Skip to content

fix(mcp): bound elicitation channel, warn on sensitive fields (#2524, #2523)#2530

Merged
bug-ops merged 1 commit intomainfrom
2524-mcp-elicitation-channel
Mar 31, 2026
Merged

fix(mcp): bound elicitation channel, warn on sensitive fields (#2524, #2523)#2530
bug-ops merged 1 commit intomainfrom
2524-mcp-elicitation-channel

Conversation

@bug-ops
Copy link
Copy Markdown
Owner

@bug-ops bug-ops commented Mar 31, 2026

Summary

Depends on #2521 — contains elicitation code this PR builds on. Merge after #2521 lands.

  • Replace unbounded elicitation mpsc channel with bounded (capacity 16), auto-decline on full — prevents memory exhaustion from misbehaving MCP servers (fix(mcp): unbounded elicitation mpsc channel allows memory exhaustion #2524)
  • Warn before prompting for sensitive field names (password, token, secret, key, credential, auth, private, passphrase, pin) — phishing prevention (security(mcp): warn on sensitive field names in elicitation requests #2523)
  • New config: [mcp] elicitation_queue_capacity = 16 and [mcp] elicitation_warn_sensitive_fields = true (both optional with safe defaults)
  • Fix 3 pre-existing clippy warnings in CLI elicitation prompt builder (match-to-if-let, uninlined format args)
  • Add unit tests: is_sensitive_field, bounded-channel overflow

Test plan

  • 6990/6990 tests pass
  • cargo clippy --workspace --all-targets -- -D warnings — clean
  • cargo +nightly fmt --check — clean

Closes #2524, closes #2523

@github-actions github-actions bot added documentation Improvements or additions to documentation channels zeph-channels crate (Telegram) rust Rust code changes core zeph-core crate bug Something isn't working size/XL Extra large PR (500+ lines) labels Mar 31, 2026
@bug-ops
fix(mcp): bound elicitation channel, warn on sensitive fields (#2524, #…
aeb178c 
…2523)

Replace the unbounded elicitation mpsc channel in McpManager with a bounded
channel (default capacity 16). Requests arriving when the queue is full are
auto-declined with a warning log, preventing memory exhaustion from misbehaving
or malicious MCP servers. Capacity is configurable via:

    [mcp]
    elicitation_queue_capacity = 16  # default

Add sensitive-field detection to the elicitation handler. Before prompting,
field names are matched case-insensitively against a list of sensitive patterns
(password, token, secret, key, credential, auth, private, passphrase, pin).
If any match, a warning is shown with the server name and field name so the
user can make an informed trust decision. Configurable via:

    [mcp]
    elicitation_warn_sensitive_fields = true  # default

Also fix three pre-existing clippy warnings in the elicitation CLI prompt
builder (match-to-if-let, uninlined format args) and a stale test assertion.

Closes #2524, closes #2523
@bug-ops bug-ops force-pushed the 2524-mcp-elicitation-channel branch from 24021f1 to aeb178c Compare March 31, 2026 12:56
@github-actions github-actions bot added size/L Large PR (201-500 lines) and removed channels zeph-channels crate (Telegram) size/XL Extra large PR (500+ lines) labels Mar 31, 2026
@bug-ops bug-ops enabled auto-merge (squash) March 31, 2026 12:59
@bug-ops bug-ops merged commit 715ff60 into main Mar 31, 2026
27 checks passed
@bug-ops bug-ops deleted the 2524-mcp-elicitation-channel branch March 31, 2026 13:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug Something isn't working core zeph-core crate documentation Improvements or additions to documentation rust Rust code changes size/L Large PR (201-500 lines)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

fix(mcp): unbounded elicitation mpsc channel allows memory exhaustion security(mcp): warn on sensitive field names in elicitation requests

1 participant

@bug-ops