feat: add reusable roots enforcement utilities to MCPServer#2425
Closed
NeelakandanNC wants to merge 2 commits intomodelcontextprotocol:mainfrom
Closed
feat: add reusable roots enforcement utilities to MCPServer#2425NeelakandanNC wants to merge 2 commits intomodelcontextprotocol:mainfrom
NeelakandanNC wants to merge 2 commits intomodelcontextprotocol:mainfrom
Conversation
MCP Roots let clients declare filesystem boundaries to servers, but the SDK provides no helpers to enforce them — every server author has to write the same boundary-check logic by hand. This adds a small utility module so authors can drop in enforcement without reinventing it. - get_roots(ctx): fetch root URIs declared by the client - assert_within_roots(path, ctx): raise PermissionError if path is outside roots - within_roots_check: decorator that auto-enforces roots on path parameters Both sides of the comparison go through Path.resolve() so that platform firmlinks (e.g. macOS /tmp -> /private/tmp, /home -> /System/Volumes/Data/home) don't produce spurious denials.
- Add a test for a decorated tool that takes a non-path string parameter alongside a path parameter. Covers the previously unexercised loop-continue branch in within_roots_check when a str/Path argument is found whose name isn't `path` / `*_path`. - Replace placeholder return bodies in the "decorator denies" tests with `raise AssertionError(...) # pragma: no cover`, so the unreachable tool bodies don't drop project coverage below CI's fail_under=100 threshold while still documenting that they must not run.
Member
|
Please create an issue about it, with what you want to achieve. I don't think the proposed API is easy to use. |
Author
|
Sure, will create a issue and add proper docs to understand it and make it easier to use |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
MCP Roots let clients declare filesystem boundaries to servers, but the SDK provides no helpers to enforce them — every server author has to write the same boundary-check logic by hand. This adds a small utility module so authors can drop in enforcement without reinventing it.
Both sides of the comparison go through Path.resolve() so that platform firmlinks (e.g. macOS /tmp -> /private/tmp, /home -> /System/Volumes/Data/home) don't produce spurious denials.
Motivation and Context
I learned about MCP Roots in an advanced MCP course. When I actually tried implementing it in my own servers, I realised you have to write the same enforcement logic every single time you build a new server — the course teaches the concept but the SDK gives you no utility to actually apply it without repeating yourself.
So I built one.
How Has This Been Tested?
Breaking Changes
Types of changes
Checklist
Additional context