@poncho-ai/harness 0.33.1 → 0.34.1

package/.turbo/turbo-build.log

@@ -1,5 +1,5 @@
 
-> @poncho-ai/harness@0.33.1 build /home/runner/work/poncho-ai/poncho-ai/packages/harness
+> @poncho-ai/harness@0.34.1 build /home/runner/work/poncho-ai/poncho-ai/packages/harness
 > node scripts/embed-docs.js && tsup src/index.ts --format esm --dts
 
 [embed-docs] Generated poncho-docs.ts with 4 topics
@@ -8,8 +8,8 @@
 CLI tsup v8.5.1
 CLI Target: es2022
 ESM Build start
-ESM dist/index.js 335.08 KB
-ESM ⚡️ Build success in 167ms
+ESM dist/index.js 336.65 KB
+ESM ⚡️ Build success in 155ms
 DTS Build start
-DTS ⚡️ Build success in 7028ms
-DTS dist/index.d.ts 33.55 KB
+DTS ⚡️ Build success in 7364ms
+DTS dist/index.d.ts 34.28 KB

package/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @poncho-ai/harness
 
+## 0.34.1
+
+### Patch Changes
+
+- [`59a88cc`](https://github.com/cesr/poncho-ai/commit/59a88cc52b5c3aa7432b820424bb8067174233e5) Thanks [@cesr](https://github.com/cesr)! - fix: improve token estimation accuracy and handle missing attachments
+  - Use a JSON-specific token ratio for tool definitions to avoid inflating counts with many MCP tools.
+  - Track actual context size from model responses for compaction triggers instead of cumulative input tokens.
+  - Gracefully degrade when file attachments are missing or expired instead of crashing.
+
+## 0.34.0
+
+### Minor Changes
+
+- [`3f096f2`](https://github.com/cesr/poncho-ai/commit/3f096f28b9ab797b52f1b725778976929156cce9) Thanks [@cesr](https://github.com/cesr)! - fix: scope MCP tools to skills via server-level claiming
+
+  MCP tools from configured servers are now globally available by default. When a skill claims any tool from a server via `allowed-tools`, the entire server becomes skill-managed — its tools are only available when the claiming skill is active (or declared in AGENT.md `allowed-tools`).
+
 ## 0.33.1
 
 ### Patch Changes

package/dist/index.d.ts

@@ -83,6 +83,11 @@ declare const resolveCompactionConfig: (explicit?: Partial<CompactionConfig>) =>
 declare const estimateTokens: (text: string) => number;
 /**
  * Estimate the total token count of a system prompt + messages + tool defs.
+ *
+ * Tool definitions are structured JSON (property names, braces, enum values)
+ * which tokenizes more efficiently than natural language — roughly 5-6
+ * chars/token vs ~4 chars/token for prose.  We estimate them separately to
+ * avoid inflating the count when there are many MCP tools (100+).
  */
 declare const estimateTotalTokens: (systemPrompt: string, messages: Message[], toolDefinitionsJson?: string) => number;
 /**
@@ -759,6 +764,14 @@ declare class AgentHarness {
     private getAgentScriptIntent;
     private getAgentMcpApprovalPatterns;
     private getAgentScriptApprovalPatterns;
+    /**
+     * Return the set of MCP server names that have at least one tool claimed by
+     * any loaded skill's `allowedTools.mcp`.  When ANY skill claims tools from a
+     * server, the entire server is considered "skill-managed" — none of its tools
+     * are auto-exposed globally; only explicitly declared tools become available
+     * (via agent-level allowed-tools or active skill allowed-tools).
+     */
+    private getSkillManagedMcpServers;
     private getRequestedMcpPatterns;
     private getRequestedScriptPatterns;
     private getRequestedMcpApprovalPatterns;

package/dist/index.js

@@ -397,10 +397,11 @@ var estimateTotalTokens = (systemPrompt, messages, toolDefinitionsJson) => {
       return sum + 200;
     }, 0);
   }
+  let tokens = Math.ceil(chars / 4 * OVERHEAD_MULTIPLIER);
   if (toolDefinitionsJson) {
-    chars += toolDefinitionsJson.length;
+    tokens += Math.ceil(toolDefinitionsJson.length / 6);
   }
-  return Math.ceil(chars / 4 * OVERHEAD_MULTIPLIER);
+  return tokens;
 };
 var findSafeSplitPoint = (messages, keepRecentMessages) => {
   const candidateIdx = messages.length - keepRecentMessages;
@@ -882,6 +883,7 @@ Connect your Poncho agent to messaging platforms so it responds to @mentions.
 1. Go to [api.slack.com/apps](https://api.slack.com/apps) and create a new app "From scratch"
 2. Under **OAuth & Permissions**, add these Bot Token Scopes:
    - \`app_mentions:read\`
+   - \`channels:history\` (needed to fetch thread context when mentioned in a reply)
    - \`chat:write\`
    - \`reactions:write\`
 3. Under **Event Subscriptions**, enable events:
@@ -6301,6 +6303,25 @@ var AgentHarness = class _AgentHarness {
   getAgentScriptApprovalPatterns() {
     return this.parsedAgent?.frontmatter.approvalRequired?.scripts ?? [];
   }
+  /**
+   * Return the set of MCP server names that have at least one tool claimed by
+   * any loaded skill's `allowedTools.mcp`.  When ANY skill claims tools from a
+   * server, the entire server is considered "skill-managed" — none of its tools
+   * are auto-exposed globally; only explicitly declared tools become available
+   * (via agent-level allowed-tools or active skill allowed-tools).
+   */
+  getSkillManagedMcpServers() {
+    const servers = /* @__PURE__ */ new Set();
+    for (const skill of this.loadedSkills) {
+      for (const pattern of skill.allowedTools.mcp) {
+        const slash = pattern.indexOf("/");
+        if (slash > 0) {
+          servers.add(pattern.slice(0, slash));
+        }
+      }
+    }
+    return servers;
+  }
   getRequestedMcpPatterns() {
     const patterns = new Set(this.getAgentMcpIntent());
     for (const skillName of this.activeSkillNames) {
@@ -6312,6 +6333,17 @@ var AgentHarness = class _AgentHarness {
         patterns.add(pattern);
       }
     }
+    if (this.mcpBridge) {
+      const managedServers = this.getSkillManagedMcpServers();
+      const discoveredTools = this.mcpBridge.listDiscoveredTools();
+      for (const toolName of discoveredTools) {
+        const slash = toolName.indexOf("/");
+        const serverName = slash > 0 ? toolName.slice(0, slash) : toolName;
+        if (!managedServers.has(serverName)) {
+          patterns.add(toolName);
+        }
+      }
+    }
     return [...patterns];
   }
   getRequestedScriptPatterns() {
@@ -7258,19 +7290,24 @@ ${textContent}` };
                   };
                 }
                 let resolvedData;
-                if (part.data.startsWith(PONCHO_UPLOAD_SCHEME) && this.uploadStore) {
-                  const buf = await this.uploadStore.get(part.data);
-                  resolvedData = buf.toString("base64");
-                } else if (part.data.startsWith("https://") || part.data.startsWith("http://")) {
-                  if (this.uploadStore) {
+                try {
+                  if (part.data.startsWith(PONCHO_UPLOAD_SCHEME) && this.uploadStore) {
                     const buf = await this.uploadStore.get(part.data);
                     resolvedData = buf.toString("base64");
+                  } else if (part.data.startsWith("https://") || part.data.startsWith("http://")) {
+                    if (this.uploadStore) {
+                      const buf = await this.uploadStore.get(part.data);
+                      resolvedData = buf.toString("base64");
+                    } else {
+                      const resp = await fetch(part.data);
+                      resolvedData = Buffer.from(await resp.arrayBuffer()).toString("base64");
+                    }
                   } else {
-                    const resp = await fetch(part.data);
-                    resolvedData = Buffer.from(await resp.arrayBuffer()).toString("base64");
+                    resolvedData = part.data;
                   }
-                } else {
-                  resolvedData = part.data;
+                } catch {
+                  const label = part.filename ?? part.mediaType;
+                  return { type: "text", text: `[Attached file: ${label} \u2014 file is no longer available]` };
                 }
                 if (isSupportedImage) {
                   return {
@@ -7299,8 +7336,8 @@ ${textContent}` };
         const compactionConfig = resolveCompactionConfig(agent.frontmatter.compaction);
         if (compactionConfig.enabled && (step === 1 || step % COMPACTION_CHECK_INTERVAL_STEPS === 0)) {
           const estimated = estimateTotalTokens(systemPrompt, messages, toolDefsJsonForEstimate);
-          const lastReportedInput = totalInputTokens > 0 ? totalInputTokens : 0;
-          const effectiveTokens = Math.max(estimated, lastReportedInput);
+          const lastReportedContext = latestContextTokens > 0 ? latestContextTokens + toolOutputEstimateSinceModel : 0;
+          const effectiveTokens = Math.max(estimated, lastReportedContext);
           if (effectiveTokens > compactionConfig.trigger * contextWindow) {
             yield pushEvent({ type: "compaction:started", estimatedTokens: effectiveTokens });
             const compactResult = await compactMessages(

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@poncho-ai/harness",
-  "version": "0.33.1",
+  "version": "0.34.1",
   "description": "Agent execution runtime - conversation loop, tool dispatch, streaming",
   "repository": {
     "type": "git",

package/src/compaction.ts

@@ -49,6 +49,11 @@ export const estimateTokens = (text: string): number =>
 
 /**
  * Estimate the total token count of a system prompt + messages + tool defs.
+ *
+ * Tool definitions are structured JSON (property names, braces, enum values)
+ * which tokenizes more efficiently than natural language — roughly 5-6
+ * chars/token vs ~4 chars/token for prose.  We estimate them separately to
+ * avoid inflating the count when there are many MCP tools (100+).
  */
 export const estimateTotalTokens = (
   systemPrompt: string,
@@ -64,10 +69,13 @@ export const estimateTotalTokens = (
           return sum + 200; // rough estimate for file/image references
         }, 0);
   }
+  let tokens = Math.ceil((chars / 4) * OVERHEAD_MULTIPLIER);
   if (toolDefinitionsJson) {
-    chars += toolDefinitionsJson.length;
+    // JSON-specific ratio — no overhead multiplier (structural tokens are
+    // already accounted for by the higher chars-per-token ratio).
+    tokens += Math.ceil(toolDefinitionsJson.length / 6);
   }
-  return Math.ceil((chars / 4) * OVERHEAD_MULTIPLIER);
+  return tokens;
 };
 
 /**

package/src/harness.ts

@@ -995,8 +995,30 @@ export class AgentHarness {
     return this.parsedAgent?.frontmatter.approvalRequired?.scripts ?? [];
   }
 
+  /**
+   * Return the set of MCP server names that have at least one tool claimed by
+   * any loaded skill's `allowedTools.mcp`.  When ANY skill claims tools from a
+   * server, the entire server is considered "skill-managed" — none of its tools
+   * are auto-exposed globally; only explicitly declared tools become available
+   * (via agent-level allowed-tools or active skill allowed-tools).
+   */
+  private getSkillManagedMcpServers(): Set<string> {
+    const servers = new Set<string>();
+    for (const skill of this.loadedSkills) {
+      for (const pattern of skill.allowedTools.mcp) {
+        const slash = pattern.indexOf("/");
+        if (slash > 0) {
+          servers.add(pattern.slice(0, slash));
+        }
+      }
+    }
+    return servers;
+  }
+
   private getRequestedMcpPatterns(): string[] {
     const patterns = new Set<string>(this.getAgentMcpIntent());
+
+    // Add patterns from active skills.
     for (const skillName of this.activeSkillNames) {
       const skill = this.loadedSkills.find((entry) => entry.name === skillName);
       if (!skill) {
@@ -1006,6 +1028,26 @@ export class AgentHarness {
         patterns.add(pattern);
       }
     }
+
+    // MCP servers whose tools are NOT claimed by any skill are "unmanaged" —
+    // all their discovered tools are globally available so that configuring a
+    // server in poncho.config.js makes its tools accessible by default.
+    //
+    // Once ANY skill claims tools from a server (even a single tool), that
+    // server becomes "skill-managed" and ALL of its tools require explicit
+    // declaration (agent-level or active-skill) to be available.
+    if (this.mcpBridge) {
+      const managedServers = this.getSkillManagedMcpServers();
+      const discoveredTools = this.mcpBridge.listDiscoveredTools();
+      for (const toolName of discoveredTools) {
+        const slash = toolName.indexOf("/");
+        const serverName = slash > 0 ? toolName.slice(0, slash) : toolName;
+        if (!managedServers.has(serverName)) {
+          patterns.add(toolName);
+        }
+      }
+    }
+
     return [...patterns];
   }
 
@@ -2112,19 +2154,24 @@ ${boundedMainMemory.trim()}`
                 // Always resolve to base64 so the model doesn't need to
                 // fetch URLs itself (which fails for private blob stores).
                 let resolvedData: string;
-                if (part.data.startsWith(PONCHO_UPLOAD_SCHEME) && this.uploadStore) {
-                  const buf = await this.uploadStore.get(part.data);
-                  resolvedData = buf.toString("base64");
-                } else if (part.data.startsWith("https://") || part.data.startsWith("http://")) {
-                  if (this.uploadStore) {
+                try {
+                  if (part.data.startsWith(PONCHO_UPLOAD_SCHEME) && this.uploadStore) {
                     const buf = await this.uploadStore.get(part.data);
                     resolvedData = buf.toString("base64");
+                  } else if (part.data.startsWith("https://") || part.data.startsWith("http://")) {
+                    if (this.uploadStore) {
+                      const buf = await this.uploadStore.get(part.data);
+                      resolvedData = buf.toString("base64");
+                    } else {
+                      const resp = await fetch(part.data);
+                      resolvedData = Buffer.from(await resp.arrayBuffer()).toString("base64");
+                    }
                   } else {
-                    const resp = await fetch(part.data);
-                    resolvedData = Buffer.from(await resp.arrayBuffer()).toString("base64");
+                    resolvedData = part.data;
                   }
-                } else {
-                  resolvedData = part.data;
+                } catch {
+                  const label = part.filename ?? part.mediaType;
+                  return { type: "text" as const, text: `[Attached file: ${label} — file is no longer available]` };
                 }
                 if (isSupportedImage) {
                   return {
@@ -2158,8 +2205,13 @@ ${boundedMainMemory.trim()}`
         const compactionConfig = resolveCompactionConfig(agent.frontmatter.compaction);
         if (compactionConfig.enabled && (step === 1 || step % COMPACTION_CHECK_INTERVAL_STEPS === 0)) {
           const estimated = estimateTotalTokens(systemPrompt, messages, toolDefsJsonForEstimate);
-          const lastReportedInput = totalInputTokens > 0 ? totalInputTokens : 0;
-          const effectiveTokens = Math.max(estimated, lastReportedInput);
+          // Use the actual context size from the last model response (input tokens
+          // + tool output accumulated since), not totalInputTokens which is a
+          // cumulative sum across all steps and would wildly overcount.
+          const lastReportedContext = latestContextTokens > 0
+            ? latestContextTokens + toolOutputEstimateSinceModel
+            : 0;
+          const effectiveTokens = Math.max(estimated, lastReportedContext);
 
           if (effectiveTokens > compactionConfig.trigger * contextWindow) {
             yield pushEvent({ type: "compaction:started", estimatedTokens: effectiveTokens });

package/test/harness.test.ts

@@ -1037,6 +1037,360 @@ allowed-tools:
     await new Promise<void>((resolveClose) => mcpServer.close(() => resolveClose()));
   });
 
+  it("unclaimed MCP tools are globally available without allowed-tools declaration", async () => {
+    process.env.LINEAR_TOKEN = "token-123";
+    const mcpServer = createServer(async (req, res) => {
+      if (req.method === "DELETE") {
+        res.statusCode = 200;
+        res.end();
+        return;
+      }
+      const chunks: Buffer[] = [];
+      for await (const chunk of req) chunks.push(Buffer.from(chunk));
+      const body = Buffer.concat(chunks).toString("utf8");
+      const payload = body.trim().length > 0 ? (JSON.parse(body) as any) : {};
+      if (payload.method === "initialize") {
+        res.setHeader("Content-Type", "application/json");
+        res.setHeader("Mcp-Session-Id", "sess");
+        res.end(
+          JSON.stringify({
+            jsonrpc: "2.0",
+            id: payload.id,
+            result: {
+              protocolVersion: "2025-03-26",
+              capabilities: { tools: { listChanged: true } },
+              serverInfo: { name: "remote", version: "1.0.0" },
+            },
+          }),
+        );
+        return;
+      }
+      if (payload.method === "notifications/initialized") {
+        res.statusCode = 202;
+        res.end();
+        return;
+      }
+      if (payload.method === "tools/list") {
+        res.setHeader("Content-Type", "application/json");
+        res.end(
+          JSON.stringify({
+            jsonrpc: "2.0",
+            id: payload.id,
+            result: {
+              tools: [
+                { name: "list_issues", inputSchema: { type: "object", properties: {} } },
+                { name: "save_issue", inputSchema: { type: "object", properties: {} } },
+              ],
+            },
+          }),
+        );
+        return;
+      }
+      res.statusCode = 404;
+      res.end();
+    });
+    await new Promise<void>((resolveOpen) => mcpServer.listen(0, () => resolveOpen()));
+    const address = mcpServer.address();
+    if (!address || typeof address === "string") throw new Error("Unexpected address");
+    const dir = await mkdtemp(join(tmpdir(), "poncho-harness-unclaimed-mcp-"));
+    // AGENT.md with no allowed-tools and no skills — MCP tools should be globally available
+    await writeFile(
+      join(dir, "AGENT.md"),
+      `---
+name: unclaimed-mcp-agent
+model:
+  provider: anthropic
+  name: claude-opus-4-5
+---
+
+# Agent with unclaimed MCP tools
+`,
+      "utf8",
+    );
+    await writeFile(
+      join(dir, "poncho.config.js"),
+      `export default {
+  mcp: [
+    {
+      name: "linear",
+      url: "http://127.0.0.1:${address.port}/mcp",
+      auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" }
+    }
+  ]
+};
+`,
+      "utf8",
+    );
+    const harness = new AgentHarness({ workingDir: dir });
+    await harness.initialize();
+    const toolNames = () => harness.listTools().map((t) => t.name);
+    // Unclaimed tools should be globally available
+    expect(toolNames()).toContain("linear/list_issues");
+    expect(toolNames()).toContain("linear/save_issue");
+    await harness.shutdown();
+    await new Promise<void>((resolveClose) => mcpServer.close(() => resolveClose()));
+  });
+
+  it("claiming any tool from a server scopes the entire server", async () => {
+    process.env.LINEAR_TOKEN = "token-123";
+    const mcpServer = createServer(async (req, res) => {
+      if (req.method === "DELETE") {
+        res.statusCode = 200;
+        res.end();
+        return;
+      }
+      const chunks: Buffer[] = [];
+      for await (const chunk of req) chunks.push(Buffer.from(chunk));
+      const body = Buffer.concat(chunks).toString("utf8");
+      const payload = body.trim().length > 0 ? (JSON.parse(body) as any) : {};
+      if (payload.method === "initialize") {
+        res.setHeader("Content-Type", "application/json");
+        res.setHeader("Mcp-Session-Id", "sess");
+        res.end(
+          JSON.stringify({
+            jsonrpc: "2.0",
+            id: payload.id,
+            result: {
+              protocolVersion: "2025-03-26",
+              capabilities: { tools: { listChanged: true } },
+              serverInfo: { name: "remote", version: "1.0.0" },
+            },
+          }),
+        );
+        return;
+      }
+      if (payload.method === "notifications/initialized") {
+        res.statusCode = 202;
+        res.end();
+        return;
+      }
+      if (payload.method === "tools/list") {
+        res.setHeader("Content-Type", "application/json");
+        res.end(
+          JSON.stringify({
+            jsonrpc: "2.0",
+            id: payload.id,
+            result: {
+              tools: [
+                { name: "list_issues", inputSchema: { type: "object", properties: {} } },
+                { name: "save_issue", inputSchema: { type: "object", properties: {} } },
+                { name: "other_tool", inputSchema: { type: "object", properties: {} } },
+              ],
+            },
+          }),
+        );
+        return;
+      }
+      if (payload.method === "tools/call") {
+        res.setHeader("Content-Type", "application/json");
+        res.end(
+          JSON.stringify({
+            jsonrpc: "2.0",
+            id: payload.id,
+            result: { result: { ok: true } },
+          }),
+        );
+        return;
+      }
+      res.statusCode = 404;
+      res.end();
+    });
+    await new Promise<void>((resolveOpen) => mcpServer.listen(0, () => resolveOpen()));
+    const address = mcpServer.address();
+    if (!address || typeof address === "string") throw new Error("Unexpected address");
+    const dir = await mkdtemp(join(tmpdir(), "poncho-harness-server-scoped-"));
+    await writeFile(
+      join(dir, "AGENT.md"),
+      `---
+name: server-scoped-agent
+model:
+  provider: anthropic
+  name: claude-opus-4-5
+---
+
+# Server Scoped Agent
+`,
+      "utf8",
+    );
+    await writeFile(
+      join(dir, "poncho.config.js"),
+      `export default {
+  mcp: [
+    {
+      name: "remote",
+      url: "http://127.0.0.1:${address.port}/mcp",
+      auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" }
+    }
+  ]
+};
+`,
+      "utf8",
+    );
+    // Skill claims only 2 of the 3 tools from "remote" server
+    await mkdir(join(dir, "skills", "linear"), { recursive: true });
+    await writeFile(
+      join(dir, "skills", "linear", "SKILL.md"),
+      `---
+name: linear
+description: Linear issue tracking
+allowed-tools:
+  - mcp:remote/list_issues
+  - mcp:remote/save_issue
+---
+# Linear Skill
+`,
+      "utf8",
+    );
+    const harness = new AgentHarness({ workingDir: dir });
+    await harness.initialize();
+    const toolNames = () => harness.listTools().map((t) => t.name);
+
+    // Before activation: entire server is skill-managed, so ALL tools are hidden
+    // (even other_tool which the skill didn't explicitly claim)
+    expect(toolNames()).not.toContain("remote/list_issues");
+    expect(toolNames()).not.toContain("remote/save_issue");
+    expect(toolNames()).not.toContain("remote/other_tool");
+
+    // Activate the linear skill — only its declared tools appear
+    const activate = harness.listTools().find((t) => t.name === "activate_skill")!;
+    const deactivate = harness.listTools().find((t) => t.name === "deactivate_skill")!;
+    await activate.handler({ name: "linear" }, {} as any);
+
+    expect(toolNames()).toContain("remote/list_issues");
+    expect(toolNames()).toContain("remote/save_issue");
+    // other_tool is NOT claimed by any active skill, and the server is managed
+    expect(toolNames()).not.toContain("remote/other_tool");
+
+    // Deactivate — all tools from the managed server hidden again
+    await deactivate.handler({ name: "linear" }, {} as any);
+    expect(toolNames()).not.toContain("remote/list_issues");
+    expect(toolNames()).not.toContain("remote/save_issue");
+    expect(toolNames()).not.toContain("remote/other_tool");
+
+    await harness.shutdown();
+    await new Promise<void>((resolveClose) => mcpServer.close(() => resolveClose()));
+  });
+
+  it("wildcard skill claim scopes all tools from that server", async () => {
+    process.env.LINEAR_TOKEN = "token-123";
+    const mcpServer = createServer(async (req, res) => {
+      if (req.method === "DELETE") {
+        res.statusCode = 200;
+        res.end();
+        return;
+      }
+      const chunks: Buffer[] = [];
+      for await (const chunk of req) chunks.push(Buffer.from(chunk));
+      const body = Buffer.concat(chunks).toString("utf8");
+      const payload = body.trim().length > 0 ? (JSON.parse(body) as any) : {};
+      if (payload.method === "initialize") {
+        res.setHeader("Content-Type", "application/json");
+        res.setHeader("Mcp-Session-Id", "sess");
+        res.end(
+          JSON.stringify({
+            jsonrpc: "2.0",
+            id: payload.id,
+            result: {
+              protocolVersion: "2025-03-26",
+              capabilities: { tools: { listChanged: true } },
+              serverInfo: { name: "linear", version: "1.0.0" },
+            },
+          }),
+        );
+        return;
+      }
+      if (payload.method === "notifications/initialized") {
+        res.statusCode = 202;
+        res.end();
+        return;
+      }
+      if (payload.method === "tools/list") {
+        res.setHeader("Content-Type", "application/json");
+        res.end(
+          JSON.stringify({
+            jsonrpc: "2.0",
+            id: payload.id,
+            result: {
+              tools: [
+                { name: "list_issues", inputSchema: { type: "object", properties: {} } },
+                { name: "save_issue", inputSchema: { type: "object", properties: {} } },
+                { name: "save_comment", inputSchema: { type: "object", properties: {} } },
+              ],
+            },
+          }),
+        );
+        return;
+      }
+      res.statusCode = 404;
+      res.end();
+    });
+    await new Promise<void>((resolveOpen) => mcpServer.listen(0, () => resolveOpen()));
+    const address = mcpServer.address();
+    if (!address || typeof address === "string") throw new Error("Unexpected address");
+    const dir = await mkdtemp(join(tmpdir(), "poncho-harness-wildcard-claim-"));
+    await writeFile(
+      join(dir, "AGENT.md"),
+      `---
+name: wildcard-agent
+model:
+  provider: anthropic
+  name: claude-opus-4-5
+---
+
+# Wildcard Agent
+`,
+      "utf8",
+    );
+    await writeFile(
+      join(dir, "poncho.config.js"),
+      `export default {
+  mcp: [
+    {
+      name: "linear",
+      url: "http://127.0.0.1:${address.port}/mcp",
+      auth: { type: "bearer", tokenEnv: "LINEAR_TOKEN" }
+    }
+  ]
+};
+`,
+      "utf8",
+    );
+    // Skill claims all linear tools with wildcard
+    await mkdir(join(dir, "skills", "linear"), { recursive: true });
+    await writeFile(
+      join(dir, "skills", "linear", "SKILL.md"),
+      `---
+name: linear
+description: Linear integration
+allowed-tools:
+  - mcp:linear/*
+---
+# Linear Skill
+`,
+      "utf8",
+    );
+    const harness = new AgentHarness({ workingDir: dir });
+    await harness.initialize();
+    const toolNames = () => harness.listTools().map((t) => t.name);
+
+    // None of the linear tools should be available (all claimed by wildcard)
+    expect(toolNames()).not.toContain("linear/list_issues");
+    expect(toolNames()).not.toContain("linear/save_issue");
+    expect(toolNames()).not.toContain("linear/save_comment");
+
+    // Activate the skill
+    const activate = harness.listTools().find((t) => t.name === "activate_skill")!;
+    await activate.handler({ name: "linear" }, {} as any);
+
+    // All linear tools now available
+    expect(toolNames()).toContain("linear/list_issues");
+    expect(toolNames()).toContain("linear/save_issue");
+    expect(toolNames()).toContain("linear/save_comment");
+
+    await harness.shutdown();
+    await new Promise<void>((resolveClose) => mcpServer.close(() => resolveClose()));
+  });
+
   it("supports flat tool access config format", async () => {
     const dir = await mkdtemp(join(tmpdir(), "poncho-harness-flat-tool-access-"));
     await writeFile(