Make the MCP server project-aware to prevent cross-project data leaks#519
Make the MCP server project-aware to prevent cross-project data leaks#519frozenraindrop wants to merge 1 commit into
Conversation
chuenchen309
left a comment
There was a problem hiding this comment.
Read through this and checked it out locally — the design is sound and the cross-project-leak concern is real (the MCP tools otherwise expose every registered project's contents with no signal about which one is authoritative).
A few things I verified:
instructionsis a validServerOptionsfield in the SDK version pinned here, so the server-level guidance is delivered through the supported channel rather than a custom hack.- The
{ ...health, ...projects, ...multiProjectWarning(...) }spread is safe — neither the health payload nor the projects response carries awarningkey, so nothing gets clobbered. multiProjectWarningcorrectly no-ops for the single-project case (length <= 1), so existing single-project users see zero behavior change.tsc --noEmitis clean and the existing test suite still passes.
The layering is nice: server-level instructions + the per-tool project_id: 'current' default enforce the isolation mechanically, and the warning on status/projects is a visible belt-and-suspenders on exactly the two discovery tools where an agent would first notice multiple projects exist.
LGTM from my read.
|
Following up on my own note about where the warning lands — thinking about it more, there's one coverage gap worth considering rather than the two enumeration tools being sufficient on their own. The
|
What this fixes
When multiple projects exist, an AI assistant using the llm-wiki MCP server had no clear signal about which project it should be working with. That opened the door for a request meant for one project to accidentally pull data from a different one, without ever checking in with the user first.
What changed
What this doesn't fix yet
These two changes rely on the assistant reading and following the guidance — they're a strong nudge, not a hard guarantee. A separate, more involved fix (binding a session to one project, or having the server ask the user directly when it's unclear) would close this properly. That's being filed as a follow-up issue rather than bundled into this PR.
Testing
Type-checked and built cleanly (tsc --noEmit, npm run build). No behavior changes for the single-project case.