Comment by amzil

Schema validates structure, nothing validates intent. That's the actual attack surface and nobody's talking about it.

CLI `--help` is baked into the binary. You'd need a new release to change it. MCP server descriptions can change between sessions and nothing catches it.

Honestly though, the whole thread is arguing about the wrong layer. I've been doing API infra for 20 years and the pattern is always the same: if your API has good resource modeling and consistent naming, agents will figure it out through CLI, MCP, whatever. If it doesn't, MCP schemas won't save you.

Thanks for the CVE reference, hadn't seen that one.