feat: include project token in tool call responses (#6)

Copilot · joshuap · web-flow · commit d646e1cb5887 · 2025-07-04T09:38:44.000-07:00
Co-authored-by: copilot-swe-agent[bot] &lt;198982749+Copilot@users.noreply.github.com&gt;
Co-authored-by: Joshua Wood &lt;josh@joshuawood.net&gt;
diff --git a/internal/hbmcp/projects.go b/internal/hbmcp/projects.go
@@ -216,11 +216,6 @@ func handleListProjects(ctx context.Context, client *hbapi.Client, req mcp.CallT
 		return mcp.NewToolResultError(fmt.Sprintf("Failed to list projects: %v", err)), nil
 	}
 
-	// Sanitize the response to remove API tokens
-	for i := range response.Results {
-		sanitizeProject(&response.Results[i])
-	}
-
 	// Return JSON response
 	jsonBytes, err := json.Marshal(response)
 	if err != nil {
@@ -241,9 +236,6 @@ func handleGetProject(ctx context.Context, client *hbapi.Client, req mcp.CallToo
 		return mcp.NewToolResultError(fmt.Sprintf("Failed to get project: %v", err)), nil
 	}
 
-	// Sanitize the response to remove API tokens
-	sanitizeProject(project)
-
 	// Return JSON response
 	jsonBytes, err := json.Marshal(project)
 	if err != nil {
@@ -293,9 +285,6 @@ func handleCreateProject(ctx context.Context, client *hbapi.Client, req mcp.Call
 		return mcp.NewToolResultError(fmt.Sprintf("Failed to create project: %v", err)), nil
 	}
 
-	// Sanitize the response to remove API tokens
-	sanitizeProject(project)
-
 	// Return JSON response
 	jsonBytes, err := json.Marshal(project)
 	if err != nil {
@@ -469,10 +458,3 @@ func handleGetProjectReport(ctx context.Context, client *hbapi.Client, req mcp.C
 
 	return mcp.NewToolResultText(string(jsonBytes)), nil
 }
-
-// Sanitization functions to remove sensitive data like API tokens
-
-func sanitizeProject(project *hbapi.Project) {
-	// Remove token field
-	project.Token = ""
-}
diff --git a/internal/hbmcp/projects_test.go b/internal/hbmcp/projects_test.go
@@ -8,7 +8,6 @@ import (
 	"net/http/httptest"
 	"strings"
 	"testing"
-	"time"
 
 	"github.com/honeybadger-io/honeybadger-mcp-server/internal/hbapi"
 	"github.com/mark3labs/mcp-go/mcp"
@@ -67,15 +66,23 @@ func TestHandleListProjects(t *testing.T) {
 		t.Fatal("expected successful result, got error")
 	}
 
-	// Check that tokens are sanitized
+	// Verify the response can be unmarshaled as a projects list response
 	resultText := getResultText(result)
-	if strings.Contains(resultText, "secret123") {
-		t.Error("Token should be sanitized from response")
+	var response hbapi.ProjectsResponse
+	if err := json.Unmarshal([]byte(resultText), &response); err != nil {
+		t.Errorf("Response should be valid JSON projects list response: %v", err)
+	}
+
+	if len(response.Results) != 2 {
+		t.Errorf("expected 2 projects, got %d", len(response.Results))
+	}
+
+	if response.Results[0].Name != "Project 1" {
+		t.Errorf("expected first project name 'Project 1', got %s", response.Results[0].Name)
 	}
 
-	// Check that project data is still present
-	if !strings.Contains(resultText, "Project 1") {
-		t.Error("Project name should be present in response")
+	if response.Results[1].Name != "Project 2" {
+		t.Errorf("expected second project name 'Project 2', got %s", response.Results[1].Name)
 	}
 }
 
@@ -136,7 +143,6 @@ func TestHandleListProjects_WithAccountID(t *testing.T) {
 		WithBaseURL(server.URL).
 		WithAuthToken("test-token")
 
-	// Test with account_id parameter
 	req := mcp.CallToolRequest{
 		Params: mcp.CallToolParams{
 			Arguments: map[string]interface{}{
@@ -154,15 +160,23 @@ func TestHandleListProjects_WithAccountID(t *testing.T) {
 		t.Fatal("expected successful result, got error")
 	}
 
-	// Check that tokens are sanitized
+	// Verify the response can be unmarshaled as a projects list response
 	resultText := getResultText(result)
-	if strings.Contains(resultText, "secret123") {
-		t.Error("Token should be sanitized from response")
+	var response hbapi.ProjectsResponse
+	if err := json.Unmarshal([]byte(resultText), &response); err != nil {
+		t.Errorf("Response should be valid JSON projects list response: %v", err)
+	}
+
+	if len(response.Results) != 1 {
+		t.Errorf("expected 1 project, got %d", len(response.Results))
+	}
+
+	if response.Results[0].Name != "Project 1" {
+		t.Errorf("expected project name 'Project 1', got %s", response.Results[0].Name)
 	}
 
-	// Check that project data is still present
-	if !strings.Contains(resultText, "Project 1") {
-		t.Error("Project name should be present in response")
+	if response.Results[0].ID != 1 {
+		t.Errorf("expected project ID 1, got %d", response.Results[0].ID)
 	}
 }
 
@@ -203,14 +217,23 @@ func TestHandleGetProject(t *testing.T) {
 		t.Fatal("expected successful result, got error")
 	}
 
-	// Check that token is sanitized
-	if strings.Contains(getResultText(result), "secret123") {
-		t.Error("Token should be sanitized from response")
+	// Verify the response can be unmarshaled as a project
+	resultText := getResultText(result)
+	var project hbapi.Project
+	if err := json.Unmarshal([]byte(resultText), &project); err != nil {
+		t.Errorf("Response should be valid JSON project: %v", err)
 	}
 
-	// Check that project data is still present
-	if !strings.Contains(getResultText(result), "Test Project") {
-		t.Error("Project name should be present in response")
+	if project.ID != 123 {
+		t.Errorf("expected project ID 123, got %d", project.ID)
+	}
+
+	if project.Name != "Test Project" {
+		t.Errorf("expected project name 'Test Project', got %s", project.Name)
+	}
+
+	if !project.Active {
+		t.Error("expected project to be active")
 	}
 }
 
@@ -319,14 +342,27 @@ func TestHandleCreateProject(t *testing.T) {
 		t.Fatal("expected successful result, got error")
 	}
 
-	// Check that API key is sanitized
-	if strings.Contains(getResultText(result), "secret789") {
-		t.Error("API key should be sanitized from response")
+	// Verify the response can be unmarshaled as a project
+	resultText := getResultText(result)
+	var project hbapi.Project
+	if err := json.Unmarshal([]byte(resultText), &project); err != nil {
+		t.Errorf("Response should be valid JSON project: %v", err)
+	}
+
+	if project.ID != 456 {
+		t.Errorf("expected project ID 456, got %d", project.ID)
+	}
+
+	if project.Name != "New Project" {
+		t.Errorf("expected project name 'New Project', got %s", project.Name)
+	}
+
+	if !project.Active {
+		t.Error("expected created project to be active")
 	}
 
-	// Check that project data is still present
-	if !strings.Contains(getResultText(result), "New Project") {
-		t.Error("Project name should be present in response")
+	if project.Owner.Email != "user@example.com" {
+		t.Errorf("expected owner email 'user@example.com', got %s", project.Owner.Email)
 	}
 }
 
@@ -617,35 +653,6 @@ func TestHandleDeleteProject_Error(t *testing.T) {
 	}
 }
 
-func TestSanitizeProject(t *testing.T) {
-	project := &hbapi.Project{
-		ID:        123,
-		Name:      "Test Project",
-		Active:    true,
-		CreatedAt: time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC),
-		Token:     "secret123",
-		Owner:     hbapi.Account{ID: 1, Email: "user@example.com", Name: "User 1"},
-	}
-
-	sanitizeProject(project)
-
-	// Check that token field is removed
-	if project.Token != "" {
-		t.Error("token field should be cleared")
-	}
-
-	// Check that non-sensitive fields remain
-	if project.ID != 123 {
-		t.Error("project id should remain")
-	}
-	if project.Name != "Test Project" {
-		t.Error("project name should remain")
-	}
-	if project.Owner.Email != "user@example.com" {
-		t.Error("owner fields should remain")
-	}
-}
-
 func TestHandleGetProjectReport(t *testing.T) {
 	mockResponse := `[["RuntimeError", 8347], ["SocketError", 4651]]`
 
