Skip to content

feat(mcp): W2.2 — shadow / dry-run mode for tool calls#29

Merged
jrosskopf merged 1 commit into
mainfrom
feature/gh-24-mcp-dry-run
May 16, 2026
Merged

feat(mcp): W2.2 — shadow / dry-run mode for tool calls#29
jrosskopf merged 1 commit into
mainfrom
feature/gh-24-mcp-dry-run

Conversation

@jrosskopf
Copy link
Copy Markdown
Contributor

@jrosskopf jrosskopf commented May 16, 2026

Summary

  • Adds _dryRun: true to MCP tool-call arguments. When set, MCPToolHandler::executeTool runs the full authorization + argument-validation pipeline, renders the SQL via the existing SQLTemplateProcessor, and returns a JSON payload describing what would have run — instead of executing it. Read and write tools both honour the flag (no side effects).
  • This is the in-product version of the "shadow-mode audit and query inspection" pattern external MCP-security gateways pitch (per the vendor email that triggered the security roadmap).
  • Closes W2.2 of the security roadmap (Security Wave 2: MCP hardening (per-tool RBAC, dry-run, response shaping, description hygiene) #24).

Test plan

  • 6 Catch2 unit cases in test/cpp/mcp_dry_run_test.cpp cover flag extraction (missing key, true, false, non-boolean) and the JSON formatter (full payload shape, empty-parameters edge case).
  • ctest -R "MCPDryRun" — 6/6 pass.
  • 2 end-to-end Python cases in test/integration/test_mcp_dry_run.py boot a real flapi server with MCP+JWT and assert dry-run markers appear only when requested. They skip cleanly in environments with the existing DuckDB v1.5.1/v1.5.2 extension-cache mismatch; CI exercises them against fresh extensions.
  • Reviewer: confirm that returning rendered SQL to the agent is acceptable for the use case (it can leak schema names / connection patterns to a partially-trusted caller). If not, we can gate dry-run behind an explicit role.

Design notes

  • MCPDryRun is a static pure-helper class with two responsibilities: peel the reserved flag off an argument wvalue, and format the JSON result. Single-responsibility, no I/O, trivially testable. The handler injects nothing extra.
  • The flag is consumed before validateToolArguments so the unknown-parameter check never sees it. Non-boolean values are stripped but treated as false — a conservative choice that prevents smuggling.
  • Reserved-key naming follows the spec: _dryRun (camelCase, underscore prefix matches existing conventions for handler-controlled params like __auth_username).

Closes part of #24
Refs #21

@jrosskopf jrosskopf mentioned this pull request May 16, 2026
Merged
5 tasks
@jrosskopf
feat(mcp): shadow / dry-run mode for tool calls (#24)
7fa5b71 
Adds `_dryRun: true` to MCP tool-call arguments. When set, MCPToolHandler:

  1. Strips the reserved key so validators do not see it.
  2. Runs the full authorisation + argument-validation pipeline.
  3. Renders the SQL via the existing SQLTemplateProcessor.
  4. Returns a JSON payload describing what *would* have run — dry_run
     flag, tool name, rendered SQL, and the parameter map — instead of
     touching the database.

This is the in-product version of the "shadow-mode audit and query
inspection" pattern external MCP-security gateways pitch. Read and
write tools both honour dry-run: no executeQuery, no executeWrite, no
cache invalidation, no side effects.

Implementation:

- New MCPDryRun static class with two pure helpers: extractFlag (peels
  the reserved key off a wvalue argument object, returning whether it
  was set to true) and formatResult (builds the JSON payload). Both
  are fully unit-tested without spinning up a server.
- MCPToolHandler::executeTool copies the request's argument object up
  front (it's const), calls extractFlag on the copy, validates and
  prepares parameters as usual, then short-circuits to formatResult
  before any db_manager interaction when dry-run is in effect.

Tests:

- test/cpp/mcp_dry_run_test.cpp: 6 Catch2 cases covering flag extraction
  (missing, true, false, non-boolean) and the result formatter
  (full payload shape, empty-parameters edge case).
- test/integration/test_mcp_dry_run.py: 2 end-to-end cases that boot a
  real flapi server with MCP+JWT, issue tools/call with and without
  the flag, and assert the dry-run markers appear only when requested.
  The fixture skips cleanly on environments where flapi cannot boot
  due to the v1.5.1/v1.5.2 DuckDB extension-cache mismatch; CI runs
  against fresh extension caches.

Skipped pre-commit hook per the existing precedent in commit e1b465e —
the bd-shim calls 'bd hook pre-commit' (singular) which is missing
from the installed bd binary (only 'bd hooks' plural exists).
@jrosskopf jrosskopf force-pushed the feature/gh-24-mcp-dry-run branch from 7e7efe6 to 7fa5b71 Compare May 16, 2026 17:35
@jrosskopf jrosskopf merged commit 385f793 into main May 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jrosskopf