fix: route ResourcesAsTools/PromptsAsTools through server middleware#3495
fix: route ResourcesAsTools/PromptsAsTools through server middleware#3495
Conversation
…or non-FastMCP providers 🤖 Co-authored-by: Claude <[email protected]>
jlowin
added
the
bug
marvin-context-protocol
Bot
added
server
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
…er wrappers Co-authored-by: Claude <[email protected]>
Test Failure Analysis
Summary: Root Cause: The PR adds a new # directory_provider.py
async def _list_resources(self) -> Sequence[Resource]:
await self._ensure_discovered() # <-- re-scans directory on reload=True
return await super()._list_resources()Before this PR, Suggested Solution: Override the public # src/fastmcp/server/providers/skills/directory_provider.py
async def list_resources(self, *, _scope=None) -> Sequence[Resource]:
await self._ensure_discovered()
return await super().list_resources(_scope=_scope)
async def list_resource_templates(self, *, _scope=None) -> Sequence[ResourceTemplate]:
await self._ensure_discovered()
return await super().list_resource_templates(_scope=_scope)The private Detailed AnalysisFailing test and error: The test creates a Call chain before this PR: Call chain after this PR: Affected platforms: All (lowest-direct deps / Python 3.10 ubuntu / Python 3.13 ubuntu / Python 3.10 windows). Related Files
|
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
jlowin
added
the
security
Instead of manually reimplementing auth, visibility, and session transforms in the transform layer, tool functions now call ctx.fastmcp.read_resource() / ctx.fastmcp.render_prompt() which routes through the server's full middleware chain. This matches the pattern CodeMode uses with ctx.fastmcp.call_tool(). The isinstance(provider, FastMCP) branching is removed entirely.
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
AggregateProvider can now filter which child providers to query when listing components. ResourcesAsTools and PromptsAsTools use this to scope listings to their configured provider while still routing through ctx.fastmcp for full middleware coverage. The scope matching walks wrapped providers, so a WrappedProvider(Namespace, inner=MyProvider) matches if MyProvider is in the scope list.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 191d52d1b9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if isinstance(provider, _WrappedProvider): | ||
| return _provider_matches_scope(provider._inner, scope) |
There was a problem hiding this comment.
_provider_matches_scope only peels _WrappedProvider, but AggregateProvider.add_provider wraps FastMCP inputs in FastMCPProvider; as a result, scoped calls like ctx.fastmcp.list_resources(_scope=[child_fastmcp])/list_prompts never match that child and return empty lists. This breaks ResourcesAsTools(child_fastmcp) and PromptsAsTools(child_fastmcp) for aggregated FastMCP subservers (including namespaced ones), so valid components disappear from tool listings.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8841654f6e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if isinstance(provider, _WrappedProvider): | ||
| return _provider_matches_scope(provider._inner, scope) | ||
| if isinstance(provider, FastMCPProvider): | ||
| return provider.server in scope | ||
| return False |
There was a problem hiding this comment.
_provider_matches_scope only unwraps _WrappedProvider and FastMCPProvider before returning False, so scoped listings cannot match providers that are nested under another AggregateProvider. In a server that mounts AggregateProvider([p1, p2]), calls like ctx.fastmcp.list_resources(_scope=[p1]) (and the parallel prompt/template list calls) return nothing, which breaks ResourcesAsTools(p1)/PromptsAsTools(p1) for nested-provider topologies that previously worked when transforms queried p1 directly.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: d1382a70bf
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| return await super().list_resources() | ||
| providers = self._providers_for_scope(_scope) | ||
| results = await gather( | ||
| *[p.list_resources() for p in providers], |
There was a problem hiding this comment.
When _scope matches a provider nested inside another AggregateProvider, _providers_for_scope keeps only the parent aggregate, but list_resources then calls p.list_resources() without passing _scope, so the child aggregate returns all of its providers instead of the scoped subset. This makes scoped listings leak sibling resources (and the same pattern in list_resource_templates/list_prompts leaks templates and prompts), which breaks provider isolation for transforms like ResourcesAsTools(provider) in nested aggregate topologies.
Useful? React with 👍 / 👎.
Reverts the _scope parameter from Provider/AggregateProvider/Server. ResourcesAsTools and PromptsAsTools now simply route through ctx.fastmcp for all operations. Apply to a FastMCP server instance for proper auth/visibility/middleware coverage. Tests rewritten to use FastMCP server directly instead of raw providers.
jlowin
changed the title
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 279948ed39
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| resources = await provider.list_resources() | ||
| templates = await provider.list_resource_templates() | ||
| ctx = get_context() | ||
| resources = await ctx.fastmcp.list_resources() |
There was a problem hiding this comment.
ResourcesAsTools(provider) no longer uses provider at runtime and always calls ctx.fastmcp, so in multi-provider servers the generated list_resources/read_resource tools can expose resources from sibling providers that were not intended to be bridged by this transform instance. I verified this by attaching ResourcesAsTools(p1) to a server with p1 and p2: list_resources returned both providers’ URIs.
Useful? React with 👍 / 👎.
| """ | ||
| prompts = await provider.list_prompts() | ||
| ctx = get_context() | ||
| prompts = await ctx.fastmcp.list_prompts() |
There was a problem hiding this comment.
PromptsAsTools(provider) now ignores the passed provider and queries ctx.fastmcp directly, so list_prompts/get_prompt can surface prompts from other mounted providers when the server hosts more than one provider. In practice this breaks provider isolation for transform instances that were configured to expose only a specific provider’s prompts.
Useful? React with 👍 / 👎.
jlowin
added
the
breaking change
Co-authored-by: Claude Opus 4.6 <[email protected]> Co-authored-by: Jeremiah Lowin <[email protected]> Co-authored-by: Marvin Context Protocol <41898282+Marvin Context [email protected]> Co-authored-by: voidborne-d <[email protected]> Co-authored-by: marvin-context-protocol[bot] <225465937+marvin-context-protocol[bot]@users.noreply.github.com> Co-authored-by: Claude <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: d 🔹 <[email protected]> Co-authored-by: Jeremiah Lowin <[email protected]> Co-authored-by: nightcityblade <[email protected]> Co-authored-by: Claude Opus 4.6 (1M context) <[email protected]> Co-authored-by: Claude Sonnet 4.6 <[email protected]> Co-authored-by: Bill Easton <[email protected]> Co-authored-by: Sumanshu Nankana <[email protected]> Co-authored-by: Eric Robinson <[email protected]> Co-authored-by: Martim Santos <[email protected]> Co-authored-by: d 🔹 <[email protected]> Co-authored-by: Matthieu B <[email protected]> Co-authored-by: Sascha Buehrle <[email protected]> Co-authored-by: Hakancan <[email protected]> Co-authored-by: nightcityblade <[email protected]> Co-authored-by: Matt Hallowell <[email protected]> Co-authored-by: nate nowack <[email protected]> Co-authored-by: Bill Easton <[email protected]> Co-authored-by: Marcus Shu <[email protected]> Co-authored-by: Rushabh Doshi <[email protected]> Co-authored-by: AIKAWA Shigechika <[email protected]> Co-authored-by: Jeremy Simon <[email protected]> Co-authored-by: Miguel Miranda Dias <[email protected]> Co-authored-by: Anthony James Padavano <[email protected]> Co-authored-by: Mostafa Kamal <[email protected]> Fix auto-close MRE script posting comment without closing (#3386) Fix WorkOS token scope verification bypass 🤖 Generated with Codex (#3407) Fix initialize McpError fallthrough 🤖 Generated with Codex (#3413) Fix transform arg collisions with passthrough params (#3431) Fix get_* returning None when latest version is disabled (#3439) Fix get_* returning None when latest version is disabled (#3421) Fix server lifespan overlap teardown (#3415) Fix $ref output schema object detection regression (#3420) resolved annotations (#3429) Fix async partial callables rejected by iscoroutinefunction (#3438) Fix async partial callables rejected by iscoroutinefunction (#3423) fix: add version to components (#3458) fix: use intent-based flag for OIDC scope patch in load_access_token (#3465) Fixes #3461 fix: normalize Google scope shorthands and surface valid_scopes (#3477) fix: resolve ty 0.0.23 type-checking errors and bump pin (#3481) fix: shield lifespan teardown from cancellation (#3480) fix: forward custom_route endpoints from mounted servers (#3462) fix updates _get_additional_http_routes() to traverse providers, Fixes #3457 fix: remove hardcoded version from CLI help text (#3456) fix: monty 0.0.8 compatibility, drop external_functions from constructor (#3468) fix: task test teardown hanging 5s per test (#3499) Closes #3498 fix: validate workspace path is a directory before cursor install (#3440) Fixes #3426 fix: handle re.error from malformed URI templates in build_regex (#3501) fix: reject empty/OIDC-only required_scopes in AzureProvider (#3503) fix: restrict $ref resolution to local refs only (SSRF/LFI) (#3502) fix warnings and timeouts (#3504) close upgrade check issue when build passes (#3505) Closes #3484 fix: URL-encode path params to prevent SSRF/path traversal (GHSA-vv7q-7jx5-f767) (#3507) fix: prevent path traversal in skill download (#3493) fix: prefer IdP-granted scopes over client-requested scopes in OAuthProxy (#3492) fix: remove unrelated transform and http.py changes from PR scope fix: remove forced follow_redirects from httpx_client_factory calls (#3496) fix: stop passing follow_redirects to httpx_client_factory fix: restore follow_redirects=True for custom httpx client factories Closes #3509 fix: CSRF double-submit cookie check in consent flow (#3519) fix: validate server names in install commands (#3522) fix: use raw strings for regex in pytest.raises match (#3523) fix: reject refresh tokens used as Bearer access tokens (#3524) fix: route ResourcesAsTools/PromptsAsTools through server middleware (#3495) fix: resolve Pyright "Module is not callable" on @tool, @resource, @prompt decorators (#3540) fix: filter warnings by message in KEY_PREFIX test (#3549) fix: suppress output schema for ToolResult subclass annotations (#3548) fix: increase sleep duration in proxy cache tests (#3567) fix: store absolute token expiry to prevent stale expires_in on reload (#3572) fix: preserve tool properties named 'title' during schema compression (#3582) Fix loopback redirect URI port matching per RFC 8252 §7.3 (#3589) Fix app tool routing: visibility check and middleware propagation (#3591) Fix query parameter serialization to respect OpenAPI explode/style settings (#3595) Fix dev apps form: union types, textarea support, JSON parsing (#3597) fix(google): replace deprecated /oauth2/v1/tokeninfo with /oauth2/v3/userinfo (#3603) fix: resolve EntraOBOToken dependency injection through MultiAuth (#3609) fix(docs): correct misleading stateless_http header (#3622) fix: filesystem provider import machinery (#3626) Closes #3625 (issues 2, 3, 6) fix: recover StdioTransport after subprocess exits (#3630) fix(server): preserve mounted tool task metadata (#3632) fix: scope deprecation warning filter to FastMCPDeprecationWarning (#3649) fix imports, add PrefabAppConfig (#3650) fix: resolve CurrentFastMCP/ctx.fastmcp to child server in mounted background tasks (#3651) Fix blocking docs issues: chart imports, Select API, Rx consistency (#3652) closed by default (#3657) Fix prompt caching middleware missing wrap/unwrap round-trip (#3666) fix: serialize object query params per OpenAPI style/explode rules (#3662) Fixes #2857 fix: HTTP request headers not accessible in background task workers (#3631) fix: restore HTTP headers in worker execution path for background tasks (#3681) fix: strip discriminator after dereferencing schemas (#3682) fix: remove stale ty:ignore directives for ty 0.0.26 (#3684) Fix docs gaps in app provider pages (#3690) fix: dev apps log panel UX improvements (#3698) fix dev server empty string args (#3700)
1 participant
ResourcesAsTools and PromptsAsTools previously called provider methods directly, bypassing the server's auth, visibility, and middleware chain. This meant auth-protected or disabled resources/prompts could be accessed through the auto-generated tools.
The fix routes all runtime operations through
ctx.fastmcp— the same pattern CodeMode uses withctx.fastmcp.call_tool(). Listing callsctx.fastmcp.list_resources()/ctx.fastmcp.list_prompts(), and reads callctx.fastmcp.read_resource()/ctx.fastmcp.render_prompt(). The server's full middleware chain fires for every operation.Breaking change:
ResourcesAsToolsandPromptsAsToolsnow require a FastMCP server instance and will raiseTypeErrorif passed a raw Provider. This is unlikely to affect most users since the documented pattern has always beenResourcesAsTools(mcp), but code that passed a plain Provider will need to wrap it in a FastMCP server first.