fix(mcp): enforce scope-safe memory tools #1035

Merged
kunickiaj merged 1 commit into main from 05-04-fix_mcp_enforce_scope_safe_memory_tools
May 5, 2026

@kunickiaj kunickiaj commented May 5, 2026

Description

Updates the MCP memory tools so every read and write surface (`memory_search`, `memory_search_index`, `memory_timeline`, `memory_explain`, `memory_expand`, `memory_get`, `memory_get_observations`, `memory_recent`, `memory_pack`, `memory_remember`, `memory_forget`) respects the device's authorized sharing domains by default:

  • New `memory-access.ts` helpers route direct-id, getMany, forget, and remember through scope-filtered store paths.
  • Filter schema accepts optional `scope_id` / `include_scope_ids` / `exclude_scope_ids` that intersect with authorization.
  • `rememberMemoryForMcp` rolls back inside the transaction with `unauthorized_scope` if the resolved scope is not locally visible.

Implements codemem-ov4g.5.4.

Type of Change

  • 🐛 Bug fix (fixes an issue)

Testing

  • Relevant checks pass locally (`pnpm run tsc`, `pnpm run lint`, `pnpm run test`)
  • Added/updated tests for changes
  • Manually verified changes work as expected

Coverage: MCP direct reads, getMany filtering, forget refusal on unauthorized scope, remember rollback when scope is hidden.

Checklist

  • Code follows project style (`pnpm run lint` passes for touched files)
  • Self-review completed
  • Documentation updated (if needed)
  • No new warnings introduced
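
An added sketch of the behaviour this description outlines, not code from this pull request or from codemem: caller-supplied scope filters only intersect with the authorized set, direct-id reads drop rows outside it, and a write to a scope that is not visible is undone with `unauthorized_scope`. Every function and type name is hypothetical, and an in-memory array stands in for the store and its transaction.

```typescript
// Added illustration: every name below is hypothetical, not codemem's API.
interface ScopeFilter {
  scope_id?: string;
  include_scope_ids?: string[];
  exclude_scope_ids?: string[];
}
interface MemoryRow { id: number; scope_id: string; body: string }

// Constructed sample store: rows in three sharing domains.
const SAMPLE_ROWS: MemoryRow[] = [
  { id: 1, scope_id: "personal", body: "editor settings" },
  { id: 2, scope_id: "team-a", body: "deploy runbook" },
  { id: 3, scope_id: "team-b", body: "incident notes" },
];

// Effective scopes = authorized ∩ requested. A filter can narrow the
// authorized set but never widen it; no filter means "all authorized".
function effectiveScopes(authorized: string[], filter: ScopeFilter = {}): string[] {
  const { scope_id, include_scope_ids: inc, exclude_scope_ids: exc } = filter;
  return authorized.filter((s) =>
    (scope_id === undefined || s === scope_id) &&
    (inc === undefined || inc.indexOf(s) !== -1) &&
    (exc === undefined || exc.indexOf(s) === -1));
}

// Direct-id read: rows outside the effective scopes are omitted, so a
// hidden id is indistinguishable from one that does not exist.
function getManyScoped(rows: MemoryRow[], ids: number[], authorized: string[],
                       filter?: ScopeFilter): MemoryRow[] {
  const scopes = effectiveScopes(authorized, filter);
  return rows.filter((r) => ids.indexOf(r.id) !== -1 && scopes.indexOf(r.scope_id) !== -1);
}

// Write path: stage the row, then verify its resolved scope is visible;
// if not, undo the staged write and report unauthorized_scope.
function rememberScoped(rows: MemoryRow[], row: MemoryRow,
                        authorized: string[]): { ok: boolean; error?: string } {
  const savepoint = rows.length;
  rows.push(row);
  if (authorized.indexOf(row.scope_id) === -1) {
    rows.length = savepoint; // roll back the staged insert
    return { ok: false, error: "unauthorized_scope" };
  }
  return { ok: true };
}
```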

@kunickiaj kunickiaj marked this pull request as ready for review May 5, 2026 05:24
@kunickiaj kunickiaj force-pushed the 05-04-test_plugin_guard_scoped_opencode_context_injection branch from f84345f to 4db68bf Compare May 5, 2026 14:36
@kunickiaj kunickiaj force-pushed the 05-04-fix_mcp_enforce_scope_safe_memory_tools branch 2 times, most recently from 37559a6 to 88c60eb Compare May 5, 2026 14:46
@kunickiaj kunickiaj force-pushed the 05-04-test_plugin_guard_scoped_opencode_context_injection branch from 4db68bf to cbfb119 Compare May 5, 2026 14:46

kunickiaj commented May 5, 2026

Merge activity

  • May 5, 2:59 PM UTC: A user started a stack merge that includes this pull request via Graphite.
  • May 5, 3:12 PM UTC: Graphite rebased this pull request as part of a merge.
  • May 5, 3:13 PM UTC: @kunickiaj merged this pull request with Graphite.

@kunickiaj kunickiaj changed the base branch from 05-04-test_plugin_guard_scoped_opencode_context_injection to graphite-base/1035 May 5, 2026 15:08
@kunickiaj kunickiaj changed the base branch from graphite-base/1035 to main May 5, 2026 15:10
@kunickiaj kunickiaj force-pushed the 05-04-fix_mcp_enforce_scope_safe_memory_tools branch from 88c60eb to 678e5ef Compare May 5, 2026 15:11
@kunickiaj kunickiaj merged commit deb0384 into main May 5, 2026
8 checks passed
@kunickiaj kunickiaj deleted the 05-04-fix_mcp_enforce_scope_safe_memory_tools branch May 5, 2026 15:13