feat(mcp): add safeguards and rate limiting #610

@joshrotenberg

Summary

Add safeguards to protect against unintended consequences when AI agents use the MCP server to manage Redis infrastructure.

Current Safeguards

  • --read-only mode blocks write operations
  • Credential masking in profile tool outputs

Proposed Safeguards

Priority 1: Rate Limiting / Request Quotas

  • Add configurable request quotas (e.g., max 100 requests/minute)
  • Add per-tool rate limits for expensive operations
  • Leverage tower-mcp middleware for implementation
  • CLI flags: --max-requests-per-minute, --quota-window

Priority 2: Tool Filtering

This extends the current --read-only concept to more granular control:

  • Allow disabling specific tools via config or CLI
  • Example: --disable-tools=profile_delete,profile_set_*
  • Or allowlist mode: --allow-tools=profile_list,profile_show
  • Separate read-only flags per service: --cloud-read-only, --enterprise-read-only
  • Filter by operation type: --allow-operations=read,list vs create,update,delete

Note: When we add write tools (database creation, updates, deletions), tool filtering becomes critical. The --read-only flag already demonstrates this pattern - we just need to extend it.

Priority 3: Destructive Operation Guards

  • Add confirmation requirements for destructive operations
  • Consider --require-confirmation flag for delete operations
  • Return warning messages before executing destructive actions

Priority 4: Audit Logging

  • Log all tool invocations with timestamps
  • Include: tool name, input parameters (masked), result status
  • Configurable log destination: stderr, file, or structured JSON
  • CLI flag: --audit-log=/path/to/audit.jsonl

Priority 5: Scope Limiting

  • Restrict operations to specific profiles
  • Restrict to specific subscriptions/databases
  • Example: --allowed-profiles=prod,staging

Priority 6: Cost Awareness

  • Add cost warnings for operations that incur charges
  • Future: integrate with cost-report for budget checks
  • Mark tools with has_cost_implications metadata

Priority 7: Dry-Run Mode

  • --dry-run flag to preview changes without executing
  • Return what would happen without side effects
  • Useful for testing and validation

Implementation Notes

  • tower-mcp provides middleware layers for rate limiting
  • Could use tower's RateLimitLayer and ConcurrencyLimitLayer
  • Tool filtering could be done at router construction time using tower-mcp's filtering APIs
  • Audit logging fits naturally as middleware
  • The existing --read-only implementation in AppState is a good pattern to extend
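One way to express the tool-filtering and read-only rules proposed above as a single policy check, as an added example that is not the project's code: `ToolPolicy`, `Operation`, the deny-before-allow ordering and the trailing-`*` pattern rule are assumptions, and it uses only the standard library rather than tower-mcp's filtering APIs.

```rust
// Added example: a policy that combines --read-only, --allow-tools and
// --disable-tools into one check run before a tool is dispatched.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Operation { Read, List, Create, Update, Delete }

impl Operation {
    pub fn is_write(self) -> bool {
        matches!(self, Operation::Create | Operation::Update | Operation::Delete)
    }
}

/// Match a tool name against a flag pattern. Assumption: only a trailing `*`
/// wildcard is supported (enough for `profile_set_*`); otherwise exact match.
pub fn pattern_matches(pattern: &str, name: &str) -> bool {
    match pattern.strip_suffix('*') {
        Some(prefix) => name.starts_with(prefix),
        None => pattern == name,
    }
}

#[derive(Debug, Default)]
pub struct ToolPolicy {
    pub read_only: bool,
    pub allow: Option<Vec<String>>, // None means no allowlist configured
    pub deny: Vec<String>,
}

impl ToolPolicy {
    /// Parse a comma-separated flag value such as `profile_delete,profile_set_*`.
    pub fn parse_list(value: &str) -> Vec<String> {
        value.split(',').map(str::trim).filter(|s| !s.is_empty()).map(String::from).collect()
    }

    /// Deny always wins; an allowlist, when present, must match; read-only blocks writes.
    pub fn permits(&self, tool: &str, op: Operation) -> Result<(), String> {
        if self.deny.iter().any(|p| pattern_matches(p, tool)) {
            return Err(format!("tool '{tool}' is disabled by --disable-tools"));
        }
        if let Some(allow) = &self.allow {
            if !allow.iter().any(|p| pattern_matches(p, tool)) {
                return Err(format!("tool '{tool}' is not in --allow-tools"));
            }
        }
        if self.read_only && op.is_write() {
            return Err(format!("tool '{tool}' is a {op:?} operation but the server is --read-only"));
        }
        Ok(())
    }
}
```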

Labels: enhancement (New feature or request), mcp (Related to the MCP server)
