mochengqian opened a new pull request, #953:
URL: https://github.com/apache/dubbo-go-pixiu/pull/953
## What this does
Implements intelligent MCP tool routing for the MCP server filter,
addressing #937.
When Pixiu exposes many backend APIs as MCP tools, sending the full tool
list to
every LLM/Agent causes tool overload, context bloat, and an uncontrolled
exposure
surface. This PR adds an opt-in routing layer that selects a smaller, more
appropriate set of tools per session, and enforces that selection at call
time.
The router lives **inside** the `mcpserver` filter as a pluggable
`ToolSelector`
(not a separate HTTP filter): `tools/list` cannot reach a downstream filter
because
it returns `filter.Stop` in the decode phase, so the selection must happen
where the
list is built. It is wired at three hook points: `initialize`, `tools/list`
(discovery-time trimming), and `tools/call` (runtime enforcement).
## Design principles
- **Minimal exposure first**: deterministic policy / workflow rules decide
authorization; semantic ranking is left as a future, non-authoritative
stage.
- **Discovery vs. execution split**: `tools/list` is trimmed AND
`tools/call` is
re-checked against the session plan, so a client cannot bypass trimming by
calling a tool name it learned elsewhere.
- **Session-bound**: selections are bound to the existing `Mcp-Session-Id`.
- **Explainable**: every drop carries a stage/rule/reason, inspectable via an
opt-in loopback admin endpoint.
- **Zero-config compatible**: with no `router` block (or
`router.enabled=false`),
behavior is identical to current develop — no breaking change.
## Pipeline stages (this PR)
1. **PolicyFilter** — hard filter on JWT claims / tenant / risk / tags
(always on).
2. **WorkflowSelector** — named tool bundles, optionally claim-gated.
3. **ProgressiveGate** — tier-based progressive disclosure (opt-in).
Schema matching and LLM/embedding rerank are intentionally **not** included;
they
are future, opt-in, non-authoritative stages per the issue's staging.
## Safety / fallback
- `enforce_on_call` (default true): tools not in the session plan are denied.
- Fallback: `bundle_default` (fall back to a named safe bundle) or
`fail_closed`
(expose nothing). There is no `fail_open` — a failure in the governance
layer
never widens the exposure surface.
## Observability
- Prometheus metrics (selection latency, candidate/selected counts, denials,
fallbacks).
- Structured decision logs (sampled; payloads redacted unless explicitly
opted in).
- Loopback-only admin endpoint `GET /__mcp/router/plan/{session_id}`, gated
by
`audit.payload_logging`.
## Testing
- Unit tests for each stage (policy, workflow, progressive), session plan
store,
decision log, and config builder.
- Integration tests: tenant isolation over `tools/list`, cross-tenant and
bypass-list `tools/call` denial, zero-config passthrough.
- Benchmarks: cold selection at 50 / 1k tools and warm (cached) reuse.
- A runnable example is provided under `docs/ai/mcp/router-example/`.
`go test ./pkg/filter/mcp/mcpserver/...` passes; rebased onto current develop
(includes #931).
## Notes
- Default-off and additive to `ToolConfig`/`McpServerConfig` (all new fields
`omitempty`); existing MCP configs are unaffected.
- Relates to #937.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
