test: assert MCP safety annotations on security advisory write tools

Array Fleet · cursoragent · Array Fleet · commit c0b7fcede7fa · 2026-06-09T23:57:02.000Z
Verify OpenWorldHint and DestructiveHint registration for create/update
tools and confirm CVE request stays non-destructive.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/pkg/github/security_advisories_test.go b/pkg/github/security_advisories_test.go
@@ -1214,19 +1214,45 @@ func Test_validateGHSAID(t *testing.T) {
 }
 
 func TestSecurityAdvisoryWriteToolsRegistered(t *testing.T) {
-	expected := map[string]bool{
-		"create_repository_security_advisory":            false,
-		"update_repository_security_advisory":            false,
-		"request_cve_for_repository_security_advisory": false,
+	expected := map[string]struct {
+		readOnly     bool
+		destructive  bool
+		openWorld    bool
+	}{
+		"create_repository_security_advisory": {
+			readOnly:    false,
+			destructive: true,
+			openWorld:   true,
+		},
+		"update_repository_security_advisory": {
+			readOnly:    false,
+			destructive: true,
+			openWorld:   true,
+		},
+		"request_cve_for_repository_security_advisory": {
+			readOnly:    false,
+			destructive: false,
+			openWorld:   true,
+		},
 	}
 
 	for _, tool := range AllTools(translations.NullTranslationHelper) {
-		if _, ok := expected[tool.Tool.Name]; ok {
-			assert.Equal(t, ToolsetMetadataSecurityAdvisories.ID, tool.Toolset.ID)
-			require.NotNil(t, tool.Tool.Annotations)
-			assert.Equal(t, expected[tool.Tool.Name], tool.Tool.Annotations.ReadOnlyHint)
-			delete(expected, tool.Tool.Name)
+		want, ok := expected[tool.Tool.Name]
+		if !ok {
+			continue
+		}
+		assert.Equal(t, ToolsetMetadataSecurityAdvisories.ID, tool.Toolset.ID)
+		require.NotNil(t, tool.Tool.Annotations)
+		assert.Equal(t, want.readOnly, tool.Tool.Annotations.ReadOnlyHint)
+		require.NotNil(t, tool.Tool.Annotations.OpenWorldHint)
+		assert.Equal(t, want.openWorld, *tool.Tool.Annotations.OpenWorldHint)
+		if want.destructive {
+			require.NotNil(t, tool.Tool.Annotations.DestructiveHint)
+			assert.True(t, *tool.Tool.Annotations.DestructiveHint)
+		} else {
+			assert.Nil(t, tool.Tool.Annotations.DestructiveHint)
 		}
+		delete(expected, tool.Tool.Name)
 	}
 
 	assert.Empty(t, expected, "missing security advisory write tools: %v", expected)
