fix(delegate): lazy MCP discovery + profile toolset bypass for no_mcp platforms

[davidgut1982]

fix(delegate): lazy MCP discovery + profile toolset bypass for no_mcp platforms

What this is

Two related fixes that together solve silent tool-loss when using named agent_profiles on api_server / no_mcp platforms. Fixes #32668. Extended and security-hardened in #35526; supports the progressive-disclosure work in #35457.

---

Problem

The orchestrator pattern — a no_mcp parent routing work to MCP-capable profile sub-agents — fails silently in two distinct ways before this PR:

Phase 1 — silent tool-loss via parent intersection. _build_child_agent() resolves child toolsets by intersecting the requested list against what the parent has loaded. This is correct as a security boundary for ad-hoc delegation. But for named agent_profiles, it breaks: if the orchestrator's MCP context is restricted (via platform_toolsets + no_mcp), any child requesting domain MCP tools (e.g. mcp-fastmail) gets an empty tool list — no error, no warning, just a child that cannot do its job.

Phase 2 — eager MCP startup cost on no_mcp platforms. discover_mcp_tools() ran at startup unconditionally. For api_server / no_mcp platforms, all MCP connections were established and schemas loaded (12,000–14,000 tokens of domain tool definitions) for work the orchestrator would never perform directly.

---

Approach

Phase 1 — profile toolset bypass. When spawning from a named profile, MCP toolsets bypass the parent intersection and resolve from global config. Non-MCP toolsets still require parent membership, preserving the security boundary for ad-hoc delegation.

Phase 2 — lazy MCP discovery. Skip eager startup when no_mcp is in platform toolsets. Trigger a one-shot thread-safe discovery on the first child build that actually requests MCP toolsets. Failure during lazy discovery is tolerant — partial results are used and logged rather than crashing the child build.

Together these enable the orchestrator-stub pattern: the orchestrator sees only routing stubs at startup; workers load domain tools on first activation. This is the same pattern used by LangGraph, CrewAI, AutoGen, and similar multi-agent frameworks.

---

PROOF — profile-toolset authority and MCP isolation

Validated against a live deployed build (OpenRouter + deepseek). Adversarial 9-scenario suite (A–I), critic-reviewed over two cycles.

Observed invariants (all verified):

Scenario	Expected	Result
Profile toolset is authoritative	Profile-declared toolset cannot be widened by caller or model	Confirmed — batch-mode per-task toolset injection rejected; profile wins
No parent MCP bleed	Child spawned via named profile with inherit_mcp_toolsets: false	Child sees only its own profile toolset; parent MCP context does not leak
Invalid profile — no crash, no fallback widening	Profile name not found in config	Logged, child build aborted cleanly; no fallback to a broader toolset
Multi-tool delegation	Multiple children with distinct profiles delegated in sequence	Each child received its isolated toolset; no cross-contamination

Reproduce:

git clone https://github.com/NousResearch/hermes-agent
pytest tests/tools/test_delegate_toolset_scope.py \
       tests/tools/test_mcp_lazy_discovery.py -v
# Expect: 15 tests pass (3 Phase 1 + 12 Phase 2)

E2E adversarial suite (0/10 regressions):

# From scripts/out/_summary.json (real LLM calls — OpenRouter/deepseek):
# scenarios A–I: underlying_tools_called == expected, error: false, on all 9 scenarios
# See davidgut1982/hermes-agent#1 for the eval harness that produced this output.

---

PROOF — lazy discovery behavior

Reproduce lazy discovery:

# 1. Configure platform_toolsets to include no_mcp
# 2. Start hermes — MCP connections are NOT established at startup (observe logs)
# 3. Delegate to a profile that uses MCP toolsets
# 4. On first delegation: MCP discovery fires once (thread-safe one-shot)
# 5. Child receives its MCP tools; subsequent delegations reuse the cached discovery
grep "discover_mcp\|lazy.*discovery\|mcp_discovered" /path/to/logs/agent.log

---

Results

Test	Count	Result
Phase 1: profile bypass, non-MCP security boundary, no-profile pass-through	3	pass
Phase 2: skip-on-no_mcp, one-shot trigger, thread safety, failure tolerance	12	pass
Full test suite	5578 passed, 67 skipped, 3 pre-existing failures unrelated to these changes	—
E2E adversarial	9 scenarios	0 regressions

---

Caveats

Non-MCP toolsets are still parent-gated. Only MCP toolsets bypass the intersection when a profile is specified. The security boundary for ad-hoc delegation is preserved.

Lazy discovery failure is tolerant. Partial MCP results are used and logged if discovery fails mid-session; the child build is not crashed. This trades strict completeness for resilience; review if your deployment requires all-or-nothing MCP initialization.

---

How to test

# 1. Unit and integration tests
pytest tests/tools/test_delegate_toolset_scope.py tests/tools/test_mcp_lazy_discovery.py -v

# 2. Full test suite
pytest tests/tools/ -q
# Expect: 5578 passed, 67 skipped, 3 pre-existing failures unrelated to these changes

# 3. End-to-end
# Configure api_server platform with no_mcp in platform_toolsets
# Define an agent_profiles entry with MCP toolsets
# Delegate via profile_name — verify child receives MCP tools despite orchestrator having none loaded

---

Files changed

• tools/delegate_tool.py — profile_name param, bypass logic for MCP toolsets, ensure_mcp_discovered() trigger on first child build
• tools/mcp_tool.py — mark_eager_discovery_skipped() + ensure_mcp_discovered() (thread-safe one-shot, failure-tolerant)
• gateway/run.py — _active_platform_uses_no_mcp() helper; gate eager discovery on no_mcp check
• hermes_cli/main.py — same gate for CLI startup path
• agent/AGENTS.md — documents MCP bypass behaviour and lazy discovery semantics
• tests/tools/test_delegate_toolset_scope.py — 3 new tests: profile bypass, non-MCP security boundary, no-profile pass-through
• tests/tools/test_mcp_lazy_discovery.py — 12 new tests: skip-on-no_mcp, one-shot trigger, thread safety, failure tolerance

---

Checklist

Code

• I've read the Contributing Guide
• My commit messages follow Conventional Commits
• I searched for existing PRs to make sure this isn't a duplicate
• My PR contains only changes related to this fix/feature
• I've run pytest tests/ -q and all tests pass
• I've added tests for my changes
• I've tested on my platform: Ubuntu 24.04

Documentation & Housekeeping

• I've updated relevant documentation (README, docs/, docstrings) — or N/A
• I've updated cli-config.yaml.example if I added/changed config keys — or N/A
• I've updated CONTRIBUTING.md or AGENTS.md if I changed architecture or workflows
• I've considered cross-platform impact (Windows, macOS) per the compatibility guide — or N/A
• I've updated tool descriptions/schemas if I changed tool behavior — or N/A

---

Related PRs

• #35526 — extends and security-hardens this work (batch injection block, aliasing fix, inherit guard)
• #35457 — embedding reranker + progressive tool disclosure
• davidgut1982/hermes-agent#1 — eval harness that ran the adversarial E2E suite

[davidgut1982]

Closing in favor of #35526, which now contains this PR's lazy MCP discovery (folded in and verified — 9 lazy-discovery + 24 toolset-scope tests passing) on top of the profile-toolset isolation and security hardening. #35526 is the single complete implementation that closes #32668. Thanks @alt-glitch for flagging the overlap.