Improve MCP server security with token-in-path authentication

- Add token-based authentication using path segments (/$token/endpoint)
- Generate random 128-bit secret per Docker session
- Remove sessionId parameter from ExecuteCommand (single session model)
- Add --verbose flag to control HTTP logging
- Add --secret flag for authentication token
- Pass token via MCP_APPROVAL_SERVER_TOKEN environment variable
- Update CLAUDE.md with security model documentation

Author: gfraiteur

.claude/settings.local.json

@@ -16,7 +16,10 @@
       "Bash(findstr:*)",
       "Bash(docker run:*)",
       "Bash(.DockerBuild.ps1 -Claude -SkipBuild)",
-      "Bash(dotnet restore:*)"
+      "Bash(dotnet restore:*)",
+      "WebFetch(domain:github.com)",
+      "Bash(cat:*)",
+      "Bash(npx @anthropic-ai/claude-code:*)"
     ],
     "deny": [],
     "ask": []

CLAUDE.md

@@ -18,6 +18,14 @@ Before any work in this repo, read these skills:
 
 When running inside a Docker container, you have access to the `host-approval` MCP server for executing privileged commands on the host machine. These commands require human approval before execution.
 
+### Security Model
+
+The MCP server uses token-based authentication:
+- DockerBuild.ps1 generates a random 128-bit secret when starting the MCP server
+- The secret is passed to the container via the `MCP_APPROVAL_SERVER_TOKEN` environment variable
+- All MCP requests include this secret as a URL parameter for authentication
+- The MCP server validates the token before processing any commands
+
 ### When to Use the MCP Server
 
 Use the `ExecuteCommand` tool from the `host-approval` MCP server for:
@@ -48,7 +56,6 @@ Use the `ExecuteCommand` tool from the `host-approval` MCP server for:
 ### How to Use
 
 Call the `ExecuteCommand` tool with:
-- `sessionId`: Use a consistent session ID for your conversation (e.g., "session-{timestamp}")
 - `command`: The command to execute
 - `workingDirectory`: The working directory (use forward slashes: `X:/src/RepoName`)
 - `claimedPurpose`: A clear explanation of why this command is needed
@@ -58,7 +65,6 @@ Call the `ExecuteCommand` tool with:
 To push a feature branch:
 ```
 ExecuteCommand(
-  sessionId: "session-20241214",
   command: "git push origin feature/my-feature",
   workingDirectory: "X:/src/PostSharp.Engineering",
   claimedPurpose: "Push the feature branch with MCP implementation to remote for PR creation"

src/PostSharp.Engineering.BuildTools/Docker/ClaudeComponent.cs

@@ -15,17 +15,61 @@ public class ClaudeComponent : ContainerComponent
 
     public override ContainerComponentKind Kind => ContainerComponentKind.Claude;
 
+    /// <summary>
+    /// Gets the list of marketplace URLs to add in the container.
+    /// These should be GitHub repository URLs (e.g., https://github.com/org/repo).
+    /// Marketplaces are added first, then plugins can be installed from them.
+    /// </summary>
+    public string[] Marketplaces { get; init; } =
+    [
+        "https://github.com/metalama/Metalama.AI.Skills",
+        "https://github.com/postsharp/PostSharp.Engineering.AISkills"
+    ];
+
+    /// <summary>
+    /// Gets the list of plugin names to install from the added marketplaces.
+    /// </summary>
+    public string[] Plugins { get; init; } =
+    [
+        "metalama",
+        "metalama-dev",
+        "eng"
+    ];
+
     public override void WriteDockerfile( TextWriter writer )
     {
         writer.WriteLine(
             """
             # Configure npm global directory to avoid Windows container path issues
-            ENV NPM_CONFIG_PREFIX=C:\npm
-            ENV PATH="C:\npm;${PATH}"
+            ENV NPM_CONFIG_PREFIX=C:\\npm
+            ENV PATH="C:\\npm;${PATH}"
 
             # Install Claude CLI using cmd shell to avoid HCS issues with PowerShell
             SHELL ["cmd", "/S", "/C"]
-            RUN C:\nodejs\npm.cmd install --global @anthropic-ai/claude-code
+            RUN C:\\nodejs\\npm.cmd install --global @anthropic-ai/claude-code
+
+            # Set HOME/USERPROFILE so Claude CLI finds credentials during build
+            ENV HOME=C:\\Users\\ContainerUser
+            ENV USERPROFILE=C:\\Users\\ContainerUser
+
+            # Create Claude config directory (credentials are mounted at runtime)
+            RUN mkdir C:\Users\ContainerUser\.claude
+            """ );
+
+        // Add marketplaces if any are specified
+        foreach ( var marketplace in this.Marketplaces )
+        {
+            writer.WriteLine( $"RUN C:\\npm\\claude.cmd plugin marketplace add {marketplace}" );
+        }
+
+        // Install plugins from the added marketplaces
+        foreach ( var plugin in this.Plugins )
+        {
+            writer.WriteLine( $"RUN C:\\npm\\claude.cmd plugin install {plugin}" );
+        }
+
+        writer.WriteLine(
+            """
 
             # Restore PowerShell shell using full path
             SHELL ["C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "-Command"]
@@ -55,4 +99,4 @@ public override void AddRequirements( IReadOnlyList<ContainerComponent> componen
             add( new GitHubCliComponent() );
         }
     }
-}
+}

src/PostSharp.Engineering.BuildTools/Mcp/McpServerCommand.cs

@@ -63,16 +63,26 @@ public override async Task<int> ExecuteAsync( CommandContext context, McpServerC
 
             var app = builder.Build();
 
-            // Add request logging middleware
-            app.Use( async ( httpContext, next ) =>
+            // Add request logging middleware (only if verbose mode is enabled)
+            if ( settings.Verbose )
             {
-                AnsiConsole.MarkupLine( $"[dim]HTTP {httpContext.Request.Method} {httpContext.Request.Path}[/]" );
+                app.Use( async ( httpContext, next ) =>
+                {
+                    AnsiConsole.MarkupLine( $"[dim]HTTP {httpContext.Request.Method} {httpContext.Request.Path}[/]" );
 
-                await next();
-            } );
+                    await next();
+                } );
+            }
 
-            // Map MCP endpoints
-            app.MapMcp();
+            // Map MCP endpoints with token as base path (if configured)
+            if ( !string.IsNullOrEmpty( settings.Secret ) )
+            {
+                app.MapMcp( $"/{settings.Secret}" );
+            }
+            else
+            {
+                app.MapMcp();
+            }
 
             // Start the server
             await app.StartAsync();
@@ -92,9 +102,6 @@ public override async Task<int> ExecuteAsync( CommandContext context, McpServerC
             AnsiConsole.MarkupLine( "[dim]Press Ctrl+C to stop the server[/]" );
             AnsiConsole.WriteLine();
 
-            // Write to stdout for programmatic consumption
-            Console.WriteLine( $"MCP_SERVER_PORT={actualPort}" );
-
             // Wait for shutdown signal
             await app.WaitForShutdownAsync();
 

src/PostSharp.Engineering.BuildTools/Mcp/McpServerCommandSettings.cs

@@ -18,4 +18,13 @@ public sealed class McpServerCommandSettings : CommandSettings
     [CommandOption( "--port-file" )]
     [Description( "File path to write the assigned port number. Used for dynamic port discovery." )]
     public string? PortFile { get; init; }
+
+    [CommandOption( "--verbose" )]
+    [Description( "Enable verbose logging including HTTP requests." )]
+    [DefaultValue( false )]
+    public bool Verbose { get; init; }
+
+    [CommandOption( "--secret" )]
+    [Description( "Security token for authenticating requests. Required for production use." )]
+    public string? Secret { get; init; }
 }

src/PostSharp.Engineering.BuildTools/Mcp/Tools/ExecuteCommandTool.cs

@@ -37,8 +37,6 @@ public ExecuteCommandTool(
     [McpServerTool]
     [Description( "Execute a PowerShell command on the host machine. Requires human approval. Use this for git push, GitHub operations, and other actions that affect external systems or require privileges or tokens that the container does not have." )]
     public async Task<CommandResult> ExecuteCommand(
-        [Description( "Unique session identifier for tracking command history" )]
-        string sessionId,
         [Description( "The command to execute (e.g., 'git push origin main'). Must be valid PowerShell script." )]
         string command,
         [Description( "The working directory for command execution" )]
@@ -47,11 +45,13 @@ public async Task<CommandResult> ExecuteCommand(
         string claimedPurpose,
         CancellationToken cancellationToken = default )
     {
+        // Use a constant session ID for single session model
+        const string sessionId = "default";
+
         // Log incoming request
         AnsiConsole.WriteLine();
         AnsiConsole.Write( new Rule( "[yellow]Incoming Command Request[/]" ) );
         AnsiConsole.MarkupLine( $"[dim]Time:[/] {DateTime.Now:yyyy-MM-dd HH:mm:ss}" );
-        AnsiConsole.MarkupLine( $"[dim]Session:[/] {sessionId}" );
         AnsiConsole.MarkupLine( $"[dim]Command:[/] [white]{command.EscapeMarkup()}[/]" );
         AnsiConsole.MarkupLine( $"[dim]Working Directory:[/] {workingDirectory.EscapeMarkup()}" );
         AnsiConsole.MarkupLine( $"[dim]Purpose:[/] {claimedPurpose.EscapeMarkup()}" );

src/PostSharp.Engineering.BuildTools/Resources/DockerBuild.ps1

@@ -560,12 +560,19 @@ if (-not $BuildImage)
         # Start MCP approval server on host with dynamic port in new terminal tab
         $mcpPort = $null
         $mcpPortFile = $null
+        $mcpSecret = $null
         if (-not $NoMcp) {
             Write-Host "Starting MCP approval server..." -ForegroundColor Green
             $mcpPortFile = Join-Path $env:TEMP "mcp-port-$([System.Guid]::NewGuid().ToString('N').Substring(0,8)).txt"
 
+            # Generate 128-bit (16 byte) random secret for authentication
+            $randomBytes = New-Object byte[] 16
+            [Security.Cryptography.RandomNumberGenerator]::Fill($randomBytes)
+            $mcpSecret = [Convert]::ToBase64String($randomBytes)
+            Write-Host "Generated MCP authentication secret" -ForegroundColor Cyan
+
             # Build the command to run in the new tab
-            $mcpCommand = "& '$SourceDirName\Build.ps1' tools mcp-server --port-file '$mcpPortFile'"
+            $mcpCommand = "& '$SourceDirName\Build.ps1' tools mcp-server --port-file '$mcpPortFile' --secret '$mcpSecret'"
 
             # Try Windows Terminal first (wt.exe), fall back to conhost
             $wtPath = Get-Command wt.exe -ErrorAction SilentlyContinue
@@ -676,6 +683,11 @@ if (-not $BuildImage)
             "-e", "USERPROFILE=$containerUserProfile"
         )
 
+        # Pass MCP secret to container if MCP server is running
+        if ($mcpSecret) {
+            $envArgs += @("-e", "MCP_APPROVAL_SERVER_TOKEN=$mcpSecret")
+        }
+
         Write-Host "Executing: ``docker run --rm --memory=12g $dockerArgsAsString $VolumeMappingsAsString -e HOME=$containerUserProfile -e USERPROFILE=$containerUserProfile -w $ContainerSourceDir $ImageTag `"$pwshPath`" -Command `"$inlineScript`"" -ForegroundColor Cyan
 
         try {

src/PostSharp.Engineering.BuildTools/Resources/RunClaude.ps1

@@ -17,8 +17,17 @@ if ($env:RUNNING_IN_DOCKER -ne "true")
 # Configure MCP approval server if port is specified
 $mcpConfigArg = ""
 if ($McpPort -gt 0) {
-    $sseUrl = "http://host.docker.internal:$McpPort/sse"
-    Write-Host "Configuring MCP approval server: $sseUrl" -ForegroundColor Cyan
+    # Get MCP secret from environment variable
+    $mcpSecret = $env:MCP_APPROVAL_SERVER_TOKEN
+    if ([string]::IsNullOrEmpty($mcpSecret)) {
+        Write-Error "MCP_APPROVAL_SERVER_TOKEN environment variable is not set. Cannot authenticate to MCP server."
+        exit 1
+    }
+
+    # URL-encode the secret for path segment
+    $encodedSecret = [System.Web.HttpUtility]::UrlEncode($mcpSecret)
+    $sseUrl = "http://host.docker.internal:$McpPort/$encodedSecret/sse"
+    Write-Host "Configuring MCP approval server (authenticated)" -ForegroundColor Cyan
 
     # Create temporary MCP config file
     $mcpConfigPath = "$env:TEMP\mcp-config.json"