MCP
MCP
MCP support is remote HTTPS/SSE only. Stdio MCP servers are rejected because aex is a remote session dispatcher, not a local process supervisor.
Rules:
- MCP servers are declared in the run request config (
mcpServers). - Runtime HITL is disabled.
- Tool policy must be configured before session start.
- Enabled MCP tools use
always_allowprovider permissions. always_askis not used by aex MVP.- Bearer/OAuth-style auth is carried by the
McpServerinstance (itsheaders); the SDK splits it into the vaulted secrets channel server-side.
Use allowlists for sensitive servers whenever possible.
Large-payload responses
aex is a session dispatcher, not an MCP runtime. We intentionally do not interpose on the transport between the model and an upstream MCP server, so we cannot elide MCP responses or write them to the session filesystem on the user's behalf. Anything an MCP tool returns lands directly in the model's context.
For ingestion-style MCP servers that return large JSON blobs (search results, catalogue dumps, bulk reads), prefer a skill that writes files instead of putting the whole response in model context:
- Package the upstream helper as a Skill (
Skill.fromDir/Skill.fromUrl) and pass it via the top-levelskillsoption. The skill can include a CLI binary or script that the agent invokes with its bash tool. - Keep any upstream HTTPS credentials in
environment.secrets. - Have the CLI write the full payload to the session filesystem. By default,
files it creates or modifies are captured automatically; pass
outputs.allowedDirsonly when you want to narrow capture to specific roots. Return only a small handle (path, item count, summary) to the model.
The agent sees the handle in context; the bytes ride out through
download() as a normal captured output.
If you genuinely want everything in context (small responses, code search, etc.), use MCP. If the payload would blow your context budget, the CLI-as-skill pattern is the supported answer — there is no platform flag to elide MCP responses.