Read-only regression coverage for dynamic toolsets and aliases · github/github-mcp-server · Discussion #2194 · GitHub
Heading
Bold
Italic
Quote
Code
Link
Numbered list
Unordered list
Task list
Attach files
Mention
Reference
Menu
-
Heading
-
Bold
-
Italic
-
Quote
-
Code
-
Link
-
Numbered list
-
Unordered list
-
Task list
-
Attach files
-
Mention
-
Reference
👍
1
reacted with thumbs up emoji
👎
1
reacted with thumbs down emoji
😄
1
reacted with laugh emoji
🎉
1
reacted with hooray emoji
😕
1
reacted with confused emoji
❤️
1
reacted with heart emoji
🚀
1
reacted with rocket emoji
👀
1
reacted with eyes emoji
Footer
You can’t perform that action at this time.
Uh oh!
There was an error while loading. Please reload this page.
{{title}}
Uh oh!
There was an error while loading. Please reload this page.
-
Problem observed
The current inventory logic already fail-closes correctly in read-only mode, but there was no dedicated regression coverage for two sensitive paths: dynamic toolset enablement (ToolsForToolset) and deprecated alias lookup through ForMCPRequest().
Why it matters operationally
These paths sit directly on capability exposure boundaries. If a future inventory refactor regresses one of them, write-capable tools could become reachable in environments that operators explicitly configured as read-only.
Minimal repro
Fix approach
This change is coverage-only. It adds one regression test proving ToolsForToolset still filters out write tools under read-only mode, and one regression test proving deprecated aliases do not bypass read-only filtering when resolving a tools/call request.
Validation evidence
Open follow-up question for maintainers
Would you want similar read-only regression coverage added around lockdown-mode inventory construction as a separate follow-up, or is keeping this change scoped to the two reproduced paths the better trade-off?
Inspired by research context: CAISI publishes independent, reproducible AI agent governance research: https://caisi.dev
Beta Was this translation helpful? Give feedback.