Hi maintainers,
Per CONTRIBUTING.md ("PRs are for execution, not exploration"), opening an issue first to gauge appetite before writing code.
Question
Would the maintainers accept an examples/snippets/security/ directory with a single self-contained file that demonstrates how to scan MCP tool responses through a detection-rule callback before they reach the client?
The intended file would:
- Be additive only (new file under
examples/, no changes to SDK core or existing examples)
- Use the MCP Server API only (no SDK-internal hooks)
- Depend on one optional third-party package (
pip install pyatr) for the rule engine itself; not added to the SDK's own requirements
- Pass ruff + the existing example file conventions
Why this might be in scope
Production MCP deployments increasingly need a tool-response scanning hook for prompt-injection / tool-poisoning detection. The example would not advocate for any single detection product. The same pattern works with any callable detector. Showing the wiring once removes a class of "how do I plug security in" questions.
Reference for the rule engine
I maintain ATR (Agent Threat Rules), an MIT-licensed open detection rule format. It is in production at Microsoft Agent Governance Toolkit (PRs #908 and #1277, both merged) and Cisco AI Defense skill-scanner (PRs #79 and #99, both merged), and integrated into MISP/CIRCL via misp-taxonomies #323 and misp-galaxy #1207 (both merged by @adulau).
Repo: https://github.com/Agent-Threat-Rule/agent-threat-rules
If you say yes
I will draft the PR and link it back to this issue. Self-contained, ~80 lines including docstring, no SDK changes.
If you say no
Totally fine. I will not push a PR or follow up.
Hi maintainers,
Per CONTRIBUTING.md ("PRs are for execution, not exploration"), opening an issue first to gauge appetite before writing code.
Question
Would the maintainers accept an
examples/snippets/security/directory with a single self-contained file that demonstrates how to scan MCP tool responses through a detection-rule callback before they reach the client?The intended file would:
examples/, no changes to SDK core or existing examples)pip install pyatr) for the rule engine itself; not added to the SDK's own requirementsWhy this might be in scope
Production MCP deployments increasingly need a tool-response scanning hook for prompt-injection / tool-poisoning detection. The example would not advocate for any single detection product. The same pattern works with any callable detector. Showing the wiring once removes a class of "how do I plug security in" questions.
Reference for the rule engine
I maintain ATR (Agent Threat Rules), an MIT-licensed open detection rule format. It is in production at Microsoft Agent Governance Toolkit (PRs #908 and #1277, both merged) and Cisco AI Defense skill-scanner (PRs #79 and #99, both merged), and integrated into MISP/CIRCL via misp-taxonomies #323 and misp-galaxy #1207 (both merged by @adulau).
Repo: https://github.com/Agent-Threat-Rule/agent-threat-rules
If you say yes
I will draft the PR and link it back to this issue. Self-contained, ~80 lines including docstring, no SDK changes.
If you say no
Totally fine. I will not push a PR or follow up.