vikunja/pkg/modules
kolaente 8fbc6b62a2 feat(mcp): enforce per-tool api token scopes
Filter MCP tool visibility and invocation by the requesting API token's
(group, permission) scopes. tools/list now returns only the tools the
token's APIPermissions authorise; tools/call additionally re-checks the
scope in the dispatcher as defence-in-depth, so a session created with
one token cannot be reused to invoke tools that token never had access to.

The per-session filter runs at session-init via the StreamableHTTPHandler
getServer factory (which the SDK calls once per session, before caching
the *mcp.Server). The dispatcher check runs on every tools/call and
returns ErrScopeDenied, which the AddTool wrapper renders as an IsError
tool result.
2026-05-26 23:54:02 +02:00
auth fix(oauth2server): accept all loopback redirect forms 2026-05-07 22:03:49 +00:00
avatar feat(avatar): use distinct marble palette for bot users 2026-05-01 14:44:10 +00:00
background fix: add timeouts to Gravatar, Unsplash, and SSRF-safe HTTP clients 2026-04-09 07:31:08 +00:00
dump chore(lint): suppress known gosec false positives 2026-03-23 16:23:15 +01:00
keyvalue fix: fatal with clear message when keyvalue type is redis but redis is not enabled 2026-04-12 09:43:31 +00:00
mcp feat(mcp): enforce per-tool api token scopes 2026-05-26 23:54:02 +02:00
migration test(trello): drop redundant BackgroundImage assignment in getTestBoard 2026-05-15 15:16:11 +00:00