Use constants, protect docker-mcpEnsures no one can modify the docker-mcp resource

Author: masegraye

cmd/docker-mcp/catalog/add.go

@@ -23,6 +23,11 @@ func ParseAddArgs(dst, src, catalogFile string) *ParsedAddArgs {
 }
 
 func ValidateArgs(args ParsedAddArgs) error {
+	// Prevent users from modifying the Docker catalog
+	if args.Dst == DockerCatalogName {
+		return fmt.Errorf("cannot add servers to catalog '%s' as it is managed by Docker", args.Dst)
+	}
+	
 	cfg, err := ReadConfig()
 	if err != nil {
 		return err

cmd/docker-mcp/catalog/catalog.go

@@ -9,8 +9,9 @@ import (
 )
 
 const (
-	DockerCatalogName = "docker-mcp"
-	DockerCatalogURL  = "https://desktop.docker.com/mcp/catalog/v2/catalog.yaml"
+	DockerCatalogName     = "docker-mcp"
+	DockerCatalogURL      = "https://desktop.docker.com/mcp/catalog/v2/catalog.yaml"
+	DockerCatalogFilename = "docker-mcp.yaml"
 
 	// Docker server names for bootstrap command
 	DockerHubServerName = "dockerhub"

cmd/docker-mcp/catalog/create.go

@@ -5,6 +5,11 @@ import (
 )
 
 func Create(name string) error {
+	// Prevent users from creating the Docker catalog
+	if name == DockerCatalogName {
+		return fmt.Errorf("cannot create catalog '%s' as it is reserved for Docker's official catalog", name)
+	}
+	
 	cfg, err := ReadConfig()
 	if err != nil {
 		return err

cmd/docker-mcp/catalog/export.go

@@ -17,7 +17,7 @@ import (
 // This function only allows exporting user-managed catalogs, not the Docker catalog
 func Export(ctx context.Context, catalogName, outputPath string) error {
 	// Validate that we're not trying to export the Docker catalog
-	if catalogName == "docker-mcp" || catalogName == "docker-mcp.yaml" {
+	if catalogName == DockerCatalogName || catalogName == DockerCatalogFilename {
 		return fmt.Errorf("cannot export the Docker MCP catalog as it is managed by Docker")
 	}
 

cmd/docker-mcp/catalog/fork.go

@@ -5,13 +5,26 @@ import (
 )
 
 func Fork(src, dst string) error {
+	// Prevent users from creating a destination catalog with the Docker name
+	if dst == DockerCatalogName {
+		return fmt.Errorf("cannot create catalog '%s' as it is reserved for Docker's official catalog", dst)
+	}
+	
 	cfg, err := ReadConfig()
 	if err != nil {
 		return err
 	}
-	if _, ok := cfg.Catalogs[src]; !ok {
-		return fmt.Errorf("catalog %q not found", src)
+	
+	// Special handling for Docker catalog - it exists but not in cfg.Catalogs
+	if src == DockerCatalogName {
+		// Allow forking from Docker catalog, but it won't be in cfg.Catalogs
+		// We'll read it directly from the DockerCatalogName
+	} else {
+		if _, ok := cfg.Catalogs[src]; !ok {
+			return fmt.Errorf("catalog %q not found", src)
+		}
 	}
+	
 	if _, ok := cfg.Catalogs[dst]; ok {
 		return fmt.Errorf("catalog %q already exists", dst)
 	}

cmd/docker-mcp/catalog/rm.go

@@ -7,6 +7,11 @@ import (
 )
 
 func Rm(name string) error {
+	// Prevent users from removing the Docker catalog
+	if name == DockerCatalogName {
+		return fmt.Errorf("cannot remove catalog '%s' as it is managed by Docker", name)
+	}
+	
 	cfg, err := ReadConfig()
 	if err != nil {
 		return err

cmd/docker-mcp/commands/catalog_validation_test.go

@@ -0,0 +1,167 @@
+package commands
+
+import (
+	"context"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/docker/mcp-gateway/cmd/docker-mcp/catalog"
+)
+
+func TestDockerCatalogProtection(t *testing.T) {
+	// Create temporary home directory
+	tempHome := t.TempDir()
+	originalHome := os.Getenv("HOME")
+	defer func() {
+		if originalHome != "" {
+			os.Setenv("HOME", originalHome)
+		}
+	}()
+	
+	if err := os.Setenv("HOME", tempHome); err != nil {
+		t.Fatal(err)
+	}
+
+	// Create the MCP directory structure
+	mcpDir := filepath.Join(tempHome, ".docker", "mcp")
+	catalogsDir := filepath.Join(mcpDir, "catalogs")
+	require.NoError(t, os.MkdirAll(catalogsDir, 0755))
+
+	// Initialize the catalog system
+	ctx := context.Background()
+	require.NoError(t, catalog.Init(ctx))
+
+	t.Run("TestCreateDockerCatalogPrevented", func(t *testing.T) {
+		err := catalog.Create(catalog.DockerCatalogName)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "cannot create catalog 'docker-mcp' as it is reserved for Docker's official catalog")
+	})
+
+	t.Run("TestRemoveDockerCatalogPrevented", func(t *testing.T) {
+		err := catalog.Rm(catalog.DockerCatalogName)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "cannot remove catalog 'docker-mcp' as it is managed by Docker")
+	})
+
+	t.Run("TestForkToDockerCatalogPrevented", func(t *testing.T) {
+		// First create a source catalog to fork from
+		require.NoError(t, catalog.Create("source-catalog"))
+		
+		err := catalog.Fork("source-catalog", catalog.DockerCatalogName)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "cannot create catalog 'docker-mcp' as it is reserved for Docker's official catalog")
+	})
+
+	t.Run("TestForkFromDockerCatalogAllowed", func(t *testing.T) {
+		// Create a minimal docker-mcp.yaml file to fork from
+		dockerCatalog := `
+registry:
+  test-server:
+    title: "Test Server"
+    description: "A test server"
+    image: "test/server:latest"
+`
+		dockerCatalogPath := filepath.Join(catalogsDir, "docker-mcp.yaml")
+		require.NoError(t, os.WriteFile(dockerCatalogPath, []byte(dockerCatalog), 0644))
+
+		// Forking FROM Docker catalog should work
+		err := catalog.Fork(catalog.DockerCatalogName, "my-docker-fork")
+		assert.NoError(t, err)
+		
+		// Verify the fork was created
+		cfg, err := catalog.ReadConfig()
+		require.NoError(t, err)
+		_, exists := cfg.Catalogs["my-docker-fork"]
+		assert.True(t, exists)
+	})
+
+	t.Run("TestAddToDockerCatalogPrevented", func(t *testing.T) {
+		// Create a source catalog file
+		sourceCatalog := `
+registry:
+  source-server:
+    title: "Source Server"
+    description: "A source server"
+    image: "source/server:latest"
+`
+		sourcePath := filepath.Join(catalogsDir, "source.yaml")
+		require.NoError(t, os.WriteFile(sourcePath, []byte(sourceCatalog), 0644))
+
+		// Try to add to Docker catalog
+		args := catalog.ParseAddArgs(catalog.DockerCatalogName, "test-server", sourcePath)
+		err := catalog.ValidateArgs(*args)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "cannot add servers to catalog 'docker-mcp' as it is managed by Docker")
+	})
+
+	t.Run("TestExportDockerCatalogPrevented", func(t *testing.T) {
+		outputPath := filepath.Join(tempHome, "exported-docker.yaml")
+		err := catalog.Export(ctx, catalog.DockerCatalogName, outputPath)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "cannot export the Docker MCP catalog as it is managed by Docker")
+	})
+
+	t.Run("TestExportDockerCatalogFilenamePrevented", func(t *testing.T) {
+		outputPath := filepath.Join(tempHome, "exported-docker.yaml")
+		err := catalog.Export(ctx, catalog.DockerCatalogFilename, outputPath)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "cannot export the Docker MCP catalog as it is managed by Docker")
+	})
+
+	t.Run("TestNormalCatalogOperationsStillWork", func(t *testing.T) {
+		// Create a normal catalog
+		err := catalog.Create("normal-catalog")
+		assert.NoError(t, err)
+
+		// Verify it exists
+		cfg, err := catalog.ReadConfig()
+		require.NoError(t, err)
+		_, exists := cfg.Catalogs["normal-catalog"]
+		assert.True(t, exists)
+
+		// Fork it
+		err = catalog.Fork("normal-catalog", "forked-catalog")
+		assert.NoError(t, err)
+
+		// Add to it (create source file first)
+		sourceCatalog := `
+registry:
+  normal-server:
+    title: "Normal Server"
+    description: "A normal server"
+    image: "normal/server:latest"
+`
+		sourcePath := filepath.Join(catalogsDir, "normal-source.yaml")
+		require.NoError(t, os.WriteFile(sourcePath, []byte(sourceCatalog), 0644))
+
+		args := catalog.ParseAddArgs("normal-catalog", "normal-server", sourcePath)
+		err = catalog.ValidateArgs(*args)
+		assert.NoError(t, err)
+
+		err = catalog.Add(*args, false)
+		assert.NoError(t, err)
+
+		// Export it
+		outputPath := filepath.Join(tempHome, "exported-normal.yaml")
+		err = catalog.Export(ctx, "normal-catalog", outputPath)
+		assert.NoError(t, err)
+		
+		// Verify export file exists
+		_, err = os.Stat(outputPath)
+		assert.NoError(t, err)
+
+		// Remove it
+		err = catalog.Rm("normal-catalog")
+		assert.NoError(t, err)
+
+		// Verify it's gone
+		cfg, err = catalog.ReadConfig()
+		require.NoError(t, err)
+		_, exists = cfg.Catalogs["normal-catalog"]
+		assert.False(t, exists)
+	})
+}

cmd/docker-mcp/commands/gateway.go

@@ -44,7 +44,7 @@ func gatewayCommand(docker docker.Client, dockerCli command.Cli) *cobra.Command
 	} else {
 		// On-host.
 		options = gateway.Config{
-			CatalogPath:  []string{"docker-mcp.yaml"},
+			CatalogPath:  []string{catalog.DockerCatalogFilename},
 			RegistryPath: []string{"registry.yaml"},
 			ConfigPath:   []string{"config.yaml"},
 			ToolsPath:    []string{"tools.yaml"},

cmd/docker-mcp/internal/catalog/catalog.go

@@ -16,8 +16,12 @@ import (
 	"github.com/docker/mcp-gateway/cmd/docker-mcp/internal/user"
 )
 
+const (
+	DockerCatalogFilename = "docker-mcp.yaml"
+)
+
 func Get(ctx context.Context) (Catalog, error) {
-	return ReadFrom(ctx, []string{"docker-mcp.yaml"})
+	return ReadFrom(ctx, []string{DockerCatalogFilename})
 }
 
 func ReadFrom(ctx context.Context, fileOrURLs []string) (Catalog, error) {
@@ -115,7 +119,7 @@ func isURL(fileOrURL string) bool {
 
 // GetWithOptions loads catalogs with enhanced options for configured catalogs and additional catalogs
 func GetWithOptions(ctx context.Context, useConfigured bool, additionalCatalogs []string) (Catalog, error) {
-	catalogPaths := []string{"docker-mcp.yaml"}
+	catalogPaths := []string{DockerCatalogFilename}
 
 	// Add configured catalogs if enabled
 	if useConfigured {