RubyGems - actionmcp - Versions diffs - 0.82.0 → 0.83.0 - Mend

actionmcp 0.82.0 → 0.83.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/lib/action_mcp/gateway.rb +16 -3
data/lib/action_mcp/resource_template.rb +45 -33
data/lib/action_mcp/tool.rb +6 -6
data/lib/action_mcp/tools_registry.rb +7 -2
data/lib/action_mcp/version.rb +1 -1
metadata +5 -19

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b0ca96b3275c9dcece973bd75cc7eb4585fea06f6a99d8dec6a7603817c28b69
-  data.tar.gz: a188765f7176684ee0875a9eecf25cf07ff4c2338c93be7fc5fe29954f26bbb0
+  metadata.gz: 78f8c65c494089838368555cda5818fcf8cb74f1c9ecf46e8e93d830efab878d
+  data.tar.gz: c31e29bcaaf55f0f5dc662e144b859f22315cea77702bcda842cc03cb525eaa5
 SHA512:
-  metadata.gz: 678b6231e5c2df59dc9b90c26d5135cfb2ceb2aaa45ed55e774dc9700cf15f634d8a796fa2c9d3e2a78896bf21f41a86d303f2ca97db4445d289f8a24a8892b5
-  data.tar.gz: 2d1458519c3b69045a8f885be8da811544de78e793cc191ca2145d08ebc41a019a209b3f51fc9bcc9138e72b75f6b1fcc11428e01a06b1b6326f7bcc902d7dee
+  metadata.gz: f582244915ed79650cb23424423d0bf80862f7d4a47ac0a563a830bc47b340cdaa3e2bc435934862fe16db6934b3328c633efb1130b4b5aa55a4e12ec12c94df
+  data.tar.gz: 93d40e3def9b7c16abacc08c6f866a91f2f43669c746bd6a577323af3d1496cbfda1421a036f8638aed370aa444b62e3a9ed64232dfc1c975bed0687498d677d

data/lib/action_mcp/gateway.rb CHANGED Viewed

@@ -4,6 +4,11 @@ module ActionMCP
   class UnauthorizedError < StandardError; end
   class Gateway
+    # Whitelist of allowed identity attribute names to prevent method shadowing
+    # and unauthorized attribute assignment. Extend this list if you use custom
+    # identifier names in your GatewayIdentifier implementations.
+    ALLOWED_IDENTITY_KEYS = %w[user api_key jwt bearer token account session].freeze
     class << self
       # pluck in one or many GatewayIdentifier classes
       def identified_by(*klasses)
@@ -69,13 +74,21 @@ module ActionMCP
     def assign_identities(identities)
       identities.each do |name, value|
+        name_str = name.to_s
+        # Validate identity key against whitelist to prevent method shadowing
+        unless ALLOWED_IDENTITY_KEYS.include?(name_str)
+          raise ArgumentError, "Invalid identity key: '#{name_str}'. " \
+                               "Allowed keys: #{ALLOWED_IDENTITY_KEYS.join(', ')}"
+        end
         # define accessor on the fly
         self.class.attr_reader name unless respond_to?(name)
-        instance_variable_set("@#{name}", value)
+        instance_variable_set("@#{name_str}", value)
         # also set current context if you have one
-        ActionMCP::Current.public_send("#{name}=", value) if
-          ActionMCP::Current.respond_to?("#{name}=")
+        ActionMCP::Current.public_send("#{name_str}=", value) if
+          ActionMCP::Current.respond_to?("#{name_str}=")
       end
       ActionMCP::Current.gateway = self if
         ActionMCP::Current.respond_to?(:gateway=)

data/lib/action_mcp/resource_template.rb CHANGED Viewed

@@ -48,6 +48,11 @@ module ActionMCP
         @required_parameters ||= []
       end
+      # Cache compiled regex patterns for URI matching to avoid recompilation
+      def uri_regex_cache
+        @uri_regex_cache ||= {}
+      end
       def parameter(name, description:, required: false, **options)
         @parameters ||= {}
         @parameters[name] = { description: description, required: required, **options }
@@ -139,48 +144,55 @@ module ActionMCP
       # Extract parameters from a URI using the template pattern
       def extract_params_from_uri(uri_string)
-        # Convert template parameters to named capture groups
-        regex_parts = []
-        current_pos = 0
-        param_names = []
-        # Find all template parameters like {param_name}
-        @uri_template.scan(/\{([^}]+)\}/) do |param_name|
-          param_names << param_name[0]
-          # Get the position of this parameter in the template
-          param_start = @uri_template.index("{#{param_name[0]}}", current_pos)
-          # Add the text before the parameter (escaped)
-          if param_start > current_pos
-            prefix = Regexp.escape(@uri_template[current_pos...param_start])
-            regex_parts << prefix
-          end
+        # Check cache for compiled regex and param names
+        cache_entry = uri_regex_cache[@uri_template]
-          # Add the named capture group
-          regex_parts << "(?<#{param_name[0]}>[^/]+)"
+        unless cache_entry
+          # Convert template parameters to named capture groups
+          regex_parts = []
+          current_pos = 0
+          param_names = []
-          # Update current position
-          current_pos = param_start + param_name[0].length + 2 # +2 for { and }
-        end
+          # Find all template parameters like {param_name}
+          @uri_template.scan(/\{([^}]+)\}/) do |param_name|
+            param_names << param_name[0]
-        # Add any remaining text after the last parameter
-        if current_pos < @uri_template.length
-          suffix = Regexp.escape(@uri_template[current_pos..])
-          regex_parts << suffix
-        end
+            # Get the position of this parameter in the template
+            param_start = @uri_template.index("{#{param_name[0]}}", current_pos)
+            # Add the text before the parameter (escaped)
+            if param_start > current_pos
+              prefix = Regexp.escape(@uri_template[current_pos...param_start])
+              regex_parts << prefix
+            end
-        # Build the final regex
-        regex_pattern = regex_parts.join
-        regex = Regexp.new("^#{regex_pattern}$")
+            # Add the named capture group
+            regex_parts << "(?<#{param_name[0]}>[^/]+)"
+            # Update current position
+            current_pos = param_start + param_name[0].length + 2 # +2 for { and }
+          end
+          # Add any remaining text after the last parameter
+          if current_pos < @uri_template.length
+            suffix = Regexp.escape(@uri_template[current_pos..])
+            regex_parts << suffix
+          end
+          # Build the final regex and cache it
+          regex_pattern = regex_parts.join
+          regex = Regexp.new("^#{regex_pattern}$")
+          cache_entry = { regex: regex, param_names: param_names }
+          uri_regex_cache[@uri_template] = cache_entry
+        end
-        # Try to match the URI
-        match_data = regex.match(uri_string)
+        # Try to match the URI using cached regex
+        match_data = cache_entry[:regex].match(uri_string)
         return nil unless match_data
         # Extract named captures as parameters
         params = {}
-        param_names.each do |name|
+        cache_entry[:param_names].each do |name|
           params[name.to_sym] = match_data[name] if match_data[name]
         end

data/lib/action_mcp/tool.rb CHANGED Viewed

@@ -240,9 +240,9 @@ module ActionMCP
       prop_definition.merge!(opts) if opts.any?
       self._schema_properties = _schema_properties.merge(prop_name.to_s => prop_definition)
-      self._required_properties = _required_properties.dup.tap do |req|
-        req << prop_name.to_s if required
-      end
+      new_required = _required_properties.dup
+      new_required << prop_name.to_s if required
+      self._required_properties = new_required
       # Map the JSON Schema type to an ActiveModel attribute type.
       attribute prop_name, map_json_type_to_active_model_type(type), default: default
@@ -271,9 +271,9 @@ module ActionMCP
       collection_definition[:description] = description if description && !description.empty?
       self._schema_properties = _schema_properties.merge(prop_name.to_s => collection_definition)
-      self._required_properties = _required_properties.dup.tap do |req|
-        req << prop_name.to_s if required
-      end
+      new_required = _required_properties.dup
+      new_required << prop_name.to_s if required
+      self._required_properties = new_required
       # Map the type - for number arrays, use our custom type instance
       mapped_type = if type == "number"

data/lib/action_mcp/tools_registry.rb CHANGED Viewed

@@ -26,8 +26,13 @@ module ActionMCP
         # Handle parameter validation errors
         error_response(:invalid_params, message: e.message)
       rescue StandardError => e
-        # FIXME, we should maybe not return the error message to the user
-        error_response(:invalid_params, message: "Tool execution failed: #{e.message}")
+        # Hide error details in production to prevent information disclosure
+        message = if Rails.env.production?
+          "Tool execution failed"
+        else
+          "Tool execution failed: #{e.message}"
+        end
+        error_response(:invalid_params, message: message)
       end
       def item_klass

data/lib/action_mcp/version.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 require_relative "gem_version"
 module ActionMCP
-  VERSION = "0.82.0"
+  VERSION = "0.83.0"
   class << self
     alias version gem_version

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: actionmcp
 version: !ruby/object:Gem::Version
-  version: 0.82.0
+  version: 0.83.0
 platform: ruby
 authors:
 - Abdelkader Boudih
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 8.0.1
+        version: 8.0.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 8.0.1
+        version: 8.0.4
 - !ruby/object:Gem::Dependency
   name: concurrent-ruby
   requirement: !ruby/object:Gem::Requirement
@@ -71,14 +71,14 @@ dependencies:
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 8.0.1
+        version: 8.0.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 8.0.1
+        version: 8.0.4
 - !ruby/object:Gem::Dependency
   name: zeitwerk
   requirement: !ruby/object:Gem::Requirement
@@ -93,20 +93,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.6'
-- !ruby/object:Gem::Dependency
-  name: ostruct
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - ">="
-      - !ruby/object:Gem::Version
-        version: '0'
 - !ruby/object:Gem::Dependency
   name: json_schemer
   requirement: !ruby/object:Gem::Requirement