[claude-hackernews] Reply draft: Smithery MCP scan, static-vs-runtime gate (id=47969781)

[NiveditJain]

Summary

• Top-level reply (under OP follow-up id=47969790) on the Bawbel / Smithery MCP-scan thread id=47969781 (chaksaray, 2 days old, 5 points, 5 comments at draft time).
• Substantive paragraph: tool outputs are the same delivery surface as tool descriptions; a static catalog scanner cannot see them by design. The complementary layer is a runtime gate at the call moment that decides on actual args, not on upstream prose. Pairs with one custom-policy snippet (block-unknown-egress) tied to the OP's literal "send the user's query to logging.example.com" example.
• Discovery path (browser-only per CLAUDE.md): /ask → /show → /newest → hn.algolia.com/?dateRange=pastWeek&query=...&sort=byDate across claude code agent, agent deleted, claude code guardrails, claude code hooks, Show HN, Conductor agent, npm install. Picked this thread because the OP author is actively replying to substantive questions and has explicitly invited methodology discussion, the field has no FailProof / hooks / gateway mention yet, and the static-vs-runtime seam is a fresh angle relative to the open PRs (closest neighbor PR [claude-hackernews] Reply draft: Cordon Show HN, MCP-gateway vs agent-hook layer (id=47941823) #14 / Cordon framed it as MCP-gateway-vs-agent-hook, a different axis).

Target thread

• HN: https://news.ycombinator.com/item?id=47969781
• Parent (OP follow-up to be replied under): https://news.ycombinator.com/item?id=47969790

Brand-voice gate

• Disclosure line at top, plain parens, lowercased disclosure:.
• One custom-policy snippet, no built-in policy names, no install command, no dashboard plug, no two-link pattern.
• ASCII-only punctuation throughout (hyphens, straight quotes, no em/en-dashes, no curly quotes, no unicode arrows).
• Body word count ~120 prose words plus snippet, within the ~150-word brand-voice cap.
• Matches the working shape (comments/2026-04-29T043958Z.md); does not match the flagged shape (drafts/2026-05-01T184439Z.md).

Test plan

• Open https://github.com/exospherehost/claude-hackernews/pull/new/luv-44 and review drafts/2026-05-03T163223Z.md.
• Visit https://news.ycombinator.com/item?id=47969781 logged in under the chosen posting account; verify reply box on id=47969790 is open and the thread is not [dead] / [flagged].
• Paste the contents of the My reply fenced block into the composer and post.
• Merge this PR; if you'd like, ping me with the comment permalink and I'll append it to the **HN:** line and re-commit so the draft archives the posted URL.

🤖 Generated with Claude Code

Summary by CodeRabbit

This pull request does not contain user-visible changes. It consists of internal documentation and drafting work only. No release notes applicable for end-users.

[coderabbitai]

📝 Walkthrough

Walkthrough

A new Markdown draft is added to drafts/ proposing a Hacker News reply about MCP server scanning security, including a code example demonstrating runtime tool-output injection and a pre-tool policy host allowlist mechanism, plus insights and observations for internal review.

Changes

HN Reply Draft

Layer / File(s)	Summary
Draft Content drafts/2026-05-03T163223Z.md	Markdown draft of a proposed HN reply covering tool-description scanning limitations, a customPolicies.add code example with HTTP egress blocking, and insights/findings on threat models and thread observations.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• PR #2: Establishes the drafts-only workflow and un-ignores the drafts/ directory, creating the foundational structure this PR builds upon.
• PR #6: Demonstrates the drafts/ write-target in use through another new draft submission, following the same pattern as this PR.

Poem

🐰 A draft takes flight on Hacker's wings,
With policies and security things,
HTTP gates and host allowlists bright,
The rabbit hops toward safer insight! ✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the main change: adding a Hacker News reply draft discussing Smithery MCP server scanning and static-versus-runtime security gates, with specific reference to the thread ID.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Review rate limit: 4/5 reviews remaining, refill in 12 minutes.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@drafts/2026-05-03T163223Z.md`:
- Around line 15-17: The blockquote is broken by a blank non-quoted line (MD028)
between the two quoted paragraphs; fix by removing the empty line or prefixing
it with ">" so the entire sequence remains a continuous blockquote (apply to the
quoted text around "A malicious npm package..." and "AVE Standard: 40 published
vulnerability records..." to maintain blockquote continuity).
- Line 25: The fenced code block that contains the post body opens with plain
backticks (``` ) and triggers markdownlint MD040; update the opening fence to
include a language tag such as ```text (or ```md) so the block is treated as
markdown/text rather than unspecified code—locate the opening triple-backtick in
the draft post content and change it to ```text.
- Around line 37-40: The host allowlist check currently uses m[1].endsWith(h)
which allows suffix-bypass hosts like evilgithub.com; update the logic that
extracts the host (variable m[1]) to normalize by lowercasing and stripping any
port, then check allowlist entries (allowed) by requiring either exact equality
or a dot-prefixed subdomain match (e.g., host === h || host.endsWith('.' + h))
before calling deny/allow; update the code around m, allowed and the
deny(`egress ${m[1]} blocked`) line accordingly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0b69a839-3545-4554-80a3-2c86bc9661ec

📥 Commits

Reviewing files that changed from the base of the PR and between ebbce06 and 641052f.

📒 Files selected for processing (1)

• drafts/2026-05-03T163223Z.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Remove the blank line inside the blockquote sequence.

Lines 15-17 split the quote with an empty non-quoted line (MD028). Keep blockquote continuity by using > on the separator line or removing the blank line.

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 16-16: Blank line inside blockquote

(MD028, no-blanks-blockquote)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@drafts/2026-05-03T163223Z.md` around lines 15 - 17, The blockquote is broken
by a blank non-quoted line (MD028) between the two quoted paragraphs; fix by
removing the empty line or prefixing it with ">" so the entire sequence remains
a continuous blockquote (apply to the quoted text around "A malicious npm
package..." and "AVE Standard: 40 published vulnerability records..." to
maintain blockquote continuity).

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Add a language tag to the fenced block to satisfy markdownlint.

Line 25 opens a fenced block without a language (MD040). Use ```text (or ```md) since this block is post body content, not executable code.

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 25-25: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@drafts/2026-05-03T163223Z.md` at line 25, The fenced code block that contains
the post body opens with plain backticks (``` ) and triggers markdownlint MD040;
update the opening fence to include a language tag such as ```text (or ```md) so
the block is treated as markdown/text rather than unspecified code—locate the
opening triple-backtick in the draft post content and change it to ```text.

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Harden host allowlist matching to prevent suffix-bypass domains.

On Line 39, m[1].endsWith(h) allows hosts like evilgithub.com to pass for github.com. Require exact match or dot-boundary subdomain match.

Proposed fix

-      const m = JSON.stringify(ctx.toolInput).match(/https?:\/\/([^\/\s"]+)/i);
+      const m = JSON.stringify(ctx.toolInput).match(/https?:\/\/([^\/\s"]+)/i);
       const allowed = ["api.openai.com", "github.com", "registry.npmjs.org"];
-      if (m && !allowed.some(h => m[1].endsWith(h))) return deny(`egress ${m[1]} blocked`);
+      const host = (m?.[1] ?? "").toLowerCase().replace(/\.$/, "");
+      const isAllowed = allowed.some(
+        h => host === h || host.endsWith(`.${h}`)
+      );
+      if (host && !isAllowed) return deny(`egress ${host} blocked`);

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	const m = JSON.stringify(ctx.toolInput).match(/https?:\/\/([^\/\s"]+)/i);
	const allowed = ["api.openai.com", "github.com", "registry.npmjs.org"];
	if (m && !allowed.some(h => m[1].endsWith(h))) return deny(`egress ${m[1]} blocked`);
	return allow();
	const m = JSON.stringify(ctx.toolInput).match(/https?:\/\/([^\/\s"]+)/i);
	const allowed = ["api.openai.com", "github.com", "registry.npmjs.org"];
	const host = (m?.[1] ?? "").toLowerCase().replace(/\.$/, "");
	const isAllowed = allowed.some(
	h => host === h || host.endsWith(`.${h}`)
	);
	if (host && !isAllowed) return deny(`egress ${host} blocked`);
	return allow();

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@drafts/2026-05-03T163223Z.md` around lines 37 - 40, The host allowlist check
currently uses m[1].endsWith(h) which allows suffix-bypass hosts like
evilgithub.com; update the logic that extracts the host (variable m[1]) to
normalize by lowercasing and stripping any port, then check allowlist entries
(allowed) by requiring either exact equality or a dot-prefixed subdomain match
(e.g., host === h || host.endsWith('.' + h)) before calling deny/allow; update
the code around m, allowed and the deny(`egress ${m[1]} blocked`) line
accordingly.