> At no point did we use tools/call or any command that could trigger actions, incur API usage costs, or alter data.

At this point I'm convinced it's not possible to predict this with MCP servers (or LLMs generally). You just don't know what it's definitively going to do when you poke it, even with a simple question like "What do you do?"