Support --allowed-rules filtering with MCP server

[Copilot]

✅ MCP Server --allowed-rules Support Implementation Complete

Problem: The MCP server does not honor the --allowed-rules filter that is available in other CLI commands.

Root Cause:

• The MCP server creates its own config copies using defaultConfig := *config but doesn't apply the global allowedRules variable
• MCP server tools don't accept allowed_rules as a parameter
• The server uses newOpaWithConfig() which doesn't inherit the global flag settings

Implementation Plan:

• Analyze current codebase and understand the issue
• Confirm tests pass and project builds successfully
• Add allowed_rules parameter to MCP server tool definitions
• Update MCP server tool handlers to parse and apply the allowed_rules parameter
• Apply global allowedRules setting to MCP server's default config
• Test CLI behavior to confirm baseline functionality
• Add comprehensive tests for MCP server functionality
• Verify implementation with multiple test scenarios
• Fix linting issues (gofmt and testifylint)
• Fix global --allowed-rules flag inheritance bug

Technical Changes Implemented:

1. ✅ Added allowed_rules string array parameter to all MCP tool definitions using mcp.WithArray() and mcp.WithStringItems()
2. ✅ Modified all tool handlers to parse allowed_rules parameter using request.GetStringSlice()
3. ✅ Applied global allowedRules to the default config in startMCPServer()
4. ✅ Created request-specific OPA clients when allowed_rules parameter is provided
5. ✅ Ensured consistent behavior between CLI and MCP server
6. ✅ Added comprehensive test coverage for the new functionality
7. ✅ Fixed code formatting and lint violations
8. ✅ Fixed bug where global --allowed-rules flag was not inherited by MCP handlers

Files Modified:

• cmd/mcp_server.go - Added parameter definitions, handler logic, and fixed global flag inheritance
• cmd/handle_analyze_manifest_test.go - Added test coverage and fixed lint issues

Bug Fix Details:
The original implementation had a critical bug where MCP server handlers used requestConfig := *config instead of the mcpDefaultConfig that had global allowedRules applied. This meant that when users ran poutine mcp-server --allowed-rules injection, the global setting was ignored. The fix ensures all handlers inherit the global configuration properly.

Validation Results:

• ✅ Project builds successfully
• ✅ All existing tests pass (no regressions)
• ✅ CLI --allowed-rules filtering works correctly (baseline confirmed)
• ✅ New MCP server tests demonstrate filtering functionality:
  • Without filter: Multiple findings detected
  • With injection filter: Only matching findings returned
  • With non-existent rule filter: No findings returned
• ✅ Both global flag and per-request parameter approaches work correctly
• ✅ Code passes all linting checks (gofmt and testifylint)
• ✅ Global flag inheritance verified with dedicated test

Impact:
The MCP server now fully supports --allowed-rules filtering at both:

1. Global level: poutine mcp-server --allowed-rules injection applies to all requests
2. Request level: Each tool call can specify "allowed_rules": ["injection"] for per-request filtering

This provides consistent behavior between the CLI and MCP server interfaces.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Support --allowed-rules filtering with MCP server</issue_title>
<issue_description>The MCP server does not honor the --allowed-rules filter</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #357

---

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

[fproulx-boostsecurity]

@copilot We got some linting issues

  Error: cmd/handle_analyze_manifest_test.go:343:1: File is not properly formatted (gofmt)
  		
  ^
  Error: cmd/mcp_server.go:516:1: File is not properly formatted (gofmt)
  		
  ^
  Error: cmd/handle_analyze_manifest_test.go:414:3: empty: use assert.Empty (testifylint)
  		assert.Len(t, insights.Findings, 0, "Should have no findings with non-existent rule filter")
  		^
  Error: cmd/handle_analyze_manifest_test.go:415:3: empty: use assert.Empty (testifylint)
  		assert.Len(t, insights.Rules, 0, "Should have no rules with non-existent rule filter")
  		^
  4 issues:
  * gofmt: 2
  * testifylint: 2
  
  Error: issues found
  Ran golangci-lint in 39504ms

[Copilot]

@copilot We got some linting issues

  Error: cmd/handle_analyze_manifest_test.go:343:1: File is not properly formatted (gofmt)

...

Fixed all linting issues in commit ac6de7b:

• gofmt: Removed trailing whitespace from cmd/handle_analyze_manifest_test.go and cmd/mcp_server.go
• testifylint: Replaced assert.Len(t, ..., 0, ...) with assert.Empty(t, ...) for better assertions

All tests continue to pass and the build is successful.

[SUSTAPLE117]

LGTM

[fproulx-boostsecurity]

@copilot I tested it with an MCP client, basically a coding agent that support MCP server and it appears that even though I configured it with --allowed-ruled injection it returned more findings

[Copilot]

@copilot I tested it with an MCP client, basically a coding agent that support MCP server and it appears that even though I configured it with --allowed-ruled injection it returned more findings

Fixed the bug in commit 59526f7. The issue was that MCP server handlers were using the global config instead of the mcpDefaultConfig that had the global --allowed-rules applied.

The handlers now properly inherit the global --allowed-rules setting. When you run poutine mcp-server --allowed-rules injection, all MCP requests will be filtered to only show injection findings unless overridden by per-request allowed_rules parameters.

Added a comprehensive test that verifies global allowed rules are properly inherited by the MCP server.

test