Merge pull request #257 from githubnext/copilot/add-mount-support-mcp-gateway

Author: pelikhan

internal/config/config_test.go

@@ -802,6 +802,26 @@ func TestLoadFromStdin_InvalidMountFormat(t *testing.T) {
 			mounts:   `["/host::ro"]`,
 			errorMsg: "validation error",
 		},
+		{
+			name:     "relative source path",
+			mounts:   `["relative/path:/container:ro"]`,
+			errorMsg: "mount source must be an absolute path",
+		},
+		{
+			name:     "relative destination path",
+			mounts:   `["/host:relative/path:ro"]`,
+			errorMsg: "mount destination must be an absolute path",
+		},
+		{
+			name:     "dot relative source",
+			mounts:   `["./config:/app/config:ro"]`,
+			errorMsg: "mount source must be an absolute path",
+		},
+		{
+			name:     "dot relative destination",
+			mounts:   `["/host/config:./config:ro"]`,
+			errorMsg: "mount destination must be an absolute path",
+		},
 	}
 
 	for _, tt := range tests {

internal/config/rules/rules.go

@@ -106,6 +106,10 @@ func TimeoutPositive(timeout int, fieldName, jsonPath string) *ValidationError {
 
 // MountFormat validates a mount specification in the format "source:dest:mode"
 // Returns nil if valid, *ValidationError if invalid
+// Per MCP Gateway specification v1.7.0 section 4.1.5:
+// - Host path MUST be an absolute path
+// - Container path MUST be an absolute path
+// - Mode MUST be either "ro" (read-only) or "rw" (read-write)
 func MountFormat(mount, jsonPath string, index int) *ValidationError {
 	parts := strings.Split(mount, ":")
 	if len(parts) != 3 {
@@ -125,7 +129,17 @@ func MountFormat(mount, jsonPath string, index int) *ValidationError {
 			Field:      "mounts",
 			Message:    fmt.Sprintf("mount source cannot be empty in '%s'", mount),
 			JSONPath:   fmt.Sprintf("%s.mounts[%d]", jsonPath, index),
-			Suggestion: "Provide a valid source path",
+			Suggestion: "Provide a valid absolute source path (e.g., '/host/path')",
+		}
+	}
+
+	// Validate source is an absolute path (MCP spec requirement)
+	if !strings.HasPrefix(source, "/") {
+		return &ValidationError{
+			Field:      "mounts",
+			Message:    fmt.Sprintf("mount source must be an absolute path, got '%s'", source),
+			JSONPath:   fmt.Sprintf("%s.mounts[%d]", jsonPath, index),
+			Suggestion: "Use an absolute path starting with '/' (e.g., '/var/data' instead of 'data')",
 		}
 	}
 
@@ -135,7 +149,17 @@ func MountFormat(mount, jsonPath string, index int) *ValidationError {
 			Field:      "mounts",
 			Message:    fmt.Sprintf("mount destination cannot be empty in '%s'", mount),
 			JSONPath:   fmt.Sprintf("%s.mounts[%d]", jsonPath, index),
-			Suggestion: "Provide a valid destination path",
+			Suggestion: "Provide a valid absolute destination path (e.g., '/app/data')",
+		}
+	}
+
+	// Validate dest is an absolute path (MCP spec requirement)
+	if !strings.HasPrefix(dest, "/") {
+		return &ValidationError{
+			Field:      "mounts",
+			Message:    fmt.Sprintf("mount destination must be an absolute path, got '%s'", dest),
+			JSONPath:   fmt.Sprintf("%s.mounts[%d]", jsonPath, index),
+			Suggestion: "Use an absolute path starting with '/' (e.g., '/app/data' instead of 'app/data')",
 		}
 	}
 

internal/config/rules/rules_test.go

@@ -236,6 +236,68 @@ func TestMountFormat(t *testing.T) {
 			shouldErr: true,
 			errMsg:    "invalid mount mode",
 		},
+		{
+			name:      "invalid source - relative path",
+			mount:     "relative/path:/container/path:ro",
+			jsonPath:  "mcpServers.github",
+			index:     0,
+			shouldErr: true,
+			errMsg:    "mount source must be an absolute path",
+		},
+		{
+			name:      "invalid dest - relative path",
+			mount:     "/host/path:relative/path:ro",
+			jsonPath:  "mcpServers.github",
+			index:     0,
+			shouldErr: true,
+			errMsg:    "mount destination must be an absolute path",
+		},
+		{
+			name:      "invalid source - dot relative",
+			mount:     "./config:/app/config:ro",
+			jsonPath:  "mcpServers.github",
+			index:     0,
+			shouldErr: true,
+			errMsg:    "mount source must be an absolute path",
+		},
+		{
+			name:      "invalid dest - dot relative",
+			mount:     "/host/config:./config:ro",
+			jsonPath:  "mcpServers.github",
+			index:     0,
+			shouldErr: true,
+			errMsg:    "mount destination must be an absolute path",
+		},
+		{
+			name:      "invalid source - parent relative",
+			mount:     "../config:/app/config:ro",
+			jsonPath:  "mcpServers.github",
+			index:     0,
+			shouldErr: true,
+			errMsg:    "mount source must be an absolute path",
+		},
+		{
+			name:      "invalid dest - parent relative",
+			mount:     "/host/config:../config:ro",
+			jsonPath:  "mcpServers.github",
+			index:     0,
+			shouldErr: true,
+			errMsg:    "mount destination must be an absolute path",
+		},
+		{
+			name:      "valid mount - root paths",
+			mount:     "/:/root:ro",
+			jsonPath:  "mcpServers.github",
+			index:     0,
+			shouldErr: false,
+		},
+		{
+			name:      "valid mount - deep nested paths",
+			mount:     "/var/lib/docker/volumes/data:/app/data/volumes:rw",
+			jsonPath:  "mcpServers.github",
+			index:     0,
+			shouldErr: false,
+		},
 	}
 
 	for _, tt := range tests {

internal/difc/difc_test.go

@@ -268,7 +268,7 @@ func TestFormatViolationError(t *testing.T) {
 			SecrecyToAdd: []Tag{"private"},
 			Reason:       "Empty agent cannot access private resource",
 		}
-		agentSecrecy := NewSecrecyLabel()   // Empty
+		agentSecrecy := NewSecrecyLabel()     // Empty
 		agentIntegrity := NewIntegrityLabel() // Empty
 
 		resource := NewLabeledResource("private-resource")