
Use executor HTTP layer for GraphQL discovery #1103

Closed
RhysSullivan wants to merge 1 commit into fix/mcp-hosted-egress-guard from fix/graphql-hosted-egress-guard

@RhysSullivan

Owner

What changed

  • Remove the unguarded GraphQL FetchHttpClient fallback in resolveTools.
  • Require GraphQL discovery to use the executor-supplied HTTP layer.
  • Add a regression proving the plugin uses the injected layer during schema discovery.

Why

GraphQL account creation and discovery could perform server-side introspection through an unguarded network path.

Validation

  • bun --bun vitest run src/sdk/plugin.test.ts src/sdk/multi-placement-auth.test.ts from packages/plugins/graphql
  • bun run --cwd packages/plugins/graphql typecheck
  • bun run --cwd packages/core/sdk typecheck

Stack

Base: fix/mcp-hosted-egress-guard

Previous: #1102

Next: fix/openapi-hosted-origin-guard

@github-actions

github-actions Bot commented Jun 23, 2026

Contributor

Cloudflare preview

Torn down — the PR is closed.

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 23, 2026


Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
| --- | --- | --- | --- | --- |
| ✅ Deployment successful! | executor-marketing | 5865d0c | Commit Preview URL, Branch Preview URL | Jun 23 2026, 06:15 PM |

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 23, 2026


Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

| Status | Name | Latest Commit | Updated (UTC) |
| --- | --- | --- | --- |
| ✅ Deployment successful! | executor-cloud | 5865d0c | Jun 23 2026, 06:17 PM |

@pkg-pr-new

pkg-pr-new Bot commented Jun 23, 2026


@executor-js/cli

npm i https://pkg.pr.new/@executor-js/cli@1103

@executor-js/config

npm i https://pkg.pr.new/@executor-js/config@1103

@executor-js/execution

npm i https://pkg.pr.new/@executor-js/execution@1103

@executor-js/sdk

npm i https://pkg.pr.new/@executor-js/sdk@1103

@executor-js/codemode-core

npm i https://pkg.pr.new/@executor-js/codemode-core@1103

@executor-js/runtime-quickjs

npm i https://pkg.pr.new/@executor-js/runtime-quickjs@1103

@executor-js/plugin-file-secrets

npm i https://pkg.pr.new/@executor-js/plugin-file-secrets@1103

@executor-js/plugin-graphql

npm i https://pkg.pr.new/@executor-js/plugin-graphql@1103

@executor-js/plugin-keychain

npm i https://pkg.pr.new/@executor-js/plugin-keychain@1103

@executor-js/plugin-mcp

npm i https://pkg.pr.new/@executor-js/plugin-mcp@1103

@executor-js/plugin-onepassword

npm i https://pkg.pr.new/@executor-js/plugin-onepassword@1103

@executor-js/plugin-openapi

npm i https://pkg.pr.new/@executor-js/plugin-openapi@1103

executor

npm i https://pkg.pr.new/executor@1103

commit: f2e5bc2

@RhysSullivan RhysSullivan force-pushed the fix/mcp-hosted-egress-guard branch from cfa7e54 to f3967a6 Compare June 23, 2026 16:59
@RhysSullivan RhysSullivan force-pushed the fix/graphql-hosted-egress-guard branch from 12d79c6 to 36facc5 Compare June 23, 2026 17:00
@RhysSullivan RhysSullivan force-pushed the fix/mcp-hosted-egress-guard branch from f3967a6 to 16eb505 Compare June 23, 2026 17:06
@RhysSullivan RhysSullivan force-pushed the fix/graphql-hosted-egress-guard branch from 36facc5 to cdacfd7 Compare June 23, 2026 17:07
@RhysSullivan RhysSullivan force-pushed the fix/mcp-hosted-egress-guard branch from 16eb505 to 75ec6f1 Compare June 23, 2026 17:35
@RhysSullivan RhysSullivan force-pushed the fix/graphql-hosted-egress-guard branch from cdacfd7 to 9c24ce4 Compare June 23, 2026 17:36
@RhysSullivan RhysSullivan force-pushed the fix/mcp-hosted-egress-guard branch from 75ec6f1 to 9726c66 Compare June 23, 2026 18:01
@RhysSullivan RhysSullivan force-pushed the fix/graphql-hosted-egress-guard branch from 9c24ce4 to f2e5bc2 Compare June 23, 2026 18:01
@RhysSullivan RhysSullivan marked this pull request as ready for review June 23, 2026 18:02
@greptile-apps

greptile-apps Bot commented Jun 23, 2026


Greptile Summary

This PR closes an unguarded egress path in GraphQL connection-time introspection. Previously, resolveTools fell back to FetchHttpClient.layer (raw fetch) when no plugin-level options.httpClientLayer was provided, bypassing the executor's controlled HTTP layer even though httpClientLayer was already present in ResolveToolsInput and passed by the executor.

  • plugin.ts: Removes FetchHttpClient import and the httpClientLayerFallback constant; resolveTools now uses the executor-supplied httpClientLayer from its input as the default, matching the existing pattern in invokeTool and detect.
  • plugin.test.ts: Adds a regression test that wires a spy HttpClient layer into createExecutor and asserts all introspection traffic flows through it, confirming the fix end-to-end.

Confidence Score: 5/5

Safe to merge. The change is a targeted, minimal fix: one fallback constant replaced by the executor-supplied layer, and a regression test that confirms the new path.

The patch removes an accidental raw-fetch escape hatch in resolveTools, wires the executor-provided layer in its place (matching the already-correct invokeTool and detect paths), and adds a spy-layer test that fails if the guard is ever re-bypassed. No behavioral regressions are introduced.

No files require special attention.

Important Files Changed

| Filename | Overview |
| --- | --- |
| packages/plugins/graphql/src/sdk/plugin.ts | Removes unguarded FetchHttpClient fallback in resolveTools; now uses executor-supplied httpClientLayer, which was already present in ResolveToolsInput but was being ignored. The options?.httpClientLayer override is intentionally preserved for consistency with invokeTool and detect. |
| packages/plugins/graphql/src/sdk/plugin.test.ts | Adds a regression test that injects a spy HttpClient layer into createExecutor and asserts the plugin's connection-time introspection routes through it rather than a raw fetch. |

Sequence Diagram

```mermaid
%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Executor as Executor (createExecutor)
    participant RT as resolveTools
    participant Introspect as introspect()
    participant HttpLayer as httpClientLayer (executor-supplied)

    note over Executor,HttpLayer: Before this PR
    Executor->>RT: "resolveTools({ config, httpClientLayer })"
    RT->>Introspect: introspect(endpoint)
    Introspect->>Introspect: Effect.provide(FetchHttpClient.layer)
    note right of Introspect: Bypasses executor guard

    note over Executor,HttpLayer: After this PR
    Executor->>RT: "resolveTools({ config, httpClientLayer })"
    RT->>Introspect: introspect(endpoint)
    Introspect->>HttpLayer: Effect.provide(options?.httpClientLayer ?? httpClientLayer)
    HttpLayer-->>Introspect: Guarded HTTP response
    Introspect-->>RT: IntrospectionResult
```

Reviews (2): Last reviewed commit: "Use executor HTTP layer for GraphQL disc..."
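
The fallback described in the summary above, modelled as an added example that is not code from the PR or the project. It replaces the Effect layers with plain synchronous functions; the host allow-list, the `recordingClient`/`guardedClient` helpers and the `example.com`/`internal.example` endpoints are assumptions constructed for illustration.

```typescript
// Simplified synchronous model; only resolveTools and httpClientLayer are names from the PR.
type HttpClient = (url: string, body: string) => string;
interface ResolveToolsInput { endpoint: string; httpClientLayer: HttpClient }
interface PluginOptions { httpClientLayer?: HttpClient }

const INTROSPECTION = JSON.stringify({ query: "{ __schema { queryType { name } } }" });

// Offline stand-in for a network client; records every URL it is asked to reach.
function recordingClient(seen: string[]): HttpClient {
  return (url) => {
    seen.push(url);
    return '{"data":{"__schema":{"queryType":{"name":"Query"}}}}'; // constructed response
  };
}

// Assumed guard policy (not stated in the PR): a host allow-list in front of the real client.
function guardedClient(allowed: Set<string>, inner: HttpClient): HttpClient {
  return (url, body) => {
    const host = new URL(url).hostname;
    if (!allowed.has(host)) throw new Error(`egress blocked: ${host}`);
    return inner(url, body);
  };
}

// Before: plugin option, else a raw client; the layer the executor passed in is ignored.
function resolveToolsBefore(input: ResolveToolsInput, raw: HttpClient, options?: PluginOptions) {
  return (options?.httpClientLayer ?? raw)(input.endpoint, INTROSPECTION);
}

// After: plugin option, else the executor-supplied layer; no raw fallback remains.
function resolveToolsAfter(input: ResolveToolsInput, options?: PluginOptions) {
  return (options?.httpClientLayer ?? input.httpClientLayer)(input.endpoint, INTROSPECTION);
}

// Runs both variants against constructed endpoints and reports which client saw the traffic.
function runDemo() {
  const rawSeen: string[] = [];
  const guardedSeen: string[] = [];
  const guard = guardedClient(new Set(["api.example.com"]), recordingClient(guardedSeen));
  const offList = { endpoint: "http://internal.example/graphql", httpClientLayer: guard };
  const onList = { endpoint: "https://api.example.com/graphql", httpClientLayer: guard };

  resolveToolsBefore(offList, recordingClient(rawSeen)); // request goes out unguarded
  let blocked = "";
  try { resolveToolsAfter(offList); } catch (e) { blocked = (e as Error).message; }
  resolveToolsAfter(onList); // allowed, and observed by the guard
  return { rawSeen, guardedSeen, blocked };
}
```

In both variants a plugin-level `options.httpClientLayer` still takes precedence, so the guard only applies when that option is unset or is itself guarded.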

@RhysSullivan RhysSullivan force-pushed the fix/mcp-hosted-egress-guard branch from 9726c66 to db1ee2c Compare June 23, 2026 18:11
@RhysSullivan RhysSullivan force-pushed the fix/graphql-hosted-egress-guard branch from f2e5bc2 to 5865d0c Compare June 23, 2026 18:11
@RhysSullivan

Owner Author

Superseded by batch merge #1106.
