github · python-sdke8e64842781c

Evidence

# Try both npx.cmd and npx.exe on Windows

        for cmd in ["npx.cmd", "npx.exe", "npx"]:

            try:

                subprocess.run([cmd, "--version"], check=True, capture_output=True, shell=True)

                return cmd

            except subprocess.CalledProcessError:

                continue

Remediation

Replace shell-based execution with list-arg subprocess calls (shell=False) or escape every interpolated value with shlex.quote (Python) / shell-escape (Node). Treat every MCP tool input as hostile.

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Replace this README with README.v2.md when v2 is released -->

> [!NOTE]

> **This README documents v1.x of the MCP Pyt

Remediation

Canonicalise the path with `os.path.realpath` + `os.path.commonpath`, or `path.resolve` + a prefix check against the allowed root; alternatively `pathlib.Path(uri).resolve().relative_to(allowed_root)` and reject on the ValueError. For TS/JS, use `path.resolve(root, sub)` then verify `resolved.startsWith(root + path.sep)`. Never read the URI directly into `open()` / `fs.readFile`.

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Move this content back to README.md when v2 is released -->

> [!IMPORTANT]

> **This documents v2 of the SDK (currentl

Remediation

Canonicalise the path with `os.path.realpath` + `os.path.commonpath`, or `path.resolve` + a prefix check against the allowed root; alternatively `pathlib.Path(uri).resolve().relative_to(allowed_root)` and reject on the ValueError. For TS/JS, use `path.resolve(root, sub)` then verify `resolved.startsWith(root + path.sep)`. Never read the URI directly into `open()` / `fs.readFile`.

Evidence

from mcp.server.mcpserver import MCPServer

from mcp.server.mcpserver.prompts import base

mcp = MCPServer(name="Prompt Example")

@mcp.prompt(title="Code Review")

def review_code(code: str) -> str:

    return f"Please review this code:\n\n{code}"

@mcp.prompt(title="Debug Assistant")

def debug_error(error: str) -> list[base.Message]:

    return [

        base.UserMessage("I'm seeing this error:"),

        base.UserMessage(error),

        base.AssistantMessage("I'll help debug that. What have y

Remediation

Wrap the parameter in `<untrusted>...</untrusted>` so the LLM treats it as data, run it through `escape_for_prompt` / `sanitize_prompt`, or pass via `json.dumps` / `JSON.stringify`. If you control the prompt template, prefer keeping it static and putting user data in a separate `role: "user"` message.

Evidence

"""MCPServer Echo Server"""

from mcp.server.mcpserver import MCPServer

# Create server

mcp = MCPServer("Echo Server")

@mcp.tool()

def echo_tool(text: str) -> str:

    """Echo the input text"""

    return text

@mcp.resource("echo://static")

def echo_resource() -> str:

    return "Echo!"

@mcp.resource("echo://{text}")

def echo_template(text: str) -> str:

    """Echo the input text"""

    return f"Echo: {text}"

@mcp.prompt("echo")

def echo_prompt(text: str) -> str:

    return text

Remediation

Wrap the parameter in `<untrusted>...</untrusted>` so the LLM treats it as data, run it through `escape_for_prompt` / `sanitize_prompt`, or pass via `json.dumps` / `JSON.stringify`. If you control the prompt template, prefer keeping it static and putting user data in a separate `role: "user"` message.

LLM consensus

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Replace this README with README.v2.md when v2 is released -->

> [!NOTE]

> **This README documents v1.x of the MCP Pyt

Remediation

Wrap the parameter in `<untrusted>...</untrusted>` so the LLM treats it as data, run it through `escape_for_prompt` / `sanitize_prompt`, or pass via `json.dumps` / `JSON.stringify`. If you control the prompt template, prefer keeping it static and putting user data in a separate `role: "user"` message.

Evidence

"""MCPServer quickstart example.

Run from the repository root:

    uv run examples/snippets/servers/mcpserver_quickstart.py

"""

from mcp.server.mcpserver import MCPServer

# Create an MCP server

mcp = MCPServer("Demo")

# Add an addition tool

@mcp.tool()

def add(a: int, b: int) -> int:

    """Add two numbers"""

    return a + b

# Add a dynamic greeting resource

@mcp.resource("greeting://{name}")

def get_greeting(name: str) -> str:

    """Get a personalized greeting"""

    return f"Hello, {n

Remediation

Wrap the parameter in `<untrusted>...</untrusted>` so the LLM treats it as data, run it through `escape_for_prompt` / `sanitize_prompt`, or pass via `json.dumps` / `JSON.stringify`. If you control the prompt template, prefer keeping it static and putting user data in a separate `role: "user"` message.

Evidence

from mcp.server.mcpserver import MCPServer

from mcp.types import (

    Completion,

    CompletionArgument,

    CompletionContext,

    PromptReference,

    ResourceTemplateReference,

)

mcp = MCPServer(name="Example")

@mcp.resource("github://repos/{owner}/{repo}")

def github_repo(owner: str, repo: str) -> str:

    """GitHub repository resource."""

    return f"Repository: {owner}/{repo}"

@mcp.prompt(description="Code review prompt")

def review_code(language: str, code: str) -> str:

    """Gen

Remediation

Wrap the parameter in `<untrusted>...</untrusted>` so the LLM treats it as data, run it through `escape_for_prompt` / `sanitize_prompt`, or pass via `json.dumps` / `JSON.stringify`. If you control the prompt template, prefer keeping it static and putting user data in a separate `role: "user"` message.

Evidence

# MCP Python SDK

!!! info "You are viewing the in-development v2 documentation"

    For the current stable release, see the [v1.x documentation](https://py.sdk.modelcontextprotocol.io/).

The **Model Context Protocol (MCP)** allows applications to provide context for LLMs in a standardized way, separating the concerns of providing context from the actual LLM interaction.

This Python SDK implements the full MCP specification, making it easy to:

- **Build MCP servers** that expose resources, pr

Remediation

Wrap the parameter in `<untrusted>...</untrusted>` so the LLM treats it as data, run it through `escape_for_prompt` / `sanitize_prompt`, or pass via `json.dumps` / `JSON.stringify`. If you control the prompt template, prefer keeping it static and putting user data in a separate `role: "user"` message.

Evidence

from __future__ import annotations

from datetime import datetime

from typing import Annotated, Any, Final, Generic, Literal, TypeAlias, TypeVar

from pydantic import BaseModel, ConfigDict, Field, FileUrl, TypeAdapter

from pydantic.alias_generators import to_camel

from typing_extensions import NotRequired, TypedDict

from mcp.types.jsonrpc import RequestId

LATEST_PROTOCOL_VERSION = "2025-11-25"

"""The latest version of the Model Context Protocol.

You can find the latest specification at https:

Remediation

Apply auth middleware at the route or router level: - Express / Fastify / Koa: `passport.authenticate(...)`, `requireAuth`, `verifyToken`, or an equivalent JWT middleware applied via `router.use(authMw)` or as a per-route handler. - FastAPI: `Depends(get_current_user)`, `OAuth2PasswordBearer`, `HTTPBearer`, or `verify_jwt` dependency. - Flask: `@login_required`, `@auth_required`, `@jwt_required`, or call `verify_jwt_in_request()` in the handler. Mounting MCP behind a s

Evidence

"""MCP Server Module

This module provides a framework for creating an MCP (Model Context Protocol) server.

It allows you to easily define and handle various types of requests and notifications

using constructor-based handler registration.

Usage:

1. Define handler functions:

   async def my_list_tools(ctx, params):

       return types.ListToolsResult(tools=[...])

   async def my_call_tool(ctx, params):

       return types.CallToolResult(content=[...])

2. Create a Server instance with on_* han

Remediation

Apply auth middleware at the route or router level: - Express / Fastify / Koa: `passport.authenticate(...)`, `requireAuth`, `verifyToken`, or an equivalent JWT middleware applied via `router.use(authMw)` or as a per-route handler. - FastAPI: `Depends(get_current_user)`, `OAuth2PasswordBearer`, `HTTPBearer`, or `verify_jwt` dependency. - Flask: `@login_required`, `@auth_required`, `@jwt_required`, or call `verify_jwt_in_request()` in the handler. Mounting MCP behind a s

Evidence

"""Run from the repository root:

uv run examples/snippets/servers/streamable_config.py

"""

from mcp.server.mcpserver import MCPServer

mcp = MCPServer("StatelessServer")

# Add a simple tool to demonstrate the server

@mcp.tool()

def greet(name: str = "World") -> str:

    """Greet someone by name."""

    return f"Hello, {name}!"

# Run server with streamable_http transport

# Transport-specific options (stateless_http, json_response) are passed to run()

if __name__ == "__main__":

    # Stateles

Remediation

Pick one: 1. Switch to stdio transport (preferred — `mcp.run(transport="stdio")`). 2. Require an `Authorization: Bearer <token>` check on every request. Token MUST be unguessable; rotate per-launch. 3. Bind to a Unix domain socket (`path="/var/run/mcp.sock"`) with file-system permissions instead of TCP. Localhost-only TCP without auth is NOT safe — DNS-rebinding lets a malicious web page reach `http://127.0.0.1:<port>` from inside the browser.

Evidence

"""MCPServer quickstart example.

Run from the repository root:

    uv run examples/snippets/servers/mcpserver_quickstart.py

"""

from mcp.server.mcpserver import MCPServer

# Create an MCP server

mcp = MCPServer("Demo")

# Add an addition tool

@mcp.tool()

def add(a: int, b: int) -> int:

    """Add two numbers"""

    return a + b

# Add a dynamic greeting resource

@mcp.resource("greeting://{name}")

def get_greeting(name: str) -> str:

    """Get a personalized greeting"""

    return f"Hello, {n

Remediation

Pick one: 1. Switch to stdio transport (preferred — `mcp.run(transport="stdio")`). 2. Require an `Authorization: Bearer <token>` check on every request. Token MUST be unguessable; rotate per-launch. 3. Bind to a Unix domain socket (`path="/var/run/mcp.sock"`) with file-system permissions instead of TCP. Localhost-only TCP without auth is NOT safe — DNS-rebinding lets a malicious web page reach `http://127.0.0.1:<port>` from inside the browser.

Evidence

#!/usr/bin/env python3

"""MCP Everything Server - Conformance Test Server

Server implementing all MCP features for conformance testing based on Conformance Server Specification.

"""

import asyncio

import base64

import json

import logging

import click

from mcp.server import ServerRequestContext

from mcp.server.mcpserver import Context, MCPServer

from mcp.server.mcpserver.prompts.base import UserMessage

from mcp.server.streamable_http import EventCallback, EventMessage, EventStore

from mcp.type

Remediation

Pick one: 1. Switch to stdio transport (preferred — `mcp.run(transport="stdio")`). 2. Require an `Authorization: Bearer <token>` check on every request. Token MUST be unguessable; rotate per-launch. 3. Bind to a Unix domain socket (`path="/var/run/mcp.sock"`) with file-system permissions instead of TCP. Localhost-only TCP without auth is NOT safe — DNS-rebinding lets a malicious web page reach `http://127.0.0.1:<port>` from inside the browser.

Evidence

"""Run from the repository root:

uv run examples/snippets/servers/oauth_server.py

"""

from pydantic import AnyHttpUrl

from mcp.server.auth.provider import AccessToken, TokenVerifier

from mcp.server.auth.settings import AuthSettings

from mcp.server.mcpserver import MCPServer

class SimpleTokenVerifier(TokenVerifier):

    """Simple token verifier for demonstration."""

    async def verify_token(self, token: str) -> AccessToken | None:

        pass  # This is where you would implement actual to

Remediation

Pick one: 1. Upgrade to `@modelcontextprotocol/sdk` ≥ 1.24.0 and use `createMcpExpressApp()` — Host validation is on by default. 2. Wire `hostHeaderValidation({ allowedHosts: [...] })` middleware into your custom Express setup. 3. Add a request-scoped Host check: `if (req.headers.host !== "127.0.0.1:<port>") return res.status(403).end();` 4. Add FastAPI `TrustedHostMiddleware(allowed_hosts=["127.0.0.1"])` (Python). Even with `Authorization: Bearer` checks, a missing

LLM consensus

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Move this content back to README.md when v2 is released -->

> [!IMPORTANT]

> **This documents v2 of the SDK (currentl

Remediation

Pick one: 1. Upgrade to `@modelcontextprotocol/sdk` ≥ 1.24.0 and use `createMcpExpressApp()` — Host validation is on by default. 2. Wire `hostHeaderValidation({ allowedHosts: [...] })` middleware into your custom Express setup. 3. Add a request-scoped Host check: `if (req.headers.host !== "127.0.0.1:<port>") return res.status(403).end();` 4. Add FastAPI `TrustedHostMiddleware(allowed_hosts=["127.0.0.1"])` (Python). Even with `Authorization: Bearer` checks, a missing

Evidence

# MCP Python SDK

<div align="center">

<strong>Python implementation of the Model Context Protocol (MCP)</strong>

[![PyPI][pypi-badge]][pypi-url]

[![MIT licensed][mit-badge]][mit-url]

[![Python Version][python-badge]][python-url]

[![Documentation][docs-badge]][docs-url]

[![Protocol][protocol-badge]][protocol-url]

[![Specification][spec-badge]][spec-url]

</div>

<!-- TODO(v2): Replace this README with README.v2.md when v2 is released -->

> [!NOTE]

> **This README documents v1.x of the MCP Pyt

Remediation

Pick one: 1. Upgrade to `@modelcontextprotocol/sdk` ≥ 1.24.0 and use `createMcpExpressApp()` — Host validation is on by default. 2. Wire `hostHeaderValidation({ allowedHosts: [...] })` middleware into your custom Express setup. 3. Add a request-scoped Host check: `if (req.headers.host !== "127.0.0.1:<port>") return res.status(403).end();` 4. Add FastAPI `TrustedHostMiddleware(allowed_hosts=["127.0.0.1"])` (Python). Even with `Authorization: Bearer` checks, a missing

Evidence

"""MCPServer quickstart example.

Run from the repository root:

    uv run examples/snippets/servers/mcpserver_quickstart.py

"""

from mcp.server.mcpserver import MCPServer

# Create an MCP server

mcp = MCPServer("Demo")

# Add an addition tool

@mcp.tool()

def add(a: int, b: int) -> int:

    """Add two numbers"""

    return a + b

# Add a dynamic greeting resource

@mcp.resource("greeting://{name}")

def get_greeting(name: str) -> str:

    """Get a personalized greeting"""

    return f"Hello, {n

Remediation

Pick one: 1. Upgrade to `@modelcontextprotocol/sdk` ≥ 1.24.0 and use `createMcpExpressApp()` — Host validation is on by default. 2. Wire `hostHeaderValidation({ allowedHosts: [...] })` middleware into your custom Express setup. 3. Add a request-scoped Host check: `if (req.headers.host !== "127.0.0.1:<port>") return res.status(403).end();` 4. Add FastAPI `TrustedHostMiddleware(allowed_hosts=["127.0.0.1"])` (Python). Even with `Authorization: Bearer` checks, a missing

Evidence

"""Run from the repository root:

uv run examples/snippets/servers/streamable_config.py

"""

from mcp.server.mcpserver import MCPServer

mcp = MCPServer("StatelessServer")

# Add a simple tool to demonstrate the server

@mcp.tool()

def greet(name: str = "World") -> str:

    """Greet someone by name."""

    return f"Hello, {name}!"

# Run server with streamable_http transport

# Transport-specific options (stateless_http, json_response) are passed to run()

if __name__ == "__main__":

    # Stateles

Remediation

Pick one: 1. Upgrade to `@modelcontextprotocol/sdk` ≥ 1.24.0 and use `createMcpExpressApp()` — Host validation is on by default. 2. Wire `hostHeaderValidation({ allowedHosts: [...] })` middleware into your custom Express setup. 3. Add a request-scoped Host check: `if (req.headers.host !== "127.0.0.1:<port>") return res.status(403).end();` 4. Add FastAPI `TrustedHostMiddleware(allowed_hosts=["127.0.0.1"])` (Python). Even with `Authorization: Bearer` checks, a missing

Evidence

#!/usr/bin/env python3

"""MCP Everything Server - Conformance Test Server

Server implementing all MCP features for conformance testing based on Conformance Server Specification.

"""

import asyncio

import base64

import json

import logging

import click

from mcp.server import ServerRequestContext

from mcp.server.mcpserver import Context, MCPServer

from mcp.server.mcpserver.prompts.base import UserMessage

from mcp.server.streamable_http import EventCallback, EventMessage, EventStore

from mcp.type

Remediation

Pick one: 1. Upgrade to `@modelcontextprotocol/sdk` ≥ 1.24.0 and use `createMcpExpressApp()` — Host validation is on by default. 2. Wire `hostHeaderValidation({ allowedHosts: [...] })` middleware into your custom Express setup. 3. Add a request-scoped Host check: `if (req.headers.host !== "127.0.0.1:<port>") return res.status(403).end();` 4. Add FastAPI `TrustedHostMiddleware(allowed_hosts=["127.0.0.1"])` (Python). Even with `Authorization: Bearer` checks, a missing

Evidence

# Migration Guide: v1 to v2

This guide covers the breaking changes introduced in v2 of the MCP Python SDK and how to update your code.

## Overview

Version 2 of the MCP Python SDK introduces several breaking changes to improve the API, align with the MCP specification, and provide better type safety.

## Breaking Changes

### `streamablehttp_client` removed

The deprecated `streamablehttp_client` function has been removed. Use `streamable_http_client` instead.

**Before (v1):**

```python

from

Remediation

Pick one: 1. Upgrade to `@modelcontextprotocol/sdk` ≥ 1.24.0 and use `createMcpExpressApp()` — Host validation is on by default. 2. Wire `hostHeaderValidation({ allowedHosts: [...] })` middleware into your custom Express setup. 3. Add a request-scoped Host check: `if (req.headers.host !== "127.0.0.1:<port>") return res.status(403).end();` 4. Add FastAPI `TrustedHostMiddleware(allowed_hosts=["127.0.0.1"])` (Python). Even with `Authorization: Bearer` checks, a missing

Evidence

# MCP Python SDK

!!! info "You are viewing the in-development v2 documentation"

    For the current stable release, see the [v1.x documentation](https://py.sdk.modelcontextprotocol.io/).

The **Model Context Protocol (MCP)** allows applications to provide context for LLMs in a standardized way, separating the concerns of providing context from the actual LLM interaction.

This Python SDK implements the full MCP specification, making it easy to:

- **Build MCP servers** that expose resources, pr

Remediation

Pick one: 1. Upgrade to `@modelcontextprotocol/sdk` ≥ 1.24.0 and use `createMcpExpressApp()` — Host validation is on by default. 2. Wire `hostHeaderValidation({ allowedHosts: [...] })` middleware into your custom Express setup. 3. Add a request-scoped Host check: `if (req.headers.host !== "127.0.0.1:<port>") return res.status(403).end();` 4. Add FastAPI `TrustedHostMiddleware(allowed_hosts=["127.0.0.1"])` (Python). Even with `Authorization: Bearer` checks, a missing

Evidence

# Or for SSE

mcp = MCPServer("Server")

mcp.run(transport="sse", host="0.0.0.0", port=9000, sse_path="/events")

```

**For mounted apps:**

Remediation

Bind to 127.0.0.1 for local-only access. If cross-host access is truly required, put the service behind an authenticated reverse proxy rather than exposing it on 0.0.0.0.

Evidence

mcp.run(transport="streamable-http")

# Or for SSE

mcp = FastMCP("Server", host="0.0.0.0", port=9000, sse_path="/events")

mcp.run(transport="sse")

```

Remediation

Bind to 127.0.0.1 for local-only access. If cross-host access is truly required, put the service behind an authenticated reverse proxy rather than exposing it on 0.0.0.0.

Evidence

message = params.message

    if not url:

        print("Error: No URL provided in elicitation request")

        return types.ElicitResult(action="cancel")

    # Reject dangerous URL schemes before prompting the user

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

async def handle_progress(ctx: ServerRequestContext, params: ProgressNotificationParams) -> None:

    print(f"Progress: {params.progress}/{params.total}")

server = Server("my-server", on_progress=handle_progress)

```

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

async def handle_elicitation(context, params: ElicitRequestParams) -> ElicitResult:

    # Display the message to the user

    print(f"Server asks: {params.message}")

    # Collect user input (this is a simplified example)

    response = input("Your response (y/n): ")

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

async def handle_sampling_message(

    context: ClientRequestContext, params: types.CreateMessageRequestParams

) -> types.CreateMessageResult:

    print(f"Sampling request: {params.messages}")

    return types.CreateMessageResult(

        role="assistant",

        content=types.TextContent(

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

async def handle_sampling_message(

    context: RequestContext[ClientSession, None], params: types.CreateMessageRequestParams

) -> types.CreateMessageResult:

    print(f"Sampling request: {params.messages}")

    return types.CreateMessageResult(

        role="assistant",

        content=types.TextContent(

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

async def handle_sampling_message(

    context: ClientRequestContext, params: types.CreateMessageRequestParams

) -> types.CreateMessageResult:

    print(f"Sampling request: {params.messages}")

    return types.CreateMessageResult(

        role="assistant",

        content=types.TextContent(

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

async def elicitation_callback(context, params: ElicitRequestParams) -> ElicitResult:

    print(f"\n[Elicitation] {params.message}")

    response = input("Confirm? (y/n): ")

    return ElicitResult(action="accept", content={"confirm": response.lower() == "y"})

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

def main() -> None:

    """Main entry point for the conformance client."""

    if len(sys.argv) < 2:

        print(f"Usage: {sys.argv[0]} <server-url>", file=sys.stderr)

        sys.exit(1)

    server_url = sys.argv[1]

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

params: ElicitRequestParams,

) -> ElicitResult:

    """Handle elicitation requests from the server."""

    print(f"\n[Elicitation] Server asks: {params.message}")

    # Simple terminal prompt

    response = input("Your response (y/n): ").strip().lower()

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

return f"Elicitation result: action={result.action}, content={content}"

    except Exception as e:

        return f"Elicitation not supported or error: {str(e)}"

class EnumSchemasTestSchema(BaseModel):

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

return f"LLM response: {model_response}"

    except Exception as e:

        return f"Sampling not supported or error: {str(e)}"

class UserResponse(BaseModel):

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

return f"User response: action={result.action}, content={content}"

    except Exception as e:

        return f"Elicitation not supported or error: {str(e)}"

class SEP1034DefaultsSchema(BaseModel):

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

return f"Elicitation completed: action={result.action}, content={content}"

    except Exception as e:

        return f"Elicitation not supported or error: {str(e)}"

@mcp.tool()

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

except MCPError:

            raise

        except Exception as e:

            return CallToolResult(content=[TextContent(type="text", text=str(e))], is_error=True)

        if isinstance(result, CallToolResult):

            return result

        if isinstance(result, tuple) and len(result) == 2:

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

# Try both npx.cmd and npx.exe on Windows

        for cmd in ["npx.cmd", "npx.exe", "npx"]:

            try:

                subprocess.run([cmd, "--version"], check=True, capture_output=True, shell=True)

                return cmd

            except subprocess.CalledProcessError:

                continue

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

Evidence

async def update_importance(user_embedding: list[float], deps: Deps):

    async with deps.pool.acquire() as conn:

        rows = await conn.fetch("SELECT id, importance, access_count, embedding FROM memories")

        for row in rows:

            memory_embedding = row["embedding"]

            similarity = cosine_similarity(user_embedding, memory_embedding)

Remediation

Pass timeout= on every call: - HTTP: `requests.get(url, timeout=5)`, `httpx.get(url, timeout=5.0)` - Node fetch: `AbortSignal.timeout(5000)` - Subprocess: `subprocess.run(["cmd"], timeout=30, check=True)` Pick a value short enough to fail fast and retry.

LLM consensus

Evidence

# /// script

# dependencies = ["pydantic-ai-slim[openai]", "asyncpg", "numpy", "pgvector"]

# ///

# uv pip install 'pydantic-ai-slim[openai]' asyncpg numpy pgvector

"""Recursive memory system inspired by the human brain's clustering of memories.

Uses OpenAI's 'text-embedding-3-small' model and pgvector for efficient

similarity search.

"""

import asyncio

import math

import os

from dataclasses import dataclass

from datetime import datetime, timezone

from pathlib import Path

from typing import An

Remediation

Pick one confirmation mechanism and add it to the destructive handler: - make the client confirm via `elicit()` before touching the sink, - accept a `dry_run` / `dryRun` boolean input and branch off the sink when true (return what would change), - require an `idempotency_key` / `idempotencyKey` the caller provides on the first call and echoes back to commit, - require a `confirmation` / `confirm` token as an input field. If the destructive call is genuinely irrelevant to the tool

LLM consensus

Evidence

description="Query the database",

            inputSchema={

                "type": "object",

                "properties": {"query": {"type": "string", "description": "SQL query to execute"}},

                "required": ["query"],

            },

        )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

# see OAuthClientMetadata; we only support `code`

    response_type: Literal["code"] = Field(..., description="Must be 'code' for authorization code flow")

    code_challenge: str = Field(..., description="PKCE code challenge")

    code_challenge_method: Literal["S256"] = Field("S256", description="PKCE code challenge method, must be S256")

    state: str | None = Field(None, description="Optional state parameter")

    scope: str | None = Field(

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"""Parameters for initializing an sse_client."""

    # The endpoint URL.

    url: str

    # Optional headers to include in requests.

    headers: dict[str, Any] | None = None

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"""Parameters for initializing a streamable_http_client."""

    # The endpoint URL.

    url: str

    # Optional headers to include in requests.

    headers: dict[str, Any] | None = None

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

description="Query the database",

                input_schema={

                    "type": "object",

                    "properties": {"query": {"type": "string", "description": "SQL query to execute"}},

                    "required": ["query"],

                },

            )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

"type": "object",

                    "required": ["url"],

                    "properties": {

                        "url": {

                            "type": "string",

                            "description": "URL to fetch",

                        }

                    },

                },

            )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class HttpResource(Resource):

    """A resource that reads from an HTTP endpoint."""

    url: str = Field(description="URL to fetch content from")

    mime_type: str = Field(default="application/json", description="MIME type of the resource content")

    async def read(self) -> str | bytes:

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class AuthorizationParams(BaseModel):

    state: str | None

    scopes: list[str] | None

    code_challenge: str

    redirect_uri: AnyUrl

    redirect_uri_provided_explicitly: bool

    resource: str | None = None  # RFC 8707 resource indicator

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

message: str

    """The message to present to the user explaining why the interaction is needed."""

    url: str

    """The URL that the user should navigate to."""

    elicitation_id: str

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class AuthorizationCode(BaseModel):

    code: str

    scopes: list[str]

    expires_at: float

    client_id: str

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

scopes: list[str]

    expires_at: float

    client_id: str

    code_challenge: str

    redirect_uri: AnyUrl

    redirect_uri_provided_explicitly: bool

    resource: str | None = None  # RFC 8707 resource indicator

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

# we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

    client_secret: str | None = None

    # See https://datatracker.ietf.org/doc/html/rfc7636#section-4.5

    code_verifier: str = Field(..., description="PKCE code verifier")

    # RFC 8707 resource indicator

    resource: str | None = Field(None, description="Resource indicator for the token")

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class StdioServerParameters(BaseModel):

    command: str

    """The executable to run to start the server."""

    args: list[str] = Field(default_factory=list)

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

class AuthorizationCodeRequest(BaseModel):

    # See https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.3

    grant_type: Literal["authorization_code"]

    code: str = Field(..., description="The authorization code")

    redirect_uri: AnyUrl | None = Field(None, description="Must be the same as redirect URI provided in /authorize")

    client_id: str

    # we use the client_secret param, per https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

description="Query the database",

                input_schema={

                    "type": "object",

                    "properties": {"query": {"type": "string", "description": "SQL query to execute"}},

                    "required": ["query"],

                },

            )

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

{

  "mcpServers": {

    "sqlite": {

      "command": "uvx",

      "args": ["mcp-server-sqlite", "--db-path", "./test.db"]

    },

    "puppeteer": {

      "command": "npx",

      "args": ["-y", "@modelcontextprotocol/server-puppeteer"]

    }

  }

}

Remediation

Declare a real authentication mechanism in the manifest, matching what the running server actually enforces: - `"auth": "bearer"` with a token scheme documented for callers - `"auth": "oauth"` / `"oauth2": { ... }` for delegated flows - `"apiKey": { "header": "X-API-Key", "prefix": "..." }` - `"mtls": true` when client certificates are required If the server is intentionally unauthenticated (stdio-only, local developer tool, trusted-host network), document the assumption in the manifest via a `"

Evidence

"""URL Elicitation Client Example.

Demonstrates how clients handle URL elicitation requests from servers.

This is the Python equivalent of TypeScript SDK's elicitationUrlExample.ts,

focused on URL elicitation patterns without OAuth complexity.

Features demonstrated:

1. Client elicitation capability declaration

2. Handling elicitation requests from servers via callback

3. Catching UrlElicitationRequiredError from tool calls

4. Browser interaction with security warnings

5. Interactive CLI for te

Remediation

Tool descriptions should describe what the tool does — not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct

Evidence

from __future__ import annotations

from datetime import datetime

from typing import Annotated, Any, Final, Generic, Literal, TypeAlias, TypeVar

from pydantic import BaseModel, ConfigDict, Field, FileUrl, TypeAdapter

from pydantic.alias_generators import to_camel

from typing_extensions import NotRequired, TypedDict

from mcp.types.jsonrpc import RequestId

LATEST_PROTOCOL_VERSION = "2025-11-25"

"""The latest version of the Model Context Protocol.

You can find the latest specification at https:

Remediation

Tool descriptions should describe what the tool does — not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct

Evidence

"""Unified MCP Client that wraps ClientSession with transport management."""

from __future__ import annotations

from contextlib import AsyncExitStack

from dataclasses import KW_ONLY, dataclass, field

from typing import Any

from mcp.client._memory import InMemoryTransport

from mcp.client._transport import Transport

from mcp.client.session import ClientSession, ElicitationFnT, ListRootsFnT, LoggingFnT, MessageHandlerFnT, SamplingFnT

from mcp.client.streamable_http import streamable_http_client

Remediation

Tool descriptions should describe what the tool does — not what the model should do with other tools. If a tool's correct operation legitimately requires another tool to be called, document that as a `composition` requirement in human-readable docs and let the calling code orchestrate, not the LLM. If the directive phrasing is coming from external content the tool retrieved (RAG, web fetch), wrap in `<untrusted>` tags and rely on the system prompt to flag tag-bound content as data, not instruct

Evidence

#!/usr/bin/env python3

"""Simple MCP client example with OAuth authentication support.

This client connects to an MCP server using streamable HTTP transport with OAuth.

"""

from __future__ import annotations as _annotations