Skip to content

feat(mcp): add server FGA authorization overrides#17529

Merged
abhiaiyer91 merged 3 commits into
mainfrom
graysonhicks/17508-mcp-fga-tool-authorization
Jun 9, 2026
Merged

feat(mcp): add server FGA authorization overrides#17529
abhiaiyer91 merged 3 commits into
mainfrom
graysonhicks/17508-mcp-fga-tool-authorization

Conversation

@graysonhicks

@graysonhicks graysonhicks commented Jun 3, 2026

Copy link
Copy Markdown
Member

Description

Adds MCPServer Fine-Grained Authorization mapping overrides so MCP tools/list and tools/call checks can use server-specific resource and permission mappings without changing the instance-level tool mapping used by internal agent and workflow tool execution.

Related Issue(s)

Fixes #17508

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Test update

Checklist

  • I have made corresponding changes to the documentation (if applicable)
  • I have added tests that prove my fix is effective or that my feature works

ELI5

This PR lets each MCP server set its own access rules for listing and calling tools, so server requests are authorized using server-specific mappings instead of the global tool mapping used by internal agents and workflows.

Overview

Adds an optional fga config to MCPServer that provides per-server Fine-Grained Authorization (FGA) overrides for resource and permission mapping used by tools/list and tools/call, decoupling MCP server authorization from the instance-level tool mapping used for internal agent/workflow tool execution.

Problem Statement

Both MCP tool checks and internal agent/workflow tool execution previously used the shared instance-level resourceMapping.tool, causing scoping conflicts:

  • Internal tool execution is often team/tenant-scoped (e.g., toolteam, deriveId uses teamId).
  • MCP callers are org+user-scoped and span teams; MCP responses are not team-specific.
    Sharing the mapping forced trade-offs (weakened agent gates or synthetic context), making correct scoping difficult.

Solution

Implements per-server FGA mapping overrides on MCPServer (solution #1 from the linked issue) via an optional fga property: fga.resourceMapping (with optional deriveId) and fga.permissionMapping. MCP tools/list and tools/call authorization resolve their resource type/ID and permission using these server-level overrides without changing the instance-level tool mapping.

Changes

  • packages/core/src/mcp/types.ts

    • Added types: MCPServerFGAResourceMappingEntry (optional deriveId), MCPServerFGAPermissionMapping, MCPServerFGAConfig.
    • Extended MCPServerConfig with optional fga?: MCPServerFGAConfig.
  • packages/mcp/src/server/server.ts

    • Added fga private field wired from constructor options.
    • Replaced fixed { type: 'tool', id: resourceId } / raw MastraFGAPermissions.TOOLS_EXECUTE with a new resolveToolFGAParams helper that applies fga.resourceMapping and fga.permissionMapping (including derived IDs) and calls requireFGA with the resolved resource and permission.
  • packages/mcp/src/server/tests/server-fga.test.ts

    • Added tests for tools/list and tools/call verifying:
      • deriveId is invoked with { user, resourceId, requestContext }.
      • The FGA provider is called with overridden resource type, derived ID, and mapped permission.
      • Tool execution proceeds only after successful authorization.
  • docs

    • docs/src/content/en/docs/server/auth/fga.mdx: Clarified enforcement points table: MCP tool default resource ID is JSON.stringify([serverName, toolName]) unless overridden via fga.resourceMapping.
    • docs/src/content/en/reference/tools/mcp-server.mdx: Added fga constructor docs and a "Scope MCP tool FGA separately" section with a TypeScript example demonstrating deriveId and permission mapping usage.
  • .changeset/lazy-hornets-hide.md

    • Added changeset documenting the new fga option for @mastra/mcp and @mastra/core (minor release).

Tests & Docs

  • New unit tests cover mapping overrides for both listing and calling tools.
  • Documentation updated with examples and enforcement clarification.

Impact

  • MCP servers can scope tool authorization independently (e.g., org+user) while preserving existing agent/workflow scoping (e.g., team).
  • Backward compatible: fga is optional; absence retains prior behavior.
  • Fixes issue #17508.

@vercel

vercel Bot commented Jun 3, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
mastra-docs-1.x Ready Ready Preview, Comment Jun 3, 2026 8:20pm
mastra-playground-ui Ready Ready Preview, Comment Jun 3, 2026 8:20pm

Request Review

@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f8db7621-094f-4dcf-8917-0cb62fe78626

📥 Commits

Reviewing files that changed from the base of the PR and between e127ef8 and 3cd29ef.

📒 Files selected for processing (6)
  • .changeset/lazy-hornets-hide.md
  • docs/src/content/en/docs/server/auth/fga.mdx
  • docs/src/content/en/reference/tools/mcp-server.mdx
  • packages/core/src/mcp/types.ts
  • packages/mcp/src/server/__tests__/server-fga.test.ts
  • packages/mcp/src/server/server.ts
✅ Files skipped from review due to trivial changes (2)
  • docs/src/content/en/docs/server/auth/fga.mdx
  • docs/src/content/en/reference/tools/mcp-server.mdx
🚧 Files skipped from review as they are similar to previous changes (3)
  • packages/mcp/src/server/tests/server-fga.test.ts
  • packages/core/src/mcp/types.ts
  • packages/mcp/src/server/server.ts

Walkthrough

This PR extends MCPServer with optional FGA configuration (fga) to allow per-server authorization mapping overrides for tools/list and tools/call checks, independent of instance-level agent/workflow tool mapping. New types define resource and permission mappings; MCPServer resolves those mappings during tool authorization and applies them to FGA checks.

Changes

MCP Server FGA Mapping Overrides

Layer / File(s) Summary
FGA mapping type contracts
packages/core/src/mcp/types.ts
New types MCPServerFGAResourceMappingEntry (with optional deriveId hook), MCPServerFGAPermissionMapping, and MCPServerFGAConfig are introduced. MCPServerConfig is extended with optional fga property to apply overrides to tools/list and tools/call checks without affecting internal tool execution.
MCPServer FGA override wiring and resolution
packages/mcp/src/server/server.ts
MCPServer adds a private fga field wired from constructor options. New helper resolveToolFGAParams computes FGA resource and permission using optional permissionMapping and resourceMapping (including resource type and optional deriveId), defaulting to { type: 'tool', id: resourceId } when unconfigured. enforceToolExecutionFGA is updated to use resolved mappings instead of hardcoded values.
FGA mapping override test coverage
packages/mcp/src/server/__tests__/server-fga.test.ts
Two tests verify that tools/list and tools/call correctly apply FGA mapping overrides: deriveId is invoked with expected user/resourceId/requestContext arguments, and FGA provider require receives the overridden resource type, derived id, and mapped permission.
Documentation and changeset
docs/src/content/en/reference/tools/mcp-server.mdx, docs/src/content/en/docs/server/auth/fga.mdx, .changeset/lazy-hornets-hide.md
MCPServer constructor documentation adds fga field; new subsection explains scoping MCP tool FGA separately with a TypeScript example. Enforcement points table is clarified to document default resource ID derivation and override behavior. Changeset records the feature as minor for both @mastra/mcp and @mastra/core.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes


Possibly related PRs

  • mastra-ai/mastra#17475: Both PRs modify the MCP server's FGA authorization path for tools/list and tools/call—one adds mapAuthInfoToUser (populating FGA user context), this PR adds per-server FGA mapping overrides.

Suggested labels

tests: green ✅, complexity: high


Suggested reviewers

  • abhiaiyer91
  • rphansen91
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed Title is concise (49 characters), descriptive, uses imperative mood, proper capitalization, and directly summarizes the main change: adding FGA authorization overrides to MCPServer.
Linked Issues check ✅ Passed All code changes directly implement solution 1 from issue #17508: per-server FGA resource and permission mapping overrides for MCPServer, enabling independent scoping of tool authorization.
Out of Scope Changes check ✅ Passed All changes are within scope: type definitions, implementation in MCPServer, comprehensive tests, and documentation all directly address the linked issue's requirements without extraneous modifications.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch graysonhicks/17508-mcp-fga-tool-authorization

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Comment @coderabbitai help to get the list of available commands and usage tips.

@changeset-bot

changeset-bot Bot commented Jun 3, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: a82ad9c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 24 packages
Name Type
@mastra/mcp Minor
@mastra/core Minor
mastracode Patch
@mastra/deployer Minor
@mastra/mcp-docs-server Patch
@internal/playground Patch
@mastra/client-js Patch
@mastra/opencode Patch
@mastra/longmemeval Patch
mastra Patch
@mastra/deployer-cloud Minor
@mastra/deployer-vercel Patch
@mastra/playground-ui Patch
@mastra/react Patch
@mastra/server Minor
create-mastra Patch
@mastra/deployer-cloudflare Patch
@mastra/deployer-netlify Patch
@mastra/temporal Patch
@mastra/express Patch
@mastra/fastify Patch
@mastra/hono Patch
@mastra/koa Patch
@mastra/nestjs Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@dane-ai-mastra

dane-ai-mastra Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

PR triage

Linked issue check skipped for core contributor @graysonhicks.


PR complexity score

Factor Value Score impact
Files changed 6 +12
Lines changed 259 +15
Author merged PRs 164 -20
Test files changed Yes -10
Final score -3

Applied label: complexity: low


Changed test gate

Changed tests failed against the base branch as expected.

Label: tests: green ✅

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
.changeset/lazy-hornets-hide.md (1)

10-27: ⚡ Quick win

Align permissionMapping example with reference docs pattern.

The code example uses string literal 'tools:execute' directly, but the reference docs example (lines 1377, 1409 in mcp-server.mdx) imports and uses the MastraFGAPermissions.TOOLS_EXECUTE constant with bracket notation. For consistency and to demonstrate the type-safe pattern, update the changeset example to match the reference docs.

Suggested alignment
+import { MastraFGAPermissions } from '`@mastra/core/auth/ee`'
+
 const server = new MCPServer({
   name: 'My Server',
   version: '1.0.0',
   tools: { getData },
   fga: {
     resourceMapping: {
       tool: {
         fgaResourceType: 'user',
         deriveId: ({ user }) => user.id,
       },
     },
     permissionMapping: {
-      'tools:execute': 'read',
+      [MastraFGAPermissions.TOOLS_EXECUTE]: 'read',
     },
   },
 });
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.changeset/lazy-hornets-hide.md around lines 10 - 27, Update the changeset
example to use the type-safe constant and bracket notation from the docs:
replace the literal 'tools:execute' in the permissionMapping with the
MastraFGAPermissions.TOOLS_EXECUTE constant and use computed property syntax
(e.g. [MastraFGAPermissions.TOOLS_EXECUTE]: 'read'); ensure the example includes
or assumes the MastraFGAPermissions import and that the mapping remains under
the MCPServer fga.permissionMapping field so it matches the pattern used in the
mcp-server.mdx reference.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/core/src/mcp/types.ts`:
- Around line 230-240: The resourceMapping field on MCPServerFGAConfig is too
permissive (Record<string,...>) allowing typos to slip through; change its type
to a keyed type that only allows the supported aliases ('tool' and 'tools') so
misconfigurations fail at compile time — update
MCPServerFGAConfig.resourceMapping to be something like Partial<Record<'tool' |
'tools', MCPServerFGAResourceMappingEntry>> (keeping
MCPServerFGAPermissionMapping unchanged) so server.ts code that reads
resourceMapping.tool and resourceMapping.tools is type-safe.

---

Nitpick comments:
In @.changeset/lazy-hornets-hide.md:
- Around line 10-27: Update the changeset example to use the type-safe constant
and bracket notation from the docs: replace the literal 'tools:execute' in the
permissionMapping with the MastraFGAPermissions.TOOLS_EXECUTE constant and use
computed property syntax (e.g. [MastraFGAPermissions.TOOLS_EXECUTE]: 'read');
ensure the example includes or assumes the MastraFGAPermissions import and that
the mapping remains under the MCPServer fga.permissionMapping field so it
matches the pattern used in the mcp-server.mdx reference.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: c89481d6-5ceb-4ec0-9246-f3016996034d

📥 Commits

Reviewing files that changed from the base of the PR and between e17e5c1 and e127ef8.

📒 Files selected for processing (6)
  • .changeset/lazy-hornets-hide.md
  • docs/src/content/en/docs/server/auth/fga.mdx
  • docs/src/content/en/reference/tools/mcp-server.mdx
  • packages/core/src/mcp/types.ts
  • packages/mcp/src/server/__tests__/server-fga.test.ts
  • packages/mcp/src/server/server.ts

Comment thread packages/core/src/mcp/types.ts
Add MCPServer-level FGA resource and permission mapping overrides for tools/list and tools/call checks. This lets MCP tool authorization use a different scope from the instance-level tool mapping used by internal agent and workflow tool execution.
@graysonhicks graysonhicks force-pushed the graysonhicks/17508-mcp-fga-tool-authorization branch from e127ef8 to 3cd29ef Compare June 3, 2026 16:50
@dane-ai-mastra dane-ai-mastra Bot added the tests: failing ❌ Changed tests passed against base label Jun 3, 2026
@dane-ai-mastra dane-ai-mastra Bot added tests: green ✅ Changed tests failed against base as expected and removed tests: failing ❌ Changed tests passed against base labels Jun 3, 2026
@abhiaiyer91 abhiaiyer91 merged commit 029a414 into main Jun 9, 2026
94 checks passed
@abhiaiyer91 abhiaiyer91 deleted the graysonhicks/17508-mcp-fga-tool-authorization branch June 9, 2026 17:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

complexity: low Low-complexity PR Documentation Improvements or additions to documentation tests: green ✅ Changed tests failed against base as expected

Projects

None yet

Development

Successfully merging this pull request may close these issues.

MCPServer: scope tool-authorization (FGA) independently of the instance-level agent tool mapping

2 participants