Introduce tool:list verb for ingress and tool:read for egress filtering#4050
Introduce tool:list verb for ingress and tool:read for egress filtering#4050ghaskins wants to merge 1 commit intostacklok:mainfrom
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #4050 +/- ##
==========================================
- Coverage 68.68% 68.67% -0.01%
==========================================
Files 454 458 +4
Lines 46027 46255 +228
==========================================
+ Hits 31612 31766 +154
- Misses 11977 12041 +64
- Partials 2438 2448 +10 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR refines the authorization model by separating tool discovery from tool invocation, adding an explicit ingress permission for list requests and switching tool-list egress filtering to a read-style permission.
Changes:
- Add an ingress authorization check for MCP list operations (
MCPOperationList), enabling policies to gate discovery requests (e.g.,Action::"list_tools"). - Update tools list response filtering to authorize per-tool visibility via
MCPOperationRead/Action::"read_tool"instead ofcall_tool. - Update unit/integration tests and Cedar authorizer logic to support
read_tooland the new list-operation authorization requirement.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/authz/middleware.go | Adds ingress authorization for list operations before response filtering. |
| pkg/authz/response_filter.go | Switches tool list filtering from call to read authorization. |
| pkg/authz/authorizers/cedar/core.go | Adds Cedar support for authorizing read_tool operations. |
| pkg/authz/middleware_test.go | Updates middleware tests to include new list permissions and tool visibility semantics. |
| pkg/authz/response_filter_test.go | Updates response filtering tests to permit read_tool for tool visibility. |
| pkg/authz/integration_test.go | Updates integration tests to permit list operations and use read_tool for tool visibility. |
| pkg/vmcp/auth/factory/authz_not_wired_test.go | Adjusts policy setup to reflect new list permissions (vMCP wiring tests). |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| r.Context(), | ||
| featureOp.Feature, | ||
| authorizers.MCPOperationList, | ||
| "metadata", |
There was a problem hiding this comment.
For list operations, the middleware is passing a hard-coded resourceID ("metadata") into AuthorizeWithJWTClaims. This changes the resource/mcp.resource_id seen by non-Cedar authorizers (e.g., the HTTP PDP authorizer will emit mrn:mcp:<server>:tool:metadata for tools/list), which is likely unintended and makes list authorization harder to reason about. Prefer passing an empty resourceID (or the parsed cursor if you intentionally want pagination-aware decisions).
| "metadata", | |
| "", |
There was a problem hiding this comment.
@yrobla I left this one, as the assignment was intentional. The rationale was that this presents a verb of "tool:list" with a resource MRN of "mrn:...:tool:metadata", which makes sense to me, i.e. we are listing the tool's metadata (name, prompts, etc). Thoughts?
github-actions
bot
added
size/XS
ghaskins
force-pushed
the
list-filtering
branch
from
9abad98 to
dfead51
Compare
github-actions
bot
added
size/XS
ghaskins
requested review from
ChrisJBurns,
JAORMX,
amirejaz,
jerm-dro,
jhrozek and
yrobla
as code owners
Previously, listing tools used the tool:call verb for both ingress authorization and egress response filtering, making it impossible to distinguish between a user discovering available tools versus invoking them with potential side effects. This change introduces: - A new ingress tool:list verb for tool listing requests, allowing policy authors to independently control access to tool discovery - Egress filtering switches from tool:call to tool:read for filtering listed tools in responses, reflecting that listing is a read-only discovery operation The distinction between read-only discovery (tool:list/tool:read) and potentially mutable actions (tool:call) is now clear in both policies and audit logs. NOTE: This is a breaking change for users with existing Cedar policies that relied on tool:call to gate tool listing. Signed-off-by: Greg Haskins <greg@manetu.com>
ghaskins
force-pushed
the
list-filtering
branch
from
dfead51 to
c1bdae4
Compare
github-actions
bot
added
size/XS
Summary
Previously, listing tools used the tool:call verb for both ingress authorization and egress response filtering, making it impossible to distinguish between a user discovering available tools versus invoking them with potential side effects.
Fixes #4048
Type of change
Test plan
task test)task test-e2e)task lint-fix)Changes
This change introduces:
The distinction between read-only discovery (tool:list/tool:read) and potentially mutable actions (tool:call) is now clear in both policies and audit logs.
Does this introduce a user-facing change?
Yes. This is a breaking change for users with existing Cedar policies that relied on tool:call to gate tool listing.