Apply suggestions from code review

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: jeffhandley

docs/concepts/pagination/pagination.md

@@ -7,7 +7,7 @@ uid: pagination
 
 ## Pagination
 
-MCP uses [cursor-based pagination] for list operations that may return large result sets. This applies to listing tools, prompts, resources, and resource templates.
+MCP uses [cursor-based pagination] for all list operations that may return large result sets.
 
 [cursor-based pagination]: https://modelcontextprotocol.io/specification/2025-11-25/server/utilities/pagination
 

docs/concepts/resources/resources.md

@@ -41,17 +41,34 @@ Template resources use [URI templates (RFC 6570)] with parameters. They are retu
 [McpServerResourceType]
 public class FileResources
 {
+    // Configure a root directory for all file:// resources
+    private static readonly string RootDirectory = Path.GetFullPath(AppContext.BaseDirectory);
+
     [McpServerResource(UriTemplate = "file:///{path}", Name = "File Resource")]
-    [Description("Reads a file by its path")]
+    [Description("Reads a file by its path within the configured root directory")]
     public static ResourceContents ReadFile(string path)
     {
-        if (File.Exists(path))
+        if (string.IsNullOrWhiteSpace(path))
+        {
+            throw new McpException("Path must be provided.");
+        }
+
+        // Combine the requested path with the root directory and canonicalize it
+        var fullPath = Path.GetFullPath(Path.Combine(RootDirectory, path));
+
+        // Ensure the final path is still under the allowed root directory
+        if (!fullPath.StartsWith(RootDirectory, StringComparison.OrdinalIgnoreCase))
+        {
+            throw new McpException("Requested file path is outside the allowed directory.");
+        }
+
+        if (File.Exists(fullPath))
         {
             return new TextResourceContents
             {
                 Uri = $"file:///{path}",
                 MimeType = "text/plain",
-                Text = File.ReadAllText(path)
+                Text = File.ReadAllText(fullPath)
             };
         }
 

docs/concepts/transports/transports.md

@@ -130,7 +130,7 @@ See the `ModelContextProtocol.AspNetCore` package [README](https://github.com/mo
 
 The [SSE (Server-Sent Events)] transport is a legacy mechanism that uses unidirectional server-to-client streaming with a separate HTTP endpoint for client-to-server messages. New implementations should prefer Streamable HTTP.
 
-[SSE (Server-Sent Events)]: https://modelcontextprotocol.io/specification/2025-03-26/basic/transports#http-with-sse
+[SSE (Server-Sent Events)]: https://modelcontextprotocol.io/specification/2024-11-05/basic/transports#http-with-sse
 
 > [!NOTE]
 > The SSE transport is considered legacy. The [Streamable HTTP](#streamable-http-transport) transport is the recommended approach for HTTP-based communication and supports bidirectional streaming.