OLS-2575: Remove service-side secret keyword tool filtering

[onmete]

Description

Remove service-side substring filtering for "secret" in MCP tool arguments, and rely on MCP server-side denied_resources hardening for v1/Secret to prevent secret content leakage.

This change removes over-blocking of legitimate Kubernetes operations that only reference secrets by name/path (for example secretRef and /var/run/secrets/...).

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change

Related Tickets & Documents

• Related Issue #
• Closes #
• Jira: https://issues.redhat.com/browse/OLS-2575

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• uv run pytest -q tests/unit/tools/test_tools.py
• Verified obsolete sensitive-argument tests were removed and the tools test suite passes.
• Manual behavior validation from code path: no raise_for_sensitive_tool_args gate remains in _execute_single_tool_call.

Made with Cursor

[openshift-ci-robot]

@onmete: This pull request references OLS-2575 which is a valid jira issue.

Details

In response to this:

Description

Remove service-side substring filtering for "secret" in MCP tool arguments, and rely on MCP server-side denied_resources hardening for v1/Secret to prevent secret content leakage.

This change removes over-blocking of legitimate Kubernetes operations that only reference secrets by name/path (for example secretRef and /var/run/secrets/...).

Type of change

• Refactor
• New feature
• Bug fix
• CVE fix
• Optimization
• Documentation Update
• Configuration Update
• Bump-up dependent library
• Bump-up library or tool used for development (does not change the final image)
• CI configuration change
• Konflux configuration change

Related Tickets & Documents

• Related Issue #
• Closes #
• Jira: https://issues.redhat.com/browse/OLS-2575

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• uv run pytest -q tests/unit/tools/test_tools.py
• Verified obsolete sensitive-argument tests were removed and the tools test suite passes.
• Manual behavior validation from code path: no raise_for_sensitive_tool_args gate remains in _execute_single_tool_call.

Made with Cursor

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[onmete]

Just try/except was removed here, the rest is an indentation shift.

[openshift-ci]

@onmete: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[blublinsky]

/lgtm

[onmete]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: onmete

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [onmete]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment