Summary
MCPServer.spec.readOnly is honored by in-tree tool families (kubernetes/linux) but not by federated provider tools, which are all registered as callable pass-throughs regardless. The documented "block destructive ops in prod" knob is silently partial.
Details
providers/mcp/aggregate/aggregatemcp.go:308 threads ReadOnly into the in-tree FamilyContext (honored).
providers/mcp/aggregate/provider_proxy.go:81-170 registerProviderTools registers every federated provider tool as a pass-through proxy with no cfg.ReadOnly check.
- Result: a tenant who sets
readOnly: true still gets mutating federated tools like infrastructure__provision / kro_provision exposed and callable.
Fix
In registerOneProxyTool, when cfg.ReadOnly is set, skip/hide tools whose Annotations.ReadOnlyHint is not true (or hide all federated tools in read-only mode).
Severity
Medium (safety-control bypass).
Summary
MCPServer.spec.readOnlyis honored by in-tree tool families (kubernetes/linux) but not by federated provider tools, which are all registered as callable pass-throughs regardless. The documented "block destructive ops in prod" knob is silently partial.Details
providers/mcp/aggregate/aggregatemcp.go:308threadsReadOnlyinto the in-treeFamilyContext(honored).providers/mcp/aggregate/provider_proxy.go:81-170registerProviderToolsregisters every federated provider tool as a pass-through proxy with nocfg.ReadOnlycheck.readOnly: truestill gets mutating federated tools likeinfrastructure__provision/kro_provisionexposed and callable.Fix
In
registerOneProxyTool, whencfg.ReadOnlyis set, skip/hide tools whoseAnnotations.ReadOnlyHintis not true (or hide all federated tools in read-only mode).Severity
Medium (safety-control bypass).