""" mcp_manager.py Manages connections to MCP (Model Context Protocol) tool servers. Each server exposes tools that are made available to the agent loop. """ import json import logging import os import re from typing import Any, Dict, List, Optional, Set, Tuple logger = logging.getLogger(__name__) def _format_mcp_connection_error(name: str, command: str = "", args: Optional[List[str]] = None, error: Exception = None) -> str: """Return a user-actionable MCP connection error message.""" args = args or [] raw_error = str(error) if error else "Unknown error" command_line = " ".join([command or "", *args]).strip() lower_command = command_line.lower() if "@playwright/mcp" in lower_command: return ( f"{raw_error}\n\n" "Browser MCP could not start. On fresh installs, cache the Playwright MCP package once before connecting:\n\n" "npx -y @playwright/mcp@latest --version\n\n" "Then restart Odysseus and reconnect the Browser MCP server." ) return raw_error # Caps for rendering untrusted MCP tool schemas into the agent prompt (issue #2660). # MCP servers are third-party/user-added, so field names and parameter counts are # untrusted input — bound them so an odd or hostile schema cannot distort the prompt. _MCP_PARAM_MAX = 12 # max params rendered per tool _MCP_TOKEN_MAX = 40 # max chars per rendered name / type token _MCP_HINT_MAX = 300 # total-length backstop for the whole hint def _sanitize_schema_token(value: Any, limit: int = _MCP_TOKEN_MAX) -> str: """Make an untrusted JSON-Schema token safe to splice into the prompt. Replaces control chars / newlines with a space, collapses whitespace, and length-caps the result, so a weird field name or type cannot inject newlines or run on. Normal short identifiers pass through unchanged. """ text = re.sub(r"[\x00-\x1f\x7f]+", " ", str(value)) text = re.sub(r"\s+", " ", text).strip() if len(text) > limit: text = text[:limit].rstrip() + "…" return text def _format_mcp_params(input_schema: Any) -> str: """Render an MCP tool's JSON-Schema inputs as a compact prompt hint. Without this the agent only sees a tool's name + description and has to guess its arguments (issue #2509). Produces e.g. ` Args (JSON): {"path": string (required), "limit": integer}` — names, coarse types, and required-ness, kept short so it stays prompt-friendly. Returns "" when there are no parameters. MCP servers are third-party, so names/types are sanitized and the parameter count + total length are capped (issue #2660); normal schemas are unaffected. """ if not isinstance(input_schema, dict): return "" props = input_schema.get("properties") if not isinstance(props, dict) or not props: return "" required = set(input_schema.get("required") or []) parts = [] for pname, pinfo in list(props.items())[:_MCP_PARAM_MAX]: pinfo = pinfo if isinstance(pinfo, dict) else {} ptype = pinfo.get("type") or "any" if isinstance(ptype, list): ptype = "|".join(str(x) for x in ptype) tag = f'"{_sanitize_schema_token(pname)}": {_sanitize_schema_token(ptype)}' if pname in required: tag += " (required)" parts.append(tag) extra = len(props) - len(parts) if extra > 0: parts.append(f"…+{extra} more") hint = " Args (JSON): {" + ", ".join(parts) + "}" if len(hint) > _MCP_HINT_MAX: hint = hint[:_MCP_HINT_MAX - 1].rstrip() + "…" return hint # Tool-name prefixes that denote a read-only/inspection operation. Used to # classify MCP tools for plan mode when the server provides no readOnlyHint. # These are PREFIXES, not whole words (matched via str.startswith below), so a # stem like "summar" intentionally covers "summarise"/"summarize"/"summary". _MCP_READONLY_VERBS = ( "list", "get", "read", "search", "fetch", "query", "find", "describe", "show", "view", "lookup", "count", "status", "info", "inspect", "summar", ) def mcp_tool_is_readonly(tool: Dict) -> bool: """Classify an MCP tool as safe (non-mutating) for plan mode. Prefer the server's own annotations (readOnlyHint / destructiveHint). When absent, fall back to a tool-name verb heuristic, and FAIL CLOSED (treat as write) for anything that doesn't clearly read — plan mode must not run a write tool just because its intent is ambiguous. """ ann = tool.get("annotations") # annotations may be a dict or a pydantic model read_hint = None destructive = None if ann is not None: if isinstance(ann, dict): read_hint = ann.get("readOnlyHint") destructive = ann.get("destructiveHint") else: read_hint = getattr(ann, "readOnlyHint", None) destructive = getattr(ann, "destructiveHint", None) if read_hint is True: return True if read_hint is False or destructive is True: return False # No usable hint — heuristic on the tool name's leading verb. name = (tool.get("name") or "").lower() return name.startswith(_MCP_READONLY_VERBS) class McpManager: """Manages MCP server connections and tool routing.""" def __init__(self): # server_id -> connection state self._connections: Dict[str, Dict[str, Any]] = {} # server_id -> list of tool schemas self._tools: Dict[str, List[Dict]] = {} # server_id -> MCP ClientSession self._sessions: Dict[str, Any] = {} # server_id -> exit stack (for cleanup) self._stacks: Dict[str, Any] = {} # server_id -> background connect task (HTTP transport / OAuth) self._connect_tasks: Dict[str, Any] = {} # Tracking updates to tools/connections for RAG indexing / prompt cache self._generation = 0 async def connect_server( self, server_id: str, name: str, transport: str, command: Optional[str] = None, args: Optional[List[str]] = None, env: Optional[Dict[str, str]] = None, url: Optional[str] = None, ) -> bool: """Connect to an MCP server via stdio, SSE, or Streamable HTTP transport.""" try: if transport == "stdio": res = await self._connect_stdio(server_id, name, command, args or [], env or {}) elif transport == "sse": res = await self._connect_sse(server_id, name, url) elif transport == "http": res = await self._start_http_connect(server_id, name, url) else: logger.error(f"Unknown MCP transport: {transport}") res = False if res: self._generation += 1 return res except Exception as e: logger.error(f"Failed to connect MCP server {name} ({server_id}): {e}") error_message = _format_mcp_connection_error(name, command or "", args or [], e) self._connections[server_id] = {"status": "error", "error": error_message, "name": name} self._generation += 1 return False async def _connect_stdio(self, server_id: str, name: str, command: str, args: List[str], env: Dict[str, str]) -> bool: """Connect to an MCP server via stdio transport.""" try: from mcp import ClientSession, StdioServerParameters from mcp.client.stdio import stdio_client from contextlib import AsyncExitStack server_params = StdioServerParameters( command=command, args=args, env={**os.environ, **env} if env else None, ) stack = AsyncExitStack() try: transport = await stack.enter_async_context(stdio_client(server_params)) read_stream, write_stream = transport session = await stack.enter_async_context(ClientSession(read_stream, write_stream)) await session.initialize() # Discover tools tools_result = await session.list_tools() except Exception: await stack.aclose() raise tools = [] for tool in tools_result.tools: tools.append({ "name": tool.name, "description": tool.description or "", "input_schema": tool.inputSchema if hasattr(tool, 'inputSchema') else {}, # MCP tool annotations (readOnlyHint / destructiveHint) drive # plan-mode read-only gating. Absent on many servers, so we # fall back to a name heuristic in mcp_tool_is_readonly(). "annotations": getattr(tool, 'annotations', None), }) self._sessions[server_id] = session self._stacks[server_id] = stack self._tools[server_id] = tools # Extract identity hints from env vars (e.g. email address, API name) # so tool descriptions can distinguish between multiple instances of # the same MCP server (e.g. two email accounts). identity_hints = [] for k, v in (env or {}).items(): k_lower = k.lower() if any(x in k_lower for x in ['email_address', 'account', 'user', 'username']): identity_hints.append(v) identity = ", ".join(identity_hints) if identity_hints else "" self._connections[server_id] = { "status": "connected", "name": name, "transport": "stdio", "tool_count": len(tools), "identity": identity, } logger.info(f"MCP server connected: {name} ({server_id}) - {len(tools)} tools via stdio") return True except ImportError: logger.warning("MCP package not installed. Install with: pip install mcp") self._connections[server_id] = {"status": "error", "error": "mcp package not installed", "name": name} return False async def _connect_sse(self, server_id: str, name: str, url: str) -> bool: """Connect to an MCP server via SSE transport.""" try: from mcp import ClientSession from mcp.client.sse import sse_client from contextlib import AsyncExitStack stack = AsyncExitStack() try: transport = await stack.enter_async_context(sse_client(url)) read_stream, write_stream = transport session = await stack.enter_async_context(ClientSession(read_stream, write_stream)) await session.initialize() # Discover tools tools_result = await session.list_tools() except Exception: await stack.aclose() raise tools = [] for tool in tools_result.tools: tools.append({ "name": tool.name, "description": tool.description or "", "input_schema": tool.inputSchema if hasattr(tool, 'inputSchema') else {}, # MCP tool annotations (readOnlyHint / destructiveHint) drive # plan-mode read-only gating. Absent on many servers, so we # fall back to a name heuristic in mcp_tool_is_readonly(). "annotations": getattr(tool, 'annotations', None), }) self._sessions[server_id] = session self._stacks[server_id] = stack self._tools[server_id] = tools self._connections[server_id] = { "status": "connected", "name": name, "transport": "sse", "tool_count": len(tools), } logger.info(f"MCP server connected: {name} ({server_id}) - {len(tools)} tools via SSE") return True except ImportError: logger.warning("MCP package not installed. Install with: pip install mcp") self._connections[server_id] = {"status": "error", "error": "mcp package not installed", "name": name} return False async def _start_http_connect(self, server_id: str, name: str, url: str, wait: float = 8.0) -> bool: """Begin a Streamable HTTP connect in the background. Returns within `wait` seconds: True if it connected (cached-token path), otherwise the flow is awaiting browser authorization and status becomes 'needs_auth'.""" import asyncio self._connections[server_id] = {"status": "connecting", "name": name, "transport": "http"} task = asyncio.create_task(self._connect_http(server_id, name, url)) self._connect_tasks[server_id] = task done, _ = await asyncio.wait({task}, timeout=wait) if task in done: try: return task.result() except Exception as e: self._connections[server_id] = {"status": "error", "error": str(e), "name": name} return False # Still running → either awaiting authorization, or discovery/DCR is # still in flight. If _on_redirect already published needs_auth+auth_url, # leave it; otherwise mark needs_auth (auth_url filled in once it fires). from src.mcp_oauth import pop_auth_url cur = self._connections.get(server_id, {}) if cur.get("status") != "needs_auth": self._connections[server_id] = { "status": "needs_auth", "name": name, "transport": "http", "auth_url": pop_auth_url(server_id), } return False async def _connect_http(self, server_id: str, name: str, url: str) -> bool: """Connect to a Streamable HTTP MCP server (with automatic OAuth).""" try: from mcp import ClientSession from mcp.client.streamable_http import streamablehttp_client from contextlib import AsyncExitStack from src.mcp_oauth import build_provider, clear_auth_url def _on_redirect(auth_url): # Publish needs_auth the moment the URL is known, independent of # how long discovery/DCR took (may exceed the bounded start wait). self._connections[server_id] = { "status": "needs_auth", "name": name, "transport": "http", "auth_url": auth_url, } provider = build_provider(server_id, url, on_redirect=_on_redirect) stack = AsyncExitStack() transport = await stack.enter_async_context(streamablehttp_client(url, auth=provider)) read_stream, write_stream, _get_session_id = transport session = await stack.enter_async_context(ClientSession(read_stream, write_stream)) await session.initialize() tools_result = await session.list_tools() tools = [] for tool in tools_result.tools: tools.append({ "name": tool.name, "description": tool.description or "", "input_schema": tool.inputSchema if hasattr(tool, "inputSchema") else {}, }) self._sessions[server_id] = session self._stacks[server_id] = stack self._tools[server_id] = tools self._connections[server_id] = { "status": "connected", "name": name, "transport": "http", "tool_count": len(tools), } clear_auth_url(server_id) # Tools changed (this can complete after connect_server already # returned, via the background OAuth flow), so bump the generation # to invalidate the tool-prompt cache. self._generation += 1 logger.info(f"MCP server connected: {name} ({server_id}) - {len(tools)} tools via http") return True except ImportError: logger.warning("MCP package not installed. Install with: pip install mcp") self._connections[server_id] = {"status": "error", "error": "mcp package not installed", "name": name} return False except Exception as e: logger.error(f"Failed to connect HTTP MCP server {name} ({server_id}): {e}") self._connections[server_id] = {"status": "error", "error": str(e), "name": name} return False async def disconnect_server(self, server_id: str): """Disconnect from an MCP server.""" # Cancel any in-flight HTTP/OAuth background connect so it stops # publishing status for a server that may be getting deleted. task = self._connect_tasks.pop(server_id, None) if task is not None and not task.done(): task.cancel() try: from src.mcp_oauth import clear_auth_url clear_auth_url(server_id) except Exception: pass stack = self._stacks.pop(server_id, None) if stack: try: await stack.aclose() except Exception as e: logger.warning(f"Error closing MCP server {server_id}: {e}") self._sessions.pop(server_id, None) self._tools.pop(server_id, None) self._connections.pop(server_id, None) self._generation += 1 logger.info(f"MCP server disconnected: {server_id}") async def disconnect_all(self): """Disconnect from all MCP servers.""" ids = list(self._sessions.keys()) for sid in ids: await self.disconnect_server(sid) async def connect_all_enabled(self): """Connect to all enabled MCP servers from the database.""" from src.database import McpServer, SessionLocal db = SessionLocal() try: servers = db.query(McpServer).filter(McpServer.is_enabled == True).all() for srv in servers: args = json.loads(srv.args) if srv.args else [] env = json.loads(srv.env) if srv.env else {} await self.connect_server( server_id=srv.id, name=srv.name, transport=srv.transport, command=srv.command, args=args, env=env, url=srv.url, ) finally: db.close() async def call_tool(self, qualified_name: str, arguments: Dict) -> Dict: """Call an MCP tool by its qualified name (mcp__{server_id}__{tool_name}). Returns a result dict compatible with agent_tools format. """ parts = qualified_name.split("__", 2) if len(parts) != 3 or parts[0] != "mcp": return {"error": f"Invalid MCP tool name: {qualified_name}", "exit_code": 1} server_id = parts[1] tool_name = parts[2] session = self._sessions.get(server_id) if not session: return {"error": f"MCP server not connected: {server_id}", "exit_code": 1} try: result = await self._do_call(session, tool_name, arguments) except Exception as e: # Auto-reconnect for builtin servers whose subprocess may have died if self.is_builtin(server_id): logger.warning(f"MCP call failed for {qualified_name}, attempting reconnect: {e}") reconnected = await self._reconnect_builtin(server_id) if reconnected: session = self._sessions.get(server_id) if session: try: result = await self._do_call(session, tool_name, arguments) except Exception as e2: logger.error(f"MCP tool call failed after reconnect: {qualified_name}: {e2}") return {"error": str(e2), "exit_code": 1} else: return {"error": f"Reconnected but no session for {server_id}", "exit_code": 1} else: logger.error(f"MCP reconnect failed for {server_id}") return {"error": f"MCP server crashed and reconnect failed: {server_id}", "exit_code": 1} else: logger.error(f"MCP tool call failed: {qualified_name}: {e}") return {"error": str(e), "exit_code": 1} return result async def _do_call(self, session, tool_name: str, arguments: Dict) -> Dict: """Execute a single MCP tool call and return result dict.""" result = await session.call_tool(tool_name, arguments) output_parts = [] images = [] for content in result.content: if hasattr(content, 'text'): output_parts.append(content.text) elif getattr(content, 'type', '') == 'image' and hasattr(content, 'data'): # Image content (e.g. Playwright screenshots) mime = getattr(content, 'mimeType', 'image/png') images.append({"data": content.data, "mimeType": mime}) output_parts.append(f"[Screenshot captured ({mime})]") elif hasattr(content, 'data'): output_parts.append(str(content.data)) output = "\n".join(output_parts) is_error = getattr(result, 'isError', False) result_dict = { "stdout": output if not is_error else "", "stderr": output if is_error else "", "exit_code": 1 if is_error else 0, } if images: result_dict["images"] = images return result_dict async def _reconnect_builtin(self, server_id: str) -> bool: """Tear down and reconnect a crashed builtin MCP server.""" import sys from src.builtin_mcp import _BUILTIN_SERVERS if server_id not in _BUILTIN_SERVERS: return False script_rel, name = _BUILTIN_SERVERS[server_id] base_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__))) script_path = os.path.join(base_dir, script_rel) # Clean up old connection await self.disconnect_server(server_id) try: ok = await self.connect_server( server_id=server_id, name=name, transport="stdio", command=sys.executable, args=[script_path], env={"PYTHONPATH": base_dir}, ) if ok: logger.info(f"Reconnected builtin MCP server: {name}") return ok except Exception as e: logger.error(f"Failed to reconnect builtin MCP server {name}: {e}") return False def get_all_openai_schemas(self, disabled_map: Optional[Dict[str, set]] = None) -> List[Dict]: """Return all MCP tools in OpenAI function-calling format. Tool names are namespaced as mcp__{server_id}__{tool_name}. disabled_map: optional {server_id: set_of_disabled_tool_names} to filter out. """ schemas = [] for server_id, tools in self._tools.items(): # Skip builtin Python servers — they use the code-block tool format # But include NPX-based builtins (like browser) which need function calling if self.is_builtin(server_id) and server_id != "builtin_browser": continue conn = self._connections.get(server_id, {}) server_name = conn.get("name", server_id) disabled = (disabled_map or {}).get(server_id, set()) identity = conn.get("identity", "") label = f"{server_name} ({identity})" if identity else server_name for tool in tools: if tool["name"] in disabled: continue qualified = f"mcp__{server_id}__{tool['name']}" schema = { "type": "function", "function": { "name": qualified, "description": f"[MCP:{label}] {tool['description']}", "parameters": tool.get("input_schema", {"type": "object", "properties": {}}), }, } schemas.append(schema) return schemas def get_all_tools(self, disabled_map: Optional[Dict[str, set]] = None) -> List[Dict]: """Return a flat list of all discovered tools with server info.""" result = [] for server_id, tools in self._tools.items(): conn = self._connections.get(server_id, {}) disabled = (disabled_map or {}).get(server_id, set()) for tool in tools: result.append({ "server_id": server_id, "server_name": conn.get("name", server_id), "name": tool["name"], "qualified_name": f"mcp__{server_id}__{tool['name']}", "description": tool.get("description", ""), "input_schema": tool.get("input_schema") or {}, "is_disabled": tool["name"] in disabled, }) return result def plan_mode_blocked_mcp(self) -> Tuple[Dict[str, Set[str]], Set[str]]: """Plan mode: block every MCP tool that isn't clearly read-only. Returns (disabled_map, qualified_names): - disabled_map: {server_id: {tool_name, ...}} to hide write tools from the prompt/schemas (merged into the existing mcp_disabled_map). - qualified_names: {"mcp____", ...} for runtime rejection in execute_tool_block (which matches the qualified name). """ disabled_map: Dict[str, Set[str]] = {} qualified: Set[str] = set() for server_id, tools in self._tools.items(): for tool in tools: if not mcp_tool_is_readonly(tool): disabled_map.setdefault(server_id, set()).add(tool["name"]) qualified.add(f"mcp__{server_id}__{tool['name']}") return disabled_map, qualified def is_builtin(self, server_id: str) -> bool: """Check if a server is a built-in (auto-registered) server.""" return server_id.startswith("builtin_") or server_id in { "image_gen", "memory", "rag", "email", } def get_server_status(self, server_id: str) -> Dict: """Get connection status for a server.""" return self._connections.get(server_id, {"status": "disconnected"}) def get_all_statuses(self) -> Dict[str, Dict]: """Get connection statuses for all servers.""" return dict(self._connections) _cached_prompt_desc = None _cached_prompt_desc_key = None def get_tool_descriptions_for_prompt(self, disabled_map: Optional[Dict[str, set]] = None) -> str: """Generate text describing MCP tools for the agent system prompt. Cached.""" cache_key = ( frozenset((k, frozenset(v)) for k, v in (disabled_map or {}).items()), len(self._tools), self._generation, ) if self._cached_prompt_desc is not None and self._cached_prompt_desc_key == cache_key: return self._cached_prompt_desc tools = self.get_all_tools(disabled_map) if not tools: return "" lines = ["\n\nYou also have access to external MCP tool servers. These tools are called via native function calling:"] by_server = {} for t in tools: # Skip builtin Python servers — they're already in the agent prompt # But include NPX-based builtins (like browser) which aren't hardcoded if self.is_builtin(t["server_id"]) and t["server_id"] != "builtin_browser": continue if t.get("is_disabled"): continue sn = t["server_name"] if sn not in by_server: by_server[sn] = [] by_server[sn].append(t) if not by_server: return "" for server_name, server_tools in by_server.items(): # Include identity (e.g. email address) if available sid = server_tools[0]["server_id"] if server_tools else "" identity = self._connections.get(sid, {}).get("identity", "") label = f"{server_name} ({identity})" if identity else server_name lines.append(f"\n**{label}:**") for t in server_tools: # Truncate long descriptions desc = t['description'][:120] + '...' if len(t['description']) > 120 else t['description'] # Include the tool's declared inputs so the model calls it with # real argument names instead of guessing from the description # alone (issue #2509). args_hint = _format_mcp_params(t.get("input_schema")) lines.append(f" - {t['qualified_name']}: {desc}{args_hint}") result = "\n".join(lines) self._cached_prompt_desc = result self._cached_prompt_desc_key = cache_key return result