feat(@angular/cli): validate workspace paths against allowed MCP roots

Author: amishne

packages/angular/cli/src/commands/mcp/tools/build.ts

@@ -41,6 +41,7 @@ export async function runBuild(input: BuildToolInput, context: McpToolContext) {
     workspacePathInput: input.workspace,
     projectNameInput: input.project,
     mcpWorkspace: context.workspace,
+    server: context.server,
   });
 
   // Build "ng"'s command line.

packages/angular/cli/src/commands/mcp/tools/devserver/devserver-start.ts

@@ -48,6 +48,7 @@ export async function startDevserver(input: DevserverStartToolInput, context: Mc
     workspacePathInput: input.workspace,
     projectNameInput: input.project,
     mcpWorkspace: context.workspace,
+    server: context.server,
   });
 
   const key = getDevserverKey(workspacePath, projectName);

packages/angular/cli/src/commands/mcp/tools/devserver/devserver-stop.ts

@@ -32,6 +32,7 @@ export async function stopDevserver(input: DevserverStopToolInput, context: McpT
     workspacePathInput: input.workspace,
     projectNameInput: input.project,
     mcpWorkspace: context.workspace,
+    server: context.server,
   });
   const key = getDevserverKey(workspacePath, projectName);
   const devserver = context.devservers.get(key);

packages/angular/cli/src/commands/mcp/tools/devserver/devserver-wait-for-build.ts

@@ -62,6 +62,7 @@ export async function waitForDevserverBuild(
     workspacePathInput: input.workspace,
     projectNameInput: input.project,
     mcpWorkspace: context.workspace,
+    server: context.server,
   });
   const key = getDevserverKey(workspacePath, projectName);
   const devserver = context.devservers.get(key);

packages/angular/cli/src/commands/mcp/tools/e2e.ts

@@ -35,6 +35,7 @@ export async function runE2e(input: E2eToolInput, host: Host, context: McpToolCo
     workspacePathInput: input.workspace,
     projectNameInput: input.project,
     mcpWorkspace: context.workspace,
+    server: context.server,
   });
 
   if (workspace && projectName) {

packages/angular/cli/src/commands/mcp/tools/modernize.ts

@@ -111,6 +111,7 @@ export async function runModernization(input: ModernizeInput, context: McpToolCo
     workspacePathInput: input.workspace,
     projectNameInput: input.project,
     mcpWorkspace: context.workspace,
+    server: context.server,
   });
 
   const instructions: string[] = [];

packages/angular/cli/src/commands/mcp/tools/test.ts

@@ -43,6 +43,7 @@ export async function runTest(input: TestToolInput, context: McpToolContext) {
     workspacePathInput: input.workspace,
     projectNameInput: input.project,
     mcpWorkspace: context.workspace,
+    server: context.server,
   });
 
   // Build "ng"'s command line.

packages/angular/cli/src/commands/mcp/workspace-utils.ts

@@ -7,7 +7,9 @@
  */
 
 import { workspaces } from '@angular-devkit/core';
-import { dirname, join } from 'node:path';
+import { type McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
+import { dirname, isAbsolute, join, relative as relativePath, resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
 import { AngularWorkspace } from '../../utilities/config';
 import { type Host, LocalWorkspaceHost } from './host';
 import { McpToolContext } from './tools/tool-registry';
@@ -92,11 +94,13 @@ export async function resolveWorkspaceAndProject({
   workspacePathInput,
   projectNameInput,
   mcpWorkspace,
+  server,
 }: {
   host: Host;
   workspacePathInput?: string;
   projectNameInput?: string;
   mcpWorkspace?: AngularWorkspace;
+  server?: McpServer;
 }): Promise<{
   workspace: AngularWorkspace;
   workspacePath: string;
@@ -106,6 +110,29 @@ export async function resolveWorkspaceAndProject({
   let workspace: AngularWorkspace;
 
   if (workspacePathInput) {
+    if (server) {
+      // Validate that the provided workspace path is within the allowed MCP roots.
+      // This prevents attackers from tricking the server into loading and executing code
+      // from arbitrary locations on the filesystem.
+      const rootsResponse = await server.server.listRoots();
+      const roots = rootsResponse.roots;
+      const normalizedInputPath = resolve(workspacePathInput);
+
+      const isAllowed = roots.some((root) => {
+        const rootPath = resolve(fileURLToPath(root.uri));
+        const relative = relativePath(rootPath, normalizedInputPath);
+
+        return !relative.startsWith('..') && !isAbsolute(relative);
+      });
+
+      if (!isAllowed) {
+        throw new Error(
+          `Workspace path is outside the allowed MCP roots: ${workspacePathInput}. ` +
+            "You can use 'list_projects' to find available workspaces.",
+        );
+      }
+    }
+
     if (!host.existsSync(workspacePathInput)) {
       throw new Error(
         `Workspace path does not exist: ${workspacePathInput}. ` +

packages/angular/cli/src/commands/mcp/workspace-utils_spec.ts

@@ -179,6 +179,42 @@ describe('MCP Workspace Utils', () => {
       expect(AngularWorkspace.load).toHaveBeenCalledWith('/my/workspace/angular.json');
     });
 
+    it('should allow provided workspace within allowed MCP roots', async () => {
+      const mockServer = {
+        server: {
+          listRoots: jasmine.createSpy('listRoots').and.resolveTo({
+            roots: [{ uri: 'file:///my/' }],
+          }),
+        },
+      } as any;
+
+      const result = await resolveWorkspaceAndProject({
+        host: mockHost,
+        workspacePathInput: '/my/workspace',
+        server: mockServer,
+      });
+      expect(result.workspacePath).toBe('/my/workspace');
+      expect(AngularWorkspace.load).toHaveBeenCalledWith('/my/workspace/angular.json');
+    });
+
+    it('should reject provided workspace outside allowed MCP roots', async () => {
+      const mockServer = {
+        server: {
+          listRoots: jasmine.createSpy('listRoots').and.resolveTo({
+            roots: [{ uri: 'file:///other/' }],
+          }),
+        },
+      } as any;
+
+      await expectAsync(
+        resolveWorkspaceAndProject({
+          host: mockHost,
+          workspacePathInput: '/my/workspace',
+          server: mockServer,
+        }),
+      ).toBeRejectedWithError(/Workspace path is outside the allowed MCP roots/);
+    });
+
     it('should throw if provided workspace does not exist', async () => {
       mockHost.existsSync.and.returnValue(false);
       await expectAsync(