SEP-XXX: Adding constraints to the MCP #2778

Open
schlpbch wants to merge 2 commits into modelcontextprotocol:main from schlpbch:main
Conversation

@schlpbch schlpbch commented May 23, 2026

By adding constraints, this SEP:

  • Introduces 30+ JSDoc security constraint annotations in schema/draft/schema.ts
  • Enhances validation rules to mitigate common attack vectors (XSS, open redirects, injection, DoS)
  • Establishes clear expectations for message formats and limits to improve client/server alignment and interoperability
  • Ensures backward compatibility while enforcing new constraints for improved security and robustness
  • Updates documentation and generates artifacts to reflect the new constraints

Motivation and Context

  • Security: Mitigates common attack vectors (XSS, open redirects, injection, DoS)
  • Client/Server Alignment: Establishes clear expectations for message formats and limits
  • SDK Support: Enables SDK implementors to enforce constraints and provide better developer feedback
  • Cross-language Consistency for SDKs: Ensures that SDKs in different languages behave consistently with respect to validation rules, improving overall ecosystem reliability
  • Future-proofing: Establishes a foundation for further schema enhancements
  • Documentation Clarity: Provides explicit constraints that can be referenced in API documentation and guidelines
  • Testing Rigor: Enables more comprehensive test cases that validate constraint enforcement

How Has This Been Tested?

The enriched schema.ts is functionally fully equivalent to the existing one.

Breaking Changes

Changes are needed if and only if very uncommon values are used, e.g. negative counters or strings of large sizes.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Maybe Breaking change iff uncommon values for basic types (negative numbers, huge string sizes) are used in existing implementations
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally, but not all SDK implementations have been tested by the SEP's author
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

For each constraint, especially string size limits, a common consensus has to be reached.

- Introduced 30+ JSDoc security constraint annotations in `schema/draft/schema.ts`
- Enhanced validation rules to mitigate common attack vectors (XSS, open redirects, injection, DoS)
- Established clear expectations for message formats and limits to improve client/server alignment and interoperability
- Ensured backward compatibility while enforcing new constraints for improved security and robustness
- Updated documentation and generated artifacts to reflect the new constraints
@schlpbch schlpbch requested a review from a team as a code owner May 23, 2026 09:57
@schlpbch schlpbch changed the title feat(schema): add security constraints to MCP protocol schema SEP-XXX: Adding constraints to MCP May 23, 2026
@schlpbch schlpbch changed the title SEP-XXX: Adding constraints to MCP SEP-XXX: Adding constraints to thr MCP May 23, 2026
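
Added example, not part of this pull request or of the MCP schema: a sketch of how JSDoc constraint annotations on a schema type translate into checks that reject the uncommon values mentioned under Breaking Changes (negative counters, very large strings) and non-https links. The `ProgressNote` type, its field names, the limit values and `validateProgressNote` are all hypothetical; the tags are assumed to be the JSON-Schema-keyword style that TypeScript-to-JSON-Schema generators read.

```typescript
// Hypothetical message type: names and limits are assumptions for illustration,
// not values taken from schema/draft/schema.ts.
interface ProgressNote {
  /** @maxLength 256 */
  message: string;
  /** @minimum 0 */
  progress: number;
  /**
   * @format uri
   * @pattern ^https://
   */
  link?: string;
}

// The same limits as data, the form a generated schema would carry them in.
const LIMITS = { messageMaxLength: 256, progressMinimum: 0, linkPattern: /^https:\/\//i };

// Returns a list of violations; an empty list means the value is accepted.
function validateProgressNote(input: unknown): string[] {
  if (typeof input !== "object" || input === null) return ["value: expected object"];
  const v = input as Record<keyof ProgressNote, unknown>;
  const errors: string[] = [];

  const message = v.message;
  if (typeof message !== "string") errors.push("message: expected string");
  // .length counts UTF-16 code units, so this is never looser than a code-point limit.
  else if (message.length > LIMITS.messageMaxLength) errors.push("message: exceeds maxLength");

  const progress = v.progress;
  if (typeof progress !== "number" || !isFinite(progress)) errors.push("progress: expected finite number");
  else if (progress < LIMITS.progressMinimum) errors.push("progress: below minimum");

  const link = v.link;
  if (link !== undefined) {
    if (typeof link !== "string") errors.push("link: expected string");
    // Scheme allowlist: rejects javascript:, data: and scheme-less values alike.
    else if (!LIMITS.linkPattern.test(link)) errors.push("link: scheme not allowed");
  }
  return errors;
}
```

Returning every violation rather than stopping at the first one gives SDK users the developer feedback the motivation section asks for.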