
MCP-313 Support SONARQUBE_TOOLSETS and SONARQUBE_READ_ONLY headers#235

Open
nquinquenel wants to merge 2 commits into master from feature/nq/MCP-313-toolset-readonly

Conversation

@nquinquenel (Member)

No description provided.


hashicorp-vault-sonar-prod bot commented Feb 26, 2026

MCP-313


Copilot AI left a comment


Pull request overview

Adds HTTP per-request tool visibility narrowing by honoring SONARQUBE_TOOLSETS and SONARQUBE_READ_ONLY headers via a wrapper around the MCP SDK stateless handler, plus documentation and tests.

Changes:

  • Introduce ToolsListFilteringHandler to filter tools/list results based on per-request headers while delegating all other methods unchanged.
  • Extend HttpServerTransportProvider context extraction to include toolset/read-only headers and add a capturing transport to wrap the SDK handler after server build.
  • Update docs/README and add unit tests covering tool list filtering behavior.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 5 comments.

Summary per file:

  • src/main/java/org/sonarsource/sonarqube/mcp/transport/ToolsListFilteringHandler.java: New handler that filters tools/list results using per-request context.
  • src/test/java/org/sonarsource/sonarqube/mcp/transport/ToolsListFilteringHandlerTest.java: Tests for toolset/read-only filtering and delegation behavior.
  • src/main/java/org/sonarsource/sonarqube/mcp/transport/HttpServerTransportProvider.java: Extract new headers into context; add capturing transport and install filter hook.
  • src/main/java/org/sonarsource/sonarqube/mcp/SonarQubeMcpServer.java: Use capturing transport and install the tools/list filter after server build.
  • src/main/java/org/sonarsource/sonarqube/mcp/configuration/McpServerLaunchConfiguration.java: Expose header/env-var names for use in transport layer.
  • docs/http-authentication-architecture.md: Document per-request tool filtering and updated flow/headers.
  • README.md: Document per-request headers for narrowing tool visibility in HTTP(S) mode.


@nquinquenel nquinquenel marked this pull request as ready for review February 26, 2026 16:05
@nquinquenel nquinquenel force-pushed the feature/nq/MCP-313-toolset-readonly branch from 58b7fe5 to 571c2b7 on February 26, 2026 18:29
@sonarqubecloud

SonarQube reviewer guide


Summary: Add per-request HTTP header filtering for MCP tools, allowing clients to narrow the visible toolset and enable read-only mode on individual requests without expanding server-level restrictions.

Review Focus:

  • ToolsListFilteringHandler is the core of this feature—verify it correctly intercepts tools/list responses and enforces that per-request filters can only narrow, never expand, the server-level tool set
  • Ensure the handler is installed early in the request pipeline (via the wrapper transport in HttpServerTransportProvider) so unfiltered responses never reach clients
  • Confirm that tools/call requests for disallowed tools return METHOD_NOT_FOUND immediately without delegating to the SDK
  • Review the test coverage in ToolsListFilteringHandlerTest to ensure edge cases (PROJECTS always included, read-only enforcement, combined filters) are handled correctly

Start review at: src/main/java/org/sonarsource/sonarqube/mcp/transport/ToolsListFilteringHandler.java. This new class is the security-critical component that enforces per-request tool narrowing. Its logic determines what tools clients can access, and any bugs could either leak tools or incorrectly block valid requests. The wrapping strategy in `HttpServerTransportProvider.getFilteringTransport

Quality Gate passed

Issues
0 New issues
0 Accepted issues
0 Dependency risks

Measures
0 Security Hotspots
85.7% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud
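Added example, not code from the project under review: a Python model of the narrowing behaviour the two reviews above describe (per-request filters only narrow, PROJECTS is always kept, read-only hides mutating tools, and tools/call on a hidden tool fails with METHOD_NOT_FOUND before reaching the SDK). Tool names, toolset names other than PROJECTS, the comma-separated header syntax and the JSON-RPC -32601 code are constructed assumptions; the model also shows that a header cannot re-enable a toolset the server already disabled.

```python
# Added example (not code from the sonarqube-mcp-server project): a model of the
# per-request narrowing the review describes. Tool names, toolset names other than
# PROJECTS, the header syntax and the JSON-RPC error code are constructed assumptions.
from dataclasses import dataclass

METHOD_NOT_FOUND = -32601  # JSON-RPC 2.0 "Method not found" (assumed mapping)


@dataclass(frozen=True)
class Tool:
    name: str
    toolset: str
    read_only: bool


CATALOG = [  # constructed catalogue standing in for the full tool registry
    Tool("list_projects", "PROJECTS", True),
    Tool("search_issues", "ISSUES", True),
    Tool("change_issue_status", "ISSUES", False),
    Tool("get_hotspot", "HOTSPOTS", True),
]


def server_tools(enabled_toolsets):
    """Server-level restriction (e.g. from env vars): the ceiling for every request."""
    return [t for t in CATALOG if t.toolset in enabled_toolsets or t.toolset == "PROJECTS"]


def visible_tools(server_set, headers):
    """Per-request view: intersect with the server set, never add to it."""
    raw = (headers.get("SONARQUBE_TOOLSETS") or "").strip()
    requested = {s.strip().upper() for s in raw.split(",") if s.strip()} or None
    read_only = (headers.get("SONARQUBE_READ_ONLY") or "").strip().lower() in {"true", "1"}
    out = []
    for t in server_set:
        if requested is not None and t.toolset != "PROJECTS" and t.toolset not in requested:
            continue  # toolset not requested on this call (PROJECTS is always kept)
        if read_only and not t.read_only:
            continue  # a read-only request hides every mutating tool
        out.append(t)
    return out


def handle(request, server_set, headers):
    """tools/list and tools/call see only the narrowed view; other methods pass through."""
    allowed = {t.name for t in visible_tools(server_set, headers)}
    if request["method"] == "tools/list":
        return {"result": {"tools": sorted(allowed)}}
    if request["method"] == "tools/call":
        name = request["params"]["name"]
        if name not in allowed:  # hidden tools fail fast, before the SDK sees them
            return {"error": {"code": METHOD_NOT_FOUND, "message": f"Unknown tool: {name}"}}
    return {"result": "delegated to SDK"}
```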
