feat: implement MCP Roots protocol for dynamic allowed-directories

[nicholasjayantylearns]

What

Implement the MCP Roots protocol so that docling-mcp honors the allowed-directories the client (Claude Desktop, Claude Code, etc.) authorizes at runtime via roots/list_changed, with a static --allowed-directories CLI fallback for clients that don't support Roots.

Closes the Roots half of #86. (PR #88 fixes the tensor-padding crash; this PR fixes the path-resolution failure for clients that send Roots, which is the other reason the issue is open.)

Why

Per the canonical MCP filesystem reference at modelcontextprotocol/servers/tree/main/src/filesystem:

MCP clients that support Roots can dynamically update the Allowed directories. Roots notified by Client to Server, completely replace any server-side Allowed directories when provided.

Today, when a client like Claude Desktop sends notifications/roots/list_changed to docling-mcp, the server does not subscribe to it. Path resolution then fails for every path the client considered authorized — even when the user has explicitly granted access in the client UI. Multiple users in #86 hit this.

This PR brings docling-mcp in line with that reference behavior, in idiomatic Python on top of the existing FastMCP-based server, with no new top-level dependencies (the MCP SDK already pinned at >=1.9.4 exposes everything we need).

How

Five commits, each independently reviewable:

1. feat(roots): add AllowedRootsRegistry + URL-vs-path utilities — pure, dependency-free state and helpers. AllowedRootsRegistry keeps two layers (static seed + client-provided) and exposes validate_source(source: str) that raises PermissionError for filesystem paths outside the active root set. Remote URLs (http://, https://, ftp://, s3://, …) pass through unchecked — Roots authorize filesystem access, not network access. file:// URLs are treated as filesystem paths.

2. feat(roots): authorize source paths in conversion tools — wire validate_source into both convert_document_into_docling_document and convert_directory_files_into_docling_document. When the registry is unconstrained (no static flag, no client roots), it's a no-op — preserves the current behavior for users who haven't opted in.

3. feat(roots): wire notification handlers + --allowed-directories CLI — adds the Typer flag and registers the two notification handlers on the underlying low-level Server:

   • notifications/initialized → seeds the registry by calling session.list_roots() if the client advertised the roots capability.
   • notifications/roots/list_changed → refreshes the registry the same way.

   The MCP Python SDK's notification dispatcher does not propagate the active ServerSession to handler callables, so this commit also installs a tiny ContextVar-based shim that captures session per-message in Server._handle_message. The patch is idempotent.

4. test(roots): cover registry, path utils, and notification handlers — 29 unit tests covering: URL/path discriminator (incl. case-insensitive schemes), inside/outside path validation, remote-URL passthrough when constrained, the canonical "client roots fully replace static set" semantics, clear-then-restore-static, non-file:// URI filtering, symlink resolution (preventing bypass), ..-resolution (preventing escape), idempotent handler installation, and async handlers refreshing the registry against fake sessions.

5. docs(roots): document MCP Roots support and --allowed-directories — new "Filesystem access (MCP Roots)" section in the README explaining the three states (Roots-capable client / static fallback / unconstrained legacy) and a concrete uvx invocation example.

Acceptance criteria checklist

• PR opened against docling-project/docling-mcp main.
• Implementation matches the pattern in modelcontextprotocol/servers/tree/main/src/filesystem — same "client roots completely replace static dirs" semantics, same notification subscription model.
• References issue Not able to get docling mcp working on Claude Desktop #86 and explains how it closes the open half.
• --allowed-directories backward-compat path is wired and unit-tested.
• README updated to explicitly describe Roots support and the user-facing benefit.
• Local test: Docling MCP installed via uvx in Claude Desktop, given a path under an allowed root, parses a PDF. (Pending live test on the PR author's machine — see follow-up comment.)
• Local test: Docling MCP installed via uvx in Claude Code, given a cwd-derived root, parses a PNG with do_table_structure=True. (Pending — see follow-up comment.)
• Local test: server with --allowed-directories and a non-Roots-capable client successfully parses a PDF under the allowed dir and rejects a path outside it. (Pending — see follow-up comment.)

The three live tests will be reported in a follow-up PR comment with screenshots / log excerpts so reviewers don't have to take it on faith.

Backward compatibility

• Existing users running with no flag and no Roots-capable client see zero behavior change — validate_source is a no-op when the registry is unconstrained.
• Existing users with Roots-capable clients (Claude Desktop, Claude Code, etc.) start getting filesystem-scoping for free as soon as they update.
• New users who want path containment without a Roots-capable client get --allowed-directories as a first-class CLI flag.

Notes for reviewers

• The ContextVar shim in _roots_wiring.py exists because the MCP Python SDK doesn't currently propagate session into notification handlers. If a future SDK release exposes a public hook for this, the shim should be replaced — there's a comment to that effect in the file.
• I deliberately did not advertise a server-side capability for roots: roots is a client capability in the MCP spec; the server consumes it.
• The conversion tools already accept both URLs and local paths in a single source parameter. The validator only gates filesystem-style sources; this is documented in the new README section and in the registry's docstring.

Provenance

Authored as a deliverable for an upstream-tracking ticket (SKILLS-4) in the wearethehumansintheloop HITL project. The framing motivation is V-tax compression at the document-ingestion seam — every blueprint, PDF, screenshot, or structured doc that reaches a Docling-MCP-equipped Claude session today pays the V-tax independently because path resolution silently fails. With this fix, structure flows once and downstream consumers inherit it.

[github-actions]

✅ DCO Check Passed

Thanks @nicholasjayantylearns, all your commits are properly signed off. 🎉

[mergify]

Merge Protections

Your pull request matches the following merge protections and will not be merged until they are valid.

🟢 Enforce conventional commit

Wonderful, this rule succeeded.

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

• title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert)(?:\(.+\))?(!)?:

[nicholasjayantylearns]

Marking this draft. Accurate update on what was verified and what wasn't.

What works (verified live on macOS + Claude Desktop)

• Server boots via uvx from this branch; all 19 tools register through the MCP tools/list handshake.
• Client-sent roots populate the server's allowed-paths registry via notifications/roots/list_changed. Verified by inspecting the active-roots list in validate_source() error messages — the folders Claude Desktop authorized in its file-access permissions appeared in the registry.
• The server correctly rejects paths outside any active root with a clean PermissionError-derived McpError. No silent failure.
• Bug found and fixed live during testing (commit 6, fix(roots): URL-decode percent-escapes): clients send file:// roots with percent-encoded characters like %20 for space in macOS paths under Application Support/. The original implementation stored encoded paths and compared against real filesystem paths, so authorized folders containing spaces were silently rejected. Now decoded at the seam.
• 33/33 unit tests passing on macOS including 4 new regression cases for the URL-decode fix.

What's blocked from "ship" (not introduced by this PR)

The single-document conversion path (convert_document_into_docling_document) hits Claude Desktop's 60-second MCP request timeout because Docling's first-call cold start (PyTorch import, OCR model load, layout detector initialization) exceeds that window. The same timeout reproduces against main for the same PDF in the same environment — this PR doesn't cause it, but the PR also doesn't deliver a usable end-to-end experience until it's addressed.

What was ruled out as a workaround for this PR:

• notifications/progress as keepalive. The MCP Python SDK uses anyio.fail_after(timeout) — a hard wall-clock — and dispatches progress notifications via callback without resetting that timeout. The TypeScript client used by Claude Desktop appears to behave similarly. So plumbing progress reporting into the single-document tool (the way convert_directory_files_into_docling_document already does it) wouldn't reliably extend the timeout window.

Proposed path forward: an eager-model-preload option at server startup, behind a CLI flag, so cold-start happens during server boot (where Claude Desktop's startup timeout is more generous) instead of during the first user-facing tool call. Tracked separately at #98.

Why draft, not merged

This PR was filed for issue #86 (Roots support). Roots are functional and unit-tested. But the user-facing workflow — install via uvx, ask Claude Desktop to parse a PDF in an authorized folder — doesn't complete cleanly inside the MCP timeout. Shipping the PR while the workflow doesn't work would misrepresent what it delivers, even though the cold-start cause is outside this PR's scope.

Marking draft, filed the cold-start issue at #98, and proposing this PR re-opens to "ready for review" once either (a) the cold-start has a viable fix that lives alongside it, or (b) the maintainers prefer to merge this independently and track cold-start in its own ticket.

Happy with either path — your call.

cc maintainers from MAINTAINERS.md for guidance on which path you'd prefer.

[nicholasjayantylearns]

Update — live verification passed, moving out of draft

The blocker described in the previous "marking draft" comment was addressed in subsequent commits (45528a8, 80860b3): a new --preload-models CLI flag warms DocumentConverter in a daemon thread at server boot, so the first user-facing convert call returns inside the MCP client's per-request timeout window.

End-to-end live test on macOS, 2026-05-13

• Server installed via uvx from this branch with --preload-models --transport stdio
• Claude Desktop ⌘Q + relaunch; server attached cleanly via the background-preload pattern (no spawn-timeout failure)
• Tool called: convert_document_into_docling_document
• Source: a real PDF under a Claude-Desktop-authorized roots path
• Result: {"from_cache": false, "document_key": "ea2094342aaf57cf2968192326f0e835"}

Boot breadcrumbs from the server log confirm the full warm-up path executed before any tool call:

[docling-mcp-boot] main() entered (transport=stdio, preload=True)
[docling-mcp-boot] preload: background thread launched; proceeding to mcp.run()
[docling-mcp-boot] preload thread: _get_converter() returned; initializing pipelines
[docling-mcp-boot] preload thread: initialize_pipeline(PDF)
[docling-mcp-boot] preload thread: initialize_pipeline(IMAGE)
[docling-mcp-boot] preload thread: DocumentConverter READY

35/35 unit tests still passing on macOS (33 from earlier plus 2 wiring tests for the --preload-models flag).

Both halves of the original blocker (Roots + cold-start) are now functional in a single branch.

Acceptance criteria

• PR opened against docling-project/docling-mcp main
• Implementation matches the pattern in modelcontextprotocol/servers/tree/main/src/filesystem
• PR description references Not able to get docling mcp working on Claude Desktop #86 and explains how it closes the Roots half (fix: tensor padding errors when converting images and PDFs #88 covers tensor padding only)
• Backward-compat path wired (--allowed-directories), unit-tested
• README updated with Roots support section
• Live test against Claude Desktop with --preload-models: document_key returned (above)

Independent finding worth noting (out of scope for this PR)

On image-heavy PDFs with stylized fonts over graphics, Docling's OCR layer produces hallucinated text in image-overlay regions. Reproduces against main; not introduced by this PR. Tracked separately in our internal corpus work — happy to file an upstream issue against docling-project/docling if maintainers want.

#98 (cold-start timeout) is also addressed by the --preload-models work in this PR; comfortable closing it once this PR merges.

cc @cau-git @dolfim-ibm @vagenas @cberrosp @PeterStaar-IBM @Zaalouk for review when convenient.

[PeterStaar-IBM]

@nicholasjayantylearns lovely, thanks for the PR!

[PeterStaar-IBM]

@nicholasjayantylearns please run,

1. linter:

uv run pre-commit run --all-files

2. do DCO (essentially always commit with the flag -s)