mirror of
https://github.com/compiler-explorer/compiler-explorer.git
synced 2026-05-16 04:21:12 -04:00
## Summary

Anthropic's [connector review criteria](https://claude.com/docs/connectors/building/review-criteria) and [submission requirements](https://claude.com/docs/connectors/building/submission) call out two things our `/mcp` endpoint is missing today:

- every tool needs a `title` plus `readOnlyHint` / `destructiveHint` annotation
- a public docs page covering setup and usage must exist by publish date

This PR adds both:

- **Tool annotations** on all 7 MCP tools (`compile`, `list_compilers`, `list_languages`, `list_libraries`, `lookup_asm_instruction`, `generate_short_url`, `get_shortlink_info`). All read-only tools get `readOnlyHint: true`. `generate_short_url` is marked `readOnlyHint: false` + `destructiveHint: false` + `idempotentHint: true` (it's additive and the storage layer dedupes by config hash). Every tool gets `openWorldHint: false` since none reach out to third-party services.
- **`docs/MCP.md`** describing the endpoint URL, transport, tool catalogue, and a Claude Code setup line.

A judgement call worth flagging: `compile` is annotated `readOnlyHint: true` even though `execute=true` runs user code. The CE service is stateless from the connector's point of view and sandbox effects don't escape the call, so the hint matches the spirit of the annotation, but we may want to revisit if Anthropic pushes back during review.

Two known gaps not addressed here, that I'd like to discuss separately before submission:

- **Origin-header validation** — required by the submission doc as DNS-rebinding mitigation. The threat model mostly applies to localhost-bound desktop servers; we're a public HTTPS service with no auth, so the public REST API's `Allow-Origin: *` posture is consistent. Suggest asking Anthropic to confirm exemption, or add an allowlist with a missing-Origin pass-through (Claude Code currently sends none).
- **Submission form prep** — name/tagline/description/screenshots/logo, and a pass through MCP Inspector. Operational, not code.
## Test plan

- [x] `npm run ts-check`
- [x] `npm run lint`
- [x] `npm run test -- --run mcp` (78 tests pass)
- [x] pre-commit hook runs clean
- [ ] manual smoke test from a fresh Claude Code MCP install (`claude mcp add --transport http compiler-explorer https://godbolt.org/mcp` once deployed)
- [ ] confirm tool annotations show up correctly in MCP Inspector

🤖 Generated with [Claude Code](https://claude.com/claude-code)
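
As an added example (not part of this PR or of Compiler Explorer's code), the Origin allowlist with a missing-Origin pass-through mentioned under "Origin-header validation" can be expressed as the check below. The names `checkOrigin`, `normaliseOrigin`, `ALLOWED_ORIGINS` and the `https://client.example` entry are assumptions made for illustration.

```typescript
// Added example: Origin allowlist with missing-Origin pass-through.
// All identifiers here are hypothetical, not Compiler Explorer's own.

type OriginDecision = 'allow-no-origin' | 'allow-listed' | 'deny';

// Constructed allowlist; a real deployment supplies its own entries.
const ALLOWED_ORIGINS: string[] = ['https://godbolt.org', 'https://client.example'];

// A serialised Origin is scheme://host[:port] with no path, query or fragment,
// so anything carrying a "/" after the host is rejected as malformed.
const ORIGIN_RE = /^(https?):\/\/([a-z0-9.-]+|\[[0-9a-f:]+\])(?::(\d{1,5}))?$/;

// Canonicalise so "HTTPS://Godbolt.org:443" and "https://godbolt.org" compare equal.
function normaliseOrigin(raw: string): string | null {
    const m = ORIGIN_RE.exec(raw.trim().toLowerCase());
    if (!m) return null;
    const [, scheme, host, port] = m;
    const defaultPort = scheme === 'https' ? '443' : '80';
    if (port === undefined || port === defaultPort) return `${scheme}://${host}`;
    return `${scheme}://${host}:${Number(port)}`;
}

function checkOrigin(header: string | undefined, allowlist: string[] = ALLOWED_ORIGINS): OriginDecision {
    // Pass-through: clients that send no Origin at all (the PR notes Claude Code
    // sends none) are not rejected by this check.
    if (header === undefined) return 'allow-no-origin';

    // A present header must parse. The literal "null" (opaque origin) and any
    // malformed value count as present but untrusted, so they are denied.
    const origin = normaliseOrigin(header);
    if (origin === null) return 'deny';

    // Exact match on the canonical form: no suffix or substring matching, so
    // "https://godbolt.org.attacker.example" does not match "https://godbolt.org".
    const allowed = new Set(
        allowlist.map(normaliseOrigin).filter((o): o is string => o !== null),
    );
    return allowed.has(origin) ? 'allow-listed' : 'deny';
}
```
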