You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Round-1 review fixes for the in-proxy profiles impl (MCP-1281/MCP-1278):
1. code_execution empty-effective-set bypass (MUST-FIX). A deny-all profile
(servers: []) or a non-overlapping token∩profile yields an empty effective
allow-list, which the JS runtime treated as "allow all" — leaking every
server through code_execution. Add ExecutionOptions.RestrictToAllowed:
when an active profile is in context, the allow-list is enforced even when
empty (empty set = deny all). Set by the profile path in
handleCodeExecution.
2. FR-011 metadata written to wrong shape (MUST-FIX). withProfileMeta smuggled
the slug into the intent submap, so records landed as
metadata.intent.profile and error paths dropped it entirely. Thread an
explicit profile slug through EmitActivityToolCallCompleted →
metadata["profile"] at top level, on success AND error paths.
3. Spec amendment (no code change): document per-request profile resolution
(hot-reload takes effect on the next request) in spec.md + data-model.md,
replacing the inaccurate "snapshot-until-reconnect" wording. Per-request
re-resolution is kept as the safer behavior.
Tests: jsruntime deny-all/non-empty enforcement + backward-compat; Activity
service metadata["profile"] (success+error, not nested); code_execution
deny-all/non-overlapping rejection at the profile path; upgraded the FR-011
integration test to assert the persisted record's metadata["profile"].
Related #622
0 commit comments