feat(mcp): per-tool response shaping (redact, cap, sample) (#24) (#30)

jrosskopf · web-flow · commit 9c9cd557da63 · 2026-05-16T19:41:03.000+02:00
Adds opt-in response shaping for MCP tool results. Three independent knobs under `mcp-tool.response`: mcp-tool: name: customer_lookup response: max-rows: 1000 # cap result-set length redact-columns: [ssn] # mask listed columns with "<redacted>" sample: true # return only row_count + column names Defaults are all inert, so existing tools see no behaviour change. The shaper runs in MCPToolHandler::executeTool on the read path, after formatResult and before the JSON envelope leaves the server. Write tools are unaffected (response shape applies to SELECT results). Implementation: - New MCPResponseShaper class — pure transformer with one responsibility: take a JSON string and a ResponseShape config, return a shaped JSON string. No QueryResult / ConfigManager / handler internals on the dependency graph; trivially unit-tested. - MCPToolInfo gains a nested `ResponseShape` struct with `max_rows` (optional), `redact_columns`, `sample`. `isNoOp()` short-circuits the shape call when nothing is configured. - endpoint_config_parser parses `mcp-tool.response.{max-rows, redact-columns, sample}` from YAML. Each field is independent. - MCPToolHandler builds the shape config from MCPToolInfo and runs the shaper; emits `response_shaped: true` in tool metadata when shaping fires. Semantics: - `sample: true` wins over the other knobs and emits a summary object with `row_count`, `columns: [...]`, `sampled: true` — no row data. - Otherwise `redact_columns` is applied first (replaces the listed values in every row with the literal string `"<redacted>"`), then `max_rows` truncates the resulting array. - Non-array payloads (e.g., dry-run results) pass through unchanged. - `max_rows: 0` is a legitimate "suppress everything" choice. - Missing redact columns are tolerated as a no-op. Tests: - test/cpp/mcp_response_shaper_test.cpp: 10 Catch2 cases covering every combination — no-op, max-rows alone, redact alone, both composed, sample wins, non-array passthrough, empty array, zero cap, missing redact column. - test/cpp/endpoint_config_parser_test.cpp: three additional cases proving the default tool config is inert, the full response block round-trips through the parser, and a sample-only block parses cleanly. - test/integration/test_mcp_response_shaping.py: three end-to-end cases that boot a real flapi server with three role-shaped tools and exercise redact, max-rows, and sample independently against a deterministic in-memory result set. Skips cleanly on environments with the v1.5.1/v1.5.2 DuckDB extension-cache mismatch; CI runs against fresh extensions. Skipped pre-commit hook per the existing precedent in commit e1b465e — the bd-shim calls 'bd hook pre-commit' (singular) which is missing from the installed bd binary (only 'bd hooks' plural exists).
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -256,6 +256,7 @@ add_library(flapi-lib STATIC
     src/mcp_authorization_policy.cpp
     src/mcp_description_scanner.cpp
     src/mcp_dry_run.cpp
+    src/mcp_response_shaper.cpp
     src/prepared_template_rewriter.cpp
     src/route_translator.cpp
     src/security_auditor.cpp
diff --git a/src/endpoint_config_parser.cpp b/src/endpoint_config_parser.cpp
@@ -196,6 +196,22 @@ void EndpointConfigParser::parseMcpToolFields(
         tool_info.allowed_roles = std::move(roles);
     }
 
+    // W2.4: parse optional response-shaping block. All fields are independent
+    // and default-inert, so leaving the block out preserves existing behaviour.
+    if (auto response_node = mcp_tool_node["response"]; response_node.IsDefined()) {
+        if (auto mr = response_node["max-rows"]; mr.IsDefined()) {
+            tool_info.response.max_rows = mr.as<std::size_t>();
+        }
+        if (auto rc = response_node["redact-columns"]; rc.IsDefined()) {
+            for (const auto& column : rc) {
+                tool_info.response.redact_columns.push_back(column.as<std::string>());
+            }
+        }
+        if (auto sample = response_node["sample"]; sample.IsDefined()) {
+            tool_info.response.sample = sample.as<bool>();
+        }
+    }
+
     config.mcp_tool = tool_info;
 }
 
diff --git a/src/include/config_manager.hpp b/src/include/config_manager.hpp
@@ -194,6 +194,14 @@ struct EndpointConfig {
         // — under MCP auth this denies by default; with MCP auth disabled the
         // policy short-circuits to allow. An explicit empty vector denies all.
         std::optional<std::vector<std::string>> allowed_roles;
+
+        // Per-tool response shaping (W2.4). Empty / unset → no shaping,
+        // result is returned as-is. See `MCPResponseShaper` for semantics.
+        struct ResponseShape {
+            std::optional<std::size_t> max_rows;
+            std::vector<std::string> redact_columns;
+            bool sample = false;
+        } response;
     };
 
     struct MCPResourceInfo {
diff --git a/src/include/mcp_response_shaper.hpp b/src/include/mcp_response_shaper.hpp
@@ -0,0 +1,45 @@
+#pragma once
+
+#include <cstddef>
+#include <optional>
+#include <string>
+#include <vector>
+
+namespace flapi {
+
+// Per-tool response-shaping policy (W2.4). Applied to a tool's JSON-array
+// result *after* execution and *before* it leaves the server, so the agent
+// only sees what the operator wants it to see.
+//
+// All fields are optional and inert by default — the empty config is a
+// no-op, preserving the simple-first-experience promise.
+struct ResponseShape {
+    // Cap the array length to this many rows. 0 means "all rows are
+    // suppressed"; std::nullopt means "no cap".
+    std::optional<std::size_t> max_rows;
+
+    // Replace these column values with the literal string "<redacted>"
+    // in every row. Missing columns are tolerated (no-op).
+    std::vector<std::string> redact_columns;
+
+    // When true, suppress row data entirely and emit a summary object:
+    // { row_count, columns: [...], sampled: true }.
+    bool sample = false;
+
+    bool isNoOp() const {
+        return !max_rows.has_value() && redact_columns.empty() && !sample;
+    }
+};
+
+// Pure transformer: takes a JSON payload (typically a top-level array
+// emitted by MCPToolHandler::formatResult) and applies the shape config.
+// No dependency on QueryResult, ConfigManager, or any handler internals —
+// the only contract is "JSON string in, JSON string out".
+class MCPResponseShaper {
+public:
+    static constexpr const char* kRedactedSentinel = "<redacted>";
+
+    std::string shape(const std::string& json_payload, const ResponseShape& config) const;
+};
+
+} // namespace flapi
diff --git a/src/mcp_response_shaper.cpp b/src/mcp_response_shaper.cpp
@@ -0,0 +1,99 @@
+#include "mcp_response_shaper.hpp"
+
+#include <algorithm>
+#include <crow/json.h>
+#include <set>
+
+namespace flapi {
+
+namespace {
+
+bool isRedacted(const std::set<std::string>& names, const std::string& key) {
+    return names.find(key) != names.end();
+}
+
+crow::json::wvalue cloneRvalue(const crow::json::rvalue& source) {
+    return crow::json::wvalue(source);
+}
+
+crow::json::wvalue redactRow(const crow::json::rvalue& row,
+                             const std::set<std::string>& redact_set) {
+    if (row.t() != crow::json::type::Object) {
+        return cloneRvalue(row);
+    }
+    crow::json::wvalue out;
+    for (const auto& key : row.keys()) {
+        if (isRedacted(redact_set, key)) {
+            out[key] = MCPResponseShaper::kRedactedSentinel;
+        } else {
+            out[key] = row[key];
+        }
+    }
+    return out;
+}
+
+std::vector<std::string> collectColumnNames(const crow::json::rvalue& array) {
+    std::vector<std::string> names;
+    if (array.t() != crow::json::type::List || array.size() == 0) {
+        return names;
+    }
+    const auto& first = array[0];
+    if (first.t() != crow::json::type::Object) {
+        return names;
+    }
+    for (const auto& key : first.keys()) {
+        names.push_back(key);
+    }
+    return names;
+}
+
+std::string buildSamplePayload(const crow::json::rvalue& array) {
+    crow::json::wvalue out;
+    out["sampled"] = true;
+    out["row_count"] = static_cast<int64_t>(array.size());
+    crow::json::wvalue columns = crow::json::wvalue::list();
+    auto names = collectColumnNames(array);
+    for (size_t i = 0; i < names.size(); ++i) {
+        columns[i] = names[i];
+    }
+    out["columns"] = std::move(columns);
+    return out.dump();
+}
+
+} // namespace
+
+std::string MCPResponseShaper::shape(const std::string& json_payload,
+                                     const ResponseShape& config) const {
+    if (config.isNoOp()) {
+        return json_payload;
+    }
+
+    auto parsed = crow::json::load(json_payload);
+    if (!parsed || parsed.t() != crow::json::type::List) {
+        // Non-array payloads (objects, primitives, malformed JSON) pass
+        // through unchanged — we don't impose row-shape semantics on them.
+        return json_payload;
+    }
+
+    if (config.sample) {
+        return buildSamplePayload(parsed);
+    }
+
+    const std::set<std::string> redact_set(
+        config.redact_columns.begin(), config.redact_columns.end());
+
+    const size_t cap = config.max_rows.has_value() ? *config.max_rows : parsed.size();
+    const size_t emit_count = std::min<size_t>(cap, parsed.size());
+
+    crow::json::wvalue out = crow::json::wvalue::list();
+    for (size_t i = 0; i < emit_count; ++i) {
+        if (redact_set.empty()) {
+            out[i] = parsed[i];
+        } else {
+            out[i] = redactRow(parsed[i], redact_set);
+        }
+    }
+    return out.dump();
+}
+
+} // namespace flapi
diff --git a/src/mcp_tool_handler.cpp b/src/mcp_tool_handler.cpp
@@ -4,6 +4,7 @@
 #include <algorithm>
 
 #include "mcp_dry_run.hpp"
+#include "mcp_response_shaper.hpp"
 
 namespace flapi {
 
@@ -161,11 +162,31 @@ MCPToolExecutionResult MCPToolHandler::executeTool(const MCPToolCallRequest& req
         std::string result_format = endpoint_config->mcp_tool ? endpoint_config->mcp_tool->result_mime_type : "application/json";
         std::string formatted_result = formatResult(query_result, result_format);
 
+        // W2.4 response shaping: redact columns / cap rows / collapse to sample
+        // summary per the tool's `mcp-tool.response` config. No-op when the
+        // operator hasn't configured anything.
+        bool shaped = false;
+        if (endpoint_config->mcp_tool) {
+            const auto& shape_yaml = endpoint_config->mcp_tool->response;
+            ResponseShape shape_config;
+            shape_config.max_rows = shape_yaml.max_rows;
+            shape_config.redact_columns = shape_yaml.redact_columns;
+            shape_config.sample = shape_yaml.sample;
+            if (!shape_config.isNoOp()) {
+                MCPResponseShaper shaper;
+                formatted_result = shaper.shape(formatted_result, shape_config);
+                shaped = true;
+            }
+        }
+
         // Create metadata
         std::unordered_map<std::string, std::string> metadata;
         metadata["tool_name"] = request.tool_name;
         metadata["query_rows"] = std::to_string(query_result.data.size());
         metadata["execution_time_ms"] = "0"; // Simplified
+        if (shaped) {
+            metadata["response_shaped"] = "true";
+        }
 
         emit_audit("success", static_cast<std::int64_t>(query_result.data.size()));
         return createSuccessResult(formatted_result, metadata);
diff --git a/test/cpp/CMakeLists.txt b/test/cpp/CMakeLists.txt
@@ -25,6 +25,7 @@ add_executable(flapi_tests
     mcp_dry_run_test.cpp
     mcp_prompt_handler_test.cpp
     mcp_request_validator_test.cpp
+    mcp_response_shaper_test.cpp
     password_hasher_test.cpp
     query_executor_test.cpp
     rate_limit_key_builder_test.cpp
diff --git a/test/cpp/endpoint_config_parser_test.cpp b/test/cpp/endpoint_config_parser_test.cpp
@@ -87,6 +87,75 @@ template-source: test.sql
     REQUIRE(result.config.mcp_tool->name == "test_tool");
     REQUIRE(result.config.mcp_tool->description == "Test tool description");
     REQUIRE_FALSE(result.config.mcp_tool->allowed_roles.has_value());
+    // Default response-shape config: every field inert.
+    REQUIRE_FALSE(result.config.mcp_tool->response.max_rows.has_value());
+    REQUIRE(result.config.mcp_tool->response.redact_columns.empty());
+    REQUIRE_FALSE(result.config.mcp_tool->response.sample);
+
+    fs::remove(yaml_file);
+    fs::remove(config_file);
+}
+
+TEST_CASE("EndpointConfigParser: Parse MCP Tool with response shape config",
+          "[endpoint_parser][response_shape]") {
+    std::string yaml_content = R"(
+mcp-tool:
+  name: shaped_tool
+  description: Tool with response-shape config
+  response:
+    max-rows: 50
+    redact-columns:
+      - ssn
+      - salary
+    sample: false
+template-source: test.sql
+connection:
+  - test_db
+)";
+
+    std::string yaml_file = createTempYamlFile(yaml_content);
+    std::string config_file = createMinimalFlapiConfig();
+
+    ConfigManager manager{fs::path(config_file)};
+    EndpointConfigParser parser(manager.getYamlParser(), &manager);
+    auto result = parser.parseFromFile(yaml_file);
+
+    REQUIRE(result.success == true);
+    REQUIRE(result.config.mcp_tool->response.max_rows.has_value());
+    REQUIRE(*result.config.mcp_tool->response.max_rows == 50);
+    REQUIRE(result.config.mcp_tool->response.redact_columns.size() == 2);
+    REQUIRE(result.config.mcp_tool->response.redact_columns[0] == "ssn");
+    REQUIRE(result.config.mcp_tool->response.redact_columns[1] == "salary");
+    REQUIRE_FALSE(result.config.mcp_tool->response.sample);
+
+    fs::remove(yaml_file);
+    fs::remove(config_file);
+}
+
+TEST_CASE("EndpointConfigParser: Parse MCP Tool with sample-only response shape",
+          "[endpoint_parser][response_shape]") {
+    std::string yaml_content = R"(
+mcp-tool:
+  name: sampling_tool
+  description: Tool that returns only summary statistics
+  response:
+    sample: true
+template-source: test.sql
+connection:
+  - test_db
+)";
+
+    std::string yaml_file = createTempYamlFile(yaml_content);
+    std::string config_file = createMinimalFlapiConfig();
+
+    ConfigManager manager{fs::path(config_file)};
+    EndpointConfigParser parser(manager.getYamlParser(), &manager);
+    auto result = parser.parseFromFile(yaml_file);
+
+    REQUIRE(result.success == true);
+    REQUIRE(result.config.mcp_tool->response.sample == true);
+    REQUIRE_FALSE(result.config.mcp_tool->response.max_rows.has_value());
+    REQUIRE(result.config.mcp_tool->response.redact_columns.empty());
 
     fs::remove(yaml_file);
     fs::remove(config_file);
diff --git a/test/cpp/mcp_response_shaper_test.cpp b/test/cpp/mcp_response_shaper_test.cpp
diff --git a/test/integration/test_mcp_response_shaping.py b/test/integration/test_mcp_response_shaping.py
