cx-devassist: guard the MCP bridge spawn against unfit cx builds#7
Open
cx-anurag-dalke wants to merge 6 commits into
Open
cx-devassist: guard the MCP bridge spawn against unfit cx builds#7cx-anurag-dalke wants to merge 6 commits into
cx-anurag-dalke wants to merge 6 commits into
Conversation
Signed-off-by: Rakesh Kadu <141014001+cx-rakesh-kadu@users.noreply.github.com>
Signed-off-by: Rakesh Kadu <141014001+cx-rakesh-kadu@users.noreply.github.com>
The Checkmarx MCP server is spawned by Claude Code (cx_run.sh mcp bridge) entirely outside the PreToolUse hook system, so an old or capability- incomplete cx would die on the unsupported `mcp bridge` subcommand mid JSON-RPC handshake -- surfaced as a generic, undiagnosable "-32000 failed to reconnect" with no indication it was a version problem. - Add scripts/cx-mcp-guard.sh: a shared version+capability decision for `cx mcp bridge`, sourced by both cx_run.sh (before spawning the MCP bridge) and cx-bootstrap.sh's verify() (after placing a fresh download), so the two no longer carry independently drifting copies of the same check. - cx_run.sh now refuses to exec an unfit binary instead of corrupting the stdio transport, and logs every connect/reconnect attempt (success or denial) to cx-devassist.jsonl via a new mcp_connect event in cx_log.py, with an exact, human-readable reason. - Track which resolution tier (CX_BINARY / canonical store / PATH) supplied an unfit binary, since a CX_BINARY pin does not self-heal from the suggested upgrade bootstrap (it only ever writes the canonical store) -- the deny/log messages now say so explicitly. - Close a related gap in the upgrade doc flow: it could finish without ever telling the developer to /reload-plugins + /mcp, leaving the MCP bridge silently running the old binary after an otherwise-successful upgrade. - Replace scan_decision's raw exit_code with a reason_code (vulnerability_detected / error_during_block / no_issues_found) so the stage-2 scanner's own log entries are self-explanatory too. - Bump the minimum cx version floor to 2.3.55 and consolidate the fallback constant duplication introduced above down to one copy. - Change the plugin's marketplace category to "security".
cx-rakesh-kadu
approved these changes
Jul 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Updated asset for Claude Code CLI Plugin