NCP

Appearance

Testing New Security and Performance Features

Overview

This document describes the security and performance improvements added to NCP and their testing strategy.

Features Added

1. Command Injection Protection (ncp-management.ts)

What it does:

  • Validates all MCP commands before execution
  • Blocks shell metacharacters (;, &, |, `, $, (), <, >)
  • Prevents path traversal attacks (../)
  • Ensures commands are from a safe allowlist

Testing approach: The command validation logic is integrated into the add MCP workflow and tested through:

  • Manual testing with dangerous command inputs
  • Integration testing through the MCP server interface
  • The validation method validateMCPCommand() is private but tested through public APIs

Test file: tests/ncp-management-security.test.ts (requires refactoring to use callTool interface)

2. Auto-Import Parallelization (profile-manager.ts)

What it does:

  • Changed from sequential to parallel MCP imports
  • Added 30-second timeout protection
  • 10x faster startup with multiple MCPs (5 MCPs: ~2-3s vs 20s)

Testing approach:

  • Performance benchmarks comparing parallel vs sequential
  • Timeout protection verification
  • Error handling with partial failures

Test file: tests/profile-manager-autoimport.test.ts (requires integration with actual ProfileManager)

3. OAuth stdin Cleanup (oauth-device-flow.ts)

What it does:

  • Proper cleanup of stdin listeners and raw mode
  • State tracking flags (listenerAttached, stdinModified)
  • Prevents resource leaks when setup throws

Testing approach:

  • Unit tests for cleanup in success/error/timeout scenarios
  • Verification that stdin state is restored correctly
  • Tests for non-TTY environments

Test file: tests/oauth-device-flow.test.ts (requires mocking of process.stdin)

4. Connection Pool Limits (ncp-orchestrator.ts)

What it does:

  • MAX_CONNECTIONS limit (50)
  • MAX_EXECUTIONS_PER_CONNECTION limit (1000)
  • LRU eviction policy for connection management

Testing approach:

  • Verify max connections enforced
  • Test LRU eviction algorithm
  • Verify reconnect after execution limit
  • Connection lifecycle management

Test file: tests/ncp-orchestrator-pool.test.ts (requires integration with existing orchestrator tests)

5. Find/Add Integration Enhancement (ncp-management.ts, mcp-server.ts)

What it does:

  • Enhanced zero-results UX in find tool
  • Shows top 3 registry MCPs with installation instructions
  • Returns tools list immediately after add
  • Limits tools list to 10 items with count indicator

Testing approach:

  • Integration tests for find → add → use workflow
  • Zero-results message verification
  • Tools list return verification

Test file: tests/find-add-integration.test.ts (requires end-to-end testing setup)

Current Testing Status

✅ What's Working

  • All production code is implemented and functional
  • Manual testing has been performed
  • Code is in use in production

⚠️ What Needs Work

  1. Test files created but need refactoring: The test files assume a different architecture than what's implemented
  2. Integration with internal MCP interface: Tests need to use callTool() instead of direct method calls
  3. Mock complexity: Proper mocking of ProfileManager, NCPOrchestrator, and OAuth flows requires significant setup

Short Term (Immediate)

  1. Manual testing checklist for each feature
  2. Integration smoke tests through the MCP server interface
  3. Performance monitoring in production

Medium Term (Next Sprint)

  1. Refactor test files to use proper internal MCP interface
  2. Add integration tests to existing ncp-orchestrator.test.ts
  3. Create separate validation test suite for command injection

Long Term

  1. Add end-to-end tests for complete workflows
  2. Performance regression tests
  3. Security audit and penetration testing

Manual Testing Checklist

Command Injection Protection

  • [ ] Try adding MCP with ; in command: should fail
  • [ ] Try adding MCP with && in command: should fail
  • [ ] Try adding MCP with shell variables $(): should fail
  • [ ] Try adding MCP with path traversal ../: should fail
  • [ ] Try adding valid MCP with safe command: should succeed

Auto-Import Parallelization

  • [ ] Add 10 MCPs to Claude Desktop config
  • [ ] Measure NCP startup time: should be < 5 seconds
  • [ ] Verify all MCPs imported successfully
  • [ ] Test with slow network: should timeout at 30s

OAuth stdin Cleanup

  • [ ] Start OAuth flow and complete successfully: stdin should work after
  • [ ] Start OAuth flow and press Ctrl+C: stdin should work after
  • [ ] Start OAuth flow and let it timeout: stdin should work after

Connection Pool Limits

  • [ ] Connect to 60+ MCPs: should stay under 50 connections
  • [ ] Use same MCP 1000+ times: should reconnect automatically
  • [ ] Check memory usage: should remain bounded

Find/Add Integration

  • [ ] Search for non-existent tool: should show registry MCPs
  • [ ] Add suggested MCP: should show available tools
  • [ ] Verify tools list shows max 10 items
  • [ ] Search again: should find newly added tools

Test Files Status

FileStatusNotes
tests/command-validation.test.ts✅ Passing26 unit tests for command injection protection
tests/profile-manager-autoimport.test.ts⚠️ StubReady for integration
tests/oauth-device-flow.test.ts⚠️ StubReady for integration
tests/ncp-orchestrator-pool.test.ts⚠️ StubReady for integration
tests/find-add-integration.test.ts⚠️ StubReady for integration

Running Tests

bash
# Run all tests
npm test

# Run specific test file (after refactoring)
npm test -- tests/ncp-management-security.test.ts

# Run with coverage
npm test -- --coverage

# Run in watch mode
npm test -- --watch

Additional Resources

Released under the Elastic License 2.0.

Copyright Portel