@botbotgo/agent-harness 0.0.161 → 0.0.163

package/README.md

@@ -578,6 +578,7 @@ Example workspaces:
 
 Workspace-local tool modules in `resources/tools/` should be exported with `tool({...})`.
 Any other local module shape is not supported, and unsupported shapes are rejected at load time.
+When a local function tool declares its schema in the module, runtime governance treats that module-defined schema as the source of truth; duplicating it into YAML `inputSchema.ref` is optional rather than required for schema-bound metadata.
 When local tools use Zod-authored schemas, keep the workspace or isolated `resources` package on `zod@^4` so raw-shape validators and runtime parsing stay on one supported major version.
 
 Default wiring guidance:
@@ -911,3 +912,4 @@ ACP transport notes:
 - `serveAcpStdio(runtime)` exposes newline-delimited JSON-RPC over stdio for local IDE, CLI, or subprocess clients.
 - `serveAcpHttp(runtime)` exposes JSON-RPC over HTTP plus SSE runtime events so remote operator surfaces can connect without importing the runtime in-process.
 - `exportRunPackage(...)` and `exportSessionPackage(...)` package stable runtime records, transcript, approvals, events, and artifacts for operator tooling without reaching into persistence internals.
+- `runtime/default.governance.remoteMcp` can now deny or allow specific MCP servers, raise approval requirements by transport, and stamp transport-based risk tiers into runtime governance bundles.

package/README.zh.md

@@ -542,6 +542,7 @@ await stop(runtime);
 
 `resources/tools/` 下的工作区本地工具模块应统一用 `tool({...})` 导出。
 不支持历史/兼容写法，任何不带该导出形式的工具模块都会在工作区加载时被拒绝。
+本地 function tool 如果在模块里声明了 schema，runtime governance 会直接把该模块 schema 视为事实来源；不需要为了 schema-bound 元数据再额外复制一份 YAML `inputSchema.ref`。
 若本地工具使用 Zod schema，请让工作区或隔离的 `resources` 包统一使用 `zod@^4`，避免 raw shape validator 与 runtime 解析落在不同 major 版本上。
 
 主要有三层配置：
@@ -870,3 +871,4 @@ ACP transport 说明：
 - `serveAcpStdio(runtime)` 提供基于 stdio 的 newline-delimited JSON-RPC，适合本地 IDE、CLI 或子进程客户端。
 - `serveAcpHttp(runtime)` 提供基于 HTTP 的 JSON-RPC 与 SSE runtime events，适合远程 operator surface 或独立控制面接入。
 - `exportRunPackage(...)` 与 `exportSessionPackage(...)` 可把稳定 runtime 记录、transcript、approvals、events 和 artifacts 打包给 operator tooling，而不必直接访问 persistence 内部实现。
+- `runtime/default.governance.remoteMcp` 现在可以按 MCP server 或 transport 做 allow/deny、审批升级，并把 transport 风险等级写进 runtime governance bundles。

package/dist/contracts/runtime.d.ts

@@ -102,6 +102,8 @@ export type RuntimeGovernanceToolPolicy = {
     toolId: string;
     toolType: string;
     category: "local" | "backend" | "mcp" | "provider-native";
+    mcpServerRef?: string;
+    mcpTransport?: string;
     risk: RuntimeGovernanceRiskLevel;
     requiresApproval: boolean;
     approvalPolicy: "explicit-hitl" | "runtime-default" | "none";

package/dist/contracts/workspace.d.ts

@@ -83,6 +83,7 @@ export type ParsedToolObject = {
     config?: Record<string, unknown>;
     subprocess?: boolean;
     inputSchemaRef?: string;
+    hasModuleSchema?: boolean;
     embeddingModelRef?: string;
     backendOperation?: string;
     mcpRef?: string;
@@ -132,6 +133,7 @@ export type CompiledTool = {
     config?: Record<string, unknown>;
     subprocess?: boolean;
     inputSchemaRef?: string;
+    hasModuleSchema?: boolean;
     embeddingModelRef?: string;
     backendOperation?: string;
     mcpRef?: string;

package/dist/extensions.js

@@ -124,6 +124,7 @@ registerToolKind({
                 config: tool.config,
                 subprocess: tool.subprocess,
                 inputSchemaRef: tool.inputSchemaRef,
+                hasModuleSchema: tool.hasModuleSchema,
                 embeddingModelRef: tool.embeddingModelRef,
                 bundleRefs: [],
                 hitl: tool.hitl
@@ -158,6 +159,7 @@ registerToolKind({
                 config: tool.config,
                 subprocess: tool.subprocess,
                 inputSchemaRef: tool.inputSchemaRef,
+                hasModuleSchema: tool.hasModuleSchema,
                 embeddingModelRef: tool.embeddingModelRef,
                 backendOperation: tool.backendOperation,
                 bundleRefs: [],
@@ -193,6 +195,7 @@ registerToolKind({
                 config: tool.config,
                 subprocess: tool.subprocess,
                 inputSchemaRef: tool.inputSchemaRef,
+                hasModuleSchema: tool.hasModuleSchema,
                 embeddingModelRef: tool.embeddingModelRef,
                 mcpRef: tool.mcpRef,
                 bundleRefs: [],
@@ -234,6 +237,7 @@ registerToolKind({
                 config: tool.config,
                 subprocess: tool.subprocess,
                 inputSchemaRef: tool.inputSchemaRef,
+                hasModuleSchema: tool.hasModuleSchema,
                 embeddingModelRef: tool.embeddingModelRef,
                 bundleRefs: [],
                 hitl: tool.hitl

package/dist/package-version.d.ts

@@ -1 +1 @@
-export declare const AGENT_HARNESS_VERSION = "0.0.160";
+export declare const AGENT_HARNESS_VERSION = "0.0.162";

package/dist/package-version.js

@@ -1 +1 @@
-export const AGENT_HARNESS_VERSION = "0.0.160";
+export const AGENT_HARNESS_VERSION = "0.0.162";

package/dist/runtime/harness/bindings.js

@@ -1,6 +1,7 @@
 import { resolveBindingTimeout, resolveProviderRetryPolicy, resolveStreamIdleTimeout } from "../adapter/resilience.js";
 import { toolRequiresRuntimeApproval } from "../adapter/tool/tool-hitl.js";
 import { getBindingPrimaryTools } from "../support/compiled-binding.js";
+import { compiledToolHasInputSchema } from "./tool-schema.js";
 export function getWorkspaceBinding(workspace, agentId) {
     return workspace.bindings.get(agentId);
 }
@@ -29,7 +30,7 @@ export function projectBindingToolExecutionPolicy(binding) {
         toolId: tool.id,
         name: tool.name,
         retryable: tool.retryable === true,
-        hasInputSchema: typeof tool.inputSchemaRef === "string" && tool.inputSchemaRef.trim().length > 0,
+        hasInputSchema: compiledToolHasInputSchema(tool),
         requiresApproval: toolRequiresRuntimeApproval(tool),
     }));
     const retryableToolCount = projectedTools.filter((tool) => tool.retryable).length;

package/dist/runtime/harness/run/governance.js

@@ -1,5 +1,6 @@
 import { getBindingPrimaryTools } from "../../support/compiled-binding.js";
 import { toolRequiresRuntimeApproval } from "../../adapter/tool/tool-hitl.js";
+import { compiledToolHasInputSchema } from "../tool-schema.js";
 const WRITE_LIKE_PATTERN = /\b(write|edit|delete|create|update|append|insert|push|commit|publish|send|post|apply|merge|sync|upload|save)\b/i;
 function inputHints(binding, tool) {
     const hints = new Set();
@@ -57,6 +58,25 @@ function readRisk(value) {
 function readApprovalPolicy(value) {
     return value === "explicit-hitl" || value === "runtime-default" || value === "none" ? value : undefined;
 }
+function normalizeServerRef(value) {
+    if (typeof value !== "string" || value.trim().length === 0) {
+        return undefined;
+    }
+    const trimmed = value.trim();
+    return trimmed.startsWith("mcp/") ? trimmed : `mcp/${trimmed}`;
+}
+function readRemoteMcpMetadata(tool) {
+    const config = asObject(tool.config);
+    const mcpReference = asObject(config?.mcp);
+    const inlineServer = asObject(config?.mcpServer);
+    const transport = typeof inlineServer?.transport === "string" && inlineServer.transport.trim().length > 0
+        ? inlineServer.transport.trim()
+        : undefined;
+    return {
+        ...(normalizeServerRef(mcpReference?.serverRef) ? { serverRef: normalizeServerRef(mcpReference?.serverRef) } : {}),
+        ...(transport ? { transport } : {}),
+    };
+}
 function matchesToolPolicy(rule, policy) {
     const match = asObject(rule.match) ?? rule;
     const toolName = typeof match.toolName === "string" ? match.toolName.trim() : undefined;
@@ -102,14 +122,49 @@ function applyGovernanceOverrides(binding, policies) {
         return merged;
     });
 }
+function applyRemoteMcpGovernance(binding, policies) {
+    const governance = asObject(binding.harnessRuntime.governance);
+    const remoteMcp = asObject(governance?.remoteMcp);
+    if (!remoteMcp) {
+        return policies;
+    }
+    const requireApprovalTransports = new Set(readStringArray(remoteMcp.requireApprovalTransports));
+    const riskByTransport = asObject(remoteMcp.riskByTransport);
+    const inputRiskHintsByTransport = asObject(remoteMcp.inputRiskHintsByTransport);
+    return policies.map((policy) => {
+        if (policy.category !== "mcp") {
+            return policy;
+        }
+        const merged = { ...policy };
+        const transport = merged.mcpTransport;
+        if (transport && requireApprovalTransports.has(transport)) {
+            merged.requiresApproval = true;
+            if (merged.approvalPolicy === "none") {
+                merged.approvalPolicy = "runtime-default";
+            }
+        }
+        const transportRisk = transport ? readRisk(riskByTransport?.[transport]) : undefined;
+        if (transportRisk) {
+            merged.risk = transportRisk;
+        }
+        const transportHints = transport ? readStringArray(inputRiskHintsByTransport?.[transport]) : [];
+        if (transportHints.length > 0) {
+            merged.inputRiskHints = Array.from(new Set([...merged.inputRiskHints, ...transportHints]));
+        }
+        return merged;
+    });
+}
 export function buildRuntimeGovernanceBundles(binding) {
-    const toolPolicies = applyGovernanceOverrides(binding, getBindingPrimaryTools(binding).map((tool) => {
+    const toolPolicies = applyGovernanceOverrides(binding, applyRemoteMcpGovernance(binding, getBindingPrimaryTools(binding).map((tool) => {
         const requiresApproval = toolRequiresRuntimeApproval(tool);
+        const remoteMcp = readRemoteMcpMetadata(tool);
         return {
             toolName: tool.name,
             toolId: tool.id,
             toolType: tool.type,
             category: toCategory(tool.type),
+            ...(remoteMcp.serverRef ? { mcpServerRef: remoteMcp.serverRef } : {}),
+            ...(remoteMcp.transport ? { mcpTransport: remoteMcp.transport } : {}),
             risk: classifyRisk({
                 toolType: tool.type,
                 requiresApproval,
@@ -119,10 +174,10 @@ export function buildRuntimeGovernanceBundles(binding) {
             }),
             requiresApproval,
             approvalPolicy: tool.hitl?.enabled === true ? "explicit-hitl" : requiresApproval ? "runtime-default" : "none",
-            hasInputSchema: typeof tool.inputSchemaRef === "string" && tool.inputSchemaRef.trim().length > 0,
+            hasInputSchema: compiledToolHasInputSchema(tool),
             inputRiskHints: inputHints(binding, tool),
         };
-    }));
+    })));
     if (toolPolicies.length === 0) {
         return [];
     }

package/dist/runtime/harness/system/policy-engine.js

@@ -12,6 +12,9 @@ export class PolicyEngine {
         const governance = typeof binding.harnessRuntime.governance === "object" && binding.harnessRuntime.governance
             ? binding.harnessRuntime.governance
             : undefined;
+        const remoteMcp = typeof governance?.remoteMcp === "object" && governance.remoteMcp
+            ? governance.remoteMcp
+            : undefined;
         const denyConfig = typeof governance?.deny === "object" && governance.deny
             ? governance.deny
             : undefined;
@@ -38,6 +41,72 @@ export class PolicyEngine {
                 reasons.push(`runtime governance denied tool access: ${blocked.map((tool) => tool.name).join(", ")}`);
             }
         }
+        if (remoteMcp) {
+            const normalizeServerRef = (value) => {
+                if (typeof value !== "string" || value.trim().length === 0) {
+                    return undefined;
+                }
+                const trimmed = value.trim();
+                return trimmed.startsWith("mcp/") ? trimmed : `mcp/${trimmed}`;
+            };
+            const allowServerRefs = new Set(Array.isArray(remoteMcp.allowServerRefs)
+                ? remoteMcp.allowServerRefs
+                    .map((item) => normalizeServerRef(item))
+                    .filter((item) => Boolean(item))
+                : []);
+            const denyServerRefs = new Set(Array.isArray(remoteMcp.denyServerRefs)
+                ? remoteMcp.denyServerRefs
+                    .map((item) => normalizeServerRef(item))
+                    .filter((item) => Boolean(item))
+                : []);
+            const denyTransports = new Set(Array.isArray(remoteMcp.denyTransports)
+                ? remoteMcp.denyTransports.filter((item) => typeof item === "string" && item.trim().length > 0).map((item) => item.trim())
+                : []);
+            const tools = binding.execution?.params?.tools ?? binding.langchainAgentParams?.tools ?? binding.deepAgentParams?.tools ?? [];
+            const deniedRemoteTools = tools.flatMap((tool) => {
+                if (tool.type !== "mcp") {
+                    return [];
+                }
+                const config = typeof tool.config === "object" && tool.config && !Array.isArray(tool.config)
+                    ? tool.config
+                    : undefined;
+                const mcpRef = typeof config?.mcp === "object" && config.mcp && !Array.isArray(config.mcp)
+                    ? config.mcp
+                    : undefined;
+                const inlineMcpServer = typeof config?.mcpServer === "object" && config.mcpServer && !Array.isArray(config.mcpServer)
+                    ? config.mcpServer
+                    : undefined;
+                const serverRef = normalizeServerRef(mcpRef?.serverRef);
+                const transport = typeof inlineMcpServer?.transport === "string" && inlineMcpServer.transport.trim().length > 0
+                    ? inlineMcpServer.transport.trim()
+                    : undefined;
+                const serverDenied = serverRef ? denyServerRefs.has(serverRef) || (allowServerRefs.size > 0 && !allowServerRefs.has(serverRef)) : false;
+                const transportDenied = transport ? denyTransports.has(transport) : false;
+                return serverDenied || transportDenied
+                    ? [{
+                            toolName: tool.name,
+                            ...(serverRef ? { serverRef } : {}),
+                            ...(transport ? { transport } : {}),
+                        }]
+                    : [];
+            });
+            if (deniedRemoteTools.length > 0) {
+                allowed = false;
+                const details = deniedRemoteTools.map((tool) => {
+                    if (tool.serverRef && tool.transport) {
+                        return `${tool.toolName} (${tool.serverRef}, ${tool.transport})`;
+                    }
+                    if (tool.serverRef) {
+                        return `${tool.toolName} (${tool.serverRef})`;
+                    }
+                    if (tool.transport) {
+                        return `${tool.toolName} (${tool.transport})`;
+                    }
+                    return tool.toolName;
+                });
+                reasons.push(`runtime governance denied remote MCP access: ${details.join(", ")}`);
+            }
+        }
         for (const evaluator of getPolicyEvaluators()) {
             const decision = evaluator.evaluate(binding);
             if (!decision) {

package/dist/runtime/harness/tool-schema.d.ts

@@ -0,0 +1,2 @@
+import type { CompiledTool } from "../../contracts/types.js";
+export declare function compiledToolHasInputSchema(tool: Pick<CompiledTool, "inputSchemaRef" | "hasModuleSchema">): boolean;

package/dist/runtime/harness/tool-schema.js

@@ -0,0 +1,3 @@
+export function compiledToolHasInputSchema(tool) {
+    return (typeof tool.inputSchemaRef === "string" && tool.inputSchemaRef.trim().length > 0) || tool.hasModuleSchema === true;
+}

package/dist/tool-modules.d.ts

@@ -4,6 +4,7 @@ export type LoadedToolModule = {
     implementationName: string;
     invoke: (input: unknown, context?: Record<string, unknown>) => Promise<unknown> | unknown;
     schema: ReturnType<typeof normalizeToolSchema>;
+    hasModuleSchema: boolean;
     description: string;
     retryable?: boolean;
     memory?: {

package/dist/tool-modules.js

@@ -20,6 +20,7 @@ function loadToolObjectDefinition(imported, exportName) {
         implementationName: definition.name?.trim() || exportName,
         invoke: definition.invoke,
         schema: normalizeToolSchema(definition.schema),
+        hasModuleSchema: true,
         description: definition.description.trim(),
         retryable: definition.retryable === true,
         ...(definition.memory ? { memory: { ...definition.memory } } : {}),

package/dist/workspace/object-loader.js

@@ -4,7 +4,7 @@ import { readdir, readFile } from "node:fs/promises";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import { resolveIsolatedResourceModulePath } from "../resource/isolation.js";
 import { isExternalSourceLocator, resolveResourcePackageRoot } from "../resource/sources.js";
-import { discoverToolModuleDefinitions, isSupportedToolModulePath } from "../tool-modules.js";
+import { discoverToolModuleDefinitions, isSupportedToolModulePath, loadToolModuleDefinition } from "../tool-modules.js";
 import { fileExists } from "../utils/fs.js";
 import { readNamedYamlItems, readYamlItems, } from "./yaml-object-reader.js";
 export { normalizeYamlItem, readYamlItems } from "./yaml-object-reader.js";
@@ -633,12 +633,22 @@ async function readModuleToolItems(root) {
             if (inferredType === "function" && !discoveredPath) {
                 throw new Error(`Module tool ${workspaceObject.id} must define implementation.path or provide index.mjs|index.js|index.cjs`);
             }
+            const implementationName = typeof normalizedItem.implementationName === "string" && normalizedItem.implementationName.trim().length > 0
+                ? normalizedItem.implementationName.trim()
+                : typeof implementation?.export === "string" && implementation.export.trim().length > 0
+                    ? implementation.export.trim()
+                    : workspaceObject.id;
+            const schemaMetadata = inferredType === "function" && discoveredPath
+                ? await readModuleToolSchemaMetadata({
+                    sourcePath: discoveredPath,
+                    implementationName,
+                })
+                : { hasModuleSchema: false };
             records.push({
                 item: {
                     ...normalizedItem,
-                    ...(typeof implementation?.export === "string" && !normalizedItem.implementationName
-                        ? { implementationName: implementation.export }
-                        : {}),
+                    ...(typeof implementation?.export === "string" && !normalizedItem.implementationName ? { implementationName } : {}),
+                    ...(schemaMetadata.hasModuleSchema ? { hasModuleSchema: true } : {}),
                 },
                 sourcePath: discoveredPath ?? sourcePath,
             });
@@ -646,6 +656,32 @@ async function readModuleToolItems(root) {
     }
     return records;
 }
+function findToolPackageRoot(startPath) {
+    let current = path.dirname(startPath);
+    for (;;) {
+        const packageJsonPath = path.join(current, "package.json");
+        if (existsSync(packageJsonPath)) {
+            return current;
+        }
+        const parent = path.dirname(current);
+        if (parent === current) {
+            return path.dirname(startPath);
+        }
+        current = parent;
+    }
+}
+async function readModuleToolSchemaMetadata(input) {
+    if (!isSupportedToolModulePath(input.sourcePath)) {
+        return { hasModuleSchema: false };
+    }
+    const packageRoot = findToolPackageRoot(input.sourcePath);
+    const isolatedSourcePath = await resolveIsolatedResourceModulePath(packageRoot, input.sourcePath);
+    const imported = await import(pathToFileURL(isolatedSourcePath).href);
+    const definition = loadToolModuleDefinition(imported, input.implementationName);
+    return {
+        hasModuleSchema: definition.hasModuleSchema,
+    };
+}
 async function loadModuleObjectsForRoot(root, mergedObjects) {
     for (const { item, sourcePath } of await readModuleToolItems(root)) {
         const workspaceObject = parseWorkspaceObject(item, sourcePath);
@@ -728,6 +764,7 @@ export async function readToolModuleItems(root) {
                     name: definition.implementationName,
                     description: definition.description,
                     implementationName: definition.implementationName,
+                    hasModuleSchema: definition.hasModuleSchema,
                     ...(definition.retryable !== undefined ? { retryable: definition.retryable } : {}),
                     ...(definition.memory ? { config: { memory: definition.memory } } : {}),
                 },

package/dist/workspace/resource-compilers.js

@@ -269,6 +269,7 @@ export function parseToolObject(object) {
             : undefined),
         subprocess: value.subprocess === true,
         inputSchemaRef: typeof asObject(value.inputSchema)?.ref === "string" ? String(asObject(value.inputSchema)?.ref) : undefined,
+        hasModuleSchema: value.hasModuleSchema === true,
         embeddingModelRef: typeof value.embeddingModelRef === "string"
             ? value.embeddingModelRef
             : typeof value.embeddingModel === "string"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@botbotgo/agent-harness",
-  "version": "0.0.161",
+  "version": "0.0.163",
   "description": "Workspace runtime for multi-agent applications",
   "type": "module",
   "packageManager": "npm@10.9.2",