Model Context Protocol — Go MCP server + Laravel MCP package
Snider cdb4bdbc45 fix(mcp/brain/client): block absolute-URL bypass + apiURL scheme allowlist (MEDIUM)
requestURL() now returns (string, error) and rejects absolute or
host-bearing URLs BEFORE request construction and BEFORE Authorization
header is set. Closes the bearer-key leak vector: a path that ever
flows from upstream JSON, config, or a tool argument can no longer
spray the Bearer token at attacker-chosen URLs.

New() validates apiURL at construction:
- https://* always accepted
- http://* rejected unless CORE_BRAIN_INSECURE=true is set
  (explicit dev/test opt-in; production should always be TLS)

Cerberus #1052 from workspace-wide sniff. Today's call sites (Remember,
Recall, Forget, List) hardcode the path → safe; this closes the API
shape that invited future Call(ctx, method, untrustedPath, body)
patterns from leaking the bearer.

Tests: absolute http:// + https:// paths make zero HTTP calls, good
relative path construction works, http:// apiURL rejected by default
+ accepted with CORE_BRAIN_INSECURE=true. Existing test fixtures
converted to TLS to match the new default policy.

Co-authored-by: Codex <noreply@openai.com>
Closes tasks.lthn.sh/view.php?id=1052
2026-04-25 19:19:36 +01:00
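
A sketch of the two checks the commit message describes, as an added example and not the repository's code: the function bodies, the backslash check, and the sample hosts are assumptions; only the names `requestURL`, `apiURL` and `CORE_BRAIN_INSECURE` come from the message.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"strings"
)

// validateAPIURL (hypothetical helper): https is always accepted; http only
// when CORE_BRAIN_INSECURE=true is set, as the commit message describes.
func validateAPIURL(apiURL string) error {
	u, err := url.Parse(apiURL)
	if err != nil || u.Host == "" {
		return fmt.Errorf("apiURL %q is not an absolute URL", apiURL)
	}
	switch u.Scheme {
	case "https":
		return nil
	case "http":
		if os.Getenv("CORE_BRAIN_INSECURE") == "true" {
			return nil
		}
		return errors.New("http apiURL rejected unless CORE_BRAIN_INSECURE=true")
	}
	return fmt.Errorf("unsupported apiURL scheme %q", u.Scheme)
}

// requestURL joins a relative path onto apiURL. It must be called, and its
// error checked, before the request is built or Authorization is set.
func requestURL(apiURL, path string) (string, error) {
	if strings.Contains(path, `\`) { // some URL parsers read "\" as "/"
		return "", errors.New("backslash in path rejected")
	}
	ref, err := url.Parse(path)
	if err != nil {
		return "", fmt.Errorf("parse path: %w", err)
	}
	// Scheme catches "https://host/x"; Host catches the scheme-relative "//host/x".
	if ref.Scheme != "" || ref.Host != "" {
		return "", fmt.Errorf("absolute or host-bearing path rejected: %q", path)
	}
	return strings.TrimRight(apiURL, "/") + "/" + strings.TrimLeft(path, "/"), nil
}

func main() {
	// Constructed sample values, not taken from the project.
	fmt.Println(requestURL("https://brain.example.test/api", "https://other.example/x"))
}
```
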
.core feat: initial core/mcp — Go MCP server + PHP Laravel MCP package 2026-03-09 18:34:17 +00:00
.github/workflows docs: update CLAUDE.md for Options{} API + add CI workflow 2026-03-21 13:53:49 +00:00
cmd merge(mcp): reconcile origin AX-6 sweep + brainclient refactor with homelab migration + features 2026-04-25 16:08:35 +01:00
docs docs(security): document accepted ollama CVEs + operator runbook 2026-04-25 01:40:43 +01:00
pkg/mcp fix(mcp/brain/client): block absolute-URL bypass + apiURL scheme allowlist (MEDIUM) 2026-04-25 19:19:36 +01:00
src/php feat(mcp): add server resource listing 2026-04-02 16:47:03 +00:00
tests/cli/mcp feat(ax-10): bring mcp to v0.8.0-alpha.1 + CLI test scaffold 2026-04-24 23:35:37 +01:00
.gitattributes feat: initial core/mcp — Go MCP server + PHP Laravel MCP package 2026-03-09 18:34:17 +00:00
.gitignore docs: add implementation plans for plan CRUD and issue dispatch 2026-03-15 15:10:52 +00:00
CLAUDE.md docs: update CLAUDE.md for Options{} API + add CI workflow 2026-03-21 13:53:49 +00:00
composer.json feat: initial core/mcp — Go MCP server + PHP Laravel MCP package 2026-03-09 18:34:17 +00:00
EXCEPTIONS.md fix(mcp): resolve codex review findings — spelling, imports, tests, assertions 2026-03-22 02:14:33 +00:00
go.mod feat(ax-10): bring mcp to v0.8.0-alpha.1 + CLI test scaffold 2026-04-24 23:35:37 +01:00
go.sum refactor(mcp): migrate stdlib imports to core/go primitives + upgrade go-sdk v1.5.0 2026-04-08 22:03:52 +01:00
README.md Initial commit 2026-03-09 18:30:06 +00:00

mcp

Model Context Protocol — Go MCP server + Laravel MCP package