Skip to content

Commit ce425f0

Browse files
Dumbrisclaude
andauthored
fix(mcp): point quarantine remediation at quarantine_security, not upstream_servers (#816)
The quarantined-server block message and add-server quarantine response told agents to run upstream_servers with operation 'list_quarantined' / 'inspect_quarantined', but those operations moved to the quarantine_security tool — following the instructions returns "Unknown operation: list_quarantined" (verified live in v0.47.0-rc.4 release QA), a dead-end remediation. The text also implied upstream_servers can unquarantine, which it cannot. Update instructions/next_steps/review_commands to reference quarantine_security and the tray/Web UI unquarantine path. Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
1 parent 85c2e0f commit ce425f0

2 files changed

Lines changed: 11 additions & 4 deletions

File tree

internal/server/mcp.go

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -2484,7 +2484,7 @@ func (p *MCPProxyServer) handleQuarantinedToolCall(ctx context.Context, serverNa
24842484
"toolName": toolName,
24852485
"requestedArgs": args,
24862486
"message": fmt.Sprintf("🔒 SECURITY BLOCK: Server '%s' is currently in quarantine for security review. Tool calls are blocked to prevent potential Tool Poisoning Attacks (TPAs).", serverName),
2487-
"instructions": "To use tools from this server, please: 1) Review the server and its tools for malicious content, 2) Use the 'upstream_servers' tool with operation 'list_quarantined' to inspect tools, 3) Use the tray menu or 'upstream_servers' tool to remove from quarantine if verified safe",
2487+
"instructions": "To use tools from this server, please: 1) Review the server and its tools for malicious content, 2) Use the 'quarantine_security' tool with operation 'inspect_quarantined' to inspect tools, 3) Ask the user to remove the server from quarantine via the tray menu or Web UI if verified safe",
24882488
"toolAnalysis": toolAnalysis,
24892489
"securityHelp": "For security documentation, see: Tool Poisoning Attacks (TPAs) occur when malicious instructions are embedded in tool descriptions. Always verify tool descriptions for hidden commands, file access requests, or data exfiltration attempts.",
24902490
}
@@ -3967,11 +3967,11 @@ func (p *MCPProxyServer) handleAddUpstream(ctx context.Context, request mcp.Call
39673967
if quarantined {
39683968
responseMap["security_status"] = "QUARANTINED_FOR_REVIEW"
39693969
responseMap["message"] = fmt.Sprintf("🔒 SECURITY: Server '%s' has been added but is quarantined for security review. Tool calls are blocked to prevent potential Tool Poisoning Attacks (TPAs).", name)
3970-
responseMap["next_steps"] = "To use tools from this server, please: 1) Review the server and its tools for malicious content, 2) Use the 'upstream_servers' tool with operation 'list_quarantined' to inspect tools, 3) Use the tray menu or API to unquarantine if verified safe"
3970+
responseMap["next_steps"] = "To use tools from this server, please: 1) Review the server and its tools for malicious content, 2) Use the 'quarantine_security' tool with operation 'inspect_quarantined' to inspect tools, 3) Ask the user to remove the server from quarantine via the tray menu or Web UI if verified safe"
39713971
responseMap["security_help"] = "For security documentation, see: Tool Poisoning Attacks (TPAs) occur when malicious instructions are embedded in tool descriptions. Always verify tool descriptions for hidden commands, file access requests, or data exfiltration attempts."
39723972
responseMap["review_commands"] = []string{
3973-
"upstream_servers operation='list_quarantined'",
3974-
"upstream_servers operation='inspect_quarantined' name='" + name + "'",
3973+
"quarantine_security operation='list_quarantined'",
3974+
"quarantine_security operation='inspect_quarantined' name='" + name + "'",
39753975
}
39763976
responseMap["unquarantine_note"] = "IMPORTANT: Unquarantining can be done through the system tray menu, Web UI, or API endpoints for security."
39773977
} else {

internal/server/mcp_direct_callability_test.go

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,13 @@ func TestDirectToolCallabilityBlock_ServerQuarantined(t *testing.T) {
3838
assert.Equal(t, "QUARANTINED_SERVER_BLOCKED", response["status"])
3939
assert.Equal(t, "github", response["serverName"])
4040
assert.Equal(t, "list_repos", response["toolName"])
41+
42+
// The remediation must point at operations the agent can actually execute:
43+
// list_quarantined/inspect_quarantined live on quarantine_security, and
44+
// upstream_servers rejects them with "Unknown operation".
45+
instructions, _ := response["instructions"].(string)
46+
assert.Contains(t, instructions, "quarantine_security")
47+
assert.NotContains(t, instructions, "'upstream_servers' tool with operation 'list_quarantined'")
4148
}
4249

4350
func TestDirectToolCallabilityBlock_ConfigDeniedTool(t *testing.T) {

0 commit comments

Comments
 (0)