Skip to main content

Shared taxonomies and decorator for MCP tools to self-declare ADR 0016 Layer-1 facts (risk, content trust, idempotency, lifecycle).

Project description

mcp-tool-contract

Shared taxonomies and a @tool decorator that let an MCP tool self-declare the facts about itself that only its author knows for certain: risk level, content trustworthiness, idempotency, and lifecycle (version/deprecation).

This implements Layer 1 ("Facts") of ADR 0016 in central-mcp-gateway. Every upstream MCP service the gateway aggregates is owned by the same team, so instead of the gateway guessing these facts from a tool's name/description (or requiring them to be re-declared by hand in a separate catalog file), the tool's own definition is the single source of truth and the gateway reads it from tools/list.

Install

pip install mcp-tool-contract

or with uv:

uv add mcp-tool-contract

Usage

from mcp_tool_contract import tool, tool_annotations

@tool(
    risk="external-publication",   # one of RISK_LEVELS
    content_trust="trusted",       # one of CONTENT_TRUST_LEVELS
    idempotent=False,
    version="2.1.0",
)
def post_update(...):
    ...

When your MCP server framework builds the tools/list response for a tool, merge tool_annotations(post_update) into that tool's annotations dict alongside its real inputSchema and description (which this package does not touch — your framework already derives those from the function signature/docstring).

tool_annotations() returns {} for an undeclared function, so adoption can be incremental: undecorated tools simply fall back to the gateway's existing name/description heuristic, exactly as before.

Taxonomies

  • RISK_LEVELS / RISK_LEVEL_ORDERread-only < low-risk-write < high-risk-write < external-publication < paid-operation < destructive.
  • CONTENT_TRUST_LEVELStrusted, untrusted, sensitive, prompt-injection-prone. Orthogonal to risk: a read-only tool can still return untrusted or adversarial content.

An unrecognised value for either field raises ValueError at decoration time — a typo in the upstream fails that upstream's own CI, instead of silently falling back to the gateway's heuristic.

Trust boundary

The gateway remains the single point of control (ADR 0001). A declared fact is the default; the gateway's static catalog may still veto or override any tool's effective risk, content-trust, or schema (ADR 0016 Layer 3), and an anti-downgrade check flags any tool whose effective risk or content-trust weakens between discovery cycles without a recorded catalog override.

Release

Bump version in pyproject.toml, then tag and push:

git tag v0.2.0
git push origin v0.2.0

.github/workflows/publish.yml builds and publishes the tagged version to PyPI.

Development

uv sync --extra dev
uv run pytest
uv run ruff check .

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mcp_tool_contract-0.1.0.tar.gz (5.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mcp_tool_contract-0.1.0-py3-none-any.whl (5.1 kB view details)

Uploaded Python 3

File details

Details for the file mcp_tool_contract-0.1.0.tar.gz.

File metadata

  • Download URL: mcp_tool_contract-0.1.0.tar.gz
  • Upload date:
  • Size: 5.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mcp_tool_contract-0.1.0.tar.gz
Algorithm Hash digest
SHA256 bdcba3506a3c73a79797e86c7e84857bddde504e0e2d34b4d3c8405a6cbe5596
MD5 5b87a6280eda6000eaa0fc2318d1f927
BLAKE2b-256 478365b7aa7c495d39d4fc4e89c6e3e710342dfb174b84a9d7ced00ab8d5b4ea

See more details on using hashes here.

File details

Details for the file mcp_tool_contract-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for mcp_tool_contract-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 35e7c53373eb00ad447343cc36a4499749c411ca920273fb67a24c7623646938
MD5 e7aee9fa5ac9b5c580cb15bfa94edc04
BLAKE2b-256 7bfa49344f2510958852473dae62c605b8c5027d69146e2447d3013c688d86ab

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page