Add a way to validate that MCP tool descriptions

geoand · geoand · commit 882fc50df138 · 2025-04-02T16:20:28.000+03:00
This is done by utilizing an LLM to detect whether the
tool description is malicious and could lead to
a Tool Poisoning Attack (TPA)
diff --git a/mcp/deployment/src/main/java/io/quarkiverse/langchain4j/mcp/deployment/McpProcessor.java b/mcp/deployment/src/main/java/io/quarkiverse/langchain4j/mcp/deployment/McpProcessor.java
@@ -10,9 +10,13 @@
 import org.jboss.jandex.AnnotationInstance;
 import org.jboss.jandex.ClassType;
 import org.jboss.jandex.DotName;
+import org.jboss.jandex.ParameterizedType;
+import org.jboss.jandex.Type;
 
 import dev.langchain4j.mcp.client.McpClient;
+import dev.langchain4j.model.chat.ChatLanguageModel;
 import dev.langchain4j.service.tool.ToolProvider;
+import io.quarkiverse.langchain4j.deployment.DotNames;
 import io.quarkiverse.langchain4j.mcp.runtime.McpClientName;
 import io.quarkiverse.langchain4j.mcp.runtime.McpRecorder;
 import io.quarkiverse.langchain4j.mcp.runtime.config.McpBuildTimeConfiguration;
@@ -48,12 +52,14 @@ public void registerMcpClients(McpBuildTimeConfiguration mcpBuildTimeConfigurati
                 beanProducer.produce(SyntheticBeanBuildItem
                         .configure(MCP_CLIENT)
                         .addQualifier(qualifier)
+                        .addInjectionPoint(ParameterizedType.create(DotNames.CDI_INSTANCE,
+                                new Type[] { ClassType.create(ChatLanguageModel.class) }, null))
                         .setRuntimeInit()
                         .defaultBean()
                         .unremovable()
                         // TODO: should we allow other scopes?
                         .scope(ApplicationScoped.class)
-                        .supplier(
+                        .createWith(
                                 recorder.mcpClientSupplier(client.getKey(), mcpBuildTimeConfiguration, mcpRuntimeConfiguration))
                         .done());
             }
diff --git a/mcp/runtime/src/main/java/io/quarkiverse/langchain4j/mcp/runtime/McpRecorder.java b/mcp/runtime/src/main/java/io/quarkiverse/langchain4j/mcp/runtime/McpRecorder.java
@@ -4,7 +4,6 @@
 import java.util.List;
 import java.util.Set;
 import java.util.function.Function;
-import java.util.function.Supplier;
 
 import dev.langchain4j.mcp.McpToolProvider;
 import dev.langchain4j.mcp.client.DefaultMcpClient;
@@ -24,42 +23,40 @@
 @Recorder
 public class McpRecorder {
 
-    public Supplier<McpClient> mcpClientSupplier(String key, McpBuildTimeConfiguration buildTimeConfiguration,
+    public Function<SyntheticCreationalContext<McpClient>, McpClient> mcpClientSupplier(String clientName,
+            McpBuildTimeConfiguration buildTimeConfiguration,
             McpRuntimeConfiguration mcpRuntimeConfiguration) {
-        return new Supplier<McpClient>() {
+        return new Function<>() {
             @Override
-            public McpClient get() {
-                McpTransport transport = null;
-                McpClientBuildTimeConfig buildTimeConfig = buildTimeConfiguration.clients().get(key);
-                McpClientRuntimeConfig runtimeConfig = mcpRuntimeConfiguration.clients().get(key);
-                switch (buildTimeConfig.transportType()) {
-                    case STDIO:
+            public McpClient apply(SyntheticCreationalContext<McpClient> context) {
+                McpTransport transport;
+                McpClientBuildTimeConfig buildTimeConfig = buildTimeConfiguration.clients().get(clientName);
+                McpClientRuntimeConfig runtimeConfig = mcpRuntimeConfiguration.clients().get(clientName);
+                transport = switch (buildTimeConfig.transportType()) {
+                    case STDIO -> {
                         List<String> command = runtimeConfig.command().orElseThrow(() -> new ConfigurationException(
-                                "MCP client configuration named " + key + " is missing the 'command' property"));
-                        transport = new StdioMcpTransport.Builder()
+                                "MCP client configuration named " + clientName + " is missing the 'command' property"));
+                        yield new StdioMcpTransport.Builder()
                                 .command(command)
                                 .logEvents(runtimeConfig.logResponses().orElse(false))
                                 .environment(runtimeConfig.environment())
                                 .build();
-                        break;
-                    case HTTP:
-                        transport = new QuarkusHttpMcpTransport.Builder()
-                                .sseUrl(runtimeConfig.url().orElseThrow(() -> new ConfigurationException(
-                                        "MCP client configuration named " + key + " is missing the 'url' property")))
-                                .logRequests(runtimeConfig.logRequests().orElse(false))
-                                .logResponses(runtimeConfig.logResponses().orElse(false))
-                                .build();
-                        break;
-                    default:
-                        throw new IllegalArgumentException("Unknown transport type: " + buildTimeConfig.transportType());
-                }
-                return new DefaultMcpClient.Builder()
+                    }
+                    case HTTP -> new QuarkusHttpMcpTransport.Builder()
+                            .sseUrl(runtimeConfig.url().orElseThrow(() -> new ConfigurationException(
+                                    "MCP client configuration named " + clientName + " is missing the 'url' property")))
+                            .logRequests(runtimeConfig.logRequests().orElse(false))
+                            .logResponses(runtimeConfig.logResponses().orElse(false))
+                            .build();
+                };
+                var result = new DefaultMcpClient.Builder()
                         .transport(transport)
                         .toolExecutionTimeout(runtimeConfig.toolExecutionTimeout())
                         .resourcesTimeout(runtimeConfig.resourcesTimeout())
                         // TODO: it should be possible to choose a log handler class via configuration
-                        .logHandler(new QuarkusDefaultMcpLogHandler(key))
+                        .logHandler(new QuarkusDefaultMcpLogHandler(clientName))
                         .build();
+                return result;
             }
         };
     }
diff --git a/mcp/runtime/src/main/java/io/quarkiverse/langchain4j/mcp/runtime/config/McpClientRuntimeConfig.java b/mcp/runtime/src/main/java/io/quarkiverse/langchain4j/mcp/runtime/config/McpClientRuntimeConfig.java
@@ -58,4 +58,10 @@ public interface McpClientRuntimeConfig {
     @WithDefault("60s")
     Duration resourcesTimeout();
 
+    /**
+     * The named model to use in order to judge whether the descriptions of the tools provided by the MCP server
+     * are malicious. If they are, a warning will be printed and the tool will never be used.
+     */
+    Optional<String> guardrailModelName();
+
 }
