docs(rfc-003): canonical MCP implementation blueprint (omnigraph-mcp crate)

[ragnorc]

Summary

Updates RFC-003 into the authoritative, build-from-scratch spec for the in-server MCP surface, with a dedicated omnigraph-mcp crate from the start. Docs-only (one file); no code.

A reference implementation shipped in #157 (it proved rmcp 1.7 integrates on edition 2024, the auth-extension passthrough works, the conformance MUSTs are met, and the surface splits cleanly into a transport crate + a server backend). This RFC folds those learnings into a clean spec so the surface can be implemented properly from main with the crate baked in — not retrofitted.

What's in the new "Implementation Blueprint" (B.1–B.13)

A self-contained, ordered build guide:

• B.1 Crate architecture + dependency rule — crates/omnigraph-mcp (rmcp Streamable-HTTP transport + an McpBackend trait + rmcp re-exports); omnigraph-server depends on it and implements the trait. The dependency must go server → mcp (a mcp → server dep cycles at the package level: server-bin → mcp → server-lib). The trait inverts the direction, so the crate never names an omnigraph type.
• B.2–B.3 Seam + transport — the &http::request::Parts passthrough (how the server-injected ResolvedActor / GraphHandle reach the backend), and the verified rmcp config that gives GET→405, Origin→403, and MCP-Protocol-Version validation for free.
• B.4 Backend reuse — factor 10 thin do_* fns; reuse run_query/run_mutate/authorize/api::query_catalog_entry/ApiError.
• B.5–B.9 — the 13-tool catalog + Cedar mapping, ParamKind → JSON Schema, deny-masking + isError split, stored-query double-gate, two resources.
• B.10 Routing (resolved) — per-graph /mcp; graphs_list / omnigraph://graphs dropped from MCP (graph discovery stays REST-only via GET /graphs); explicitly rules out a single flat /mcp with graph_id-in-call (breaks per-graph stored-query listing + isolation).
• B.11 Auth — the decoupling invariant + a client-compatibility matrix (static bearer works for Claude Code / Cursor / VS Code / the API connector; claude.ai web + ChatGPT need the OAuth/RFC-9728 fast-follow).
• B.12–B.13 — test plan + verification (cargo tree | grep rmcp confirms rmcp is not a direct server dep), and the locked decisions (resolves the Open Questions).

Housekeeping in the same edit

• Marked the old "Reconciliation with shipped code" section as pre-MCP history.
• Marked the §5 sketches as design rationale (superseded by the Blueprint where they differ — e.g. the per-tool McpTool trait became a Builtin enum + the McpBackend crate trait).
• Resolved the Open Questions inline.

Relationship to #157

#157 is the working reference implementation (in-server MCP without the crate split). This RFC is the spec for the clean version; the implementation will be built on a fresh branch from main following B.1–B.13, cribbing from #157.

---

Note

Low Risk
Documentation-only change to a single RFC file; no runtime, auth, or deployment behavior is modified. The only follow-up risk is a minor spec inconsistency in the §15 routing example versus the documented mcp_router arity.

Overview
Rewrites RFC-003 from a shorter “Proposed” sketch into a buildable v0.8.x spec for in-server MCP on Streamable HTTP (MCP 2025-11-25, rmcp 1.7), folding in reference work from #157.

The doc now centers a omnigraph-mcp crate (McpBackend + stateless transport) with omnigraph-server → omnigraph-mcp dependency direction, &http::request::Parts extension passthrough for ResolvedActor / GraphHandle, and server-side OmnigraphMcpBackend dispatch that reuses existing authorize, run_query, run_mutate, and stored-query gates.

Behavioral/product decisions are locked or reframed: domain-qualified tool ids (e.g. graph_query), explicit ToolAnnotations, per_query vs meta stored-query projection with auto threshold, structuredContent + outputSchema, SEP-1303-style classify error mapping, deny-masking for unknown/denied tools, per-graph /mcp routing with no graphs_list / omnigraph://graphs on MCP (discovery via GET /graphs only), plus provider/auth matrices (static bearer Phase 1, OAuth/RFC 9728 Phase 2, PRM config-gated for #59467).

Adds rollout, test/verification plans, and defers per-query InvokeQuery scope and stdio→HTTP proxy collapse. Note: the §15 build_app snippet shows mcp::mcp_router(state.clone()) while the prose documents a three-arg host_policy_from_bind wrapper—implementers should follow the full signature in §7/§15 text.

^{Reviewed by Cursor Bugbot for commit de9e28e. Bugbot is set up for automated code reviews on this repo. Configure here.}

Greptile Summary

Promotes RFC-003 from "Proposed" to the canonical, authoritative build spec for a clean omnigraph-mcp crate implementation, folding in every verified decision from the reference work in #157. One concrete spec inconsistency was found.

• Implementation Blueprint (B.1–B.13) is the bulk of the addition: it specifies the crate split (omnigraph-mcp transport + omnigraph-server backend), the McpBackend trait seam using &http::request::Parts for auth passthrough, host/origin policy derived from deployment context, the 13-tool Cedar-mapped catalog, stored-query projection, classify error mapping, and a full test/verification plan.
• Housekeeping: the old Reconciliation section is marked historical, §5 is reframed as superseded design rationale, Open Questions are resolved inline pointing to B.13, and the stdio package figures are refreshed to v0.6.1 / 16 tools.
• Spec inconsistency: B.4's mcp_router call site passes only two arguments while B.3 defines the function with three (backend, body_limit, hosts: McpHostPolicy); following B.4 literally would produce a compile error.

Confidence Score: 4/5

Documentation-only change; safe to merge with the B.4 call-site inconsistency corrected before the implementation branch begins.

The only changed file is an RFC markdown document with no runtime impact. The spec is internally consistent except for one call site in B.4 that omits the required hosts: McpHostPolicy argument that B.3 defines — an implementer following that example verbatim would hit a compile error at the first build. No code, migrations, or configs are modified.

docs/dev/rfc-003-mcp-server-surface.md — the B.4 mcp_router call site needs the hosts argument added before implementation begins.

Important Files Changed

Filename	Overview
docs/dev/rfc-003-mcp-server-surface.md	Comprehensive implementation blueprint (B.1–B.13) added for the omnigraph-mcp crate; one spec inconsistency: B.4's example call to mcp_router omits the required hosts: McpHostPolicy third argument defined in B.3

Sequence Diagram

sequenceDiagram
    participant Client as MCP Client
    participant Middleware as Auth Middleware
    participant McpCrate as omnigraph-mcp McpService
    participant Backend as OmnigraphMcpBackend
    participant Cedar as Cedar Policy Engine
    participant Engine as Graph Engine

    Client->>Middleware: "POST /graphs/{id}/mcp Authorization: Bearer"
    Middleware->>McpCrate: "Extensions: ResolvedActor + Arc<GraphHandle>"
    McpCrate->>Backend: call_tool(parts, name, args)
    Backend->>Cedar: authorize(PolicyAction, actor, branch)
    Cedar-->>Backend: "Allowed | Denied"
    alt Denied
        Backend-->>McpCrate: -32602 unknown tool
    else Allowed
        Backend->>Engine: "do_* / run_query"
        Engine-->>Backend: "Ok(result) | Err(ApiError)"
        Backend->>Backend: classify(result)
        Backend-->>McpCrate: "CallToolResult | McpError"
    end
    McpCrate-->>Client: JSON-RPC response

Loading

_{Reviews (2): Last reviewed commit: "docs(rfc-003): correct-by-construction f..." | Re-trigger Greptile}

Greptile also left 1 inline comment on this PR.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 3009564437

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Configure allowed hosts for non-loopback MCP deployments

In any remote or cloud deployment, keeping rmcp's default allowed_hosts makes /mcp reject valid clients before bearer auth, because rmcp 1.7 defaults Host validation to loopback authorities only (localhost, 127.0.0.1, ::1). This RFC explicitly targets remotely reachable MCP clients, so the blueprint should require a server-configured allowed-host allowlist (or a documented reverse-proxy Host validation setup) instead of preserving the loopback default.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Reconcile the stale rollout with locked decisions

These locked decisions conflict with the still-active Rollout and Testing sections below, which continue to tell implementers to ship graphs_list, read/change aliases, a server-level /mcp, and an mcp.allow_adhoc switch. Since the status says the blueprint only supersedes the older §5 sketches, someone following the Rollout section would build surface area this canonical section says was dropped; please update those later sections or explicitly mark them historical too.

Useful? React with 👍 / 👎.

[ragnorc]

Addressed the valid review findings as correct-by-construction fixes (commit 2ade97f) so a from-scratch build can't reintroduce them:

• allowed_hosts loopback-only → 403s remote clients (codex/greptile here; cursor/devin on feat(server): in-server MCP surface over Streamable HTTP (RFC-003) #157): host/origin policy is now derived from the server bind + config (B.3.1), never rmcp's fixed loopback default. Loopback bind → loopback hosts; non-loopback → configured public host, else Host-allowlisting off (bearer + Origin are the controls).
• stored-query branch/snapshot param collision (feat(server): in-server MCP surface over Streamable HTTP (RFC-003) #157: cursor High, greptile P1, devin): params nested under a params object (B.6/B.7), mirroring POST /queries/{name} — the knobs and query params are separate namespaces, so collision is unrepresentable. Mutation tools omit snapshot + additionalProperties:false, so "mutation against a snapshot" is unrepresentable (vs silently dropped).
• 5xx surfaced as isError (feat(server): in-server MCP surface over Streamable HTTP (RFC-003) #157): one canonical classify(Result<_, ApiError>) for tool errors (B.8) — 5xx → JSON-RPC, 4xx/409 → isError; no second mapper to drift.
• vector_dim: None → 0-length-array schema (feat(server): in-server MCP surface over Streamable HTTP (RFC-003) #157): dim made intrinsic to the Vector kind (B.7); unwrap_or(0) can't exist.
• branch-scope preflight hides callable tools (codex on feat(server): in-server MCP surface over Streamable HTTP (RFC-003) #157): list visibility now uses the call-path default-branch authorization, not a branch: None probe (B.8).
• stale Rollout/Testing + Summary count (codex/greptile here): reconciled with banners pointing at B.12/B.4/B.13 and the count corrected.

The "missing server.md MCP section" finding was stale — reviewers saw commit 94bbf67, before the docs commit added it.

[greptile-apps]

B.4 call site missing hosts: McpHostPolicy argument

The mcp_router function defined in B.3 has the signature pub fn mcp_router<B: McpBackend>(backend: B, body_limit: usize, hosts: McpHostPolicy) -> axum::Router (three parameters), but the mounting example in B.4 only passes two: omnigraph_mcp::mcp_router(OmnigraphMcpBackend::new(state), INGEST_REQUEST_BODY_LIMIT_BYTES). The hosts: McpHostPolicy argument is absent. An implementer following B.4 verbatim would get a Rust compile error at that call site. The call should be updated to pass the McpHostPolicy computed at startup per B.3.1 — for example omnigraph_mcp::mcp_router(OmnigraphMcpBackend::new(state), INGEST_REQUEST_BODY_LIMIT_BYTES, McpHostPolicy::from_bind_config(&state.config)).

[greptile-apps]

ragnorc has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.

[greptile-apps]

ragnorc has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.

[cursor]

Cursor Bugbot has reviewed your changes and found 2 potential issues.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 20233a3. Configure here.}

[cursor]

Server-scoped health contradicts routing

Medium Severity

The tool catalog still lists health as server-scoped MCP, while routing and locked decisions require every MCP tool to be graph-scoped with no server-level /mcp. Unlike graphs_list, which was dropped for the same reason, health has no mount point—implementers cannot satisfy both sections without guessing intent.

Additional Locations (2)

• docs/dev/rfc-003-mcp-server-surface.md#L662-L667
• docs/dev/rfc-003-mcp-server-surface.md#L715-L716

 

^{Reviewed by Cursor Bugbot for commit 20233a3. Configure here.}

[cursor]

Meta list tool lacks Cedar mapping

Medium Severity

In meta stored-query mode the spec adds stored_query_list alongside stored_query_run, but the Cedar mapping table only authorizes stored_query_run. Listing can expose query names and descriptions without a defined InvokeQuery (or equivalent) gate for the list tool.

Additional Locations (1)

• docs/dev/rfc-003-mcp-server-surface.md#L439-L440

 

^{Reviewed by Cursor Bugbot for commit 20233a3. Configure here.}

[greptile-apps]

ragnorc has reached the 50-review limit for trial accounts. To continue receiving code reviews, upgrade your plan.