Skip to content

Add e2e tests for MCP server runtime config endpoint display fix#1379

Open
Saadha123 wants to merge 2 commits into
wso2:mainfrom
Saadha123:fix/mcp-server-runtime-endpoint-tests
Open

Add e2e tests for MCP server runtime config endpoint display fix#1379
Saadha123 wants to merge 2 commits into
wso2:mainfrom
Saadha123:fix/mcp-server-runtime-endpoint-tests

Conversation

@Saadha123

@Saadha123 Saadha123 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Description:

  • Adds Cypress regression tests for the fix in fix/mcp-runtime-missing-endpoint-crash that prevented a crash on the Runtime Configuration page when an MCP server's sandbox or production endpoint is removed.

Tests cover two MCP server creation types:

  • From OpenAPI file — creates a server with a production URL, adds a sandbox endpoint via the REST API, deletes it through the Endpoints UI (button click + confirmation dialog),
    then verifies the Runtime Configuration page renders correctly with "-" shown for the sandbox section
  • From existing API — same flow, with the test adapting gracefully if generate-from-api does not auto-create a backend

Utilities added to cypress/support/utils.js:

  • addMCPServer — creates an MCP server via generate-from-openapi
  • addMCPServerFromExistingAPI — creates an MCP server via generate-from-api
  • deleteMCPServer — cleans up after each test

Related Issue:

wso2/api-manager#5096

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@Saadha123, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 48 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 737ee32d-1458-4a79-a85c-70be6cd3635b

📥 Commits

Reviewing files that changed from the base of the PR and between d79c021 and 7b06f43.

📒 Files selected for processing (3)
  • tests/cypress/e2e/publisher/024-mcp-server/00-runtime-config-endpoint-display.cy.js
  • tests/cypress/e2e/publisher/024-mcp-server/01-runtime-config-from-existing-api.cy.js
  • tests/cypress/support/utils.js
📝 Walkthrough
📝 Walkthrough
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes the main change: new e2e tests for the MCP server runtime config endpoint display fix.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The description accurately matches the added Cypress regression tests and MCP server utility helpers in the changeset.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (3)
tests/cypress/e2e/publisher/024-mcp-server/00-runtime-config-endpoint-display.cy.js (1)

122-129: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

cy.contains('-') is a substring match, not an exact one — weakens the regression check.

Cypress's cy.contains() performs a case-sensitive substring match by default (confirmed against Cypress docs), so this assertion passes if any text node inside #endpoints merely contains a hyphen (e.g. a URL fragment, date, or unrelated label), not necessarily the sandbox placeholder itself. Since the entire point of this regression test is to verify the sandbox section specifically renders - (not a stale URL or a crash), this loose match could pass even if the underlying rendering regresses.

Recommend scoping the assertion more tightly, e.g. anchoring to the sandbox row/section and using an exact-match regex:

🔧 Proposed fix
                            // Sandbox section must show "-" (not crash) because it was deleted.
                            cy.contains('Sandbox').should('be.visible');
-                           cy.contains('-').should('be.visible');
+                           cy.contains('Sandbox').parent().within(() => {
+                               cy.contains(/^-$/).should('be.visible');
+                           });
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@tests/cypress/e2e/publisher/024-mcp-server/00-runtime-config-endpoint-display.cy.js`
around lines 122 - 129, The Sandbox placeholder check in the `#endpoints` Cypress
assertion is too loose because cy.contains('-') matches any hyphen substring
anywhere in the container. Tighten the regression test in the
cy.get('`#endpoints`').within() block by scoping the assertion to the Sandbox
row/section and using an exact match for the placeholder, so the test only
passes when the Sandbox value itself renders as "-".
tests/cypress/support/utils.js (2)

236-334: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

No readiness poll before resolving with the new MCP server id.

addAPI/addAPIfromSwagger explicitly call Utils.waitForApiRetrievable before resolving, because "create can return an id before the API is retrievable, causing 500s on follow-ups". addMCPServer and addMCPServerFromExistingAPI resolve immediately with parsed.id, and the consuming specs immediately hit mcp-servers/{id}/backends right after. If MCP servers share the same eventhub-propagation characteristics as APIs (likely, same platform), this can cause intermittent flakiness in CI for these new regression tests.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/cypress/support/utils.js` around lines 236 - 334, Both MCP server
helpers return the new id too early, which can make follow-up backend calls race
the server creation flow. Update addMCPServer and addMCPServerFromExistingAPI in
Utils to wait for the MCP server to become retrievable before resolving, using
the same pattern as addAPI/addAPIfromSwagger with the relevant MCP
retrieval/wait helper or equivalent polling. Keep the existing parsed.id
validation, then only resolve after the readiness check succeeds so specs can
safely call mcp-servers/{id}/backends.

236-286: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Fragile shell escaping for additionalProperties.

additionalProps.replace(/"/g, '\\"') only escapes embedded double quotes. Inside the outer double-quoted -F argument, characters like `, $, and \ in name/version/context are still shell-significant and can corrupt the request or (per static analysis) enable command injection. The file already has a safer pattern for this — the specJson write on line 261 and the body in addMCPServerFromExistingAPI (line 315) use single-quote wrapping with '\\'' escaping, which is the correct technique here too.

🔧 Proposed fix
-                        -F "additionalProperties=${additionalProps.replace(/"/g, '\\"')}" \
+                        -F "additionalProperties=${additionalProps.replace(/'/g, "'\\''")}" \

Note: since this value is embedded via -F (which Cypress/curl expects unquoted or single-quoted form), wrap the whole flag value in single quotes rather than double quotes for consistency with the rest of the file.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tests/cypress/support/utils.js` around lines 236 - 286, The `addMCPServer`
curl command is still vulnerable because `additionalProps` is only escaping
double quotes, leaving shell-significant characters in `name`, `version`, and
`context` unsafe. Update the `cy.exec(curl)` construction in
`Utils.addMCPServer` to use the same single-quote wrapping and `'\''` escaping
pattern already used for `specJson` in this method (and the `body` handling in
`addMCPServerFromExistingAPI`), so the `-F "additionalProperties=..."` payload
is passed safely without command injection risk.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@tests/cypress/e2e/publisher/024-mcp-server/00-runtime-config-endpoint-display.cy.js`:
- Line 43: The spec in the Cypress test currently uses an exclusive test via
it.only, which will skip other tests in the file. Remove the .only from the it
declaration in the runtime configuration test so the suite runs normally
alongside any future tests in this spec. Keep the test name and behavior
unchanged, and only eliminate the exclusivity marker.

In
`@tests/cypress/e2e/publisher/024-mcp-server/01-runtime-config-from-existing-api.cy.js`:
- Line 40: The Cypress spec is using it.only in the runtime configuration test,
which will exclude other tests in this file from running. Update the test in the
existing API MCP server spec to remove the .only call from the it declaration so
the full suite executes normally; use the runtime configuration test block as
the place to make this change.

---

Nitpick comments:
In
`@tests/cypress/e2e/publisher/024-mcp-server/00-runtime-config-endpoint-display.cy.js`:
- Around line 122-129: The Sandbox placeholder check in the `#endpoints` Cypress
assertion is too loose because cy.contains('-') matches any hyphen substring
anywhere in the container. Tighten the regression test in the
cy.get('`#endpoints`').within() block by scoping the assertion to the Sandbox
row/section and using an exact match for the placeholder, so the test only
passes when the Sandbox value itself renders as "-".

In `@tests/cypress/support/utils.js`:
- Around line 236-334: Both MCP server helpers return the new id too early,
which can make follow-up backend calls race the server creation flow. Update
addMCPServer and addMCPServerFromExistingAPI in Utils to wait for the MCP server
to become retrievable before resolving, using the same pattern as
addAPI/addAPIfromSwagger with the relevant MCP retrieval/wait helper or
equivalent polling. Keep the existing parsed.id validation, then only resolve
after the readiness check succeeds so specs can safely call
mcp-servers/{id}/backends.
- Around line 236-286: The `addMCPServer` curl command is still vulnerable
because `additionalProps` is only escaping double quotes, leaving
shell-significant characters in `name`, `version`, and `context` unsafe. Update
the `cy.exec(curl)` construction in `Utils.addMCPServer` to use the same
single-quote wrapping and `'\''` escaping pattern already used for `specJson` in
this method (and the `body` handling in `addMCPServerFromExistingAPI`), so the
`-F "additionalProperties=..."` payload is passed safely without command
injection risk.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 5a89c394-a921-4e19-9dd4-5822f0cc1953

📥 Commits

Reviewing files that changed from the base of the PR and between 449df69 and c97e512.

📒 Files selected for processing (3)
  • tests/cypress/e2e/publisher/024-mcp-server/00-runtime-config-endpoint-display.cy.js
  • tests/cypress/e2e/publisher/024-mcp-server/01-runtime-config-from-existing-api.cy.js
  • tests/cypress/support/utils.js

RakhithaRR
RakhithaRR previously approved these changes Jul 2, 2026
@Saadha123 Saadha123 force-pushed the fix/mcp-server-runtime-endpoint-tests branch from d79c021 to 7b06f43 Compare July 6, 2026 05:54
@sonarqubecloud

sonarqubecloud Bot commented Jul 6, 2026

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants