fix(addie): grade_agent_signing auto-skips capability-profile mismatches#3452
Merged
Conversation
After the wrapper started running grades end-to-end (#3424), Addie's first prod demo against /mcp-strict reported "31 pass / 2 fail" — and diagnosed the 2 fails as real verifier bugs. They aren't: vectors 007 and 018 test required-mode and forbidden-mode content-digest enforcement respectively, but /mcp-strict declares covers_content_digest: 'either', so neither vector applies. The in-process gradeRequestSigning() has an `agentCapability` option that auto-skips these as capability_profile_mismatch; the CLI surface doesn't expose it. This wrapper now does the equivalent CLI-side: - Anonymously probes get_adcp_capabilities for request_signing.covers_content_digest. - Maps the declared mode → vectors that don't apply (007 when 'either' or 'forbidden', 018 when 'either' or 'required'). - Passes --skip <ids> to the CLI for the matching vectors. - Caller can short-circuit with content_digest_mode for auth-gated routes where the anonymous probe fails. Probe-failure path preserves today's no-skip behavior — better to over-report than silently swallow a real verifier bug. Validated against test-agent.adcontextprotocol.org/mcp-strict: - Without skip: 31 pass / 2 fail / 6 skip (vectors 007, 018 false-fail). - With auto-skip: 31 pass / 0 fail / 8 skip (clean report; probe succeeds when called with content_digest_mode=either). Real long-term fix is upstreaming a capability-aware --auto-skip flag to @adcp/client's CLI; the wrapper drops the hardcoded mapping then. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Security review on PR #3452 (🟡): the bare fetch() in probeContentDigestMode bypassed the SSRF gate that the grader CLI's ssrfSafeFetch enforces. A caller with an authenticated session could supply a URL whose DNS A record resolves to 127.0.0.1 / 169.254.169.254 / RFC1918 — fetch would hit the loopback/metadata endpoint before the grader CLI's own SSRF gate could refuse, and an error response would land in logger.debug. Plumb the local validateFetchUrl from server/src/utils/url-security.ts which DNS-resolves the hostname and rejects any address in private, link-local, loopback, CGNAT, IPv6 ULA, or always-blocked ranges. Add a 64 KiB body cap matching ssrfSafeFetch's default. Drop the agent URL from the probe-failure debug log to close the info-disclosure side channel. Set redirect: 'manual' so a 30x to a private host can't move the connection laterally. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
When the first end-to-end grade demo ran in prod Slack, Addie reported
31 pass / 2 fail / 6 skipagainsthttps://test-agent.adcontextprotocol.org/mcp-strictand diagnosed the 2 fails as real verifier bugs. They aren't:007-missing-content-digesttests that an agent declaringcovers_content_digest: 'required'rejects digest-less signatures.018-digest-covered-when-forbiddentests that an agent declaringcovers_content_digest: 'forbidden'rejects digest-covering signatures./mcp-strictdeclarescovers_content_digest: 'either', so both vectors are testing modes the agent didn't promise to enforce. The in-processgradeRequestSigning()has anagentCapabilityoption that auto-skips these ascapability_profile_mismatch; the CLI surface doesn't expose it.This wrapper now does the equivalent CLI-side:
get_adcp_capabilitiesforrequest_signing.covers_content_digest.--skip <ids>to the CLI.content_digest_modeparameter for routes where the anonymous probe is auth-gated.Result
Against
https://test-agent.adcontextprotocol.org/mcp-strict:The 2 extra skips are correctly classified as capability-profile mismatches.
Follow-ups
gradeRequestSigning()does richer capability-aware skipping than just content-digest. Long-term the right fix is to upstream a--auto-skip-capability-mismatchesflag to@adcp/client's CLI so this wrapper doesn't need to maintain a hardcoded vector→mode map.content_digest_mode. Could plumbevaluate_agent_quality'sresolveAgentAuthhere so saved credentials drive the probe automatically.Test plan
npx vitest run tests/unit/auth-grader-tools.test.ts— 10 tests pass (was 6; newcontentDigestSkipsForModecases for null / either / required / forbidden)./mcp-strictwith--skip 007-...,018-...produces31 pass / 0 fail / 8 skipagainst prod test agent.content_digest_mode: eitherand confirm clean report.🤖 Generated with Claude Code