MCP calls join the audit trail; servers gain a readonly flag#49
Merged
Conversation
Plan 6 (security): the app-level half of the MCP gap. Every mcp__<server>__<tool> call is recorded to the audit trail (kind "mcp", tool name + success), so a transcript is no longer the only record of what an agent did over MCP. A new `readonly: true` server option exposes only tools whose readOnlyHint annotation marks them read-only. Also lands plans/006-security.md (enforcement layers, egress gaps, hermetic mode; egress enforcement deferred to the platform) and the docs rework: permission-model.md rebuilt around the four permission types with allowed/blocked examples and an honest boundaries section, permissions.md documents the wrapper-binary limits of run allowlists. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1baaff1 to
08de18b
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The app-level half of Plan 6's MCP gap (gap 2): MCP tool calls were invisible to the audit trail, and there was no way to constrain a server to its read-only tools.
What changed
mcp__<server>__<tool>call is recorded to the audit trail (kindmcp, tool name + whether it succeeded), alongside the run's permission decisions. Implemented as a per-run wrap inAgentService.#buildToolsviawithMcpAudit, so the MCP connection layer stays unchanged.readonly:server flag:readonly: trueundertools.mcpexposes only tools whosereadOnlyHintannotation marks them read-only. The hint is self-reported by the server, so this guards against misconfiguration; declaring the server remains the trust decision. Composes withinclude:.schema/agent.jsonregenerated with the new field.plans/006-security.md, new): enforcement layers, the egress gaps, hermetic mode design, per-agent egress enforcement deferred to the platform,include:recognized as the MCP permission surface.permission-model.mdrebuilt around the four permission types with allowed/blocked examples and a "Where the boundaries stop today" section;permissions.mddocuments the wrapper-binary limits of run allowlists (bash -c, interpreters);tools.mddocumentsreadonly:and MCP auditing.@looped/coreminor.Tests
mcpToolsFromClientreadonly filtering (annotation-less tools drop out)withMcpAuditrecords every call and marks errorsok: falseRelated: #48 (af validate warnings), plans/006-security.md sequencing.
🤖 Generated with Claude Code