Improve MCP server UX and security model

- Remove auto-reject for high-risk commands; always require manual approval
- Stream command output to console in real-time instead of buffering
- Use temp file for PowerShell execution to avoid escaping issues
- Clarify env var risk: OUTPUT to container is dangerous, internal USE is safe
- Remove redundant MCP docs from README

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>

Author: gfraiteur

README.md

@@ -553,62 +553,7 @@ Common environment variables (see [`EnvironmentVariableNames.cs`](src/PostSharp.
 | `AZURE_DEVOPS_TOKEN` | Azure DevOps integration |
 | `TYPESENSE_API_KEY` | Search indexing |
 
-## MCP Approval Server (Docker Support)
 
-When running Claude Code inside Docker containers, certain operations require host-level access (git push, GitHub CLI, etc.). The MCP Approval Server provides a secure, human-in-the-loop workflow for these operations.
-
-### Architecture
-
-```
-┌─────────────────────────────────────────┐
-│ Docker Container                        │
-│  ┌─────────────┐                        │
-│  │ Claude Code │──▶ MCP Client          │
-│  └─────────────┘    (execute_command)   │
-└──────────────────────┬──────────────────┘
-                       │ HTTP/SSE
-                       ▼
-┌─────────────────────────────────────────┐
-│ Host: MCP Approval Server               │
-│  1. Receive request                     │
-│  2. AI risk analysis (Claude CLI)       │
-│  3. Auto-approve/reject or prompt user  │
-│  4. Execute if approved                 │
-│  5. Return result                       │
-└─────────────────────────────────────────┘
-```
-
-### Features
-
-- **AI Risk Analysis**: Each command is analyzed by Claude CLI for risk assessment
-- **Auto-approve**: LOW risk commands with AI APPROVE recommendation
-- **Auto-reject**: HIGH/CRITICAL risk commands with AI REJECT recommendation
-- **Git Push Analysis**: Automatically fetches and analyzes commit diffs for secrets, credentials, and inappropriate content
-- **Session Tracking**: Maintains command history to detect suspicious patterns
-- **Attack Detection**: Detects unicode homoglyphs, shell injection, path traversal, and other evasion techniques
-
-### Usage
-
-The MCP server starts automatically with `DockerBuild.ps1 -Claude`. To disable:
-
-```powershell
-.\DockerBuild.ps1 -Claude -NoMcp
-```
-
-Inside the container, privileged commands are routed through the MCP server automatically via the `host-approval` MCP configuration.
-
-### Supported Operations
-
-| Operation | Risk Level |
-|-----------|------------|
-| `gh pr view` | LOW |
-| `gh pr create` | LOW |
-| `git push` (feature branch) | LOW |
-| `git push` (main/develop) | MEDIUM |
-| `gh pr merge` | MEDIUM |
-| `git push --force` | HIGH |
-| `dotnet nuget push` | HIGH |
-| Secret exfiltration attempts | CRITICAL |
 
 ## Documentation
 

src/PostSharp.Engineering.BuildTools/Mcp/Services/ApprovalPrompter.cs

@@ -55,17 +55,7 @@ public Task<bool> RequestApprovalAsync(
                 return Task.FromResult( true );
             }
 
-            // Auto-reject HIGH/CRITICAL risk commands when AI recommends rejection
-            if ( ( assessment.Level == RiskLevel.High || assessment.Level == RiskLevel.Critical )
-                 && assessment.Recommendation == Recommendation.Reject )
-            {
-                AnsiConsole.WriteLine();
-                AnsiConsole.MarkupLine( $"[red]Auto-rejected ({assessment.Level.ToString().ToUpperInvariant()} risk):[/] [white]{Markup.Escape( command )}[/]" );
-                AnsiConsole.MarkupLine( $"[dim]Reason: {Markup.Escape( assessment.Reason )}[/]" );
-                AnsiConsole.WriteLine();
-
-                return Task.FromResult( false );
-            }
+            // HIGH/CRITICAL risk commands always require manual approval (no auto-reject)
 
             AnsiConsole.WriteLine();
             AnsiConsole.Write( new Rule( "[yellow]Command Approval Request[/]" ) );

src/PostSharp.Engineering.BuildTools/Mcp/Services/CommandExecutor.cs

@@ -1,8 +1,11 @@
 // Copyright (c) SharpCrafters s.r.o. See the LICENSE.md file in the root directory of this repository root for details.
 
 using PostSharp.Engineering.BuildTools.Mcp.Models;
+using Spectre.Console;
 using System;
 using System.Diagnostics;
+using System.IO;
+using System.Text;
 using System.Threading;
 using System.Threading.Tasks;
 
@@ -21,12 +24,17 @@ public async Task<CommandResult> ExecuteAsync(
         CancellationToken cancellationToken = default )
 #pragma warning restore CA1822
     {
+        // Write the command to a temp file to avoid escaping issues
+        var tempFile = Path.Combine( Path.GetTempPath(), $"mcp-cmd-{Guid.NewGuid():N}.ps1" );
+
         try
         {
+            await File.WriteAllTextAsync( tempFile, command, Encoding.UTF8, cancellationToken );
+
             var startInfo = new ProcessStartInfo
             {
                 FileName = "pwsh",
-                Arguments = $"-NoProfile -Command \"{EscapeForPowerShell( command )}\"",
+                Arguments = $"-NoProfile -File \"{tempFile}\"",
                 WorkingDirectory = workingDirectory,
                 RedirectStandardOutput = true,
                 RedirectStandardError = true,
@@ -41,24 +49,67 @@ public async Task<CommandResult> ExecuteAsync(
                 return CommandResult.Error( "Failed to start PowerShell process" );
             }
 
-            var stdout = await process.StandardOutput.ReadToEndAsync( cancellationToken );
-            var stderr = await process.StandardError.ReadToEndAsync( cancellationToken );
+            var stdoutBuilder = new StringBuilder();
+            var stderrBuilder = new StringBuilder();
+
+            // Stream output to console in real-time
+            var stdoutTask = ReadStreamAsync( process.StandardOutput, stdoutBuilder, "stdout", cancellationToken );
+            var stderrTask = ReadStreamAsync( process.StandardError, stderrBuilder, "stderr", cancellationToken );
+
+            await Task.WhenAll( stdoutTask, stderrTask );
             await process.WaitForExitAsync( cancellationToken );
 
-            return CommandResult.Success( stdout, stderr, process.ExitCode );
+            return CommandResult.Success( stdoutBuilder.ToString(), stderrBuilder.ToString(), process.ExitCode );
         }
         catch ( Exception ex )
         {
             return CommandResult.Error( $"Execution error: {ex.Message}" );
         }
+        finally
+        {
+            // Clean up temp file
+            try
+            {
+                if ( File.Exists( tempFile ) )
+                {
+                    File.Delete( tempFile );
+                }
+            }
+            catch
+            {
+                // Ignore cleanup errors
+            }
+        }
     }
 
-    private static string EscapeForPowerShell( string command )
+    private static async Task ReadStreamAsync(
+        StreamReader reader,
+        StringBuilder output,
+        string streamName,
+        CancellationToken cancellationToken )
     {
-        // Escape double quotes for PowerShell command line
-        // Using backtick (`) as the PowerShell escape character
-        return command
-            .Replace( "\"", "`\"", StringComparison.Ordinal )
-            .Replace( "$", "`$", StringComparison.Ordinal );
+        var isStderr = streamName == "stderr";
+
+        while ( !cancellationToken.IsCancellationRequested )
+        {
+            var line = await reader.ReadLineAsync( cancellationToken );
+
+            if ( line == null )
+            {
+                break;
+            }
+
+            output.AppendLine( line );
+
+            // Display to console with appropriate formatting
+            if ( isStderr )
+            {
+                AnsiConsole.MarkupLine( $"[red]{line.EscapeMarkup()}[/]" );
+            }
+            else
+            {
+                AnsiConsole.WriteLine( line );
+            }
+        }
     }
 }

src/PostSharp.Engineering.BuildTools/Mcp/Services/RiskAnalyzer.cs

@@ -73,9 +73,13 @@ public sealed class RiskAnalyzer
         - Sequences that seem to be probing or gathering information before a bigger action
         - Mismatches between claimed purpose and actual command behavior
 
-        ### Environment variables
-        - Read ANY environment variable: HIGH risk, expose secrets
-        - Write ANY environment variable: HIGH risk
+        ### Environment Variables (Leakage Risk)
+        The MCP server runs on the host with access to secrets. The requesting Claude runs in Docker without them.
+        The risk is LEAKING secrets to the container, not using them for legitimate operations.
+        - Commands that USE env vars internally (e.g., `git push` using GITHUB_TOKEN): LOW risk - secrets stay on host
+        - Commands that OUTPUT env vars (e.g., `echo $VAR`, `printenv`, `env`, `Get-ChildItem Env:`): CRITICAL risk - leaks to container
+        - Commands that write env vars to files: CRITICAL risk - files may be accessible to container
+        - Piping env var values anywhere the container can read: CRITICAL risk
 
         ### Content Appropriateness (GitHub comments, issues, PRs)
         - Any insulting, offensive, or inappropriate language: HIGH risk
@@ -120,10 +124,12 @@ public sealed class RiskAnalyzer
         - If purpose and command don't align perfectly = MEDIUM risk minimum
 
         ### Environment/Secret Exfiltration
-        - `echo $VAR`, `printenv`, `env`, `set` = HIGH risk (exposes secrets)
-        - Writing environment variables to files
-        - Commands that could leak secrets in output or error messages
-        - Piping sensitive data anywhere = HIGH risk
+        Remember: The container Claude will receive command output. Any secret in output = leaked.
+        - `echo $VAR`, `printenv`, `env`, `set`, `Get-ChildItem Env:` = CRITICAL risk (leaks secrets to container)
+        - Writing environment variables to files in shared/mounted directories = CRITICAL risk
+        - Commands whose output or error messages might contain secrets = HIGH risk
+        - Piping sensitive data anywhere = CRITICAL risk
+        - Legitimate USE of env vars (like `git push` using tokens internally) = LOW risk
         """;
 
     // Suppress CA1822 - this is a DI service, keeping as instance method for consistency