docs: add best practices for server and client implementors#36
Draft
tadasant wants to merge 11 commits into
Draft
docs: add best practices for server and client implementors#36tadasant wants to merge 11 commits into
tadasant wants to merge 11 commits into
Conversation
Add docs/best-practices.md with two sections — one for server implementors (serve and fully populate a Server Card; link it from an AI catalog entry at your primary/internal domain) and one for client implementors (detect catalogs on touched domains, surface install opportunities, install mid-turn with tool-like permissions, and let enterprises configure the flow). Link it from the README overview and References. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Address fresh-eyes review: discovery.md distinguishes the present-day "MCP Catalog" from the broader, forward-looking "AI Catalog". Lead with "MCP Catalog" where the concrete current mechanism is meant, keeping the AI Catalog reference for the cross-protocol form. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Per maintainer feedback, distinguish the two purposes: a Server Card is the connection entry point (how to connect, plus incoming requirements like auth) and is useful on its own when a client already knows the URL, whereas a catalog distributes discovery points so clients can find that URL. Link the pending auth-scenarios (#13) and tool-metadata (#30) backlog issues where the card's incoming requirements are being expanded. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Address re-review: the card "advertises" connection requirements as a hint and is read before connecting, so cross-link discovery.md's "MUST NOT treat as authoritative for access control" caveat to avoid implying the card is a security source of truth. Also trim a redundant connect-vs-find sentence in the catalog bullet. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The "notice the domains you touch" guidance was too vague. Reframe it around the real trigger — any moment a domain enters the session — and enumerate concrete hook points: a pre-tool-invocation hook on native fetch/browse tooling (e.g. a PreToolUse-style hook on WebFetch), URLs surfaced by already-connected MCP servers (tool results, resource links), domains revealed structurally during OAuth/connection, and user/project signals. Add a "keep probing cheap and respectful" note covering negative caching, Cache-Control, and the privacy reason to let enterprises scope it. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Per re-review: CORS is a MUST on discovery endpoints but caching is only a SHOULD, so phrase it "CORS headers (and usually cache headers)" and note the probe works even from a browser client. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Per maintainer direction, this PR no longer mentions the MCP Catalog. Frame catalog discovery solely around the AI Catalog: link Server Cards from an AI Catalog entry (/.well-known/ai-catalog.json), probe domains for an AI Catalog with an MCP entry, and reference discovery.md's "Relationship to AI Catalog" section. discovery.md itself is left unchanged (its MCP Catalog content is out of scope for this docs PR). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Rework the client probing guidance from a generic "probe every domain that surfaces" list into a few intentional integration points grounded in Goose (Block's OSS MCP agent), per maintainer feedback that scanning every message for domains is heavy-handed. New subsections: - Probe on a deliberate fetch (PreToolUse hook matched to the Computer Controller web_scrape tool) - Probe domains a project already points at (.goosehints / AGENTS.md / recipes via a SessionStart/UserPromptSubmit hook) - Offer a hit as a one-click extension install (goose:// deep link / config.yaml — a Goose extension is itself an MCP server) - Gate the install behind Goose's existing permission modes - Keep probing cheap, and let enterprises scope it (caching, privacy, gateway escalation) All Goose specifics verified against the live docs at goose-docs.ai. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Address re-review:
- The intro implied discovery.md normatively defines the catalog probing
path; scope that pointer to Server Cards and point the catalog format
at the AI Catalog spec, so it does not over-promise (discovery.md does
not normatively define the AI Catalog flow). No MCP Catalog mention.
- Soften the web_scrape reference ("`web_scrape` in current builds")
since Goose's public extension docs do not enumerate tool names.
- Use "never allow" to match Goose's per-tool permission label.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…spectrum Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Adds
docs/best-practices.md— advisory guidance for the two sides of the Server Card ecosystem — and links it from the README. Docs-only; no schema or code changes.Server Implementors
Recommends serving a Server Card for any remote MCP server, framed as the server's connection entry point (advertises transport endpoints, protocol versions, and a hint at incoming requirements like auth, before initialization). Notes the card is valuable on its own even without a catalog (a client that already knows your URL can point at it directly), that it's advisory and MUST NOT be treated as authoritative for access control, that non-remote servers belong in the MCP Registry's
server.jsoninstead, that internal-but-remote servers should still serve a card, and that you should also list it in an AI Catalog entry on the domain people associate with your service. Links the pending auth-scenarios (#13) and tool-metadata (#30) discussions.Client Implementors
Frames in-session discovery as a spectrum of integration points rather than prescribing one approach — explicitly "do what fits your client." All examples are grounded in Goose, Block's open-source MCP agent (whose extensions are themselves MCP servers), and verified against the live docs:
blocked.txt), discovery can ride the same seam — probe new destination domains in the background and cachedomain → catalog.PreToolUselifecycle hook matched to a web-fetch tool reads the target URL and probes that host..goosehints/AGENTS.md/ a recipe, probed once per session viaSessionStart/UserPromptSubmit.goose://extension?...&type=streamable_httpdeep link (or aconfig.yamlblock); installs mid-turn, making clear which domain.Cache-Control, allow enterprise disable / allowlist / gateway escalation.Why
The repo had no implementor-facing guidance on when/why to serve a card or how a client should discover and offer servers. This collects recommendations on top of the normative mechanics in the README,
discovery.md, and the AI Catalog spec.Scope notes
/.well-known/ai-catalog.json) as the discovery document, per maintainer direction to focus on AI Catalog and not the MCP Catalog.discovery.mdstill documents the older MCP Catalog; reconciling it is intentionally out of scope (tracked separately by Remove the MCP Catalog #26). The intro is scoped so the two docs don't actively contradict.Verification
npm run checkpasses (schema.json in sync with schema.ts; tsc compiles) — green in CInpm run validatepasses (examples validate against schema.json) — green in CInpm run format:check/ prettier passes on the new and edited Markdown — green in CIdiscovery.md#relationship-to-ai-catalog,#consistency-with-runtime-behavior,README.md#relationship-to-the-mcp-registry, intra-file#keep-probing-cheap-and-let-enterprises-scope-it)blocked.txt, lifecycle hooks, extension deep-link format, permission modes) verified against live goose-docs.aiwell-known/mcpreferences introduced (grep-clean)docs/andREADME.md