docs: reconcile rulebook with the 102-rule pack and index the mcp family#3
Merged
Conversation
The pack grew to 102 rules across 45 files (incl. the new 14-rule mcp pack), but the rulebook totals were stale and its generated indexes omitted mcp entirely. - tools/gen_index.py: add the mcp family to SDK_ORDER/SDK_LABEL/SDK_FULL so MCP rules are projected into the index instead of silently dropped. - Regenerate POLICY_INDEX.md (master + per-SDK) and add mcp/POLICY_INDEX.md; gen_index.py --check now passes at 102 rules. - README.md: correct the stale "Current totals" table to 102 shipped / 88 documented, with an honest note on the 14 undocumented MCP rules. - docs/policy-rationale-doc-template-guide.md: fix broken example paths. Authoring the 14 MCP rationale docs (MCP-001..014) remains the standing gap and is intentionally out of scope here.
The consistency gate (check_rulebook.py --strict) requires a rationale doc
for every shipped rule; the mcp/ pack (MCP-001..014) had none, so CI was
red on 14 coverage errors.
Add docs/Policy/mcp/{tool_definition,network,path_safety,error_handling,
idempotency,ssrf,code_execution,shell_safety}.md, each modeled on the
existing same-topic docs in the other SDK chapters and framed for the MCP
trust boundary (model-controlled inputs from an external orchestrator, no
human in the loop, server shared across clients). Front-matter
severity/confidence/scope copied verbatim from the pack.
check_rulebook.py --strict and gen_index.py --check both pass (102 rules,
45 docs).
PR #2 (feat/mcp-rationale-docs) added the MCP rationale docs to main concurrently with this branch. Resolved the 8 docs/Policy/mcp/*.md add/add conflicts in favor of main's already-merged versions. This branch retains its unique contribution, which PR #2 did not include: the tools/gen_index.py `mcp` family fix, the regenerated indexes (master + per-SDK + new mcp/POLICY_INDEX.md), the README totals, and the template-guide path fixes. Without the gen_index fix, main's index silently omits all 14 MCP rules. Both gates green: check_rulebook.py --strict and gen_index.py --check.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Catches the rulebook up to the current 102-rule pack (which now includes the 14-rule
mcp/pack) on every axis: the generated indexes, the totals, and the per-rule rationale docs. CI is green.Commit 1 — index the mcp family + fix stale totals
tools/gen_index.py— added themcpfamily toSDK_ORDER/SDK_LABEL/SDK_FULL. Without it the generator omitted all MCP rules from the index.POLICY_INDEX.md(master + per-SDK) + newmcp/POLICY_INDEX.md— regenerated from the pack.gen_index.py --checknow passes (102 rules); it was failing on 4 stale index files.README.md— the "Current totals" table was badly stale (~43 rules). Reconciled to the real counts.docs/policy-rationale-doc-template-guide.md— fixed broken example paths in the guide.Commit 2 — rationale docs for all 14 MCP rules
The consistency gate (
check_rulebook.py --strict) requires a rationale doc for every shipped rule; themcp/pack had none, so CI was red on 14 coverage errors. Addeddocs/Policy/mcp/{tool_definition,network,path_safety,error_handling,idempotency,ssrf,code_execution,shell_safety}.md(8 docs covering MCP-001..014).references,fix_type, and threat-model structure are grounded in already-reviewed precedent rather than invented.severity/confidence/scopeis copied verbatim from the pack (the gate checks to 1e-9).has_code_exec_call,code_execfact ints_handler_facts.go, the HTTP-callee sets inheuristics.go/ts_handler_facts.go), including the MCP-specific trust-boundary framing (model-controlled inputs from an external orchestrator, no human in the loop, server shared across clients).Result
check_rulebook.py --strict→ OK (102 rules, 45 docs, 0 errors).gen_index.py --check→ OK (102 rules).Reviewer notes
tools/gen_index.py(the index generator); the regeneratedPOLICY_INDEX.mdfiles are its output.gen_index.pywrite path needs 3.10+; the machine default is 3.9 — a latent tooling nit, noted but not fixed here).