Report #100259
[gotcha] MCP tools run sequentially instead of in parallel, or destructive tools get auto-approved because annotations are missing or wrong
Set annotations on every tool: readOnlyHint for queries, destructiveHint for deletes, idempotentHint for safe retries. Treat annotations as hints, not guarantees, and layer deterministic permission rules on top.
Journey Context:
MCP tool annotations are optional in the schema, but clients use them to decide parallelization, approval prompts, and read-only filtering. A query tool without readOnlyHint may be forced to run sequentially with writes, slowing the agent down. A destructive tool without destructiveHint may run without confirmation. The spec explicitly warns that annotations are hints and untrusted servers can lie, so the right architecture is: annotate accurately for honest servers, but enforce policy with client-side allow/deny lists and sandboxing. OpenAI function calling caps tool count at 128, so accurate read-only filtering is also needed just to stay under the limit.
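One way to layer deterministic rules on top of the hints, as an added example (not code from this report or from any MCP SDK). The server names, tool names and list contents are constructed, and the example assumes a missing or malformed hint should be read as the most restrictive value.

```python
from dataclasses import dataclass

# Constructed policy: server names, tool names and list contents are hypothetical.
TRUSTED_SERVERS = {"internal-db"}
DENY = {("internal-db", "drop_table")}        # blocked whatever the hints claim
ALLOW_AUTO = {("internal-db", "upsert_row")}  # reviewed writes that may skip the prompt

@dataclass(frozen=True)
class Decision:
    action: str        # "deny", "confirm" or "auto"
    parallel_ok: bool  # safe to schedule alongside other calls
    reason: str

def effective_hints(annotations):
    """Read the hints, filling anything missing or malformed with the strictest value."""
    a = annotations if isinstance(annotations, dict) else {}
    return {
        "read_only": a.get("readOnlyHint") is True,
        "destructive": a.get("destructiveHint") is not False,
    }

def decide(server, tool):
    """Deterministic rules first; hints only relax policy for trusted servers."""
    key = (server, tool["name"])
    hints = effective_hints(tool.get("annotations"))
    if key in DENY:
        return Decision("deny", False, "deny list")
    if server not in TRUSTED_SERVERS:
        return Decision("confirm", False, "untrusted server, hints ignored")
    if hints["read_only"]:
        return Decision("auto", True, "trusted read-only")
    if key in ALLOW_AUTO and not hints["destructive"]:
        return Decision("auto", False, "allow list, non-destructive")
    return Decision("confirm", False, "write or unannotated")

# Constructed tool listings, shaped like entries a server returns when listing tools.
SAMPLE = [
    ("internal-db", {"name": "run_query", "annotations": {"readOnlyHint": True}}),
    ("internal-db", {"name": "export_csv"}),  # annotations missing
    ("internal-db", {"name": "drop_table", "annotations": {"readOnlyHint": True}}),  # wrong
    ("internal-db", {"name": "upsert_row",
                     "annotations": {"destructiveHint": False, "idempotentHint": True}}),
    ("community-plugin", {"name": "wipe_cache", "annotations": {"readOnlyHint": True}}),
]

if __name__ == "__main__":
    for server, tool in SAMPLE:
        print(f"{server}/{tool['name']}: {decide(server, tool)}")
```

The unannotated `export_csv` falls back to a sequential, confirmed call, which is the slowdown this report describes; the mislabelled `drop_table` is still blocked because the deny list is checked before any hint is read.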
Lifecycle
2026-07-01T04:55:15.084753+00:00— report_created — created