security: validate MCP_REGISTRY_URL and reject http:// overrides at SimpleRegistryClient

[danielmeppiel]

Follow-up to #813 (fixed in PR #810). The fix for #813 makes MCP_REGISTRY_URL honoured by all apm mcp discovery commands, but the supply-chain-security panel review identified two hardening items that should ship as a separate, security-focused change.

S1 - Validate MCP_REGISTRY_URL at construction

SimpleRegistryClient.__init__ (src/apm_cli/registry/client.py:19-21) currently accepts whatever string the env var contains. A misconfigured value (mcp.internal.example.com without scheme, file:///etc/hosts, blank string) silently flows into request URLs.

Proposal:

• Parse the override with urlparse; reject missing scheme/netloc with a clear error.
• Reject http:// by default; require an explicit MCP_REGISTRY_ALLOW_HTTP=1 opt-in for plaintext intranet registries.
• Emit an actionable error message naming the offending value and the env var.

S2 - Fail-closed on registry network errors when overridden

In RegistryIntegration.validate_servers_exist (and equivalent install pre-flights), today a network failure against a custom MCP_REGISTRY_URL falls back through error paths that may degrade to "could not reach registry, skipping validation". For default registry: acceptable. For an explicitly overridden registry: should fail-closed -- the user opted into a specific endpoint and we must not silently bypass validation.

Proposal: when MCP_REGISTRY_URL is set, registry network errors during install pre-flights are fatal (current behaviour for the default URL stays as-is or is tightened separately).

Why a separate issue

• These are behaviour changes, not bug fixes. S1 rejects URL shapes that work today; S2 changes degraded-mode semantics.
• Both warrant CEO ratification on the breaking-change angle (intranet http:// registries, fail-closed install behaviour).
• PR feat(install): add --mcp flag for declaratively adding MCP servers to apm.yml #810 ships the regression fix only; this issue tracks the hardening.

Related

• Bug: bug: apm mcp search/list/show ignore MCP_REGISTRY_URL env var #813
• Initial fix PR: feat(install): add --mcp flag for declaratively adding MCP servers to apm.yml #810

Acceptance criteria

• SimpleRegistryClient.__init__ validates URL shape; rejects schemeless and (by default) http:// overrides.
• MCP_REGISTRY_ALLOW_HTTP=1 documented as the explicit opt-in.
• Registry network errors during install pre-flights are fatal when MCP_REGISTRY_URL is set.
• Tests cover all three: invalid URL rejection, http opt-in, and fail-closed install.
• CHANGELOG entry under ### Changed (these are intentional behaviour changes).

[danielmeppiel]

Fixed in PR #810 via commit 8364cba.

Implementation:

• S1 (URL validation) -- SimpleRegistryClient.__init__ now rejects schemeless values, empty strings, and unsupported schemes with actionable errors. Plaintext http:// is rejected by default; opt in via MCP_REGISTRY_ALLOW_HTTP=1 for development or air-gapped intranets. Whitespace and trailing slashes are normalised.
• S2 (fail-closed on overrides) -- MCPServerOperations.validate_servers_exist now raises RuntimeError on registry network errors when the URL came from the caller or MCP_REGISTRY_URL. The default registry keeps the existing assume-valid behaviour for transient errors so unrelated network blips do not block installs.

Coverage: +14 tests (TestSimpleRegistryClientValidation + custom-registry network-error path). Full unit suite: 4637 passing.

Docs: mcp-servers.md gets a new 'URL validation and security' subsection; cli-commands.md and the apm-usage skill carry the matching one-liners; CHANGELOG has a new ### Security entry under [Unreleased].