Detect active remote MCP endpoints with scheme-aware severity #45
Merged
Conversation
Closes the active-config gap I noted in the previous HTTP severity commit (4082373): `mcp_sample_remote_endpoint` fired on sample configs but the active `.mcp.json` / `.codex/config.toml` server loops weren't scrutinizing remote endpoints at all. A `serverUrl` change on an active MCP server got nothing — even though active configs are the ones actually carrying traffic, where unencrypted transport is a real-time exfiltration risk, not just a copy-paste foot-gun.

Adds two new findings, severity calibrated higher than the sample equivalents because these endpoints are live:

- `scope_trail.mcp_remote_endpoint`
  - `http://` → critical (live unencrypted MCP transport)
  - `https://` → high (any active remote endpoint warrants review)
- `scope_trail.codex_mcp_remote_endpoint`
  - Same shape for `[mcp_servers.NAME]` in `.codex/config.toml`. Supports both `serverUrl` and `server_url` (Codex uses snake_case).

Refactor: `remoteEndpoint`, `isRemoteEndpoint`, `isUnencryptedEndpoint` extracted to `mcp-risk.ts` so both detectors share one source of truth for the endpoint policy.

Severity ladder across surfaces (lowest to highest):

- sample `https://` → medium (copy-paste risk only)
- sample `http://` → high (sample silently teaches MitM)
- active `https://` → high (live remote transport, encrypted)
- active `http://` → critical (live remote transport, unencrypted)

Test coverage: dedicated regression tests in `mcp-drift.test.mjs` and `codex-mcp-drift.test.mjs` pin the http/https split for both detectors. Existing Windsurf active-drift test updated to include the new `mcp_remote_endpoint` finding on the team-registry `serverUrl` change.
Summary

Closes the active-config gap I noted in the previous HTTP-severity commit (4082373). `mcp_sample_remote_endpoint` flagged sample configs, but the active `.mcp.json` and `.codex/config.toml` server loops weren't scrutinizing remote endpoints at all — a `serverUrl` change on a live MCP server produced no finding.

Two new findings, calibrated higher than the sample equivalents because these endpoints are live:

- `scope_trail.mcp_remote_endpoint`: `https://` → high, `http://` → critical
- `scope_trail.codex_mcp_remote_endpoint`: `https://` → high, `http://` → critical

Changes

- `src/mcp-risk.ts` — Extracted `remoteEndpoint`, `isRemoteEndpoint`, `isUnencryptedEndpoint` so both detectors share one endpoint policy.
- `src/detectors/mcp.ts` — Active server loop now emits `scope_trail.mcp_remote_endpoint` when a server's `url`/`serverUrl` changes (or appears on a newly-added server). Scheme-aware severity.
- `src/detectors/codex-config.ts` — Same shape for `[mcp_servers.NAME]` in `.codex/config.toml`. Supports both `serverUrl` and `server_url` since Codex uses snake_case in TOML.
- `serverUrl` change.

Test plan

- `npm test` — 52/52 passing locally
- `npm run build` clean

🤖 Generated with Claude Code
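The shared endpoint policy and the four-rung severity ladder that the PR body and the commit message above describe, as an added example written for this page. It is not the project's `mcp-risk.ts` or its detectors: the helper names `remoteEndpoint`, `isRemoteEndpoint` and `isUnencryptedEndpoint` follow the PR text, but the `McpServer`/`Finding` shapes, `endpointScheme`, `endpointSeverity`, `detectRemoteEndpointDrift` and the sample before/after server maps are assumptions constructed for illustration. The example also handles two cases the PR does not spell out: a non-remote scheme such as `file://` and a value that is not a URL at all, both of which produce no finding.

```typescript
// Added example: a self-contained model of the endpoint policy and severity
// ladder the PR describes. It is not the project's mcp-risk.ts; the helper
// names mirror the PR text, but the config shapes, sample data and the
// detectRemoteEndpointDrift helper are assumptions made for illustration.

type Severity = "medium" | "high" | "critical";

// One MCP server entry. `serverUrl` is the .mcp.json (camelCase) spelling,
// `server_url` the .codex/config.toml (snake_case) spelling; stdio servers
// carry only a `command`. Only the keys this example reads are modelled.
interface McpServer {
  url?: string;
  serverUrl?: string;
  server_url?: string;
  command?: string;
}

interface Finding {
  id: string;
  server: string;
  endpoint: string;
  severity: Severity;
}

// Scheme of an endpoint string, lower-cased and without the trailing colon;
// undefined when the string is not a parseable URL.
function endpointScheme(endpoint: string): string | undefined {
  try {
    return new URL(endpoint).protocol.replace(/:$/, "").toLowerCase();
  } catch {
    return undefined;
  }
}

// Shared endpoint policy (assumed shape; the PR only names these helpers).
function remoteEndpoint(server: McpServer): string | undefined {
  return server.url ?? server.serverUrl ?? server.server_url;
}

function isRemoteEndpoint(endpoint: string): boolean {
  const scheme = endpointScheme(endpoint);
  return scheme === "http" || scheme === "https";
}

function isUnencryptedEndpoint(endpoint: string): boolean {
  return endpointScheme(endpoint) === "http";
}

// Severity ladder from the PR body, lowest to highest:
// sample https -> medium, sample http -> high, active https -> high,
// active http -> critical. Non-remote endpoints get no finding.
function endpointSeverity(endpoint: string, active: boolean): Severity | undefined {
  if (!isRemoteEndpoint(endpoint)) return undefined;
  const unencrypted = isUnencryptedEndpoint(endpoint);
  if (active) return unencrypted ? "critical" : "high";
  return unencrypted ? "high" : "medium";
}

// Diff two server maps (before/after an edit) and emit one finding per server
// whose remote endpoint changed or that was added with a remote endpoint.
function detectRemoteEndpointDrift(
  before: Record<string, McpServer>,
  after: Record<string, McpServer>,
  findingId: string,
  active: boolean,
): Finding[] {
  const findings: Finding[] = [];
  for (const name of Object.keys(after)) {
    const endpoint = remoteEndpoint(after[name]);
    if (endpoint === undefined) continue; // stdio server: nothing remote to review
    const previous = before[name] ? remoteEndpoint(before[name]) : undefined;
    if (previous === endpoint) continue; // unchanged endpoint: no drift
    const severity = endpointSeverity(endpoint, active);
    if (severity === undefined) continue; // e.g. file:// or a malformed value
    findings.push({ id: findingId, server: name, endpoint, severity });
  }
  return findings;
}

// Constructed sample: an active .mcp.json edit that downgrades one server to
// plain HTTP and adds a Codex-style snake_case server. Not project fixtures.
const BEFORE_ACTIVE: Record<string, McpServer> = {
  "team-registry": { serverUrl: "https://registry.example.test/mcp" },
  "local-fs": { command: "npx" },
};
const AFTER_ACTIVE: Record<string, McpServer> = {
  "team-registry": { serverUrl: "http://registry.example.test/mcp" },
  "local-fs": { command: "npx" },
  "codex-tool": { server_url: "https://tools.example.test/sse" },
};

// Runs the active-config detector over the sample: expect a critical finding
// for team-registry (https -> http) and a high one for the new codex-tool.
function demoActiveDrift(): Finding[] {
  return detectRemoteEndpointDrift(
    BEFORE_ACTIVE, AFTER_ACTIVE, "scope_trail.mcp_remote_endpoint", true,
  );
}

console.log(demoActiveDrift());
```

The `active` flag is the only thing that separates the sample and active ladders, which is the point of sharing one policy module: both detectors call the same scheme classification and differ only in the rung they map it to. Reading `url`, `serverUrl` and `server_url` through one accessor is what lets the Codex TOML detector reuse the same drift comparison without its own key handling.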