feat(mcp): wire tool discovery to spec.safety via meta.mcp_flags #125

@leo-aa88

Summary

PR #124 introduced spec.SafetyFromMCPMeta and spec.MergeToolSafety for mapping MCP tool descriptor metadata onto spec.safety, but no production path calls them yet. Author-set spec.safety in YAML is the only source of truth today.

This issue tracks wiring MCP tool discovery / registry merge so server-provided flags populate tool safety with correct precedence.

Motivation

Issue #103 defined precedence:

explicit Policy rule  >  spec.safety (author-set)  >  MCP meta.mcp_flags  >  fail-closed default

Without discovery wiring, MCP tools always fall through to fail-closed defaults unless authors duplicate flags in YAML.

Scope

In scope

  • When MCP tools are listed/discovered (stdio or HTTP transport), read meta.mcp_flags.{trusted,side_effects,requires_approval} and map via spec.SafetyFromMCPMeta.
  • Merge with author spec.safety using spec.MergeToolSafety (author wins per field when set).
  • Run merge before or as part of NormalizeProjectGraph / graph load so validate, plan, and run see effective safety.
  • Unit/integration tests: MCP meta only, author overrides MCP, missing meta → fail-closed.

Out of scope

Acceptance criteria

  • MCP-discovered tools without author spec.safety inherit flags from meta.mcp_flags when present.
  • Author spec.safety fields override MCP for the same field; unset author fields can fall back to MCP.
  • Documented in CHANGELOG when shipped; remove or update the “Not yet wired” note in CHANGELOG.md.
  • Tests cover merge precedence and at least one MCP transport path (mock server acceptable).

References

Notes

Discovery hook point may be internal/tools/mcp and/or project loader / registry — confirm where tool descriptors are first merged into ProjectGraph.Tools before implementing.
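The precedence from the Motivation section, resolved per field, as an added example that is not part of the original issue or the project's code. `Safety`, `Effective`, `FromMeta`, `pick` and `Resolve` are hypothetical stand-ins (not `spec.SafetyFromMCPMeta` / `spec.MergeToolSafety`), the explicit Policy rule layer is omitted, and the fail-closed values (untrusted, side effects assumed, approval required) are an assumption, since the issue does not spell them out.

```go
package main

import "fmt"

// Safety is a hypothetical tri-state view of a tool's flags; nil means "unset".
type Safety struct{ Trusted, SideEffects, RequiresApproval *bool }

// Effective holds the resolved flags that validate, plan and run would see.
type Effective struct{ Trusted, SideEffects, RequiresApproval bool }

// flag accepts only a real boolean; a string like "false" or a missing key stays unset.
func flag(m map[string]any, key string) *bool {
	if b, ok := m[key].(bool); ok {
		return &b
	}
	return nil
}

// FromMeta reads meta.mcp_flags from a decoded tool descriptor (server-supplied input).
func FromMeta(meta map[string]any) Safety {
	flags, _ := meta["mcp_flags"].(map[string]any)
	return Safety{flag(flags, "trusted"), flag(flags, "side_effects"), flag(flags, "requires_approval")}
}

// pick returns the first layer that is set, in precedence order, else the default.
func pick(def bool, layers ...*bool) bool {
	for _, l := range layers {
		if l != nil {
			return *l
		}
	}
	return def
}

// Resolve applies author > MCP meta > fail-closed default (assumed values) per field.
func Resolve(author, mcp Safety) Effective {
	return Effective{
		Trusted:          pick(false, author.Trusted, mcp.Trusted),
		SideEffects:      pick(true, author.SideEffects, mcp.SideEffects),
		RequiresApproval: pick(true, author.RequiresApproval, mcp.RequiresApproval),
	}
}

func main() {
	// Constructed descriptor: requires_approval is a string, so it is ignored.
	meta := map[string]any{"mcp_flags": map[string]any{"trusted": true, "side_effects": false, "requires_approval": "false"}}
	yes := true
	fmt.Printf("%+v\n", Resolve(Safety{SideEffects: &yes}, FromMeta(meta)))
}
```

A malformed flag falling back to the default rather than to a zero value is the case a "missing meta → fail-closed" test should also cover.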
