Merge pull request #1325 from MemPalace/security/mcp-omit-absolute-paths

fix(mcp): omit absolute filesystem paths from MCP tool responses
2026-05-03 03:20:11 -03:00
parent 6f88b2a34e 7fc260f752
commit 3e6f6480c0
3 changed files with 54 additions and 8 deletions
@@ -454,7 +454,6 @@ def _tool_status_via_sqlite() -> dict:
        "total_drawers": total,
        "wings": wings,
        "rooms": rooms,
-        "palace_path": _config.palace_path,
        "protocol": PALACE_PROTOCOL,
        "aaak_dialect": AAAK_SPEC,
        "vector_disabled": True,
@@ -493,7 +492,6 @@ def tool_status():
        "total_drawers": count,
        "wings": wings,
        "rooms": rooms,
-        "palace_path": _config.palace_path,
        "protocol": PALACE_PROTOCOL,
        "aaak_dialect": AAAK_SPEC,
    }
@@ -914,12 +912,21 @@ def tool_get_drawer(drawer_id: str):
            return {"error": f"Drawer not found: {drawer_id}"}
        meta = result["metadatas"][0]
        doc = result["documents"][0]
+        # source_file is the absolute filesystem path written by the
+        # miners. Reduce to its basename before handing it to the MCP
+        # client — same threat model as the palace_path leak fix:
+        # nested-agent / multi-server topologies treat the client as a
+        # separate trust domain. Basename preserves citation utility.
+        # Mirrors the searcher.search_memories() return shape.
+        safe_meta = dict(meta) if meta else {}
+        if safe_meta.get("source_file"):
+            safe_meta["source_file"] = Path(safe_meta["source_file"]).name
        return {
            "drawer_id": drawer_id,
            "content": doc,
-            "wing": meta.get("wing", ""),
-            "room": meta.get("room", ""),
-            "metadata": meta,
+            "wing": safe_meta.get("wing", ""),
+            "room": safe_meta.get("room", ""),
+            "metadata": safe_meta,
        }
    except Exception as e:
        return {"error": str(e)}