From 9e972cf20c85797e45a7f0dc8ae47656386cdc13 Mon Sep 17 00:00:00 2001
From: Omar Abdelwahab
Date: Fri, 7 Nov 2025 14:05:48 -0800
Subject: [PATCH] docs: clarify security mechanism comments in get_headers_from_request

Based on user feedback, improved comments to distinguish between the two security layers: 1. PRIMARY: Line 89 - Architectural prevention - get_request_provider_data() only reads from request body - Never accesses HTTP Authorization header - This is what actually prevents inference token leakage 2. SECONDARY: Lines 97-104 - Validation prevention - Rejects Authorization in mcp_headers dict - Enforces using dedicated mcp_authorization field - Prevents users from misusing the API Previous comment was misleading by suggesting the validation prevented inference token leakage, when the architecture already ensures that isolation.
---
 .../model_context_protocol/model_context_protocol.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/llama_stack/providers/remote/tool_runtime/model_context_protocol/model_context_protocol.py b/src/llama_stack/providers/remote/tool_runtime/model_context_protocol/model_context_protocol.py
index b844e445e..506aadf82 100644
--- a/src/llama_stack/providers/remote/tool_runtime/model_context_protocol/model_context_protocol.py
+++ b/src/llama_stack/providers/remote/tool_runtime/model_context_protocol/model_context_protocol.py
@@ -86,6 +86,9 @@ class ModelContextProtocolToolRuntimeImpl(ToolGroupsProtocolPrivate, ToolRuntime
 headers = {}
 authorization = None
+ # PRIMARY SECURITY: This line prevents inference token leakage # provider_data only contains X-LlamaStack-Provider-Data (request body), # never the HTTP Authorization header (which contains the inference token)
 provider_data = self.get_request_provider_data()
 if provider_data:
 # Extract headers (excluding Authorization)
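Review bot: The added `# PRIMARY SECURITY: This line prevents inference token leakage` comment attributes the guarantee to a plain call site, but nothing on that line enforces it — the isolation lives inside `get_request_provider_data()`, which is defined outside this hunk, so the comment should name the helper and the invariant it must keep rather than claim the call itself is the control. `X-LlamaStack-Provider-Data` also reads like an HTTP header name, so the `(request body)` parenthetical may be inaccurate and is worth confirming against the helper before it is documented as fact. Suggested wording: `# Security boundary: get_request_provider_data() exposes only the X-LlamaStack-Provider-Data payload and never the HTTP Authorization header that carries the inference token; any change to that helper must preserve this invariant (ideally pinned by a test).` The same applies to the next hunk, whose `# Note: Inference tokens are already isolated by line 89` comment pins a line number that will drift on the next edit — reference the helper by name instead. The enclosing method begins before this hunk and its last context line appears to have been lost in the collapsed rendering.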
@@ -95,7 +98,8 @@ class ModelContextProtocolToolRuntimeImpl(ToolGroupsProtocolPrivate, ToolRuntime
 continue
 # Security check: reject Authorization header in mcp_headers
- # This prevents accidentally passing inference tokens to MCP servers
+ # This enforces using the dedicated mcp_authorization field for auth tokens
+ # Note: Inference tokens are already isolated by line 89 (provider_data only contains request body)
 for key in values.keys():
 if key.lower() == "authorization":
 raise ValueError(