
Commit 500bcb4

committed
Enhance CommandResult.Rejected method to include rejection reason and update ExecuteCommandTool to log the reason for rejected requests
1 parent e05fcc7 commit 500bcb4

3 files changed

Lines changed: 8 additions & 5 deletions


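--- a/src/PostSharp.Engineering.McpApprovalServer/Mcp/Models/CommandResult.cs
+++ b/src/PostSharp.Engineering.McpApprovalServer/Mcp/Models/CommandResult.cs
@@ -17,11 +17,9 @@ public sealed class CommandResult
 
 public string? RejectionReason { get; init; }
 
-public static CommandResult Rejected()
+public static CommandResult Rejected( string? reason = null )
 {
-// Note: Reason is intentionally NOT included in the response to prevent
-// adaptive attacks where a compromised agent learns from rejection reasons.
-return new CommandResult { Status = "rejected", ExitCode = -1 };
+return new CommandResult { Status = "rejected", ExitCode = -1, RejectionReason = reason };
 }
 
 public static CommandResult Error( string message, int exitCode = -1 )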
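Review bot: `Rejected( string? reason = null )` now copies the reason into `RejectionReason` on the returned result, which undoes the control the deleted comment documented: withholding the reason so that a compromised agent cannot adapt its requests to the analyzer's feedback. The commit title speaks of logging the reason, but neither this hunk nor the `CommandResult.Rejected( assessment.Reason )` call in ExecuteCommandTool.cs adds a log call; the reason travels in the result instead and is presumably serialized back to the caller. If host-side diagnostics are the goal, I would keep `return new CommandResult { Status = "rejected", ExitCode = -1 };` and write `assessment.Reason` to the existing `_logger` at the call site. If the reason really has to reach the client, put a comment back that states the accepted risk, e.g. `// The reason is returned to the caller; a compromised agent can read it, so it must not reveal rule details.`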

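--- a/src/PostSharp.Engineering.McpApprovalServer/Mcp/Services/RiskAnalyzer.cs
+++ b/src/PostSharp.Engineering.McpApprovalServer/Mcp/Services/RiskAnalyzer.cs
@@ -60,6 +60,7 @@ public sealed class RiskAnalyzer
 ### Build/Package Operations
 - `dotnet build` / `dotnet test` / `dotnet pack` : LOW risk - local operations (but should normally be done in the container)
 - `dotnet nuget push`: HIGH risk - publishes packages publicly, hard to undo
+- `msbuild *.binlog` / `dotnet build *.binlog` / replaying binlog files: REJECT - binlog replay must be done on the client (in the container), not on the host
 
 ### TeamCity Operations (REST API)
 TeamCity is accessed via REST API at https://postsharp.teamcity.com/app/rest/
@@ -68,8 +69,12 @@ public sealed class RiskAnalyzer
 - GET `/app/rest/builds` - viewing build history and status
 - GET `/app/rest/builds/{id}` - viewing specific build details
 - GET `/app/rest/builds/{id}/log` - reading build logs
+- GET `/app/rest/builds/{id}/artifacts/content/{path}` - downloading build artifacts (e.g., .binlog files, log files, test results)
+- GET `/app/rest/builds/{id}/artifacts/metadata/{path}` - viewing artifact metadata
+- GET `/app/rest/builds/{id}/artifacts/children/{path}` - listing available artifacts
 - GET `/app/rest/buildTypes` - listing build configurations
 - GET `/app/rest/projects` - listing projects
+- Downloading build artifacts via any TeamCity URL (e.g., `/repository/download/...`, `/builds/id-.../artifacts/...`) is LOW risk
 - Any GET request to TeamCity API is LOW risk
 
 **Scheduling builds:**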
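Review bot: The added rule that downloading build artifacts "via any TeamCity URL" is LOW risk is tied neither to the GET method nor to the `https://postsharp.teamcity.com` host named at the top of the section. If this text is the guidance the analyzer rates requests against, a request can be rated LOW simply because it looks like an artifact download. Artifacts are build outputs and should be treated as untrusted input on the host; the new binlog REJECT rule covers replay only, not other ways a downloaded file may be opened or run there. I would narrow the line to `- GET requests that only download build artifacts from https://postsharp.teamcity.com/ are LOW risk; opening or running the downloaded file on the host is assessed separately`. Both hunks sit inside a longer text block of RiskAnalyzer that starts and ends outside them.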

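--- a/src/PostSharp.Engineering.McpApprovalServer/Mcp/Tools/ExecuteCommandTool.cs
+++ b/src/PostSharp.Engineering.McpApprovalServer/Mcp/Tools/ExecuteCommandTool.cs
@@ -133,7 +133,7 @@ public async Task<CommandResult> ExecuteCommand(
 {
 this._logger?.LogSection( "Request Rejected" );
 
-result = CommandResult.Rejected();
+result = CommandResult.Rejected( assessment.Reason );
 }
 
 // 7. Record in history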
