Skip to content

cx-devassist: guard the MCP bridge spawn against unfit cx builds#7

Open
cx-anurag-dalke wants to merge 6 commits into
masterfrom
feature/cloude-code-cli-plugin-2
Open

cx-devassist: guard the MCP bridge spawn against unfit cx builds#7
cx-anurag-dalke wants to merge 6 commits into
masterfrom
feature/cloude-code-cli-plugin-2

Conversation

@cx-anurag-dalke

Copy link
Copy Markdown

Updated asset for Claude Code CLI Plugin

cx-rakesh-kadu and others added 6 commits July 9, 2026 16:59
Signed-off-by: Rakesh Kadu <141014001+cx-rakesh-kadu@users.noreply.github.com>
Signed-off-by: Rakesh Kadu <141014001+cx-rakesh-kadu@users.noreply.github.com>
The Checkmarx MCP server is spawned by Claude Code (cx_run.sh mcp bridge)
entirely outside the PreToolUse hook system, so an old or capability-
incomplete cx would die on the unsupported `mcp bridge` subcommand mid
JSON-RPC handshake -- surfaced as a generic, undiagnosable "-32000 failed
to reconnect" with no indication it was a version problem.

- Add scripts/cx-mcp-guard.sh: a shared version+capability decision for
  `cx mcp bridge`, sourced by both cx_run.sh (before spawning the MCP
  bridge) and cx-bootstrap.sh's verify() (after placing a fresh download),
  so the two no longer carry independently drifting copies of the same
  check.
- cx_run.sh now refuses to exec an unfit binary instead of corrupting the
  stdio transport, and logs every connect/reconnect attempt (success or
  denial) to cx-devassist.jsonl via a new mcp_connect event in cx_log.py,
  with an exact, human-readable reason.
- Track which resolution tier (CX_BINARY / canonical store / PATH)
  supplied an unfit binary, since a CX_BINARY pin does not self-heal from
  the suggested upgrade bootstrap (it only ever writes the canonical
  store) -- the deny/log messages now say so explicitly.
- Close a related gap in the upgrade doc flow: it could finish without
  ever telling the developer to /reload-plugins + /mcp, leaving the MCP
  bridge silently running the old binary after an otherwise-successful
  upgrade.
- Replace scan_decision's raw exit_code with a reason_code
  (vulnerability_detected / error_during_block / no_issues_found) so the
  stage-2 scanner's own log entries are self-explanatory too.
- Bump the minimum cx version floor to 2.3.55 and consolidate the fallback
  constant duplication introduced above down to one copy.
- Change the plugin's marketplace category to "security".
@cx-anurag-dalke cx-anurag-dalke added the workflows-approved StepSecurity Secret Exfiltration Prevention 2F approval mechanism label Jul 12, 2026
@cx-anurag-dalke cx-anurag-dalke requested a review from a team as a code owner July 12, 2026 12:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

workflows-approved StepSecurity Secret Exfiltration Prevention 2F approval mechanism

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants