Fix projects_get required params and harden status update tools

elijahstr · JoannaaKL · commit fdbf83483cb5 · 2026-02-13T16:43:52.000+01:00
Loosen projects_get schema to only require "method", since
get_project_status_update only needs status_update_id and never uses
owner or project_number. Also use pointer types for optional
statusUpdateNode fields, add owner_type validation for list/create
status updates, clamp negative per_page values, and fix
resolveProjectNodeID to return "" instead of nil on error.
diff --git a/pkg/github/__toolsnaps__/projects_get.snap b/pkg/github/__toolsnaps__/projects_get.snap
@@ -53,9 +53,7 @@
       }
     },
     "required": [
-      "method",
-      "owner",
-      "project_number"
+      "method"
     ],
     "type": "object"
   },
diff --git a/pkg/github/projects.go b/pkg/github/projects.go
@@ -55,11 +55,11 @@ const (
 
 type statusUpdateNode struct {
 	ID         githubv4.ID
-	Body       githubv4.String
-	Status     githubv4.String
+	Body       *githubv4.String
+	Status     *githubv4.String
 	CreatedAt  githubv4.DateTime
-	StartDate  githubv4.String
-	TargetDate githubv4.String
+	StartDate  *githubv4.String
+	TargetDate *githubv4.String
 	Creator    struct {
 		Login githubv4.String
 	}
@@ -123,15 +123,22 @@ func convertToMinimalStatusUpdate(node statusUpdateNode) MinimalProjectStatusUpd
 
 	return MinimalProjectStatusUpdate{
 		ID:         fmt.Sprintf("%v", node.ID),
-		Body:       string(node.Body),
-		Status:     string(node.Status),
+		Body:       derefString(node.Body),
+		Status:     derefString(node.Status),
 		CreatedAt:  node.CreatedAt.Time.Format(time.RFC3339),
-		StartDate:  string(node.StartDate),
-		TargetDate: string(node.TargetDate),
+		StartDate:  derefString(node.StartDate),
+		TargetDate: derefString(node.TargetDate),
 		Creator:    creator,
 	}
 }
 
+func derefString(s *githubv4.String) string {
+	if s == nil {
+		return ""
+	}
+	return string(*s)
+}
+
 func ListProjects(t translations.TranslationHelperFunc) inventory.ServerTool {
 	tool := NewTool(
 		ToolsetMetadataProjects,
@@ -1482,7 +1489,7 @@ Use this tool to get details about individual projects, project fields, and proj
 						Description: "The node ID of the project status update. Required for 'get_project_status_update' method.",
 					},
 				},
-				Required: []string{"method", "owner", "project_number"},
+				Required: []string{"method"},
 			},
 		},
 		[]scopes.Scope{scopes.ReadProject},
@@ -2213,14 +2220,14 @@ func resolveProjectNodeID(ctx context.Context, gqlClient *githubv4.Client, owner
 	if ownerType == "org" {
 		err := gqlClient.Query(ctx, &projectIDQueryOrg, queryVars)
 		if err != nil {
-			return nil, fmt.Errorf("%s: %w", ProjectResolveIDFailedError, err)
+			return "", fmt.Errorf("%s: %w", ProjectResolveIDFailedError, err)
 		}
 		return projectIDQueryOrg.Organization.ProjectV2.ID, nil
 	}
 
 	err := gqlClient.Query(ctx, &projectIDQueryUser, queryVars)
 	if err != nil {
-		return nil, fmt.Errorf("%s: %w", ProjectResolveIDFailedError, err)
+		return "", fmt.Errorf("%s: %w", ProjectResolveIDFailedError, err)
 	}
 	return projectIDQueryUser.User.ProjectV2.ID, nil
 }
@@ -2293,6 +2300,9 @@ func validateDateFormat(value, fieldName string) error {
 // createProjectStatusUpdate creates a new status update for a project via GraphQL.
 func createProjectStatusUpdate(ctx context.Context, gqlClient *githubv4.Client, owner, ownerType string, projectNumber int, body, status, startDate, targetDate string) (*mcp.CallToolResult, any, error) {
 	// Validate inputs
+	if ownerType != "user" && ownerType != "org" {
+		return utils.NewToolResultError(fmt.Sprintf("invalid owner_type %q: must be \"user\" or \"org\"", ownerType)), nil, nil
+	}
 	if status != "" && !validProjectV2StatusUpdateStatuses[status] {
 		return utils.NewToolResultError(fmt.Sprintf("invalid status %q: must be one of INACTIVE, ON_TRACK, AT_RISK, OFF_TRACK, COMPLETE", status)), nil, nil
 	}
@@ -2360,6 +2370,10 @@ func createProjectStatusUpdate(ctx context.Context, gqlClient *githubv4.Client,
 
 // listProjectStatusUpdates lists status updates for a project via GraphQL.
 func listProjectStatusUpdates(ctx context.Context, gqlClient *githubv4.Client, args map[string]any, owner, ownerType string) (*mcp.CallToolResult, any, error) {
+	if ownerType != "user" && ownerType != "org" {
+		return utils.NewToolResultError(fmt.Sprintf("invalid owner_type %q: must be \"user\" or \"org\"", ownerType)), nil, nil
+	}
+
 	projectNumber, err := RequiredInt(args, "project_number")
 	if err != nil {
 		return utils.NewToolResultError(err.Error()), nil, nil
@@ -2372,6 +2386,9 @@ func listProjectStatusUpdates(ctx context.Context, gqlClient *githubv4.Client, a
 	if perPage > MaxProjectsPerPage {
 		perPage = MaxProjectsPerPage
 	}
+	if perPage < 1 {
+		perPage = MaxProjectsPerPage
+	}
 
 	afterCursor, err := OptionalParam[string](args, "after")
 	if err != nil {
diff --git a/pkg/github/projects_test.go b/pkg/github/projects_test.go
@@ -236,7 +236,7 @@ func Test_ProjectsGet(t *testing.T) {
 	assert.Contains(t, inputSchema.Properties, "project_number")
 	assert.Contains(t, inputSchema.Properties, "field_id")
 	assert.Contains(t, inputSchema.Properties, "item_id")
-	assert.ElementsMatch(t, inputSchema.Required, []string{"method", "owner", "project_number"})
+	assert.ElementsMatch(t, inputSchema.Required, []string{"method"})
 }
 
 func Test_ProjectsGet_GetProject(t *testing.T) {
@@ -1907,3 +1907,116 @@ func Test_ProjectsWrite_CreateProjectStatusUpdate(t *testing.T) {
 		assert.Equal(t, "AT_RISK", response["status"])
 	})
 }
+
+func Test_ListProjectStatusUpdates_NegativePerPage(t *testing.T) {
+	serverTool := ListProjectStatusUpdates(translations.NullTranslationHelper)
+
+	// With a negative per_page, the handler should clamp to MaxProjectsPerPage (50)
+	mockedClient := githubv4mock.NewMockedHTTPClient(
+		githubv4mock.NewQueryMatcher(
+			statusUpdatesUserQuery{},
+			map[string]any{
+				"owner":         githubv4.String("octocat"),
+				"projectNumber": githubv4.Int(1),
+				"first":         githubv4.Int(50), // clamped to default
+				"after":         (*githubv4.String)(nil),
+			},
+			githubv4mock.DataResponse(map[string]any{
+				"user": map[string]any{
+					"projectV2": map[string]any{
+						"statusUpdates": map[string]any{
+							"nodes": []map[string]any{
+								{
+									"id":         "SU_neg",
+									"body":       "Negative per_page test",
+									"status":     "ON_TRACK",
+									"createdAt":  "2026-01-15T10:00:00Z",
+									"startDate":  "2026-01-01",
+									"targetDate": "2026-03-01",
+									"creator":    map[string]any{"login": "octocat"},
+								},
+							},
+							"pageInfo": map[string]any{
+								"hasNextPage":     false,
+								"hasPreviousPage": false,
+								"startCursor":     "cursor1",
+								"endCursor":       "cursor1",
+							},
+						},
+					},
+				},
+			}),
+		),
+	)
+
+	client := githubv4.NewClient(mockedClient)
+	deps := BaseDeps{
+		GQLClient: client,
+	}
+	handler := serverTool.Handler(deps)
+	request := createMCPRequest(map[string]any{
+		"owner":          "octocat",
+		"owner_type":     "user",
+		"project_number": float64(1),
+		"per_page":       float64(-5),
+	})
+	result, err := handler(ContextWithDeps(context.Background(), deps), &request)
+
+	require.NoError(t, err)
+	require.False(t, result.IsError)
+
+	textContent := getTextResult(t, result)
+	var response map[string]any
+	err = json.Unmarshal([]byte(textContent.Text), &response)
+	require.NoError(t, err)
+	updates, ok := response["statusUpdates"].([]any)
+	require.True(t, ok)
+	assert.Len(t, updates, 1)
+}
+
+func Test_CreateProjectStatusUpdate_InvalidOwnerType(t *testing.T) {
+	serverTool := CreateProjectStatusUpdate(translations.NullTranslationHelper)
+
+	mockedClient := githubv4mock.NewMockedHTTPClient()
+	client := githubv4.NewClient(mockedClient)
+	deps := BaseDeps{
+		GQLClient: client,
+	}
+	handler := serverTool.Handler(deps)
+	request := createMCPRequest(map[string]any{
+		"owner":          "octocat",
+		"owner_type":     "invalid",
+		"project_number": float64(2),
+		"body":           "Test",
+	})
+	result, err := handler(ContextWithDeps(context.Background(), deps), &request)
+
+	require.NoError(t, err)
+	require.True(t, result.IsError)
+
+	textContent := getTextResult(t, result)
+	assert.Contains(t, textContent.Text, `invalid owner_type "invalid"`)
+}
+
+func Test_ListProjectStatusUpdates_InvalidOwnerType(t *testing.T) {
+	serverTool := ListProjectStatusUpdates(translations.NullTranslationHelper)
+
+	mockedClient := githubv4mock.NewMockedHTTPClient()
+	client := githubv4.NewClient(mockedClient)
+	deps := BaseDeps{
+		GQLClient: client,
+	}
+	handler := serverTool.Handler(deps)
+	request := createMCPRequest(map[string]any{
+		"owner":          "octocat",
+		"owner_type":     "invalid",
+		"project_number": float64(1),
+	})
+	result, err := handler(ContextWithDeps(context.Background(), deps), &request)
+
+	require.NoError(t, err)
+	require.True(t, result.IsError)
+
+	textContent := getTextResult(t, result)
+	assert.Contains(t, textContent.Text, `invalid owner_type "invalid"`)
+}
