Return MCP discovery warnings from ApplyMCPSafetyDiscovery and surface them
on validate (table + JSON). Use per-tool timeouts instead of a shared budget.
Add config.Resolve integration tests, digest drift/stability coverage, named
MCP meta key constants, and CHANGELOG guidance to pin spec.safety for stable
plan→run digests when relying on MCP flags.
Co-authored-by: Cursor <cursoragent@cursor.com>
CHANGELOG.md: 2 additions & 1 deletion
@@ -21,7 +21,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
21
21
-**`spec.safety` on Tool resources** (issue #103): optional `trusted`, `sideEffects`, and `requiresApproval` fields. [NormalizeProjectGraph] materializes fail-closed defaults on load.
22
22
-**Policy safety fallback**: when no `approvals.requiredFor` entry matches the exact `uses` string, [policy.Derive] consults resolved safety metadata. Unattended mutating tools require `--approve` (exit code **5**, `approval_required`).
23
23
-**Plan risk hints** for tools that will require approval at run, including decision source (`explicit_policy_rule`, `safety_metadata`, `fail_closed_default`).
24
-
-**MCP tool safety discovery** (issue #125): during config resolution, MCP `tools/list` descriptors supply `meta.mcp_flags` (`trusted`, `side_effects`, `requires_approval`) merged into `spec.safety` via [spec.SafetyFromMCPMeta] and [spec.MergeToolSafety]. Author-set YAML fields override MCP per field; discovery failures fall back to fail-closed defaults.
24
+
-**MCP tool safety discovery** (issue #125): during config resolution, MCP `tools/list` descriptors supply `meta.mcp_flags` (`trusted`, `side_effects`, `requires_approval`) merged into `spec.safety` via [spec.SafetyFromMCPMeta] and [spec.MergeToolSafety]. Author-set YAML fields override MCP per field; discovery failures fall back to fail-closed defaults and emit validate-time warnings on [config.ResolvedConfig.MCPDiscoveryWarnings].
25
25
26
26
### Changed
27
27
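Review bot: the per-tool timeout change from the commit message ("Use per-tool timeouts instead of a shared budget") is not recorded in this CHANGELOG edit; the only text added to the MCP tool safety discovery bullet is the warnings surface on [config.ResolvedConfig.MCPDiscoveryWarnings]. Replacing a shared discovery budget with per-tool timeouts changes how long config resolution can run for a project with many MCP tools and which tools fall back to fail-closed defaults when one server is slow, so it deserves its own bullet under the "### Changed" heading that follows, naming the default per-tool timeout (or the setting that controls it) so operators know what to tune. The bullet could also say where the warnings are surfaced (the commit message mentions the validate table and JSON output), since the type name alone does not tell a user running `agentctl validate` what to expect.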
@@ -40,3 +40,4 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
40
40
```
41
41
2. For tools where you accept **tool-wide** unattended use but still gate specific operations, set `trusted: true` and list write operations under `Policy.spec.approvals.requiredFor` (exact `uses` strings).
42
42
3. Do **not** set `trusted: true` unless you intend every operation on that tool to run without safety-derived approval; per-action gating remains `requiredFor` only (exact match at runtime).
43
+
4. For **MCP tools** that rely on server-provided `meta.mcp_flags`, pin explicit `spec.safety` in YAML when you need stable `validate`/`plan`→`run` digests. Resolved-config digests include normalized tool safety; if MCP `tools/list` fails at `plan` time but succeeds at `run` time (or vice versa), effective safety and the digest can change even when project YAML is unchanged (exit **3** drift). `agentctl validate` surfaces non-fatal MCP discovery warnings when listing fails.
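Review bot: item 4 tells authors to pin explicit `spec.safety` for stable digests but does not say that all three fields need pinning. The merge is per field (the Added entry above: author-set YAML fields override MCP per field), so a safety block that sets only `trusted` still takes `sideEffects` and `requiresApproval` from `meta.mcp_flags`, and those unpinned fields can still flip between fail-closed defaults and server-supplied values when `tools/list` fails on one side of `plan`→`run`. Suggest "pin all of `trusted`, `sideEffects`, and `requiresApproval` in `spec.safety`" rather than "pin explicit `spec.safety`". Also, "exit **3** drift" is the first mention of exit code 3 in this section; a pointer to where the drift exit code is documented, as the Added entry does for exit **5** `approval_required`, would help readers hitting it for the first time.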