feat: Support parameter-level filtering for MCP tool permissions

Resolved 💬 2 comments Opened Jan 13, 2026 by bhosmer-ant Closed Feb 26, 2026

Summary

Users want to allow MCP tools with specific parameter constraints. For example:

  • Allow mcp__slack__send_message but only to specific channels
  • Allow mcp__github__create_issue but only in certain repos

Currently, MCP rules explicitly reject parentheses patterns with the error:

MCP rules do not support patterns in parentheses

Context

Why this is safer for MCP than Bash

MCP tool inputs are structured JSON, not arbitrary shell commands. There's no ls && rm -rf ~ bypass concern since params are discrete key-value pairs. The shell injection risks that apply to Bash(ls:*) don't apply to MCP param matching.

Potential syntax options

  1. Simple wildcards (consistent with Bash):

``
mcp__slack__send_message(channelId: "C09PZGUHU1M")
mcp__slack__send_message(channelId: "C09*")
``

  1. CEL expressions (as proposed in the Server-Side Tool Permissions API):

``
mcp__slack__send_message(expr: 'input.channelId in ["C123", "C456"]')
``

  1. JSON query syntax:

``
mcp__slack__send_message({"channelId": {"$in": ["C123", "C456"]}})
``

Implementation notes

  • The Bash permission system already has matchWildcardPattern() and bashPermissionRule() that could be adapted
  • Main changes needed in permissionValidation.ts (remove block) and MCP permission checking
  • Need to decide on syntax and handle nested params, type coercion

Workarounds (current)

  • Use a PreToolUse hook for custom validation
  • Create a wrapper MCP server that enforces constraints
  • Manually approve each call

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗