Description Suggested Changes for github-pr-review-mcp-server
1) Security & Input Validation
Call validate_repo_params(owner, repo, branch) at the start of resolve_pr_url.
Replace regex-only PR URL parsing with urllib.parse.urlparse:
Require https.
Allow optional trailing slash / query.
Ensure path matches /OWNER/REPO/pull/NUMBER.
Reject hosts not in GITHUB_HOSTS env allowlist.
Replace shlex.quote with httpx params= for REST queries.
Loosen validate_comment: accept line, original_line, position, original_position.
2) GitHub API Robustness
Use modern headers everywhere:
Accept: application/vnd.github+jsonX-GitHub-Api-Version: 2022-11-28User-Agent: mcp-pr-review-spec-maker/1.0
Normalize env vars:
GITHUB_API_URL for REST base.GITHUB_GRAPHQL_URL optional override.GH_HOST for HTML host (default github.com).
Detect secondary rate limits (403/429 “abuse detection”):
Back off ~60s and retry once.
Expand 5xx retry backoff ceiling to ~15s.
3) Pagination & Large Repos
Add _get_all_open_prs helper:
Use per_page=100, follow Link headers up to 5 pages.
Pre-compile LINK_NEXT_RE = re.compile(r'<([^>]+)>\s*;\s*rel="next"').
4) Logging & Redaction
Add a logging filter to redact:
Authorization headersGITHUB_TOKENAny *_TOKEN
Move load_dotenv() and logging.basicConfig() under if __name__ == "__main__":.
Prefer logger.debug() over print() except for user-visible progress.
5) MCP Best Practices
Tool schemas:
Add format: "uri" to pr_url.
Keep required: [] where mutually exclusive inputs exist (e.g., markdown vs comments).
Yield cooperatively (await asyncio.sleep(0)) in loops for cancellation.
6) URL & Remote Parsing
Allow dots in repo names by updating REMOTE_REGEXES to capture [^/]+?.
_get_repo should raise ValueError(f"Not a git repository: {path}").Standardize module name (git_pr_resolver.py vs github_pr_resolver.py).
7) Testing Plan
Unit tests (mocked HTTP with pytest-httpx/respx):
PR URL parsing (valid/invalid).
Repo param validation.
GraphQL happy path and error fallback.
Pagination across multiple pages.
403/429 rate-limit handling.
File writing (reject symlinks, bad names).
Property tests (hypothesis):
Filenames matching regex.
Comment dicts with different line/position keys.
Integration tests (skip unless GITHUB_TOKEN set):
Resolve PR + generate markdown on a small PR.
CI :
ruff check, ruff format --check.mypy --strict.pytest --cov with ≥90% threshold.
8) Optional Enhancements
Combine review + issue comments when requested.
Support ETag caching with If-None-Match.
Extend User-Agent with version and host (e.g., (+host=github.com)).
Reactions are currently unavailable
You can’t perform that action at this time.
