feat(quarantine): trust-baseline tool approval + rug-pull flag + migration (MCP-2931)#726
…ation (MCP-2931)

Implements the trust-based tool-approval model. A trusted (non-quarantined) server's CURRENT toolset auto-approves as its baseline (approved_by "auto-baseline") instead of stranding as pending. Post-baseline review still applies: an approved tool whose hash changes flips to changed (rug pull) and a genuinely-new tool flips to pending — both blocked — unless the per-server auto_approve_tool_changes flag (MCP-2930) is set, which auto-approves all post-baseline changes AND additions for that server.

Existing installs are migrated automatically: a trusted server with no approved baseline promotes its already-stranded pending records (whose stored hash matches the live tool) to approved on the next discovery pass, clearing the reporter's case with no user action. A changed (rug-pull) record is NEVER cleared by migration.

Two-gate consistency: index blocking (BlockedTools) now keys off stored pending status regardless of server-level quarantine, matching the call-time gate (internal/server/mcp.go), so a tool is never indexed/visible-but-uncallable.

New transition reasons (ReasonBaselineTrust, ReasonAutoApproveChanges) keep the approval invariant explicit: only user action or the explicit per-server flag may clear a changed record. TDD red→green tests cover every transition.

Parent: MCP-2916.
Deploying mcpproxy-docs with Cloudflare Pages

| | |
|---|---|
| Latest commit: | 5485583 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://643f99f7.mcpproxy-docs.pages.dev |
| Branch Preview URL: | https://feat-mcp2931-trust-baseline.mcpproxy-docs.pages.dev |
Codecov Report: ❌ Patch coverage is
📦 Build Artifacts

Workflow Run: View Run
Available Artifacts

How to Download

Option 1: GitHub Web UI (easiest)
Option 2: GitHub CLI: `gh run download 27822638601 --repo smart-mcp-proxy/mcpproxy-go`
Approved via Claude Code review (MCP-2931). Trust-baseline tool approval: baseline auto-approve on trusted servers, post-baseline rug-pull/new→blocked, auto_approve_tool_changes flag bypass, safe migration (never clears a rug-pull), two-gate index/call consistency fixed. 8 new TDD tests + strengthened rapid property tests; go build both editions; -race tests pass; golangci-lint 0 issues.
# Conflicts:
#	docs/features/tool-quarantine.md
Summary

Implements the trust-based tool-approval model (MCP-2931, parent MCP-2916) in `internal/runtime/tool_quarantine.go`. This is the security-sensitive core that fixes the reporter's case where a `quarantined: false` server still stranded its tools as `pending`.

Behavior

- Trusted (non-quarantined) server: its CURRENT toolset auto-approves as its baseline (`approved`, `approved_by: "auto-baseline"`) instead of `pending`. Covers config-loaded `quarantined: false` servers (discovery path) and the server-unquarantine promotion path.
- Post-baseline review (`auto_approve_tool_changes: false`): an approved tool whose hash changes → `changed` (rug pull) → blocked; a genuinely-new post-baseline tool → `pending` → blocked.
- `auto_approve_tool_changes: true`: auto-approves all post-baseline changes AND additions for that server — no `changed`/`pending` (consumes the MCP-2930 flag; legacy `skip_quarantine` migrates onto it).
- Migration: a trusted server with no approved baseline promotes its already-stranded `pending` records (whose stored hash matches the live tool) to `approved` on the next discovery pass — clears the reporter's case with no user action. A `changed` (rug-pull) record is never cleared by migration.
- Two-gate consistency: index blocking (`BlockedTools`) now keys off stored `pending` status regardless of server-level quarantine, matching the call-time gate (`internal/server/mcp.go`). A tool is never indexed/visible-but-uncallable.

Invariant safety

Two new transition reasons (`ReasonBaselineTrust`, `ReasonAutoApproveChanges`) keep `assertToolApprovalInvariant` explicit: a `changed` record may only be cleared by explicit user action or the explicit per-server `auto_approve_tool_changes` flag. Rug-pull detection is not weakened on any default path.

Tests (TDD red→green)

New `internal/runtime/tool_quarantine_trust_baseline_test.go` covers: baseline auto-approve; post-baseline new→pending; post-baseline rug-pull→changed; `auto_approve_tool_changes` bypass of new+changed and clearing an existing changed; stranded-pending migration; migration does-not-clear-changed; two-gate consistency across passes. Existing trusted-server tests updated to the new model; heavy `rapid` property invariant tests (on quarantined servers) still green.

Verification

- `go test ./internal/runtime/... ./internal/server/... -short -race` → green (no data races).
- Property tests (`TestRapidQuarantineStateMachine`, `*NeverAutoApproved`) → green.
- `golangci-lint run --config .github/.golangci.yml ./internal/runtime/... ./internal/server/...` → 0 issues.

Docs (ENG-9)

`docs/features/tool-quarantine.md`, `docs/features/security-quarantine.md`, `docs/configuration.md`, `CLAUDE.md` updated to describe the trust-baseline model, the now-enforced `auto_approve_tool_changes`, and the migration.

Parent: MCP-2916. Related: MCP-2930 (#724).
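The state machine the description above lays out (baseline trust, post-baseline rug-pull and new-tool blocking, the `auto_approve_tool_changes` bypass, stranded-pending migration that never clears a `changed` record, and a single stored-status predicate behind both the index gate and the call gate) is easiest to reason about as code. The Go program below is an added, self-contained re-implementation written for this page; it is not code from this PR or from mcpproxy-go. The `Tool`, `Record` and `Server` types and their fields, the SHA-256-over-name/description/schema tool hash, and every reason name other than `ReasonBaselineTrust` and `ReasonAutoApproveChanges` are assumptions made here for illustration.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"sort"
)

// Hypothetical re-implementation of the trust-baseline approval model this PR describes;
// type, field and reason names are assumptions, not mcpproxy-go's own code.
type Status string
type Reason string
const (
	StatusPending  Status = "pending"  // never approved: blocked
	StatusApproved Status = "approved" // callable
	StatusChanged  Status = "changed"  // rug pull: approved hash no longer matches the live tool; blocked

	ReasonNewTool            Reason = "new_tool"
	ReasonRugPull            Reason = "rug_pull"
	ReasonUserApproved       Reason = "user_approved"
	ReasonBaselineTrust      Reason = "baseline_trust"       // trusted server: baseline, or stranded-pending migration
	ReasonAutoApproveChanges Reason = "auto_approve_changes" // explicit per-server auto_approve_tool_changes flag
)
type Tool struct{ Name, Description, Schema string } // all three feed Hash, so a silent edit to any of them is a change
func (t Tool) Hash() [32]byte { return sha256.Sum256([]byte(t.Name + "\x00" + t.Description + "\x00" + t.Schema)) }
type Record struct {
	Hash       [32]byte // hash the tool was approved at (or last seen at, while still pending)
	Status     Status
	ApprovedBy string
	Reason     Reason
}
func (r *Record) approve(hash [32]byte, by string, why Reason) {
	r.Hash, r.Status, r.ApprovedBy, r.Reason = hash, StatusApproved, by, why
}

type Server struct {
	Quarantined, AutoApproveToolChanges bool
	Records                             map[string]*Record // keyed by tool name
}

// Discover is one discovery pass: reconcile the live toolset against the stored records.
func (s *Server) Discover(tools []Tool) {
	baseline := false // decided once, before anything this pass approves
	for _, r := range s.Records {
		baseline = baseline || r.Status == StatusApproved
	}
	trusted := !s.Quarantined
	bypass := trusted && s.AutoApproveToolChanges
	for _, t := range tools {
		live := t.Hash()
		rec, known := s.Records[t.Name]
		if !known {
			rec = &Record{Hash: live, Status: StatusPending, Reason: ReasonNewTool}
			s.Records[t.Name] = rec
		}
		rugPull := rec.Status == StatusChanged || (rec.Status == StatusApproved && rec.Hash != live)
		switch {
		case bypass && (rugPull || rec.Status == StatusPending):
			rec.approve(live, "auto-approve-changes", ReasonAutoApproveChanges) // flag covers changes AND additions
		case rugPull:
			rec.Status, rec.Reason = StatusChanged, ReasonRugPull // approved hash kept; migration never clears this
		case rec.Status == StatusPending && trusted && !baseline && rec.Hash == live:
			rec.approve(live, "auto-baseline", ReasonBaselineTrust) // baseline, or stranded-pending migration
		case rec.Status == StatusPending:
			rec.Hash = live // stays pending: quarantined server, or genuinely-new post-baseline tool
		}
	}
}

// ApproveByUser is the only path besides auto_approve_tool_changes that clears a changed record.
func (s *Server) ApproveByUser(t Tool) {
	if r, ok := s.Records[t.Name]; ok {
		r.approve(t.Hash(), "user", ReasonUserApproved)
	}
}

// BlockedTools is the index-time gate and Callable the call-time gate. Both key off the stored
// status alone, never server-level quarantine, so a tool is never indexed/visible-but-uncallable.
func (s *Server) BlockedTools() (out []string) {
	for name, r := range s.Records {
		if r.Status != StatusApproved {
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out
}

func (s *Server) Callable(name string) bool {
	r, ok := s.Records[name]
	return ok && r.Status == StatusApproved
}

func main() {
	srv := &Server{Records: map[string]*Record{}} // trusted server, flag off; constructed toolset below
	srv.Discover([]Tool{{"read_file", "Read a file", `{"path":"string"}`}})
	srv.Discover([]Tool{{"read_file", "Read a file", `{"path":"string","follow":"bool"}`}, {"exec", "Run", `{"cmd":"string"}`}})
	fmt.Println("blocked:", srv.BlockedTools(), "read_file callable:", srv.Callable("read_file"))
}
```

Two design points carry the PR's invariants. `baseline` is computed once before the loop, so the first tool approved in a pass cannot demote the rest of that same toolset to `pending`; and a `changed` record is reachable only from the `bypass` case or `ApproveByUser`, so no discovery or migration pass can launder a rug pull back to `approved`. Because `BlockedTools` and `Callable` evaluate the same stored status, the index gate and the call gate cannot drift apart.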