[FEATURE] MCP Tool-Level Access Control for Agents

Resolved 💬 5 comments Opened Mar 5, 2026 by BeiKeJieDeLiuLangMao Closed May 25, 2026

MCP Tool-Level Access Control

Summary

Enable fine-grained access control for MCP tools at the tool level, not just server level.

Current State

# Agent frontmatter - mcpServers controls entire servers
mcpServers:
  - aone-mix     # ALL tools in this server are accessible
  - code
  - sls-mcp

Problem: When an agent needs aone-mix, it gets access to all 20+ tools including sensitive operations like close_change_request, submit_cr_to_pre_intg, etc.

Proposed Solution

Option A: Whitelist Mode (Recommended)

---
mcpServers:
  - aone-mix

allowedTools:
  aone-mix:
    - get_change_request_by_branch
    - create_change_request
    - create_mix_flow_inst
    - get_mix_flow_inst_detail
  code:
    - get_single_file
    - list_repo_files
---

Option B: Blacklist Mode

---
mcpServers:
  - aone-mix

excludedTools:
  aone-mix:
    - close_change_request
    - submit_cr_to_pre_intg
    - switchOwner
---

Option C: settings.local.json Global Config

{
  "mcpToolFilters": {
    "aone-mix": {
      "allowed": ["get_change_request_by_branch", "create_change_request"],
      "blocked": ["close_change_request", "submit_cr_to_pre_intg"]
    }
  }
}

Use Cases

  1. Deploy Agent: Should create/monitor pipelines but NOT close change requests
  2. Explorer Agent: Should read code but NOT push commits or create MRs
  3. Production Safety: Prevent accidental production operations in dev environments

Priority

High - Security and safety concern for multi-agent systems

Related

  • Issue #7328: "[FEATURE] MCP Tool Filtering: Allow Selective Enable/..." (if exists)

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗