7d1a189f2e
fix(mcp): scrub err.Error() from JSON-RPC error messages (OFFSEC-001)
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 12s
sop-tier-check / tier-check (pull_request) Successful in 4s
Replace all three err.Error() leaks in mcp.go with constant strings,
consistent with the same fix applied to 22 other files in PRs #1193/#1206/#1219/#168.
- Call handler (line ~329): "parse error: " + err.Error() → "parse error"
- dispatchRPC params unmarshal (line ~417): "invalid params: " + err.Error() → "invalid parameters"
- dispatchRPC tool call (line ~422): err.Error() → "tool call failed"
+ log.Printf server-side for forensics
Routes protected by WorkspaceAuth (C1) and MCPRateLimiter (C2) — this is
defence-in-depth per OFFSEC-001 / #259.
Tests added:
- TestMCPHandler_Call_MalformedJSON_ReturnsConstantParseError
- TestMCPHandler_dispatchRPC_InvalidParams_ReturnsConstantMessage
- TestMCPHandler_dispatchRPC_UnknownTool_ReturnsConstantMessage
- TestMCPHandler_dispatchRPC_InvalidParams_ArrayInsteadOfObject
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
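The leaky and scrubbed error paths the commit describes, side by side, as an added Go example (not the project's mcp.go). The request and params structs, the tool registry and the log format are assumptions chosen for the example; only the three constant messages and the JSON-RPC 2.0 error codes come from the commit message and the spec. The point it shows: the client sees one fixed string per failure class, while the `err.Error()` detail that previously leaked now goes only to the server log.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"log"
)

// Minimal JSON-RPC 2.0 envelope (example shapes, not the project's types).
type rpcError struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

type rpcResponse struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id,omitempty"`
	Result  any             `json:"result,omitempty"`
	Error   *rpcError       `json:"error,omitempty"`
}

type rpcRequest struct {
	ID     json.RawMessage `json:"id"`
	Method string          `json:"method"`
	Params json.RawMessage `json:"params"`
}

// Hypothetical tool-call params shape; an array or malformed object here
// is the "invalid params" case from the commit.
type toolCallParams struct {
	Name string         `json:"name"`
	Args map[string]any `json:"arguments"`
}

// Client-facing constants taken from the commit message.
const (
	msgParseError     = "parse error"
	msgInvalidParams  = "invalid parameters"
	msgToolCallFailed = "tool call failed"
)

// JSON-RPC 2.0 standard error codes.
const (
	codeParseError    = -32700
	codeInvalidParams = -32602
	codeInternalError = -32603
)

// tools is a hypothetical registry standing in for the real dispatcher.
var tools = map[string]func(map[string]any) (any, error){
	"echo": func(a map[string]any) (any, error) { return a, nil },
}

func fail(id json.RawMessage, code int, msg string) rpcResponse {
	return rpcResponse{JSONRPC: "2.0", ID: id, Error: &rpcError{Code: code, Message: msg}}
}

// leakyHandle is the 'before' behaviour: err.Error() text reaches the client,
// exposing parser internals and Go type names.
func leakyHandle(raw []byte) rpcResponse {
	var req rpcRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return fail(nil, codeParseError, "parse error: "+err.Error())
	}
	var p toolCallParams
	if err := json.Unmarshal(req.Params, &p); err != nil {
		return fail(req.ID, codeInvalidParams, "invalid params: "+err.Error())
	}
	tool, ok := tools[p.Name]
	if !ok {
		return fail(req.ID, codeInternalError, errors.New("unknown tool: "+p.Name).Error())
	}
	res, err := tool(p.Args)
	if err != nil {
		return fail(req.ID, codeInternalError, err.Error())
	}
	return rpcResponse{JSONRPC: "2.0", ID: req.ID, Result: res}
}

// scrubbedHandle is the fixed behaviour: a constant message per failure class
// goes to the client, and the underlying error goes only to the server log.
func scrubbedHandle(raw []byte) rpcResponse {
	var req rpcRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		log.Printf("mcp: parse error: %v", err)
		return fail(nil, codeParseError, msgParseError)
	}
	var p toolCallParams
	if err := json.Unmarshal(req.Params, &p); err != nil {
		log.Printf("mcp: invalid params (id %s): %v", req.ID, err)
		return fail(req.ID, codeInvalidParams, msgInvalidParams)
	}
	tool, ok := tools[p.Name]
	if !ok {
		log.Printf("mcp: unknown tool %q (id %s)", p.Name, req.ID)
		return fail(req.ID, codeInternalError, msgToolCallFailed)
	}
	res, err := tool(p.Args)
	if err != nil {
		log.Printf("mcp: tool %q failed (id %s): %v", p.Name, req.ID, err)
		return fail(req.ID, codeInternalError, msgToolCallFailed)
	}
	return rpcResponse{JSONRPC: "2.0", ID: req.ID, Result: res}
}

func main() {
	// Constructed inputs: malformed JSON, array-instead-of-object params, unknown tool.
	for _, raw := range []string{
		`{"id":1,"method":"tools/call",`,
		`{"id":2,"method":"tools/call","params":[1,2,3]}`,
		`{"id":3,"method":"tools/call","params":{"name":"nope","arguments":{}}}`,
	} {
		before, _ := json.Marshal(leakyHandle([]byte(raw)))
		after, _ := json.Marshal(scrubbedHandle([]byte(raw)))
		fmt.Printf("before: %s\nafter:  %s\n\n", before, after)
	}
}
```

Running it prints each response pair; the "before" line carries the encoding/json error text, the "after" line carries only the constant. The same three inputs are the ones the commit's new tests name (malformed JSON, array instead of object, unknown tool).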
2026-05-10 09:01:51 +00:00