
feat: MCP gateway, response DLP, shared proxy infrastructure#34

Merged
chen-zichen merged 6 commits into main from feat/gitignore-mp4
Feb 27, 2026

Conversation


@cyyever cyyever commented Feb 27, 2026

Summary

  • MCP gateway (crust mcp-gateway): Stdio proxy for MCP servers with bidirectional inspection — inbound
    request evaluation and outbound response DLP scanning. Works with any MCP server.
  • Auto-detect mode (crust wrap): Combined proxy that inspects both MCP and ACP methods in both directions.
    Method names are disjoint — no conflict.
  • Response DLP scanning: Server responses (both result and error fields) are now scanned for leaked secrets
    before reaching the client. Catches malicious or misconfigured servers returning API keys/tokens in tool
    results or error messages.
  • Shared proxy infrastructure: Unified internal/jsonrpc/ package extracts common JSON-RPC stdio proxying,
    signal handling, and pipe inspection from the ACP-specific implementation — now shared across MCP, ACP, and
    auto-detect modes.
  • E2E tests against real MCP server: 12 end-to-end tests using @modelcontextprotocol/server-filesystem —
    including response DLP tests with files containing embedded AWS keys and GitHub tokens.

Test plan

  • go build ./... passes
  • go test -race ./... passes
  • Tested manually (describe below)

Security checklist

  • No new path traversal or glob bypass vectors
  • No secrets or credentials in code

Remove demo.tape, demo-full.tape, and demo-agent.py (obsoleted by the
new VHS-based TUI demo). Add demo-tui.tape, demo-acp.sh, and simplify
demo-attack.sh (12 requests) and demo-mock.py (2 canned responses).

All demo files use fake paths, fake credentials, and environment
variables for API keys — no privacy-sensitive data.

Extract ~750 lines of duplicated proxy infrastructure from acpwrap,
mcpgateway, and autowrap into a shared internal/jsonrpc package with
MethodConverter abstraction. Each protocol package is now a thin wrapper
(~25 lines) plus its protocol-specific converter function.

New internal/jsonrpc/ package:
- types.go: Message, ErrorResponse, LockedWriter, MethodConverter
- pipe.go: PipeInspect, PipePassthrough, SendBlockError
- proxy.go: RunProxy (unified subprocess lifecycle)
- signal_{unix,windows}.go: cross-platform signal forwarding

Bug fixes:
- Scanner buffer overflow now logged at WARN (was DEBUG)
- Signal-forwarding goroutine tracked in WaitGroup
- Tool name included in all block log messages
- Stdin pipe closed if stdout pipe creation fails
- Child stdout closed on Start() failure

Also adds mock MCP server (cmd/mock-mcp-server) and golangci-lint
exclusion for jsonrpc package name conflict with stdlib.

Net: -747 lines deleted, +2266 added → ~43% reduction in proxy code.

Add E2E tests that exercise the full proxy stack against
@modelcontextprotocol/server-filesystem — a real MCP server doing
actual file I/O. Tests verify initialize handshake, tools/list,
allowed reads/writes returning real content, and blocked .env/.ssh
access returning Crust error responses.

- 8 E2E tests in internal/mcpgateway/e2e_test.go
- Guarded with -short skip + npx availability check
- New CI job (E2E Tests) with Node.js 22 + pre-installed server
- Trimmed redundant unit tests now covered by E2E

Add docs/mcp.md with detailed MCP gateway guide — architecture diagram,
supported servers, Claude Desktop config, auto-detect mode, blocking
examples, and CLI flags.

Update README with MCP Gateway section, grouped documentation table
(Setup / Reference), and MCP column in how-it-works blocking matrix.

Close security gaps where server responses could leak secrets undetected:

- Add Engine.ScanDLP() for standalone DLP scanning of arbitrary content
- PipeInspect now scans response Result fields for DLP patterns before
  forwarding to the client (errors sent to client via fwdWriter)
- MCP gateway outbound now uses MCPMethodToToolCall (was passthrough)
- New BothMethodToToolCall combined converter for crust wrap outbound
  inspects both MCP and ACP methods in both directions
- E2E tests against real @modelcontextprotocol/server-filesystem verify
  that files with embedded AWS keys and GitHub tokens are blocked by
  response DLP even when the file path passes inbound rules

Scan JSON-RPC error field for leaked secrets alongside the existing
result field scanning. A malicious server could embed API keys in
error messages to exfiltrate them.
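
The outbound check that the last two commits describe (scan both the `result` and the `error` field of a server response, and replace a leaking response with a JSON-RPC error carrying the same id), as an added example written for this page, not code from the Crust repository. The `Message` field names, the two regex rules and the error code -32000 are this example's own assumptions; the project's real rule set and types are not shown on the PR page.

```go
package main

import (
	"encoding/json"
	"regexp"
)

// Minimal JSON-RPC 2.0 envelope (assumed names, not the Crust internal/jsonrpc types);
// encoding/json matches keys to these fields case-insensitively.
type Message struct {
	ID, Result, Error json.RawMessage
	Method            string
}

// Assumed, simplified detectors (AWS access key ID, classic GitHub PAT); the project's real DLP rules are not shown.
var dlpRules = []struct {
	name string
	re   *regexp.Regexp
}{
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"github-pat", regexp.MustCompile(`\bghp_[0-9A-Za-z]{36}\b`)},
}

// ScanDLP returns the name of the first rule matching content, or "" if clean.
func ScanDLP(content []byte) string {
	for _, r := range dlpRules {
		if r.re.Match(content) {
			return r.name
		}
	}
	return ""
}

// InspectResponse scans one outbound JSON-RPC line from the server. Both result and
// error are checked, because a server can leak through either field. It returns the
// bytes to forward to the client and whether the original response was blocked.
func InspectResponse(line []byte) ([]byte, bool) {
	var msg Message
	if err := json.Unmarshal(line, &msg); err != nil || msg.Method != "" {
		return line, false // not a response: pass through unchanged
	}
	for _, field := range [][]byte{msg.Result, msg.Error} {
		if name := ScanDLP(field); name != "" {
			// Swap in an error with the same id so the client's pending call fails cleanly.
			blocked, _ := json.Marshal(map[string]any{
				"jsonrpc": "2.0",
				"id":      msg.ID,
				"error":   map[string]any{"code": -32000, "message": "crust: response blocked by DLP rule " + name},
			})
			return blocked, true
		}
	}
	return line, false
}
```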
@chen-zichen chen-zichen merged commit 0eba957 into main Feb 27, 2026
6 checks passed
@chen-zichen chen-zichen deleted the feat/gitignore-mp4 branch February 27, 2026 12:04