security: restrict set_config_value to known configuration keys (#353)

Add an allowlist of keys that can be set via the set_config_value
MCP tool. Previously, any key could be set — including internal
keys like clientId, usageStats, and abTest_* flags — because the
ServerConfig interface uses `[key: string]: any`.

This prevents a prompt injection or malicious MCP client from
tampering with internal state. Internal keys are still writable
by the server itself via configManager.setValue() directly; only
the client-facing tool handler is restricted.

Allowed keys: blockedCommands, allowedDirectories, defaultShell,
telemetryEnabled, fileReadLineLimit, fileWriteLineLimit.

Co-authored-by: Peter McDade <pmcdade@pmcdadePersonal.pmcdade.org>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: 3 people

src/tools/config.ts

@@ -55,6 +55,18 @@ export async function getConfig() {
   }
 }
 
+// Keys that can be set via the set_config_value MCP tool.
+// Internal keys (clientId, usageStats, abTest_*, onboardingState, etc.)
+// are managed by the server itself and should not be settable by clients.
+const ALLOWED_CONFIG_KEYS = new Set([
+  'blockedCommands',
+  'allowedDirectories',
+  'defaultShell',
+  'telemetryEnabled',
+  'fileReadLineLimit',
+  'fileWriteLineLimit',
+]);
+
 /**
  * Set a specific config value
  */
@@ -73,6 +85,16 @@ export async function setConfigValue(args: unknown) {
       };
     }
 
+    if (!ALLOWED_CONFIG_KEYS.has(parsed.data.key)) {
+      return {
+        content: [{
+          type: "text",
+          text: `Key "${parsed.data.key}" is not configurable via this tool. Allowed keys: ${[...ALLOWED_CONFIG_KEYS].join(', ')}`
+        }],
+        isError: true
+      };
+    }
+
     try {
       // Parse string values that should be arrays or objects
       let valueToStore = parsed.data.value;