kWwhat mcp#114
Conversation
|
|
||
| ## 3. Transport and protocol | ||
|
|
||
| Use **Streamable HTTP** (MCP spec 2025-03-26). A single `POST /mcp` endpoint handles |
There was a problem hiding this comment.
Latest MCP spec is 2025-11-25. You might want to adopt the latest right-away to avoid creating tech debt
| 2. Client posts to `POST /oauth/token` with `grant_type=client_credentials`, | ||
| `client_id`, `client_secret`. |
There was a problem hiding this comment.
Worth mentioning that the POST should be x-www-form-urlencoded. Example curl:
curl -X POST "$SERVER_URL/oauth2/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=client_credentials" \
-d "client_id=$CLIENT_ID" \
-d "client_secret=$CLIENT_SECRET" \
There was a problem hiding this comment.
@eugene-mobile should I also change endpoint path to /oauth2/token?
| Flow: | ||
| 1. Operator provisions an `API_KEY` (set via env var). | ||
| 2. Client attaches `Authorization: Bearer <api_key>` to every `POST /mcp` request. | ||
| 3. Server compares the header value to `API_KEY` using a constant-time comparison. |
There was a problem hiding this comment.
You probably want a spec on what characters <api_key> can have. HTTP headers have some limitations. Having alpha-numeric requirement is the safest one.
| ## 5. ID validation and PII rejection | ||
|
|
||
| Validated on entry to every tool call, before any database query. | ||
|
|
||
| IDs are passed as-is from the underlying data model — no prefix scheme. Validation | ||
| is limited to: | ||
| - Non-empty string. | ||
| - No `@`, spaces, or other common PII signals (basic heuristic; production would be stricter). | ||
| - Exceeds 64 characters → reject. | ||
|
|
||
| Return `400 Bad Request` with a structured error body (not an MCP tool result) for | ||
| invalid input. Do not log the rejected value. |
There was a problem hiding this comment.
How would you handle queries like this:
"John Doe called from 647-123-1234 and complained he cannot charge his Tesla Model A on a charger near Brickworks. Troubleshoot his problem." ?
There was a problem hiding this comment.
I hope someone else would handle that request, and do 3 tool calls with ids to know more about deriver_id = 1, port_id=2 and finally session_id = 3
| ## 6. Tool output contract | ||
|
|
||
| Every tool returns **both** `structuredContent` (machine-readable, validated against | ||
| `outputSchema`) and a `content[0].text` block (natural-language summary the model can |
There was a problem hiding this comment.
I don't think text is required.
You will need to build a lot in order to form text - which is locked in time.
Just let model on the receiving side get the structured context and create readable text there.
There was a problem hiding this comment.
yeah I am not sure how I am planning to go about this. But it can be a good safeguard against misinterpreting the structured part I think
plan for MCP
corrected terminology
MCP tool definitions
MCP specs version up - Section 3 — added the MCP-Protocol-Version header requirement (HTTP 400 if missing/mismatched) and the HTTP 403 CSRF rule for invalid Origin headers - Section 4 / Mode A — noted that the static env-var credentials are a demo shortcut; production should serve an OAuth Client ID Metadata Document per the 2025-11-25 spec - Section 5 — changed the error response from 400 Bad Request to isError: true tool execution error, matching the spec requirement that lets the model self-correct on bad input
endpoint details
a spec on what characters <api_key> can have
LuuOW
left a comment
LuuOW
left a comment
There was a problem hiding this comment.
Technical audit: Architecture and implementation patterns verified for consistency with MCP ecosystem standards.
daria-sukhareva
force-pushed
the
staging
branch
2 times, most recently
from
5587eb0 to
3a7f992
Compare
3 participants
As part of the demo, there is a value to provide another interface - an MCP with 3 simple tool calls: get context for a charge attempt, a driver and a charger by id.
kWwhat is a narrow ID-in, ID-out context service that returns non-identifying driver, charger, and charge attempt attributes via MCP tool calling.
Currently demo is 3 docker containers - duckdb, dbt, and nao chat.
We will keep adding to it. This PR should deliver an MVP.