feat: enforce shadow mcp access rules

[alx-xo]

Summary

This PR wires Shadow MCP runtime enforcement to the generic Redis-backed access rules added in #2763.

The runtime path now:

• injects accesscontrol.Store into shadowmcp.Client
• evaluates matching shadow_mcp rules for the active organization/project
• supports match evidence by full URL, URL host, and server identity
• normalizes runtime evidence before matching
• applies deny-wins semantics when multiple rules match
• falls back to existing valid-toolset provenance checks when no rule matches
• fails closed when access-rule evaluation errors

This PR also removes the legacy Shadow MCP approval Redis store/files. Runtime server-identity rules now only apply after a configured MCP server was actually matched, so an identity allow rule cannot allow an unconfigured server alias.

Verification

• Runtime branch: mise run test:server ./internal/hooks ./internal/shadowmcp -run 'TestClaude_PreToolUse_DoesNotAllowUnconfiguredServerByIdentityRule|TestClaude_PreToolUse_AllowsApprovedLocalStdioServer|TestEvaluateAccessRules' -count=1 passed, 5 tests
• Top of stack: rg -n "shadow-mcp-allow|AddShadowMCPApproval|RemoveShadowMCPApproval|IsShadowMCPApproved|func CanonicalizeMatch\(" server/internal client/dashboard returned no matches
• Top of stack: mise run test:server ./internal/accesscontrol ./internal/access ./internal/risk ./internal/shadowmcp ./internal/hooks -count=1 passed, 458 tests
• Top of stack: mise run lint:server passed
• Top of stack: pnpm --dir client/dashboard type-check passed
• Top of stack: pnpm --dir client/dashboard exec vitest run src/components/access/ShadowMCPAccessContent.test.tsx passed, 3 tests
• Top of stack: git diff --check passed

Stack

• feat: add redis-backed shadow mcp access API #2763 Redis-backed Shadow MCP access API
• feat: enforce shadow mcp access rules #2771 Shadow MCP runtime enforcement
• feat: add shadow mcp request links #2796 blocked hook request-access links
• feat: add shadow mcp access rules dashboard #2831 dashboard access rules UI

https://linear.app/speakeasy/issue/AGE-2586/feat-enforce-shadow-mcp-access-rules

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
gram-docs-redirect	Ready	Preview, Comment	May 28, 2026 10:19pm

[changeset-bot]

🦋 Changeset detected

Latest commit: c234311

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
server	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[github-actions]

atlas migrate lint on server/migrations

Status	Step	Result
	1 new migration file detected	20260512194918_shadow-mcp-access-controls.sql
	ERD and visual diff generated	View Visualization
	No issues found	View Report
Read the full linting report on Atlas Cloud

[github-actions]

atlas migrate lint on server/clickhouse/migrations

Status	Step	Result
	No migration files detected
	ERD and visual diff generated	View Visualization
	No issues found	View Report
Read the full linting report on Atlas Cloud

[claude]

Claude Code Review

This repository is configured for manual code reviews. Comment @claude review to trigger a review and subscribe this PR to future pushes, or @claude review once for a one-time review.

_{Tip: disable this comment in your organization's Code Review settings.}

[linear-code]

AGE-2586

[github-actions]

Prompt-injection risk report

Corpus: 933 cases (384 malicious / 549 benign)
This PR: a06e0fdb · 2026-05-28T22:20:56Z

No main baseline artifact found yet; this comment shows the current run only.

Operational Modes

mode	status	total	TP	FP	FN	precision	recall	F1	FP-rate
L0 only	ok	933	76	0	308	1	0.1979	0.3304	0
L0 + L1 opt-in	skipped	-	-	-	-	-	-	-	-

L1 opt-in was not evaluated in this run: classifier URL is not set.

_{Generated by .github/scripts/risk-metrics-comment.py. Full source/rule breakdown and samples are in the risk-accuracy-metrics artifact.}

[speakeasybot]

🚀 Preview Environment (PR #2771)

Preview URL: https://pr-2771.dev.getgram.ai

Component	Status	Details	Updated (UTC)
✅ Database	Ready	Created and validated	2026-05-28 22:26:18.
✅ Images	Available	Container images ready	2026-05-28 22:25:36.

_{Gram Preview Bot}