Wire normalizeMcpCommand into mcp_command_mismatch detector #41
Closed
Conalh wants to merge 1 commit into
Closes the false-positive class flagged in the PolicyMesh audit: two surfaces that differ only in cosmetically neutral ways (`npx -y <pkg>` vs `npx <pkg>`, `.cmd` vs unsuffixed, flag reordering) were being reported as high-severity command mismatches.

What changed

- McpServer gains a `canonicalIdentity: string` field, computed by agent-gov-core@v0.1.2's normalizeMcpCommand from (command, args, url). Both the JSON and Codex TOML parsers populate it.
- `detectMcpCommandMismatch` now groups by `canonicalIdentity` instead of the raw joined `command` string. The human-readable command list in the finding message still uses `command` so the finding stays actionable.
- Env is deliberately omitted from `canonicalIdentity`. Env drift has its own detector (mcp_env_mismatch); including env here would have surfaced two findings for what users perceive as one issue (and broke the mcp-env-value-mismatch fixture test).

Regression test pinned

`mcp-command-neutral-flag-equivalence` fixture: root MCP runs `npx -y @modelcontextprotocol/server-github@1.2.3`, Cursor runs the same without `-y`. Before this change the audit emitted a high-severity mcp_command_mismatch finding; after it emits none.

Test 'CLI does not flag mcp_command_mismatch on neutral -y flag drift between surfaces' asserts the post-fix behavior — it fails on the pre-fix engine, passes here.

39 PolicyMesh tests pass.

Stacked on #40 (JSONC migration); merge that one first.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary

Closes the PolicyMesh audit's `mcp_command_mismatch` false-positive class. Two surfaces that differ only in cosmetically neutral ways (`npx -y <pkg>` vs `npx <pkg>`, `.cmd` suffix, flag reordering) no longer produce a high-severity finding.

What changed

- `McpServer` gains a `canonicalIdentity: string` field, computed by `agent-gov-core@v0.1.2`'s `normalizeMcpCommand` from `(command, args, url)`. Both the JSON and Codex TOML parsers populate it.
- `detectMcpCommandMismatch` groups by `canonicalIdentity` instead of the raw joined `command` string. The finding message still uses `command` so the diff stays human-readable and actionable.
- `canonicalIdentity`. Env drift is reported by `mcp_env_mismatch`; including env here would have surfaced two findings for one issue (and broke `mcp-env-value-mismatch`).

Regression test

New fixture `test/fixtures/mcp-command-neutral-flag-equivalence/` — root MCP runs `npx -y @modelcontextprotocol/server-github@1.2.3`, Cursor runs the same without `-y`. The new test `CLI does not flag mcp_command_mismatch on neutral -y flag drift between surfaces` asserts the post-fix behavior. I verified it fails on the pre-fix engine and passes here.

This locks the audit finding closed: if anyone reverts the canonical-identity grouping in `engine.ts`, CI catches it.

Stack

Stacked on #40 (JSONC migration). Merge that first; PR base will retarget to `main` automatically.

Test plan

`npm test` — 39 tests pass, including the new regression `mcp_command_mismatch` deltas

🤖 Generated with Claude Code
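
The grouping this PR describes, as an added sketch that is neither the PR's code nor agent-gov-core's `normalizeMcpCommand`: `canonicalIdentity` and `detectCommandMismatch` below are hypothetical, their rules are assumed from the description above, and the sample servers are constructed. The second sample checks the property a reviewer cares about most: neutral drift is collapsed, but a changed package version still surfaces as a mismatch.

```typescript
// Added illustration: NOT agent-gov-core's normalizeMcpCommand. Rules are assumptions
// drawn from the PR text: ignore npx -y/--yes, ignore a .cmd suffix, ignore flag order.
interface McpServer {
  surface: string;
  name: string;
  command?: string;
  args?: string[];
  url?: string;
  env?: { [key: string]: string }; // deliberately not part of the identity
}

function canonicalIdentity(s: McpServer): string {
  if (s.url) return "url:" + s.url.trim();
  const exe = (s.command || "").trim().replace(/\.cmd$/i, "");
  const args = (s.args || []).filter(function (a) {
    return !(exe === "npx" && (a === "-y" || a === "--yes"));
  });
  // Assumption: flags are self-contained tokens (-x or --k=v); positionals keep their order.
  const flags = args.filter(function (a) { return a.charAt(0) === "-"; }).sort();
  const positionals = args.filter(function (a) { return a.charAt(0) !== "-"; });
  return JSON.stringify([exe, flags, positionals]);
}

// Returns the names of servers whose surfaces disagree on canonical identity.
function detectCommandMismatch(servers: McpServer[]): string[] {
  const seen: { [name: string]: string[] } = {};
  servers.forEach(function (s) {
    const id = canonicalIdentity(s);
    const ids = seen[s.name] || (seen[s.name] = []);
    if (ids.indexOf(id) === -1) ids.push(id);
  });
  return Object.keys(seen).filter(function (n) { return seen[n].length > 1; }).sort();
}

// Constructed sample surfaces (not the PR's fixture files).
const pkg = "@modelcontextprotocol/server-github@1.2.3";
const neutralDrift: McpServer[] = [
  { surface: "root", name: "github", command: "npx", args: ["-y", pkg], env: { A: "1" } },
  { surface: "cursor", name: "github", command: "npx.cmd", args: [pkg], env: { A: "2" } },
];
const realDrift: McpServer[] = [
  { surface: "root", name: "github", command: "npx", args: ["-y", pkg] },
  { surface: "cursor", name: "github", command: "npx",
    args: ["@modelcontextprotocol/server-github@9.9.9"] }, // constructed version
];
```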