Filesystem Server Hardening: Enforce Read-Only Capability Boundaries #3505

Open
milaforge wants to merge 2 commits into modelcontextprotocol:main from milaforge:feat/filesystem-readonly-capability-boundaries

@milaforge milaforge commented Mar 9, 2026

Add Strict Read-Only Enforcement to Filesystem MCP Server

What

Adds a --read-only flag to the Reference Filesystem MCP Server.

When enabled, all destructive tools (write_file, edit_file, create_directory, move_file) are not registered.
The server exposes only read operations, and attempts to call write tools return METHOD_NOT_FOUND.

Why

readOnlyHint annotations currently signal safety to clients but do not enforce it at runtime.

This change enables hard read-only operation for:

  • Security: prevent filesystem modifications by automated agents
  • Reliability: avoid accidental writes in analysis/search use cases
  • Compliance: enforce least-privilege deployments

Implementation

  • Adds --read-only CLI flag (and READ_ONLY env var)
  • Conditionally registers write tools at startup
  • Refactors startup usage messaging

Behavior

  • Default: full read/write toolset (unchanged)
  • --read-only: write tools are absent from list_tools
  • Calls to write tools return METHOD_NOT_FOUND

Testing

E2E verification:

  • Standard mode: write tools registered and functional
  • Read-only mode:
    • write tools absent from list_tools
    • write calls return METHOD_NOT_FOUND
    • read tools remain functional

@milaforge milaforge marked this pull request as ready for review March 10, 2026 06:28
@milaforge milaforge force-pushed the feat/filesystem-readonly-capability-boundaries branch from b17b006 to 43aa97d Compare March 19, 2026 15:13
@cliffhall cliffhall added the enhancement (New feature or request) and server-filesystem (Reference implementation for the Filesystem MCP server - src/filesystem) labels Apr 20, 2026
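
The registration-time gating outlined in the PR description above, as an added example that is not code from this pull request or from the MCP SDK: a minimal tool registry in which read-only mode leaves the write tools unregistered, so a call to one is answered with the JSON-RPC method-not-found code (-32601). The function names, the accepted `READ_ONLY` values and the `read_file` stand-in are assumptions.

```typescript
// Added example: a self-contained model, not the server's code or the MCP SDK.
// All function names here are hypothetical.
type Handler = (args: Record<string, unknown>) => string;
interface Tool { name: string; readOnlyHint: boolean; handler: Handler }
interface CallResult { result?: string; error?: { code: number; message: string } }

const METHOD_NOT_FOUND = -32601; // JSON-RPC 2.0 "Method not found"
// Write tools as listed in the PR description.
const WRITE_TOOLS = ["write_file", "edit_file", "create_directory", "move_file"];

// --read-only flag or READ_ONLY env var; the accepted values are an assumption.
function isReadOnly(argv: string[], env: Record<string, string | undefined>): boolean {
  const v = (env["READ_ONLY"] || "").toLowerCase();
  return argv.indexOf("--read-only") !== -1 || v === "1" || v === "true";
}

// Enforcement happens here: in read-only mode the write handlers never exist,
// so no later code path (or misleading readOnlyHint) can reach them.
function buildRegistry(readOnly: boolean): Map<string, Tool> {
  const registry = new Map<string, Tool>();
  // "read_file" is a stand-in for the read tools (assumed name).
  registry.set("read_file", {
    name: "read_file", readOnlyHint: true, handler: () => "constructed contents",
  });
  if (!readOnly) {
    for (const name of WRITE_TOOLS) {
      registry.set(name, { name, readOnlyHint: false, handler: () => name + ": ok" });
    }
  }
  return registry;
}

function listTools(registry: Map<string, Tool>): string[] {
  return Array.from(registry.keys());
}

function callTool(registry: Map<string, Tool>, name: string,
                  args: Record<string, unknown> = {}): CallResult {
  const tool = registry.get(name);
  if (!tool) {
    return { error: { code: METHOD_NOT_FOUND, message: "Unknown tool: " + name } };
  }
  return { result: tool.handler(args) };
}
```

The same two checks work as a deployment smoke test: the tool listing must not contain any of the four write tools, and a direct call to each must come back as an error, not a result.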
@LuuOW LuuOW left a comment

Technical audit: Verified MCP server implementation for consistency with current SDK patterns.
