Refine threat-model prompt and update MCP server prompt handling #22
Merged
…onality
- Integrated express-rate-limit to limit requests to the MCP endpoint.
- Updated MCP server to register native prompts for client compatibility.
- Enhanced error handling in MCP POST request to ensure consistent responses.
- Improved JSON parsing error handling to avoid stack leaks.
- Updated dependencies in package.json and package-lock.json for better stability and performance.
…aid tooling integration
Pull request overview
This pull request refines the threat modeling prompt and updates the MCP server infrastructure to better support security-focused workflows. The changes improve request security, add rate limiting, and expand the threat-model prompt with comprehensive Mermaid diagram validation requirements and a more detailed output structure aligned with the threat-model-lite skill.
Changes:
- Enhanced threat-model prompt with mandatory Mermaid diagram validation using VSCode extension tools, detailed DFD requirements, and expanded 4Q framework guidance
- Improved MCP server security with header redaction, request body size limits, rate limiting (120 req/min on MCP endpoints), and enhanced error handling
- Added dual-exposure pattern for prompts (both as MCP tools and native MCP prompts) for client compatibility
- Updated application-security-architect agent with Mermaid Chart tool declarations
Reviewed changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/middlewares/reqInfo.js | Adds header redaction function to prevent logging of auth tokens, removes body from req.info |
| src/mcp_tools/list_prompts.js | Changes inputSchema from plain object to z.object({}) wrapper |
| src/mcp_tools/get_prompt.js | Adds isError flag to error responses for better error handling |
| src/mcp_server.js | Adds registerPrompt loop to expose prompts via native MCP protocol in addition to tools |
| src/express_app.js | Adds express-rate-limit, JSON body parser with 1MB limit, enhanced error handling, and try-catch for MCP POST handler |
| prompts/threat-model.prompt.md | Expands from 91 to 288 lines with comprehensive Mermaid tooling requirements, detailed DFD/sequence diagram specs, and structured 10-section output format |
| package.json | Removes unused ajv dependency, adds express-rate-limit as direct dependency |
| package-lock.json | Updates dependencies including MCP SDK to 1.26.0, express to 5.2.1, and various dev dependencies |
| agents/application-security-architect.agent.md | Adds Mermaid Chart VSCode extension tools to the agent's tool list |
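The request-hardening pieces this review describes (header redaction before logging, a 1 MB JSON body limit, a 120 requests-per-minute limiter, and parse errors that never expose a stack), as an added example that is not the project's code: dependency-free Node functions that mirror the behaviour rather than calling express or express-rate-limit, with the sensitive-header list and the error response shape being assumptions.

```javascript
// Added example, not the project's own code. Plain Node, no express.

// Assumed list of headers whose values must never reach a log line.
const SENSITIVE_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie', 'x-api-key']);

// Return a copy of the headers safe to log: auth-bearing values replaced, others untouched.
function redactHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name] = SENSITIVE_HEADERS.has(name.toLowerCase()) ? '[REDACTED]' : value;
  }
  return out;
}

const MAX_BODY_BYTES = 1024 * 1024; // 1 MB, matching the review's JSON body limit

// Parse a raw request body. Failures map to a fixed, client-facing shape;
// err.message and err.stack are deliberately not forwarded (no stack leaks).
function parseJsonBody(raw) {
  if (Buffer.byteLength(raw, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, status: 413, error: { message: 'Request body too large' } };
  }
  try {
    return { ok: true, body: JSON.parse(raw) };
  } catch (err) {
    return { ok: false, status: 400, error: { message: 'Invalid JSON' } };
  }
}

// Fixed-window limiter keyed per client (e.g. by IP): at most `limit` requests
// per `windowMs`. Defaults are the 120 req/min the review states for MCP endpoints.
function createRateLimiter({ limit = 120, windowMs = 60_000 } = {}) {
  const windows = new Map(); // key -> { start, count }
  return function allow(key, now = Date.now()) {
    const w = windows.get(key);
    if (!w || now - w.start >= windowMs) {
      windows.set(key, { start: now, count: 1 }); // new window
      return true;
    }
    w.count += 1;
    return w.count <= limit;
  };
}
```

In the real handler the redacted copy is what goes into req.info and the log, `parseJsonBody` replaces a bare `JSON.parse`, and `allow(clientKey)` runs before the MCP POST body is touched.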
Convert to plain object syntax to maintain consistency across other tools. Will address in a future update.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Description:
- src/mcp_server.js to expose and route the revised prompt endpoints and to map prompt metadata to the new prompt structure. See src/mcp_server.js.
- server.js wiring to register the updated MCP routes and startup behavior. See server.js.
- src/mcp_tools/get_prompt.js and related prompt-listing helpers to return the new prompt metadata shape. See src/mcp_tools/get_prompt.js and src/mcp_tools/list_prompts.js.