Skip to content

MCP calls join the audit trail; servers gain a readonly flag#49

Merged
RatulMaharaj merged 1 commit into
mainfrom
feat/mcp-audit-readonly
Jul 5, 2026
Merged

MCP calls join the audit trail; servers gain a readonly flag#49
RatulMaharaj merged 1 commit into
mainfrom
feat/mcp-audit-readonly

Conversation

@RatulMaharaj

Copy link
Copy Markdown
Member

The app-level half of Plan 6's MCP gap (gap 2): MCP tool calls were invisible to the audit trail, and there was no way to constrain a server to its read-only tools.

What changed

  • Audit: every mcp__<server>__<tool> call is recorded to the audit trail (kind mcp, tool name + whether it succeeded), alongside the run's permission decisions. Implemented as a per-run wrap in AgentService.#buildTools via withMcpAudit, so the MCP connection layer stays unchanged.
  • readonly: server flag: readonly: true under tools.mcp exposes only tools whose readOnlyHint annotation marks them read-only. The hint is self-reported by the server, so this guards against misconfiguration; declaring the server remains the trust decision. Composes with include:.
  • Schema: schema/agent.json regenerated with the new field.
  • Plan 6 (plans/006-security.md, new): enforcement layers, the egress gaps, hermetic mode design, per-agent egress enforcement deferred to the platform, include: recognized as the MCP permission surface.
  • Docs: permission-model.md rebuilt around the four permission types with allowed/blocked examples and a "Where the boundaries stop today" section; permissions.md documents the wrapper-binary limits of run allowlists (bash -c, interpreters); tools.md documents readonly: and MCP auditing.
  • Changeset: @looped/core minor.

Tests

  • mcpToolsFromClient readonly filtering (annotation-less tools drop out)
  • withMcpAudit records every call and marks errors ok: false
  • Full suite: 103 passed, fmt/lint/check clean

Related: #48 (af validate warnings), plans/006-security.md sequencing.

🤖 Generated with Claude Code

Plan 6 (security): the app-level half of the MCP gap. Every
mcp__<server>__<tool> call is recorded to the audit trail (kind "mcp",
tool name + success), so a transcript is no longer the only record of
what an agent did over MCP. A new `readonly: true` server option
exposes only tools whose readOnlyHint annotation marks them read-only.

Also lands plans/006-security.md (enforcement layers, egress gaps,
hermetic mode; egress enforcement deferred to the platform) and the
docs rework: permission-model.md rebuilt around the four permission
types with allowed/blocked examples and an honest boundaries section,
permissions.md documents the wrapper-binary limits of run allowlists.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@RatulMaharaj RatulMaharaj force-pushed the feat/mcp-audit-readonly branch from 1baaff1 to 08de18b Compare July 5, 2026 20:57
@RatulMaharaj RatulMaharaj merged commit a88d189 into main Jul 5, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant