fix: address critical code review issues for validation improvements

- Fix type safety vulnerability in enhanced-config-validator.ts
  - Added proper type checking before string operations
  - Return early when nodeType is invalid instead of using empty string

- Improve error handling robustness in MCP server
  - Wrapped validation in try-catch to handle unexpected errors
  - Properly re-throw ValidationError instances
  - Add user-friendly error messages for internal errors

- Write comprehensive CHANGELOG entry for v2.10.3
  - Document fixes for issues #58, #68, #70, #73
  - Detail new validation system features
  - List all enhancements and test coverage

Addressed HIGH priority issues from code review:
- Type safety holes in config validator
- Missing error handling for validation system failures
- Consistent error types across validation tools

Author: czlonkowski

CLAUDE.md

@@ -180,6 +180,9 @@ The MCP server exposes tools in several categories:
 - Sub-agents are not allowed to spawn further sub-agents
 - When you use sub-agents, do not allow them to commit and push. That should be done by you
 
+### Development Best Practices
+- Run typecheck and lint after every code change
+
 # important-instruction-reminders
 Do what has been asked; nothing more, nothing less.
 NEVER create files unless they're absolutely necessary for achieving your goal.

data/nodes.db

@@ -7,6 +7,51 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.10.3] - 2025-08-07
+
+### Fixed
+- **Validation System Robustness**: Fixed multiple critical validation issues affecting AI agents and workflow validation (fixes #58, #68, #70, #73)
+  - **Issue #73**: Fixed `validate_node_minimal` crash when config is undefined
+    - Added safe property access with optional chaining (`config?.resource`)
+    - Tool now handles undefined, null, and malformed configs gracefully
+  - **Issue #58**: Fixed `validate_node_operation` crash on invalid nodeType
+    - Added type checking before calling string methods
+    - Prevents "Cannot read properties of undefined (reading 'replace')" error
+  - **Issue #70**: Fixed validation profile settings being ignored
+    - Extended profile parameter to all validation phases (nodes, connections, expressions)
+    - Added Sticky Notes filtering to reduce false positives
+    - Enhanced cycle detection to allow legitimate loops (SplitInBatches)
+  - **Issue #68**: Added error recovery suggestions for AI agents
+    - New `addErrorRecoverySuggestions()` method provides actionable recovery steps
+    - Categorizes errors and suggests specific fixes for each type
+    - Helps AI agents self-correct when validation fails
+
+### Added
+- **Input Validation System**: Comprehensive validation for all MCP tool inputs
+  - Created `validation-schemas.ts` with custom validation utilities
+  - No external dependencies - pure TypeScript implementation
+  - Tool-specific validation schemas for all MCP tools
+  - Clear error messages with field-level details
+- **Enhanced Cycle Detection**: Improved detection of legitimate loops vs actual cycles
+  - Recognizes SplitInBatches loop patterns as valid
+  - Reduces false positive cycle warnings
+- **Comprehensive Test Suite**: Added 16 tests covering all validation fixes
+  - Tests for crash prevention with malformed inputs
+  - Tests for profile behavior across validation phases
+  - Tests for error recovery suggestions
+  - Tests for legitimate loop patterns
+
+### Enhanced
+- **Validation Profiles**: Now consistently applied across all validation phases
+  - `minimal`: Reduces warnings for basic validation
+  - `runtime`: Standard validation for production workflows
+  - `ai-friendly`: Optimized for AI agent workflow creation
+  - `strict`: Maximum validation for critical workflows
+- **Error Messages**: More helpful and actionable for both humans and AI agents
+  - Specific recovery suggestions for common errors
+  - Clear guidance on fixing validation issues
+  - Examples of correct configurations
+
 ## [2.10.2] - 2025-08-05
 
 ### Updated

docs/CHANGELOG.md

@@ -1,6 +1,6 @@
 {
   "name": "n8n-mcp",
-  "version": "2.10.2",
+  "version": "2.10.3",
   "description": "Integration between n8n workflow automation and Model Context Protocol (MCP)",
   "main": "dist/index.js",
   "bin": {

package.json

@@ -28,6 +28,7 @@ import { handleUpdatePartialWorkflow } from './handlers-workflow-diff';
 import { getToolDocumentation, getToolsOverview } from './tools-documentation';
 import { PROJECT_VERSION } from '../utils/version';
 import { normalizeNodeType, getNodeTypeAlternatives, getWorkflowNodeType } from '../utils/node-utils';
+import { ToolValidation, Validator, ValidationError } from '../utils/validation-schemas';
 import { 
   negotiateProtocolVersion, 
   logProtocolNegotiation,
@@ -460,9 +461,77 @@ export class N8NDocumentationMCPServer {
   }
 
   /**
-   * Validate required parameters for tool execution
+   * Enhanced parameter validation using schemas
    */
-  private validateToolParams(toolName: string, args: any, requiredParams: string[]): void {
+  private validateToolParams(toolName: string, args: any, legacyRequiredParams?: string[]): void {
+    try {
+      // If legacy required params are provided, use the new validation but fall back to basic if needed
+      let validationResult;
+      
+      switch (toolName) {
+        case 'validate_node_operation':
+          validationResult = ToolValidation.validateNodeOperation(args);
+          break;
+        case 'validate_node_minimal':
+          validationResult = ToolValidation.validateNodeMinimal(args);
+          break;
+        case 'validate_workflow':
+        case 'validate_workflow_connections':
+        case 'validate_workflow_expressions':
+          validationResult = ToolValidation.validateWorkflow(args);
+          break;
+      case 'search_nodes':
+        validationResult = ToolValidation.validateSearchNodes(args);
+        break;
+      case 'list_node_templates':
+        validationResult = ToolValidation.validateListNodeTemplates(args);
+        break;
+      case 'n8n_create_workflow':
+        validationResult = ToolValidation.validateCreateWorkflow(args);
+        break;
+      case 'n8n_get_workflow':
+      case 'n8n_get_workflow_details':
+      case 'n8n_get_workflow_structure':
+      case 'n8n_get_workflow_minimal':
+      case 'n8n_update_full_workflow':
+      case 'n8n_delete_workflow':
+      case 'n8n_validate_workflow':
+      case 'n8n_get_execution':
+      case 'n8n_delete_execution':
+        validationResult = ToolValidation.validateWorkflowId(args);
+        break;
+      default:
+        // For tools not yet migrated to schema validation, use basic validation
+        return this.validateToolParamsBasic(toolName, args, legacyRequiredParams || []);
+      }
+      
+      if (!validationResult.valid) {
+        const errorMessage = Validator.formatErrors(validationResult, toolName);
+        logger.error(`Parameter validation failed for ${toolName}:`, errorMessage);
+        throw new ValidationError(errorMessage);
+      }
+    } catch (error) {
+      // Handle validation errors properly
+      if (error instanceof ValidationError) {
+        throw error; // Re-throw validation errors as-is
+      }
+      
+      // Handle unexpected errors from validation system
+      logger.error(`Validation system error for ${toolName}:`, error);
+      
+      // Provide a user-friendly error message
+      const errorMessage = error instanceof Error 
+        ? `Internal validation error: ${error.message}`
+        : `Internal validation error while processing ${toolName}`;
+      
+      throw new Error(errorMessage);
+    }
+  }
+  
+  /**
+   * Legacy parameter validation (fallback)
+   */
+  private validateToolParamsBasic(toolName: string, args: any, requiredParams: string[]): void {
     const missing: string[] = [];
 
     for (const param of requiredParams) {
@@ -619,12 +688,17 @@ export class N8NDocumentationMCPServer {
               fix: 'Provide config as an object with node properties'
             }],
             warnings: [],
-            suggestions: [],
+            suggestions: [
+              '🔧 RECOVERY: Invalid config detected. Fix with:',
+              '   • Ensure config is an object: { "resource": "...", "operation": "..." }',
+              '   • Use get_node_essentials to see required fields for this node type',
+              '   • Check if the node type is correct before configuring it'
+            ],
             summary: {
               hasErrors: true,
               errorCount: 1,
               warningCount: 0,
-              suggestionCount: 0
+              suggestionCount: 3
             }
           };
         }
@@ -638,7 +712,10 @@ export class N8NDocumentationMCPServer {
             nodeType: args.nodeType || 'unknown',
             displayName: 'Unknown Node',
             valid: false,
-            missingRequiredFields: ['Invalid config format - expected object']
+            missingRequiredFields: [
+              'Invalid config format - expected object',
+              '🔧 RECOVERY: Use format { "resource": "...", "operation": "..." } or {} for empty config'
+            ]
           };
         }
         return this.validateNodeMinimal(args.nodeType, args.config);
@@ -2141,12 +2218,12 @@ Full documentation is being prepared. For now, use get_node_essentials for confi
     // Get properties  
     const properties = node.properties || [];
 
-    // Extract operation context
+    // Extract operation context (safely handle undefined config properties)
     const operationContext = {
-      resource: config.resource,
-      operation: config.operation,
-      action: config.action,
-      mode: config.mode
+      resource: config?.resource,
+      operation: config?.operation,
+      action: config?.action,
+      mode: config?.mode
     };
 
     // Find missing required fields
@@ -2163,7 +2240,7 @@ Full documentation is being prepared. For now, use get_node_essentials for confi
         // Check show conditions
         if (prop.displayOptions.show) {
           for (const [key, values] of Object.entries(prop.displayOptions.show)) {
-            const configValue = config[key];
+            const configValue = config?.[key];
             const expectedValues = Array.isArray(values) ? values : [values];
 
             if (!expectedValues.includes(configValue)) {
@@ -2176,7 +2253,7 @@ Full documentation is being prepared. For now, use get_node_essentials for confi
         // Check hide conditions
         if (isVisible && prop.displayOptions.hide) {
           for (const [key, values] of Object.entries(prop.displayOptions.hide)) {
-            const configValue = config[key];
+            const configValue = config?.[key];
             const expectedValues = Array.isArray(values) ? values : [values];
 
             if (expectedValues.includes(configValue)) {
@@ -2189,8 +2266,8 @@ Full documentation is being prepared. For now, use get_node_essentials for confi
         if (!isVisible) continue;
       }
 
-      // Check if field is missing
-      if (!(prop.name in config)) {
+      // Check if field is missing (safely handle null/undefined config)
+      if (!config || !(prop.name in config)) {
         missingFields.push(prop.displayName || prop.name);
       }
     }

src/mcp/server.ts

@@ -45,6 +45,19 @@ export class EnhancedConfigValidator extends ConfigValidator {
     mode: ValidationMode = 'operation',
     profile: ValidationProfile = 'ai-friendly'
   ): EnhancedValidationResult {
+    // Input validation - ensure parameters are valid
+    if (typeof nodeType !== 'string') {
+      throw new Error(`Invalid nodeType: expected string, got ${typeof nodeType}`);
+    }
+    
+    if (!config || typeof config !== 'object') {
+      throw new Error(`Invalid config: expected object, got ${typeof config}`);
+    }
+    
+    if (!Array.isArray(properties)) {
+      throw new Error(`Invalid properties: expected array, got ${typeof properties}`);
+    }
+    
     // Extract operation context from config
     const operationContext = this.extractOperationContext(config);
 
@@ -190,6 +203,17 @@ export class EnhancedConfigValidator extends ConfigValidator {
     config: Record<string, any>,
     result: EnhancedValidationResult
   ): void {
+    // Type safety check - this should never happen with proper validation
+    if (typeof nodeType !== 'string') {
+      result.errors.push({
+        type: 'invalid_type',
+        property: 'nodeType',
+        message: `Invalid nodeType: expected string, got ${typeof nodeType}`,
+        fix: 'Provide a valid node type string (e.g., "nodes-base.webhook")'
+      });
+      return;
+    }
+    
     // First, validate fixedCollection properties for known problematic nodes
     this.validateFixedCollectionStructures(nodeType, config, result);