MCP-313 Support SONARQUBE_TOOLSETS and SONARQUBE_READ_ONLY headers

[nquinquenel]

No description provided.

[hashicorp-vault-sonar-prod]

MCP-313

[Copilot]

Pull request overview

Adds HTTP per-request tool visibility narrowing by honoring SONARQUBE_TOOLSETS and SONARQUBE_READ_ONLY headers via a wrapper around the MCP SDK stateless handler, plus documentation and tests.

Changes:

• Introduce ToolsListFilteringHandler to filter tools/list results based on per-request headers while delegating all other methods unchanged.
• Extend HttpServerTransportProvider context extraction to include toolset/read-only headers and add a capturing transport to wrap the SDK handler after server build.
• Update docs/README and add unit tests covering tool list filtering behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
src/main/java/org/sonarsource/sonarqube/mcp/transport/ToolsListFilteringHandler.java	New handler that filters tools/list results using per-request context.
src/test/java/org/sonarsource/sonarqube/mcp/transport/ToolsListFilteringHandlerTest.java	Tests for toolset/read-only filtering and delegation behavior.
src/main/java/org/sonarsource/sonarqube/mcp/transport/HttpServerTransportProvider.java	Extract new headers into context; add capturing transport and install filter hook.
src/main/java/org/sonarsource/sonarqube/mcp/SonarQubeMcpServer.java	Use capturing transport and install the tools/list filter after server build.
src/main/java/org/sonarsource/sonarqube/mcp/configuration/McpServerLaunchConfiguration.java	Expose header/env-var names for use in transport layer.
docs/http-authentication-architecture.md	Document per-request tool filtering and updated flow/headers.
README.md	Document per-request headers for narrowing tool visibility in HTTP(S) mode.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[sonarqubecloud]

SonarQube reviewer guide

Summary: Add per-request HTTP header filtering for MCP tools, allowing clients to narrow the visible toolset and enable read-only mode on individual requests without expanding server-level restrictions.

Review Focus:

• ToolsListFilteringHandler is the core of this feature—verify it correctly intercepts tools/list responses and enforces that per-request filters can only narrow, never expand, the server-level tool set
• Ensure the handler is installed early in the request pipeline (via the wrapper transport in HttpServerTransportProvider) so unfiltered responses never reach clients
• Confirm that tools/call requests for disallowed tools return METHOD_NOT_FOUND immediately without delegating to the SDK
• Review the test coverage in ToolsListFilteringHandlerTest to ensure edge cases (PROJECTS always included, read-only enforcement, combined filters) are handled correctly

Start review at: src/main/java/org/sonarsource/sonarqube/mcp/transport/ToolsListFilteringHandler.java. This new class is the security-critical component that enforces per-request tool narrowing. Its logic determines what tools clients can access, and any bugs could either leak tools or incorrectly block valid requests. The wrapping strategy in `HttpServerTransportProvider.getFilteringTransport

💬 Please send your feedback

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
85.7% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud