args["trust_tier"]
.as_str()
.map(TrustTier::from_str)
.transpose()
.map_err(|e| anyhow::anyhow!("{e}"))?;
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
ba62ce6 to
b38bfea
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
Which issue(s) this PR fixes
Fixes #216
Fixes #218
What this PR does / why we need it
Summary
MCP tools previously accepted missing or whitespace-only required arguments without validation:
memory_storecould store empty memories (wasting DB writes and embedding calls)memory_retrieve/memory_searchcould run with an emptyquery(undefined retrieval behavior)memory_correctonly checkedis_empty()onnew_content, allowing whitespace-only correctionsThis PR adds consistent server-side validation at the MCP tool layer. Invalid input is rejected early with a clear tool text response (not a JSON-RPC error), matching existing patterns such as
trust_tiervalidation.What changed
MCP tools (
memoria-mcp/src/tools.rs)parse_required_str(args, key, err)— shared helper that trims input and rejects missing/blank values.memory_store: validatecontentviaparse_store_content()before store/embedding.memory_retrieve/memory_search: validatequeryviaparse_retrieve_query()before retrieval.memory_correct: validatenew_contentviaparse_required_str()(also fixes whitespace-only bypass).Tests
memoria-mcp/tests/tools_unit.rsmemory_store,memory_retrieve,memory_searchreject invalid argsmemoria-mcp/tests/core_tools_e2e.rsmemoria-api/tests/api_e2e.rsPOST /mcptools/call for store/retrieve/searchValidation semantics
memory_storecontent"", whitespace-only"content is required"memory_retrievequery"", whitespace-only"query is required"memory_searchquery"", whitespace-only"query is required"memory_correctnew_content"", whitespace-only"new_content is required"" hello "→"hello").result.content[0].text), not JSON-RPCerrorobjects — consistent with existing tool validation behavior.Backward compatibility
content/query/new_contentwill now receive an explicit error instead of silent/no-op behavior./v1/memoriesendpoints in this PR (MCP layer only).Test plan
cargo check -p memoria-mcpcargo test -p memoria-mcp --test tools_unitcargo test -p memoria-mcp --test core_tools_e2e(requires MatrixOne)cargo test -p memoria-api --test api_e2e(requires MatrixOne)make test(full integration suite)Focused commands: