Skip to content

fix(security): enable in-process tpa-descriptions scanner without Docker (MCP-2396)#662

Merged
Dumbris merged 1 commit into
mainfrom
fix/mcp-2396-tpa-descriptions-error-state
Jun 14, 2026
Merged

fix(security): enable in-process tpa-descriptions scanner without Docker (MCP-2396)#662
Dumbris merged 1 commit into
mainfrom
fix/mcp-2396-tpa-descriptions-error-state

Conversation

@Dumbris

@Dumbris Dumbris commented Jun 14, 2026

Copy link
Copy Markdown
Member

Problem

The built-in tpa-descriptions scanner (MCPProxy's flagship in-process Tool-Poisoning-Attack description analyzer, added in #636) enables 'successfully' but lands in status=error with an empty error field and docker_image=''. resolveScanners then prefail-skips it on every scan with the unactionable notice "reconfigure it from the Security page" — but it's a built-in with nothing to configure. The TPA description scan never runs via the pipeline.

Root cause

tpa-descriptions is InProcess: true and has no Docker image, so EffectiveImage() returns "". The enable endpoint (POST /scanners/{id}/enableInstallScanner) had no in-process branch: the empty image fell through to the Docker fast-path / availability check / pull flow, so the scanner ended up pullingerror.

Fix (internal/security/scanner/)

  • InstallScanner: short-circuit InProcess scanners to installed synchronously (via targetStatusAfterPull), skipping the Docker image-availability/pull path entirely. No image, nothing to pull.
  • syncRegistryFromStorage: self-heal at startup — an in-process scanner an older build persisted in a Docker state (error/pulling) is reset to installed and re-saved, so existing broken installs recover without a manual re-toggle.

No docker_image is expected for this scanner; behavior now matches the existing docs (docs/features/security-scanner-plugins.md: "installed (always on) out of the box"), so no doc change is needed.

Tests (TDD — red first, then green)

  • TestServiceInstallInProcessScanner — enabling an in-process scanner lands it in installed (not error/pulling), persists it, and emits a scanner_changed installed event. Failed before the fix (got "pulling").
  • TestServiceHealsInProcessScannerStuckInError — a service constructed with a stale error record for an in-process scanner self-heals to installed at startup.

Verification

go build ./...                                   # ok
go test ./internal/security/... -race            # ok (scanner, security, patterns)
golangci-lint v2.5.0 run --config .github/.golangci.yml ./internal/security/scanner/...  # 0 issues

Related MCP-2396

…ker (MCP-2396)

The built-in, Docker-less tpa-descriptions scanner has an empty EffectiveImage(),
so the enable path (InstallScanner) fell through to the Docker pull flow and left
it stuck in 'error'/'pulling'. resolveScanners then prefail-skipped every scan with
an unactionable 'reconfigure it from the Security page' notice — the flagship
Tool-Poisoning-Attack description scan never ran via the pipeline.

- InstallScanner: short-circuit InProcess scanners to 'installed' synchronously,
  skipping the Docker image-availability/pull path entirely.
- syncRegistryFromStorage: self-heal in-process scanners an older build persisted
  in a Docker state (error/pulling) back to 'installed' at startup, so existing
  broken installs recover without a manual re-toggle.

Adds TestServiceInstallInProcessScanner (enable path) and
TestServiceHealsInProcessScannerStuckInError (startup heal).

Related MCP-2396
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying mcpproxy-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: 4189612
Status: ✅  Deploy successful!
Preview URL: https://1fe521f7.mcpproxy-docs.pages.dev
Branch Preview URL: https://fix-mcp-2396-tpa-description.mcpproxy-docs.pages.dev

View logs

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 46.15385% with 7 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
internal/security/scanner/service.go 46.15% 5 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!

@github-actions

Copy link
Copy Markdown

📦 Build Artifacts

Workflow Run: View Run
Branch: fix/mcp-2396-tpa-descriptions-error-state

Available Artifacts

  • archive-darwin-amd64 (28 MB)
  • archive-darwin-arm64 (25 MB)
  • archive-linux-amd64 (16 MB)
  • archive-linux-arm64 (14 MB)
  • archive-windows-amd64 (28 MB)
  • archive-windows-arm64 (25 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (21 MB)
  • installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27501562256 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

@mcpproxy-gatekeeper mcpproxy-gatekeeper Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved via Claude Code review (Codex out): in-process tpa-descriptions enable+heal (MCP-2396). Reviewer verified fix + tests + CI green; VERDICT ACCEPT.

@Dumbris Dumbris merged commit 5889ac8 into main Jun 14, 2026
37 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants