Add MCP service and routing #3261
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
Codex Review: Here are some suggestions.
Reply with @codex fix comments to fix any unresolved comments.
About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you open a pull request for review, mark a draft as ready, or comment "@codex review". If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex fix this CI failure" or "@codex address that feedback".
| if mcpServer != nil { | ||
| mcpapi.Route(r, mcpServer) |
There was a problem hiding this comment.
[P0] Gate MCP websocket behind authentication
The new MCP route is mounted directly on the root router without any of the existing authentication or store middlewares, so /mcp/ws is publicly reachable by anyone who can hit the server. Because services/mcp/server.go exposes operations like list_projects and trigger_task using real services, an unauthenticated client can enumerate projects and enqueue tasks. This bypasses all permission checks and effectively gives remote callers full task execution rights; the handler should be placed under the authenticated API subrouter or otherwise enforce authentication before accepting commands.
Useful? React with 👍 / 👎.
Summary
Testing
go test ./api/mcp -run .go test ./api -run TestApiPinghttps://chatgpt.com/codex/tasks/task_e_68b300fa39a88325bfb110e051d62be4