Chapter 11 · Operate
Testing Strategy
Test the failure paths as carefully as the success paths. The reference build ships solid unit tests; here's what exists, what to add before production, and the smoke sequence to run after every deploy.
What you'll be able to do
- Know which unit tests already exist and what they cover
- Plan the integration tests to add before production
- Run the deploy-time smoke sequence and read its decision points
- Run the full local and remote validation commands safely
Existing tests in the reference build
| File | Coverage |
|---|---|
| tests/test_auth.py | Token hashing, cache expiry, Jira resource selection. |
| tests/test_middleware.py | Bearer extraction, origin checks, missing-token behavior. |
| tests/test_trim.py | Issue trimming, clipping, max-result clamp, byte-budget overflow, ADF shape. |
| tests/conftest.py | Deterministic test environment and token-context reset. |
Tests to add before production
| Category | Tests |
|---|---|
| MCP protocol | initialize, tools/list, tools/call. |
| Gateway integrity | missing, wrong, and correct X-Gateway-Token. |
| OAuth behavior | missing, malformed, expired token; insufficient scopes. |
| Jira errors | 401, 403, 404, 429, 5xx. |
| Multi-site users | pinned cloud id, pinned site URL, no matching site. |
| Connector schema | validates the MCP extension and OAuth scopes. |
| Payload stress | huge custom fields, long summaries, many issues. |
| Deployment smoke | APIM endpoint responds and rejects direct app bypass. |
Why this matters
Auth failures are where security bugs hide. A test that asserts a wrong gateway token is rejected is just as important as one that asserts the right one is accepted.
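The gateway-integrity row above, written out as an added pytest-style example (not part of the reference build). `gateway_status`, `EXPECTED`, and the 401 status are assumptions standing in for the app's real check, which this page does not show.

```python
"""Added example: gateway-integrity tests for the X-Gateway-Token check.

gateway_status() is a hypothetical stand-in for the app's real check;
replace it with a call into the actual middleware.
"""
import hmac

EXPECTED = "constructed-gateway-secret"  # constructed test value, not a real secret


def gateway_status(headers: dict, expected: str = EXPECTED) -> int:
    """Return 200 if X-Gateway-Token matches, else 401 (assumed status code)."""
    # HTTP header names are case-insensitive; normalise before lookup.
    supplied = {k.lower(): v for k, v in headers.items()}.get("x-gateway-token")
    if not supplied or not expected:
        return 401  # fail closed on a missing/empty token or an unset secret
    ok = hmac.compare_digest(supplied.encode(), expected.encode())
    return 200 if ok else 401


# (description, headers, expected status): failure paths outnumber the success path.
CASES = [
    ("missing header", {}, 401),
    ("empty value", {"X-Gateway-Token": ""}, 401),
    ("wrong value", {"X-Gateway-Token": "not-the-secret"}, 401),
    ("prefix of secret", {"X-Gateway-Token": EXPECTED[:-1]}, 401),
    ("secret plus suffix", {"X-Gateway-Token": EXPECTED + "x"}, 401),
    ("secret sent as bearer only", {"Authorization": f"Bearer {EXPECTED}"}, 401),
    ("correct value", {"X-Gateway-Token": EXPECTED}, 200),
    ("correct value, lowercase name", {"x-gateway-token": EXPECTED}, 200),
]


def failing_cases(check=gateway_status) -> list:
    """Run every case against `check`; return descriptions of those that fail."""
    return [desc for desc, headers, want in CASES if check(headers) != want]


def test_gateway_integrity():
    assert failing_cases() == []


def test_unset_secret_fails_closed():
    # A deployment that forgot to configure the secret must not accept "".
    assert gateway_status({"X-Gateway-Token": ""}, expected="") == 401
    assert gateway_status({}, expected="") == 401
```

Passing a different callable to `failing_cases` runs the same table against the real middleware once it is wired in.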
Suggested smoke sequence
[Diagram: suggested smoke sequence]
Commands
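Local validation:
```powershell
# Lint the code base
ruff check .
# Byte-compile the app package to catch syntax errors
python -m compileall app
# Run the unit tests
pytest -q
# Run the smoke script
python scripts\smoke.py
```
Remote smoke against a deployed APIM endpoint:
```powershell
# Set for the current session only
$env:BASE = "https://<apim-host>/jira-mcp"
$env:TOKEN = "<short-lived-atlassian-access-token>"
python scripts\smoke.py
```
Never commit or paste real tokens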
Tokens belong in transient environment variables only. Do not put them in files, commit messages, or screenshots. Treat a leaked token as a credential incident.
Concept check
Your remote smoke run reaches tools/list but no Jira tools appear, even though the server is healthy. Where do you look first?
Chapter summary
- Existing unit tests cover auth, middleware, and trimming with a deterministic environment.
- Add MCP protocol, gateway integrity, OAuth, Jira error, multi-site, connector schema, and payload-stress tests.
- The smoke sequence verifies the deployed path end-to-end, including the deliberate 401.