[mcp] Validated MCP tool names (#8948)

Author: glen-84

src/HotChocolate/Adapters/src/Adapters.Mcp.Core/Properties/McpAdapterResources.Designer.cs

@@ -30,6 +30,9 @@
   <data name="OperationToolDefinition_DocumentMustContainSingleOperation" xml:space="preserve">
     <value>An operation tool document must have exactly one operation definition.</value>
   </data>
+  <data name="OperationToolDefinition_InvalidToolName" xml:space="preserve">
+    <value>The tool name '{0}' is invalid. Tool names must match the regular expression '{1}'.</value>
+  </data>
   <data name="OperationToolFactory_OpenAiComponentResourceName" xml:space="preserve">
     <value>{0} OpenAI Component</value>
   </data>

src/HotChocolate/Adapters/src/Adapters.Mcp.Core/Properties/McpAdapterResources.resx

@@ -1,5 +1,6 @@
 using System.Security.Cryptography;
 using System.Text;
+using System.Text.RegularExpressions;
 using CaseConverter;
 using HotChocolate.Language;
 using static HotChocolate.Adapters.Mcp.Properties.McpAdapterResources;
@@ -10,7 +11,7 @@ namespace HotChocolate.Adapters.Mcp.Storage;
 /// Represents a GraphQL-operation-based MCP tool definition which is used by
 /// Hot Chocolate to create the actual MCP tool.
 /// </summary>
-public sealed class OperationToolDefinition
+public sealed partial class OperationToolDefinition
 {
     /// <summary>
     /// Initializes a new MCP tool definition from a GraphQL operation document.
@@ -67,6 +68,12 @@ public OperationToolDefinition(
                 nameof(document));
         }
 
+        if (name is not null && !ValidateToolNameRegex().IsMatch(name))
+        {
+            throw new ArgumentException(
+                string.Format(OperationToolDefinition_InvalidToolName, name, ValidateToolNameRegex()));
+        }
+
         Name = name ?? operation.Name?.Value.ToSnakeCase()!;
         Document = document;
         Title = title;
@@ -129,4 +136,8 @@ public OpenAiComponent? OpenAiComponent
     }
 
     public string? OpenAiComponentOutputTemplate { get; private set; }
+
+    /// <summary>Regex that validates tool names.</summary>
+    [GeneratedRegex(@"^[A-Za-z0-9_.-]{1,128}\z")]
+    private static partial Regex ValidateToolNameRegex();
 }

src/HotChocolate/Adapters/src/Adapters.Mcp.Core/Storage/OperationToolDefinition.cs

@@ -0,0 +1,57 @@
+using HotChocolate.Language;
+
+namespace HotChocolate.Adapters.Mcp.Storage;
+
+public sealed class OperationToolDefinitionTests
+{
+    [Theory]
+    [InlineData(null)]
+    [InlineData("valid")]
+    [InlineData("valid_name")]
+    [InlineData("valid.name")]
+    [InlineData("valid-name")]
+    public void OperationToolDefinition_WithValidName_Succeeds(string? name)
+    {
+        // arrange & act
+        var exception =
+            Record.Exception(
+                () =>
+                    new OperationToolDefinition(Utf8GraphQLParser.Parse(OperationDocument), name));
+
+        // assert
+        Assert.Null(exception);
+    }
+
+    [Theory]
+    [InlineData("")]
+    [InlineData("invalid🔧")]
+    [InlineData("invalid name")]
+    [InlineData("invalid/name")]
+    [InlineData("invalid\\name")]
+    [InlineData("invalid", 20)] // 7 characters repeated 20 times = 140 characters
+    public void OperationToolDefinition_WithInvalidName_ThrowsArgumentException(
+        string name,
+        int repeat = 0)
+    {
+        // arrange
+        if (repeat > 0)
+        {
+            name = string.Concat(Enumerable.Repeat(name, repeat));
+        }
+
+        // act
+        var exception =
+            Record.Exception(
+                () =>
+                    new OperationToolDefinition(Utf8GraphQLParser.Parse(OperationDocument), name));
+
+        // assert
+        Assert.IsType<ArgumentException>(exception);
+        Assert.Equal(
+            $"The tool name '{name}' is invalid. Tool names must match the regular expression "
+            + "'^[A-Za-z0-9_.-]{1,128}\\z'.",
+            exception.Message);
+    }
+
+    private const string OperationDocument = "query GetUsers { users { id } }";
+}