feat(registries): user-added registries + provenance/trust model + registry add-source CLI (MCP-866) #573
Merged
… merge)

Foundation layer for user-added registries. CLI add-source, server-add-time stamping/enforcement, REST/MCP surface, and docs follow in subsequent commits.

- Add registry provenance trust tags (official/trusted vs custom/unverified) to both config and registries RegistryEntry, with IsTrusted() helpers.
- DefaultRegistries are tagged official/trusted.
- SetRegistriesFromConfig recomputes provenance AUTHORITATIVELY by ID: a shipped-default ID is always official; anything user-added is custom/unverified — a user cannot self-assert trust via config.
- ServerConfig gains SourceRegistryID + SourceRegistryProvenance so a server's origin is recorded for the approval/quarantine view.
- Config validation rejects skip_quarantine for servers sourced from a custom/unverified registry (quarantine-always; no user allowlist).
- RegistriesLocked enterprise stub knob (doc + add-source rejection only).
- Tests: provenance JSON round-trip, authoritative merge recompute (incl. rejecting self-asserted trust), skip_quarantine rejection/allowance.

config + registries suites green with -race; golangci-lint 0 issues.

Refs MCP-866.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
…rcement (MCP-866)

Builds on the provenance foundation to let users add their own MCP registry sources, always tagged custom/unverified so their servers can never escape quarantine. There is no allowlist a user can add themselves into.

- `mcpproxy registry add-source <https-url> [--protocol|--id|--name]`: daemon-first CLI that adds a generic modelcontextprotocol/registry v0.1 endpoint. Writes cfg.Registries copy-on-write via UpdateConfig + persists, and rebuilds the effective catalog so the source is immediately searchable.
- Server keystone (add_from_registry): stamp SourceRegistryID/Provenance onto the derived ServerConfig from the resolved registry; a custom/unverified source forces Quarantined=true and SkipQuarantine=false regardless of the global default (CN-002 extended).
- New add-source op (add_registry_source.go): pure URL→entry derivation (https validation, id-from-host slug, v0.1 servers-url derivation) + guardrails (registries_locked, no shadowing a built-in id, no duplicate). Stable cross-surface error codes: invalid_registry_url / registries_locked / registry_shadows_builtin / duplicate_registry.
- REST POST /api/v1/registries; cliclient.AddRegistrySource; provenance + trusted surfaced in list_registries across runtime REST + MCP so a UI can show the one-time third-party-registry warning.
- Docs: docs/registries.md trust model + add-source + registries_locked stub.
- OpenAPI regenerated.

TDD: add-source derivation/validation unit tests, custom-origin quarantine-always keystone tests, and a registries integration test proving a user-added v0.1 endpoint is searchable AND tagged custom/unverified.

Local: go build ./..., config/registries/server/httpapi/cliclient/contracts/cmd suites green (-race on the pure-logic packages), binary API + MCP e2e green, golangci-lint 0 issues, approval-hash stability canary green.

Related MCP-866

Co-Authored-By: Paperclip <noreply@paperclip.ing>
Deploying mcpproxy-docs with

| Latest commit: | bd314d3 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://e25212e7.mcpproxy-docs.pages.dev |
| Branch Preview URL: | https://feat-866-user-registries-pro.mcpproxy-docs.pages.dev |
…CP-866)

CI caught the new ServerConfig fields tripping the storage field-coverage canary (TestSaveServerSyncFieldCoverage) — they were unpersisted. Persist them so a server's registry origin survives a restart; otherwise a reloaded custom-origin server would lose its provenance and the skip_quarantine guard plus the approval/quarantine view would silently stop working.

- Add SourceRegistryID + SourceRegistryProvenance to UpstreamRecord.
- Carry them through every config<->record conversion (async saveServerSync, Manager.SaveUpstreamServer, GetUpstreamServer, ListUpstreamServers, ListQuarantinedUpstreamServers).
- Extend the field-coverage canary's expectedFields; add a save->reload round-trip test (incl. via the quarantine listing).

Fixes the Unit Tests / E2E / Build Binaries CI failures on #573 (all ran go test ./... and hit the same storage canary).

storage suite green with -race; go build ./... clean; gofmt clean.

Related MCP-866

Co-Authored-By: Paperclip <noreply@paperclip.ing>
…ries (MCP-866)

Add Provenance and Trusted fields to contracts.Registry so the REST API surfaces the trust tag for each registry. Copy from the internal registry entry in handleListRegistries.

Provenance is derived authoritatively at merge time (MCP-866):

- Built-in defaults get provenance=official/trusted, trusted=true
- User-added registries get provenance=custom/unverified, trusted=false

Regenerated swagger.yaml. Test asserts a custom registry shows provenance=custom/unverified and trusted=false.

Related #573
Summary

Implements user-added MCP registries with a derived provenance/trust model under the goal MCP-856 (board-approved). Builds on the official v0.1 parser + `SetRegistriesFromConfig` merge shipped in MCP-865 (#572).

A user can now add any https endpoint that speaks the official `modelcontextprotocol/registry` v0.1 protocol (the same protocol Copilot/VS Code/Azure ship). The added source is always tagged `custom/unverified` — there is no allowlist a user can add themselves into — so every server discovered through it lands quarantined and can never skip quarantine.

What's included

Trust model (derived, not asserted)

- `provenance` on registry entries: `official/trusted` (shipped defaults) vs `custom/unverified` (anything user-added).
- `SetRegistriesFromConfig` recomputes provenance authoritatively by ID — writing `"provenance":"official/trusted"` into a custom config entry has no effect.
- `RegistryEntry.IsTrusted()` helpers (config + registries).

Quarantine-always for custom origins

- `ServerConfig` gains `source_registry_id` / `source_registry_provenance` (surfaced in the approval/quarantine view).
- `Quarantined=true` + `SkipQuarantine=false` for custom-origin servers, regardless of the global default.
- `skip_quarantine` for any custom-origin server.

`registry add-source` surfaces

- `mcpproxy registry add-source <https-url> [--protocol|--id|--name]` (daemon-first; COW `UpdateConfig` + persist).
- `POST /api/v1/registries`; `cliclient.AddRegistrySource`.
- `provenance` + `trusted` surfaced in `list_registries` (runtime REST + MCP) so a UI can show the one-time third-party-registry warning.
- `invalid_registry_url` (400), `registries_locked` (403), `registry_shadows_builtin` / `duplicate_registry` (409).

Enterprise stub: `registries_locked` config knob (doc + add-source rejection only).

Docs: `docs/registries.md` trust model + add-source + `registries_locked`. OpenAPI regenerated.

Tests (acceptance criteria from the issue)

- `skip_quarantine` is rejected/ignored for `custom/unverified` origin (config validation + keystone enforcement).
- `list_registries` / `search_servers` (MCP), REST, and CLI.

Verification

- `go build ./...`; config/registries/server/httpapi/cliclient/contracts/cmd suites green (`-race` on the pure-logic packages).
- `golangci-lint` 0 issues; gofmt clean; tool-approval-hash stability canary green.

Gates

Per spec-064: PR opened, not merged. Merge is the human's action at the pre-merge gate, after CI is green and both AI reviewers accept.
Unblocks the frontend child MCP-867 (add-registry affordance + provenance surfacing).
Related MCP-866
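
The derived-trust rule and the quarantine-always enforcement described in the summary above, as an added Go sketch (not code from this PR or from mcpproxy). The type shapes, the `shipped` map, and the registry IDs and URLs are constructed for illustration; resolving a built-in ID to its shipped entry is an assumption of this sketch, not something the PR text states.

```go
package main

import "fmt"

const (
	Official = "official/trusted"
	Custom   = "custom/unverified"
)

// Registry and Server are simplified stand-ins, not the project's types.
type Registry struct{ ID, URL, Provenance string }

type Server struct {
	Name, SourceRegistryID, SourceRegistryProvenance string
	Quarantined, SkipQuarantine                       bool
}

// shipped holds the built-in catalog; this ID and URL are constructed.
var shipped = map[string]Registry{
	"official-example": {ID: "official-example", URL: "https://official.example.test", Provenance: Official},
}

// MergeRegistries derives provenance from the ID alone. Whatever the config
// claimed is discarded, and a built-in ID resolves to the shipped entry
// (an assumption of this sketch) so its URL cannot be swapped.
func MergeRegistries(fromConfig []Registry) []Registry {
	out := make([]Registry, 0, len(fromConfig))
	for _, r := range fromConfig {
		if def, ok := shipped[r.ID]; ok {
			out = append(out, def)
			continue
		}
		r.Provenance = Custom
		out = append(out, r)
	}
	return out
}

// AddFromRegistry stamps the origin on the server and forces quarantine
// for anything that is not official, ignoring the requested skip flag.
func AddFromRegistry(name string, src Registry, skip bool) Server {
	s := Server{Name: name, SourceRegistryID: src.ID,
		SourceRegistryProvenance: src.Provenance, SkipQuarantine: skip}
	if src.Provenance != Official {
		s.Quarantined, s.SkipQuarantine = true, false
	}
	return s
}

func main() {
	regs := MergeRegistries([]Registry{{ID: "corp", URL: "https://registry.example.test", Provenance: Official}})
	fmt.Printf("%+v\n", AddFromRegistry("demo", regs[0], true))
}
```

The config entry claims `official/trusted`, yet the merged entry comes out `custom/unverified` and the derived server is quarantined with its skip flag cleared.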