46 lines
1.7 KiB
Markdown
46 lines
1.7 KiB
Markdown
---
|
|
title: 'MCP: expose resources and prompts as explicit tool operations'
|
|
state: 'closed'
|
|
created_at: '2026-06-20T05:30:04Z'
|
|
updated_at: '2026-06-20T10:05:16Z'
|
|
assignee: null
|
|
readiness: 'implementation_ready'
|
|
risk_flags: ['mcp', 'resources', 'prompts', 'prompt-context', 'history', 'untrusted-content']
|
|
queued_by: 'workspace-panel'
|
|
queued_at: '2026-06-20T05:58:57Z'
|
|
---
|
|
|
|
## Background
|
|
|
|
MCP resources and prompts must not become hidden context injection. They should be exposed as explicit Yoi tool operations whose results are recorded through ordinary Tool result/history paths.
|
|
|
|
## Requirements
|
|
|
|
- Expose MCP resources/prompts as explicit namespaced Yoi tool operations: `resources/list`, `resources/read`, `prompts/list`, and `prompts/get`.
|
|
- Treat returned content/templates as untrusted tool result data.
|
|
- Do not inject resource/prompt content directly into context outside history/tool result.
|
|
- Bound result sizes and rich/embedded content serialization.
|
|
- Handle pagination/list bounds where applicable.
|
|
- Diagnostics identify server/resource/prompt operation without leaking secrets.
|
|
|
|
## Acceptance criteria
|
|
|
|
- `resources/list` and `resources/read` can be invoked as explicit tools.
|
|
- `prompts/list` and `prompts/get` can be invoked as explicit tools.
|
|
- Results are ordinary Tool results and history records.
|
|
- No hidden context injection path is introduced.
|
|
- Oversize/rich content is bounded.
|
|
- Tests cover list/read/get happy paths, untrusted content, bounds, and no hidden injection.
|
|
|
|
## Non-goals
|
|
|
|
- MCP tool execution itself.
|
|
- list_changed notification refresh.
|
|
- Sampling/elicitation.
|
|
|
|
## Related work
|
|
|
|
- Depends on `00001KVHR3WRY`.
|
|
- Related to `00001KVHR3WSD` for result serialization policy.
|
|
- Objective: `00001KTR80WMN`.
|