Hare/yoi
1
1
Fork 0
Code Actions Packages Releases Activity
dbdae3c63f
yoi/.yoi/tickets/00001KVHR3WSN/thread.md

15 KiB
Raw Blame History

作成

LocalTicketBackend によって作成されました。

State changed

Ticket を workspace-panel が queued にしました。

Decision

Routing decision: blocked_pending_dependency

Panel Queue により routing 対象として確認したが、00001KVHR3WSN00001KVHR3WRYdepends_on している。MCP resources/prompts operations は initialized stdio lifecycle を前提にするため、00001KVHR3WRY が closed になるまで実装開始せず queued のまま保持する。

Next:

  • 00001KVHR3WRY が closed になった後、改めて reroute する。

Decision

Routing decision: implementation_ready_parallel

Reason:

  • User directive: 「blocker無いなら並列にやっちゃえよ」。現在 inprogress は 0 件であり、依存 blocker も解消済みのため、この queued Ticket を開始する。
  • 前回は 00001KVHR3WRY stdio lifecycle が未完了だったため blocked/queued hold としたが、現在 00001KVHR3WRY は closed。
  • Ticket body は resources/list, resources/read, prompts/list, prompts/get を explicit tool operations として exposeし、hidden context injection を禁止し、ordinary Tool result/history path・untrusted/bounded content handling・pagination/list bounds を明確にしている。
  • Orchestrator worktree は clean、matching branch/worktree はなし。
  • Risk domain は mcp / resources / prompts / prompt-context / history / untrusted-content だが、Ticket は explicit Tool operations、ordinary history、no hidden injection、bounded/rich content serialization を明示している。bounded context check 後も implementation 前に必要な追加 human decision は見つからなかった。

Evidence checked:

  • Ticket 00001KVHR3WSN body / thread / relations / artifacts。
  • TicketRelationQuery(00001KVHR3WSN): outgoing depends_on 00001KVHR3WRY is now closed。
  • TicketOrchestrationPlanQuery(00001KVHR3WSN): previous blocked_by 00001KVHR3WRY is resolved; accepted plan recorded now。
  • Workspace state:
    • Orchestrator worktree clean at 6ac916c7
    • queued: 00001KVHR3WSN, 00001KVHR3WSW
    • inprogress: 0。
    • spawned child implementation Pods: 0。
    • no matching MCP resources/prompts branch/worktree。

IntentPacket:

Intent:

  • Expose MCP resources/prompts as explicit namespaced Yoi tool operations: resources/list, resources/read, prompts/list, prompts/get
  • Returned resources/prompt templates are untrusted Tool result data and must be recorded through ordinary Tool result/history paths。
  • Do not inject resource/prompt content directly into model context outside Tool history。

Binding decisions / invariants:

  • No hidden context injection path。
  • All returned content/templates are untrusted data。
  • Bound result sizes and rich/embedded content serialization。
  • Handle pagination/list bounds where applicable。
  • Diagnostics identify server/resource/prompt operation without leaking secrets。
  • Do not implement MCP tool execution itself beyond existing completed support。
  • Do not implement list_changed refresh, sampling, or elicitation in this Ticket。
  • Preserve prior MCP lifecycle/tool-call redaction/bounds/ordinary Tool path behavior。

Requirements / acceptance criteria:

  • resources/list and resources/read can be invoked as explicit tools。
  • prompts/list and prompts/get can be invoked as explicit tools。
  • Results are ordinary Tool results and history records。
  • No hidden context injection path is introduced。
  • Oversize/rich content is bounded。
  • Tests cover list/read/get happy paths, untrusted content, bounds, and no hidden injection。

Escalate if:

  • Existing ToolRegistry/provider path cannot represent resources/prompts operations without broad provider-substrate changes。
  • MCP prompt message/content serialization requires product decision beyond safe bounded Tool result data。
  • Hidden context injection would be needed to satisfy a feature expectation; that would violate Ticket intent and must stop。

Next action:

  • Record queued -> inprogress and commit Ticket records before creating implementation worktree and spawning Coder。

State changed

User explicitly authorized parallel implementation when no blocker exists. Ticket body/thread, relation metadata, closed MCP lifecycle dependency, Orchestrator worktree state, visible Pods, existing branch/worktree, and bounded MCP resources/prompts context were checked. Dependency 00001KVHR3WRY is closed, no inprogress/capacity blocker exists, no matching worktree/branch exists, and no missing planning decision was found. Accepting this queued Ticket for implementation before worktree/Pod side effects.

Implementation report

Implementation orchestration start:

  • Acceptance records were committed on Orchestrator branch: b2b4764f ticket: accept mcp resources prompts tools
  • Created implementation worktree /home/hare/Projects/yoi/.worktree/00001KVHR3WSN-mcp-resources-prompts-tools on branch impl/00001KVHR3WSN-mcp-resources-prompts-tools at b2b4764f
  • Spawned Coder Pod yoi-coder-00001KVHR3WSN with write scope limited to the implementation worktree and read-only root scope only for runtime workspace identity。
  • Coder task explicitly forbids root/original workspace implementation, hidden context injection, list_changed/sampling/elicitation scope creep, merge, Ticket close, and cleanup。

Next action:

  • Wait for Coder implementation report, then inspect branch diff/validation evidence and route to Reviewer。

Implementation report

Coder implementation report received from yoi-coder-00001KVHR3WSN.

Implementation commit:

  • 3a22360a mcp: expose resources prompts tools

Changed areas reported:

  • crates/mcp/src/stdio.rs:
    • Added typed MCP protocol structs/helpers for resources/list, resources/read, prompts/list, and prompts/get
    • Added resource/prompt request/result models preserving untrusted server-owned fields as data。
  • crates/pod/src/feature/mcp.rs:
    • Registers explicit namespaced MCP operation tools when server capabilities advertise resources/prompts:
      • Mcp_<server>_resources_list
      • Mcp_<server>_resources_read
      • Mcp_<server>_prompts_list
      • Mcp_<server>_prompts_get
    • Executes these through ordinary Tool path using ToolOutput
    • Serializes resource/prompt content as bounded untrusted JSON tool-result data。
    • Bounds list items, resource contents, prompt messages, text fields, JSON depth/node count, rich embedded blobs/images/audio, and total output bytes。
    • Preserves existing MCP tools/call behavior and redacted diagnostics。
    • Does not add hidden context injection; prompt/resource data is not appended as user/system messages。

Tests reported:

  • Operation tool naming/origin/schema。
  • Discovery registers resource/prompt operations without requiring tools capability。
  • resources/list and resources/read happy paths through ordinary tool output。
  • prompts/list and prompts/get happy paths through ordinary tool output。
  • Untrusted prompt/resource content remains data。
  • Rich/oversize resource/prompt content is bounded/omitted/truncated。

Coder validation reported:

  • cargo test -p pod mcp::tests: passed, 13 tests。
  • cargo check -p pod -p mcp: passed。
  • cargo fmt --all --check: passed。
  • git diff --check: passed。
  • cargo test -p mcp: passed, 12 stdio lifecycle tests。
  • nix build .#yoi --no-link: passed; dirty-tree warning expected because validation ran before commit。

Known deferrals / notes:

  • list_changed refresh remains deferred。
  • Sampling/elicitation not implemented。
  • MCP resources/prompts tools are registered from advertised server capabilities; unsupported capabilities are not exposed as model-visible tools。

Orchestrator evidence checked before review dispatch:

  • Implementation worktree is clean。
  • HEAD is 3a22360a
  • Diff from acceptance b2b4764f..HEAD is one implementation commit touching 2 files, about 1225 insertions / 36 deletions。
  • git diff --check b2b4764f..HEAD produced no diagnostics。

Next action:

  • Dispatch Reviewer for r1 review against Ticket requirements, with focus on explicit tool operations, ordinary Tool result/history path, no hidden context injection, untrusted/bounded content serialization, capability-gated registration, pagination/bounds, no list_changed/sampling/elicitation scope creep, and tests。

Plan

Review dispatch:

  • Spawned Reviewer Pod yoi-reviewer-00001KVHR3WSN-r1 against implementation branch impl/00001KVHR3WSN-mcp-resources-prompts-tools
  • Review target commit: 3a22360a mcp: expose resources prompts tools
  • Review baseline: b2b4764f
  • Reviewer task focuses on explicit tool operations, ordinary Tool result/history path, no hidden context injection, untrusted/bounded resource/prompt content serialization, capability-gated registration, pagination/bounds, diagnostics redaction, no list_changed/sampling/elicitation scope creep, tests, and package validation。
  • Reviewer is instructed not to edit source, commit, merge, close the Ticket, or use TicketReview directly; it will report verdict/evidence back to Orchestrator。

Review: approve

Verdict: approve

確認範囲:

  • Ticket contract / Orchestrator IntentPacket。
  • Implementation diff: b2b4764f..3a22360a
  • 変更 source files:
    • crates/mcp/src/stdio.rs
    • crates/pod/src/feature/mcp.rs
  • Focus: explicit tool exposure、capability-gated registration、ordinary ToolOutput execution、untrusted/bounded serialization、pagination behavior、diagnostics、hidden context injection / sampling / elicitation / list_changed scope creep absence。

Blocking issues: none。

Approval evidence:

  • crates/mcp/src/stdio.rs に resources/prompts protocol structs and request helpers が追加されている。
    • ListResourcesResult, ReadResourceRequest, ReadResourceResult
    • ListPromptsResult, GetPromptRequest, GetPromptResult
    • McpPromptMessage and resource/prompt metadata fields。
  • McpStdioClient exposes explicit request methods only:
    • list_resources_page -> resources/list
    • read_resource -> resources/read
    • list_prompts_page -> prompts/list
    • get_prompt -> prompts/get
  • Registration is capability-gated:
    • resources capability registers only Mcp_<server>_resources_list and Mcp_<server>_resources_read
    • prompts capability registers only Mcp_<server>_prompts_list and Mcp_<server>_prompts_get
    • Existing tools/list discovery is also gated by advertised tools capability。
  • Resource/prompt operations are ordinary Tool implementations:
    • McpStdioProviderOperationTool implements Tool::execute
    • Results are returned as ToolOutput { summary, content }
    • No new SystemItem, hidden history append, hidden user/system message append, or direct context injection path found。
  • Returned content is serialized as JSON-ish untrusted data with explicit marker fields:
    • untrusted_mcp_resources_list_result
    • untrusted_mcp_resources_read_result
    • untrusted_mcp_prompts_list_result
    • untrusted_mcp_prompts_get_result
  • Bounds are applied to list items, resource content count, prompt message count, text fields, _meta, extra/structured JSON depth/node count, rich image/audio blob omitted-data markers, and final rendered content bytes。
  • Stdio reader remains fail-closed for unsupported server-to-client requests; no sampling, elicitation, or list_changed refresh was added。
  • Tests cover operation namespacing, capability-gated registration without tools, resource list/read happy paths, prompt list/get happy paths, untrusted/bounded output, and existing MCP tool execution result serialization/bounds。

Non-blocking follow-ups:

  • “no context injection” は operation tool path / ToolOutput content unit testsで確認されており、E2E history inspection ではない。E2E 未設計の現状では許容だが、将来 MCP/history integration test があるとよい。
  • Shutdown-warning text は result serialization 後に append される。bounded_diagnostic では bounded だが、厳密に post-append final content <= max result output bytes を要求するなら follow-up で final re-bound を追加してもよい。

Reviewer validation:

  • git diff --check b2b4764f..HEAD: passed。
  • cargo fmt --all --check: passed。
  • cargo test -p pod mcp::tests: passed, 13 tests。
  • cargo test -p mcp: passed, 12 tests。
  • cargo check -p pod -p mcp: passed。
  • nix build .#yoi --no-link: passed。

Worktree status at review end: clean。

Implementation report

Merge and final validation report:

Merged implementation branch into Orchestrator branch:

  • Merge commit: 4a4590f8 merge: mcp resources prompts tools
  • Implementation commit included:
    • 3a22360a mcp: expose resources prompts tools

Reviewer outcome:

  • r1 approved with no blocking issues。
  • Reviewer confirmed explicit resources/prompts tool operations, capability-gated registration, ordinary ToolOutput execution, no hidden context injection path, untrusted/bounded serialization, no sampling/elicitation/list_changed scope creep, and focused tests。

Orchestrator validation after merge passed:

  • cargo fmt --all --check
  • git diff --check HEAD^1..HEAD
  • cargo test -p pod mcp::tests
  • cargo test -p mcp
  • cargo check -p pod -p mcp
  • nix build .#yoi --no-link
  • nix path-info -S .#yoi: 113403880

Validation log:

  • /run/user/1000/yoi/yoi-orchestrator/bash-output/bash-4oVSE2.log

Final state:

  • Orchestrator worktree clean at 4a4590f8 after validation。
  • Implementation worktree remains available for cleanup after Ticket completion records are committed。

State changed

Implementation was merged into Orchestrator branch at 4a4590f8, review approved, and final Orchestrator validation passed: cargo fmt --all --check, git diff --check HEAD^1..HEAD, cargo test -p pod mcp::tests, cargo test -p mcp, cargo check -p pod -p mcp, and nix build .#yoi --no-link.