feat: complete MCP traffic isolation — add missing endpoints, remove leaky path routing#620
Conversation
…leaky path routing Backend (DIARCHERS-1396 Phase 2): - projects.py: add GET /api/v1/mcp/projects/<id> (getProject) - builds.py: add GET /api/v1/mcp/projects/<id>/builds/<bid> (getBuild) - jobs.py: add GET .../jobs/<jid> (getJob), .../stats, .../testruns, .../manifest - All 6 new endpoints carry full middleware: mcp_auth_required + mcp_rate_limit + check_project_access_mcp + audit_mcp - Extract _ACCESS_DENIED and _JOB_BY_PROJECT constants to eliminate string duplication
liuwei08
left a comment
There was a problem hiding this comment.
Two must-fix issues found. See inline comments for details.
|
Fixed both review findings in 15038b1: [Blocker] Duplicate class definitions in builds.py — Confirmed valid. The old [High] Silent stats parse failure in jobs.py — Confirmed valid. Added |
Summary
Phase 2 of DIARCHERS-1396: fully isolate MCP token traffic to
/api/v1/mcp/*.The original implementation used a client-side
mcpPath()regex translation layer that only covered 6 paths. Any tool method not in that mapping would silently fall through to/api/v1/*regular traffic, defeating the isolation goal.Backend — 6 new MCP endpoints
All new endpoints carry the full middleware stack:
mcp_auth_required→@mcp_rate_limit→check_project_access_mcp→ handler →audit_mcp.GET /api/v1/mcp/projects/<id>GET /api/v1/mcp/projects/<id>/builds/<bid>GET /api/v1/mcp/projects/<id>/jobs/<jid>GET /api/v1/mcp/projects/<id>/jobs/<jid>/statsGET /api/v1/mcp/projects/<id>/jobs/<jid>/testrunsGET /api/v1/mcp/projects/<id>/jobs/<jid>/manifestAlso extracted
_ACCESS_DENIEDand_JOB_BY_PROJECTconstants injobs.pyto eliminate string duplication.Test plan
ib_mcp_*tokenlist_projects,list_builds,list_jobs,get_job_log,list_job_artifacts,trigger) still workmcp_access_logcontains entries for all new endpoint calls