feat: add get_business_term MCP tool

[connor-savage]

Summary

Add get_business_term MCP tool to Chip.

Generated by chip-factory pipeline.

[svc-snyk-github-jira]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scanner	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues
✅	Licenses	0	0	0	0	0 issues
✅	Code Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[EricWarnerCollibra]

Review: get_business_term Tool

Convention Compliance ✅

All conventions are followed correctly:

• Package name get_business_term matches directory name (snake_case)
• Exports NewTool, Input, Output (plus supporting lineage types)
• NewTool takes *http.Client and returns *chip.Tool[Input, Output]
• handler is unexported and returns chip.ToolHandlerFunc[Input, Output]
• Input/Output use json and jsonschema tags throughout
• Tool name get_business_term is snake_case
• Errors returned as Output{}, err — no panics
• No direct mcp-go imports — only uses pkg/chip and pkg/clients
• Client calls go through pkg/clients/get_business_term_client.go
• Permissions: []string{"dgc.ai-copilot"} — consistent with similar tools (ask_dad, ask_glossary)
• Registered correctly in register.go

Build, Test, Lint ✅

• Build: go build ./cmd/chip — passed
• Unit Tests: All 7 tests passed (FullLineage, NotFound, EmptyAssetID, NoAttributesNoLineage, FiltersNonPhysicalData, MultipleDataAttributes, ServerError)
• Full Test Suite: All 14 packages passed, no regressions
• Lint: golangci-lint run ./... — clean, no warnings

MCP Validation ✅

• Tool registered and visible via factory mcp-list
• Empty asset_id returns: {"isError": true, "text": "asset_id is required"}
• Missing asset_id field rejected by JSON schema validation
• Non-existent UUID returns: "asset not found: 00000000-..."

Adversarial Testing ✅ (7 edge cases tested)

Input	Result	Verdict
"" (empty string)	asset_id is required	✅ Clean error
{} (missing field)	JSON schema validation error	✅ Caught at framework level
00000000-0000-0000-0000-000000000000 (zero UUID)	asset not found	✅ Clear error
not-a-uuid-at-all (malformed)	unexpected status: 400	✅ Handled
<script>alert(1)</script> (XSS)	unexpected status: 403	✅ Safe
166-char string (very long)	unexpected status: 400	✅ Handled
SQL injection string	unexpected status: 403	✅ Safe
Path traversal ../../etc/passwd	decoding response: invalid character '<'	✅ Safe (url.PathEscape prevents traversal)

Code Quality Observations

Strengths:

• Clean 3-level lineage traversal (BT → DA → Table → Column) with proper filtering at each level
• Test coverage is thorough: happy path, error cases, empty data, multi-DA, non-physical filtering
• Client code properly uses url.PathEscape for the asset ID in the URL path
• Consistent use of make([]T, 0) ensures empty JSON arrays [] instead of null

Minor notes (non-blocking):

• No pagination for attributes/relations responses — if a business term has >1000 attributes or relations, some may be missed. Acceptable for v1.
• The path traversal input returns a JSON decoding error rather than a cleaner "invalid asset ID" message — the API returns HTML for that input. Not a bug, just slightly less polished error messaging.

Verdict: APPROVED — The tool is well-implemented, follows all conventions, has excellent test coverage, and handles edge cases gracefully.

[connor-savage]

 Full pipeline succeeded end-to-end:   
                                                                                         - PR #25 opened for get_business_term                                                  - Review: APPROVED by the reviewer agent (using separate token)                    
  - Build, tests, lint, MCP validation all passed                                        - 7 adversarial tests passed (empty strings, missing fields, non-existent UUIDs,   
  malformed UUIDs, XSS/SQL injection, path traversal, long strings)                  
  - 2 non-blocking notes: no pagination for large attribute/relation sets (acceptable
  for v1), and path traversal produces a JSON decode error vs cleaner message
  - Review cost: $2.00, integration cost: ~$0.70
  - Total pipeline time: 16m43s