mcp: complete runbook summary metadata

Eilen6316 · Eilen6316 · commit b5ddf6dd7159 · 2026-05-08T23:26:39.000+08:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -19,6 +19,8 @@ Versioning: [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - MCP now exposes configurable read-only resources for runbook and Skill
   summaries without returning command strings, full guidance bodies, or
   execution handles.
+- MCP runbook summaries now include explicit step counts and summary safety
+  posture while keeping command strings redacted.
 - Build verification now installs the built wheel and checks packaged MCP/Skill
   defaults plus importability of the new MCP and Skill modules.
 - Workspace tool activity now includes concise evidence snippets from completed
diff --git a/docs/design/mcp-server.md b/docs/design/mcp-server.md
@@ -71,13 +71,19 @@ configured audit path.
 
 | Resource | Behavior | State mutation |
 |---|---|---|
-| `linuxagent://runbooks/summary` | Returns runbook ids, titles, and step purpose/read-only flags | None |
+| `linuxagent://runbooks/summary` | Returns runbook ids, titles, step counts, safety posture, and step purpose/read-only flags | None |
 | `linuxagent://skills/summary` | Returns Skill name/version/description/permissions/guidance presence/runbook ids | None |
 
 Resources intentionally return summaries. They do not expose command strings,
 planner guidance bodies, execution results, raw audit logs, config secrets, or
 filesystem content.
 
+Runbook safety posture is summary-level metadata:
+
+- `read_only`: every exposed step is declared read-only.
+- `policy_gated`: one or more steps can have side effects and must still go
+  through planner, policy, HITL, sandbox metadata, and audit before execution.
+
 ## Non-Exposed Capabilities
 
 These remain intentionally unavailable over MCP:
diff --git a/docs/zh/CHANGELOG.md b/docs/zh/CHANGELOG.md
@@ -8,6 +8,8 @@ LinuxAgent 的重要变更记录在这里。
 
 ### Changed
 
+- MCP runbook 摘要现在包含显式 step count 和摘要级 safety posture，同时继续
+  隐藏原始命令字符串。
 - Workspace tool 活动现在会展示来自 `read_file`、`list_dir` 和
   `search_files` 完成结果的简短 evidence 摘要。文件修改流程返回“无需修改”时，
   最终回答也会附带引用到的依据，方便操作员看到模型基于哪些文件行或搜索结果做判断。
diff --git a/src/linuxagent/mcp_server.py b/src/linuxagent/mcp_server.py
@@ -252,6 +252,8 @@ def _runbook_summary(runbooks: tuple[Runbook, ...]) -> JsonObject:
             {
                 "id": runbook.id,
                 "title": runbook.title,
+                "step_count": len(runbook.steps),
+                "safety_posture": _runbook_safety_posture(runbook),
                 "steps": [
                     {
                         "purpose": step.purpose,
@@ -265,6 +267,12 @@ def _runbook_summary(runbooks: tuple[Runbook, ...]) -> JsonObject:
     }
 
 
+def _runbook_safety_posture(runbook: Runbook) -> str:
+    if all(step.read_only for step in runbook.steps):
+        return "read_only"
+    return "policy_gated"
+
+
 def _skill_summary(skills: tuple[SkillManifest, ...]) -> JsonObject:
     return {
         "enabled": bool(skills),
diff --git a/tests/unit/test_mcp_server.py b/tests/unit/test_mcp_server.py
@@ -94,12 +94,54 @@ def test_mcp_runbook_summary_resource_is_read_only(tmp_path: Path) -> None:
         {
             "id": "skill.disk.quick",
             "title": "Disk quick check",
+            "step_count": 1,
+            "safety_posture": "read_only",
             "steps": [{"purpose": "Show filesystem usage", "read_only": True}],
         }
     ]
     assert "df -h" not in response["result"]["contents"][0]["text"]
 
 
+def test_mcp_runbook_summary_reports_policy_gated_posture(tmp_path: Path) -> None:
+    server = McpServer(
+        DEFAULT_POLICY_ENGINE,
+        tmp_path / "audit.log",
+        runbooks=(
+            Runbook(
+                id="skill.service.restart",
+                title="Restart service",
+                steps=(
+                    RunbookStep(
+                        command="systemctl status nginx",
+                        purpose="Inspect service status",
+                        read_only=True,
+                    ),
+                    RunbookStep(
+                        command="systemctl restart nginx",
+                        purpose="Restart service",
+                        read_only=False,
+                    ),
+                ),
+            ),
+        ),
+    )
+
+    response = server.handle(
+        {
+            "jsonrpc": "2.0",
+            "id": 12,
+            "method": "resources/read",
+            "params": {"uri": "linuxagent://runbooks/summary"},
+        }
+    )
+
+    assert response is not None
+    content = json.loads(response["result"]["contents"][0]["text"])
+    assert content["runbooks"][0]["step_count"] == 2
+    assert content["runbooks"][0]["safety_posture"] == "policy_gated"
+    assert "systemctl restart nginx" not in response["result"]["contents"][0]["text"]
+
+
 def test_mcp_skill_summary_resource_reports_manifest_metadata(tmp_path: Path) -> None:
     server = McpServer(
         DEFAULT_POLICY_ENGINE,

Original file line number	Diff line number	Diff line change
`@@ -252,6 +252,8 @@ def _runbook_summary(runbooks: tuple[Runbook, ...]) -> JsonObject:`
`252`	`252`	`{`
`253`	`253`	`"id": runbook.id,`
`254`	`254`	`"title": runbook.title,`
	`255`	`+ "step_count": len(runbook.steps),`
	`256`	`+ "safety_posture": _runbook_safety_posture(runbook),`
`255`	`257`	`"steps": [`
`256`	`258`	`{`
`257`	`259`	`"purpose": step.purpose,`
`@@ -265,6 +267,12 @@ def _runbook_summary(runbooks: tuple[Runbook, ...]) -> JsonObject:`
`265`	`267`	`}`
`266`	`268`
`267`	`269`
	`270`	`+def _runbook_safety_posture(runbook: Runbook) -> str:`
	`271`	`+ if all(step.read_only for step in runbook.steps):`
	`272`	`+ return "read_only"`
	`273`	`+ return "policy_gated"`
	`274`	`+`
	`275`	`+`
`268`	`276`	`def _skill_summary(skills: tuple[SkillManifest, ...]) -> JsonObject:`
`269`	`277`	`return {`
`270`	`278`	`"enabled": bool(skills),`