fix(catalog): populate securityIndicators from YAML MCP server configs (kubeflow#2461)

The YAML provider lacked a securityIndicators field, so demo and rh-mcp
manifests stored verifiedSource, secureEndpoint, sast, and readOnlyTools
as custom properties. This left securityIndicators null in API responses
and broke named queries on these fields, since the converter reads them
from standard properties. Add yamlMCPSecurityIndicator struct and
SecurityIndicators field to yamlMCPServer, convert the values to standard
bool properties in ToMCPServerProviderRecord(), and update all affected
YAML manifests to use the new top-level securityIndicators field.

Signed-off-by: Paul Boyd <paul@pboyd.io>
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: pboyd

catalog/clients/python/tests/mcp_servers/test_named_queries.py

@@ -17,7 +17,7 @@ class TestMCPServerNamedQueries:
     """Test suite for MCP server named query functionality."""
 
     @pytest.mark.parametrize(
-        "named_query, expected_custom_properties",
+        "named_query, expected_security_indicators",
         [
             pytest.param(
                 "production_ready",
@@ -36,18 +36,18 @@ def test_named_query_execution(
         api_client: CatalogAPIClient,
         suppress_ssl_warnings: None,
         named_query: str,
-        expected_custom_properties: dict[str, bool],
+        expected_security_indicators: dict[str, bool],
     ):
-        """TC-API-011: Test executing a named query filters servers by custom properties."""
+        """TC-API-011: Test executing a named query filters servers by security indicators."""
         response = api_client.get_mcp_servers(named_query=named_query)
         items = response.get("items", [])
         assert len(items) == 1, f"Expected 1 server matching '{named_query}', got {len(items)}"
         assert items[0]["name"] == "calculator"
 
-        custom_props = items[0].get("customProperties", {})
-        for prop_name, expected_value in expected_custom_properties.items():
-            assert custom_props.get(prop_name, {}).get("bool_value") is expected_value, (
-                f"Expected {prop_name}={expected_value}, got {custom_props.get(prop_name)}"
+        security_indicators = items[0].get("securityIndicators", {})
+        for prop_name, expected_value in expected_security_indicators.items():
+            assert security_indicators.get(prop_name) is expected_value, (
+                f"Expected {prop_name}={expected_value}, got {security_indicators.get(prop_name)}"
             )
 
     @pytest.mark.parametrize(

catalog/internal/catalog/mcpcatalog/providers.go

@@ -93,6 +93,14 @@ func GetMCPProvider(typeName string) (MCPServerProviderFunc, bool) {
 	return providerFunc, exists
 }
 
+// yamlMCPSecurityIndicator represents the security indicators for an MCP server
+type yamlMCPSecurityIndicator struct {
+	VerifiedSource *bool `yaml:"verifiedSource,omitempty"`
+	SecureEndpoint *bool `yaml:"secureEndpoint,omitempty"`
+	Sast           *bool `yaml:"sast,omitempty"`
+	ReadOnlyTools  *bool `yaml:"readOnlyTools,omitempty"`
+}
+
 // yamlMCPServer represents an MCP server definition in YAML
 type yamlMCPServer struct {
 	Name                     string                              `yaml:"name"`
@@ -115,6 +123,7 @@ type yamlMCPServer struct {
 	Endpoints                *yamlMCPEndpoints                   `yaml:"endpoints,omitempty"`
 	RuntimeMetadata          *apimodels.MCPRuntimeMetadata       `yaml:"runtimeMetadata,omitempty"`
 	Tags                     []string                            `yaml:"tags,omitempty"`
+	SecurityIndicators       *yamlMCPSecurityIndicator           `yaml:"securityIndicators,omitempty"`
 	CustomProperties         *map[string]apimodels.MetadataValue `yaml:"customProperties,omitempty"`
 	CreateTimeSinceEpoch     *string                             `yaml:"createTimeSinceEpoch,omitempty"`
 	LastUpdateTimeSinceEpoch *string                             `yaml:"lastUpdateTimeSinceEpoch,omitempty"`
@@ -381,6 +390,23 @@ func (ys *yamlMCPServer) ToMCPServerProviderRecord() MCPServerProviderRecord {
 		}
 	}
 
+	// Convert security indicators to standard bool properties
+	if ys.SecurityIndicators != nil {
+		si := ys.SecurityIndicators
+		if si.VerifiedSource != nil {
+			properties = append(properties, mrmodels.NewBoolProperty("verifiedSource", *si.VerifiedSource, false))
+		}
+		if si.SecureEndpoint != nil {
+			properties = append(properties, mrmodels.NewBoolProperty("secureEndpoint", *si.SecureEndpoint, false))
+		}
+		if si.Sast != nil {
+			properties = append(properties, mrmodels.NewBoolProperty("sast", *si.Sast, false))
+		}
+		if si.ReadOnlyTools != nil {
+			properties = append(properties, mrmodels.NewBoolProperty("readOnlyTools", *si.ReadOnlyTools, false))
+		}
+	}
+
 	server.Properties = &properties
 
 	// Convert custom properties

catalog/internal/catalog/mcpcatalog/providers_test.go

@@ -817,6 +817,105 @@ func TestYamlMCPProviderEmitWithRuntimeMetadata(t *testing.T) {
 	assert.Equal(t, "API_KEY", *parsed.Prerequisites.Secrets[0].Keys[0].EnvVarName)
 }
 
+func TestYamlMCPServerSecurityIndicatorsToStandardProperties(t *testing.T) {
+	trueVal := true
+	falseVal := false
+	yamlServer := &yamlMCPServer{
+		Name: "test-server",
+		SecurityIndicators: &yamlMCPSecurityIndicator{
+			VerifiedSource: &trueVal,
+			SecureEndpoint: &falseVal,
+			Sast:           &trueVal,
+			ReadOnlyTools:  &falseVal,
+		},
+	}
+
+	record := yamlServer.ToMCPServerProviderRecord()
+
+	require.NotNil(t, record.Server)
+	require.Nil(t, record.Error)
+
+	// Security indicators must land in standard properties, not custom properties
+	props := record.Server.GetProperties()
+	require.NotNil(t, props)
+
+	propMap := make(map[string]bool)
+	for _, p := range *props {
+		if p.BoolValue != nil {
+			propMap[p.Name] = *p.BoolValue
+		}
+	}
+
+	assert.True(t, propMap["verifiedSource"], "verifiedSource should be true in standard properties")
+	assert.False(t, propMap["secureEndpoint"], "secureEndpoint should be false in standard properties")
+	assert.True(t, propMap["sast"], "sast should be true in standard properties")
+	assert.False(t, propMap["readOnlyTools"], "readOnlyTools should be false in standard properties")
+
+	// Security indicators must NOT appear in custom properties
+	customProps := record.Server.GetCustomProperties()
+	if customProps != nil {
+		for _, p := range *customProps {
+			assert.NotEqual(t, "verifiedSource", p.Name)
+			assert.NotEqual(t, "secureEndpoint", p.Name)
+			assert.NotEqual(t, "sast", p.Name)
+			assert.NotEqual(t, "readOnlyTools", p.Name)
+		}
+	}
+}
+
+func TestYamlMCPServerSecurityIndicatorsNil(t *testing.T) {
+	yamlServer := &yamlMCPServer{
+		Name:               "test-server",
+		SecurityIndicators: nil,
+	}
+
+	record := yamlServer.ToMCPServerProviderRecord()
+
+	require.NotNil(t, record.Server)
+	require.Nil(t, record.Error)
+
+	props := record.Server.GetProperties()
+	if props != nil {
+		for _, p := range *props {
+			assert.Nil(t, p.BoolValue, "no bool properties should exist when SecurityIndicators is nil (prop: %s)", p.Name)
+		}
+	}
+}
+
+func TestYamlMCPServerSecurityIndicatorsPartial(t *testing.T) {
+	trueVal := true
+	yamlServer := &yamlMCPServer{
+		Name: "test-server",
+		SecurityIndicators: &yamlMCPSecurityIndicator{
+			VerifiedSource: &trueVal,
+			// SecureEndpoint, Sast, ReadOnlyTools intentionally unset
+		},
+	}
+
+	record := yamlServer.ToMCPServerProviderRecord()
+
+	require.NotNil(t, record.Server)
+	require.Nil(t, record.Error)
+
+	props := record.Server.GetProperties()
+	require.NotNil(t, props)
+
+	boolProps := make(map[string]bool)
+	for _, p := range *props {
+		if p.BoolValue != nil {
+			boolProps[p.Name] = *p.BoolValue
+		}
+	}
+
+	assert.True(t, boolProps["verifiedSource"], "verifiedSource should be true")
+	_, hasSecureEndpoint := boolProps["secureEndpoint"]
+	assert.False(t, hasSecureEndpoint, "secureEndpoint should not be present when unset")
+	_, hasSast := boolProps["sast"]
+	assert.False(t, hasSast, "sast should not be present when unset")
+	_, hasReadOnlyTools := boolProps["readOnlyTools"]
+	assert.False(t, hasReadOnlyTools, "readOnlyTools should not be present when unset")
+}
+
 // Helper function
 func strPtr(s string) *string {
 	return &s