Adding Authpolicy targetnotfound debug scenario #5

Open: R-Lawton wants to merge 1 commit into main from authpolicy-error

@R-Lawton R-Lawton commented Mar 27, 2026

Summary by CodeRabbit

  • New Features

    • Added an AuthPolicy debugging prompt that generates a step‑by‑step troubleshooting checklist.
    • Embedded a set of debugging resources accessible via internal debug URIs.
  • Documentation

    • New AuthPolicy debugging guide with diagnostics and remediation steps.
    • New status‑conditions reference documenting Accepted/Enforced semantics and debug workflows.
    • Removed the prior release workflow documentation.
  • Changes

    • Server version bumped to 2.0.0 and refocused on debugging workflows; manifest generation tools removed.


coderabbitai Bot commented Mar 27, 2026

📝 Walkthrough

The PR converts the MCP server from YAML manifest-generation tools to a debugging-focused service: it removes creation handlers and release documentation, embeds debugging markdown resources, adds debug prompts (notably debug-authpolicy), updates server registration calls, and bumps the MCP server version to 2.0.0.

Changes

| Cohort / File(s) | Summary |
|---|---|
| **Documentation & Release**: `RELEASE.md`, `docs/debugging/authpolicy.md`, `docs/debugging/status-conditions.md`, `docs/designs/2026-03-20-debugging-mcp-design.md` | Deleted release workflow (`RELEASE.md`); added detailed debugging guides for AuthPolicy and status conditions; reorganised design doc Use Cases to include debug workflows. |
| **Dependency Management**: `go.mod` | Removed direct `gopkg.in/yaml.v3` requirement and converted a multi-line `require (...)` block into an inline `require github.com/modelcontextprotocol/go-sdk v0.1.0`. |
| **Core Application Logic**: `main.go` | Removed manifest-generation handlers, parameter structs and YAML generation functions; replaced tool registrations with `addDebugPromptsSimple(server)` and `addDebugResources(server)`; updated server version to 2.0.0. |
| **Debug Prompts**: `prompts.go` | Added `prompts.go` registering `debug-authpolicy` prompt and handler that emits an AuthPolicy troubleshooting checklist as Markdown. |
| **Embedded Resources**: `resources.go` | Replaced HTTP fetch + caching + fallback logic with `//go:embed`-backed embedded markdown (`embed.FS`); added mapping `kuadrant://debug/...` → embedded files and a handler to serve them. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped from manifests into the mist,

Debug guides and prompts clutched in my fist,
Embedded pages snug and bright,
A server refreshed to version two tonight,
I twitch my nose — debugging feels just right.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title clearly identifies the primary change: adding AuthPolicy TargetNotFound debug scenario support, which aligns with the main modifications (new authpolicy.md debugging guide, updated prompts.go and resources.go for AuthPolicy debugging). |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 8

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/debugging/authpolicy.md`:
- Line 418: Update the dead kuadrant URI used in the docs: replace the outdated
"kuadrant://docs/authorino-features" reference with the new server-registered
scheme and path "kuadrant://debug/authorino-features" so the link resolves
correctly; search for any other occurrences of
"kuadrant://docs/authorino-features" and update them similarly to the
"kuadrant://debug/..." form to ensure all internal references use the new
scheme.
- Around line 116-130: Update the quick-answer and Step 1 text around the
TargetNotFound examples so they do not instruct users to send the "'was not
found'" case back to edits of targetRef.group; specifically, remove or rephrase
the default fix that suggests adding a missing group for the "'was not found'"
scenario and instead only suggest adding targetRef.group when the reference
shape is actually malformed, leaving the "'was not found'" branch to indicate
the resource itself is missing; change the examples and explanatory sentences in
the blocks referencing TargetNotFound, targetRef.group, and the
Gateway/HTTPRoute guidance (the sections around the TargetNotFound example at
the shown diff and the similar block at lines ~306-323) to ensure the missing
group is not presented as the default fix for the "'was not found'" message.
- Around line 187-226: Replace all explicit kubectl command examples in the
authpolicy.md sections that mention targetRef.kind, Gateway, and HTTPRoute
(including the other occurrence referenced) with equivalent MCP actions/prompts
that invoke the Kubernetes MCP server; remove the shell snippets that call
`kubectl get gateway` / `kubectl get httproute` and instead provide MCP request
templates to (1) query the target resource existence by name and namespace, (2)
verify namespace equality between AuthPolicy and targetRef, and (3) check
readiness by querying status.conditions for types "Programmed" (Gateway) and
"Accepted" (HTTPRoute); update the “Resource not found”, “wrong namespace”, and
readiness checks to show MCP action examples and expected responses rather than
kubectl commands.

In `@docs/debugging/status-conditions.md`:
- Around line 176-196: The TargetNotFound example currently tells readers to add
targetRef.group, which conflicts with the new AuthPolicy guidance; update the
Pattern 1 block (symbols: TargetNotFound, status.conditions, targetRef.group,
AuthPolicy) so the diagnosis and Fix YAML no longer instruct adding
targetRef.group but instead align with the AuthPolicy guidance—replace the Fix
snippet with a corrected example that references the appropriate
AuthPolicy-related fields (kind/name or the AuthPolicy-specific resolution
guidance) and update the message/diagnosis text to match that behavior.

In `@go.mod`:
- Line 7: The go.mod currently requires github.com/modelcontextprotocol/go-sdk
at v0.1.0 which is vulnerable; update the module requirement to
github.com/modelcontextprotocol/go-sdk v1.4.1 and then refresh dependencies
(e.g., run go get github.com/modelcontextprotocol/go-sdk@v1.4.1 and go mod tidy)
so the build uses the fixed release; ensure any code relying on API changes in
the SDK is adjusted (search for imports referencing
github.com/modelcontextprotocol/go-sdk) and run tests to verify nothing breaks.

In `@prompts.go`:
- Around line 10-37: The prompt renderer debugAuthPolicySimple currently ignores
the provided namespace and only injects policyName into the title, which can
cause ambiguity for duplicate AuthPolicy names; update debugAuthPolicySimple to
include the namespace parameter in the formatted string (e.g., include namespace
in the title and any references inside the body) so the rendered prompt shows
both policyName and namespace; ensure any other similar functions (the analogous
function around lines referenced, e.g., the second auth policy helper at 52-55)
are updated the same way to use the namespace parameter when composing the
prompt.

In `@resources.go`:
- Around line 23-75: The debugResourceMapping currently registers only
"kuadrant://debug/authpolicy" and "kuadrant://debug/status-conditions" but other
debug guides referenced elsewhere (e.g., "kuadrant://debug/gateway-istio",
"kuadrant://debug/dnspolicy", "kuadrant://debug/ratelimitpolicy",
"kuadrant://debug/tlspolicy", "kuadrant://debug/policy-conflicts") are still
commented out, causing broken resource links at runtime; update the
debugResourceMapping map to either (A) uncomment and fully populate the missing
entries for those keys with correct path/name/description so the referenced
guides resolve, or (B) remove references to those keys from the embedded guides
so only present keys in debugResourceMapping are linked, ensuring consistency
between debugResourceMapping and any code/content that looks up those resource
keys.
- Around line 12-13: The go:embed line and embeddedDocs variable are causing
build failures when docs/debugging/*.md is absent; remove the //go:embed
docs/debugging/*.md directive and the embeddedDocs embed.FS variable, and
replace direct uses of embeddedDocs with a runtime loader function (e.g.,
LoadDebugDocs or similar) that reads files from disk via os.ReadDir/os.ReadFile
under "docs/debugging" and returns the content (or an empty result) so builds no
longer fail when those files are missing; update any code that referenced
embeddedDocs to call this loader.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9879c860-6c32-49fb-8364-d3ad75a4eb66

📥 Commits

Reviewing files that changed from the base of the PR and between 1b95974 and 34c7f78.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (8)
  • RELEASE.md
  • docs/debugging/authpolicy.md
  • docs/debugging/status-conditions.md
  • docs/designs/2026-03-20-debugging-mcp-design.md
  • go.mod
  • main.go
  • prompts.go
  • resources.go
💤 Files with no reviewable changes (1)
  • RELEASE.md

Comment thread docs/debugging/authpolicy.md Outdated
Comment thread docs/debugging/authpolicy.md Outdated
Comment on lines +187 to +226
```
# If targetRef.kind is Gateway:
kubectl get gateway <targetRef.name> -n <authpolicy-namespace>

# If targetRef.kind is HTTPRoute:
kubectl get httproute <targetRef.name> -n <authpolicy-namespace>
```

**Possible outcomes:**

1. **Resource not found** (most common with TargetNotFound error)
```
Error from server (NotFound): gateways.gateway.networking.k8s.io "my-gateway" not found
```
**This is the problem!** The targetRef points to a resource that doesn't exist.

**Fixes:**
- Create the Gateway/HTTPRoute resource
- Fix the `name` in targetRef if it's a typo
- Check if target is in a different namespace (AuthPolicy and target MUST be in same namespace)

2. **Resource exists but in wrong namespace**
```bash
# Policy is in namespace 'apps'
# But Gateway is in namespace 'istio-system'
```
**Fix:** Move the AuthPolicy to the same namespace as the Gateway, OR use an HTTPRoute in the same namespace

3. **Resource exists and is ready** - Good! Move to next step

For **Gateway** targets - check it's ready:
```
kubectl get gateway <name> -n <namespace> -o jsonpath='{.status.conditions[?(@.type=="Programmed")].status}'
```
Should return "True"

For **HTTPRoute** targets - check it's ready:
```
kubectl get httproute <name> -n <namespace> -o jsonpath='{.status.conditions[?(@.type=="Accepted")].status}'
```
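
Review bot: Outcome 2 ("Resource exists but in wrong namespace") cannot be distinguished from outcome 1 with the lookups at the top of this hunk, because both are scoped to `-n <authpolicy-namespace>` and a target that lives in another namespace returns the same NotFound error. The block under outcome 2 holds only two comment lines and no check. Either fold outcome 2 into outcome 1, whose fix list already mentions a different namespace, or add a step that looks the target up across namespaces so the reader can confirm which case applies.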

⚠️ Potential issue | 🟠 Major

Replace the kubectl snippets with Kubernetes MCP actions.

This guide is shipped as MCP prompt/resource content, and the design explicitly says there should be no kubectl instructions. Leaving shell commands here will pull the model away from the companion Kubernetes MCP server.

Also applies to: 331-333

🧰 Tools
🪛 markdownlint-cli2 (0.22.0)

[warning] 187-187: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


[warning] 198-198: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


[warning] 218-218: Fenced code blocks should have a language specified

(MD040, fenced-code-language)


[warning] 224-224: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/debugging/authpolicy.md` around lines 187 - 226, Replace all explicit
kubectl command examples in the authpolicy.md sections that mention
targetRef.kind, Gateway, and HTTPRoute (including the other occurrence
referenced) with equivalent MCP actions/prompts that invoke the Kubernetes MCP
server; remove the shell snippets that call `kubectl get gateway` / `kubectl get
httproute` and instead provide MCP request templates to (1) query the target
resource existence by name and namespace, (2) verify namespace equality between
AuthPolicy and targetRef, and (3) check readiness by querying status.conditions
for types "Programmed" (Gateway) and "Accepted" (HTTPRoute); update the
“Resource not found”, “wrong namespace”, and readiness checks to show MCP action
examples and expected responses rather than kubectl commands.

Comment thread docs/debugging/authpolicy.md Outdated

## Troubleshooting Authorino Features

For detailed Authorino authentication/authorization features, see: `kuadrant://docs/authorino-features`

⚠️ Potential issue | 🟡 Minor

kuadrant://docs/authorino-features still uses a dead URI scheme.

The server now registers kuadrant://debug/... resources, so this reference will fail as written.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/debugging/authpolicy.md` at line 418, Update the dead kuadrant URI used
in the docs: replace the outdated "kuadrant://docs/authorino-features" reference
with the new server-registered scheme and path
"kuadrant://debug/authorino-features" so the link resolves correctly; search for
any other occurrences of "kuadrant://docs/authorino-features" and update them
similarly to the "kuadrant://debug/..." form to ensure all internal references
use the new scheme.

Comment on lines +176 to +196
### Pattern 1: TargetNotFound

```yaml
status:
conditions:
- type: Accepted
status: "False"
reason: TargetNotFound
message: "targetRef not found: Gateway.gateway.networking.k8s.io my-gateway not found"
```

**Diagnosis:** targetRef.group likely missing or target doesn't exist

**Fix:**
```yaml
spec:
targetRef:
group: gateway.networking.k8s.io # Add this
kind: Gateway
name: my-gateway
```

⚠️ Potential issue | 🟠 Major

Keep this TargetNotFound example aligned with the new AuthPolicy guidance.

This pattern treats the sample ... was not found message as a reason to add targetRef.group. That sends readers back to YAML edits for the exact missing-resource case this PR is trying to clarify.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/debugging/status-conditions.md` around lines 176 - 196, The
TargetNotFound example currently tells readers to add targetRef.group, which
conflicts with the new AuthPolicy guidance; update the Pattern 1 block (symbols:
TargetNotFound, status.conditions, targetRef.group, AuthPolicy) so the diagnosis
and Fix YAML no longer instruct adding targetRef.group but instead align with
the AuthPolicy guidance—replace the Fix snippet with a corrected example that
references the appropriate AuthPolicy-related fields (kind/name or the
AuthPolicy-specific resolution guidance) and update the message/diagnosis text
to match that behavior.

Comment thread go.mod
github.com/modelcontextprotocol/go-sdk v0.1.0
gopkg.in/yaml.v3 v3.0.1
)
require github.com/modelcontextprotocol/go-sdk v0.1.0

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

```bash
#!/bin/bash
set -euo pipefail

echo "Pinned version in go.mod:"
rg -n '^require\s+github\.com/modelcontextprotocol/go-sdk' go.mod

echo
echo "OSV advisories and fixed versions for v0.1.0:"
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"version":"0.1.0","package":{"name":"github.com/modelcontextprotocol/go-sdk","ecosystem":"Go"}}' \
| jq '{vulns: [.vulns[] | {id, aliases, summary, fixed: ([.affected[].ranges[]?.events[]?.fixed] | map(select(. != null)) | unique)}]}'
```

Repository: Kuadrant/kuadrant-mcp-server

Length of output: 1876

🏁 Script executed:

```bash
fd -e go -type f -name main.go
```

Repository: Kuadrant/kuadrant-mcp-server

Length of output: 242

🏁 Script executed:

```bash
fd main.go -type f
```

Repository: Kuadrant/kuadrant-mcp-server

Length of output: 242

🏁 Script executed:

```bash
find . -name main.go -type f
```

Repository: Kuadrant/kuadrant-mcp-server

Length of output: 81

🏁 Script executed:

```bash
wc -l main.go && head -100 main.go
```

Repository: Kuadrant/kuadrant-mcp-server

Length of output: 1582


Upgrade github.com/modelcontextprotocol/go-sdk from v0.1.0 before release.

v0.1.0 is flagged for multiple high-severity advisories affecting HTTP servers and JSON parsing. This binary exposes SSE and HTTP transports via the -transport flag, making these vulnerabilities directly exploitable. Upgrade to v1.4.1 to address all known advisories before cutting 2.0.0.

🧰 Tools
🪛 OSV Scanner (2.3.5)

[HIGH] 7-7: github.com/modelcontextprotocol/go-sdk 0.1.0: MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity in github.com/modelcontextprotocol/go-sdk

(GO-2026-4569)


[HIGH] 7-7: github.com/modelcontextprotocol/go-sdk 0.1.0: Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk

(GO-2026-4770)


[HIGH] 7-7: github.com/modelcontextprotocol/go-sdk 0.1.0: Cross-Site Tool Execution for HTTP Servers without Authorizatrion in github.com/modelcontextprotocol/go-sdk

(GO-2026-4773)


[HIGH] 7-7: github.com/modelcontextprotocol/go-sdk 0.1.0: Cross-Site Tool Execution for HTTP Servers without Authorizatrion in github.com/modelcontextprotocol/go-sdk

(GHSA-89xv-2j6f-qhc8)


[HIGH] 7-7: github.com/modelcontextprotocol/go-sdk 0.1.0: Improper handling of null Unicode character when parsing JSON in github.com/modelcontextprotocol/go-sdk

(GHSA-q382-vc8q-7jhj)


[HIGH] 7-7: github.com/modelcontextprotocol/go-sdk 0.1.0: MCP Go SDK Vulnerable to Improper Handling of Case Sensitivity

(GHSA-wvj2-96wp-fq3f)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 7, The go.mod currently requires
github.com/modelcontextprotocol/go-sdk at v0.1.0 which is vulnerable; update the
module requirement to github.com/modelcontextprotocol/go-sdk v1.4.1 and then
refresh dependencies (e.g., run go get
github.com/modelcontextprotocol/go-sdk@v1.4.1 and go mod tidy) so the build uses
the fixed release; ensure any code relying on API changes in the SDK is adjusted
(search for imports referencing github.com/modelcontextprotocol/go-sdk) and run
tests to verify nothing breaks.
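
A pin check that fails a build while `go.mod` still requires the SDK below the fixed release named in the review, as an added example (not code from this PR or from CodeRabbit). It parses both `require` forms that appear in the hunk; the sample `go.mod` text, the `example.com/mcp-server` module path and all function names are constructed for illustration, and `v1.4.1` is the floor the review comment gives.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed go.mod samples: the block form the PR removed and the inline form it added.
const blockForm = `module example.com/mcp-server

go 1.23

require (
	github.com/modelcontextprotocol/go-sdk v0.1.0
	gopkg.in/yaml.v3 v3.0.1
)
`

const inlineForm = `module example.com/mcp-server

go 1.23

require github.com/modelcontextprotocol/go-sdk v0.1.0
`

// parseRequires returns module -> version for inline and block require directives.
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 { // drop comments such as "// indirect"
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
			continue
		case inBlock && f[0] == ")":
			inBlock = false
		case inBlock && len(f) >= 2:
			reqs[f[0]] = f[1]
		case f[0] == "require" && len(f) == 2 && f[1] == "(":
			inBlock = true
		case f[0] == "require" && len(f) >= 3:
			reqs[f[1]] = f[2]
		}
	}
	return reqs
}

// parseVersion splits "v1.4.1" into numbers; pre is true for a pre-release or
// pseudo-version suffix (text after '-'), which sorts below the plain release.
func parseVersion(v string) (nums [3]int, pre bool, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.IndexByte(v, '+'); i >= 0 { // build metadata, e.g. +incompatible
		v = v[:i]
	}
	if i := strings.IndexByte(v, '-'); i >= 0 {
		v, pre = v[:i], true
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return nums, pre, fmt.Errorf("not a semantic version: %q", v)
	}
	for i, p := range parts {
		if nums[i], err = strconv.Atoi(p); err != nil {
			return nums, pre, err
		}
	}
	return nums, pre, nil
}

// CheckPin reports the required version of module and whether it is at or
// above floor. A module that is not required at all passes with version "".
func CheckPin(gomod, module, floor string) (version string, ok bool, err error) {
	version, found := parseRequires(gomod)[module]
	if !found {
		return "", true, nil
	}
	h, hPre, err := parseVersion(version)
	if err != nil {
		return version, false, err
	}
	m, mPre, err := parseVersion(floor)
	if err != nil {
		return version, false, err
	}
	for i := range h {
		if h[i] != m[i] {
			return version, h[i] > m[i], nil
		}
	}
	return version, !(hPre && !mPre), nil
}

func main() {
	const sdk = "github.com/modelcontextprotocol/go-sdk"
	for name, src := range map[string]string{"block": blockForm, "inline": inlineForm} {
		v, ok, err := CheckPin(src, sdk, "v1.4.1")
		fmt.Printf("%s form: %s pinned at %s, meets floor: %v, err: %v\n", name, sdk, v, ok, err)
	}
}
```
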

Comment thread prompts.go Outdated
Comment thread resources.go
Comment on lines +12 to +13
//go:embed docs/debugging/*.md
var embeddedDocs embed.FS

⚠️ Potential issue | 🔴 Critical

This go:embed pattern is currently a build blocker.

The Docker pipeline is already failing with pattern docs/debugging/*.md: no matching files found. Once this lands, the build context has to copy docs/debugging/*.md before go build, otherwise the binary cannot compile.

🧰 Tools
🪛 GitHub Actions: Docker Build and Publish

[error] 12-12: Go build failed: pattern docs/debugging/*.md: no matching files found

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@resources.go` around lines 12 - 13, The go:embed line and embeddedDocs
variable are causing build failures when docs/debugging/*.md is absent; remove
the //go:embed docs/debugging/*.md directive and the embeddedDocs embed.FS
variable, and replace direct uses of embeddedDocs with a runtime loader function
(e.g., LoadDebugDocs or similar) that reads files from disk via
os.ReadDir/os.ReadFile under "docs/debugging" and returns the content (or an
empty result) so builds no longer fail when those files are missing; update any
code that referenced embeddedDocs to call this loader.

Comment thread resources.go
Signed-off-by: R-Lawton <rlawton@redhat.com>

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (4)
docs/debugging/authpolicy.md (2)

9-13: ⚠️ Potential issue | 🟠 Major

Drive these checks through Kubernetes MCP, keyed off targetRef.kind.

The missing-target branch says the target may be a Gateway or HTTPRoute, but the concrete examples always query gateway with kubectl; the later enforcement/debug steps do the same with shell commands. That will mislead HTTPRoute cases and contradict the MCP-only workflow this resource is supposed to teach.

Also applies to: 26-30, 55-60, 89-93

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/debugging/authpolicy.md` around lines 9 - 13, Update the debugging doc
to drive existence checks via the MCP keyed by targetRef.kind instead of
hardcoding "Gateway": replace the literal kubectl examples that always query
gateway with logic/examples that use targetRef.kind (e.g., conditional kubectl
get Gateway ... vs kubectl get HTTPRoute ...) or, better, show the MCP-centric
query pattern that uses targetRef.kind to resolve the target; update the
"missing-target" branch text and the repeated sections (lines referenced around
26-30, 55-60, 89-93) so examples and enforcement/debug commands reference
targetRef.kind and cover both Gateway and HTTPRoute cases consistently.

124-128: ⚠️ Potential issue | 🟡 Minor

Two related-resource links are dead in the current resource map.

kuadrant://debug/policy-conflicts is not registered yet, and kuadrant://docs/authorino-features still uses the retired kuadrant://docs/... scheme. Please point these at registered resources or drop them for now.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/debugging/authpolicy.md` around lines 124 - 128, The two
related-resource entries "Policy Conflicts" and "Authorino Features" are
pointing to invalid schemes; update or remove them: replace
`kuadrant://debug/policy-conflicts` with a registered debug resource (or remove
the "Policy Conflicts" bullet) and change `kuadrant://docs/authorino-features`
to the current registered docs scheme (or remove the "Authorino Features"
bullet) so the Related Resources list contains only valid/registered kuadrant://
links.
docs/debugging/status-conditions.md (1)

176-196: ⚠️ Potential issue | 🟠 Major

Do not diagnose this fully-qualified TargetNotFound as a missing group.

The sample message already includes Gateway.gateway.networking.k8s.io, so the targetRef shape is present. Telling readers to add group here contradicts the new AuthPolicy guidance and diverts them from the actual missing-resource, name, or namespace checks.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/debugging/status-conditions.md` around lines 176 - 196, The diagnosis
and fix for the TargetNotFound pattern are incorrect: do not recommend adding a
targetRef.group when the status message already shows a fully-qualified
reference (Gateway.gateway.networking.k8s.io); instead update the doc to remove
the "Add this group" suggestion and instruct users to verify the actual resource
existence by checking the targetRef fields (name, namespace, kind) and cluster
resource availability for the referenced Gateway and any AuthPolicy
interactions; reference the status condition type Accepted, the reason
TargetNotFound, the targetRef object, and the fully qualified
Gateway.gateway.networking.k8s.io string when describing the correct checks to
perform.
go.mod (1)

7-7: ⚠️ Potential issue | 🔴 Critical

Do not ship 2.0.0 on go-sdk v0.1.0.

The pinned SDK is still carrying the high-severity advisories already reported on this PR, and main.go keeps both SSE and StreamableHTTP transports reachable. Please bump to a fixed release before cutting this major version.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 7, Update the pinned SDK in the require line (replace
github.com/modelcontextprotocol/go-sdk v0.1.0) to the patched release that fixes
the reported advisories (use the fixed semver >= the security patch), run go mod
tidy to update go.sum, and ensure you recompile to confirm the new version is
used; additionally check main.go and remove or guard the SSE and StreamableHTTP
transport code paths (the transport selection logic referencing SSE and
StreamableHTTP) so the vulnerable transports are not reachable with this release
cut.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/debugging/status-conditions.md`:
- Around line 275-280: The Related Resources list contains URIs that the server
doesn't expose; update docs to match the actual debugResourceMapping by either
removing the dead links (`kuadrant://debug/ratelimitpolicy`,
`kuadrant://debug/dnspolicy`, `kuadrant://debug/tlspolicy`,
`kuadrant://debug/policy-conflicts`) or register those debug endpoints in the
debugResourceMapping so they resolve; locate references to debugResourceMapping
and the current working URIs (`kuadrant://debug/authpolicy`,
`kuadrant://debug/status-conditions`) and ensure the docs only list URIs that
are actually registered by the server.

In `@main.go`:
- Around line 25-26: The prompt registered via addDebugPromptsSimple currently
instructs clients to run kubectl commands; update the implementation so it no
longer embeds any `kubectl get ...` or `kubectl get pods ...` text and instead
describes or invokes the equivalent Kubernetes MCP actions (e.g., use the MCP
action names and parameters your platform exposes for listing resources and
pods). Locate addDebugPromptsSimple and replace the raw command examples in the
prompt text with references to the Kubernetes MCP action names and their
required parameters (or a brief instruction to use the MCP action) so the server
surface exposes only MCP-based instructions to clients.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ec80e144-fe12-4f65-a38b-3e419b5ab945

📥 Commits

Reviewing files that changed from the base of the PR and between 34c7f78 and 25bad49.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (8)
  • RELEASE.md
  • docs/debugging/authpolicy.md
  • docs/debugging/status-conditions.md
  • docs/designs/2026-03-20-debugging-mcp-design.md
  • go.mod
  • main.go
  • prompts.go
  • resources.go
💤 Files with no reviewable changes (1)
  • RELEASE.md
✅ Files skipped from review due to trivial changes (2)
  • prompts.go
  • resources.go

Comment on lines +275 to +280
## Related Resources

- AuthPolicy Debugging: `kuadrant://debug/authpolicy`
- RateLimitPolicy Debugging: `kuadrant://debug/ratelimitpolicy`
- DNSPolicy Debugging: `kuadrant://debug/dnspolicy`
- TLSPolicy Debugging: `kuadrant://debug/tlspolicy`

⚠️ Potential issue | 🟡 Minor

Most of these related-resource URIs do not resolve in the current server.

debugResourceMapping currently exposes kuadrant://debug/authpolicy and kuadrant://debug/status-conditions only, so the DNS/RateLimit/TLS/policy-conflicts links here will be dead when this page is served. Either register them first or remove them from this list for now.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@docs/debugging/status-conditions.md` around lines 275 - 280, The Related
Resources list contains URIs that the server doesn't expose; update docs to
match the actual debugResourceMapping by either removing the dead links
(`kuadrant://debug/ratelimitpolicy`, `kuadrant://debug/dnspolicy`,
`kuadrant://debug/tlspolicy`, `kuadrant://debug/policy-conflicts`) or register
those debug endpoints in the debugResourceMapping so they resolve; locate
references to debugResourceMapping and the current working URIs
(`kuadrant://debug/authpolicy`, `kuadrant://debug/status-conditions`) and ensure
the docs only list URIs that are actually registered by the server.
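
The consistency rule this comment asks for (guides may only link to URIs the server registers) can be enforced as a unit test, shown here as an added example that is not code from this PR. The registered set holds the two URIs the review says `debugResourceMapping` exposes, the sample documents are constructed from the lines quoted in this thread, and `FindDeadLinks` and the other names are hypothetical.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// DeadLink is one kuadrant:// reference that a client could not resolve.
type DeadLink struct {
	File   string
	Line   int
	URI    string
	Reason string
}

const (
	reasonRetired      = "retired kuadrant://docs/ scheme"
	reasonUnregistered = "not registered by the server"
)

// registeredURIs mirrors the two URIs the review says are exposed today.
// In the real server this set would be built from the mapping's keys.
var registeredURIs = map[string]bool{
	"kuadrant://debug/authpolicy":        true,
	"kuadrant://debug/status-conditions": true,
}

// sampleDocs is constructed from lines quoted in the review, not the full guides.
var sampleDocs = map[string]string{
	"docs/debugging/status-conditions.md": "## Related Resources\n\n" +
		"- AuthPolicy Debugging: `kuadrant://debug/authpolicy`\n" +
		"- RateLimitPolicy Debugging: `kuadrant://debug/ratelimitpolicy`\n" +
		"- DNSPolicy Debugging: `kuadrant://debug/dnspolicy`\n" +
		"- TLSPolicy Debugging: `kuadrant://debug/tlspolicy`\n",
	"docs/debugging/authpolicy.md": "## Troubleshooting Authorino Features\n\n" +
		"For detailed Authorino authentication/authorization features, see: `kuadrant://docs/authorino-features`\n",
}

// uriPattern matches concrete resource URIs. The literal "kuadrant://debug/..."
// used in prose does not match because "..." is outside the character class.
var uriPattern = regexp.MustCompile(`kuadrant://[a-z0-9-]+/[a-z0-9-]+`)

// FindDeadLinks scans every document for kuadrant:// URIs and returns the ones
// absent from registered, ordered by file name and then line number.
func FindDeadLinks(docs map[string]string, registered map[string]bool) []DeadLink {
	files := make([]string, 0, len(docs))
	for name := range docs {
		files = append(files, name)
	}
	sort.Strings(files)

	var dead []DeadLink
	for _, name := range files {
		for i, line := range strings.Split(docs[name], "\n") {
			for _, uri := range uriPattern.FindAllString(line, -1) {
				if registered[uri] {
					continue
				}
				reason := reasonUnregistered
				if strings.HasPrefix(uri, "kuadrant://docs/") {
					reason = reasonRetired
				}
				dead = append(dead, DeadLink{File: name, Line: i + 1, URI: uri, Reason: reason})
			}
		}
	}
	return dead
}

func main() {
	for _, d := range FindDeadLinks(sampleDocs, registeredURIs) {
		fmt.Printf("%s:%d: %s (%s)\n", d.File, d.Line, d.URI, d.Reason)
	}
}
```
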

Comment thread main.go
Comment on lines +25 to +26
// Add debugging prompts (replaces tools)
addDebugPromptsSimple(server)

⚠️ Potential issue | 🟠 Major

Do not register a prompt that still tells clients to run kubectl.

addDebugPromptsSimple currently embeds kubectl get ... / kubectl get pods ... instructions in the prompt text. Since this call makes that prompt part of the 2.0.0 server surface, please switch it to Kubernetes MCP actions before shipping.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@main.go` around lines 25 - 26, The prompt registered via
addDebugPromptsSimple currently instructs clients to run kubectl commands;
update the implementation so it no longer embeds any `kubectl get ...` or
`kubectl get pods ...` text and instead describes or invokes the equivalent
Kubernetes MCP actions (e.g., use the MCP action names and parameters your
platform exposes for listing resources and pods). Locate addDebugPromptsSimple
and replace the raw command examples in the prompt text with references to the
Kubernetes MCP action names and their required parameters (or a brief
instruction to use the MCP action) so the server surface exposes only MCP-based
instructions to clients.

The Gateway or HTTPRoute **does not exist in the cluster**. The targetRef YAML is correct - don't modify it.

**What to do:**
1. Run: `kubectl get gateway <target-name> -n <namespace>`
Contributor

hmm why run kubectl rather than using the kube mcp server?

Author

no real reason tbh, mainly because of the poc nature; wanted to see if there were different outcomes with using kubectl vs the k8s mcp server. I used the mcp server in the simple prompt I had to semi hardcode for the model I was using in the console plugin.

Author

actually, question: do we plan on building upon this code or is this pure POC throw away? "i" (claude) was writing this as if it's just to show it's possible and the quality of code being not the greatest
