feat(http): implement HeaderAllowedFeatureFlags for X-MCP-Features header validation #2332
Merged
SamMorrowDrums merged 3 commits into main from Apr 15, 2026
Pull request overview
Implements a shared allowlist of feature flags that may be enabled via the X-MCP-Features HTTP header, and wires the HTTP server’s header validation to that allowlist.
Changes:
- Added `github.HeaderAllowedFeatureFlags` as the centralized allowlist for header-enabled feature flags.
- Updated the HTTP server feature-flag whitelist to use `github.HeaderAllowedFeatureFlags` (instead of an empty list).
| File | Description |
|---|---|
| pkg/http/server.go | Uses the centralized allowlist for X-MCP-Features header validation in the HTTP feature checker. |
| pkg/github/tools.go | Introduces HeaderAllowedFeatureFlags listing which feature flags are permitted from X-MCP-Features. |
Copilot's findings
Comments suppressed due to low confidence (1)
pkg/http/server.go:30
`knownFeatureFlags` aliases the underlying slice backing `github.HeaderAllowedFeatureFlags`. Even if you keep the exported slice, it’s safer for the HTTP layer to work off a defensive copy so later mutations (or accidental sharing) can’t affect the allowlist used to build `knownSet`. Consider cloning the slice when assigning (or calling an accessor that returns a clone).
var knownFeatureFlags = github.HeaderAllowedFeatureFlags
- Files reviewed: 2/2 changed files
- Comments generated: 2
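The aliasing concern in the suppressed review comment above, as an added example that is not the project's code: a plain slice assignment shares the backing array with the allowlist, while an accessor that returns a copy keeps the validation set stable. The flag names, the accessor body and the helpers `buildKnownSet` and `accepted` are hypothetical.

```go
package main

import "fmt"

// Constructed placeholder names; the page does not list the real flags.
var headerAllowed = []string{"example_flag_a", "example_flag_b"}

// HeaderAllowedFeatureFlags hands out a copy so callers cannot edit the allowlist.
func HeaderAllowedFeatureFlags() []string {
	return append([]string(nil), headerAllowed...)
}

// buildKnownSet turns an allowlist into the lookup set used for validation.
func buildKnownSet(flags []string) map[string]bool {
	set := make(map[string]bool, len(flags))
	for _, f := range flags {
		set[f] = true
	}
	return set
}

// accepted keeps only the requested flags that are in the known set.
func accepted(requested []string, known map[string]bool) []string {
	out := []string{}
	for _, f := range requested {
		if known[f] {
			out = append(out, f)
		}
	}
	return out
}

// aliasLeaks: assignment shares the backing array, so a write via the alias edits the original.
func aliasLeaks() bool {
	original := []string{"example_flag_a", "example_flag_b"}
	alias := original
	alias[0] = "example_internal_flag"
	return buildKnownSet(original)["example_internal_flag"]
}

// cloneIsolates: the same write against the accessor's copy changes nothing.
func cloneIsolates() bool {
	got := HeaderAllowedFeatureFlags()
	got[0] = "example_internal_flag"
	known := buildKnownSet(HeaderAllowedFeatureFlags())
	return len(accepted([]string{"example_internal_flag"}, known)) == 0
}

func main() { fmt.Println("alias leaks:", aliasLeaks(), "clone isolates:", cloneIsolates()) }
```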
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…() and add tests for feature flag validation
SamMorrowDrums approved these changes Apr 15, 2026
SamMorrowDrums added a commit that referenced this pull request Apr 15, 2026
Rebase PR #2282 onto main (post-#2332) and unify feature flag allowlists into a single source of truth.
- Add MCPAppsFeatureFlag, AllowedFeatureFlags, InsidersFeatureFlags, and ResolveFeatureFlags in feature_flags.go
- AllowedFeatureFlags includes all user-controllable flags (MCP Apps + granular), InsidersFeatureFlags only includes MCPAppsFeatureFlag
- HeaderAllowedFeatureFlags() now delegates to AllowedFeatureFlags
- Builder uses feature checker instead of insidersMode bool
- Remove InsidersOnly field from ServerTool and WithInsidersMode from Builder
- HTTP feature checker uses ResolveFeatureFlags for per-request resolution with insiders expansion
- Tool handlers check MCPAppsFeatureFlag via IsFeatureEnabled instead of InsidersMode
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
SamMorrowDrums added a commit that referenced this pull request Apr 16, 2026
Rebase PR #2282 onto main (post-#2332) and unify feature flag allowlists into a single source of truth.
- Add MCPAppsFeatureFlag, AllowedFeatureFlags, InsidersFeatureFlags, and ResolveFeatureFlags in feature_flags.go
- AllowedFeatureFlags includes all user-controllable flags (MCP Apps + granular), InsidersFeatureFlags only includes MCPAppsFeatureFlag
- HeaderAllowedFeatureFlags() now delegates to AllowedFeatureFlags
- Builder uses feature checker instead of insidersMode bool
- Remove InsidersOnly field from ServerTool and WithInsidersMode from Builder
- HTTP feature checker uses ResolveFeatureFlags for per-request resolution with insiders expansion
- Tool handlers check MCPAppsFeatureFlag via IsFeatureEnabled instead of InsidersMode
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>