MCP-BLOB-SUMMARIZE-EVALUATION.md
sha256:8915fe406161f95c1681f9469375e7bae5b28c884f00bedbdef65e4b0cd0738d docs(flow): commit FLOW-V0-SPEC.md hygiene for 7A-INT merge Human 20 hours ago

Evaluation: MCP tool “summarize pasted blob” (hosted parity)

Date: 2026-04-21
Outcome: Do not ship a hosted MCP tool that accepts an arbitrary user-supplied blob and returns an LLM summary inside Knowtation’s gateway.


Goal that was considered

A tool mirroring “paste a wall of text → get a short summary” for hosted MCP, analogous to local workflows where the client model summarizes text the user already pasted into chat.


Findings (code and product boundaries)

  1. Auth and tenancy
    Hosted MCP already binds sessions to JWT + vault id (hub/gateway/mcp-hosted-server.mjs, getHostedAccessContext). A blob tool would still run inside that tenant, but the input is not vault-scoped until written to a note. Any bug in size limits or logging could leak cross-request patterns (operator logs, support exports) unless carefully redacted. Vault-scoped summarization today goes through summarize on a path with existing ACL (hub/gateway/mcp-tool-acl.mjs).

  2. Rate limits
    The gateway applies per-user limits on /mcp (documented in docs/AGENT-INTEGRATION.md). A blob summarizer becomes a cheap LLM proxy: attackers send huge bodies to burn CPU, egress, and provider quotas without touching the vault. Mitigations (strict byte caps, per-tool quotas, billing hooks) duplicate work already distributed between bridge billing and client-side summarization.

  3. Billing / credits
    Hosted summarize for notes uses sampling or configured server-side models with existing cost paths. A generic blob endpoint needs a defined billing class (per token? per request?) and alignment with runBillingGate on other expensive routes. Without that, it is either loss-making or inconsistent with other gated operations.

  4. Payload caps and abuse
    Enforcing a cap (e.g. 32 KiB) avoids the worst cases but does not remove abuse: many small requests still stress the gateway. Compression bombs and pathological Unicode still need parsing guards. Meeting-style summarization is already covered by the meeting-notes prompt (user-supplied transcript) with a known shape and existing prompt registration patterns.

  5. Parity vs local
    Self-hosted agents typically summarize in the IDE or via sampling without a dedicated “blob” tool. Adding a hosted-only blob tool diverges from the security model “read paths from the vault, don’t ingest arbitrary internet text into server-side LLM without review.”


Decision

No new MCP tool for arbitrary pasted-blob summarization on hosted Knowtation in this phase.

Alternatives (already supported):

  • Summarize vault notes via hosted MCP summarize (path + role ACL).
  • Paste transcripts into the meeting-notes prompt (bounded transcript slice in mcp/prompts/register.mjs).
  • Summarize terminal or tool output locally on the coding host (per docs/TOKEN-SAVINGS.md — terminal-side tooling is not a hosted product surface).

If this is revisited, treat it as H0–H4 in docs/PARITY-MATRIX-HOSTED.md: explicit byte caps, abuse rate tier, billing class, and parity with any Hub UI that performs the same operation.
