Add validation for callServerTool params argument#449
Merged
Conversation
@modelcontextprotocol/ext-apps
@modelcontextprotocol/server-basic-react
@modelcontextprotocol/server-basic-vanillajs
@modelcontextprotocol/server-budget-allocator
@modelcontextprotocol/server-cohort-heatmap
@modelcontextprotocol/server-customer-segmentation
@modelcontextprotocol/server-map
@modelcontextprotocol/server-pdf
@modelcontextprotocol/server-scenario-modeler
@modelcontextprotocol/server-shadertoy
@modelcontextprotocol/server-sheet-music
@modelcontextprotocol/server-system-monitor
@modelcontextprotocol/server-threejs
@modelcontextprotocol/server-transcript
@modelcontextprotocol/server-video-resource
@modelcontextprotocol/server-wiki-explorer
commit: |
…tring
Users frequently call callServerTool("tool_name", args) instead of the
correct callServerTool({ name: "tool_name", arguments: args }), resulting
in a silent/confusing failure. Detect this and throw immediately with
a message that shows the correct call shape.
Also fixes the incorrect example in examples/pdf-server/README.md that
demonstrated this same wrong usage pattern.
Fixes #386
https://claude.ai/code/session_01GqAyN4Ux7svWoU2HqsSLZF
ochafik
force-pushed
the
claude/defensive-callservertool-GbZYK
branch
from
64236a2 to
30fcb7d
Compare
Comment on lines
723
to
+732
| async callServerTool( | ||
| params: CallToolRequest["params"], | ||
| options?: RequestOptions, | ||
| ): Promise<CallToolResult> { | ||
| if (typeof params === "string") { | ||
| throw new Error( | ||
| `callServerTool() expects an object as its first argument, but received a string ("${params}"). ` + | ||
| `Did you mean: callServerTool({ name: "${params}", arguments: { ... } })?`, | ||
| ); | ||
| } |
Member
There was a problem hiding this comment.
Checking typeof params === "string" when params: CallToolRequest["params"] feels a bit funny.
Something that puzzles me: in at least one report, the developer is using TypeScript, so why wasn't the error caught by the type checker?
By the way, another alternative would be to add a function overload. (Though the proper fix is still to fix type checking.)
Contributor
Author
There was a problem hiding this comment.
Yeah it's a hack to help w/ errors that shouldn't happen, but that do.
I think given I'd left that bad syntax example in pdf-server/README.md, people end up trying their chances even when their typechecker isn't working well.
A function overload would imply it's a valid syntax.
jonathanhefner
approved these changes
Feb 13, 2026
ochafik
added a commit
that referenced
this pull request
Feb 22, 2026
Features: - registerAppResource now returns the registered resource (#370) - Accept UIResourceMeta in both resources/list and resources/read (#410) - callServerTool throws helpful error when called with a string (#449) - Add double-connect guard to prevent protocol message handling errors (#450) Bug fixes: - Only ignore messages that lack jsonrpc 2.0 in message-transport (#448) - Align basic-host dark mode styles (#438) Spec: - Change Host <> Sandbox communication protocol to SHOULD (#435) - Clarify UIResourceMeta in both list and read responses (#410)
ochafik
added a commit
that referenced
this pull request
Feb 22, 2026
* chore: bump ext-apps to 1.1.0 Features: - registerAppResource now returns the registered resource (#370) - Accept UIResourceMeta in both resources/list and resources/read (#410) - callServerTool throws helpful error when called with a string (#449) - Add double-connect guard to prevent protocol message handling errors (#450) Bug fixes: - Only ignore messages that lack jsonrpc 2.0 in message-transport (#448) - Align basic-host dark mode styles (#438) Spec: - Change Host <> Sandbox communication protocol to SHOULD (#435) - Clarify UIResourceMeta in both list and read responses (#410) * fix(debug-server): add missing npm package config (main, bin, types, exports) Align debug-server package.json with all other server examples: - main: dist/server.js (was server.ts) - types: dist/server.d.ts - bin: mcp-server-debug -> dist/index.js - exports with types - files: only dist (remove source server.ts)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Added input validation to
callServerTool()to catch a common usage error where developers pass a string tool name instead of the required params object ( examples: report 1, report 2). When this mistake occurs, the method now throws a helpful error message with a suggestion for the correct usage pattern.Changes
callServerTool()to detect when a string is passed as the first argument and throw a descriptive error with usage guidancecallServerTool()is called with a stringcallServerTool()API with params object instead of separate argumentsImplementation Details
The validation checks if the
paramsargument is a string and throws an error that:https://claude.ai/code/session_01GqAyN4Ux7svWoU2HqsSLZF