refactor(tool-search): consolidate MCP metadata tag and harden deferred-tool setup (#3370)

Follow-up to #3342 (deferred MCP tool loading). Maintainability cleanup plus
hardening of malformed/empty tool_search queries; no change to the deferral
mechanism or search ranking.

- Add deerflow/tools/mcp_metadata.py as the single source of truth for the
  "deerflow_mcp" tag (MCP_TOOL_METADATA_KEY + tag_mcp_tool + public
  is_mcp_tool). Removes the duplicated magic string and the private,
  cross-module _is_mcp_tool import.
- tool_search.search: never raise on model-generated input. Extract
  _compile_catalog_regex (shared compile-with-literal-fallback); return empty
  for empty/whitespace queries and a bare "+" instead of matching everything
  or raising IndexError.
- DeferredToolSetup: document the empty-vs-populated invariant.
- build_deferred_tool_setup: comment the two distinct empty-return branches.
- _assemble_deferred: add return type, rename local to deferred_setup, build
  the final list with an explicit append.
- Tests: use tag_mcp_tool instead of per-file tag helpers; cover empty and
  bare-"+" queries.

backend/tests/test_deferred_catalog.py

@@ -54,6 +54,23 @@ def test_search_invalid_regex_falls_back_to_literal():
     assert cat.search("zzz(") == []
 
 
+def test_search_empty_query_returns_empty(catalog):
+    # An empty / whitespace-only query is meaningless; rather than let the empty
+    # regex match every tool, search() returns nothing so the model gets a clear
+    # "no match" signal and re-queries instead of acting on noise.
+    assert catalog.search("") == []
+    assert catalog.search("   ") == []
+
+
+def test_search_bare_plus_returns_empty(catalog):
+    # A "+" prefix with no required token is malformed model input. It must
+    # return no matches, not raise IndexError on parts[0]. " + " strips to "+",
+    # so it routes here too and must be handled the same way.
+    assert catalog.search("+") == []
+    assert catalog.search(" + ") == []
+    assert catalog.search("+   ") == []
+
+
 def test_hash_stable_across_instances():
     c1 = DeferredToolCatalog((alpha_search, beta_translate))
     c2 = DeferredToolCatalog((beta_translate, alpha_search))

backend/tests/test_deferred_promotion_integration.py

@@ -20,6 +20,7 @@ from langchain_core.tools import tool as as_tool
 from deerflow.agents.middlewares.deferred_tool_filter_middleware import DeferredToolFilterMiddleware
 from deerflow.agents.thread_state import ThreadState
 from deerflow.tools.builtins.tool_search import build_deferred_tool_setup
+from deerflow.tools.mcp_metadata import tag_mcp_tool
 
 
 @as_tool
@@ -40,11 +41,6 @@ def mcp_other(x: str) -> str:
     return x
 
 
-def _tag(t):
-    t.metadata = {**(t.metadata or {}), "deerflow_mcp": True}
-    return t
-
-
 def test_tool_search_promotes_into_next_turn():
     bound: list[list[str]] = []
 
@@ -53,7 +49,7 @@ def test_tool_search_promotes_into_next_turn():
             bound.append([getattr(t, "name", None) for t in tools])
             return self
 
-    setup = build_deferred_tool_setup([active_tool, _tag(mcp_calc), _tag(mcp_other)], enabled=True)
+    setup = build_deferred_tool_setup([active_tool, tag_mcp_tool(mcp_calc), tag_mcp_tool(mcp_other)], enabled=True)
     turn1 = AIMessage(content="", tool_calls=[{"name": "tool_search", "args": {"query": "select:mcp_calc"}, "id": "c1", "type": "tool_call"}])
     turn2 = AIMessage(content="done")
     model = RecordingModel(messages=iter([turn1, turn2]))

backend/tests/test_deferred_setup.py

@@ -1,7 +1,8 @@
 from langchain_core.tools import tool as as_tool
 from langgraph.types import Command
 
-from deerflow.tools.builtins.tool_search import DeferredToolCatalog, _is_mcp_tool, build_deferred_tool_setup, build_tool_search_tool
+from deerflow.tools.builtins.tool_search import DeferredToolCatalog, build_deferred_tool_setup, build_tool_search_tool
+from deerflow.tools.mcp_metadata import is_mcp_tool, tag_mcp_tool
 
 
 @as_tool
@@ -16,18 +17,13 @@ def local_echo(text: str) -> str:
     return text
 
 
-def _tag_mcp(t):
-    t.metadata = {**(t.metadata or {}), "deerflow_mcp": True}
-    return t
-
-
 def test_is_mcp_tool_reads_metadata():
-    assert _is_mcp_tool(_tag_mcp(mcp_calc)) is True
-    assert _is_mcp_tool(local_echo) is False
+    assert is_mcp_tool(tag_mcp_tool(mcp_calc)) is True
+    assert is_mcp_tool(local_echo) is False
 
 
 def test_setup_disabled_returns_empty():
-    setup = build_deferred_tool_setup([_tag_mcp(mcp_calc), local_echo], enabled=False)
+    setup = build_deferred_tool_setup([tag_mcp_tool(mcp_calc), local_echo], enabled=False)
     assert setup.tool_search_tool is None
     assert setup.deferred_names == frozenset()
     assert setup.catalog_hash is None
@@ -40,7 +36,7 @@ def test_setup_no_mcp_returns_empty():
 
 
 def test_setup_builds_from_mcp_survivors():
-    setup = build_deferred_tool_setup([_tag_mcp(mcp_calc), local_echo], enabled=True)
+    setup = build_deferred_tool_setup([tag_mcp_tool(mcp_calc), local_echo], enabled=True)
     assert setup.deferred_names == frozenset({"mcp_calc"})
     assert setup.tool_search_tool is not None
     assert setup.tool_search_tool.name == "tool_search"

backend/tests/test_deferred_tool_crosscontext.py

@@ -23,6 +23,7 @@ from deerflow.agents.middlewares.deferred_tool_filter_middleware import Deferred
 from deerflow.skills.tool_policy import filter_tools_by_skill_allowed_tools
 from deerflow.skills.types import Skill
 from deerflow.tools.builtins.tool_search import DeferredToolSetup, build_deferred_tool_setup
+from deerflow.tools.mcp_metadata import tag_mcp_tool
 
 
 @as_tool
@@ -37,11 +38,6 @@ def mcp_secret(x: str) -> str:
     return x
 
 
-def _tag(t):
-    t.metadata = {**(t.metadata or {}), "deerflow_mcp": True}
-    return t
-
-
 _BOUND: list[list[str]] = []
 
 
@@ -52,7 +48,7 @@ class _RecordingModel(GenericFakeChatModel):
 
 
 def _build_graph():
-    filtered = [active_tool, _tag(mcp_secret)]
+    filtered = [active_tool, tag_mcp_tool(mcp_secret)]
     setup = build_deferred_tool_setup(filtered, enabled=True)
     final = [*filtered, setup.tool_search_tool]
     model = _RecordingModel(messages=iter([AIMessage(content="done")] * 4))
@@ -107,18 +103,18 @@ def test_fail_closed_when_mcp_survives_without_setup(monkeypatch):
         lambda tools, *, enabled: DeferredToolSetup(None, frozenset(), None),
     )
     with pytest.raises(RuntimeError, match="fail-closed"):
-        agentmod._assemble_deferred([_tag(mcp_secret)], enabled=True)
+        agentmod._assemble_deferred([tag_mcp_tool(mcp_secret)], enabled=True)
 
 
 def test_subagent_reentry_does_not_touch_lead_state():
     """#2884: building a second (subagent) setup must not affect the lead's
     middleware. With no shared registry/ContextVar, the lead middleware depends
     only on its own deferred_names + the passed state."""
-    lead_setup = build_deferred_tool_setup([active_tool, _tag(mcp_secret)], enabled=True)
+    lead_setup = build_deferred_tool_setup([active_tool, tag_mcp_tool(mcp_secret)], enabled=True)
     mw = DeferredToolFilterMiddleware(lead_setup.deferred_names, lead_setup.catalog_hash)
 
     # Simulate a subagent build re-entering tool assembly with its own setup.
-    _ = build_deferred_tool_setup([_tag(mcp_secret)], enabled=True)
+    _ = build_deferred_tool_setup([tag_mcp_tool(mcp_secret)], enabled=True)
 
     class _Req:
         def __init__(self):
@@ -154,7 +150,7 @@ def test_policy_denied_mcp_yields_no_tool_search_end_to_end():
     tool_search (and does not fail-closed, because no MCP tool leaked through)."""
     from deerflow.agents.lead_agent import agent as agentmod
 
-    filtered = filter_tools_by_skill_allowed_tools([active_tool, _tag(mcp_secret)], [_make_skill(["active_tool"])])
+    filtered = filter_tools_by_skill_allowed_tools([active_tool, tag_mcp_tool(mcp_secret)], [_make_skill(["active_tool"])])
     final_tools, setup = agentmod._assemble_deferred(filtered, enabled=True)
 
     assert [t.name for t in final_tools] == ["active_tool"]
@@ -174,7 +170,7 @@ def test_tool_search_appended_after_policy_but_never_exposes_denied_tool():
     from deerflow.agents.lead_agent import agent as agentmod
 
     allowed = ["active_tool", "mcp_secret"]  # permits the MCP tool, does NOT list tool_search
-    filtered = filter_tools_by_skill_allowed_tools([active_tool, _tag(mcp_secret)], [_make_skill(allowed)])
+    filtered = filter_tools_by_skill_allowed_tools([active_tool, tag_mcp_tool(mcp_secret)], [_make_skill(allowed)])
     final_tools, setup = agentmod._assemble_deferred(filtered, enabled=True)
 
     names = {t.name for t in final_tools}