From 57659d07a7248fd57ebe2a708dd60fe97e77c70a Mon Sep 17 00:00:00 2001
From: heznpc
Date: Sat, 2 May 2026 10:44:12 +0900
Subject: [PATCH] feat: enforce greet(name) input constraints via pydantic.Field
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Audit (2026-05-01, P2.16): the TS sibling validates greet's name with Zod (1–200 chars). Python equivalent was untyped — empty strings and megastring inputs reached the handler. Switch the parameter annotation from `name: str` to `name: Annotated[str, Field(min_length=1, max_length=200, description=...)]`. FastMCP picks up the Annotated metadata and emits the constraint into the tool's JSON schema, so violations are rejected at protocol level. Tests pass; mypy strict still clean.
---
 src/my_mcp_server/server.py | 22 ++++++++++++++++------
 1 file changed, 16 insertions(+), 6 deletions(-)

diff --git a/src/my_mcp_server/server.py b/src/my_mcp_server/server.py
index 65ec224..d615a5e 100644
--- a/src/my_mcp_server/server.py
+++ b/src/my_mcp_server/server.py
@@ -6,9 +6,11 @@ import logging
 import os
+from typing import Annotated
 from mcp.server.fastmcp import FastMCP
 from mcp.types import ToolAnnotations
+from pydantic import Field
 from my_mcp_server.prompts.code_review import register as register_code_review
 from my_mcp_server.resources.server_info import register as register_server_info
@@ -60,14 +62,22 @@ def err(message: str) -> dict[str, object]:
 openWorldHint=False,
 ),
 )
-async def greet(name: str) -> str:
+async def greet(
+ name: Annotated[
+ str,
+ Field(
+ min_length=1,
+ max_length=200,
+ description="Name to greet (1–200 characters).",
+ ),
+ ],
+) -> str:
 """Greet someone by name.
 
- Args:
- name: Name to greet.
-
- Returns:
- A greeting message.
+ The Annotated[..., Field(...)] form propagates the constraint into
+ FastMCP's generated JSON schema, so empty strings and oversized inputs
+ are rejected by the protocol layer before the handler runs. The TS
+ sibling enforces the same shape via Zod.
 """
 logger.info("Greeting %s", name)
 return f"Hello, {name}!"
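Review bot: The new `Field(min_length=1, max_length=200)` bounds only the length of `name`, not its content, so a value carrying newlines or other control characters still reaches `logger.info("Greeting %s", name)` verbatim and can split or forge log records; logging it with the repr form keeps one record per call: `logger.info("Greeting %r", name)`. `min_length=1` also still admits a whitespace-only name, so if the TS sibling's Zod schema trims before validating, `Annotated[str, StringConstraints(strip_whitespace=True, min_length=1, max_length=200)]` from pydantic would mirror it more closely. Separately, unless the decorator above the hunk passes `description=` explicitly, FastMCP uses this docstring as the tool description sent to clients, so the implementation rationale added here (the Annotated/Field mechanics and the TS sibling) is better kept as a `#` comment above the signature, leaving the docstring as the one-line user-facing description. The decorator that opens this definition lies above the hunk's first line.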