Rails MCP Server 1.5.0: Security Hardening and Sandboxed Environment Support

Version 1.5.0 brings comprehensive security improvements from community contributor hellvinz, plus support for sandboxed AI agents like GitHub Copilot and Claude Code.

Open source projects get better when people contribute back. Rails MCP Server 1.5.0 is a direct result of that—a release shaped significantly by a community contribution that I didn’t write.

The most important change in this version is a comprehensive security overhaul contributed by GitHub user hellvinz through PR #25. It’s the kind of work that doesn’t get enough recognition.

The Security Contribution

When you give an AI model access to your codebase through MCP tools, security matters. The execute_ruby sandbox already restricted dangerous operations, but the file-accessing analyzers needed more rigorous input validation. I knew this, but hadn’t prioritized it.

hellvinz did the work.

PathValidator Module

A centralized validation layer now protects all file-accessing analyzers. Path traversal attempts are blocked. Sensitive files are filtered automatically. The implementation is clean:

# Path traversal attempts are blocked
get_file(path: "../../../etc/passwd")
# => "Access denied: Path is outside the project directory"

# Sensitive files are filtered
list_files(pattern: "config/*.key")
# => master.key, credentials.yml.enc excluded from results

The validator catches:

  • Path traversal attacks (../ sequences)
  • Absolute path access outside the project
  • Attempts to read sensitive files (master.key, credentials.yml.enc, .env)
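To make the three checks concrete, here is an illustrative PathValidator written for this post. It is not the module from PR #25; the module name, method names and the sensitive-file patterns are assumptions based on the behaviour described above.

```ruby
require "pathname"

# Illustrative PathValidator written for this post; it is not the module from
# PR #25. The module name, method names and the sensitive-file patterns are
# assumptions based on the behaviour described in the release notes.
module PathValidator
  class AccessDenied < StandardError; end

  # Files that must never be returned to the model even when they live inside
  # the project. Matched against the project-relative path.
  SENSITIVE_PATTERNS = [
    %r{(\A|/)master\.key\z},                     # config/master.key
    %r{(\A|/)credentials(\.[^/]+)?\.yml\.enc\z}, # credentials.yml.enc, credentials.production.yml.enc
    %r{(\A|/)\.env(\.[^/]+)?\z}                  # .env, .env.production
  ].freeze

  module_function

  # Resolves `path` against `project_root` and returns the absolute path, or
  # raises AccessDenied when it escapes the project or names a secret file.
  def validate!(project_root, path)
    root = Pathname.new(project_root).expand_path
    root = root.realpath if root.exist?

    # expand_path collapses "../" lexically and leaves absolute inputs alone,
    # so both "../../etc/passwd" and "/etc/passwd" fail the prefix check below.
    candidate = Pathname.new(path).expand_path(root.to_s)
    # For files that exist, follow symlinks so a link pointing outside the
    # project is judged by its real location.
    candidate = candidate.realpath if candidate.exist?

    # Compare on a path boundary so a root of /srv/app does not admit /srv/app2.
    inside = candidate == root || candidate.to_s.start_with?(root.to_s + File::SEPARATOR)
    raise AccessDenied, "Access denied: Path is outside the project directory" unless inside

    relative = candidate.relative_path_from(root).to_s
    if SENSITIVE_PATTERNS.any? { |re| re.match?(relative) }
      raise AccessDenied, "Access denied: #{relative} is a sensitive file"
    end

    candidate.to_s
  end

  # Non-raising form, useful when filtering the results of a listing.
  def allowed?(project_root, path)
    validate!(project_root, path)
    true
  rescue AccessDenied
    false
  end
end
```

The prefix comparison is done on a path boundary rather than with a bare string prefix, and existing files are resolved with realpath so a symlink inside the project cannot point at a file outside it. A path whose parent directory is a symlink but which does not yet exist is still judged lexically, which is the remaining gap to keep in mind.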

Injection Prevention

Shell commands now use IO.popen with array arguments instead of string interpolation. Table names in schema queries are validated against a strict pattern. These changes close potential injection vectors that existed in earlier versions.
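The two patterns side by side, as an added example written for this post rather than the project's own code. The module and method names, the identifier pattern and the sample `wc -l` command are assumptions; the point is that the array form of IO.popen never touches a shell, and that an identifier which cannot be bound as a query parameter is only safe to interpolate after a strict pattern check.

```ruby
require "tmpdir"

# Illustrative helpers written for this post to show the two patterns named
# in the release notes; they are not the project's code. Names, the
# identifier pattern and the sample command are assumptions.
module SafeShell
  class InvalidTableName < ArgumentError; end

  # Strict identifier pattern: a leading letter or underscore, then letters,
  # digits or underscores, at most 63 characters (PostgreSQL's limit).
  # Quotes, semicolons, whitespace and comment markers cannot pass.
  TABLE_NAME = /\A[a-zA-Z_][a-zA-Z0-9_]{0,62}\z/

  module_function

  def validate_table_name!(name)
    name = name.to_s
    raise InvalidTableName, "invalid table name: #{name.inspect}" unless TABLE_NAME.match?(name)
    name
  end

  # A table name is an identifier, not a value, so it cannot be sent as a bind
  # parameter; the pattern check is therefore the only guard before it is
  # interpolated into SQL.
  def columns_query(table)
    "SELECT * FROM #{validate_table_name!(table)} LIMIT 0"
  end

  # Unsafe form, kept only for contrast and not executed here: the string goes
  # through /bin/sh, so metacharacters in `file` become shell syntax.
  def line_count_via_shell(file)
    IO.popen("wc -l #{file}", &:read)
  end

  # Safe form: the array is handed straight to execve, one element per argv
  # entry, and no shell is involved.
  def line_count(file)
    out = IO.popen(["wc", "-l", file], err: [:child, :out], &:read)
    Integer(out.split.first)
  end

  # Demo on a constructed file whose name contains shell metacharacters; the
  # array form treats the whole name as a single literal argument.
  def demo_line_count
    Dir.mktmpdir do |dir|
      path = File.join(dir, "notes; echo injected.txt")
      File.write(path, "one\ntwo\nthree\n")
      line_count(path)
    end
  end
end
```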

CI Infrastructure

Beyond the code changes, hellvinz added security infrastructure I should have set up from the start:

  • Dependabot for dependency updates
  • CodeQL for static analysis
  • OpenSSF Scorecard integration
  • A proper SECURITY.md for vulnerability reporting

This kind of contribution takes real effort. Reviewing an unfamiliar codebase, identifying gaps, implementing fixes that don’t break existing functionality, setting up CI pipelines—it’s unglamorous work that makes the project better for everyone who uses it.

I’m grateful for the contribution.

Sandboxed Environment Support

AI coding agents increasingly run in sandboxed environments—containers or restricted shells where they can only access the current project directory. GitHub Copilot Agent and Claude Code Agent both work this way.

Previous versions of Rails MCP Server assumed access to a user home directory for configuration files. That doesn’t work in a sandbox.

The --single-project flag solves this. It tells the server to use the current working directory as the only project, skipping configuration files entirely:

rails-mcp-server --single-project

GitHub Copilot Agent configuration goes in .vscode/mcp.json:

{
  "servers": {
    "rails-mcp": {
      "command": "rails-mcp-server",
      "args": ["--single-project"]
    }
  }
}

Claude Code Agent can use the same flag. The server detects it’s running in a Rails directory and works immediately—no setup required.

This also simplifies CI/CD pipelines and any environment where you want the server to just work with the current directory.

The Copilot Agent documentation covers the setup in detail.

Simplified Project Configuration

Previous versions required manual configuration in ~/.config/rails-mcp/projects.yml. That still works, but 1.5.0 adds flexibility:

  • --single-project flag: sandboxed agents (Copilot, Claude Code), CI/CD
  • RAILS_MCP_PROJECT_PATH env var: explicit path control
  • Auto-detection: finds Rails apps from the Gemfile, engines from the gemspec
  • projects.yml: multiple projects with named references

The server now auto-detects Rails applications by checking for a Gemfile with the rails gem, and Rails engines by looking for gemspec files with Rails dependencies. When only one project is available, it switches automatically.
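An added example of those two heuristics, written for this post and not taken from the server's source. The module and method names and the exact dependency pattern are assumptions; the demo builds three constructed directories (an app, an engine and an unrelated Ruby project) to show how each is classified.

```ruby
require "tmpdir"
require "fileutils"

# Illustrative detector written for this post, not the project's own code.
# The heuristics follow the release notes; names and the dependency pattern
# are assumptions.
module ProjectDetector
  module_function

  # A Rails application: a Gemfile that declares the rails gem.
  def rails_app?(dir)
    gemfile = File.join(dir, "Gemfile")
    return false unless File.file?(gemfile)
    File.foreach(gemfile).any? { |line| line.match?(/\A\s*gem\s+["']rails["']/) }
  end

  # A Rails engine: a *.gemspec declaring a dependency on rails or railties.
  def rails_engine?(dir)
    dep = /add_(runtime_|development_)?dependency\s*\(?\s*["'](rails|railties)["']/
    Dir.glob(File.join(dir, "*.gemspec")).any? do |spec|
      File.foreach(spec).any? { |line| line.match?(dep) }
    end
  end

  # A gemspec at the root is the stronger signal (an engine's Gemfile usually
  # just says `gemspec`), so it is checked first. Returns nil for anything else.
  def detect(dir)
    return :engine if rails_engine?(dir)
    return :application if rails_app?(dir)
    nil
  end

  # Demo on three constructed directories.
  def demo
    Dir.mktmpdir do |root|
      app, engine, plain = %w[app engine plain].map { |n| File.join(root, n) }
      [app, engine, plain].each { |d| FileUtils.mkdir_p(d) }
      File.write(File.join(app, "Gemfile"), "source \"https://rubygems.org\"\ngem \"rails\", \"~> 8.1\"\n")
      File.write(File.join(engine, "Gemfile"), "source \"https://rubygems.org\"\ngemspec\n")
      File.write(File.join(engine, "my_engine.gemspec"), <<~SPEC)
        Gem::Specification.new do |spec|
          spec.name = "my_engine"
          spec.add_dependency "rails", ">= 7.0"
        end
      SPEC
      File.write(File.join(plain, "Gemfile"), "gem \"sinatra\"\n")
      [detect(app), detect(engine), detect(plain)]
    end
  end
end
```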

Rails 8.1 Compatibility

Rails 8.1 changed the internal callback API. The analyze_controller_views tool was calling callback.options to extract :only and :except conditions, but that method no longer exists.

The fix maintains backward compatibility:

callbacks: controller._process_action_callbacks.map { |cb|
  # kind is before/after/around; filter is the method name or proc
  h = { kind: cb.kind.to_s, filter: cb.filter.to_s }
  # Rails < 8.1 exposes the :only/:except conditions via #options;
  # Rails 8.1 removed it, so those keys are simply omitted there
  if cb.respond_to?(:options)
    h[:only] = Array(cb.options[:only]).map(&:to_s)
    h[:except] = Array(cb.options[:except]).map(&:to_s)
  end
  h
}

This works with Rails 6.0 through 8.1. The callback conditions are extracted when available, omitted when not.

Other Changes

Error messages now include hints. When you ask for a model named users instead of User, the error explains the naming convention. Small things that reduce friction.

Parameter passing in execute_tool is fixed. The params schema now generates correctly for MCP clients, so tools like analyze_models can actually receive their parameters. This was a real bug that made the tool harder to use than it should have been.

Input validation for load_guide prevents path traversal in guide names. Another gap that hellvinz’s security review prompted me to address.

Breaking Change

The load_guide analyzer renamed its parameter from guides to library:

# Before (1.4.x)
execute_tool("load_guide", { guides: "rails", guide: "active_record" })

# After (1.5.0)
execute_tool("load_guide", { library: "rails", guide: "active_record" })

The change clarifies that you’re selecting a documentation library (rails, turbo, stimulus, kamal, custom), not multiple guides. It’s a small breaking change, but the naming is more accurate.

Upgrading

gem update rails-mcp-server

If you’re using Claude Desktop, restart it to pick up the new version. The server binary path in your configuration doesn’t change.

For new installations:

gem install rails-mcp-server
rails-mcp-config

The interactive configuration tool handles Claude Desktop setup, project registration, and guide downloads.

What’s Next

The MCP specification continues to evolve. As more AI tools adopt the protocol, Rails MCP Server will adapt to support them.

If you find issues or have ideas, the issue tracker is open. Pull requests are welcome. As this release shows, community contributions make a real difference—sometimes more than you might expect.