[security][workflow] Fail closed on cross-host MCP profile drift and capability substitution #714

Open
opened 2026-07-14 20:16:30 -05:00 by jcwalker3 · 1 comment
Owner

Problem:
After explicitly activating mdcps-reviewer for remote dadeschools, immediate calls briefly reported the correct profile, but later capability and runtime calls silently drifted to prgs-author.

Observed behavior:

  • Requested profile: mdcps-reviewer
  • Requested remote: dadeschools
  • Intended repository: 913443/eAgenda
  • Later reported active profile: prgs-author
  • prgs-author belongs to a different host/repository context
  • gitea_resolve_task_capability used the substituted profile to manufacture an apparently allowed result
  • The guide/runtime context also returned prgs-author after an mdcps-reviewer pin
  • Acting on the result could send a mutation to the wrong host or repository
  • mdcps-reviewer authenticated as jcwalker3 although its configured/expected identity was reported as 913443

Required behavior:

  • A namespaced MCP connection must remain bound to its configured profile for its entire process/session.
  • Capability resolution must evaluate only the active profile for the requested remote.
  • Never substitute a profile from another host to satisfy a requested capability.
  • Profile, remote, identity, repository, and namespace must form one immutable mutation context.
  • Any mismatch or drift must fail closed before mutation.
  • whoami, runtime context, control-plane guide, capability resolver, and mutation tools must report consistent context.
  • If a requested task is unsupported, return a structured denial instead of locating a more privileged profile.
  • Include expected-versus-actual identity validation.
  • Audit the profile and remote used immediately before every mutation.

Acceptance criteria:

  1. Repeated calls after pinning mdcps-reviewer never report prgs-author.
  2. A dadeschools request cannot resolve through a prgs profile.
  3. Unsupported capability returns denied/unsupported without profile substitution.
  4. Identity mismatch blocks mutation.
  5. Repository/host mismatch blocks mutation.
  6. Tests reproduce the exact pin → drift → resolver sequence.
  7. All read and mutation tools use the same immutable context.
  8. Existing static-profile namespaces remain functional.

Incident linkage to include:

  • eAgenda #170 was auto-closed by merged PR #191 despite unmet acceptance criteria.
  • eAgenda #188 remains open and must retain the unfinished scope.
  • No mutations were performed because the agent correctly failed closed.
  • Note: This cross-profile issue is another control-plane authorization failure, related to #712 and #713, but it is a distinct defect.
Problem: After explicitly activating `mdcps-reviewer` for remote `dadeschools`, immediate calls briefly reported the correct profile, but later capability and runtime calls silently drifted to `prgs-author`. Observed behavior: - Requested profile: mdcps-reviewer - Requested remote: dadeschools - Intended repository: 913443/eAgenda - Later reported active profile: prgs-author - prgs-author belongs to a different host/repository context - `gitea_resolve_task_capability` used the substituted profile to manufacture an apparently allowed result - The guide/runtime context also returned prgs-author after an mdcps-reviewer pin - Acting on the result could send a mutation to the wrong host or repository - mdcps-reviewer authenticated as jcwalker3 although its configured/expected identity was reported as 913443 Required behavior: - A namespaced MCP connection must remain bound to its configured profile for its entire process/session. - Capability resolution must evaluate only the active profile for the requested remote. - Never substitute a profile from another host to satisfy a requested capability. - Profile, remote, identity, repository, and namespace must form one immutable mutation context. - Any mismatch or drift must fail closed before mutation. - `whoami`, runtime context, control-plane guide, capability resolver, and mutation tools must report consistent context. - If a requested task is unsupported, return a structured denial instead of locating a more privileged profile. - Include expected-versus-actual identity validation. - Audit the profile and remote used immediately before every mutation. Acceptance criteria: 1. Repeated calls after pinning mdcps-reviewer never report prgs-author. 2. A dadeschools request cannot resolve through a prgs profile. 3. Unsupported capability returns denied/unsupported without profile substitution. 4. Identity mismatch blocks mutation. 5. Repository/host mismatch blocks mutation. 6. Tests reproduce the exact pin → drift → resolver sequence. 7. All read and mutation tools use the same immutable context. 8. Existing static-profile namespaces remain functional. Incident linkage to include: - eAgenda #170 was auto-closed by merged PR #191 despite unmet acceptance criteria. - eAgenda #188 remains open and must retain the unfinished scope. - No mutations were performed because the agent correctly failed closed. - Note: This cross-profile issue is another control-plane authorization failure, related to #712 and #713, but it is a distinct defect.
jcwalker3 added status:in-progress and removed status:ready labels 2026-07-14 21:57:49 -05:00
Author
Owner

Issue claim heartbeat

<!-- gitea-issue-claim-heartbeat:v1 --> **Issue claim heartbeat** - kind: claim - issue: #714 - branch: fix/issue-714-session-context-immutability - phase: claimed - profile: prgs-author - pr: none - blocker: none - next_action: create worktree and begin implementation
jcwalker3 added status:pr-open and removed status:in-progress labels 2026-07-14 22:06:22 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Scaled-Tech-Consulting/Gitea-Tools#714