Wire normalizeMcpCommand into mcp_command_mismatch detector #43
Merged
Closes the false-positive class flagged in the PolicyMesh audit: two surfaces that differ only in cosmetically neutral ways (`npx -y <pkg>` vs `npx <pkg>`, `.cmd` vs unsuffixed, flag reordering) were being reported as high-severity command mismatches.

What changed

- McpServer gains a `canonicalIdentity: string` field, computed by agent-gov-core@v0.1.2's `normalizeMcpCommand` from (command, args, url). Both the JSON and Codex TOML parsers populate it.
- `detectMcpCommandMismatch` now groups by `canonicalIdentity` instead of the raw joined `command` string. The human-readable command list in the finding message still uses `command` so the finding stays actionable.
- Env is deliberately omitted from `canonicalIdentity`. Env drift has its own detector (`mcp_env_mismatch`); including env here would have surfaced two findings for what users perceive as one issue (and broke the `mcp-env-value-mismatch` fixture test).

Regression test pinned

`mcp-command-neutral-flag-equivalence` fixture: root MCP runs `npx -y @modelcontextprotocol/server-github@1.2.3`, Cursor runs the same without `-y`. Before this change the audit emitted a high-severity `mcp_command_mismatch` finding; after it emits none.

Test 'CLI does not flag mcp_command_mismatch on neutral -y flag drift between surfaces' asserts the post-fix behavior — it fails on the pre-fix engine, passes here. 39 PolicyMesh tests pass.

Stacked on #40 (JSONC migration); merge that one first.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Reopened against `main` after PR #40 merged (the original PR #41 was auto-closed when its base branch was deleted).

Wires agent-gov-core's `normalizeMcpCommand` into the cross-surface mismatch detector. Servers with the same canonical identity but different raw command strings (e.g. `npx -y foo@1.2.3` vs `npx foo@1.2.3`) no longer false-fire `mcp_command_mismatch`. Env is intentionally excluded (it has its own detector). Regression fixture pinned via `mcp-command-neutral-flag-equivalence`; verified failing on pre-fix engine, passing post-fix. Audit finding closed.

See closed PR #41 for full discussion.
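
The grouping change described in this PR, as an added JavaScript sketch that is not PolicyMesh's or agent-gov-core's code: the normalization rules, the `name`/`surface` fields, and the sample servers (including the `1.3.0` version) are assumptions constructed for illustration. It reorders only the flags that precede the first positional argument, so configs that swap flag values are still reported as drift.

```javascript
// Illustrative sketch; NOT agent-gov-core's normalizeMcpCommand.
// Assumption: only `-y`/`--yes` on npx is treated as a neutral flag.
const NEUTRAL_FLAGS = new Map([["npx", ["-y", "--yes"]]]);

function canonicalIdentity({ command, args = [], url }) {
  if (url) return JSON.stringify(["url", url]);
  const exe = command.replace(/\.cmd$/i, ""); // `.cmd` vs unsuffixed
  const neutral = NEUTRAL_FLAGS.get(exe) || [];
  // Only the run of flags before the first positional is stripped or sorted;
  // everything after it may be order-sensitive and is kept verbatim.
  let i = 0;
  while (i < args.length && args[i].startsWith("-")) i++;
  const leading = args.slice(0, i).filter((a) => !neutral.includes(a)).sort();
  return JSON.stringify([exe, leading, args.slice(i)]); // env deliberately omitted
}

// Assumption: servers are matched across surfaces by `name`.
function detectMcpCommandMismatch(servers) {
  const byName = new Map();
  for (const s of servers) {
    const groups = byName.get(s.name) || new Map();
    const id = canonicalIdentity(s);
    groups.set(id, [...(groups.get(id) || []), s]);
    byName.set(s.name, groups);
  }
  const findings = [];
  for (const [name, groups] of byName) {
    if (groups.size < 2) continue; // one canonical identity: no drift
    const commands = [...groups.values()].flat() // message keeps raw commands
      .map((s) => `${s.surface}: ${[s.command, ...(s.args || [])].join(" ")}`);
    findings.push({ rule: "mcp_command_mismatch", severity: "high", server: name, commands });
  }
  return findings;
}

// Constructed sample input (surface and server names are made up).
const PKG = "@modelcontextprotocol/server-github";
const neutralDrift = [
  { surface: "root", name: "github", command: "npx", args: ["-y", `${PKG}@1.2.3`], env: { A: "1" } },
  { surface: "cursor", name: "github", command: "npx.cmd", args: [`${PKG}@1.2.3`], env: { A: "2" } },
];
const realDrift = [
  neutralDrift[0],
  { surface: "cursor", name: "github", command: "npx", args: ["-y", `${PKG}@1.3.0`] },
];
console.log(detectMcpCommandMismatch(neutralDrift));
console.log(detectMcpCommandMismatch(realDrift));
```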