feat: add MCP network permissions (#106)

* Add proxy configuration support for MCP tools with network restrictions

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Enhance MCP configuration schema with additional properties for container, args, env, headers, and permissions

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Refactor proxy configuration handling: consolidate proxy file generation and introduce inline proxy configuration support

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Update workflow triggers for test-proxy

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Removed the step to start proxy services

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Update permissions in test-proxy workflow to allow issue reporting

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Fix proxy service naming in Docker Compose configuration

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Enhance MCP configuration handling: pass tool name to getMCPConfig and transformContainerToDockerCommand, update Docker command arguments in proxy scenarios

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Update Docker command in transformContainerToDockerCommand for proxy scenarios

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Remove unnecessary includae statements from test-proxy workflow documentation

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Enhance proxy configuration: update Docker Compose command for proxy-enabled containers, and support custom proxy arguments in MCP config.

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Add DEBUG environment variable to MCP configuration for enhanced logging

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Debugging: Update Claude Code Action to use forked version

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Enhance proxy setup: remove unused proxy domain, pre-pull Docker images, and start Squid proxy service for MCP tools

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* regenerate the yaml

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Update Claude Code Action to use forked version

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Enhance proxy configuration: enforce egress control for tools, update Docker Compose generation, and improve permission checks in tool configurations.

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* regenerate the yaml

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Enhance proxy configuration: add iptables rules to accept established connections and egress from Squid IP

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Enhance proxy configuration: update iptables rules for established connections and egress control, improve YAML generation for MCP tools

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* fmt

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* fixed some linting issues

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>

* Refactor GitHub Actions workflow to enhance output sanitization and streamline job structure

---------

Signed-off-by: Jiaxiao Zhou <duibao55328@gmail.com>
Co-authored-by: Peli de Halleux <pelikhan@users.noreply.github.com>

Author: Mossaka

.github/workflows/test-proxy.lock.yml

@@ -0,0 +1,53 @@
+---
+on:
+  pull_request:
+    branches: [ "main" ]
+  workflow_dispatch:
+
+permissions:
+  issues: write # needed to write the output report to an issue
+
+tools:
+  fetch:
+    mcp:
+      type: stdio
+      container: mcp/fetch
+      permissions:
+        network:
+          allowed: 
+            - "example.com"
+    allowed: 
+      - "fetch"
+  
+  github:
+    allowed:
+      - "create_issue"
+      - "create_comment"
+      - "get_issue"
+
+engine: claude
+runs-on: ubuntu-latest
+---
+
+# Test Network Permissions
+
+## Task Description
+
+Test the MCP network permissions feature to validate that domain restrictions are properly enforced.
+
+- Use the fetch tool to successfully retrieve content from `https://example.com/` (the only allowed domain)
+- Attempt to access blocked domains and verify they fail with network errors:
+  - `https://httpbin.org/json` 
+  - `https://api.github.com/user`
+  - `https://www.google.com/`
+  - `http://malicious-example.com/`
+- Verify that all blocked requests fail at the network level (proxy enforcement)
+- Confirm that only example.com is accessible through the Squid proxy
+
+Create a GitHub issue with the test results, documenting:
+- Which domains were successfully accessed vs blocked
+- Error messages received for blocked domains  
+- Confirmation that network isolation is working correctly
+- Any security observations or recommendations
+
+The test should demonstrate that MCP containers are properly isolated and can only access explicitly allowed domains through the network proxy.

.github/workflows/test-proxy.md

@@ -14,30 +14,133 @@
     "command": {
       "type": "string", 
       "description": "Command for stdio MCP connections"
+    },
+    "container": {
+      "type": "string",
+      "pattern": "^[a-zA-Z0-9][a-zA-Z0-9/_.-]*$",
+      "description": "Container image for stdio MCP connections (alternative to command)"
+    },
+    "args": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      },
+      "description": "Arguments for command or container execution"
+    },
+    "env": {
+      "type": "object",
+      "patternProperties": {
+        "^[A-Z_][A-Z0-9_]*$": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false,
+      "description": "Environment variables for MCP server"
+    },
+    "headers": {
+      "type": "object",
+      "patternProperties": {
+        "^[A-Za-z0-9-]+$": {
+          "type": "string"
+        }
+      },
+      "additionalProperties": false,
+      "description": "HTTP headers for HTTP MCP connections"
+    },
+    "permissions": {
+      "type": "object",
+      "properties": {
+        "network": {
+          "type": "object",
+          "properties": {
+            "allowed": {
+              "type": "array",
+              "items": {
+                "type": "string",
+                "pattern": "^[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?(\\.[a-zA-Z0-9]([a-zA-Z0-9\\-]{0,61}[a-zA-Z0-9])?)*$",
+                "description": "Allowed domain name"
+              },
+              "minItems": 1,
+              "uniqueItems": true,
+              "description": "List of allowed domain names for network access"
+            }
+          },
+          "required": ["allowed"],
+          "additionalProperties": false,
+          "description": "Network access permissions"
+        }
+      },
+      "additionalProperties": false,
+      "description": "Permissions configuration for container-based MCP servers"
     }
   },
   "required": ["type"],
-  "additionalProperties": true,
-  "if": {
-    "properties": {
-      "type": {
-        "const": "http"
+  "additionalProperties": false,
+  "allOf": [
+    {
+      "if": {
+        "properties": {
+          "type": {
+            "const": "http"
+          }
+        }
+      },
+      "then": {
+        "required": ["url"],
+        "not": {
+          "anyOf": [
+            {"required": ["command"]},
+            {"required": ["container"]},
+            {"required": ["permissions"]}
+          ]
+        }
       }
-    }
-  },
-  "then": {
-    "required": ["url"]
-  },
-  "else": {
-    "if": {
-      "properties": {
-        "type": {
-          "const": "stdio"
+    },
+    {
+      "if": {
+        "properties": {
+          "type": {
+            "const": "stdio"
+          }
+        }
+      },
+      "then": {
+        "anyOf": [
+          {"required": ["command"]},
+          {"required": ["container"]}
+        ],
+        "not": {
+          "allOf": [
+            {"required": ["command"]},
+            {"required": ["container"]}
+          ]
         }
       }
     },
-    "then": {
-      "required": ["command"]
+    {
+      "if": {
+        "required": ["container"]
+      },
+      "then": {
+        "properties": {
+          "type": {
+            "const": "stdio"
+          }
+        }
+      }
+    },
+    {
+      "if": {
+        "required": ["permissions"]
+      },
+      "then": {
+        "required": ["container"],
+        "properties": {
+          "type": {
+            "const": "stdio"
+          }
+        }
+      }
     }
-  }
+  ]
 }

pkg/parser/schemas/mcp_config_schema.json

@@ -1912,6 +1912,8 @@ func (c *Compiler) generateSafetyChecks(yaml *strings.Builder, data *WorkflowDat
 func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any, engine AgenticEngine) {
 	// Collect tools that need MCP server configuration
 	var mcpTools []string
+	var proxyTools []string
+
 	for toolName, toolValue := range tools {
 		// Standard MCP tools
 		if toolName == "github" {
@@ -1920,12 +1922,72 @@ func (c *Compiler) generateMCPSetup(yaml *strings.Builder, tools map[string]any,
 			// Check if it's explicitly marked as MCP type in the new format
 			if hasMcp, _ := hasMCPConfig(mcpConfig); hasMcp {
 				mcpTools = append(mcpTools, toolName)
+
+				// Check if this tool needs proxy
+				if needsProxySetup, _ := needsProxy(mcpConfig); needsProxySetup {
+					proxyTools = append(proxyTools, toolName)
+				}
 			}
 		}
 	}
 
-	// Sort MCP tools to ensure stable code generation
+	// Sort tools to ensure stable code generation
 	sort.Strings(mcpTools)
+	sort.Strings(proxyTools)
+
+	// Generate proxy configuration files inline for proxy-enabled tools
+	// These files will be used automatically by docker compose when MCP tools run
+	if len(proxyTools) > 0 {
+		yaml.WriteString("      - name: Setup Proxy Configuration for MCP Network Restrictions\n")
+		yaml.WriteString("        run: |\n")
+		yaml.WriteString("          echo \"Generating proxy configuration files for MCP tools with network restrictions...\"\n")
+		yaml.WriteString("          \n")
+
+		// Generate proxy configurations inline for each proxy-enabled tool
+		for _, toolName := range proxyTools {
+			if toolConfig, ok := tools[toolName].(map[string]any); ok {
+				c.generateInlineProxyConfig(yaml, toolName, toolConfig)
+			}
+		}
+
+		yaml.WriteString("          echo \"Proxy configuration files generated.\"\n")
+
+		// Pre-pull images and start squid proxy ahead of time to avoid timeouts
+		yaml.WriteString("      - name: Pre-pull images and start Squid proxy\n")
+		yaml.WriteString("        run: |\n")
+		yaml.WriteString("          set -e\n")
+		yaml.WriteString("          echo 'Pre-pulling Docker images for proxy-enabled MCP tools...'\n")
+		yaml.WriteString("          docker pull ubuntu/squid:latest\n")
+
+		// Pull each tool's container image if specified, and bring up squid service
+		for _, toolName := range proxyTools {
+			if toolConfig, ok := tools[toolName].(map[string]any); ok {
+				if mcpConf, err := getMCPConfig(toolConfig, toolName); err == nil {
+					if containerVal, hasContainer := mcpConf["container"]; hasContainer {
+						if containerStr, ok := containerVal.(string); ok && containerStr != "" {
+							yaml.WriteString(fmt.Sprintf("          echo 'Pulling %s for tool %s'\n", containerStr, toolName))
+							yaml.WriteString(fmt.Sprintf("          docker pull %s\n", containerStr))
+						}
+					}
+				}
+				yaml.WriteString(fmt.Sprintf("          echo 'Starting squid-proxy service for %s'\n", toolName))
+				yaml.WriteString(fmt.Sprintf("          docker compose -f docker-compose-%s.yml up -d squid-proxy\n", toolName))
+
+				// Enforce that egress from this tool's network can only reach the Squid proxy
+				subnetCIDR, squidIP, _ := computeProxyNetworkParams(toolName)
+				yaml.WriteString(fmt.Sprintf("          echo 'Enforcing egress to proxy for %s (subnet %s, squid %s)'\n", toolName, subnetCIDR, squidIP))
+				yaml.WriteString("          if command -v sudo >/dev/null 2>&1; then SUDO=sudo; else SUDO=; fi\n")
+				// Accept established/related connections first (position 1)
+				yaml.WriteString("          $SUDO iptables -C DOCKER-USER -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT 2>/dev/null || $SUDO iptables -I DOCKER-USER 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n")
+				// Accept all egress from Squid IP (position 2)
+				yaml.WriteString(fmt.Sprintf("          $SUDO iptables -C DOCKER-USER -s %s -j ACCEPT 2>/dev/null || $SUDO iptables -I DOCKER-USER 2 -s %s -j ACCEPT\n", squidIP, squidIP))
+				// Allow traffic to squid:3128 from the subnet (position 3)
+				yaml.WriteString(fmt.Sprintf("          $SUDO iptables -C DOCKER-USER -s %s -d %s -p tcp --dport 3128 -j ACCEPT 2>/dev/null || $SUDO iptables -I DOCKER-USER 3 -s %s -d %s -p tcp --dport 3128 -j ACCEPT\n", subnetCIDR, squidIP, subnetCIDR, squidIP))
+				// Then reject all other egress from that subnet (append to end)
+				yaml.WriteString(fmt.Sprintf("          $SUDO iptables -C DOCKER-USER -s %s -j REJECT 2>/dev/null || $SUDO iptables -A DOCKER-USER -s %s -j REJECT\n", subnetCIDR, subnetCIDR))
+			}
+		}
+	}
 
 	// If no MCP tools, no configuration needed
 	if len(mcpTools) == 0 {

pkg/workflow/compiler.go

@@ -3210,7 +3210,7 @@ func TestTransformImageToDockerCommand(t *testing.T) {
 				mcpConfig[k] = v
 			}
 
-			err := transformContainerToDockerCommand(mcpConfig)
+			err := transformContainerToDockerCommand(mcpConfig, "test")
 
 			if tt.wantErr {
 				if err == nil {