Skip to content

MCP: trust-by-default file access via --disable-file-reference#40

Closed
Chenglong-MS wants to merge 3 commits into
mainfrom
mcp-disable-file-reference
Closed

MCP: trust-by-default file access via --disable-file-reference#40
Chenglong-MS wants to merge 3 commits into
mainfrom
mcp-disable-file-reference

Conversation

@Chenglong-MS

Copy link
Copy Markdown
Contributor

Summary

Replaces the directory-whitelist file-access model in flint-chart-mcp with a simpler trust-by-default model plus a single boolean opt-out.

File access

  • Default (trust mode): local files referenced by data.url (.json/.csv/.tsv) are readable. Relative paths resolve against the working directory; remote URLs remain blocked (SSRF protection).
  • New flag --disable-file-reference (env FLINT_MCP_DISABLE_FILE_REFERENCE): rejects all local file references; agents must pass rows inline via data.values.
  • Deprecated and ignored: --data-roots, --data-root, and FLINT_MCP_DATA_ROOTS. They emit a warning and no longer take effect. The warning steers migrators to simply remove the old flag (not to --disable-file-reference, which is the opposite intent) so existing whitelist users do not accidentally disable file charting.

Docs / site / skills

  • Updated READMEs, agent SKILL files, docs/overview.md, docs/tutorials/setup-flint-mcp.md, and the site MCP page to reflect trust-by-default and the new flag.

Also included

  • Aggregate support: aggregate now collapses rows itself (average/mean synonyms), with related flint-js + docs/api-reference.md updates.

Testing

  • npm run build — success
  • flint-js: 360 tests passing
  • flint-mcp: 44 tests passing

@Chenglong-MS

Copy link
Copy Markdown
Contributor Author

Superseded by #41, which is the same changes opened from dev (identical commit). Closing to remove the duplicate head branch.

@Chenglong-MS Chenglong-MS deleted the mcp-disable-file-reference branch June 30, 2026 01:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant