feat: enhance MCP tool name validation with comprehensive pattern detection#1
Draft
feat: enhance MCP tool name validation with comprehensive pattern detection#1
Conversation
* updated server.py to patch traversal path vulnerability * included new line at end of file * updated new line to remove tab * Fix: Add newline at end of file * fixing end of file new line * added traversal path unit test to test_server.py --------- Co-authored-by: Heitor Vital <heitor.carmo@gmail.com>
… error in response and ctx (awslabs#2383) * fix: return error dicts instead of raising exceptions in MCP tools - Created handle_tool_error() utility for consistent error handling - Updated all MCP tools to return error dicts instead of raising exceptions - Ensures agents receive error details as tool results - Follows pattern used by other AWS MCP servers (aws-location, billing-cost-management) Changes: - Added utils/error_utils.py with handle_tool_error() function - Updated 8 tool files to use new error handling pattern - Updated all 1790 tests to check for error dict returns - Fixed validation errors to be caught in try blocks - All linters passing (ruff, pyright) This fixes the issue where agents couldn't see error messages like 'S3 object not found' when workflow runs failed due to inaccessible URIs. * remove summary
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
awslabs#2406) * fix: validate file path access in shorthand parser * Update CHANGELOG
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
Co-authored-by: Aaditya Bhoota <abhoota@amazon.com>
…wslabs#1969) * Add comprehensive AWS HealthImaging MCP Server - 21 production-ready tools for medical imaging lifecycle - GDPR compliance with patient data deletion - Enterprise bulk operations - Complete documentation and Docker support - 22 passing unit tests * Add AWS HealthImaging MCP Server implementation * Fix ruff linting and formatting errors * Fix security issues and Docker build - Remove sensitive patient IDs from log messages (CodeQL fix) - Replace hardcoded test IDs with clearly fake values (secrets scan fix) - Fix uv-requirements.txt to use pinned version with hashes (Docker build fix) * Fix pre-commit issues and regenerate uv.lock - Add Apache 2.0 license headers to all Python files - Remove shebang from main.py (not needed) - Add .python-version file (required for CI) - Update .gitignore to not ignore .python-version - Regenerate uv.lock with proper dependency resolution * Fix pre-commit: trailing whitespace, end-of-file newlines, JSON formatting, and pyright type error * Add comprehensive tests to improve coverage to 88% - Add test_operations.py for HealthImagingClient methods - Add test_handlers.py for all tool handlers - Add test_models.py for Pydantic model validation - Add test_main.py for main entry point - Add test_operations_extended.py for complex operations - Add test_error_handling.py for ClientError handling Total: 119 tests passing * Add comprehensive tests to reach 90%+ coverage for HealthImaging MCP server - Add tests for server handlers (list_resources, read_resource, call_tool) - Add tests for ToolHandler class with all 21 tool handlers - Add tests for error handling (ClientError, NoCredentialsError, ValidationError) - Add tests for remove_instance_from_image_set finding series from metadata - Add tests for validate_datastore_id and HealthImagingSearchError - Fix unused variable warnings - Remove test_operations_extended.py (merged into test_operations.py) - Total coverage: 97% (server.py: 100%, operations.py: 100%) * Fix pyright type errors in tests - Use proper MCP types (ReadResourceRequestParams, CallToolRequestParams) - Fix DatastoreFilter test to explicitly pass status=None - All 233 tests pass, pyright reports 0 errors * feat: Add comprehensive threat model and improve test coverage - Complete threat modeling analysis with 9 phases covering business context, architecture, threat actors, trust boundaries, asset flows, threats, and mitigations - Export threat model in JSON and Markdown formats to .threatmodel/ directory - Improve test coverage from 97% to 99.84% by fixing validation error test cases - Add comprehensive IAM policies documentation - Update development documentation and project structure - Remove deprecated Makefile and requirements-dev.txt files - All 233 tests passing with excellent coverage across all modules * Clean up project for GitHub publication - Remove threat model files (.threatmodel directory) - Remove internal documentation files (AWS_LABS_PUBLICATION_GUIDE.md, PROJECT_STRUCTURE.md, RFC_HEALTHIMAGING_MCP_SERVER.md, SETUP_COMPLETE.md) - Fix formatting issues found by pre-commit hooks - Update test coverage validation in test_models.py - Format IAM_POLICIES.md and VSCode settings - Project now ready for public GitHub publication with 99% test coverage * feat(healthimaging): standardize MCP server implementation - Remove individual SECURITY.md and CONTRIBUTING.md files (use top-level .github versions) - Replace make commands with direct alternatives in README - Migrate from standard logging to loguru across all Python files - Add standardized user agent to boto3 client configuration - Add documentation for healthimaging MCP server * style: apply pre-commit formatting fixes * fix(docs): update broken links to use absolute GitHub URLs * Empty awslabs/__init__.py for proper namespace package functionality * Update license header config to exclude awslabs/__init__.py * Update license header check and healthimaging server init * Fix security issues and improve HealthImaging MCP server - Fixed medium severity logging issues by changing logger.error() to logger.warning() in exception handlers that re-raise - Fixed high severity hardcoded password false positives by renaming test tokens to clearly indicate test values - Added proper license headers to all files - Replaced test account IDs with clearly fake values (000000000000) to avoid Code Defender issues - Made scripts executable and fixed code quality issues - All pre-commit checks now pass * Fix test imports and remove obsolete test files - Removed test files that imported non-existent classes (HealthImagingClient, etc.) - Fixed test_main.py to match actual code structure - All 129 tests now pass successfully - Maintained comprehensive test coverage for actual functionality * Clean up unnecessary files from HealthImaging MCP server - Remove cache directories (.pytest_cache, .ruff_cache, htmlcov) - Remove build artifacts (.coverage, __pycache__) - Remove virtual environment (.venv) - Remove system files (.DS_Store) - Fix code formatting issues identified by pre-commit hooks * Fix type checking issues in HealthImaging MCP server - Fix DeleteImageSetResponse to only include expected fields - Add enum conversion functions for DatastoreStatus and JobStatus - Update server functions to properly convert string parameters to enum types - All 129 tests still pass - Pre-commit checks pass * Fix CodeQL security alert and pyright type checking errors - Replace real patient IDs, study UIDs, and datastore IDs with placeholder values in example_usage.py - Add type ignore comments for complex dictionary assignments in healthimaging_operations.py - Fix pyright type checking errors for kwargs dictionary assignments - Remove generated htmlcov directory - All tests pass (135/135) with 94% coverage - All pre-commit checks pass - All pyright type checks pass * Fix CodeQL security alerts and improve test coverage to 95% - Remove all variable references from print statements in example_usage.py to prevent clear-text logging of sensitive information - Replace f-strings with generic text descriptions - Add comprehensive tests for export job optional parameters (study_instance_uid, series_instance_uid, sop_instance_uid, submitted_before, submitted_after) - Add test for image frame None blob edge case - Add test for image frame streaming body returning string content - Improve test coverage from 90% to 95% (target: 90.55%) - All 137 tests pass - All pre-commit checks pass - All pyright type checks pass * docs: align HealthImaging documentation with AWS API MCP server standards - Consolidated all documentation from docs/ directory into main README.md - Followed AWS API MCP server documentation structure and format - Removed redundant documentation files (API.md, ARCHITECTURE.md, DEVELOPMENT.md, IAM_POLICIES.md, QUICKSTART.md) - Updated README.md with comprehensive installation methods, features, and security sections - Standardized docker-healthcheck.sh to match other AWS MCP servers - Removed obsolete files (uv-requirements.txt, test files, testing guide) - Maintained all essential information while following AWS MCP server documentation patterns - All 137 tests passing, pre-commit checks pass * fix: update Dockerfile to remove reference to deleted uv-requirements.txt - Removed uv-requirements.txt from COPY instruction - Removed pip install from uv-requirements.txt step - Use only pyproject.toml and uv.lock for dependency management - Fixes Docker build failure after documentation cleanup * remove: delete redundant healthimaging-mcp-server-examples folder - Removed entire samples/healthimaging-mcp-server-examples directory - example_usage.py contained only print statements without actual MCP tool usage - README.md examples are better covered in main project documentation - Reduces repository clutter and maintenance overhead * Update src/healthimaging-mcp-server/Dockerfile dockerfile updated with version Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat(healthimaging): optimize client creation with user agent and update documentation - Add get_medical_imaging_client() function with proper user agent configuration - Replace all boto3.client('medical-imaging') calls with optimized client function - Update README.md with installation method buttons for Cursor, VS Code, and Kiro - Tone down GDPR compliance language in docusaurus documentation - Remove redundant requirements.txt and mcp_config.json files - Update test assertions to handle new client config parameter - All 137 tests passing - Code formatted with pre-commit hooks * Update pyright to latest version (1.1.408) - Updated pyright from >=1.1.398 to >=1.1.408 in both project.optional-dependencies and dependency-groups sections - Updated uv.lock file to use pyright v1.1.408 - Resolves version warning: 'there is a new pyright version available (v1.1.407 -> v1.1.408)' - All 137 tests passing, 95% code coverage maintained - 0 pyright errors, 0 warnings, 0 informations * Update filelock to latest available version (3.20.3) - Updated filelock from v3.20.1 to v3.20.3 (latest available) - Addresses GHSA-qmgc-5h2g-mvrw (CVE-2026-22701) - TOCTOU Symlink Vulnerability - Note: Complete fix not yet released; monitoring for next filelock release - Vulnerability is moderate severity and requires local filesystem access - All 137 tests passing * Fix virtualenv TOCTOU vulnerability (CVE-2026-22702) - Updated virtualenv from v20.35.4 to v20.36.1 - Addresses GHSA-597g-3phw-6986 - TOCTOU vulnerability in directory creation - Vulnerability fixed in version 20.36.0, using latest 20.36.1 - All 137 tests passing * Apply suggestion from @scottschreckengaust Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * Fix invalid JSON code fences in README - Removed duplicate code fence markers in Advanced Search section - Removed duplicate code fence markers in DICOM Metadata section - Moved descriptive text outside of code blocks for proper formatting - Addresses review comment about invalid JSON code fence syntax * Update Q CLI references to Kiro in README - Changed 'Q CLI, Cursor or Cline' to 'Kiro, Cursor or Cline' in installation methods - Updated config file path from ~/.aws/amazonq/mcp.json to ~/.kiro/settings/mcp.json - Applied changes to both uv and pip installation sections - Addresses review comment about outdated Q CLI references * Fix python-multipart arbitrary file write vulnerability (CVE-2026-24486) - Updated python-multipart from v0.0.21 to v0.0.22 - Addresses GHSA-wp53-j4wj-2cfg - Arbitrary File Write via Non-Default Configuration - High severity vulnerability fixed in version 0.0.22 - All 137 tests passing * Remove virtualenv dependency (not needed with uv) - Removed virtualenv>=20.36.1 from dependencies - uv handles virtual environments natively, making virtualenv redundant - All 137 tests still passing - Reduces dependency footprint * Add Docker support for HealthImaging MCP server - Added multi-stage Dockerfile with Amazon Linux base image - Implements security best practices (non-root user, minimal dependencies) - Uses uv for dependency management with frozen lockfile - Added docker-healthcheck.sh script for container health monitoring - Optimized layer caching for faster builds - Includes proper environment configuration for Python and uv * Add uv-requirements.txt for Docker build - Generated uv-requirements.txt with hashed dependencies for secure Docker builds - Required by Dockerfile for installing uv package manager - Ensures reproducible builds with pinned dependency versions * Fix docker-healthcheck.sh executable permission - Added executable permission to docker-healthcheck.sh - Resolves pre-commit hook error for shebang scripts * fix: Set PATH inline for uv commands in Docker build * fix: Use official uv installer instead of pip for Docker build * fix: Add gzip dependency for uv installer in Docker * fix: Use correct uv installation path /root/.local/bin * fix: Revert to pip-based uv installation matching other MCP servers - Use pip to install uv from uv-requirements.txt with hashes - Remove wget/tar/gzip dependencies (not needed for pip approach) - Clean up runtime stage to only include necessary dependencies - Matches pattern from cloudwatch-applicationsignals-mcp-server * fix: Update cryptography to v46.0.5 to fix SECT curves vulnerability (GHSA-r6ph-v2qm-q3c2) --------- Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> Co-authored-by: Laith Al-Saadoon <9553966+theagenticguy@users.noreply.github.com>
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
…port (awslabs#2420) * Update docs to reflect sequence and identity column support Remove guidance stating sequences are unsupported. DSQL now supports CREATE SEQUENCE, ALTER SEQUENCE, DROP SEQUENCE, sequence manipulation functions (nextval, setval, currval, lastval), and GENERATED AS IDENTITY columns. Update identifier recommendations: UUIDs remain the default for primary keys, sequences/identity columns available for compact integer identifiers. SERIAL remains unsupported. CACHE must be 1 or >= 65536. Add sequence and identity column examples to dsql-examples docs. Update test_tools.md to use identity column syntax instead of SERIAL. * Address review feedback on sequence documentation - Reframe UUID recommendation (recommendation first, then rationale) - Replace prohibitive "SERIAL is not supported" with positive "ALWAYS use GENERATED AS IDENTITY" - Use RFC pattern "REQUIRED:" for CACHE specification - Reduce redundancy in dsql-examples.md CACHE section - Reorder onboarding.md to list best options first (UUID first)
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
…wslabs#2428) * fix(aws-api-mcp-server): validate file path access in shorthand parser (awslabs#2406) * fix: validate file path access in shorthand parser * Update CHANGELOG * chore(aws-api-mcp-server): upgrade AWS CLI to v1.44.37 (awslabs#2416) Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com> * chore: bump packages for release/2026.02.20260212091017 (awslabs#2417) Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com> * docs: Disambiguating AWS MCP Servers from AWS MCP product. (awslabs#2353) * docs: Disambiguating AWS MCP Servers from AWS MCP product. * Address pr comments. * Change Github to GitHub. * Updating search endpoint to new search endpoint (awslabs#2413) Co-authored-by: Aaditya Bhoota <abhoota@amazon.com> * feat(healthimaging): add comprehensive AWS HealthImaging MCP Server (awslabs#1969) * Add comprehensive AWS HealthImaging MCP Server - 21 production-ready tools for medical imaging lifecycle - GDPR compliance with patient data deletion - Enterprise bulk operations - Complete documentation and Docker support - 22 passing unit tests * Add AWS HealthImaging MCP Server implementation * Fix ruff linting and formatting errors * Fix security issues and Docker build - Remove sensitive patient IDs from log messages (CodeQL fix) - Replace hardcoded test IDs with clearly fake values (secrets scan fix) - Fix uv-requirements.txt to use pinned version with hashes (Docker build fix) * Fix pre-commit issues and regenerate uv.lock - Add Apache 2.0 license headers to all Python files - Remove shebang from main.py (not needed) - Add .python-version file (required for CI) - Update .gitignore to not ignore .python-version - Regenerate uv.lock with proper dependency resolution * Fix pre-commit: trailing whitespace, end-of-file newlines, JSON formatting, and pyright type error * Add comprehensive tests to improve coverage to 88% - Add test_operations.py for HealthImagingClient methods - Add test_handlers.py for all tool handlers - Add test_models.py for Pydantic model validation - Add test_main.py for main entry point - Add test_operations_extended.py for complex operations - Add test_error_handling.py for ClientError handling Total: 119 tests passing * Add comprehensive tests to reach 90%+ coverage for HealthImaging MCP server - Add tests for server handlers (list_resources, read_resource, call_tool) - Add tests for ToolHandler class with all 21 tool handlers - Add tests for error handling (ClientError, NoCredentialsError, ValidationError) - Add tests for remove_instance_from_image_set finding series from metadata - Add tests for validate_datastore_id and HealthImagingSearchError - Fix unused variable warnings - Remove test_operations_extended.py (merged into test_operations.py) - Total coverage: 97% (server.py: 100%, operations.py: 100%) * Fix pyright type errors in tests - Use proper MCP types (ReadResourceRequestParams, CallToolRequestParams) - Fix DatastoreFilter test to explicitly pass status=None - All 233 tests pass, pyright reports 0 errors * feat: Add comprehensive threat model and improve test coverage - Complete threat modeling analysis with 9 phases covering business context, architecture, threat actors, trust boundaries, asset flows, threats, and mitigations - Export threat model in JSON and Markdown formats to .threatmodel/ directory - Improve test coverage from 97% to 99.84% by fixing validation error test cases - Add comprehensive IAM policies documentation - Update development documentation and project structure - Remove deprecated Makefile and requirements-dev.txt files - All 233 tests passing with excellent coverage across all modules * Clean up project for GitHub publication - Remove threat model files (.threatmodel directory) - Remove internal documentation files (AWS_LABS_PUBLICATION_GUIDE.md, PROJECT_STRUCTURE.md, RFC_HEALTHIMAGING_MCP_SERVER.md, SETUP_COMPLETE.md) - Fix formatting issues found by pre-commit hooks - Update test coverage validation in test_models.py - Format IAM_POLICIES.md and VSCode settings - Project now ready for public GitHub publication with 99% test coverage * feat(healthimaging): standardize MCP server implementation - Remove individual SECURITY.md and CONTRIBUTING.md files (use top-level .github versions) - Replace make commands with direct alternatives in README - Migrate from standard logging to loguru across all Python files - Add standardized user agent to boto3 client configuration - Add documentation for healthimaging MCP server * style: apply pre-commit formatting fixes * fix(docs): update broken links to use absolute GitHub URLs * Empty awslabs/__init__.py for proper namespace package functionality * Update license header config to exclude awslabs/__init__.py * Update license header check and healthimaging server init * Fix security issues and improve HealthImaging MCP server - Fixed medium severity logging issues by changing logger.error() to logger.warning() in exception handlers that re-raise - Fixed high severity hardcoded password false positives by renaming test tokens to clearly indicate test values - Added proper license headers to all files - Replaced test account IDs with clearly fake values (000000000000) to avoid Code Defender issues - Made scripts executable and fixed code quality issues - All pre-commit checks now pass * Fix test imports and remove obsolete test files - Removed test files that imported non-existent classes (HealthImagingClient, etc.) - Fixed test_main.py to match actual code structure - All 129 tests now pass successfully - Maintained comprehensive test coverage for actual functionality * Clean up unnecessary files from HealthImaging MCP server - Remove cache directories (.pytest_cache, .ruff_cache, htmlcov) - Remove build artifacts (.coverage, __pycache__) - Remove virtual environment (.venv) - Remove system files (.DS_Store) - Fix code formatting issues identified by pre-commit hooks * Fix type checking issues in HealthImaging MCP server - Fix DeleteImageSetResponse to only include expected fields - Add enum conversion functions for DatastoreStatus and JobStatus - Update server functions to properly convert string parameters to enum types - All 129 tests still pass - Pre-commit checks pass * Fix CodeQL security alert and pyright type checking errors - Replace real patient IDs, study UIDs, and datastore IDs with placeholder values in example_usage.py - Add type ignore comments for complex dictionary assignments in healthimaging_operations.py - Fix pyright type checking errors for kwargs dictionary assignments - Remove generated htmlcov directory - All tests pass (135/135) with 94% coverage - All pre-commit checks pass - All pyright type checks pass * Fix CodeQL security alerts and improve test coverage to 95% - Remove all variable references from print statements in example_usage.py to prevent clear-text logging of sensitive information - Replace f-strings with generic text descriptions - Add comprehensive tests for export job optional parameters (study_instance_uid, series_instance_uid, sop_instance_uid, submitted_before, submitted_after) - Add test for image frame None blob edge case - Add test for image frame streaming body returning string content - Improve test coverage from 90% to 95% (target: 90.55%) - All 137 tests pass - All pre-commit checks pass - All pyright type checks pass * docs: align HealthImaging documentation with AWS API MCP server standards - Consolidated all documentation from docs/ directory into main README.md - Followed AWS API MCP server documentation structure and format - Removed redundant documentation files (API.md, ARCHITECTURE.md, DEVELOPMENT.md, IAM_POLICIES.md, QUICKSTART.md) - Updated README.md with comprehensive installation methods, features, and security sections - Standardized docker-healthcheck.sh to match other AWS MCP servers - Removed obsolete files (uv-requirements.txt, test files, testing guide) - Maintained all essential information while following AWS MCP server documentation patterns - All 137 tests passing, pre-commit checks pass * fix: update Dockerfile to remove reference to deleted uv-requirements.txt - Removed uv-requirements.txt from COPY instruction - Removed pip install from uv-requirements.txt step - Use only pyproject.toml and uv.lock for dependency management - Fixes Docker build failure after documentation cleanup * remove: delete redundant healthimaging-mcp-server-examples folder - Removed entire samples/healthimaging-mcp-server-examples directory - example_usage.py contained only print statements without actual MCP tool usage - README.md examples are better covered in main project documentation - Reduces repository clutter and maintenance overhead * Update src/healthimaging-mcp-server/Dockerfile dockerfile updated with version Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * feat(healthimaging): optimize client creation with user agent and update documentation - Add get_medical_imaging_client() function with proper user agent configuration - Replace all boto3.client('medical-imaging') calls with optimized client function - Update README.md with installation method buttons for Cursor, VS Code, and Kiro - Tone down GDPR compliance language in docusaurus documentation - Remove redundant requirements.txt and mcp_config.json files - Update test assertions to handle new client config parameter - All 137 tests passing - Code formatted with pre-commit hooks * Update pyright to latest version (1.1.408) - Updated pyright from >=1.1.398 to >=1.1.408 in both project.optional-dependencies and dependency-groups sections - Updated uv.lock file to use pyright v1.1.408 - Resolves version warning: 'there is a new pyright version available (v1.1.407 -> v1.1.408)' - All 137 tests passing, 95% code coverage maintained - 0 pyright errors, 0 warnings, 0 informations * Update filelock to latest available version (3.20.3) - Updated filelock from v3.20.1 to v3.20.3 (latest available) - Addresses GHSA-qmgc-5h2g-mvrw (CVE-2026-22701) - TOCTOU Symlink Vulnerability - Note: Complete fix not yet released; monitoring for next filelock release - Vulnerability is moderate severity and requires local filesystem access - All 137 tests passing * Fix virtualenv TOCTOU vulnerability (CVE-2026-22702) - Updated virtualenv from v20.35.4 to v20.36.1 - Addresses GHSA-597g-3phw-6986 - TOCTOU vulnerability in directory creation - Vulnerability fixed in version 20.36.0, using latest 20.36.1 - All 137 tests passing * Apply suggestion from @scottschreckengaust Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> * Fix invalid JSON code fences in README - Removed duplicate code fence markers in Advanced Search section - Removed duplicate code fence markers in DICOM Metadata section - Moved descriptive text outside of code blocks for proper formatting - Addresses review comment about invalid JSON code fence syntax * Update Q CLI references to Kiro in README - Changed 'Q CLI, Cursor or Cline' to 'Kiro, Cursor or Cline' in installation methods - Updated config file path from ~/.aws/amazonq/mcp.json to ~/.kiro/settings/mcp.json - Applied changes to both uv and pip installation sections - Addresses review comment about outdated Q CLI references * Fix python-multipart arbitrary file write vulnerability (CVE-2026-24486) - Updated python-multipart from v0.0.21 to v0.0.22 - Addresses GHSA-wp53-j4wj-2cfg - Arbitrary File Write via Non-Default Configuration - High severity vulnerability fixed in version 0.0.22 - All 137 tests passing * Remove virtualenv dependency (not needed with uv) - Removed virtualenv>=20.36.1 from dependencies - uv handles virtual environments natively, making virtualenv redundant - All 137 tests still passing - Reduces dependency footprint * Add Docker support for HealthImaging MCP server - Added multi-stage Dockerfile with Amazon Linux base image - Implements security best practices (non-root user, minimal dependencies) - Uses uv for dependency management with frozen lockfile - Added docker-healthcheck.sh script for container health monitoring - Optimized layer caching for faster builds - Includes proper environment configuration for Python and uv * Add uv-requirements.txt for Docker build - Generated uv-requirements.txt with hashed dependencies for secure Docker builds - Required by Dockerfile for installing uv package manager - Ensures reproducible builds with pinned dependency versions * Fix docker-healthcheck.sh executable permission - Added executable permission to docker-healthcheck.sh - Resolves pre-commit hook error for shebang scripts * fix: Set PATH inline for uv commands in Docker build * fix: Use official uv installer instead of pip for Docker build * fix: Add gzip dependency for uv installer in Docker * fix: Use correct uv installation path /root/.local/bin * fix: Revert to pip-based uv installation matching other MCP servers - Use pip to install uv from uv-requirements.txt with hashes - Remove wget/tar/gzip dependencies (not needed for pip approach) - Clean up runtime stage to only include necessary dependencies - Matches pattern from cloudwatch-applicationsignals-mcp-server * fix: Update cryptography to v46.0.5 to fix SECT curves vulnerability (GHSA-r6ph-v2qm-q3c2) --------- Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> Co-authored-by: Laith Al-Saadoon <9553966+theagenticguy@users.noreply.github.com> * chore: bump packages for release/2026.02.20260213033417 (awslabs#2423) Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com> * chore(aws-api-mcp-server): upgrade AWS CLI to v1.44.38 (awslabs#2424) Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com> * fix(aws-diagram-mcp-server): replace string-matching scanner with AST-based dangerous function detection The previous string-matching approach in check_dangerous_functions was trivially bypassed via getattr(), vars(), globals(), compile(), and class hierarchy traversal (__class__.__bases__.__subclasses__). This replaces it with AST-based analysis that inspects actual code structure, covering dangerous builtin calls, attribute calls, and dunder access. Also removes the redundant duplicate call in scan_python_code. Co-Authored-By: Kalindi Vijesh Parekh <kalindiv@amazon.com> * fix(aws-diagram-mcp-server): address PR review comments - Catch Exception instead of just SyntaxError in AST fallback to handle ValueError (NUL bytes) and other ast.parse failures gracefully - Normalize string fallback patterns to use explicit (pattern, name) tuples for consistent canonical function names in reports --------- Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com> Co-authored-by: Arne Wouters <25950814+arnewouters@users.noreply.github.com> Co-authored-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com> Co-authored-by: Leonardo Araneda Freccero <arangatang@users.noreply.github.com> Co-authored-by: Aaditya Bhoota <51334684+AadityaBhoota@users.noreply.github.com> Co-authored-by: Aaditya Bhoota <abhoota@amazon.com> Co-authored-by: manish364 <48702011+manish364@users.noreply.github.com> Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> Co-authored-by: Laith Al-Saadoon <9553966+theagenticguy@users.noreply.github.com> Co-authored-by: Kalindi Vijesh Parekh <kalindiv@amazon.com>
…i compatibility (awslabs#2430) * fix(aws-diagram-mcp-server): use str type for diagram_type parameter for Gemini compatibility The get_diagram_examples tool's diagram_type parameter used a DiagramType(str, Enum) which does not emit "type": "string" in the JSON schema. Gemini requires an explicit "type" field in tool parameter schemas and rejects calls without it. Change the parameter type to str with a default of 'all' so the schema includes "type": "string". Convert to DiagramType internally, falling back to ALL for unrecognized values. Closes awslabs#661 * fix: use list() to explicitly iterate DiagramType enum in test Address code quality bot warning about iterating over a type by wrapping DiagramType in list() to make the iteration explicit.
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
* Remove max_range_check * Update tests * Update CHANGELOG * Update src/aws-api-mcp-server/awslabs/aws_api_mcp_server/core/parser/custom_validators/botocore_param_validator.py Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com> --------- Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com>
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
…tion on incorrect git URL (awslabs#2418) Co-authored-by: dinsajwa <dinsajwa@amazon.com> Co-authored-by: Laith Al-Saadoon <9553966+theagenticguy@users.noreply.github.com>
…er (awslabs#2447) Add ysunio as code owner to dynamodb-mcp-server
… configured buckets when supplying ad-hoc buckets to search (awslabs#2419)
Added mysql-to-dsql-migrations.md which defines the appropriate workflows to migrate MySQL DDL operations and data types to DSQL-compatible equivalents using RFC prescriptive language. Covers: - MySQL data type mapping (ENUM, SET, JSON, UNSIGNED, AUTO_INCREMENT, etc.) - ALTER TABLE ALTER COLUMN and DROP COLUMN via table recreation pattern - AUTO_INCREMENT migration with three options: UUID, IDENTITY column, SEQUENCE - CACHE size guidance (REQUIRED: 1 or >= 65536) aligned with development-guide - FOREIGN KEY, ON UPDATE CURRENT_TIMESTAMP, and FULLTEXT migration patterns - Full CREATE TABLE migration example with decisions summary - Batched migration, error handling, and verify/swap patterns
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
…GALRM (awslabs#2429) * fix(aws-diagram-mcp-server): use cross-platform timeout instead of SIGALRM signal.SIGALRM is POSIX-only and raises AttributeError on Windows, making diagram generation crash. Use SIGALRM on Unix with a proper finally block to reset the alarm, and fall back to a daemon thread with join(timeout) on Windows. Also adds a finally block on Unix to ensure alarm(0) is called even if exec raises a non-TimeoutError exception. Closes awslabs#165 Closes awslabs#2246 Co-Authored-By: Kalindi <kalindi-dev@users.noreply.github.com> * fix: address PR review comments on cross-platform timeout - Simplify condition to use hasattr(signal, 'SIGALRM') as primary check instead of sys.platform, making it robust for any non-POSIX platform - Save and restore the previous SIGALRM handler in the finally block - Document daemon thread limitation (continues after timeout) - Remove sys import (no longer needed) - Fix tests to properly exercise the threading fallback by removing SIGALRM attribute instead of just mocking sys.platform - Use CPU-bound busy loop in timeout test instead of import time (which would be rejected by the security scanner) - Fix mixed import style in test_signal_module_imported --------- Co-authored-by: Kalindi <kalindi-dev@users.noreply.github.com>
…ository code generation (awslabs#2434) Implements support for defining and generating cross-table atomic transactional operations using DynamoDB's TransactWriteItems and TransactGetItems APIs. Key Changes: - Add cross_table_access_patterns schema section for defining atomic transactions - Generate TransactionService class with method stubs for cross-table operations - Support TransactWrite (Put/Update/Delete/ConditionCheck) and TransactGet operations - Update access_pattern_mapping.json to include transaction patterns - Extend usage_examples.py with transaction pattern demonstrations - Add user_registration test fixture for TDD validation - Implement validations for cross-table patterns - Add snapshot tests for transaction service generation Generated Code: - transaction_service.py with TransactionService class and method stubs - Proper imports, type hints, and docstrings with implementation hints - Integration with existing repository architecture
* Add comprehensive AWS HealthImaging MCP Server
- 21 production-ready tools for medical imaging lifecycle
- GDPR compliance with patient data deletion
- Enterprise bulk operations
- Complete documentation and Docker support
- 22 passing unit tests
* Add AWS HealthImaging MCP Server implementation
* Fix ruff linting and formatting errors
* Fix security issues and Docker build
- Remove sensitive patient IDs from log messages (CodeQL fix)
- Replace hardcoded test IDs with clearly fake values (secrets scan fix)
- Fix uv-requirements.txt to use pinned version with hashes (Docker build fix)
* Fix pre-commit issues and regenerate uv.lock
- Add Apache 2.0 license headers to all Python files
- Remove shebang from main.py (not needed)
- Add .python-version file (required for CI)
- Update .gitignore to not ignore .python-version
- Regenerate uv.lock with proper dependency resolution
* Fix pre-commit: trailing whitespace, end-of-file newlines, JSON formatting, and pyright type error
* Add comprehensive tests to improve coverage to 88%
- Add test_operations.py for HealthImagingClient methods
- Add test_handlers.py for all tool handlers
- Add test_models.py for Pydantic model validation
- Add test_main.py for main entry point
- Add test_operations_extended.py for complex operations
- Add test_error_handling.py for ClientError handling
Total: 119 tests passing
* Add comprehensive tests to reach 90%+ coverage for HealthImaging MCP server
- Add tests for server handlers (list_resources, read_resource, call_tool)
- Add tests for ToolHandler class with all 21 tool handlers
- Add tests for error handling (ClientError, NoCredentialsError, ValidationError)
- Add tests for remove_instance_from_image_set finding series from metadata
- Add tests for validate_datastore_id and HealthImagingSearchError
- Fix unused variable warnings
- Remove test_operations_extended.py (merged into test_operations.py)
- Total coverage: 97% (server.py: 100%, operations.py: 100%)
* Fix pyright type errors in tests
- Use proper MCP types (ReadResourceRequestParams, CallToolRequestParams)
- Fix DatastoreFilter test to explicitly pass status=None
- All 233 tests pass, pyright reports 0 errors
* feat: Add comprehensive threat model and improve test coverage
- Complete threat modeling analysis with 9 phases covering business context, architecture, threat actors, trust boundaries, asset flows, threats, and mitigations
- Export threat model in JSON and Markdown formats to .threatmodel/ directory
- Improve test coverage from 97% to 99.84% by fixing validation error test cases
- Add comprehensive IAM policies documentation
- Update development documentation and project structure
- Remove deprecated Makefile and requirements-dev.txt files
- All 233 tests passing with excellent coverage across all modules
* Clean up project for GitHub publication
- Remove threat model files (.threatmodel directory)
- Remove internal documentation files (AWS_LABS_PUBLICATION_GUIDE.md, PROJECT_STRUCTURE.md, RFC_HEALTHIMAGING_MCP_SERVER.md, SETUP_COMPLETE.md)
- Fix formatting issues found by pre-commit hooks
- Update test coverage validation in test_models.py
- Format IAM_POLICIES.md and VSCode settings
- Project now ready for public GitHub publication with 99% test coverage
* feat(healthimaging): standardize MCP server implementation
- Remove individual SECURITY.md and CONTRIBUTING.md files (use top-level .github versions)
- Replace make commands with direct alternatives in README
- Migrate from standard logging to loguru across all Python files
- Add standardized user agent to boto3 client configuration
- Add documentation for healthimaging MCP server
* style: apply pre-commit formatting fixes
* fix(docs): update broken links to use absolute GitHub URLs
* Empty awslabs/__init__.py for proper namespace package functionality
* Update license header config to exclude awslabs/__init__.py
* Update license header check and healthimaging server init
* Fix security issues and improve HealthImaging MCP server
- Fixed medium severity logging issues by changing logger.error() to logger.warning() in exception handlers that re-raise
- Fixed high severity hardcoded password false positives by renaming test tokens to clearly indicate test values
- Added proper license headers to all files
- Replaced test account IDs with clearly fake values (000000000000) to avoid Code Defender issues
- Made scripts executable and fixed code quality issues
- All pre-commit checks now pass
* Fix test imports and remove obsolete test files
- Removed test files that imported non-existent classes (HealthImagingClient, etc.)
- Fixed test_main.py to match actual code structure
- All 129 tests now pass successfully
- Maintained comprehensive test coverage for actual functionality
* Clean up unnecessary files from HealthImaging MCP server
- Remove cache directories (.pytest_cache, .ruff_cache, htmlcov)
- Remove build artifacts (.coverage, __pycache__)
- Remove virtual environment (.venv)
- Remove system files (.DS_Store)
- Fix code formatting issues identified by pre-commit hooks
* Fix type checking issues in HealthImaging MCP server
- Fix DeleteImageSetResponse to only include expected fields
- Add enum conversion functions for DatastoreStatus and JobStatus
- Update server functions to properly convert string parameters to enum types
- All 129 tests still pass
- Pre-commit checks pass
* Fix CodeQL security alert and pyright type checking errors
- Replace real patient IDs, study UIDs, and datastore IDs with placeholder values in example_usage.py
- Add type ignore comments for complex dictionary assignments in healthimaging_operations.py
- Fix pyright type checking errors for kwargs dictionary assignments
- Remove generated htmlcov directory
- All tests pass (135/135) with 94% coverage
- All pre-commit checks pass
- All pyright type checks pass
* Fix CodeQL security alerts and improve test coverage to 95%
- Remove all variable references from print statements in example_usage.py to prevent clear-text logging of sensitive information
- Replace f-strings with generic text descriptions
- Add comprehensive tests for export job optional parameters (study_instance_uid, series_instance_uid, sop_instance_uid, submitted_before, submitted_after)
- Add test for image frame None blob edge case
- Add test for image frame streaming body returning string content
- Improve test coverage from 90% to 95% (target: 90.55%)
- All 137 tests pass
- All pre-commit checks pass
- All pyright type checks pass
* docs: align HealthImaging documentation with AWS API MCP server standards
- Consolidated all documentation from docs/ directory into main README.md
- Followed AWS API MCP server documentation structure and format
- Removed redundant documentation files (API.md, ARCHITECTURE.md, DEVELOPMENT.md, IAM_POLICIES.md, QUICKSTART.md)
- Updated README.md with comprehensive installation methods, features, and security sections
- Standardized docker-healthcheck.sh to match other AWS MCP servers
- Removed obsolete files (uv-requirements.txt, test files, testing guide)
- Maintained all essential information while following AWS MCP server documentation patterns
- All 137 tests passing, pre-commit checks pass
* fix: update Dockerfile to remove reference to deleted uv-requirements.txt
- Removed uv-requirements.txt from COPY instruction
- Removed pip install from uv-requirements.txt step
- Use only pyproject.toml and uv.lock for dependency management
- Fixes Docker build failure after documentation cleanup
* remove: delete redundant healthimaging-mcp-server-examples folder
- Removed entire samples/healthimaging-mcp-server-examples directory
- example_usage.py contained only print statements without actual MCP tool usage
- README.md examples are better covered in main project documentation
- Reduces repository clutter and maintenance overhead
* Update src/healthimaging-mcp-server/Dockerfile
dockerfile updated with version
Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com>
* feat(healthimaging): optimize client creation with user agent and update documentation
- Add get_medical_imaging_client() function with proper user agent configuration
- Replace all boto3.client('medical-imaging') calls with optimized client function
- Update README.md with installation method buttons for Cursor, VS Code, and Kiro
- Tone down GDPR compliance language in docusaurus documentation
- Remove redundant requirements.txt and mcp_config.json files
- Update test assertions to handle new client config parameter
- All 137 tests passing
- Code formatted with pre-commit hooks
* Update pyright to latest version (1.1.408)
- Updated pyright from >=1.1.398 to >=1.1.408 in both project.optional-dependencies and dependency-groups sections
- Updated uv.lock file to use pyright v1.1.408
- Resolves version warning: 'there is a new pyright version available (v1.1.407 -> v1.1.408)'
- All 137 tests passing, 95% code coverage maintained
- 0 pyright errors, 0 warnings, 0 informations
* Update filelock to latest available version (3.20.3)
- Updated filelock from v3.20.1 to v3.20.3 (latest available)
- Addresses GHSA-qmgc-5h2g-mvrw (CVE-2026-22701) - TOCTOU Symlink Vulnerability
- Note: Complete fix not yet released; monitoring for next filelock release
- Vulnerability is moderate severity and requires local filesystem access
- All 137 tests passing
* Fix virtualenv TOCTOU vulnerability (CVE-2026-22702)
- Updated virtualenv from v20.35.4 to v20.36.1
- Addresses GHSA-597g-3phw-6986 - TOCTOU vulnerability in directory creation
- Vulnerability fixed in version 20.36.0, using latest 20.36.1
- All 137 tests passing
* Apply suggestion from @scottschreckengaust
Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com>
* Fix invalid JSON code fences in README
- Removed duplicate code fence markers in Advanced Search section
- Removed duplicate code fence markers in DICOM Metadata section
- Moved descriptive text outside of code blocks for proper formatting
- Addresses review comment about invalid JSON code fence syntax
* Update Q CLI references to Kiro in README
- Changed 'Q CLI, Cursor or Cline' to 'Kiro, Cursor or Cline' in installation methods
- Updated config file path from ~/.aws/amazonq/mcp.json to ~/.kiro/settings/mcp.json
- Applied changes to both uv and pip installation sections
- Addresses review comment about outdated Q CLI references
* Fix python-multipart arbitrary file write vulnerability (CVE-2026-24486)
- Updated python-multipart from v0.0.21 to v0.0.22
- Addresses GHSA-wp53-j4wj-2cfg - Arbitrary File Write via Non-Default Configuration
- High severity vulnerability fixed in version 0.0.22
- All 137 tests passing
* Remove virtualenv dependency (not needed with uv)
- Removed virtualenv>=20.36.1 from dependencies
- uv handles virtual environments natively, making virtualenv redundant
- All 137 tests still passing
- Reduces dependency footprint
* Add Docker support for HealthImaging MCP server
- Added multi-stage Dockerfile with Amazon Linux base image
- Implements security best practices (non-root user, minimal dependencies)
- Uses uv for dependency management with frozen lockfile
- Added docker-healthcheck.sh script for container health monitoring
- Optimized layer caching for faster builds
- Includes proper environment configuration for Python and uv
* Add uv-requirements.txt for Docker build
- Generated uv-requirements.txt with hashed dependencies for secure Docker builds
- Required by Dockerfile for installing uv package manager
- Ensures reproducible builds with pinned dependency versions
* Fix docker-healthcheck.sh executable permission
- Added executable permission to docker-healthcheck.sh
- Resolves pre-commit hook error for shebang scripts
* fix: Set PATH inline for uv commands in Docker build
* fix: Use official uv installer instead of pip for Docker build
* fix: Add gzip dependency for uv installer in Docker
* fix: Use correct uv installation path /root/.local/bin
* fix: Revert to pip-based uv installation matching other MCP servers
- Use pip to install uv from uv-requirements.txt with hashes
- Remove wget/tar/gzip dependencies (not needed for pip approach)
- Clean up runtime stage to only include necessary dependencies
- Matches pattern from cloudwatch-applicationsignals-mcp-server
* fix: Update cryptography to v46.0.5 to fix SECT curves vulnerability (GHSA-r6ph-v2qm-q3c2)
* docs: Update CHANGELOG with all recent improvements and security fixes
- Document Docker support and installation improvements
- List all new DICOM operations and patient data management tools
- Record security vulnerability fixes (urllib3, filelock, python-multipart, cryptography)
- Note configuration and documentation improvements
* docs: Update docusaurus page to show 39 tools and add TOC
- Update tool count from 21 to 39 to reflect all available operations
- Add comprehensive Table of Contents for easy navigation
- Organize tools into 8 categories: Datastore, Image Set, DICOM Jobs, Metadata/Frame, Tagging, Advanced DICOM, Bulk, and Hierarchy operations
- List all 39 tools with descriptions
- Add Bulk Operations and DICOM Hierarchy sections to features
---------
Co-authored-by: Scott Schreckengaust <scottschreckengaust@users.noreply.github.com>
Co-authored-by: Laith Al-Saadoon <9553966+theagenticguy@users.noreply.github.com>
Add --created-by to create-cluster.sh for cluster tagging and --ai-model to psql-connect.sh for application_name tracking. Update code snippets in docs with application_name patterns. Fix contradictory parameterized query guidance.
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
* Add fully separated and clearly defined access control steering for stricter development enforcement of non-admin role usage. * Update dev guide to reference scoped roles as a best practice * Add skill-aliases via different names in SKILL.md's `XML` to improve searchability/breadth on skill discovery based on vanilla LLM's abilities to identify the value/use of agent-skills and self-install. * Added a pre-commit hook to sync the SKILL.md files if run locally and fail the PR checks if run in a PR. Validated with explicit testing after changing aws-dsql-skill/SKILL.md ``` Exit code 1 sync dsql skill alias SKILL.md files..........................Failed - hook id: sync-dsql-skill-aliases - exit code: 1 - files were modified by this hook Fixed aws-dsql-skill/SKILL.md ``` And testing when all files are synced. ``` sync dsql skill alias SKILL.md files..........................Passed ```
The check-license-header CI step treats symlinks (scripts, references, mcp) in skill alias directories as uncovered files. Add patterns to the no-license-required rule so these symlinks are recognized.
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
* chore(dynamodb-mcp-server): update README.md * adding baseline secrets --------- Co-authored-by: Lee Hannigan <lhnng@amazon.com> Co-authored-by: Sunil <138931262+ysunio@users.noreply.github.com>
…labs#2506) - Add four new MCP tools for HealthOmics Run Group management (CreateAHORunGroup, GetAHORunGroup, ListAHORunGroups, UpdateAHORunGroup) - Add optional run_group_id parameter to StartAHORun and ListAHORuns for run group association and filtering - Add RunGroupSummary, RunGroupDetail, and RunGroupListResponse Pydantic models for type safety - Add run group constants (max name length, max resource limit, max ID length) to consts.py - Add comprehensive test coverage for run group operations and workflow execution integration - Update README with run group management tools documentation and required IAM permissions - Update CHANGELOG with v0.0.27 release notes documenting new run group features
Added @sabeelmansuri as a code owner for aws-healthomics-mcp-server.
…labs#2523) - Add four new MCP tools for managing HealthOmics Run Caches (CreateAHORunCache, GetAHORunCache, ListAHORunCaches, UpdateAHORunCache) - Add RunCache data models (RunCacheStatus, RunCacheSummary, RunCacheDetail, RunCacheListResponse) to core.py - Implement run_cache.py with full CRUD operations including S3 URI validation and cache behavior configuration - Add comprehensive test coverage in test_run_cache.py for all run cache operations - Update README.md with run cache tool documentation and IAM permission requirements - Add required IAM permissions (omics:CreateRunCache, omics:GetRunCache, omics:ListRunCaches, omics:UpdateRunCache, s3:HeadBucket) - Update CHANGELOG.md with release notes documenting new run cache features - Register all four run cache tools in server.py MCP tool registry
…wslabs#2522) Remove os module and bare diagrams import from the user code execution namespace. Replace raw urlretrieve with a safe wrapper that validates URL scheme, image extension, and prevents path traversal. Restrict __builtins__ to a safe subset excluding dangerous functions as defense-in-depth.
…awslabs#2357) * Implements batch calling for call_aws tool. * Tending the comments, fixing unit tests * Tending the comments, fixing unit tests cr: https://code.amazon.com/reviews/CR-251201048 er: https://code.amazon.com/reviews/CR-251201048 --------- Co-authored-by: Baris Kurt <barisk@amazon.com>
…for all tools in dynamodb_mcp_server (awslabs#2520)
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
…ry code generation (awslabs#2528) Add support for DynamoDB filter expressions in the repository generation tool, enabling server-side filtering on non-key attributes for Query and Scan operations. - Add FilterCondition dataclass and FilterExpressionValidator with full validation for operators (=, <>, <, <=, >, >=, between, in), functions (contains, begins_with, attribute_exists, attribute_not_exists, size), and logical operators (AND, OR) - Integrate filter expression validation into SchemaValidator pipeline - Update AccessPatternMapper to propagate filter_expression metadata - Update repository_template.j2 to generate filter parameters in method signatures, docstrings, and implementation hint comments - Update usage_examples_template.j2 and usage_data_validator to support filter_values section - Add food_delivery_app test fixture covering all filter expression variants - Add unit, integration, and snapshot tests for filter expression support - Add FILTER_EXPRESSIONS.md documentation cr: https://code.amazon.com/reviews/CR-256157185 Co-authored-by: Sunil <138931262+ysunio@users.noreply.github.com>
…awslabs#2497) * chore(aws-msk-mcp-server): Add new code owners for aws-msk-mcp-server * Clean up MSK code owners * Fix code owners
* Add Topics Management API Module Implements comprehensive topic management for MSK clusters with 6 new MCP tools: Read Operations (always available): - list_topics: List all topics in a cluster with filtering and pagination - describe_topic: Get detailed topic configuration and status - describe_topic_partitions: Retrieve partition-level information Write Operations (require --allow-writes flag): - create_topic: Create new topics with custom configurations - update_topic: Update topic configurations and partition counts - delete_topic: Delete topics with safety confirmations Key Features: - Follows existing architecture pattern with separate read/mutate modules - Integrates with read-only mode for enhanced security - Safety checks for destructive operations (delete requires explicit confirmation) - Protection for system topics (__, _internal, _confluent, _kafka, _schema prefixes) - Support for Base64 encoded topic configurations - Comprehensive error handling and parameter validation - Consistent with existing code patterns and documentation standards * fix: add Optional type hints to resolve pyright errors Add Optional[str] and Optional[int] type hints to function parameters that can accept None values. This resolves 8 pyright type checking errors in the topics management API. Files modified: - read_topics/list_topics.py - read_topics/describe_topic_partitions.py - mutate_topics/create_topic.py - mutate_topics/update_topic.py * test: add comprehensive unit tests for topics management API Add 30+ test cases covering all 6 topic operations: - Read operations: list_topics, describe_topic, describe_topic_partitions - Mutate operations: create_topic, update_topic, delete_topic Test coverage includes: - Success scenarios with various parameter combinations - Error handling (client errors, missing resources) - Safety validations (delete confirmation, system topic protection) - Parameter validation (missing client, invalid inputs) - Pagination support Each test file follows project conventions with proper mocking, assertions, and error verification. * fix: resolve all remaining pyright type errors - Add conditional kwargs passing to avoid None assignments - Add dict[str, Any] type annotations for params dictionaries - Use conditional logic in __init__.py tool wrappers instead of direct None passing This resolves all 11 pyright errors: - 8 errors from passing None to non-Optional parameters - 3 errors from int values in str-typed dictionaries Changes: - read_topics/__init__.py: Use kwargs for optional params - mutate_topics/__init__.py: Use conditional/kwargs for optional params - list_topics.py: Add dict[str, Any] type for params - describe_topic_partitions.py: Add dict[str, Any] type for params - update_topic.py: Add dict[str, Any] type for params * fix: add Optional types to Pydantic Field parameters Fix remaining 8 pyright errors by adding Optional[str] and Optional[int] to Pydantic Field parameter definitions. When a Field has a default of None, the parameter type itself must be Optional, not just the function parameter. Also fix secrets detection warning by adding pragma comment to base64 test data. This resolves: - 8 pyright errors in __init__.py files (Field parameter types) - 1 secrets detection false positive (base64 test data) Changes: - read_topics/__init__.py: Add Optional to Field types - mutate_topics/__init__.py: Add Optional to Field types - test_describe_topic.py: Add pragma comment for test data * fix: remove invalid character causing syntax error in test Remove '?' character from beginning of test_describe_topic.py that was causing SyntaxError during test collection. * style: fix docstring formatting to comply with ruff Update module docstrings to follow Google style guide: - Summary on first line (no blank line after opening quotes) - Blank line after summary - End summary with period This resolves ruff linting errors D205, D212, and D415 for all topic management operation files. Files modified: - create_topic.py, delete_topic.py, update_topic.py - describe_topic.py, describe_topic_partitions.py, list_topics.py * test: add wrapper function tests to improve coverage Add tests for read_topics and mutate_topics __init__.py tool wrappers to cover conditional parameter passing logic. This addresses the 12 missing lines in coverage by testing: - list_topics wrapper with optional parameters - describe_topic_partitions wrapper with optional parameters - create_topic wrapper with/without configs - update_topic wrapper with optional parameters Expected to bring coverage from 88.35% to >90%. * test: remove failing wrapper tests Remove test_read_topics_init.py and test_mutate_topics_init.py as they incorrectly access FastMCP internal attributes that are not part of the public API. The core functionality is already well-tested with 33 test cases achieving 89% coverage. The missing lines in __init__.py wrappers are minimal conditional logic that's implicitly tested through the operation tests. * style: apply ruff auto-formatting Apply ruff formatting to all topic management files to match project style: - Convert double quotes to single quotes - Fix line wrapping and spacing - Add newlines at end of files - Format function docstrings This resolves all pre-commit formatting warnings. * style: fix function docstring formatting with ruff check Apply ruff check --fix to resolve D212 docstring errors. Removed blank lines after opening docstring quotes in function definitions to comply with Google style guide. Fixed 6 function docstrings in: - create_topic.py, delete_topic.py, update_topic.py - describe_topic.py, describe_topic_partitions.py, list_topics.py This should be the final formatting fix. * test: add __init__.py wrapper tests for full coverage Add comprehensive tests for read_topics and mutate_topics __init__.py module wrappers using the project's MockMCP spy pattern. Tests cover: - Tool registration verification - list_topics wrapper with and without optional params - describe_topic wrapper - describe_topic_partitions wrapper with and without optional params - create_topic wrapper with and without configs - update_topic wrapper with and without optional params - delete_topic wrapper This covers all 31 missing lines in __init__.py files and should bring patch coverage above 90%. * style: fix ruff linting in wrapper test files Remove unused pytest import and fix import sorting. * fix: update system_prefixes to match CR (__amazon, __consumer) Update protected system topic prefixes from generic prefixes to MSK-specific ones matching the internal CR: - __amazon (MSK internal topics like __amazon_msk_canary) - __consumer (Kafka consumer offset topics) Also update tests to match and add test for allowing regular underscore-prefixed topics. * chore(aws-dataprocessing-mcp-server): Fix DateTime Issue in MCP tools (awslabs#2486) * fix(dsql): Fix skill integrity risks (awslabs#2487) For loader script: Mitigate remote code execution risks from unverified binary downloads by adding download URL domain allowlisting, HTTPS-only enforcement via curl --proto/--fail, file size and binary type validation (ELF/Mach-O), and isolated extraction to a temp directory before install. For create script: Replace eval-based command execution with bash array expansion to prevent command injection via --tags and --region arguments. Use jq instead of awk for safe JSON construction of tag values. * chore(aws-api-mcp-server): upgrade AWS CLI to v1.44.44 (awslabs#2489) Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com> * chore(aws-api-mcp-server): upgrade fastmcp to 3.0.1 (awslabs#2490) * chore(aws-api-mcp-server): upgrade fastmcp to 3.0.0 * fix tests * upgrade to 3.0.1 to get latest typing fixes * chore: bump packages for release/2026.02.20260223082610 (awslabs#2493) Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com> * fix(dynamodb): change env values to strings and add connection-based (awslabs#2465) * fix(dynamodb): change env values to strings and add connection-based config sample * fix: update secret-baseline --------- Co-authored-by: Sunil Yadav <ysunio@amazon.com> * chore(aws-msk-mcp-server): Add new code owners for aws-msk-mcp-server * fix: add check_mcp_generated_tag safety guard to mutate_topics Add MCP Generated tag check before update_topic and delete_topic operations, consistent with mutate_cluster and mutate_config modules. Changes: - Import check_mcp_generated_tag from common_functions - update_topic_tool: raises ValueError if cluster not MCP-tagged - delete_topic_tool: raises ValueError if cluster not MCP-tagged - create_topic_tool: add docstring Note to tag cluster after creation - Update docstrings with 'MCP Generated' Note for update/delete Also update tests: - Mock check_mcp_generated_tag in existing update/delete tests - Add test_update_topic_tool_tag_check_fails - Add test_delete_topic_tool_tag_check_fails * fix: remove non-Mehari Note from create_topic docstring Remove the custom Note we added to create_topic_tool that Mehari does not have. create_topic now matches Mehari's version exactly - no Note in docstring. * fix: add tag check to create_topic as well All three mutate operations now check the MCP Generated tag before performing any mutations on the cluster. * test: update create_topic tests with tag check mock * docs: fix Note text in all mutate_topics docstrings Add missing Note to create_topic_tool and fix wording in all three: - create_topic: add Note (was missing) - update_topic: resource -> cluster, update it -> update topics - delete_topic: resource -> cluster, delete it -> delete topics * style: fix import order and EOF in test_mutate_topics_init --------- Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com> Co-authored-by: Vaibhav Naik <101835362+naikvaib@users.noreply.github.com> Co-authored-by: Anwesha <64298192+anwesham-lab@users.noreply.github.com> Co-authored-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com> Co-authored-by: Arne Wouters <25950814+arnewouters@users.noreply.github.com> Co-authored-by: Clint Eastman <clintae@amazon.com> Co-authored-by: Sunil Yadav <ysunio@amazon.com>
Signed-off-by: awslabs-mcp <203918161+awslabs-mcp@users.noreply.github.com>
…bs#2535) * Apply suggested fix to src/aws-api-mcp-server/tests/test_server.py from Copilot Autofix Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com> * Apply suggested fix to src/aws-api-mcp-server/tests/test_server.py from Copilot Autofix Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com> * Apply suggested fix to src/aws-api-mcp-server/tests/test_server.py from Copilot Autofix Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com> * Apply suggested fix to src/aws-api-mcp-server/tests/test_server.py from Copilot Autofix Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com> * Apply suggested fix to src/aws-api-mcp-server/tests/test_server.py from Copilot Autofix Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com> * Remove duplicate assignment of mock_response --------- Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
Co-authored-by: Phani Srikar Edupuganti <edupp@amazon.com> Co-authored-by: Laith Al-Saadoon <9553966+theagenticguy@users.noreply.github.com>
…wslabs#2516) * feat: add billing conductor tools to cost management MCP * docs: update root README description for billing-cost-management server to include Billing Conductor * fix failing build * fix: apply ruff formatting * test: improve coverage for billing conductor operations * refactor: address PR review - DRY formatters, document max_pages --------- Co-authored-by: John Wang <johnyxw@amazon.com> Co-authored-by: Alain Krok <alkrok@amazon.com>
) * fix(dsql): Update broken github links Update SQLAlchemy documentation links to point to pet clinic example instead of general directory as requested in review feedback. By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license. * chore(codeowners): Add praba2210 as code owner for aurora-dsql-mcp-server Add @praba2210 to the CODEOWNERS list for the aurora-dsql-mcp-server directory to reflect current ownership and review responsibilities. * Revert "chore(codeowners): Add praba2210 as code owner for aurora-dsql-mcp-server" This reverts commit f161edf. --------- Co-authored-by: Prabakaran Annadurai <prabaw@amazon.com>
…pdates group across 1 directory with 8 updates (awslabs#2518) Bumps the github-actions-version-updates group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [astral-sh/setup-uv](https://github.com/astral-sh/setup-uv) | `7.2.0` | `7.3.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `b2ff80ddacba59b60f4e0cf3b699baaea3230cd9` | `c0fc915677567258ee3c194d03ffe7ae3dc8d741` | | [bridgecrewio/checkov-action](https://github.com/bridgecrewio/checkov-action) | `12.3079.0` | `12.3086.0` | | [actions/dependency-review-action](https://github.com/actions/dependency-review-action) | `4.8.2` | `4.8.3` | | [actions/cache](https://github.com/actions/cache) | `5.0.2` | `5.0.3` | | [awslabs/mcp](https://github.com/awslabs/mcp) | `2026.01.20260126220610` | `2026.02.20260224185711` | | [actions/stale](https://github.com/actions/stale) | `10.1.1` | `10.2.0` | | [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) | `0.33.1` | `0.34.1` | Updates `astral-sh/setup-uv` from 7.2.0 to 7.3.0 - [Release notes](https://github.com/astral-sh/setup-uv/releases) - [Commits](astral-sh/setup-uv@61cb8a9...eac588a) Updates `github/codeql-action` from b2ff80ddacba59b60f4e0cf3b699baaea3230cd9 to c0fc915677567258ee3c194d03ffe7ae3dc8d741 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@b2ff80d...c0fc915) Updates `bridgecrewio/checkov-action` from 12.3079.0 to 12.3086.0 - [Release notes](https://github.com/bridgecrewio/checkov-action/releases) - [Commits](bridgecrewio/checkov-action@5051a5c...f99709f) Updates `actions/dependency-review-action` from 4.8.2 to 4.8.3 - [Release notes](https://github.com/actions/dependency-review-action/releases) - [Commits](actions/dependency-review-action@3c4e3dc...05fe457) Updates `actions/cache` from 5.0.2 to 5.0.3 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@8b402f5...cdf6c1f) Updates `awslabs/mcp` from 2026.01.20260126220610 to 2026.02.20260224185711 - [Release notes](https://github.com/awslabs/mcp/releases) - [Commits](awslabs/mcp@16fbeff...1184105) Updates `actions/stale` from 10.1.1 to 10.2.0 - [Release notes](https://github.com/actions/stale/releases) - [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md) - [Commits](actions/stale@9971854...b5d41d4) Updates `aquasecurity/trivy-action` from 0.33.1 to 0.34.1 - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@b6643a2...e368e32) --- updated-dependencies: - dependency-name: astral-sh/setup-uv dependency-version: 7.3.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions-version-updates - dependency-name: github/codeql-action dependency-version: c0fc915677567258ee3c194d03ffe7ae3dc8d741 dependency-type: direct:production dependency-group: github-actions-version-updates - dependency-name: bridgecrewio/checkov-action dependency-version: 12.3086.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions-version-updates - dependency-name: actions/dependency-review-action dependency-version: 4.8.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions-version-updates - dependency-name: actions/cache dependency-version: 5.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions-version-updates - dependency-name: awslabs/mcp dependency-version: 2026.02.20260224185711 dependency-type: direct:production dependency-group: github-actions-version-updates - dependency-name: actions/stale dependency-version: 10.2.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions-version-updates - dependency-name: aquasecurity/trivy-action dependency-version: 0.34.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: github-actions-version-updates ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
Comment on lines
+445
to
+446
| exec( | ||
| code, namespace |
Check warning
Code scanning / Bandit
Use of exec detected. Warning
Comment on lines
+461
to
+462
| exec( | ||
| code, namespace |
Check warning
Code scanning / Bandit
Use of exec detected. Warning
| download_dir = tempfile.mkdtemp(prefix='diagram-icons-') | ||
| download_path = os.path.join(download_dir, safe_name) | ||
|
|
||
| _, headers = _real_urlretrieve(url, download_path) # nosec B310 - scheme validated above |
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected Warning
Comment on lines
+445
to
+447
| exec( | ||
| code, namespace | ||
| ) # nosem: python.lang.security.audit.exec-detected.exec-detected |
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected Warning
Comment on lines
+461
to
+463
| exec( | ||
| code, namespace | ||
| ) # nosem: python.lang.security.audit.exec-detected.exec-detected |
Check warning
Code scanning / Semgrep OSS
Semgrep Finding: python.lang.security.audit.exec-detected.exec-detected Warning
Updates aquasecurity/trivy-action from v0.34.1 to v0.34.2 to resolve failing trivy workflow checks. Version 0.34.1 introduced issues causing all trivy builds to fail with exit code 1. Fixes trivy workflow failures across all MCP server builds.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR enhances the tool name validation script introduced in awslabs#616 to comprehensively detect and validate MCP tools across all registration patterns used in the codebase.
Problem Solved
The original implementation (from PR awslabs#616) only detected tools registered with the
@mcp.tool(name='...')pattern. This meant many tools in the codebase were not being validated, leading to:Changes Made
🔍 Enhanced Tool Detection (6 Patterns)
The script now detects all common MCP tool registration patterns:
@mcp.tool(name='tool_name')@mcp.tool()→ uses function nameapp.tool('tool_name')(function)mcp.tool()(function)self.mcp.tool(name='tool_name')(function)@server.tool(name='tool_name')🧹 Code Improvements
validate_tool_name()Testing Results
Verified across servers with different naming conventions:
Before vs After
Before:
@mcp.tool(name='...'))After:
Alignment with Issue awslabs#616 Goals
✅ 64-character limit enforcement - Working correctly across all patterns
✅ Naming convention validation - Validates alphanumeric, underscore, hyphen rules
✅ Flexible style support - Recommends snake_case, accepts kebab-case and PascalCase
✅ Team consistency - Warns about mixed styles within a server
✅ Non-breaking - Warnings don't fail the build (per Scott's guidance)
Feedback Addressed
Per Scott's guidance on standardization:
Related Issues
Closes awslabs#616
Checklist
Contributor Statement
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the project license.
Ready for review @scottschreckengaust