
fix(chat): built-in tools allowlist no longer filters user-configured MCP servers#41

Merged: mudler merged 3 commits into master from fix/builtin-tools-allowlist-scoping on Jul 1, 2026

Conversation

@localai-bot (Collaborator)

Summary

Fixes a bug diagnosed via live debugging: wiz's built-in-tools allowlist (cfg.Tools, used by nib-desktop to trim the prompt for small/CPU models to a fixed 9-tool set) was silently filtering out tools from every user-configured MCP server too — not just built-ins. A user could add a fully working remote MCP server (verified independently via curl and nib mcp test, returning 9 real tools), and none of them would ever reach the model, with no error shown anywhere — defeating the entire point of adding one.

  • types.Config.Tools → types.Config.BuiltinTools (clean rename, no deprecated alias — this field is young enough that a break is low-risk).
  • The MCP tool filter (cogito.WithMCPToolFilter) now bypasses the allowlist for any tool call arriving on a session sourced from Session.cfgClients (a user-configured MCP server), using the *mcp.ClientSession identity the filter callback already receives but previously discarded. Session-identity-based, not name-based, so a coincidentally-named built-in tool can't spoof a bypass.
  • Built-in host tools and the 10 self-config tools (add_mcp_server, list_mcp_servers, etc.) still respect the allowlist exactly as before — an explicit design decision confirmed during brainstorming ("we want to have a minimum set + the ones that the user configures via MCP"), not an oversight.
  • No general "restrict everything including MCP servers" lockdown filter was added — considered and explicitly rejected as unneeded complexity for this iteration.

Design spec: docs/superpowers/specs/2026-07-01-builtin-tools-allowlist-scoping.md (local-only, gitignored, not part of this diff)
Implementation plan: docs/superpowers/plans/2026-07-01-builtin-tools-allowlist-scoping.md (same)

This is phase 1 of 2. nib-desktop needs a mechanical 2-line follow-up (internal/agent/agent.go:130,155-156, the only file referencing the renamed field) once this merges and its github.com/mudler/nib dependency bumps — tracked as a separate piece of work, not part of this PR.

Test plan

  • go build ./..., go vet ./..., go test ./... all clean across every package
  • New unit tests directly exercise the filter's identity logic: a tool from a configured MCP server bypasses the allowlist regardless of name; a tool from a non-configured session still respects it; the allowlist-empty (default) case still exposes everything
  • Confirmed the new test would have failed against the pre-fix inline filter (func(_ *mcp.ClientSession, name string) bool { return s.toolEnabled(name) }), proving this closes the exact gap found during live debugging
  • All existing toolEnabled call sites outside the MCP filter (native tool gates, the 10-tool self-config loop) are untouched — TestSelfConfigToolDefinitionsCount still asserts exactly 10
  • Reviewer traced cogito's actual filter-invocation path (mcpToolsFromTransport → filter(session, tool.Name)) to confirm the session pointers genuinely match by identity, not just in the isolated unit test

🤖 Generated with Claude Code
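The session-identity bypass described in the summary, and the three cases the test plan lists, are small enough to model end to end. The following is an added illustration written for this page, not code from the nib, wiz or cogito repositories: clientSession stands in for *mcp.ClientSession (only its pointer identity is used), agentSession, toolEnabled, preFixFilter, mcpToolFilter, reconcile and verdicts are constructed names, and the allowlist and server names are made-up sample data. It also demonstrates the caveat from the second commit message: a filter that captures the configured-session set at build time goes stale once the sessions are reconciled, so it has to be rebuilt per turn.

```go
package main

import "fmt"

// clientSession is a hypothetical stand-in for *mcp.ClientSession. The filter
// compares it by pointer identity only, so its single field is incidental.
type clientSession struct{ server string }

// toolFilter has the shape of the callback the PR describes: the session a tool
// arrived on, the tool name, and a verdict on whether the model may see it.
type toolFilter func(session *clientSession, name string) bool

// agentSession is a constructed model of the state the filter consults.
type agentSession struct {
	builtinTools map[string]bool  // BuiltinTools allowlist; empty means "expose everything"
	cfgSessions  []*clientSession // sessions opened for user-configured MCP servers
}

// toolEnabled is the allowlist gate that built-in and self-config tools keep using.
func (s *agentSession) toolEnabled(name string) bool {
	if len(s.builtinTools) == 0 {
		return true
	}
	return s.builtinTools[name]
}

// preFixFilter reproduces the defect the PR fixes: the session argument is
// discarded, so the allowlist is applied to tools from every server alike.
func preFixFilter(s *agentSession) toolFilter {
	return func(_ *clientSession, name string) bool { return s.toolEnabled(name) }
}

// mcpToolFilter is the fixed shape: a tool arriving on a session that belongs to
// a user-configured server bypasses the allowlist. Membership is decided by
// pointer identity, never by name, so a built-in tool that happens to share a
// name with a configured server's tool still goes through toolEnabled. The set
// of configured sessions is captured when the filter is built, which is why the
// filter must be rebuilt each turn rather than cached (see verdicts below).
func mcpToolFilter(s *agentSession) toolFilter {
	configured := make(map[*clientSession]bool, len(s.cfgSessions))
	for _, cs := range s.cfgSessions {
		configured[cs] = true
	}
	return func(session *clientSession, name string) bool {
		if session != nil && configured[session] {
			return true
		}
		return s.toolEnabled(name)
	}
}

// reconcile stands in for re-creating MCP sessions: the old pointers are gone
// and the configured servers are now reached through new session objects.
func (s *agentSession) reconcile(replacement ...*clientSession) {
	s.cfgSessions = replacement
}

// verdicts runs the pre-fix behaviour, the test plan's three cases, the
// name-spoof case and the stale-filter case, keyed by case name.
func verdicts() map[string]bool {
	userServer := &clientSession{server: "user-remote"}  // constructed: a user-configured MCP server
	builtinHost := &clientSession{server: "builtin-host"} // constructed: the built-in host tools session
	s := &agentSession{
		builtinTools: map[string]bool{"read_file": true, "list_dir": true}, // constructed allowlist
		cfgSessions:  []*clientSession{userServer},
	}
	out := map[string]bool{}

	// Before the fix, the user server's "query_db" never reaches the model.
	out["prefix_drops_user_tool"] = preFixFilter(s)(userServer, "query_db")

	f := mcpToolFilter(s)
	// Configured session: exposed regardless of name.
	out["configured_session_bypasses"] = f(userServer, "query_db")
	// Same tool name on a non-configured session: the allowlist still applies,
	// so a coincidentally named built-in cannot spoof a bypass.
	out["nonconfigured_session_respects_allowlist"] = f(builtinHost, "query_db")
	out["nonconfigured_allowlisted_passes"] = f(builtinHost, "read_file")

	// After reconciliation the server is reached via a new session pointer. A
	// cached filter still holds the old set and wrongly denies the tool; a
	// filter rebuilt for this turn sees the new session.
	replacement := &clientSession{server: "user-remote"}
	s.reconcile(replacement)
	out["cached_filter_stale_after_reconcile"] = f(replacement, "query_db")
	out["rebuilt_filter_sees_new_session"] = mcpToolFilter(s)(replacement, "query_db")

	// Empty allowlist (the default): everything is exposed on any session.
	empty := &agentSession{}
	out["empty_allowlist_exposes_all"] = mcpToolFilter(empty)(builtinHost, "anything")
	return out
}

func main() {
	for name, ok := range verdicts() {
		fmt.Printf("%-42s %v\n", name, ok)
	}
}
```

Keying the bypass on the session pointer rather than the tool name is what keeps the allowlist meaningful for built-ins: the only way to be treated as user-configured is to arrive on a session the agent itself opened for a configured server.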

mudler and others added 3 commits July 1, 2026 21:10
Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
…ld invariant

Rename stale "Tools" allowlist references in comments to BuiltinTools
after the field rename, drop an orphaned SendMessage comment fragment,
and document that mcpToolFilter must be rebuilt per turn (never cached)
to avoid stale cfgSessions pointers after ReconcileMCPServers.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
mudler merged commit 941532a into master Jul 1, 2026
2 checks passed


2 participants