守住 MCP compose 安全邊界

2026-05-13 15:54:46 +08:00
parent dc6fc6953a
commit 7766e35578
1 changed files with 46 additions and 0 deletions
--- a/tests/test_mcp_compose_contracts.py
+++ b/tests/test_mcp_compose_contracts.py
@@ -0,0 +1,46 @@
+from pathlib import Path
+import re
+
+
+ROOT = Path(__file__).resolve().parents[1]
+MCP_COMPOSE = ROOT / "docker-compose.mcp.yml"
+
+
+def _service_block(compose: str, service_name: str) -> str:
+    match = re.search(
+        rf"^  {re.escape(service_name)}:\n(?P<body>.*?)(?=^  [A-Za-z0-9_-]+:\n|\Z)",
+        compose,
+        flags=re.MULTILINE | re.DOTALL,
+    )
+    assert match, f"{service_name} service block missing"
+    return match.group("body")
+
+
+def test_mcp_http_services_keep_healthchecks():
+    compose = MCP_COMPOSE.read_text(encoding="utf-8")
+
+    for service_name in ["postgres-mcp", "mcp-omnisearch", "firecrawl-self"]:
+        block = _service_block(compose, service_name)
+        assert "healthcheck:" in block
+        assert "wget" in block
+        assert "/health" in block
+
+
+def test_firecrawl_stack_keeps_memory_guardrails():
+    compose = MCP_COMPOSE.read_text(encoding="utf-8")
+
+    assert "memory: 2g" in _service_block(compose, "firecrawl-self")
+    assert "memory: 1.5g" in _service_block(compose, "firecrawl-playwright")
+    assert "memory: 128m" in _service_block(compose, "firecrawl-redis")
+    assert "memory: 128m" in _service_block(compose, "filesystem-mcp")
+
+
+def test_filesystem_mcp_stays_read_only():
+    compose = MCP_COMPOSE.read_text(encoding="utf-8")
+    block = _service_block(compose, "filesystem-mcp")
+
+    assert "ALLOWED_PATHS=/data,/logs" in block
+    assert "./data:/data:ro" in block
+    assert "./logs:/logs:ro" in block
+    assert ":rw" not in block
+    assert "/var/run/docker.sock" not in block