stackhawk
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 3 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎CLAUDE.md‎
Lines changed: 11 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 11 additions & 0 deletions
diff --git a/‎pyproject.toml‎
Lines changed: 3 additions & 1 deletion b/‎pyproject.toml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎requirements.txt‎
Lines changed: 2 additions & 0 deletions b/‎requirements.txt‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎stackhawk_mcp/__init__.py‎
Lines changed: 1 addition & 1 deletion b/‎stackhawk_mcp/__init__.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎stackhawk_mcp/__main__.py‎
Lines changed: 4 additions & 2 deletions b/‎stackhawk_mcp/__main__.py‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎stackhawk_mcp/http_server.py‎
Lines changed: 72 additions & 85 deletions b/‎stackhawk_mcp/http_server.py‎
Lines changed: 72 additions & 85 deletions
@@ -26,6 +26,9 @@ jobs:
           python -m pip install --upgrade pip
           pip install -r requirements.txt
           pip install .
+      - name: Run mypy
+        run: |
+          mypy stackhawk_mcp/
       - name: Run tests
         run: |
           pytest --maxfail=1 --disable-warnings
 
@@ -86,6 +86,17 @@ export STACKHAWK_API_KEY="your-api-key-here"
 - Individual test files for each major feature area
 - API integration tests and schema validation tests included
 
+### Tool Routing Tests (REQUIRED)
+
+**Every MCP tool must have a routing test in `tests/test_findings_triage_routing.py`.**
+
+These tests mock the target method and call the tool through the MCP handler, verifying:
+1. The handler resolves to a real method (not an `AttributeError` at runtime)
+2. The method is called on the correct object (`self` vs `self.client`)
+3. Arguments are forwarded correctly
+
+When adding a new tool to `handle_call_tool`, add a corresponding test following the existing pattern. No API key needed — these are pure wiring tests.
+
 ## Development Notes
 
 ### Python Requirements
 
@@ -23,7 +23,9 @@ dev = [
     "pytest>=7.0.0",
     "pytest-asyncio>=0.21.0",
     "black>=23.0.0",
-    "mypy>=1.0.0"
+    "mypy>=1.0.0",
+    "types-PyYAML>=6.0",
+    "types-jsonschema>=4.0.0"
 ]
 
 [project.scripts]
 
@@ -12,6 +12,8 @@ pytest>=7.0.0
 pytest-asyncio>=0.21.0
 black>=23.0.0
 mypy>=1.0.0
+types-PyYAML>=6.0
+types-jsonschema>=4.0.0
 bumpver>=2023.1129
 
 # FastAPI dependencies
 
@@ -7,4 +7,4 @@
 
 __version__ = "1.2.4"
 __author__ = "StackHawk MCP Team"
-__email__ = "support@stackhawk.com"
+__email__ = "support@stackhawk.com"
@@ -1,8 +1,10 @@
 import asyncio
 from .server import main
 
-def cli():
+
+def cli() -> None:
     asyncio.run(main())
 
+
 if __name__ == "__main__":
-    cli() 
+    cli()
@@ -30,125 +30,108 @@
 # Store active SSE connections
 active_connections = {}
 
-def create_jsonrpc_response(id_value, result=None, error=None):
+
+def create_jsonrpc_response(id_value: object, result: object = None, error: object = None) -> dict:
     """Create a proper JSON-RPC 2.0 response"""
-    response = {
-        "jsonrpc": "2.0",
-        "id": id_value
-    }
+    response = {"jsonrpc": "2.0", "id": id_value}
     if error:
         response["error"] = error
     else:
         response["result"] = result
     return response
 
-def fix_tool_schema(tool):
+
+def fix_tool_schema(tool: dict | object) -> dict | object:
     """Fix tool schema to ensure outputSchema and annotations are objects"""
     if isinstance(tool, dict):
         # Ensure outputSchema is an object with proper type
         if tool.get("outputSchema") is None:
             tool["outputSchema"] = {"type": "object"}
         elif isinstance(tool["outputSchema"], dict) and tool["outputSchema"].get("type") is None:
             tool["outputSchema"]["type"] = "object"
-        
+
         # Ensure annotations is an object
         if tool.get("annotations") is None:
             tool["annotations"] = {}
-        
+
         # Ensure meta is an object
         if tool.get("meta") is None:
             tool["meta"] = {}
-    
+
     return tool
 
-async def handle_initialize_request(request_data):
+
+async def handle_initialize_request(request_data: dict) -> dict:
     """Handle MCP initialize request"""
     return create_jsonrpc_response(
         request_data.get("id"),
         {
             "protocolVersion": "2025-03-26",
-            "capabilities": {
-                "tools": {}
-            },
-            "serverInfo": {
-                "name": "StackHawk MCP",
-                "version": __version__
-            }
-        }
+            "capabilities": {"tools": {}},
+            "serverInfo": {"name": "StackHawk MCP", "version": __version__},
+        },
     )
 
-async def handle_list_tools_request(request_data):
+
+async def handle_list_tools_request(request_data: dict) -> dict:
     """Handle MCP list tools request"""
     try:
         tools = await mcp_server.list_tools()
         # Fix the tool schemas to ensure proper objects
-        fixed_tools = [fix_tool_schema(t.dict() if hasattr(t, 'dict') else t) for t in tools]
-        return create_jsonrpc_response(
-            request_data.get("id"),
-            {
-                "tools": fixed_tools
-            }
-        )
+        fixed_tools = [fix_tool_schema(t.dict() if hasattr(t, "dict") else t) for t in tools]
+        return create_jsonrpc_response(request_data.get("id"), {"tools": fixed_tools})
     except Exception as e:
         return create_jsonrpc_response(
-            request_data.get("id"),
-            error={
-                "code": -1,
-                "message": str(e)
-            }
+            request_data.get("id"), error={"code": -1, "message": str(e)}
         )
 
-async def handle_call_tool_request(request_data):
+
+async def handle_call_tool_request(request_data: dict) -> dict:
     """Handle MCP call tool request"""
     try:
         params = request_data.get("params", {})
         name = params.get("name")
         arguments = params.get("arguments", {})
-        
+
         result = await mcp_server.call_tool(name, arguments)
         return create_jsonrpc_response(
             request_data.get("id"),
-            {
-                "content": [r.dict() if hasattr(r, 'dict') else r for r in result]
-            }
+            {"content": [r.dict() if hasattr(r, "dict") else r for r in result]},
         )
     except Exception as e:
         return create_jsonrpc_response(
-            request_data.get("id"),
-            error={
-                "code": -1,
-                "message": str(e)
-            }
+            request_data.get("id"), error={"code": -1, "message": str(e)}
         )
 
+
 @app.post("/mcp")
-async def mcp_endpoint(request: Request):
+async def mcp_endpoint(request: Request) -> Response:
     """Main MCP endpoint that handles all JSON-RPC messages"""
-    
+
     # Check Accept header
     accept_header = request.headers.get("accept", "")
     if "application/json" not in accept_header and "text/event-stream" not in accept_header:
         return JSONResponse(
             content={"error": "Accept header must include application/json or text/event-stream"},
-            status_code=400
+            status_code=400,
         )
-    
+
     try:
         # Parse request body
         body = await request.body()
         if not body:
             return JSONResponse(content={"error": "Empty request body"}, status_code=400)
-        
+
         data = json.loads(body)
-        
+
         # Handle batched requests
         if isinstance(data, list):
             responses = []
             for item in data:
                 response = await handle_jsonrpc_message(item)
                 if response:
                     responses.append(response)
-            
+
             if len(responses) == 1:
                 return JSONResponse(content=responses[0])
             else:
@@ -160,20 +143,21 @@ async def mcp_endpoint(request: Request):
                 return JSONResponse(content=response)
             else:
                 return Response(status_code=202)  # Accepted with no body
-                
+
     except json.JSONDecodeError:
         return JSONResponse(content={"error": "Invalid JSON"}, status_code=400)
     except Exception as e:
         return JSONResponse(content={"error": str(e)}, status_code=500)
 
-async def handle_jsonrpc_message(message):
+
+async def handle_jsonrpc_message(message: object) -> dict | None:
     """Handle individual JSON-RPC message"""
     if not isinstance(message, dict):
         return None
-    
+
     method = message.get("method")
     message_id = message.get("id")
-    
+
     if method == "initialize":
         return await handle_initialize_request(message)
     elif method == "tools/list":
@@ -185,30 +169,26 @@ async def handle_jsonrpc_message(message):
         return None
     else:
         return create_jsonrpc_response(
-            message_id,
-            error={
-                "code": -32601,
-                "message": f"Method not found: {method}"
-            }
+            message_id, error={"code": -32601, "message": f"Method not found: {method}"}
         )
 
+
 @app.get("/mcp")
-async def mcp_sse_endpoint(request: Request):
+async def mcp_sse_endpoint(request: Request) -> Response:
     """SSE endpoint for streaming responses"""
-    
+
     # Check Accept header
     accept_header = request.headers.get("accept", "")
     if "text/event-stream" not in accept_header:
         return JSONResponse(
-            content={"error": "Accept header must include text/event-stream"},
-            status_code=405
+            content={"error": "Accept header must include text/event-stream"}, status_code=405
         )
-    
+
     # Generate connection ID
     connection_id = str(uuid.uuid4())
     active_connections[connection_id] = True
-    
-    async def event_stream():
+
+    async def event_stream():  # type: ignore[no-untyped-def]
         try:
             while active_connections.get(connection_id, False):
                 # For now, just keep the connection alive
@@ -219,41 +199,48 @@ async def event_stream():
         finally:
             if connection_id in active_connections:
                 del active_connections[connection_id]
-    
+
     return StreamingResponse(
         event_stream(),
         media_type="text/event-stream",
         headers={
             "Cache-Control": "no-cache",
             "Connection": "keep-alive",
             "Content-Type": "text/event-stream",
-        }
+        },
     )
 
+
 # Legacy endpoints for manual testing (keep these for now)
 @app.get("/")
-async def root():
-    return JSONResponse(content={
-        "jsonrpc": "2.0",
-        "id": 1,
-        "result": {
-            "serverName": "StackHawk MCP",
-            "serverVersion": __version__,
-            "protocolVersion": "v1"
+async def root() -> JSONResponse:
+    return JSONResponse(
+        content={
+            "jsonrpc": "2.0",
+            "id": 1,
+            "result": {
+                "serverName": "StackHawk MCP",
+                "serverVersion": __version__,
+                "protocolVersion": "v1",
+            },
         }
-    })
+    )
+
 
 @app.post("/")
-async def root_post():
-    return JSONResponse(content={
-        "jsonrpc": "2.0",
-        "id": 1,
-        "result": {
-            "serverName": "StackHawk MCP",
-            "serverVersion": __version__,
-            "protocolVersion": "v1"
+async def root_post() -> JSONResponse:
+    return JSONResponse(
+        content={
+            "jsonrpc": "2.0",
+            "id": 1,
+            "result": {
+                "serverName": "StackHawk MCP",
+                "serverVersion": __version__,
+                "protocolVersion": "v1",
+            },
         }
-    })
+    )
+
 
 if __name__ == "__main__":
-    uvicorn.run("stackhawk_mcp.http_server:app", host="0.0.0.0", port=8080, reload=True) 
+    uvicorn.run("stackhawk_mcp.http_server:app", host="0.0.0.0", port=8080, reload=True)