Implement two-layer MCP approval system with AI and regex validation

Added a defense-in-depth approach to MCP command approval:
- Layer 1: AI-driven risk analysis (existing RiskAnalyzer)
- Layer 2: Regex-based rule engine with git context awareness
- Both layers run in parallel for optimal performance
- Final risk level is the maximum (most restrictive) of both assessments

New components:
- RegexRuleEngine: Evaluates commands against pattern-based rules with git context
- CommandRules: 30+ predefined rules covering git operations, GitHub CLI, file operations, package publishing, and security-sensitive operations
- RiskCombiner: Combines assessments from both layers
- CommandContext: Captures git branch, remote URL, and merge status
- CommandRule: Declarative rule model with regex patterns and optional context conditions

Updated components:
- ExecuteCommandTool: Runs both analyzers in parallel using Task.WhenAll
- ApprovalPrompter: Displays AI assessment, regex assessment, and combined final decision
- McpServerCommand: Registers new services in DI container
- RiskAssessment: Added RuleName property for audit logging

Protected branches: main, master, develop/*, release/*
All file operations are rejected (must be done in container)
All package publishing is rejected (must be done through CI/CD)

Fixed Spectre.Console markup error in RegexRuleEngine by escaping square brackets
and adding Markup.Escape() for rule properties.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <[email protected]>

Author: gfraiteur

DockerBuild.ps1

@@ -560,12 +560,19 @@ if (-not $BuildImage)
         # Start MCP approval server on host with dynamic port in new terminal tab
         $mcpPort = $null
         $mcpPortFile = $null
+        $mcpSecret = $null
         if (-not $NoMcp) {
             Write-Host "Starting MCP approval server..." -ForegroundColor Green
             $mcpPortFile = Join-Path $env:TEMP "mcp-port-$([System.Guid]::NewGuid().ToString('N').Substring(0,8)).txt"
 
+            # Generate 128-bit (16 byte) random secret for authentication
+            $randomBytes = New-Object byte[] 16
+            [Security.Cryptography.RandomNumberGenerator]::Fill($randomBytes)
+            $mcpSecret = [Convert]::ToBase64String($randomBytes)
+            Write-Host "Generated MCP authentication secret" -ForegroundColor Cyan
+
             # Build the command to run in the new tab
-            $mcpCommand = "& '$SourceDirName\Build.ps1' tools mcp-server --port-file '$mcpPortFile'"
+            $mcpCommand = "& '$SourceDirName\Build.ps1' tools mcp-server --port-file '$mcpPortFile' --secret '$mcpSecret'"
 
             # Try Windows Terminal first (wt.exe), fall back to conhost
             $wtPath = Get-Command wt.exe -ErrorAction SilentlyContinue
@@ -676,6 +683,11 @@ if (-not $BuildImage)
             "-e", "USERPROFILE=$containerUserProfile"
         )
 
+        # Pass MCP secret to container if MCP server is running
+        if ($mcpSecret) {
+            $envArgs += @("-e", "MCP_APPROVAL_SERVER_TOKEN=$mcpSecret")
+        }
+
         Write-Host "Executing: ``docker run --rm --memory=12g $dockerArgsAsString $VolumeMappingsAsString -e HOME=$containerUserProfile -e USERPROFILE=$containerUserProfile -w $ContainerSourceDir $ImageTag `"$pwshPath`" -Command `"$inlineScript`"" -ForegroundColor Cyan
 
         try {

Dockerfile.claude

@@ -80,12 +80,19 @@ ENV PATH="C:\Program Files\GitHub CLI;${PATH}"
 
 # Install Claude CLI
 # Configure npm global directory to avoid Windows container path issues
-ENV NPM_CONFIG_PREFIX=C:\npm
-ENV PATH="C:\npm;${PATH}"
+ENV NPM_CONFIG_PREFIX=C:\\npm
+ENV PATH="C:\\npm;${PATH}"
 
 # Install Claude CLI using cmd shell to avoid HCS issues with PowerShell
 SHELL ["cmd", "/S", "/C"]
-RUN C:\nodejs\npm.cmd install --global @anthropic-ai/claude-code
+RUN C:\\nodejs\\npm.cmd install --global @anthropic-ai/claude-code
+
+# Set HOME/USERPROFILE so Claude CLI finds credentials during build
+ENV HOME=C:\\Users\\ContainerUser
+ENV USERPROFILE=C:\\Users\\ContainerUser
+
+# Create Claude config directory (credentials are mounted at runtime)
+RUN mkdir C:\Users\ContainerUser\.claude
 
 # Restore PowerShell shell using full path
 SHELL ["C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "-Command"]

eng/RunClaude.ps1

@@ -17,8 +17,17 @@ if ($env:RUNNING_IN_DOCKER -ne "true")
 # Configure MCP approval server if port is specified
 $mcpConfigArg = ""
 if ($McpPort -gt 0) {
-    $sseUrl = "http://host.docker.internal:$McpPort/sse"
-    Write-Host "Configuring MCP approval server: $sseUrl" -ForegroundColor Cyan
+    # Get MCP secret from environment variable
+    $mcpSecret = $env:MCP_APPROVAL_SERVER_TOKEN
+    if ([string]::IsNullOrEmpty($mcpSecret)) {
+        Write-Error "MCP_APPROVAL_SERVER_TOKEN environment variable is not set. Cannot authenticate to MCP server."
+        exit 1
+    }
+
+    # URL-encode the secret for path segment
+    $encodedSecret = [System.Web.HttpUtility]::UrlEncode($mcpSecret)
+    $sseUrl = "http://host.docker.internal:$McpPort/$encodedSecret/sse"
+    Write-Host "Configuring MCP approval server (authenticated)" -ForegroundColor Cyan
 
     # Create temporary MCP config file
     $mcpConfigPath = "$env:TEMP\mcp-config.json"

src/PostSharp.Engineering.BuildTools/Docker/ClaudeComponent.cs

@@ -56,6 +56,7 @@ public override void WriteDockerfile( TextWriter writer )
             RUN mkdir C:\Users\ContainerUser\.claude
             """ );
 
+/*
         // Add marketplaces if any are specified
         foreach ( var marketplace in this.Marketplaces )
         {
@@ -67,7 +68,7 @@ public override void WriteDockerfile( TextWriter writer )
         {
             writer.WriteLine( $"RUN C:\\npm\\claude.cmd plugin install {plugin}" );
         }
-
+*/
         writer.WriteLine(
             """
 

src/PostSharp.Engineering.BuildTools/Mcp/McpServerCommand.cs

@@ -38,9 +38,13 @@ public override async Task<int> ExecuteAsync( CommandContext context, McpServerC
             // Register services for tool dependencies
             builder.Services.AddSingleton<CommandHistoryService>();
             builder.Services.AddSingleton<RiskAnalyzer>();
+            builder.Services.AddSingleton<RegexRuleEngine>();
             builder.Services.AddSingleton<ApprovalPrompter>();
             builder.Services.AddSingleton<CommandExecutor>();
 
+            // Register ConsoleHelper for GitHelper usage
+            builder.Services.AddSingleton( _ => new PostSharp.Engineering.BuildTools.Utilities.ConsoleHelper() );
+
             // Register the tool itself
             builder.Services.AddScoped<ExecuteCommandTool>();
 

src/PostSharp.Engineering.BuildTools/Mcp/Models/CommandContext.cs

@@ -0,0 +1,34 @@
+// Copyright (c) SharpCrafters s.r.o. See the LICENSE.md file in the root directory of this repository root for details.
+
+namespace PostSharp.Engineering.BuildTools.Mcp.Models;
+
+/// <summary>
+/// Contextual information about a command execution environment, used for risk assessment.
+/// </summary>
+public sealed record CommandContext
+{
+    /// <summary>
+    /// Gets the command to be executed.
+    /// </summary>
+    public required string Command { get; init; }
+
+    /// <summary>
+    /// Gets the working directory for command execution.
+    /// </summary>
+    public required string WorkingDirectory { get; init; }
+
+    /// <summary>
+    /// Gets the current git branch, if available.
+    /// </summary>
+    public string? CurrentBranch { get; init; }
+
+    /// <summary>
+    /// Gets the remote URL for the git repository, if available.
+    /// </summary>
+    public string? RemoteUrl { get; init; }
+
+    /// <summary>
+    /// Gets a value indicating whether a git merge is currently in progress.
+    /// </summary>
+    public bool IsMergeInProgress { get; init; }
+}

src/PostSharp.Engineering.BuildTools/Mcp/Models/CommandRule.cs

@@ -0,0 +1,43 @@
+// Copyright (c) SharpCrafters s.r.o. See the LICENSE.md file in the root directory of this repository root for details.
+
+using System;
+using System.Text.RegularExpressions;
+
+namespace PostSharp.Engineering.BuildTools.Mcp.Models;
+
+/// <summary>
+/// Defines a regex-based rule for evaluating command risk.
+/// </summary>
+public sealed class CommandRule
+{
+    /// <summary>
+    /// Gets the unique name of the rule.
+    /// </summary>
+    public required string Name { get; init; }
+
+    /// <summary>
+    /// Gets the regex pattern to match against the command.
+    /// </summary>
+    public required Regex Pattern { get; init; }
+
+    /// <summary>
+    /// Gets the risk level if this rule matches.
+    /// </summary>
+    public required RiskLevel RiskLevel { get; init; }
+
+    /// <summary>
+    /// Gets the recommendation if this rule matches.
+    /// </summary>
+    public required Recommendation Recommendation { get; init; }
+
+    /// <summary>
+    /// Gets the reason explaining why this rule triggered.
+    /// </summary>
+    public required string Reason { get; init; }
+
+    /// <summary>
+    /// Gets an optional condition function that must be satisfied for the rule to apply.
+    /// If null, the rule applies whenever the pattern matches.
+    /// </summary>
+    public Func<CommandContext, bool>? Condition { get; init; }
+}

src/PostSharp.Engineering.BuildTools/Mcp/Models/RiskAssessment.cs

@@ -35,6 +35,12 @@ public sealed class RiskAssessment
 
     public required string Reason { get; init; }
 
+    /// <summary>
+    /// Gets the name of the rule that triggered this assessment (for regex-based rules).
+    /// Null for AI-driven assessments.
+    /// </summary>
+    public string? RuleName { get; init; }
+
     public static RiskAssessment Default( string reason )
     {
         return new RiskAssessment

src/PostSharp.Engineering.BuildTools/Mcp/Services/ApprovalPrompter.cs

@@ -22,7 +22,9 @@ public Task<bool> RequestApprovalAsync(
         string command,
         string claimedPurpose,
         string workingDirectory,
-        RiskAssessment assessment )
+        RiskAssessment combinedAssessment,
+        RiskAssessment aiAssessment,
+        RiskAssessment regexAssessment )
 #pragma warning restore CA1822
     {
         // Beep to alert the user
@@ -44,12 +46,12 @@ public Task<bool> RequestApprovalAsync(
 
         try
         {
-            // Auto-approve LOW risk commands when AI recommends approval
-            if ( assessment.Level == RiskLevel.Low && assessment.Recommendation == Recommendation.Approve )
+            // Auto-approve LOW risk commands when combined assessment recommends approval
+            if ( combinedAssessment.Level == RiskLevel.Low && combinedAssessment.Recommendation == Recommendation.Approve )
             {
                 AnsiConsole.WriteLine();
                 AnsiConsole.MarkupLine( "[green]Auto-approved (LOW risk)[/]" );
-                AnsiConsole.MarkupLine( $"[dim]Reason: {Markup.Escape( assessment.Reason )}[/]" );
+                AnsiConsole.MarkupLine( $"[dim]Reason: {Markup.Escape( combinedAssessment.Reason )}[/]" );
                 AnsiConsole.WriteLine();
 
                 return Task.FromResult( true );
@@ -69,15 +71,37 @@ public Task<bool> RequestApprovalAsync(
             table.AddRow( "[bold]Command[/]", $"[white]{Markup.Escape( command )}[/]" );
             table.AddRow( "[bold]Working Directory[/]", $"[blue]{Markup.Escape( workingDirectory )}[/]" );
             table.AddRow( "[bold]Purpose[/]", $"[dim]{Markup.Escape( claimedPurpose )}[/]" );
-            table.AddRow( "[bold]Risk Level[/]", GetRiskMarkup( assessment.Level ) );
-            table.AddRow( "[bold]AI Recommendation[/]", GetRecommendationMarkup( assessment.Recommendation ) );
-            table.AddRow( "[bold]Reason[/]", $"[dim]{Markup.Escape( assessment.Reason )}[/]" );
+
+            // AI Assessment section
+            table.AddRow( "", "" ); // Empty row for spacing
+            table.AddRow( "[bold yellow]AI Assessment[/]", "" );
+            table.AddRow( "  Risk Level", GetRiskMarkup( aiAssessment.Level ) );
+            table.AddRow( "  Recommendation", GetRecommendationMarkup( aiAssessment.Recommendation ) );
+            table.AddRow( "  Reason", $"[dim]{Markup.Escape( aiAssessment.Reason )}[/]" );
+
+            // Regex Assessment section
+            table.AddRow( "", "" ); // Empty row for spacing
+            table.AddRow( "[bold cyan]Regex Assessment[/]", "" );
+            table.AddRow( "  Risk Level", GetRiskMarkup( regexAssessment.Level ) );
+            table.AddRow( "  Recommendation", GetRecommendationMarkup( regexAssessment.Recommendation ) );
+            table.AddRow( "  Reason", $"[dim]{Markup.Escape( regexAssessment.Reason )}[/]" );
+
+            if ( regexAssessment.RuleName != null )
+            {
+                table.AddRow( "  Rule Name", $"[dim]{Markup.Escape( regexAssessment.RuleName )}[/]" );
+            }
+
+            // Combined Assessment section
+            table.AddRow( "", "" ); // Empty row for spacing
+            table.AddRow( "[bold green]Combined (Final)[/]", "" );
+            table.AddRow( "  Risk Level", GetRiskMarkup( combinedAssessment.Level ) );
+            table.AddRow( "  Recommendation", GetRecommendationMarkup( combinedAssessment.Recommendation ) );
 
             AnsiConsole.Write( table );
             AnsiConsole.WriteLine();
 
-            // Default to AI recommendation
-            var defaultApprove = assessment.Recommendation == Recommendation.Approve;
+            // Default to combined recommendation
+            var defaultApprove = combinedAssessment.Recommendation == Recommendation.Approve;
             var approved = AnsiConsole.Confirm( "Approve this command?", defaultValue: defaultApprove );
 
             return Task.FromResult( approved );