Merged
6 changes: 4 additions & 2 deletions README.md
Expand Up @@ -421,6 +421,7 @@ Implemented today:
through trace evidence,
- subprocess MCP invalid client-parameter guards before empty identifiers can
reach downstream servers,
- compact denial summaries on blocked MCP tool, resource, and prompt responses,
- subprocess MCP response timeout handling for hung downstream servers,
- subprocess MCP transport-close handling for child exits and broken pipes,
- a runnable MCP killer demo that blocks poisoned-output exfiltration and
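Review bot: the new bullet "compact denial summaries on blocked MCP tool, resource, and prompt responses" does not say what the summary carries or where it sits in the response, while the docs/architecture.md hunk in this same PR names the `denial` key and its fields (verdict, policy rule, reason, syscall, target, missing capability). The neighbouring bullets each name a concrete boundary ("before empty identifiers can reach downstream servers", "for hung downstream servers"); give this one the same precision, e.g. "`denial` summaries (verdict, rule, reason, target) on blocked MCP tool, resource, and prompt responses", or point at docs/architecture.md so a reader knows which field to look for in a blocked response.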
Expand All @@ -437,8 +438,9 @@ Implemented today:
transport-close checks, mixed interop, public interop transcripts, resource
subscription no-passthrough, pre-ready notification guards,
notification-burst/flood checks, config and metadata guards,
client-intent redaction, invalid client-parameter guards, no-passthrough
checks, the MCP shim eval, inspect, and MCP server smoke checks.
client-intent redaction, invalid client-parameter guards, denial summaries,
no-passthrough checks, the MCP shim eval, inspect, and MCP server smoke
checks.

Not implemented yet:

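Review bot: splicing "denial summaries" into this sentence makes it the fourth term added to a single run-on that now lists roughly thirty release-audit checks, and the ordering no longer matches the corresponding list in docs/architecture.md (which places denial-summary smoke tests after invalid-client-param, not before no-passthrough). The two files also use different terms for the same check ("denial summaries" here, "denial-summary smoke tests" there). Consider turning this README list into bullets, or replacing it with a pointer to the `agentk release-audit` paragraph in docs/architecture.md, so there is one list to keep current; at minimum use the same term in both places.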
4 changes: 3 additions & 1 deletion docs/architecture.md
Expand Up @@ -137,13 +137,15 @@ Replay modes:

`agentk trace-inspect` is the human review path. It verifies the hash chain, summarizes signature status, groups blocked events by policy rule, groups boundary events by syscall and evidence-ref type, and prints one compact row per event. Known hash evidence refs such as `args_sha256`, `descriptor_sha256`, and `response_sha256` are preserved. Any raw input ref is replaced with a fresh `input_sha256` ref in the inspection report.

Blocked MCP tool, resource, and prompt responses also carry compact `denial` summaries at the response boundary. Those summaries surface verdict, policy rule, reason, syscall, target, and any missing capability without requiring reviewers to dig through the full nested event body.

`agentk replay` records deterministic `stub_output_sha256` evidence refs for allowed `model.call`, `tool.invoke`, and `network.send` events. Blocked side effects stay blocked, do not get stub outputs, and are summarized by policy rule.

`agentk fork-replay` compares the recorded log against another policy and reports both per-event changes and transition counts such as `deny:rule->allow:rule`. This makes policy drift reviewable without manually counting every changed event.

`agentk fork-replay-behavior` accepts a JSON array of changed hashed output refs and emits a divergence report. Overrides are bound to the recorded step, syscall, and target, and raw output strings are rejected.

`agentk release-audit` packages the local release ritual into one report. It runs readiness, git hygiene checks, formatting, tests, clippy, a fresh demo trace, signature verification with signer summaries, signer-pinning and trusted-signer manifest smoke coverage, brokered secret-handle, secret-reference validation, and secret-store availability smoke tests, MCP taint-flow, subprocess MCP boundary, lifecycle-redaction, initialize-guard, tool/resource/prompt shape guards, bad-response redaction, response-timeout, transport-close, mixed-interop, public interop transcript, resource subscription no-passthrough, pre-ready notification no-passthrough, notification-burst/flood, no-passthrough, config-guard, AgentK metadata-redaction, client-intent hashing, and invalid-client-param smoke tests, redacted inspect, replay blocked-rule summaries, fork replay decision summaries, behavior fork replay, and an MCP server smoke test. It does not configure remotes or push.
`agentk release-audit` packages the local release ritual into one report. It runs readiness, git hygiene checks, formatting, tests, clippy, a fresh demo trace, signature verification with signer summaries, signer-pinning and trusted-signer manifest smoke coverage, brokered secret-handle, secret-reference validation, and secret-store availability smoke tests, MCP taint-flow, subprocess MCP boundary, lifecycle-redaction, initialize-guard, tool/resource/prompt shape guards, bad-response redaction, response-timeout, transport-close, mixed-interop, public interop transcript, resource subscription no-passthrough, pre-ready notification no-passthrough, notification-burst/flood, no-passthrough, config-guard, AgentK metadata-redaction, client-intent hashing, invalid-client-param smoke tests, and denial-summary smoke tests, redacted inspect, replay blocked-rule summaries, fork replay decision summaries, behavior fork replay, and an MCP server smoke test. It does not configure remotes or push.

### MCP Proxy MVP

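Review bot: the new paragraph at the top of the hunk says the `denial` summary surfaces `reason` and `target` at the response boundary, but does not say whether those are raw strings or hashed evidence refs. The surrounding text is explicit that raw input refs are replaced with `input_sha256`, that fork-replay-behavior rejects raw output strings, and that client intent and AgentK metadata are redacted, so a summary that echoed a downstream-supplied target or a reason assembled from blocked output verbatim would expose text at exactly the boundary the proxy is meant to redact. State that the summary is derived from the policy decision only (rule, verdict, missing capability) and that `target` and `reason` go through the same redaction or hashing as the nested event body, and list the JSON key names so reviewers and tooling can match them against a real blocked response. In the replaced `agentk release-audit` sentence, "invalid-client-param smoke tests, and denial-summary smoke tests" repeats "smoke tests" inside one list item; "client-intent hashing, invalid-client-param, and denial-summary smoke tests" reads cleaner and matches how the rest of that sub-list is written.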
3 changes: 3 additions & 0 deletions docs/roadmap.md
Expand Up @@ -99,6 +99,8 @@ Status: in progress.
- [x] Hash client-provided AgentK intent metadata in subprocess MCP evidence.
- [x] Reject empty subprocess MCP tool, resource, and prompt identifiers before
forwarding.
- [x] Surface compact denial summaries in blocked MCP tool/resource/prompt
responses.
- [x] Add an operator contract for subprocess MCP proxy boundaries.
- [x] Default-deny unsupported subprocess MCP request methods instead of generic passthrough.
- [x] Add release-audit smoke coverage for unsupported subprocess MCP no-passthrough.
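Review bot: the new item "Surface compact denial summaries in blocked MCP tool/resource/prompt responses." is checked, but the sibling item "Add release-audit smoke coverage for unsupported subprocess MCP no-passthrough." tracks smoke coverage as a separate checkbox, and the docs/architecture.md hunk in this PR adds denial-summary smoke tests to `agentk release-audit`. Add a matching "[x] Add release-audit smoke coverage for denial summaries." line, or fold the coverage into this item's wording, so the roadmap and the audit list stay in step.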
Expand Down Expand Up @@ -133,6 +135,7 @@ Status: in progress.
- [x] Record stub outputs for model/tool/network syscalls.
- [x] Summarize blocked policy rules in deterministic replay output.
- [x] Summarize decision transitions in fork replay output.
- [x] Surface blocked MCP denial details directly at the response boundary.
- [x] Fork replay with changed model/tool behavior.
- [x] Emit divergence reports.

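Review bot: "Surface blocked MCP denial details directly at the response boundary." duplicates the item added in the earlier hunk of this file ("Surface compact denial summaries in blocked MCP tool/resource/prompt responses."); the same feature now appears under two sections with different wording, which is how checklist entries drift apart. The surrounding items here are about replay and fork-replay output, so if this line is meant to cover the replay/inspect side, say so (e.g. "Summarize blocked MCP denial details in replay and inspect output"); otherwise keep only the earlier entry.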