fix(copilot): prioritize block discovery over MCP and sanitize HTML errors (#12394)

Requested by @majdyz When a user asks for Google Sheets integration, the CoPilot agent skips block discovery entirely (despite 55+ Google Sheets blocks being available), jumps straight to MCP, guesses a fake URL (`https://sheets.googleapis.com/mcp`), and gets a raw HTML 404 error page dumped into the conversation. **Changes:** 1. **MCP guide** (`mcp_tool_guide.md`): Added "Check blocks first" section directing the agent to use `find_block` before attempting MCP for any service not in the known servers list. Explicitly prohibits guessing/constructing MCP server URLs. 2. **Error handling** (`run_mcp_tool.py`): Detects HTML error pages in HTTP responses (e.g. raw 404 pages from non-MCP endpoints) and returns a clean one-liner like "This URL does not appear to host an MCP server" instead of dumping the full HTML body. **Note:** The main CoPilot system prompt (managed externally, not in repo) should also be updated to reinforce block-first behavior in the Capability Check section. This PR covers the in-repo changes. Session reference: `9216df83-5f4a-48eb-9457-3ba2057638ae` (turn 3) Ticket: [SECRT-2116](https://linear.app/autogpt/issue/SECRT-2116) --- Co-authored-by: Zamil Majdy (@majdyz) <majdyz@gmail.com> --------- Co-authored-by: Zamil Majdy (@majdyz) <majdyz@gmail.com> Co-authored-by: Zamil Majdy <zamil.majdy@agpt.co>
2026-04-08 03:00:28 -04:00 · 2026-03-14 12:49:03 +00:00
parent 6dc8429ae7
commit d9c16ded65
3 changed files with 65 additions and 3 deletions
--- a/autogpt_platform/backend/backend/copilot/sdk/mcp_tool_guide.md
+++ b/autogpt_platform/backend/backend/copilot/sdk/mcp_tool_guide.md
@@ -20,7 +20,24 @@ Use these URLs directly without asking the user:
 | Cloudflare | `https://mcp.cloudflare.com/mcp` |
 | Atlassian / Jira | `https://mcp.atlassian.com/mcp` |

-For other services, search the MCP registry at https://registry.modelcontextprotocol.io/.
+For other services, search the MCP registry API:
+```http
+GET https://registry.modelcontextprotocol.io/v0/servers?q=<search_term>
+```
+Each result includes a `remotes` array with the exact server URL to use.
+
+### Important: Check blocks first
+
+Before using `run_mcp_tool`, always check if the platform already has blocks for the service
+using `find_block`. The platform has hundreds of built-in blocks (Google Sheets, Google Docs,
+Google Calendar, Gmail, etc.) that work without MCP setup.
+
+Only use `run_mcp_tool` when:
+- The service is in the known hosted MCP servers list above, OR
+- You searched `find_block` first and found no matching blocks
+
+**Never guess or construct MCP server URLs.** Only use URLs from the known servers list above
+or from the `remotes[].url` field in MCP registry search results.

 ### Authentication

--- a/autogpt_platform/backend/backend/copilot/tools/run_mcp_tool.py
+++ b/autogpt_platform/backend/backend/copilot/tools/run_mcp_tool.py
@@ -184,10 +184,12 @@ class RunMCPToolTool(BaseTool):
            if e.status_code in _AUTH_STATUS_CODES and not creds:
                # Server requires auth and user has no stored credentials
                return self._build_setup_requirements(server_url, session_id)
-            logger.warning("MCP HTTP error for %s: %s", server_host(server_url), e)
+            host = server_host(server_url)
+            logger.warning("MCP HTTP error for %s: status=%s", host, e.status_code)
            return ErrorResponse(
-                message=f"MCP server returned HTTP {e.status_code}: {e}",
+                message=(f"MCP request to {host} failed with HTTP {e.status_code}."),
                session_id=session_id,
+                error=f"HTTP {e.status_code}: {str(e)[:300]}",
            )

        except MCPClientError as e:
--- a/autogpt_platform/backend/backend/copilot/tools/test_run_mcp_tool.py
+++ b/autogpt_platform/backend/backend/copilot/tools/test_run_mcp_tool.py
@@ -580,6 +580,49 @@ async def test_auth_error_with_existing_creds_returns_error():
    assert "403" in response.message


+@pytest.mark.asyncio(loop_scope="session")
+async def test_http_error_returns_clean_message_with_collapsible_detail():
+    """Non-auth HTTP errors return a clean message with raw detail in the `error` field."""
+    from backend.util.request import HTTPClientError
+
+    tool = RunMCPToolTool()
+    session = make_session(_USER_ID)
+
+    with patch(
+        "backend.copilot.tools.run_mcp_tool.validate_url_host", new_callable=AsyncMock
+    ):
+        with patch(
+            "backend.copilot.tools.run_mcp_tool.auto_lookup_mcp_credential",
+            new_callable=AsyncMock,
+            return_value=None,
+        ):
+            mock_client = AsyncMock()
+            mock_client.initialize = AsyncMock(
+                side_effect=HTTPClientError(
+                    "<!doctype html><html><body>Not Found</body></html>",
+                    status_code=404,
+                )
+            )
+            with patch(
+                "backend.copilot.tools.run_mcp_tool.MCPClient",
+                return_value=mock_client,
+            ):
+                response = await tool._execute(
+                    user_id=_USER_ID,
+                    session=session,
+                    server_url=_SERVER_URL,
+                )
+
+    assert isinstance(response, ErrorResponse)
+    assert "404" in response.message
+    # Raw HTML body must NOT leak into the user-facing message
+    assert "<!doctype" not in response.message
+    # Raw detail (including original body) goes in the collapsible `error` field
+    assert response.error is not None
+    assert "404" in response.error
+    assert "<!doctype" in response.error.lower()
+
+
@pytest.mark.asyncio(loop_scope="session")
 async def test_mcp_client_error_returns_error_response():
    """MCPClientError (protocol-level) maps to a clean ErrorResponse."""