Skip to content

Merge feature branches into main#99

Merged
Patel230 merged 16 commits into
mainfrom
merge/feature-branches
Jul 16, 2026
Merged

Merge feature branches into main#99
Patel230 merged 16 commits into
mainfrom
merge/feature-branches

Conversation

@Patel230

Copy link
Copy Markdown
Contributor

Merging fix/hawk-sandbox-mcp and release/0.2.0 into main.

Patel230 and others added 16 commits July 13, 2026 20:17
Add a new drift check that compares hawk's own go.mod requirements for
tracked pins against what each external/ submodule declares. This helps
detect version mismatches that could cause silent build-time upgrades.

Related: docs/compatibility.md explains the drift concern in detail.
PatchTool, StructuredEditTool, and SmartCreateTool wrote/deleted files
from LLM-authored paths without calling validatePathAllowed, the sandbox
guard already used by file_write.go and file_edit.go. This let an LLM
escape the working directory / allowed-directories sandbox via these
three tools even though the equivalent Write/Edit tools were guarded.

Thread ctx through PatchParser.ApplyAll so each patch's path (including
the Delete File directive, which shares the same Apply function) is
validated before any filesystem mutation. Add the same guard check to
StructuredEditTool.Execute and SmartCreateTool.Execute before their
ReadFile/WriteFile/MkdirAll calls.

Add a regression test asserting PatchTool.Execute rejects a Create File
patch targeting a path outside the allowed directories and does not
create the file.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
configuredStartupMCPServers only ever read cfg.Command/cfg.Args and skipped
any entry without a Command — configuring "type": "http"/"sse"/"websocket"
in settings.json had zero effect, since nothing dispatched to
mcp.ConnectHTTP/ConnectSSE/ConnectWS from config at all. Even the existing
static Headers-based auth mechanism was unreachable as a result.

Adds LoadRemoteMCPTools and dispatches on cfg.Type; unifies tool-wrapping
across all three transports via a minimal mcpClient interface (CallTool +
Close, which already have identical signatures on mcp.Server/HTTPServer/
WSServer) so MCPTool can wrap any of them without changing any of those
concrete types. Resource listing (ListResources/ReadResource) stays
stdio-only via a type assertion, matching what those transports actually
implement today.
…remote servers

Hand-rolled to match internal/mcp's existing zero-SDK-dependency style
(no mark3labs/mcp-go added as a dependency). internal/mcp/oauth.go:
RFC 9728 protected-resource discovery falling back to RFC 8414
authorization-server discovery falling back to the previous guessed
defaults; RFC 7591 dynamic client registration when no client_id is
configured; PKCE (S256); a from-scratch loopback callback listener
(hawk had no redirect-listener pattern before — only the existing
device-code/poll flow used for Hawk Cloud login, which doesn't fit MCP's
authorization-code+PKCE requirement); token exchange/refresh.

internal/mcp/oauth_store.go persists tokens via internal/auth.SecureStorage
(the real keychain-backed store — internal/auth.TokenStore looks similar
but its Load/Save are literal no-ops).

internal/tool/mcp_auth.go completes the previously half-built McpAuthTool:
Execute now runs discovery through PKCE and starts the loopback listener,
with a background goroutine that awaits the callback, exchanges the code,
and saves the token — matching hawk's agent-tool-call UX (returns the
authorization URL immediately, picks up asynchronously once the user
authorizes). AuthHeaderForMCPServer wires the stored token into the
Authorization header the transport-dispatch fix already reads, refreshing
first if it's close to expiring.
Add the hawk-mcpkit replace directive so the shared MCP scaffolding
resolves as a sibling module, and bump the external/yaad submodule to
the mcpkit-migrated commit.
…create

PatchTool, StructuredEditTool, and SmartCreateTool wrote or deleted files
via LLM-authored paths without calling validatePathAllowed, the guard
every other read/write tool uses. An LLM could direct them at paths
outside the workspace.

Add validatePathAllowed(ctx, path) to each tool's Execute method. Patch
validates each parsed patch target in Execute (the only method that has
a ctx) before ApplyAll, so the package-level Apply/ApplyAll signatures
stay stable. Added regression tests asserting out-of-workspace paths are
rejected and in-sandbox paths still succeed.
Advance the three submodule pointers to commits that include the fixes
made in the sibling repos:

  eyrie -> f6abb1e  delete dead errors package + stop falling back to
                OPENAI base URL for non-OpenAI providers (credential
                hijack fix)
  trace -> 164d86b  serialize V2GitStore storer access under StorerMu
                (git object corruption race)
  yaad  -> 7a796a0  migrate MCP server onto hawk-mcpkit (yaad MCPkit
                replace path corrected for the external/ layout)

The sibling repos (../eyrie, ../trace, ../yaad) hold the matching
source commits; these pointers make hawk build against the fixed code.
# Conflicts:
#	internal/tool/patch.go
@Patel230
Patel230 merged commit c28fc4f into main Jul 16, 2026
19 of 20 checks passed
@Patel230
Patel230 deleted the merge/feature-branches branch July 16, 2026 01:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant