# Boundary & Risk Card

Project: upstash/context7

## Doramagic Trial Decision

Current decision: ready for pre-publication recommendation checks. First use should still start with least privilege, a temporary directory, and rollback.

## What The User Can Do Now

- Read the Human Manual first to understand purpose and main workflows.
- Copy the Prompt Preview for a pre-install trial. This checks interaction feel, not real execution.
- Test the official Quick Start command in an isolated environment before using a primary machine.

## What Not To Do Yet

- Do not treat Prompt Preview output as an actual project run.
- Do not treat metadata-only validation as sandbox install validation.
- Do not write unverified capabilities as supported, tested, or safe to install.
- Do not provide production data, private files, real secrets, or primary configuration directories on first use.

## Pre-install Checklist

- Host AI match: mcp_host
- Official install entry state: official entry found
- Verification location: temporary directory, temporary host, or container required
- Rollback readiness: required
- API keys, network access, file writes, or host configuration changes: treat as high risk until confirmed
- Install command, actual output, and failure logs: must be recorded

## Current Blockers

- No blockers.

## Project-specific Pitfalls

- Security or permission risk requires verification (high): Developers may expose sensitive permissions or credentials: [Bug]: OAuth metadata issuer mismatch for MCP OAuth endpoint Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: [Bug]: OAuth metadata issuer mismatch for MCP OAuth endpoint. Context: Source discussion did not expose a precise runtime context.
- Installation risk requires verification (medium): Upgrade or migration may change expected behavior: @upstash/context7-pi@0.1.0 Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: @upstash/context7-pi@0.1.0. Context: Observed when using node
- Installation risk requires verification (medium): Developers may fail before the first successful local run: Add tool to search by npm package name to skip the initial docs index search, makes MCP server faster Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: Add tool to search by npm package name to skip the initial docs index search, makes MCP server faster. Context: Observed when using node
- Installation risk requires verification (medium): Developers may fail before the first successful local run: [Feature Request] Local docs sync and numerous dx improvements Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: [Feature Request] Local docs sync and numerous dx improvements. Context: Observed during installation or first-run setup.
- Installation risk requires verification (medium): Developers may fail before the first successful local run: ctx7 setup --cli: downloadSkillFromGitHub missing Authorization header causes 403 Suggested check: Before packaging this project, run the relevant install/config/quickstart check for: ctx7 setup --cli: downloadSkillFromGitHub missing Authorization header causes 403. Context: Observed when using macos

## Risk And Permission Notes

- no_demo: medium

## Evidence Gaps

- No structured evidence gaps found.