Skip to content

use policies for server load and config set#523

Merged
kgprs merged 2 commits into
docker:mainfrom
mickael-docker:server-load-policy
Jun 25, 2026
Merged

use policies for server load and config set#523
kgprs merged 2 commits into
docker:mainfrom
mickael-docker:server-load-policy

Conversation

@mickael-docker

Copy link
Copy Markdown
Contributor

mirrors the behaviour of mcp-add and provides defense-in-depth

this provides defense-in-depth
@mickael-docker mickael-docker requested a review from a team as a code owner June 23, 2026 15:31

@kgprs kgprs left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I found one issue in the activate-profile policy path.

Comment thread pkg/gateway/activateprofile.go Outdated
var validationErrors []serverValidation

for _, serverName := range serversToActivate {
if err := g.checkServerLoadPolicy(ctx, serverName, nil); err != nil {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because checkServerLoadPolicy always builds the request from g.configuration, this path evaluates profile servers before they have been merged into that configuration. For a newly activated profile server, Configuration.policyRequest hits the missing-server branch and sends only the server/action, without the target, server type, server source, transport, catalog, or working-set metadata that policy rules may depend on. That means policies matching those fields can fail to block activate-profile. Consider evaluating against profileConfig here, or passing an already-built policy.Request into the shared helper.

@kgprs kgprs merged commit b0d52aa into docker:main Jun 25, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants