make headers parsing more robust, draft composite ff checker

kerobbi · kerobbi · commit d16f98b66dc3 · 2026-01-19T12:12:04.000Z
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -31,7 +31,7 @@
             "mode": "auto",
             "cwd": "${workspaceFolder}",
             "program": "cmd/github-mcp-server/main.go",
-            "args": ["http"],
+            "args": ["http", "--port", "8082"],
             "console": "integratedTerminal",
         }
     ]
diff --git a/pkg/http/handler.go b/pkg/http/handler.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 
 	"github.com/github/github-mcp-server/pkg/github"
+	"github.com/github/github-mcp-server/pkg/http/headers"
 	"github.com/github/github-mcp-server/pkg/http/middleware"
 	"github.com/github/github-mcp-server/pkg/inventory"
 	"github.com/github/github-mcp-server/pkg/lockdown"
@@ -78,28 +79,55 @@ func (s *HTTPMcpHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	middleware.ExtractUserToken()(mcpHandler).ServeHTTP(w, r)
 }
 
-func DefaultInventoryFactory(cfg *HTTPServerConfig, t translations.TranslationHelperFunc) InventoryFactoryFunc {
+func DefaultInventoryFactory(cfg *HTTPServerConfig, t translations.TranslationHelperFunc, staticChecker inventory.FeatureFlagChecker) InventoryFactoryFunc {
 	return func(r *http.Request) *inventory.Inventory {
 		b := github.NewInventory(t).WithDeprecatedAliases(github.DeprecatedToolAliases)
+
+		// Feature checker composition
+		headerFeatures := parseCommaSeparatedHeader(r.Header.Get(headers.MCPFeaturesHeader))
+		if checker := ComposeFeatureChecker(headerFeatures, staticChecker); checker != nil {
+			b = b.WithFeatureChecker(checker)
+		}
+
 		b = InventoryFiltersForRequestHeaders(r, b)
 		return b.Build()
 	}
 }
 
+// InventoryFiltersForRequestHeaders applies inventory filters based on HTTP request headers.
+// Whitespace is trimmed from comma-separated values; empty values are ignored.
 func InventoryFiltersForRequestHeaders(r *http.Request, builder *inventory.Builder) *inventory.Builder {
-	if r.Header.Get("X-MCP-Readonly") != "" {
+	if r.Header.Get(headers.MCPReadOnlyHeader) != "" {
 		builder = builder.WithReadOnly(true)
 	}
 
-	if toolsetsStr := r.Header.Get("X-MCP-Toolsets"); toolsetsStr != "" {
-		toolsets := strings.Split(toolsetsStr, ",")
+	if toolsetsStr := r.Header.Get(headers.MCPToolsetsHeader); toolsetsStr != "" {
+		toolsets := parseCommaSeparatedHeader(toolsetsStr)
 		builder = builder.WithToolsets(toolsets)
 	}
 
-	if toolsStr := r.Header.Get("X-MCP-Tools"); toolsStr != "" {
-		tools := strings.Split(toolsStr, ",")
+	if toolsStr := r.Header.Get(headers.MCPToolsHeader); toolsStr != "" {
+		tools := parseCommaSeparatedHeader(toolsStr)
 		builder = builder.WithTools(github.CleanTools(tools))
 	}
 
 	return builder
 }
+
+// parseCommaSeparatedHeader splits a header value by comma, trims whitespace,
+// and filters out empty values.
+func parseCommaSeparatedHeader(value string) []string {
+	if value == "" {
+		return []string{}
+	}
+
+	parts := strings.Split(value, ",")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		trimmed := strings.TrimSpace(p)
+		if trimmed != "" {
+			result = append(result, trimmed)
+		}
+	}
+	return result
+}
diff --git a/pkg/http/headers/headers.go b/pkg/http/headers/headers.go
@@ -23,4 +23,15 @@ const (
 
 	// RequestHmacHeader is used to authenticate requests to the Raw API.
 	RequestHmacHeader = "Request-Hmac"
+
+	// MCP-specific headers.
+
+	// MCPReadOnlyHeader indicates whether the MCP is in read-only mode.
+	MCPReadOnlyHeader = "X-MCP-Readonly"
+	// MCPToolsetsHeader is a comma-separated list of MCP toolsets that the request is for.
+	MCPToolsetsHeader = "X-MCP-Toolsets"
+	// MCPToolsHeader is a comma-separated list of MCP tools that the request is for.
+	MCPToolsHeader = "X-MCP-Tools"
+	// MCPFeaturesHeader is a comma-separated list of feature flags to enable.
+	MCPFeaturesHeader = "X-MCP-Features"
 )
diff --git a/pkg/http/server.go b/pkg/http/server.go
@@ -82,7 +82,7 @@ func RunHTTPServer(cfg HTTPServerConfig) error {
 		repoAccessOpts = append(repoAccessOpts, lockdown.WithTTL(*cfg.RepoAccessCacheTTL))
 	}
 
-	handler := NewHTTPMcpHandler(&cfg, t, &apiHost, repoAccessOpts, logger, DefaultInventoryFactory(&cfg, t))
+	handler := NewHTTPMcpHandler(&cfg, t, &apiHost, repoAccessOpts, logger, DefaultInventoryFactory(&cfg, t, nil))
 
 	r := chi.NewRouter()
 	r.Mount("/", handler)

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@`
`31`	`31`	`"mode": "auto",`
`32`	`32`	`"cwd": "${workspaceFolder}",`
`33`	`33`	`"program": "cmd/github-mcp-server/main.go",`
`34`		`- "args": ["http"],`
	`34`	`+ "args": ["http", "--port", "8082"],`
`35`	`35`	`"console": "integratedTerminal",`
`36`	`36`	`}`
`37`	`37`	`]`
Original file line number	Diff line number	Diff line change
`@@ -82,7 +82,7 @@ func RunHTTPServer(cfg HTTPServerConfig) error {`
`82`	`82`	`repoAccessOpts = append(repoAccessOpts, lockdown.WithTTL(*cfg.RepoAccessCacheTTL))`
`83`	`83`	`}`
`84`	`84`
`85`		`- handler := NewHTTPMcpHandler(&cfg, t, &apiHost, repoAccessOpts, logger, DefaultInventoryFactory(&cfg, t))`
	`85`	`+ handler := NewHTTPMcpHandler(&cfg, t, &apiHost, repoAccessOpts, logger, DefaultInventoryFactory(&cfg, t, nil))`
`86`	`86`
`87`	`87`	`r := chi.NewRouter()`
`88`	`88`	`r.Mount("/", handler)`