Summary
When the first authenticated request initializes DocuEngine dynamic tools, the resulting tool list appears to become global for the whole process. In a shared deployment this means the first token to hit the server can effectively decide which dynamic tools are registered for everyone else.
Reproduction
- Start one shared server instance.
- Send a first authenticated request with token A that has a limited set of services.
- Later connect with token B that should expose a different or broader DocuEngine surface.
- Observe that the server keeps the already-registered dynamic toolset.
Expected
Dynamic tools should either be tenant-safe, token-scoped, or the server should make the shared-process limitation explicit and deterministic.
Actual
init_dynamic_tools() is guarded by a process-global flag, so the first successful registration wins.
Notes
This becomes visible in cloud or team environments where one MCP instance is reused by multiple users.
Summary
When the first authenticated request initializes DocuEngine dynamic tools, the resulting tool list appears to become global for the whole process. In a shared deployment this means the first token to hit the server can effectively decide which dynamic tools are registered for everyone else.
Reproduction
Expected
Dynamic tools should either be tenant-safe, token-scoped, or the server should make the shared-process limitation explicit and deterministic.
Actual
init_dynamic_tools()is guarded by a process-global flag, so the first successful registration wins.Notes
This becomes visible in cloud or team environments where one MCP instance is reused by multiple users.