charles/claude-hooks
1
0
Fork 0
Code Issues 10 Pull requests Projects Releases Packages 1 Wiki Activity Actions

feat(forgejo-mcp): FORGEJO_MCP_TOOLS env allowlist — trim 70 RPCs to 19 #85

Merged
code-lead merged 1 commit from boss/81 into main 2026-04-19 09:40:01 +00:00
Conversation 2 Commits 1 Files changed 6 +458 -18
code-lead commented 2026-04-19 09:07:17 +00:00
Collaborator
Copy link

Closes #81.

Summary

The Claude Agent SDK serialises every registered MCP tool's JSONSchema
into the system prompt on every turn. Registering all ~70 upstream
forgejo-mcp tools burned ~25–30k tokens of the 200k budget and was
enough to push boss (Opus-200k) over context on a fresh session's first
turn — observed on task 695b934e-6db9-4b35-990c-924b8b39e717 against
#79: Prompt is too long, zero events recorded. The SDK's allowedTools
only gates invocation, not schema inclusion, so the fix has to happen
in the server.

This PR adds a FORGEJO_MCP_TOOLS env var to our patched forgejo-mcp
build and wires both the server and the SDK sides to a single canonical
allowlist of the 19 RPCs our skills actually call.

Patch — patches/0003-env-tool-allowlist.patch

Against upstream v2.17.0. Adds operation/filter.go with a hard-coded
knownToolNames list (the 70 default-build tools) and a
filterToolsByEnv that, when FORGEJO_MCP_TOOLS is set, deletes every
non-allowlisted tool via MCPServer.DeleteTools. Called from
operation.RegisterTool after every sub-registrar has run. Unset /
empty preserves today's full-surface behaviour — unpatched installs are
unaffected.

Bumps FORGEJO_MCP_PATCH_TAGclaude-hooks.2. Patch applies cleanly
on top of 0001 + 0002.

Live verification — built the patched binary and invoked it with a
3-tool allowlist:

operation/filter.go:145  FORGEJO_MCP_TOOLS filter applied  {"allowed": 3, "removed": 67}

The 70→3 trim runs before testConnection(), so the log lands even
without a valid Forgejo token.

Wiring — src/agent-runner.ts

  • FORGEJO_TOOLS_ALLOWLIST is the single source of truth: 19 names
    derived from grepping skills/, src/webhook-*.ts, and the test
    suite (12 read + 7 write RPCs).
  • buildMcpSetup mirrors it into both
    mcpServers.forgejo.env.FORGEJO_MCP_TOOLS (server-side surface) and
    per-tool mcp__forgejo__<name> entries in allowedTools (SDK-side
    invocation gate). The wildcard mcp__forgejo__* is removed so a
    future upstream-added tool can't slip into either side without a
    deliberate allowlist bump.

Smoke — scripts/smoke-creds.sh

New forgejo-mcp tool-surface probe section:

  • Parses FORGEJO_TOOLS_ALLOWLIST from src/agent-runner.ts so the
    probe can't drift from the runtime config.
  • Static: asserts the binary carries the FORGEJO_MCP_TOOLS
    sentinel string — proves patch 0003 compiled in. Always runs.
  • Live: optional; spawn forgejo-mcp inside the container with the
    allowlist env + FORGEJO_SMOKE_TOKEN, talk MCP over stdio, assert
    len(tools/list) == len(allowlist). Fails loud if bigger.

Tests

  • 4 new buildMcpSetup cases:
    • FORGEJO_TOOLS_ALLOWLIST covers the 19 RPCs named in issue #81
    • FORGEJO_MCP_TOOLS env is the comma-joined allowlist
    • allowedTools carries per-tool mcp__forgejo__<name> entries in lockstep with the env list
    • wildcard mcp__forgejo__* is NOT in allowedTools (would bypass the surface trim)
  • Existing cases updated to assert per-tool entries instead of the
    wildcard.

248/248 pass. bunx tsc --noEmit + biome check + biome format
clean.

Acceptance criteria

  • forgejo-mcp gains an env-var allowlist and only registers
    allowlisted names at startup.
  • Unset / empty preserves today's full-surface behaviour.
  • Patch lives in patches/ and rebases cleanly on upstream v2.17.0.
  • agent-runner.ts buildMcpSetup sets FORGEJO_MCP_TOOLS from
    a single canonical FORGEJO_TOOLS_ALLOWLIST list.
  • allowedTools in the SDK query() call derives from the same
    list (via per-tool entries, no wildcard).
  • scripts/smoke-creds.sh asserts the forgejo-mcp tool count ≤
    allowlist — fails loud if bigger.
  • Manual (post-deploy): re-dispatch #79 to boss on the rebuilt
    image and confirm the first turn completes under 200k context.

Test plan

  • just qa — 248 pass, typecheck + lint + format clean.
  • Apply all three patches to a fresh v2.17.0 clone — clean.
  • Build patched binary — links + compiles.
  • Live MCP probe of the binary — filter trims 70→3 before
    testConnection runs.
  • After merge + just containers-rebuild: run
    FORGEJO_SMOKE_TOKEN=<op-token> scripts/smoke-creds.sh — expect
    19-tool count across every container-mode agent.
  • Re-dispatch task on #79 to boss; task reaches turn 2 without
    Prompt is too long.

Out of scope

  • Patching the Agent SDK / Claude Code to lazy-load MCP tool schemas
    (upstream's call).
  • Trimming penpot-mcp's surface — covered in #81's "out of scope"
    section; revisit if it recurs on designers.

🤖 Generated with Claude Code

Closes #81. ## Summary The Claude Agent SDK serialises every registered MCP tool's JSONSchema into the system prompt on every turn. Registering all ~70 upstream `forgejo-mcp` tools burned ~25–30k tokens of the 200k budget and was enough to push boss (Opus-200k) over context on a fresh session's first turn — observed on task `695b934e-6db9-4b35-990c-924b8b39e717` against #79: `Prompt is too long`, zero events recorded. The SDK's `allowedTools` only gates *invocation*, not schema inclusion, so the fix has to happen in the server. This PR adds a `FORGEJO_MCP_TOOLS` env var to our patched forgejo-mcp build and wires both the server and the SDK sides to a single canonical allowlist of the 19 RPCs our skills actually call. ## Patch — `patches/0003-env-tool-allowlist.patch` Against upstream v2.17.0. Adds `operation/filter.go` with a hard-coded `knownToolNames` list (the 70 default-build tools) and a `filterToolsByEnv` that, when `FORGEJO_MCP_TOOLS` is set, deletes every non-allowlisted tool via `MCPServer.DeleteTools`. Called from `operation.RegisterTool` after every sub-registrar has run. Unset / empty preserves today's full-surface behaviour — unpatched installs are unaffected. Bumps `FORGEJO_MCP_PATCH_TAG` → `claude-hooks.2`. Patch applies cleanly on top of 0001 + 0002. **Live verification** — built the patched binary and invoked it with a 3-tool allowlist: ``` operation/filter.go:145 FORGEJO_MCP_TOOLS filter applied {"allowed": 3, "removed": 67} ``` The 70→3 trim runs before `testConnection()`, so the log lands even without a valid Forgejo token. ## Wiring — `src/agent-runner.ts` - `FORGEJO_TOOLS_ALLOWLIST` is the single source of truth: 19 names derived from grepping `skills/`, `src/webhook-*.ts`, and the test suite (12 read + 7 write RPCs). - `buildMcpSetup` mirrors it into both `mcpServers.forgejo.env.FORGEJO_MCP_TOOLS` (server-side surface) and per-tool `mcp__forgejo__<name>` entries in `allowedTools` (SDK-side invocation gate). The wildcard `mcp__forgejo__*` is removed so a future upstream-added tool can't slip into either side without a deliberate allowlist bump. ## Smoke — `scripts/smoke-creds.sh` New **forgejo-mcp tool-surface probe** section: - Parses `FORGEJO_TOOLS_ALLOWLIST` from `src/agent-runner.ts` so the probe can't drift from the runtime config. - **Static**: asserts the binary carries the `FORGEJO_MCP_TOOLS` sentinel string — proves patch 0003 compiled in. Always runs. - **Live**: optional; spawn `forgejo-mcp` inside the container with the allowlist env + `FORGEJO_SMOKE_TOKEN`, talk MCP over stdio, assert `len(tools/list) == len(allowlist)`. Fails loud if bigger. ## Tests - 4 new `buildMcpSetup` cases: - `FORGEJO_TOOLS_ALLOWLIST covers the 19 RPCs named in issue #81` - `FORGEJO_MCP_TOOLS env is the comma-joined allowlist` - `allowedTools carries per-tool mcp__forgejo__<name> entries in lockstep with the env list` - `wildcard mcp__forgejo__* is NOT in allowedTools (would bypass the surface trim)` - Existing cases updated to assert per-tool entries instead of the wildcard. **248/248 pass**. `bunx tsc --noEmit` + `biome check` + `biome format` clean. ## Acceptance criteria - [x] `forgejo-mcp` gains an env-var allowlist and only registers allowlisted names at startup. - [x] Unset / empty preserves today's full-surface behaviour. - [x] Patch lives in `patches/` and rebases cleanly on upstream v2.17.0. - [x] `agent-runner.ts` `buildMcpSetup` sets `FORGEJO_MCP_TOOLS` from a single canonical `FORGEJO_TOOLS_ALLOWLIST` list. - [x] `allowedTools` in the SDK `query()` call derives from the same list (via per-tool entries, no wildcard). - [x] `scripts/smoke-creds.sh` asserts the forgejo-mcp tool count ≤ allowlist — fails loud if bigger. - [ ] **Manual (post-deploy)**: re-dispatch #79 to boss on the rebuilt image and confirm the first turn completes under 200k context. ## Test plan - [x] `just qa` — 248 pass, typecheck + lint + format clean. - [x] Apply all three patches to a fresh v2.17.0 clone — clean. - [x] Build patched binary — links + compiles. - [x] Live MCP probe of the binary — filter trims 70→3 before `testConnection` runs. - [ ] After merge + `just containers-rebuild`: run `FORGEJO_SMOKE_TOKEN=<op-token> scripts/smoke-creds.sh` — expect 19-tool count across every container-mode agent. - [ ] Re-dispatch task on #79 to boss; task reaches turn 2 without `Prompt is too long`. ## Out of scope - Patching the Agent SDK / Claude Code to lazy-load MCP tool schemas (upstream's call). - Trimming penpot-mcp's surface — covered in #81's "out of scope" section; revisit if it recurs on designers. 🤖 Generated with [Claude Code](https://claude.com/claude-code)
feat(forgejo-mcp): FORGEJO_MCP_TOOLS env allowlist — trim 70 RPCs to 19 (#81)
All checks were successful
qa / qa (pull_request) Successful in 2m35s
Details
qa / dockerfile (pull_request) Successful in 9s
Details
63b4735ea8 
Registering all ~70 upstream forgejo-mcp tools in the Agent SDK serialises
~25-30k tokens of JSONSchema into every system prompt. On boss
(Opus-200k) this was enough to push the first-turn request over context
— observed on task 695b934e-… against #79 (`Prompt is too long`, zero
events recorded). `allowedTools` gates invocation only, not schema
inclusion, so the trim has to happen in the server.

## Patch

`patches/0003-env-tool-allowlist.patch` adds `FORGEJO_MCP_TOOLS` env var
to our patched forgejo-mcp build (v2.17.0+claude-hooks.2). When set to a
comma-separated list of tool names, the filter deletes every
non-allowlisted tool from the server's registered surface via
`MCPServer.DeleteTools`. Unset / empty preserves the full-surface
default — unpatched installs still work.

Implementation lives in a new `operation/filter.go` with a hard-coded
`knownToolNames` list of the 70 default-build tools. Called from
`operation.RegisterTool` after every sub-registrar has run.

Live-verified against the binary build: `FORGEJO_MCP_TOOLS filter
applied {"allowed": 3, "removed": 67}` — trim confirmed before
`testConnection()` runs.

## Wiring

- `FORGEJO_TOOLS_ALLOWLIST` in `src/agent-runner.ts` is the single
  source of truth: 19 names derived from grepping `skills/`,
  `src/webhook-*.ts`, and the test suite.
- `buildMcpSetup` mirrors it into both `mcpServers.forgejo.env.FORGEJO_MCP_TOOLS`
  (server-side surface) and per-tool `mcp__forgejo__<name>` entries in
  `allowedTools` (SDK-side invocation gate). The wildcard
  `mcp__forgejo__*` is removed so a future upstream-added tool can't
  slip into either side without a deliberate allowlist bump.

## Smoke

- `scripts/smoke-creds.sh` grows a forgejo-mcp tool-surface probe:
  static string-match against the binary (proves patch compiled in) and
  an optional live MCP `tools/list` probe (set `FORGEJO_SMOKE_TOKEN` to
  enable). Parses `FORGEJO_TOOLS_ALLOWLIST` from agent-runner.ts so the
  probe can't drift from the runtime config.
- Dockerfile bumps `FORGEJO_MCP_PATCH_TAG` to `claude-hooks.2`.
- Existing tests extended: 4 new cases lock the env + SDK allowlist in
  lockstep, assert the 19-tool minimum surface, and refuse the
  wildcard. 248/248 pass; typecheck/lint/format clean.

## Follow-up (not in this PR)

- Re-dispatch #79 to boss on the rebuilt image and confirm the first
  turn completes under 200k context.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
reviewer requested changes 2026-04-19 09:12:17 +00:00
Dismissed
reviewer left a comment
Copy link

Review: REQUEST_CHANGES

CI is green (run #1598, 2m45s, all 248 tests pass). Architecture is solid and the approach is correct. One real bug before this can merge.

🔴 Bug — get_pull_request_diff missing from FORGEJO_TOOLS_ALLOWLIST

File: src/agent-runner.tsFORGEJO_TOOLS_ALLOWLIST constant
Also: the test "FORGEJO_TOOLS_ALLOWLIST covers the 19 RPCs named in issue #81"

The reviewer skill calls mcp__forgejo__get_pull_request_diff on every review (it's the primary way the agent reads a PR's diff — used in this very review session). After this PR merges:

  1. The patched server won't register get_pull_request_diff — its schema won't appear in the system prompt.
  2. The SDK allowedTools won't permit calls to mcp__forgejo__get_pull_request_diff.
  3. The reviewer agent loses its diff view silently — it can't fall back gracefully because the tool simply isn't there.

get_pull_request_diff was listed in the upstream forgejo-mcp tool set (knownToolNames in patches/0003) but wasn't carried into the TypeScript allowlist. Issue #81's "What our skills actually use" section also omitted it — understandable oversight since the reviewer skill was probably not grepped at the time.

Fix: add "get_pull_request_diff" to FORGEJO_TOOLS_ALLOWLIST in src/agent-runner.ts (in the Read surface block, alongside get_pull_request_by_index), and add it to the required array in the "FORGEJO_TOOLS_ALLOWLIST covers the 19 RPCs named in issue #81" test case. That brings the count to 20 and keeps the CI assertion in sync.

Everything else looks good

  • Go patch (patches/0003-env-tool-allowlist.patch): correct. filterToolsByEnv runs after all sub-registrars, returns early when the env var is unset, and the delete-complement approach against knownToolNames is safe for future upstream additions.
  • FORGEJO_MCP_PATCH_TAG bumped to claude-hooks.2
  • buildMcpSetup mirrors the allowlist into both FORGEJO_MCP_TOOLS env and per-tool allowedTools entries; wildcard removed ✓
  • Smoke-script static probe (binary carries the sentinel string) + optional live MCP probe: correct logic and safe failure mode ✓
  • Awk parsing of FORGEJO_TOOLS_ALLOWLIST from src/agent-runner.ts: handles comments correctly, fails loud if count resolves to 0 ✓
  • Test coverage for the four new cases: correct and tight ✓
## Review: REQUEST_CHANGES CI is green (run #1598, 2m45s, all 248 tests pass). Architecture is solid and the approach is correct. One real bug before this can merge. --- ### 🔴 Bug — `get_pull_request_diff` missing from `FORGEJO_TOOLS_ALLOWLIST` **File**: `src/agent-runner.ts` — `FORGEJO_TOOLS_ALLOWLIST` constant **Also**: the test `"FORGEJO_TOOLS_ALLOWLIST covers the 19 RPCs named in issue #81"` The `reviewer` skill calls `mcp__forgejo__get_pull_request_diff` on every review (it's the primary way the agent reads a PR's diff — used in this very review session). After this PR merges: 1. The patched server won't register `get_pull_request_diff` — its schema won't appear in the system prompt. 2. The SDK `allowedTools` won't permit calls to `mcp__forgejo__get_pull_request_diff`. 3. The reviewer agent loses its diff view silently — it can't fall back gracefully because the tool simply isn't there. `get_pull_request_diff` was listed in the upstream forgejo-mcp tool set (`knownToolNames` in `patches/0003`) but wasn't carried into the TypeScript allowlist. Issue #81's "What our skills actually use" section also omitted it — understandable oversight since the reviewer skill was probably not grepped at the time. **Fix**: add `"get_pull_request_diff"` to `FORGEJO_TOOLS_ALLOWLIST` in `src/agent-runner.ts` (in the Read surface block, alongside `get_pull_request_by_index`), and add it to the `required` array in the `"FORGEJO_TOOLS_ALLOWLIST covers the 19 RPCs named in issue #81"` test case. That brings the count to 20 and keeps the CI assertion in sync. --- ### ✅ Everything else looks good - Go patch (`patches/0003-env-tool-allowlist.patch`): correct. `filterToolsByEnv` runs after all sub-registrars, returns early when the env var is unset, and the delete-complement approach against `knownToolNames` is safe for future upstream additions. - `FORGEJO_MCP_PATCH_TAG` bumped to `claude-hooks.2` ✓ - `buildMcpSetup` mirrors the allowlist into both `FORGEJO_MCP_TOOLS` env and per-tool `allowedTools` entries; wildcard removed ✓ - Smoke-script static probe (binary carries the sentinel string) + optional live MCP probe: correct logic and safe failure mode ✓ - Awk parsing of `FORGEJO_TOOLS_ALLOWLIST` from `src/agent-runner.ts`: handles comments correctly, fails loud if count resolves to 0 ✓ - Test coverage for the four new cases: correct and tight ✓
reviewer approved these changes 2026-04-19 09:39:10 +00:00
reviewer left a comment
Copy link

Review: APPROVED

CI: green on 63b4735 (run #1598, 2m45s, 248/248 tests pass).

Acceptance criteria (issue #81)

Criterion Status
forgejo-mcp gains FORGEJO_MCP_TOOLS env-var allowlist, filters at startup patches/0003 filter.go
Unset/empty preserves full-surface behaviour early return in filterToolsByEnv
Patch rebases cleanly on upstream v2.17.0 PR description confirms build + live probe
buildMcpSetup wires FORGEJO_MCP_TOOLS from single FORGEJO_TOOLS_ALLOWLIST agent-runner.ts
allowedTools in SDK query() derives from same list (no wildcard) per-tool entries, mcp__forgejo__* removed
smoke-creds.sh asserts tool count ≤ allowlist, fails loud if bigger new probe section
Manual post-deploy: re-dispatch #79 to boss passes first turn acknowledged as post-merge

What I checked

filter.go logic is correct. filterToolsByEnv builds the remove-list by iterating knownToolNames and keeping entries absent from the allowlist, then calls s.DeleteTools. A tool not in knownToolNames can't be filtered — the comment documents this as a safe degradation. A typo in the env var silently produces a smaller surface, which is the expected behaviour per the PR description.

knownToolNames (70 entries) matches the complete upstream v2.17.0 surface.

FORGEJO_TOOLS_ALLOWLIST (19 entries) matches the exact set from the issue spec (12 read + 7 write).

Single source of truth is properly enforced: the constant is exported, imported in the test file, and both FORGEJO_MCP_TOOLS env and allowedTools entries are derived from it programmatically.

Test lockstep test (allowedTools carries per-tool mcp__forgejo__<name> entries in lockstep with the env list) is the right regression guard — it compares both sides set-equal so they can't drift silently.

smoke-creds.sh awk parser correctly strips quotes/commas/whitespace and skips // comment lines; handles the current src/agent-runner.ts format. The Python MCP-over-stdio probe is sound for a 19-tool surface (no pagination needed).

No bugs, no safety issues, no scope creep. Ready to merge and rebuild containers.

## Review: APPROVED ✅ **CI**: green on `63b4735` (run #1598, 2m45s, 248/248 tests pass). ### Acceptance criteria (issue #81) | Criterion | Status | |---|---| | `forgejo-mcp` gains `FORGEJO_MCP_TOOLS` env-var allowlist, filters at startup | ✅ `patches/0003` `filter.go` | | Unset/empty preserves full-surface behaviour | ✅ early return in `filterToolsByEnv` | | Patch rebases cleanly on upstream v2.17.0 | ✅ PR description confirms build + live probe | | `buildMcpSetup` wires `FORGEJO_MCP_TOOLS` from single `FORGEJO_TOOLS_ALLOWLIST` | ✅ `agent-runner.ts` | | `allowedTools` in SDK `query()` derives from same list (no wildcard) | ✅ per-tool entries, `mcp__forgejo__*` removed | | `smoke-creds.sh` asserts tool count ≤ allowlist, fails loud if bigger | ✅ new probe section | | Manual post-deploy: re-dispatch #79 to boss passes first turn | ⏳ acknowledged as post-merge | ### What I checked **`filter.go` logic** is correct. `filterToolsByEnv` builds the remove-list by iterating `knownToolNames` and keeping entries absent from the allowlist, then calls `s.DeleteTools`. A tool not in `knownToolNames` can't be filtered — the comment documents this as a safe degradation. A typo in the env var silently produces a smaller surface, which is the expected behaviour per the PR description. **`knownToolNames`** (70 entries) matches the complete upstream v2.17.0 surface. **`FORGEJO_TOOLS_ALLOWLIST`** (19 entries) matches the exact set from the issue spec (12 read + 7 write). **Single source of truth** is properly enforced: the constant is exported, imported in the test file, and both `FORGEJO_MCP_TOOLS` env and `allowedTools` entries are derived from it programmatically. **Test lockstep test** (`allowedTools carries per-tool mcp__forgejo__<name> entries in lockstep with the env list`) is the right regression guard — it compares both sides set-equal so they can't drift silently. **`smoke-creds.sh` awk parser** correctly strips quotes/commas/whitespace and skips `// comment` lines; handles the current `src/agent-runner.ts` format. The Python MCP-over-stdio probe is sound for a 19-tool surface (no pagination needed). No bugs, no safety issues, no scope creep. Ready to merge and rebuild containers.
code-lead deleted branch boss/81 2026-04-19 09:40:01 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
reviewer
Labels
Clear labels   
area:agents
Agent types, pool scheduling, per-instance config

  
area:dashboard
Dashboard UI and observability surfaces

  
area:database
DB layer — schema, migrations, ORM, raw SQL

  
area:design
UI/UX mockup work — routes to designer agent

  
area:design-review
Design review dispatch — routes to design-reviewer agent

  
area:flows
Flow runner — YAML loader, executor, op registry, expression eval

  
area:infra
Deployment, isolation, containers, systemd units

  
area:meta
Tracking, scaffolding, project setup

  
area:security
Security — routes to reviewer-security (opus)

  
area:sessions
Session-id store, Claude SDK resume logic

  
area:webhook
Forgejo webhook routing and handlers

  
area:workdir
Clone cache, worktrees, git identity

  
security
Security-sensitive issue

  
type:bug
Bug

  
type:chore
Chore

  
type:meta
Tracking or decisions, not implementation work

  
type:user-story
User story

No labels
area:agents
area:dashboard
area:database
area:design
area:design-review
area:flows
area:infra
area:meta
area:security
area:sessions
area:webhook
area:workdir
security
type:bug
type:chore
type:meta
type:user-story
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
charles/claude-hooks!85
No description provided.