Enhance CommandResult.Rejected method to include rejection reason and update ExecuteCommandTool to log the reason for rejected requests

Author: gfraiteur

src/PostSharp.Engineering.McpApprovalServer/Mcp/Models/CommandResult.cs

@@ -17,11 +17,9 @@ public sealed class CommandResult
 
     public string? RejectionReason { get; init; }
 
-    public static CommandResult Rejected()
+    public static CommandResult Rejected( string? reason = null )
     {
-        // Note: Reason is intentionally NOT included in the response to prevent
-        // adaptive attacks where a compromised agent learns from rejection reasons.
-        return new CommandResult { Status = "rejected", ExitCode = -1 };
+        return new CommandResult { Status = "rejected", ExitCode = -1, RejectionReason = reason };
     }
 
     public static CommandResult Error( string message, int exitCode = -1 )

src/PostSharp.Engineering.McpApprovalServer/Mcp/Services/RiskAnalyzer.cs

@@ -60,6 +60,7 @@ public sealed class RiskAnalyzer
                                               ### Build/Package Operations
                                               - `dotnet build` / `dotnet test` / `dotnet pack` : LOW risk - local operations (but should normally be done in the container)
                                               - `dotnet nuget push`: HIGH risk - publishes packages publicly, hard to undo
+                                              - `msbuild *.binlog` / `dotnet build *.binlog` / replaying binlog files: REJECT - binlog replay must be done on the client (in the container), not on the host
 
                                               ### TeamCity Operations (REST API)
                                               TeamCity is accessed via REST API at https://postsharp.teamcity.com/app/rest/
@@ -68,8 +69,12 @@ public sealed class RiskAnalyzer
                                               - GET `/app/rest/builds` - viewing build history and status
                                               - GET `/app/rest/builds/{id}` - viewing specific build details
                                               - GET `/app/rest/builds/{id}/log` - reading build logs
+                                              - GET `/app/rest/builds/{id}/artifacts/content/{path}` - downloading build artifacts (e.g., .binlog files, log files, test results)
+                                              - GET `/app/rest/builds/{id}/artifacts/metadata/{path}` - viewing artifact metadata
+                                              - GET `/app/rest/builds/{id}/artifacts/children/{path}` - listing available artifacts
                                               - GET `/app/rest/buildTypes` - listing build configurations
                                               - GET `/app/rest/projects` - listing projects
+                                              - Downloading build artifacts via any TeamCity URL (e.g., `/repository/download/...`, `/builds/id-.../artifacts/...`) is LOW risk
                                               - Any GET request to TeamCity API is LOW risk
 
                                               **Scheduling builds:**

src/PostSharp.Engineering.McpApprovalServer/Mcp/Tools/ExecuteCommandTool.cs

@@ -133,7 +133,7 @@ public async Task<CommandResult> ExecuteCommand(
             {
                 this._logger?.LogSection( "Request Rejected" );
 
-                result = CommandResult.Rejected();
+                result = CommandResult.Rejected( assessment.Reason );
             }
 
             // 7. Record in history