Skip to content

fix: default deny piece mcp servers#524

Merged
j5ik2o merged 4 commits intomainfrom
fix/piece-mcp-servers-default-deny
Mar 19, 2026
Merged

fix: default deny piece mcp servers#524
j5ik2o merged 4 commits intomainfrom
fix/piece-mcp-servers-default-deny

Conversation

@j5ik2o
Copy link
Collaborator

@j5ik2o j5ik2o commented Mar 15, 2026

Summary

  • make all piece-level MCP transports default-deny
  • require explicit project/global opt-in for stdio, http, and sse
  • keep the underlying MCP transport support intact for trusted configurations

Why this draft exists

This is the stricter and more consistent version of the piece-level MCP policy.

A piece can attach MCP servers directly into the AI execution context. For stdio, that means spawning a local process. For http and sse, that means connecting to a local or remote endpoint that can still inject arbitrary tool definitions into the agent session.

That makes all three transports part of the same untrusted-piece problem.

Why all transports default to false

http and sse are not safe by default just because they do not spawn a local process.

A malicious piece can point at an attacker-controlled remote endpoint and inject tools into the agent context, or it can target localhost services that the operator already has running. From the AI's perspective, the blast radius is still tool injection.

So this draft uses a consistent default:

  • stdio: false
  • http: false
  • sse: false

What this draft changes

Piece YAML MCP servers are rejected by default for every transport.
Operators can explicitly allow transports in trusted project/global config, for example:

piece_mcp_servers:
  http: true
  sse: true

or:

piece_mcp_servers:
  stdio: true

What can go wrong without this fix

Without this change, an untrusted piece can inject MCP-backed tools into the AI runtime, either by spawning local stdio servers or by connecting to local/remote endpoints. That can expand the model's effective tool surface and lead to unintended command execution, data access, or integration abuse.

Alternatives

  • Weaker option: keep http/sse enabled by default and only block stdio
  • Middle ground rejected here: treat remote transports as safer even though they can still inject tools
  • This PR: default-deny all transports, allow explicit opt-in through trusted config

Testing

  • npm run build
  • npm test -- --run src/__tests__/models.test.ts src/__tests__/projectConfig.test.ts src/__tests__/it-piece-loader.test.ts

Tag

  • #14_Untrusted pieces can launch arbitrary MCP server commands.txt

@j5ik2o j5ik2o mentioned this pull request Mar 15, 2026
Closed
@j5ik2o j5ik2o marked this pull request as ready for review March 19, 2026 06:26
j5ik2o added 3 commits March 19, 2026 15:31
@j5ik2o
fix: default deny piece mcp servers
e1be095
@j5ik2o
fix: preserve piece MCP policy precedence
292ba0d
@j5ik2o
refactor: extract pieceMcpServers helpers and consolidate save logic
cc18dd3 
Move pieceMcpServers normalization/denormalization to
projectConfigTransforms.ts and consolidate policy save blocks
into a data-driven loop to keep projectConfig.ts under 300 lines.
@j5ik2o j5ik2o force-pushed the fix/piece-mcp-servers-default-deny branch from 38db5a3 to cc18dd3 Compare March 19, 2026 06:36
@j5ik2o
test: add missing piece_mcp_servers test coverage
f705c81 
- Explicit deny: project false overrides global true
- Global config: load and save/reload round-trip
- Env override: TAKT_PIECE_MCP_SERVERS JSON for global config
- Env override: TAKT_PIECE_MCP_SERVERS_STDIO for global config
- Env override: TAKT_PIECE_MCP_SERVERS_HTTP for project config
@j5ik2o j5ik2o force-pushed the fix/piece-mcp-servers-default-deny branch from edc83d8 to f705c81 Compare March 19, 2026 06:46
@j5ik2o j5ik2o merged commit e8484be into main Mar 19, 2026
3 of 4 checks passed
@j5ik2o j5ik2o deleted the fix/piece-mcp-servers-default-deny branch March 19, 2026 06:56
@nrslib nrslib mentioned this pull request Mar 20, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@j5ik2o