molecule-ai/molecule-mcp-server
35
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: expand KI-002 resolution with MCP SDK validateToolInput explanation

Browse Source 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Molecule AI · plugin-dev 2026-04-21 08:10:17 +00:00
parent 2e044ee2f9
commit fa91d82c41
1 changed files with 22 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
known-issues.md
View File

@ -54,16 +54,32 @@ from the platform trace header (`X-Trace-ID` or similar).
## KI-002 — Tool input schemas are not validated before passing to handlers
**File:** `src/tools/*.ts` (tool handlers)
**Status:** Resolved
**Status:** Resolved — validation is handled by the MCP SDK framework
**Severity:** High
### Resolution
The `@modelcontextprotocol/sdk` server framework already calls
The `@modelcontextprotocol/sdk` server framework (`src/server/mcp.js`) calls
`validateToolInput(tool, args, toolName)` before dispatching to any handler.
It uses `zod.safeParseAsync()` against the tool's `inputSchema` (a Zod object
or raw shape) and returns `INVALID_ARGUMENTS` on parse failure — no handler
code change needed. Each tool's `srv.tool(..., inputSchema)` already satisfies
this requirement. No code change required.
It uses `safeParseAsync()` against the tool's `inputSchema` (a Zod object
or raw shape) and throws `McpError(ErrorCode.InvalidParams, ...)` on parse
failure — which the SDK maps to an `INVALID_ARGUMENTS` MCP response.
Concretely:
1. `srv.tool(name, desc, inputSchema, handler)` registers the schema.
2. On every call, the SDK calls `validateToolInput(tool, request.params.arguments)`.
3. `safeParseAsync(schemaToParse, args)` runs — `args` must match the Zod schema.
4. On failure, an `INVALID_ARGUMENTS` MCP error is returned. **Handlers never
receive invalid input** — the SDK short-circuits before the handler is called.
Each handler in `src/tools/*.ts` therefore does **not** need its own Zod
validation layer. Adding one would be redundant. The existing `srv.tool(..., inputSchema)`
registration is sufficient and already satisfies the KI requirement.
### What would break this
If a tool's `inputSchema` is missing required fields, or if `safeParseAsync`
fails for a valid input (e.g. due to `anyOf` in the generated JSON Schema —
see KI-006), the validation would incorrectly reject valid calls.
---