21284416549
60%

Ran 23 Jan 2026 11:28AM UTC

Jobs 1

Files 461

Run time 1min

Badge

Embed ▾

Committed 23 Jan 2026 11:21AM UTC coverage: 59.852% (+0.01%) from 59.84%

Build # 21284416549

Build Type

push

github

Committed by

web-flow

Commit Message

Fix authorization bypass for unknown MCP methods (#3406)

Previously, MCP methods not in the MCPMethodToFeatureOperation map
bypassed authorization checks entirely, allowing unauthenticated access
to security-sensitive operations like sampling/createMessage (LLM text
generation), elicitation/create, and task management methods.

This commit switches to a default-deny security model where:
  - Unknown methods are rejected with a clear error message
  - All methods must be explicitly configured in the authorization map
  - Protocol-level methods (ping, initialize, notifications) are
    explicitly marked as always-allowed
  - Security-sensitive methods are explicitly denied until proper
    authorization features are implemented

Closes: #3168

Co-authored-by: taskbot <taskbot@users.noreply.github.com>

Run Details

7 of 7 new or added lines in 1 file covered. (100.0%)

5 existing lines in 2 files now uncovered.

36977 of 61781 relevant lines covered (59.85%)

80.0 hits per line

Uncovered Existing Lines

Lines	Coverage	∆	File
2	84.23	-0.28%	pkg/vmcp/composer/workflow_engine.go
3	71.85	-1.11%	pkg/ignore/processor.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	21284416549.1	23 Jan 2026 11:28AM UTC	461	59.85	GitHub Action Run

stacklok / toolhive / 21284416549
60%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Existing Lines

Jobs

Source Files on build 21284416549

stacklok / toolhive / 21284416549 60%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Existing Lines

Jobs

Source Files on build 21284416549

stacklok / toolhive / 21284416549
60%

README BADGES
x