fix(self-mod): render full MCP server payload on the approval card#2998
Open
glifocat wants to merge 3 commits into
Open
fix(self-mod): render full MCP server payload on the approval card#2998glifocat wants to merge 3 commits into
glifocat wants to merge 3 commits into
Conversation
The add_mcp_server approval card showed only the server name and command, but approval applied name, command, args, and env. The approver authorized fields they never saw. Render every field JSON encoded, so boundaries are exact and an embedded newline shows as a visible \n escape instead of adding fake lines to the card. Validate args/env types before the approval is created. apply.ts is unchanged, it already applies exactly the stored payload.
3f5b41e to
874ee63
Compare
Render the payload in a code fence with invisibles and backticks escaped as visible \uXXXX, redact secret-shaped values to a byte count plus sha256 fingerprint (card only, the verbatim value is still applied), and reject oversized payloads before the approval row exists (32 args, 32 env vars, 16 KB payload, 1500-byte rendered card). A failed card delivery now deletes the pending approval row instead of leaving it orphaned.
b94005c to
8a03d1d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Type of Change
.claude/skills/<name>/, no source changes)Description
Closes #2762. Closes #2827 (same finding filed twice).
What this does
The
add_mcp_serverapproval card now shows every field that gets applied, not just the name and command. The payload renders in a code fence, one JSON-encoded line per field. Bad payloads are rejected before the approval row exists.Example card:
The details:
\uXXXXescapes. Payload content cannot close the fence or add lines to the card.GITHUB_TOKEN, values likesk-...) are redacted on the card only. The real value is applied unchanged. The fingerprint lets an approver check the value against a copy they already have.NODE_OPTIONSare not secret-shaped and stay fully visible.primitive.ts, all approval types).Why
The handler stores name, command, args, and env in the approval payload, but the card only rendered name and command. On approve, all four fields go into the group's MCP server config. So the approver authorized args and env they never saw. #2762 and #2827 report this, with repro payloads.
How I verified it
src/modules/self-mod/request.test.ts, 15 tests, the first for this module: card contents (fails on unfixed main), fence integrity against markdown and backtick payloads, visible escapes for bidi/zero-width/BOM, redaction fingerprints, boundaries at 32/33 args and env vars and at the exact byte limits, type validation, and the card as delivered through the chat-sdk bridge.src/modules/approvals/primitive.test.ts: delivery failure removes the row (fails on unfixedprimitive.ts), success keeps it.tsc --noEmit, eslint, and prettier clean on the changed files.Left out on purpose: a digest binding the approved payload to the approval row. Apply already reads the stored payload directly. Possible follow-up.
Assisted by Claude; reviewed and verified by a human before submission.