|
| 1 | +# MCP Approval Server |
| 2 | + |
| 3 | +A WPF GUI application that provides an MCP (Model Context Protocol) server for executing privileged commands on the host machine with human approval. Used when Claude runs inside a Docker container and needs to perform operations requiring host credentials or external access. |
| 4 | + |
| 5 | +## Architecture |
| 6 | + |
| 7 | +### Approval Flow |
| 8 | + |
| 9 | +1. **Request Reception**: Claude in Docker calls `ExecuteCommand` via MCP |
| 10 | +2. **Parallel Risk Analysis**: Two analyzers run concurrently: |
| 11 | + - **Regex Rule Engine** (`RegexRuleEngine.cs`): Fast pattern matching against predefined rules |
| 12 | + - **AI Risk Analyzer** (`RiskAnalyzer.cs`): Uses Claude CLI (Haiku, escalating to Opus if uncertain) |
| 13 | +3. **Risk Combination** (`RiskCombiner.cs`): Takes the maximum (most restrictive) of both assessments |
| 14 | +4. **Human Approval** (`GuiApprovalPrompter.cs`): Shows approval dialog with risk assessment |
| 15 | +5. **Execution** (`CommandExecutor.cs`): If approved, executes via PowerShell on host |
| 16 | +6. **History Recording** (`CommandHistoryService.cs`): Records for session-based auto-approval |
| 17 | + |
| 18 | +### Risk Levels |
| 19 | + |
| 20 | +| Level | Description | |
| 21 | +|-------|-------------| |
| 22 | +| `Low` | Safe operations, recommendation shown | |
| 23 | +| `Medium` | Requires attention, manual review expected | |
| 24 | +| `High` | Potentially dangerous, careful review required | |
| 25 | +| `Critical` | Very dangerous, default recommendation is reject | |
| 26 | +| `Uncertain` | AI couldn't determine - escalates to Opus, then human | |
| 27 | + |
| 28 | +### Key Components |
| 29 | + |
| 30 | +``` |
| 31 | +Mcp/ |
| 32 | +├── Models/ |
| 33 | +│ ├── CommandContext.cs # Git context for rule evaluation |
| 34 | +│ ├── CommandRecord.cs # History entry |
| 35 | +│ ├── CommandResult.cs # Execution result |
| 36 | +│ ├── CommandRule.cs # Rule definition |
| 37 | +│ └── RiskAssessment.cs # Risk analysis result |
| 38 | +├── Services/ |
| 39 | +│ ├── CommandRules.cs # Predefined regex rules |
| 40 | +│ ├── CommandExecutor.cs # PowerShell execution |
| 41 | +│ ├── CommandHistoryService.cs # Session history |
| 42 | +│ ├── RegexRuleEngine.cs # Pattern-based risk evaluation |
| 43 | +│ ├── RiskAnalyzer.cs # AI-based risk analysis |
| 44 | +│ └── RiskCombiner.cs # Combines AI + regex assessments |
| 45 | +└── Tools/ |
| 46 | + └── ExecuteCommandTool.cs # MCP tool entry point |
| 47 | +
|
| 48 | +Services/ |
| 49 | +├── ApprovalRequest.cs # Approval request model |
| 50 | +├── ApprovalRequestQueue.cs # Concurrent request queue |
| 51 | +├── GitHelper.cs # Git operations helper |
| 52 | +├── GuiApprovalPrompter.cs # WPF approval dialog integration |
| 53 | +├── McpHttpServer.cs # HTTP server for MCP |
| 54 | +├── TraceLogger.cs # File-based logging |
| 55 | +└── TrayIconService.cs # System tray integration |
| 56 | +
|
| 57 | +Views/ |
| 58 | +├── ApprovalWindow.xaml # Approval dialog |
| 59 | +├── HistoryWindow.xaml # Command history viewer |
| 60 | +└── MainWindow.xaml # Main window (hidden, tray-based) |
| 61 | +``` |
| 62 | + |
| 63 | +## Adding Command Rules |
| 64 | + |
| 65 | +Rules are defined in `Mcp/Services/CommandRules.cs`. Each rule has: |
| 66 | + |
| 67 | +- `Name`: Unique identifier for logging |
| 68 | +- `Pattern`: Regex to match against the command |
| 69 | +- `RiskLevel`: Low, Medium, High, or Critical |
| 70 | +- `Recommendation`: Approve, Reject, or None (defer to AI) |
| 71 | +- `Reason`: Human-readable explanation |
| 72 | +- `Condition`: Optional function for context-aware matching (e.g., branch checks) |
| 73 | + |
| 74 | +Example: |
| 75 | +```csharp |
| 76 | +new CommandRule |
| 77 | +{ |
| 78 | + Name = "git-push-to-feature", |
| 79 | + Pattern = new Regex( @"git\s+push", RegexOptions.IgnoreCase ), |
| 80 | + RiskLevel = RiskLevel.Low, |
| 81 | + Recommendation = Recommendation.Approve, |
| 82 | + Reason = "Pushing to feature/topic branch" |
| 83 | +} |
| 84 | +``` |
| 85 | + |
| 86 | +Rules are evaluated in order - first match wins. Place more specific rules before general ones. |
| 87 | + |
| 88 | +## AI Risk Analysis |
| 89 | + |
| 90 | +The `RiskAnalyzer` uses Claude CLI with a two-tier approach: |
| 91 | + |
| 92 | +1. **Haiku first**: Fast, cheap analysis for most requests |
| 93 | +2. **Opus escalation**: If Haiku returns `UNCERTAIN`, escalates to Opus |
| 94 | +3. **Human fallback**: If Opus is also uncertain, defaults to Medium risk |
| 95 | + |
| 96 | +The AI receives: |
| 97 | +- Command and claimed purpose |
| 98 | +- Working directory and git branch |
| 99 | +- Session history (last 10 commands) |
| 100 | +- For `git push`: Full commit diff for secrets/content analysis |
| 101 | + |
| 102 | +## Session Auto-Approval |
| 103 | + |
| 104 | +Commands that were previously approved in the same session can be auto-approved: |
| 105 | +- Same command text |
| 106 | +- Same working directory |
| 107 | +- Recorded in `CommandHistoryService` |
| 108 | + |
| 109 | +This allows repetitive operations (like multiple pushes) without repeated approval dialogs. |
| 110 | + |
| 111 | +## Security Considerations |
| 112 | + |
| 113 | +- Server binds to `localhost:9847` only (not network-exposed) |
| 114 | +- Docker accesses via host gateway IP |
| 115 | +- All commands require human approval (no automatic execution) |
| 116 | +- Critical operations (nuget push, repo delete, force push) default to reject |
| 117 | +- AI analyzes commit diffs for secrets, credentials, inappropriate content |
| 118 | +- File operations on host are forbidden (must be done in container) |
0 commit comments