WIP

omgitsads · omgitsads · commit 199e62c685f4 · 2026-01-29T11:01:05.000+01:00
diff --git a/cmd/github-mcp-server/main.go b/cmd/github-mcp-server/main.go
@@ -136,7 +136,10 @@ func init() {
 	rootCmd.PersistentFlags().Bool("insiders", false, "Enable insiders features")
 	rootCmd.PersistentFlags().Duration("repo-access-cache-ttl", 5*time.Minute, "Override the repo access cache TTL (e.g. 1m, 0s to disable)")
 	rootCmd.PersistentFlags().Int("port", 8082, "HTTP server port")
-	rootCmd.PersistentFlags().String("base-url", "", "Base URL where this server is publicly accessible (for OAuth resource metadata)")
+
+	// Add port flag to http command
+	httpCmd.PersistentFlags().Int("port", 8082, "HTTP server port")
+	httpCmd.PersistentFlags().String("base-url", "", "Base URL where this server is publicly accessible (for OAuth resource metadata)")
 
 	// Bind flag to viper
 	_ = viper.BindPFlag("toolsets", rootCmd.PersistentFlags().Lookup("toolsets"))
@@ -152,8 +155,8 @@ func init() {
 	_ = viper.BindPFlag("lockdown-mode", rootCmd.PersistentFlags().Lookup("lockdown-mode"))
 	_ = viper.BindPFlag("insiders", rootCmd.PersistentFlags().Lookup("insiders"))
 	_ = viper.BindPFlag("repo-access-cache-ttl", rootCmd.PersistentFlags().Lookup("repo-access-cache-ttl"))
-	_ = viper.BindPFlag("port", rootCmd.PersistentFlags().Lookup("port"))
-	_ = viper.BindPFlag("base-url", rootCmd.PersistentFlags().Lookup("base-url"))
+	_ = viper.BindPFlag("port", httpCmd.PersistentFlags().Lookup("port"))
+	_ = viper.BindPFlag("base-url", httpCmd.PersistentFlags().Lookup("base-url"))
 
 	// Add subcommands
 	rootCmd.AddCommand(stdioCmd)
diff --git a/pkg/context/mcp_info.go b/pkg/context/mcp_info.go
@@ -0,0 +1,39 @@
+package context
+
+import "context"
+
+type mcpMethodInfoCtx string
+
+var mcpMethodInfoCtxKey mcpMethodInfoCtx = "mcpmethodinfo"
+
+// MCPMethodInfo contains pre-parsed MCP method information extracted from the JSON-RPC request.
+// This is populated early in the request lifecycle to enable:
+//   - Inventory filtering via ForMCPRequest (only register needed tools/resources/prompts)
+//   - Avoiding duplicate JSON parsing in middlewares (secret-scanning, scope-challenge)
+//   - Performance optimization for per-request server creation
+type MCPMethodInfo struct {
+	// Method is the MCP method being called (e.g., "tools/call", "tools/list", "initialize")
+	Method string
+	// ItemName is the name of the specific item being accessed (tool name, resource URI, prompt name)
+	// Only populated for call/get methods (tools/call, prompts/get, resources/read)
+	ItemName string
+	// Owner is the repository owner from tool call arguments, if present
+	Owner string
+	// Repo is the repository name from tool call arguments, if present
+	Repo string
+	// Arguments contains the raw tool arguments for tools/call requests
+	Arguments map[string]any
+}
+
+// ContextWithMCPMethodInfo stores the MCPMethodInfo in the context.
+func ContextWithMCPMethodInfo(ctx context.Context, info *MCPMethodInfo) context.Context {
+	return context.WithValue(ctx, mcpMethodInfoCtxKey, info)
+}
+
+// MCPMethod retrieves the MCPMethodInfo from the context.
+func MCPMethod(ctx context.Context) (*MCPMethodInfo, bool) {
+	if info, ok := ctx.Value(mcpMethodInfoCtxKey).(*MCPMethodInfo); ok {
+		return info, true
+	}
+	return nil, false
+}
diff --git a/pkg/context/token.go b/pkg/context/token.go
@@ -1,19 +1,30 @@
 package context
 
-import "context"
+import (
+	"context"
+
+	"github.com/github/github-mcp-server/pkg/utils"
+)
 
 // tokenCtxKey is a context key for authentication token information
-type tokenCtxKey struct{}
+type tokenCtx string
+
+var tokenCtxKey tokenCtx = "tokenctx"
+
+type TokenInfo struct {
+	Token     string
+	TokenType utils.TokenType
+}
 
 // WithTokenInfo adds TokenInfo to the context
-func WithTokenInfo(ctx context.Context, token string) context.Context {
-	return context.WithValue(ctx, tokenCtxKey{}, token)
+func WithTokenInfo(ctx context.Context, token string, tokenType utils.TokenType) context.Context {
+	return context.WithValue(ctx, tokenCtxKey, TokenInfo{Token: token, TokenType: tokenType})
 }
 
 // GetTokenInfo retrieves the authentication token from the context
-func GetTokenInfo(ctx context.Context) (string, bool) {
-	if token, ok := ctx.Value(tokenCtxKey{}).(string); ok {
-		return token, true
+func GetTokenInfo(ctx context.Context) (TokenInfo, bool) {
+	if tokenInfo, ok := ctx.Value(tokenCtxKey).(TokenInfo); ok {
+		return tokenInfo, true
 	}
-	return "", false
+	return TokenInfo{}, false
 }
diff --git a/pkg/github/dependencies.go b/pkg/github/dependencies.go
@@ -283,7 +283,11 @@ func (d *RequestDeps) GetClient(ctx context.Context) (*gogithub.Client, error) {
 	}
 
 	// extract the token from the context
-	token, _ := ghcontext.GetTokenInfo(ctx)
+	tokenInfo, ok := ghcontext.GetTokenInfo(ctx)
+	if !ok {
+		return nil, fmt.Errorf("no token info in context")
+	}
+	token := tokenInfo.Token
 
 	baseRestURL, err := d.apiHosts.BaseRESTURL(ctx)
 	if err != nil {
@@ -309,7 +313,11 @@ func (d *RequestDeps) GetGQLClient(ctx context.Context) (*githubv4.Client, error
 	}
 
 	// extract the token from the context
-	token, _ := ghcontext.GetTokenInfo(ctx)
+	tokenInfo, ok := ghcontext.GetTokenInfo(ctx)
+	if !ok {
+		return nil, fmt.Errorf("no token info in context")
+	}
+	token := tokenInfo.Token
 
 	// Construct GraphQL client
 	// We use NewEnterpriseClient unconditionally since we already parsed the API host
diff --git a/pkg/github/server.go b/pkg/github/server.go
@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"
 
+	ghcontext "github.com/github/github-mcp-server/pkg/context"
 	gherrors "github.com/github/github-mcp-server/pkg/errors"
 	"github.com/github/github-mcp-server/pkg/inventory"
 	"github.com/github/github-mcp-server/pkg/octicons"
@@ -73,10 +74,10 @@ type MCPServerConfig struct {
 
 type MCPServerOption func(*mcp.ServerOptions)
 
-func NewMCPServer(ctx context.Context, cfg *MCPServerConfig, deps ToolDependencies, inventory *inventory.Inventory) (*mcp.Server, error) {
+func NewMCPServer(ctx context.Context, cfg *MCPServerConfig, deps ToolDependencies, inv *inventory.Inventory) (*mcp.Server, error) {
 	// Create the MCP server
 	serverOpts := &mcp.ServerOptions{
-		Instructions:      inventory.Instructions(),
+		Instructions:      inv.Instructions(),
 		Logger:            cfg.Logger,
 		CompletionHandler: CompletionsHandler(deps.GetClient),
 	}
@@ -102,20 +103,25 @@ func NewMCPServer(ctx context.Context, cfg *MCPServerConfig, deps ToolDependenci
 	ghServer.AddReceivingMiddleware(addGitHubAPIErrorToContext)
 	ghServer.AddReceivingMiddleware(InjectDepsMiddleware(deps))
 
-	if unrecognized := inventory.UnrecognizedToolsets(); len(unrecognized) > 0 {
+	if unrecognized := inv.UnrecognizedToolsets(); len(unrecognized) > 0 {
 		cfg.Logger.Warn("Warning: unrecognized toolsets ignored", "toolsets", strings.Join(unrecognized, ", "))
 	}
 
+	invToUse := inv
+	if methodInfo, ok := ghcontext.MCPMethod(ctx); ok && methodInfo != nil {
+		invToUse = inv.ForMCPRequest(methodInfo.Method, methodInfo.ItemName)
+	}
+
 	// Register GitHub tools/resources/prompts from the inventory.
 	// In dynamic mode with no explicit toolsets, this is a no-op since enabledToolsets
 	// is empty - users enable toolsets at runtime via the dynamic tools below (but can
 	// enable toolsets or tools explicitly that do need registration).
-	inventory.RegisterAll(ctx, ghServer, deps)
+	invToUse.RegisterAll(ctx, ghServer, deps)
 
 	// Register dynamic toolset management tools (enable/disable) - these are separate
 	// meta-tools that control the inventory, not part of the inventory itself
 	if cfg.DynamicToolsets {
-		registerDynamicTools(ghServer, inventory, deps, cfg.Translator)
+		registerDynamicTools(ghServer, invToUse, deps, cfg.Translator)
 	}
 
 	return ghServer, nil
diff --git a/pkg/http/middleware/mcp_parse.go b/pkg/http/middleware/mcp_parse.go
@@ -0,0 +1,126 @@
+package middleware
+
+import (
+	"bytes"
+	"encoding/json"
+	"io"
+	"net/http"
+
+	ghcontext "github.com/github/github-mcp-server/pkg/context"
+)
+
+// mcpJSONRPCRequest represents the structure of an MCP JSON-RPC request.
+// We only parse the fields needed for routing and optimization.
+type mcpJSONRPCRequest struct {
+	JSONRPC string `json:"jsonrpc"`
+	Method  string `json:"method"`
+	Params  struct {
+		// For tools/call
+		Name      string          `json:"name,omitempty"`
+		Arguments json.RawMessage `json:"arguments,omitempty"`
+		// For prompts/get
+		// Name is shared with tools/call
+		// For resources/read
+		URI string `json:"uri,omitempty"`
+	} `json:"params"`
+}
+
+// WithMCPParse creates a middleware that parses MCP JSON-RPC requests early in the
+// request lifecycle and stores the parsed information in the request context.
+// This enables:
+//   - Registry filtering via ForMCPRequest (only register needed tools/resources/prompts)
+//   - Avoiding duplicate JSON parsing in downstream middlewares
+//   - Access to owner/repo for secret-scanning middleware
+//
+// The middleware reads the request body, parses it, restores the body for downstream
+// handlers, and stores the parsed MCPMethodInfo in the request context.
+func WithMCPParse() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		fn := func(w http.ResponseWriter, r *http.Request) {
+			ctx := r.Context()
+
+			// Skip health check endpoints
+			if r.URL.Path == "/_ping" {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Only parse POST requests (MCP uses JSON-RPC over POST)
+			if r.Method != http.MethodPost {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Read the request body
+			body, err := io.ReadAll(r.Body)
+			if err != nil {
+				// Log but continue - don't block requests on parse errors
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Restore the body for downstream handlers
+			r.Body = io.NopCloser(bytes.NewReader(body))
+
+			// Skip empty bodies
+			if len(body) == 0 {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Parse the JSON-RPC request
+			var mcpReq mcpJSONRPCRequest
+			err = json.Unmarshal(body, &mcpReq)
+			if err != nil {
+				// Log but continue - could be a non-MCP request or malformed JSON
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Skip if not a valid JSON-RPC 2.0 request
+			if mcpReq.JSONRPC != "2.0" || mcpReq.Method == "" {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Build the MCPMethodInfo
+			methodInfo := &ghcontext.MCPMethodInfo{
+				Method: mcpReq.Method,
+			}
+
+			// Extract item name based on method type
+
+			switch mcpReq.Method {
+			case "tools/call":
+				methodInfo.ItemName = mcpReq.Params.Name
+				// Parse arguments if present
+				if len(mcpReq.Params.Arguments) > 0 {
+					var args map[string]any
+					err := json.Unmarshal(mcpReq.Params.Arguments, &args)
+					if err == nil {
+						methodInfo.Arguments = args
+						// Extract owner and repo if present
+						if owner, ok := args["owner"].(string); ok {
+							methodInfo.Owner = owner
+						}
+						if repo, ok := args["repo"].(string); ok {
+							methodInfo.Repo = repo
+						}
+					}
+				}
+			case "prompts/get":
+				methodInfo.ItemName = mcpReq.Params.Name
+			case "resources/read":
+				methodInfo.ItemName = mcpReq.Params.URI
+			default:
+				// Whatever
+			}
+
+			// Store the parsed info in context
+			ctx = ghcontext.ContextWithMCPMethodInfo(ctx, methodInfo)
+
+			next.ServeHTTP(w, r.WithContext(ctx))
+		}
+		return http.HandlerFunc(fn)
+	}
+}
diff --git a/pkg/http/middleware/scope_challenge.go b/pkg/http/middleware/scope_challenge.go
diff --git a/pkg/http/middleware/token.go b/pkg/http/middleware/token.go
diff --git a/pkg/utils/token.go b/pkg/utils/token.go
