@@ -100,10 +100,39 @@ That's it. Agent introspects schema, generates queries, runs SQL post-processing
100100| ` X-Target-Headers ` | No | JSON auth headers, e.g. ` {"Authorization": "Bearer xxx"} ` |
101101| ` X-API-Name ` | No | Override tool name prefix (default: auto-generated) |
102102| ` X-Base-URL ` | No | Override base URL for REST API calls |
103- | ` X-Allow-Unsafe-Paths ` | No | JSON array of glob patterns for POST/PUT/DELETE/PATCH |
104- | ` X-Poll-Paths ` | No | JSON array of paths requiring polling (enables poll tool) |
103+ | ` X-Allow-Unsafe-Paths ` | No | Header string containing JSON array of ` fnmatch ` globs ( ` * ` , ` ? ` ) for POST/PUT/DELETE/PATCH |
104+ | ` X-Poll-Paths ` | No | Header string containing JSON array of polling path patterns (enables poll tool) |
105105| ` X-Include-Result ` | No | Include full uncapped ` result ` field in output |
106106
107+ #### Header value examples
108+
109+ ` X-Allow-Unsafe-Paths ` and ` X-Poll-Paths ` use the same escaping format: JSON array encoded as a header string.
110+
111+ ** MCP config (JSON):**
112+ ``` json
113+ {
114+ "headers" : {
115+ "X-Allow-Unsafe-Paths" : " [\" /search\" , \" /api/*/query\" , \" /jobs/*/cancel\" ]"
116+ "X-Poll-Paths" : " [\" /search\" , \" /trips/*/status\" ]"
117+ }
118+ }
119+ ```
120+
121+ ** ` X-Allow-Unsafe-Paths ` pattern examples:**
122+ - ` "/search" ` exact path
123+ - ` "/api/*/query" ` one wildcard segment
124+ - ` "/jobs/*" ` any suffix under ` /jobs/ `
125+
126+ ** ` X-Poll-Paths ` pattern examples:**
127+ - ` "/search" ` exact polling path
128+ - ` "/trips/*/status" ` wildcard polling path
129+
130+ ` X-Poll-Paths ` enables polling guidance/tooling; ` X-Allow-Unsafe-Paths ` controls unsafe method allowlist.
131+
132+ ** Escaping quick check (same for both headers):**
133+ - wrong: ` "X-Allow-Unsafe-Paths": "["/search"]" `
134+ - right: ` "X-Allow-Unsafe-Paths": "[\"/search\"]" `
135+
107136### MCP Tools
108137
109138** Core tools** (2 per API):
0 commit comments