This repository was archived by the owner on Apr 21, 2026. It is now read-only.

Add anonymous sandbox for unauthenticated MCP requests #44

Merged: haasonsaas merged 2 commits into main from codex/agent-mcp-anonymous-sandbox on Apr 15, 2026
Conversation

@haasonsaas (Contributor)

Summary

  • allow unauthenticated MCP requests to enter a short-lived anonymous sandbox session
  • return structured step-up auth guidance for gated tools while keeping evalops_check_action available in dry-run mode
  • expose public/default MCP resources for anonymous sessions and enforce in-memory anonymous rate limits

Testing

  • go test ./internal/agentmcp ./internal/http -count=1
  • go test ./... -count=1
  • GOTOOLCHAIN=go1.26.0 go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@latest run ./...

@cursor (Bot) commented Apr 15, 2026

PR Summary

High Risk
Introduces a new unauthenticated execution path (anonymous sessions) and modifies MCP auth middleware/session handling, which is security-sensitive and could inadvertently broaden access if misconfigured. Rate limiting is in-memory and IP-derived, so behavior differs behind proxies/replicas and may be bypassed or overly restrictive.

Overview
Unauthenticated POST /mcp requests now enter a short-lived anonymous sandbox session instead of always returning 401, with an in-memory per-IP rate limit and automatic creation/rehydration of SessionTypeAnonymous sessions.

Tool behavior is gated for anonymous sessions: write/identity-affecting tools (e.g., evalops_register, evalops_heartbeat, evalops_deregister, API key management, approvals, metering) return a structured authentication_required error including step-up options, while evalops_check_action remains available but returns an allow dry-run response with heuristic risk_level and upgrade guidance.

MCP resources now surface anonymous-aware payloads (e.g., evalops://agent/status, habits, operating rules), and shutdown cleanup skips deregistering anonymous sessions. Dependencies were updated (notably service-runtime to v0.1.48) to support the new wiring.

Reviewed by Cursor Bugbot for commit 9d9fb73. Bugbot is set up for automated code reviews on this repo.

@socket-security (Bot)

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Updated github.com/evalops/service-runtime@v0.1.45-0.20260415082800-4de81511447f ⏵ v0.1.48
Scores: Supply Chain Security 83 (-2) | Vulnerability 100 | Quality 100 | Maintenance 100 | License 90

@haasonsaas haasonsaas marked this pull request as ready for review April 15, 2026 18:26
@haasonsaas haasonsaas merged commit 86bb29b into main Apr 15, 2026
7 checks passed
@haasonsaas haasonsaas deleted the codex/agent-mcp-anonymous-sandbox branch April 15, 2026 18:26

@cursor (Bot) left a comment


Cursor Bugbot has reviewed your changes and found 3 potential issues.


Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.


Comment thread: internal/http/mcp_auth.go
default:
return ""
}
}

Duplicated inferFederationProvider diverges between middleware and handler

High Severity

inferFederationProvider is duplicated across mcp_auth.go and tools_lifecycle.go with divergent logic. The middleware version matches both "claude" and "anthropic" for the anthropic provider, but the handler version only matches "claude". For agentType = "anthropic" with multiple federation providers, hasConfiguredFederationCredential returns true (bypassing anonymous session creation), but the handler's configuredFederationCredential fails to resolve a provider, resulting in a "missing user token" error. configuredFederationProviders is similarly duplicated with different strings.TrimSpace semantics.


Comment thread: internal/http/mcp_auth.go
entry.minuteCount++
entry.hourCount++
return true
}

Anonymous rate limiter entries never evicted, unbounded growth

Medium Severity

The anonymousAccessLimiter map (entries) grows without bound because entries are never removed. Window counters reset on new time windows, but the map keys (one per unique client IP) accumulate indefinitely. In production, this is an unbounded memory leak proportional to the number of distinct client addresses seen over the process lifetime.

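A bounded variant of the per-IP limiter this finding describes, as an added example that is not the project's anonymousAccessLimiter (the names anonLimiter, anonEntry and the one-minute window are illustrative): keys whose window has expired are swept on the next call, so the map tracks clients active in the last minute rather than every address ever seen.

```go
package main

import (
	"sync"
	"time"
)

// anonLimiter is an illustrative per-client limiter (not the project's
// anonymousAccessLimiter). Each key gets a fixed one-minute window; a sweep run
// at most once per minute deletes keys whose window has expired, so the map is
// bounded by clients active in the last minute rather than every client ever seen.
type anonLimiter struct {
	mu        sync.Mutex
	perMinute int
	now       func() time.Time // injectable clock so tests can advance time
	entries   map[string]*anonEntry
	lastSweep time.Time
}
type anonEntry struct {
	windowStart time.Time
	count       int
}
func newAnonLimiter(perMinute int, now func() time.Time) *anonLimiter {
	return &anonLimiter{perMinute: perMinute, now: now, entries: map[string]*anonEntry{}, lastSweep: now()}
}

// Allow records one request for key and reports whether it is within the limit.
func (l *anonLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	t := l.now()
	if t.Sub(l.lastSweep) >= time.Minute {
		for k, e := range l.entries {
			if t.Sub(e.windowStart) >= time.Minute { // expired: cannot affect any future decision
				delete(l.entries, k)
			}
		}
		l.lastSweep = t
	}
	e, ok := l.entries[key]
	if !ok || t.Sub(e.windowStart) >= time.Minute {
		e = &anonEntry{windowStart: t}
		l.entries[key] = e
	}
	if e.count >= l.perMinute {
		return false
	}
	e.count++
	return true
}
```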

Comment thread: internal/http/mcp_auth.go
return host
}
return strings.TrimSpace(r.RemoteAddr)
}

Rate limit keyed on spoofable X-Forwarded-For header

Medium Severity

clientAddress trusts the X-Forwarded-For header directly, which clients can trivially spoof. An anonymous user can bypass the per-IP rate limit entirely by rotating this header value on each request, defeating the anonymous sandbox rate limiting protection.

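An added example (not the project's clientAddress) of deriving the rate-limit key so that X-Forwarded-For is consulted only when the TCP peer is a configured reverse proxy; the trusted-proxy CIDR list, the function name clientAddressFromTrusted and the helper ipInAny are assumptions.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// clientAddressFromTrusted is an illustrative replacement for the project's
// clientAddress (not its code). X-Forwarded-For is honoured only when the TCP
// peer is a configured reverse proxy; a direct client can set the header to
// anything, so for it the header is ignored and the peer address is used.
func clientAddressFromTrusted(r *http.Request, trustedProxies []*net.IPNet) string {
	peer := strings.TrimSpace(r.RemoteAddr)
	if host, _, err := net.SplitHostPort(peer); err == nil {
		peer = host
	}
	peerIP := net.ParseIP(peer)
	if peerIP == nil || !ipInAny(peerIP, trustedProxies) {
		return peer
	}
	// Walk the chain from the right: hops appended by trusted proxies are
	// skipped, and the first untrusted hop is the client as the proxy saw it.
	// Anything left of that was supplied by the client and is never consulted.
	hops := strings.Split(r.Header.Get("X-Forwarded-For"), ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			break // malformed or empty chain: fall back to the proxy's address
		}
		if !ipInAny(ip, trustedProxies) {
			return ip.String()
		}
	}
	return peer
}

// ipInAny reports whether ip falls inside any of the given networks.
func ipInAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}
```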
