From b0225e48b8b9ac6ac38eb9f03289946231ef352a Mon Sep 17 00:00:00 2001
From: Hare <kei.hiracchi.0928@gmail.com>
Date: Sat, 20 Jun 2026 15:56:29 +0900
Subject: [PATCH] ticket: accept mcp stdio config trust

---
 .../artifacts/orchestration-plan.jsonl        |  1 +
 .yoi/tickets/00001KVHR3WRF/item.md            |  4 +-
 .yoi/tickets/00001KVHR3WRF/thread.md          | 66 +++++++++++++++++++
 3 files changed, 69 insertions(+), 2 deletions(-)

diff --git a/.yoi/tickets/00001KVHR3WRF/artifacts/orchestration-plan.jsonl b/.yoi/tickets/00001KVHR3WRF/artifacts/orchestration-plan.jsonl
index 9d601353..b32ba35f 100644
--- a/.yoi/tickets/00001KVHR3WRF/artifacts/orchestration-plan.jsonl
+++ b/.yoi/tickets/00001KVHR3WRF/artifacts/orchestration-plan.jsonl
@@ -1 +1,2 @@
 {"id":"orch-plan-20260620-060022-1","ticket_id":"00001KVHR3WRF","kind":"waiting_capacity_note","note":"Panel Queue was accepted for routing review, but implementation is held because `00001KVHKWNQS` is currently inprogress with active Coder work. Leave this MCP foundation Ticket queued; reroute when current implementation capacity is free.","author":"yoi-orchestrator","at":"2026-06-20T06:00:22Z"}
+{"id":"orch-plan-20260620-065554-2","ticket_id":"00001KVHR3WRF","kind":"accepted_plan","accepted_plan":{"summary":"Named local stdio MCP server configuration and trust policy metadataを追加する。This Ticket only parses/validates config and diagnostics; it must not spawn subprocesses or implement JSON-RPC lifecycle. Command/env/secret fields must fail closed, redact sensitive values, and document that local MCP executables run with user OS permissions outside Yoi feature sandbox authority.","branch":"impl/00001KVHR3WRF-mcp-stdio-config-trust","worktree":"/home/hare/Projects/yoi/.worktree/00001KVHR3WRF-mcp-stdio-config-trust","role_plan":"Orchestrator は acceptance records を commit 後、専用 implementation worktree `.worktree/00001KVHR3WRF-mcp-stdio-config-trust` を作成し、Coder をその child worktree への narrow write scope で起動する。Coder 実装後、Reviewer が config schema、trust boundary docs、secret redaction、fail-closed validation、no auto-start/no process execution、Profile/config layering separation を確認する。"},"author":"yoi-orchestrator","at":"2026-06-20T06:55:54Z"}
diff --git a/.yoi/tickets/00001KVHR3WRF/item.md b/.yoi/tickets/00001KVHR3WRF/item.md
index b4d8d486..985051d0 100644
--- a/.yoi/tickets/00001KVHR3WRF/item.md
+++ b/.yoi/tickets/00001KVHR3WRF/item.md
@@ -1,8 +1,8 @@
 ---
 title: 'MCP: add local stdio server config and trust policy'
-state: 'queued'
+state: 'inprogress'
 created_at: '2026-06-20T05:30:04Z'
-updated_at: '2026-06-20T06:00:44Z'
+updated_at: '2026-06-20T06:56:23Z'
 assignee: null
 readiness: 'implementation_ready'
 risk_flags: ['mcp', 'config', 'trust-boundary', 'secrets', 'process-exec']
diff --git a/.yoi/tickets/00001KVHR3WRF/thread.md b/.yoi/tickets/00001KVHR3WRF/thread.md
index c1ad93f7..84e975a2 100644
--- a/.yoi/tickets/00001KVHR3WRF/thread.md
+++ b/.yoi/tickets/00001KVHR3WRF/thread.md
@@ -33,3 +33,69 @@ Next:
 - `00001KVHKWNQS` が完了して実装 capacity が空いた後、改めて reroute する。
 
 ---
+
+<!-- event: decision author: yoi-orchestrator at: 2026-06-20T06:56:16Z -->
+
+## Decision
+
+Routing decision: implementation_ready
+
+Reason:
+- Panel Queue により、この Ticket は Orchestrator routing 対象として明示許可された。
+- Ticket body は local stdio MCP server configuration / trust policy の範囲を、spawning/lifecycle を含まない config parse/validation/diagnostics Ticket として明確に定義している。
+- 前回の waiting_capacity note は `00001KVHKWNQS` が inprogress だったためだが、現在 `00001KVHKWNQS` は closed で capacity blocker は解消済み。
+- `00001KVHR3WRF` 自身には未解決 blocking relation はない。Incoming `00001KVHR3WRY depends_on this` は後続 Ticket であり blocker ではない。
+- 現在 inprogress は 0 件、child implementation Pods はなし、matching branch/worktree はなし、Orchestrator worktree は clean。
+- Risk domain は mcp / config / trust-boundary / secrets / process-exec だが、Ticket は no process spawning、no auto-start、secret redaction、local executable trust boundary、Plugin permissions / `pod::feature` authority separation などの invariants を明示している。bounded context check 後も implementation 前に必要な追加 human decision は見つからなかった。
+
+Evidence checked:
+- Ticket `00001KVHR3WRF` body / thread / relations / artifacts。
+- `TicketRelationQuery(00001KVHR3WRF)`: no outgoing blocking dependency; incoming lifecycle Ticket depends on this。
+- `TicketOrchestrationPlanQuery(00001KVHR3WRF)`: previous waiting capacity note resolved by `00001KVHKWNQS` closure; accepted plan recorded now。
+- Workspace state:
+  - Orchestrator worktree clean at `a5df9e37`。
+  - queued: MCP chain remains queued。
+  - inprogress: 0。
+  - visible Pods: self + peers only; spawned children 0。
+  - no matching MCP implementation branch/worktree。
+
+IntentPacket:
+
+Intent:
+- Add typed Profile/config support for named local stdio MCP servers and the trust-policy diagnostics around that config。
+- This Ticket is intentionally config-only: parse, validate, redact, and document; do not spawn processes or implement JSON-RPC lifecycle。
+
+Binding decisions / invariants:
+- No package/workspace presence auto-start。Config alone must not spawn an MCP process。
+- Local stdio MCP servers are local executables running with user OS permissions; Yoi feature authority does not sandbox OS-level side effects。
+- Keep MCP config/trust policy separate from Plugin permissions and `pod::feature` authority。
+- Config must be explicit and named; no implicit discovery or auto-enablement。
+- Command/args/cwd/env/secret-related configuration must validate fail-closed with bounded diagnostics。
+- Secret/env values must be redacted in diagnostics/log/model-facing surfaces; do not persist plaintext secrets through errors/debug output。
+- This Ticket must not implement initialize/capability negotiation, tool/resource/prompt registration, streamable HTTP/OAuth/remote MCP, or subprocess spawning。
+
+Requirements / acceptance criteria:
+- A Profile/config can declare a named local stdio MCP server。
+- Invalid command/env/secret config is rejected with bounded diagnostic。
+- Secrets are not emitted in plaintext diagnostics/log/model context。
+- Config alone does not spawn a process。
+- Docs explain that configured local MCP servers are not OS-sandboxed by Yoi feature authority。
+- Tests cover valid config, invalid config, secret redaction, and no auto-start。
+
+Escalate if:
+- Existing Profile/config model cannot represent MCP server declarations without a broader config/profile schema decision。
+- Secret reference representation would require changing the local secret-store policy rather than referencing existing secret/env abstractions。
+- Tests require actual process spawning; that belongs to a later Ticket, not this one。
+
+Next action:
+- Record `queued -> inprogress` and commit Ticket records before creating the implementation worktree and spawning Coder。
+
+---
+
+<!-- event: state_changed author: yoi-orchestrator at: 2026-06-20T06:56:23Z from: queued to: inprogress reason: orchestrator_acceptance_mcp_stdio_config_trust field: state -->
+
+## State changed
+
+Ticket body/thread, relation metadata, resolved capacity blocker, Orchestrator worktree state, visible Pods, existing branch/worktree, and bounded MCP config/trust context were checked. There is no unresolved blocking dependency, no inprogress/capacity blocker, and no missing planning decision. Accepting this queued Ticket for implementation before worktree/Pod side effects.
+
+---