chore: add conditional subset and lower than cases

Author: gagik

src/common/config/configOverrides.ts

@@ -8,7 +8,8 @@ export const CONFIG_QUERY_PREFIX = "mongodbMcp";
 
 /**
  * Applies config overrides from request context (headers and query parameters).
- * Query parameters take precedence over headers.
+ * Query parameters take precedence over headers. Can be used within the createSessionConfig
+ * hook to manually apply the overrides. Requires `allowRequestOverrides` to be enabled.
  *
  * @param baseConfig - The base user configuration
  * @param request - The request context containing headers and query parameters

src/common/config/configUtils.ts

@@ -138,3 +138,38 @@ export function oneWayOverride<T>(allowedValue: T): CustomOverrideLogic {
         throw new Error(`Can only set to ${String(allowedValue)}`);
     };
 }
+
+/** Allow overriding only to a value lower than the specified value */
+export function onlyLowerThanBaseValueOverride(): CustomOverrideLogic {
+    return (oldValue, newValue) => {
+        if (typeof oldValue !== "number") {
+            throw new Error(`Unsupported type for base value for override: ${typeof oldValue}`);
+        }
+        if (typeof newValue !== "number") {
+            throw new Error(`Unsupported type for new value for override: ${typeof newValue}`);
+        }
+        if (newValue >= oldValue) {
+            throw new Error(`Can only set to a value lower than the base value`);
+        }
+        return newValue;
+    };
+}
+
+/** Allow overriding only to a subset of an array but not a superset */
+export function onlySubsetOfBaseValueOverride(): CustomOverrideLogic {
+    return (oldValue, newValue) => {
+        if (!Array.isArray(oldValue)) {
+            throw new Error(`Unsupported type for base value for override: ${typeof oldValue}`);
+        }
+        if (!Array.isArray(newValue)) {
+            throw new Error(`Unsupported type for new value for override: ${typeof newValue}`);
+        }
+        if (newValue.length > oldValue.length) {
+            throw new Error(`Can only override to a subset of the base value`);
+        }
+        if (!newValue.every((value) => oldValue.includes(value))) {
+            throw new Error(`Can only override to a subset of the base value`);
+        }
+        return newValue as unknown;
+    };
+}

src/common/config/userConfig.ts

@@ -6,6 +6,8 @@ import {
     getExportsPath,
     getLogPath,
     oneWayOverride,
+    onlyLowerThanBaseValueOverride,
+    onlySubsetOfBaseValueOverride,
     parseBoolean,
 } from "./configUtils.js";
 import { previewFeatureValues, similarityValues } from "../schemas.js";
@@ -38,7 +40,7 @@ export const UserConfigSchema = z4.object({
         .describe(
             "MongoDB connection string for direct database connections. Optional, if not set, you'll need to call the connect tool before interacting with MongoDB data."
         )
-        .register(configRegistry, { isSecret: true, overrideBehavior: "override" }),
+        .register(configRegistry, { isSecret: true, overrideBehavior: "not-allowed" }),
     loggers: z4
         .preprocess(
             (val: string | string[] | undefined) => commaSeparatedToArray(val),
@@ -54,7 +56,7 @@ export const UserConfigSchema = z4.object({
         .describe("An array of logger types.")
         .register(configRegistry, {
             defaultValueDescription: '`"disk,mcp"` see below*',
-            overrideBehavior: "merge",
+            overrideBehavior: "not-allowed",
         }),
     logPath: z4
         .string()
@@ -133,12 +135,12 @@ export const UserConfigSchema = z4.object({
         .number()
         .default(600_000)
         .describe("Idle timeout for a client to disconnect (only applies to http transport).")
-        .register(configRegistry, { overrideBehavior: "override" }),
+        .register(configRegistry, { overrideBehavior: onlyLowerThanBaseValueOverride() }),
     notificationTimeoutMs: z4.coerce
         .number()
         .default(540_000)
         .describe("Notification timeout for a client to be aware of disconnect (only applies to http transport).")
-        .register(configRegistry, { overrideBehavior: "override" }),
+        .register(configRegistry, { overrideBehavior: onlyLowerThanBaseValueOverride() }),
     maxBytesPerQuery: z4.coerce
         .number()
         .default(16_777_216)
@@ -167,21 +169,21 @@ export const UserConfigSchema = z4.object({
         .number()
         .default(120_000)
         .describe("Time in milliseconds between export cleanup cycles that remove expired export files.")
-        .register(configRegistry, { overrideBehavior: "override" }),
+        .register(configRegistry, { overrideBehavior: "not-allowed" }),
     atlasTemporaryDatabaseUserLifetimeMs: z4.coerce
         .number()
         .default(14_400_000)
         .describe(
             "Time in milliseconds that temporary database users created when connecting to MongoDB Atlas clusters will remain active before being automatically deleted."
         )
-        .register(configRegistry, { overrideBehavior: "override" }),
+        .register(configRegistry, { overrideBehavior: onlyLowerThanBaseValueOverride() }),
     voyageApiKey: z4
         .string()
         .default("")
         .describe(
             "API key for Voyage AI embeddings service (required for vector search operations with text-to-embedding conversion)."
         )
-        .register(configRegistry, { isSecret: true, overrideBehavior: "not-allowed" }),
+        .register(configRegistry, { isSecret: true, overrideBehavior: "override" }),
     disableEmbeddingsValidation: z4
         .preprocess(parseBoolean, z4.boolean())
         .default(false)
@@ -206,7 +208,7 @@ export const UserConfigSchema = z4.object({
         )
         .default([])
         .describe("An array of preview features that are enabled.")
-        .register(configRegistry, { overrideBehavior: "merge" }),
+        .register(configRegistry, { overrideBehavior: onlySubsetOfBaseValueOverride() }),
     allowRequestOverrides: z4
         .preprocess(parseBoolean, z4.boolean())
         .default(false)

src/lib.ts

@@ -24,3 +24,4 @@ export { Telemetry } from "./telemetry/telemetry.js";
 export { Keychain, registerGlobalSecretToRedact } from "./common/keychain.js";
 export type { Secret } from "./common/keychain.js";
 export { Elicitation } from "./elicitation.js";
+export { applyConfigOverrides } from "./common/config/configOverrides.js";

src/transports/base.ts

@@ -100,13 +100,12 @@ export abstract class TransportRunnerBase {
     }
 
     protected async setupServer(request?: RequestContext): Promise<Server> {
-        // Apply config overrides from request context (headers and query parameters)
-        let userConfig = applyConfigOverrides({ baseConfig: this.userConfig, request });
+        let userConfig: UserConfig = this.userConfig;
 
-        // Call the config provider hook if provided, allowing consumers to
-        // fetch or modify configuration after applying request context overrides
         if (this.createSessionConfig) {
             userConfig = await this.createSessionConfig({ userConfig, request });
+        } else {
+            userConfig = applyConfigOverrides({ baseConfig: this.userConfig, request });
         }
 
         const mcpServer = new McpServer({

tests/integration/transports/configOverrides.test.ts

@@ -95,21 +95,26 @@ describe("Config Overrides via HTTP", () => {
             expect(readTools.length).toBe(1);
         });
 
-        it("should override connectionString with header", async () => {
+        it("should not be able tooverride connectionString with header", async () => {
             await startRunner({
                 ...defaultTestConfig,
                 httpPort: 0,
                 connectionString: undefined,
                 allowRequestOverrides: true,
             });
 
-            await connectClient({
-                ["x-mongodb-mcp-connection-string"]: "mongodb://override:27017",
-            });
-
-            const response = await client.listTools();
-
-            expect(response).toBeDefined();
+            try {
+                await connectClient({
+                    ["x-mongodb-mcp-connection-string"]: "mongodb://override:27017",
+                });
+                expect.fail("Expected an error to be thrown");
+            } catch (error) {
+                if (!(error instanceof Error)) {
+                    throw new Error("Expected an error to be thrown");
+                }
+                expect(error.message).toContain("Error POSTing to endpoint (HTTP 400)");
+                expect(error.message).toContain(`Config key connectionString is not allowed to be overridden`);
+            }
         });
     });
 
@@ -415,4 +420,131 @@ describe("Config Overrides via HTTP", () => {
             expect(findTool).toBeDefined();
         });
     });
+
+    describe("onlyLowerThanBaseValueOverride behavior", () => {
+        it("should allow override to a lower value", async () => {
+            await startRunner({
+                ...defaultTestConfig,
+                httpPort: 0,
+                idleTimeoutMs: 600_000,
+                allowRequestOverrides: true,
+            });
+
+            await connectClient({
+                ["x-mongodb-mcp-idle-timeout-ms"]: "300000",
+            });
+
+            const response = await client.listTools();
+            expect(response).toBeDefined();
+        });
+
+        it("should reject override to a higher value", async () => {
+            await startRunner({
+                ...defaultTestConfig,
+                httpPort: 0,
+                idleTimeoutMs: 600_000,
+                allowRequestOverrides: true,
+            });
+
+            try {
+                await connectClient({
+                    ["x-mongodb-mcp-idle-timeout-ms"]: "900000",
+                });
+                expect.fail("Expected an error to be thrown");
+            } catch (error) {
+                if (!(error instanceof Error)) {
+                    throw new Error("Expected an error to be thrown");
+                }
+                expect(error.message).toContain("Error POSTing to endpoint (HTTP 400)");
+                expect(error.message).toContain(
+                    "Cannot apply override for idleTimeoutMs: Can only set to a value lower than the base value"
+                );
+            }
+        });
+
+        it("should reject override to equal value", async () => {
+            await startRunner({
+                ...defaultTestConfig,
+                httpPort: 0,
+                idleTimeoutMs: 600_000,
+                allowRequestOverrides: true,
+            });
+
+            try {
+                await connectClient({
+                    ["x-mongodb-mcp-idle-timeout-ms"]: "600000",
+                });
+                expect.fail("Expected an error to be thrown");
+            } catch (error) {
+                if (!(error instanceof Error)) {
+                    throw new Error("Expected an error to be thrown");
+                }
+                expect(error.message).toContain("Error POSTing to endpoint (HTTP 400)");
+                expect(error.message).toContain(
+                    "Cannot apply override for idleTimeoutMs: Can only set to a value lower than the base value"
+                );
+            }
+        });
+    });
+
+    describe("onlySubsetOfBaseValueOverride behavior", () => {
+        describe("previewFeatures", () => {
+            it("should allow override to same value", async () => {
+                await startRunner({
+                    ...defaultTestConfig,
+                    httpPort: 0,
+                    previewFeatures: ["vectorSearch"],
+                    allowRequestOverrides: true,
+                });
+
+                await connectClient({
+                    ["x-mongodb-mcp-preview-features"]: "vectorSearch",
+                });
+
+                const response = await client.listTools();
+                expect(response).toBeDefined();
+            });
+
+            it("should allow override to an empty array (subset of any array)", async () => {
+                await startRunner({
+                    ...defaultTestConfig,
+                    httpPort: 0,
+                    previewFeatures: ["vectorSearch"],
+                    allowRequestOverrides: true,
+                });
+
+                await connectClient({
+                    ["x-mongodb-mcp-preview-features"]: "",
+                });
+
+                const response = await client.listTools();
+                expect(response).toBeDefined();
+            });
+
+            it("should reject override when base is empty array and trying to add items", async () => {
+                await startRunner({
+                    ...defaultTestConfig,
+                    httpPort: 0,
+                    previewFeatures: [],
+                    allowRequestOverrides: true,
+                });
+
+                // Empty array trying to override with non-empty should fail (superset)
+                try {
+                    await connectClient({
+                        ["x-mongodb-mcp-preview-features"]: "vectorSearch",
+                    });
+                    expect.fail("Expected an error to be thrown");
+                } catch (error) {
+                    if (!(error instanceof Error)) {
+                        throw new Error("Expected an error to be thrown");
+                    }
+                    expect(error.message).toContain("Error POSTing to endpoint (HTTP 400)");
+                    expect(error.message).toContain(
+                        "Cannot apply override for previewFeatures: Can only override to a subset of the base value"
+                    );
+                }
+            });
+        });
+    });
 });