Scope temporary resources to the creating account by zmofei · Pull Request #205 · mapbox/mcp-server

zmofei · 2026-06-10T13:11:45Z

Summary

Temporary resources (mapbox://temp/...) created from large tool responses are now scoped to the account that created them, enforced on read.

TemporaryResource records the creating account (Mapbox username); temporaryResourceManager.create() accepts an owner.
The directions, isochrone, and static_map_image tools pass the caller's account when storing a temporary resource.
TemporaryDataResource.read resolves the requester the same way tools resolve their token (request auth, then the env token for stdio/single-user) and only returns the resource to the same account; otherwise it returns the standard not-found response — identical to a missing/expired resource.
Adds test/resources/temporary/TemporaryDataResource.test.ts (same-account read, cross-account denial, no-existence-oracle, env-token fallback, image blobs).

npm test — full suite green (incl. the new file)
npm run build, npm run lint
End-to-end: a real directions_tool call creating a temp resource is readable by the creating account and returns not-found to a different account.

zmofei force-pushed the temp-resource-account-binding branch 3 times, most recently from 5cd503f to 79e2e49 Compare June 10, 2026 15:32

fix: scope temporary resources to the creating account

5aeab6f

zmofei force-pushed the temp-resource-account-binding branch from 79e2e49 to 5aeab6f Compare June 10, 2026 15:42

zmofei marked this pull request as ready for review June 10, 2026 15:43

zmofei requested a review from a team as a code owner June 10, 2026 15:43

jussi-sa approved these changes Jun 10, 2026

View reviewed changes

chore: re-trigger CI

6dfa28c

zmofei merged commit fc1056d into main Jun 10, 2026
5 checks passed