github · SamMorrowDrums · May 29, 2026 · May 17, 2026 · May 23, 2026 · May 29, 2026
@@ -0,0 +1,36 @@
+package github
+
+import (
+	"os"
+	"testing"
+
+	"github.com/github/github-mcp-server/pkg/toolvalidation"
+	"github.com/stretchr/testify/require"
+)
+
+// TestAllToolRegistrationsExplicitlySetReadOnlyHint statically scans every
+// non-test Go source file in this package and asserts that every mcp.Tool
+// composite literal explicitly sets Annotations.ReadOnlyHint.
+//
+// The AST scan itself lives in pkg/toolvalidation so downstream packages
+// (e.g. github/github-mcp-server-remote) can apply the same guardrail to
+// their own tool registrations without duplicating the parser logic.
+//
+// This complements TestAllToolsHaveRequiredMetadata, which can only check
+// that Annotations is non-nil at runtime: Go cannot distinguish an unset
+// bool field from one explicitly set to false. Source-level validation
+// closes that gap and prevents future tool registrations from silently
+// defaulting ReadOnlyHint to false (which has caused downstream agents to
+// prompt for human approval on read-intent tools).
+//
+// Related issue: github/github-mcp-server#2483
+func TestAllToolRegistrationsExplicitlySetReadOnlyHint(t *testing.T) {
+	pkgDir, err := os.Getwd()
+	require.NoError(t, err, "must be able to resolve package directory")
+
+	violations, err := toolvalidation.ScanReadOnlyHint(pkgDir)
+	require.NoError(t, err)
+	if len(violations) > 0 {
+		t.Fatal(toolvalidation.FormatReadOnlyHintViolations(violations))
+	}
+}
@@ -0,0 +1,256 @@
+// Package toolvalidation provides source-level (AST) validators for MCP tool
+// registrations. It is intended to be consumed from _test.go files in any
+// package that registers mcp.Tool literals (including downstream repositories
+// such as github-mcp-server-remote) so the same guardrails apply everywhere
+// without duplicating the parsing logic.
+package toolvalidation
+
+import (
+	"fmt"
+	"go/ast"
+	"go/parser"
+	"go/token"
+	"os"
+	"path/filepath"
+	"strconv"
+	"strings"
+)
+
+// MCPImportPath is the canonical module path of the MCP go-sdk. Source files
+// that import this path under any alias (including the default `mcp`) are
+// candidates for tool-literal validation.
+const MCPImportPath = "github.com/modelcontextprotocol/go-sdk/mcp"
+
+// ReadOnlyHintViolation describes a single mcp.Tool composite literal that
+// failed the ReadOnlyHint check.
+type ReadOnlyHintViolation struct {
+	// File is the path to the offending source file, made relative to the
+	// scan directory when possible.
+	File string
+	// Line is the 1-indexed line number of the offending literal.
+	Line int
+	// ToolName is the value of the Name field on the mcp.Tool literal, or
+	// "<unknown>" when it cannot be statically extracted.
+	ToolName string
+	// Reason is a human-readable explanation of why the literal failed.
+	Reason string
+}
+
+// String renders a violation in the format used by FormatReadOnlyHintViolations:
+// "<file>:<line> tool=<name>: <reason>".
+func (v ReadOnlyHintViolation) String() string {
+	return fmt.Sprintf("%s:%d tool=%s: %s", v.File, v.Line, v.ToolName, v.Reason)
+}
+
+// ScanReadOnlyHint parses every non-test .go file in dir (a single package
+// directory) and returns a violation for each mcp.Tool composite literal that
+// does not explicitly set Annotations.ReadOnlyHint.
+//
+// The Go runtime cannot distinguish an unset bool field from one explicitly
+// set to false, so this AST-level check exists to prevent future tool
+// registrations from silently defaulting ReadOnlyHint to false — which has
+// triggered downstream agents to prompt for human approval on safe read
+// operations.
+//
+// Callers typically invoke this from a _test.go file:
+//
+//	dir, _ := os.Getwd()
+//	violations, err := toolvalidation.ScanReadOnlyHint(dir)
+func ScanReadOnlyHint(dir string) ([]ReadOnlyHintViolation, error) {
+	fset := token.NewFileSet()
+	pkgs, err := parser.ParseDir(fset, dir, func(info os.FileInfo) bool {
+		// Skip test files: they are allowed to construct mcp.Tool literals
+		// for fixtures or mocks where ReadOnlyHint is not meaningful.
+		return !strings.HasSuffix(info.Name(), "_test.go")
+	}, parser.ParseComments)
+	if err != nil {
+		return nil, fmt.Errorf("parse package directory %q: %w", dir, err)
+	}
+
+	var violations []ReadOnlyHintViolation
+	for _, pkg := range pkgs {
+		for filename, file := range pkg.Files {
+			aliases := mcpAliasesFor(file)
+			if len(aliases) == 0 {
+				continue
+			}
+			rel, relErr := filepath.Rel(dir, filename)
+			if relErr != nil || rel == "" {
+				rel = filepath.Base(filename)
+			}
+			ast.Inspect(file, func(n ast.Node) bool {
+				cl, ok := n.(*ast.CompositeLit)
+				if !ok {
+					return true
+				}
+				if !isQualifiedType(cl.Type, aliases, "Tool") {
+					return true
+				}
+				violations = append(violations, checkToolLiteral(cl, aliases, rel, fset.Position(cl.Pos()).Line)...)
+				return true
+			})
+		}
+	}
+	return violations, nil
+}
+
+// FormatReadOnlyHintViolations renders a single multi-line error message
+// suitable for passing to t.Fatal. Returns "" when violations is empty.
+func FormatReadOnlyHintViolations(violations []ReadOnlyHintViolation) string {
+	if len(violations) == 0 {
+		return ""
+	}
+	var msg strings.Builder
+	msg.WriteString("Found tool registrations that do not explicitly set ReadOnlyHint:\n")
+	for _, v := range violations {
+		msg.WriteString("  - ")
+		msg.WriteString(v.String())
+		msg.WriteByte('\n')
+	}
+	msg.WriteString("\nEvery mcp.Tool registration must declare Annotations.ReadOnlyHint explicitly ")
+	msg.WriteString("(true for read-only tools, false for tools with side effects). ")
+	msg.WriteString("See pkg/toolvalidation.ScanReadOnlyHint.")
+	return msg.String()
+}
+
+func checkToolLiteral(cl *ast.CompositeLit, aliases map[string]struct{}, file string, line int) []ReadOnlyHintViolation {
+	toolName := extractToolName(cl)
+	if toolName == "" {
+		toolName = "<unknown>"
+	}
+	mk := func(reason string) ReadOnlyHintViolation {
+		return ReadOnlyHintViolation{File: file, Line: line, ToolName: toolName, Reason: reason}
+	}
+
+	if hasUnkeyedFields(cl) {
+		return []ReadOnlyHintViolation{mk("mcp.Tool literal uses positional (unkeyed) fields; this check requires keyed fields so Annotations.ReadOnlyHint can be verified")}
+	}
+
+	annotations := findFieldValue(cl, "Annotations")
+	if annotations == nil {
+		return []ReadOnlyHintViolation{mk("mcp.Tool literal is missing an Annotations field")}
+	}
+
+	annoLit := unwrapAnnotationsLiteral(annotations, aliases)
+	if annoLit == nil {
+		return []ReadOnlyHintViolation{mk("Annotations is not an &mcp.ToolAnnotations{...} literal; ReadOnlyHint cannot be statically verified")}
+	}
+
+	if hasUnkeyedFields(annoLit) {
+		return []ReadOnlyHintViolation{mk("mcp.ToolAnnotations literal uses positional (unkeyed) fields; use keyed fields so ReadOnlyHint can be verified")}
+	}
+
+	if findFieldValue(annoLit, "ReadOnlyHint") == nil {
+		return []ReadOnlyHintViolation{mk("ToolAnnotations literal does not explicitly set ReadOnlyHint")}
+	}
+	return nil
+}
+
+// mcpAliasesFor returns the set of local identifiers under which the given
+// file imports the MCP go-sdk (MCPImportPath). The default unaliased import
+// resolves to the package name "mcp". Blank (`_`) and dot (`.`) imports are
+// skipped because tool literals cannot meaningfully be qualified through them.
+func mcpAliasesFor(file *ast.File) map[string]struct{} {
+	aliases := map[string]struct{}{}
+	for _, imp := range file.Imports {
+		path, err := strconv.Unquote(imp.Path.Value)
+		if err != nil || path != MCPImportPath {
+			continue
+		}
+		if imp.Name != nil {
+			if imp.Name.Name == "_" || imp.Name.Name == "." {
+				continue
+			}
+			aliases[imp.Name.Name] = struct{}{}
+			continue
+		}
+		aliases["mcp"] = struct{}{}
+	}
+	return aliases
+}
+
+// isQualifiedType reports whether expr is a SelectorExpr of the form
+// <alias>.<typeName> where alias is in the provided alias set.
+func isQualifiedType(expr ast.Expr, aliases map[string]struct{}, typeName string) bool {
+	sel, ok := expr.(*ast.SelectorExpr)
+	if !ok {
+		return false
+	}
+	ident, ok := sel.X.(*ast.Ident)
+	if !ok {
+		return false
+	}
+	if _, ok := aliases[ident.Name]; !ok {
+		return false
+	}
+	return sel.Sel != nil && sel.Sel.Name == typeName
+}
+
+// hasUnkeyedFields reports whether the composite literal has any positional
+// (non-key/value) elements. The static check cannot reliably map positional
+// fields without full type information, so such literals are rejected with a
+// dedicated diagnostic rather than producing false "missing field" violations.
+func hasUnkeyedFields(cl *ast.CompositeLit) bool {
+	for _, elt := range cl.Elts {
+		if _, ok := elt.(*ast.KeyValueExpr); !ok {
+			return true
+		}
+	}
+	return false
+}
+
+// findFieldValue returns the value expression for the named keyed field of a
+// composite literal, or nil if the field is absent.
+func findFieldValue(cl *ast.CompositeLit, name string) ast.Expr {
+	for _, elt := range cl.Elts {
+		kv, ok := elt.(*ast.KeyValueExpr)
+		if !ok {
+			continue
+		}
+		key, ok := kv.Key.(*ast.Ident)
+		if !ok {
+			continue
+		}
+		if key.Name == name {
+			return kv.Value
+		}
+	}
+	return nil
+}
+
+// unwrapAnnotationsLiteral attempts to extract the *ast.CompositeLit for
+// &mcp.ToolAnnotations{...} or mcp.ToolAnnotations{...} from an expression,
+// resolving the MCP package's local alias per file.
+func unwrapAnnotationsLiteral(expr ast.Expr, aliases map[string]struct{}) *ast.CompositeLit {
+	if u, ok := expr.(*ast.UnaryExpr); ok && u.Op == token.AND {
+		expr = u.X
+	}
+	cl, ok := expr.(*ast.CompositeLit)
+	if !ok {
+		return nil
+	}
+	if !isQualifiedType(cl.Type, aliases, "ToolAnnotations") {
+		return nil
+	}
+	return cl
+}
+
+// extractToolName returns the literal value of the Name field of an mcp.Tool
+// composite literal, or empty string if the value is not a basic string literal.
+// Interpreted ("...") and raw (`...`) string literals are handled via
+// strconv.Unquote so embedded escapes are decoded correctly; the raw
+// literal value is returned as a best-effort fallback if unquoting fails.
+func extractToolName(cl *ast.CompositeLit) string {
+	v := findFieldValue(cl, "Name")
+	if v == nil {
+		return ""
+	}
+	bl, ok := v.(*ast.BasicLit)
+	if !ok || bl.Kind != token.STRING {
+		return ""
+	}
+	if unq, err := strconv.Unquote(bl.Value); err == nil {
+		return unq
+	}
+	return bl.Value
+}