E105/E107 produce excessive false positives on file-path-heavy servers #23

@blackwell-systems

Problem

Running mcp-assert lint against agent-lsp (65 tools, code intelligence MCP server) produces 3,535 errors and 181 warnings. The vast majority are false positives from two rules:

Rule  Count  Issue
E105  2,784  Unconstrained string flow
E107  751    Circular dependency paths

This volume makes CI results unusable. Real issues are invisible in the noise.

E105: Unconstrained string flow (2,784 false positives)

What it flags:

E105  apply_edit  Unconstrained string "file_path" flows from "apply_edit" to "callers".
                  Agents may pass free text where structured data is expected.

Why it's a false positive: file_path is a filesystem path. It cannot be constrained with enum, pattern, or example in any meaningful way. The path comes from the user's project; it's not a fixed set of values. Same applies to session_id, workspace_root, root_dir, language_id, command, etc.

Combinatorial explosion: E105 traces every cross-tool string propagation path. With 65 tools and ~4 string params each, the rule generates thousands of findings for a single unconstrained type (file_path). One param name produces hundreds of errors.

Suggested fix: Skip E105 for params matching common path/ID patterns:

  • *_path, *_file, *_dir, *_root (filesystem paths)
  • *_id, session_id (opaque identifiers)
  • uri, url (URIs)
  • command (shell commands)
  • language, language_id (language identifiers)

Or: add a @mcp-assert-ignore annotation for params that are intentionally unconstrained.

E107: Circular dependency enumeration (751 errors)

What it flags:

E107  callers  Circular dependency: callers -> close_document -> explore -> go_to_definition.
               Agents may loop forever.

Why the count is inflated: E107 reports every unique path through the dependency graph. A cycle involving 5 tools produces dozens of path variants (starting from each node, varying lengths). The actual number of unique cycles is ~10-15, not 751.

Suggested fix: Collapse to one finding per cycle (shortest path), not one per path variant. Report the cycle once with all participating tools.

Impact

agent-lsp runs mcp-assert in CI with --threshold 0. With 3,535 false positives, the only option is raising the threshold to ~3,600, which defeats the purpose of the lint. We want to catch real issues (W102 missing descriptions, W110 param/description mismatch) but they're buried.

Environment

mcp-assert lint --server "agent-lsp go:gopls" --threshold 0
  • agent-lsp: 65 tools, 30 languages, code intelligence MCP server
  • Tool descriptions reference each other (workflow suggestions)
  • Most params are filesystem paths, session IDs, or language identifiers

Suggested Changes

  1. E105: Add name-based heuristic to skip known-unconstrained param types
  2. E107: Collapse cycle variants to one finding per unique cycle
  3. Consider severity: Both rules should be warning not error when the constraint is advisory rather than structural
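
The E107 suggestion above (one finding per cycle rather than one per path variant), as an added sketch that is not mcp-assert's own code. It groups tools into strongly connected components, which goes slightly beyond the text by merging overlapping cycles into a single finding, and reports one shortest path per group. The graph edges and the names tool_a/tool_b are constructed for illustration.

```python
from collections import deque

# Constructed sample graph: tool -> tools its description references.
# Tool names come from the issue (tool_a/tool_b are hypothetical); edges are assumed.
GRAPH = {
    "apply_edit": ["callers"], "callers": ["close_document"],
    "close_document": ["explore"], "explore": ["go_to_definition", "callers"],
    "go_to_definition": ["callers"], "tool_a": ["tool_b"], "tool_b": ["tool_a"],
}

def reachable(graph, start):
    """Tools reachable from start in one or more steps (start only if on a cycle)."""
    seen, todo = set(), [start]
    while todo:
        for w in graph.get(todo.pop(), ()):
            if w not in seen:
                seen.add(w)
                todo.append(w)
    return seen

def cyclic_components(graph):
    """Sets of mutually reachable tools. Quadratic, fine for tens of tools."""
    nodes = set(graph) | {w for ws in graph.values() for w in ws}
    reach = {v: reachable(graph, v) for v in nodes}
    return {frozenset(w for w in reach[v] if v in reach[w])
            for v in nodes if v in reach[v]}

def shortest_cycle(graph, comp):
    """Shortest cycle inside one component, found by BFS from each member."""
    best = None
    for start in sorted(comp):
        seen, queue = {start}, deque([[start]])
        while queue:
            path = queue.popleft()
            if start in graph.get(path[-1], ()):  # first hit in BFS order is shortest
                best = min(best or path, path, key=len)
                break
            for w in graph.get(path[-1], ()):
                if w in comp and w not in seen:
                    seen.add(w)
                    queue.append(path + [w])
    return best + [best[0]]

def collapse_cycles(graph):
    """One finding per cyclic component: (participating tools, one shortest path)."""
    return sorted((sorted(c), " -> ".join(shortest_cycle(graph, c)))
                  for c in cyclic_components(graph))
```

On the sample graph this yields two findings where enumerating every path variant would report each rotation and detour separately.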
