allowlist / denylist of available mcp tools #527

@jzyinq

Description

I've been testing the mcp integration for a while now and I'm really digging it.

But, to make it more foolproof, the mcp configuration should have the ability to allow / deny certain tools from a given mcp server:

Let's take github server as an example:

❯ mods --mcp-list-tools
github > add_issue_comment
github > add_pull_request_review_comment_to_pending_review
github > assign_copilot_to_issue
github > create_and_submit_pull_request_review
github > create_branch
github > create_issue
github > create_or_update_file
github > create_pending_pull_request_review
github > create_pull_request
github > create_repository
github > delete_file
github > delete_pending_pull_request_review
github > dismiss_notification
github > fork_repository
github > get_code_scanning_alert
github > get_commit
github > get_file_contents
github > get_issue
github > get_issue_comments
github > get_me
github > get_notification_details
github > get_pull_request
github > get_pull_request_comments
github > get_pull_request_diff
github > get_pull_request_files
github > get_pull_request_reviews
github > get_pull_request_status
github > get_secret_scanning_alert
github > get_tag
github > list_branches
github > list_code_scanning_alerts
github > list_commits
github > list_issues
github > list_notifications
github > list_pull_requests
github > list_secret_scanning_alerts
github > list_tags
github > manage_notification_subscription
github > manage_repository_notification_subscription
github > mark_all_notifications_read
github > merge_pull_request
github > push_files
github > request_copilot_review
github > search_code
github > search_issues
github > search_repositories
github > search_users
github > submit_pending_pull_request_review
github > update_issue
github > update_pull_request
github > update_pull_request_branch

In the read-only version this integration is awesome and I can leave a terminal to do its job in the background, but many operations could make changes that I don't want to make by mistake.

So I propose to extend the existing configuration with something like this:

mcp-servers:
  github:
    command: docker
    args:
      - run
      - "-i"
      - "--rm"
      - "--env-file"
      - "/home/user/.mcp-github.env"
      - "ghcr.io/github/github-mcp-server"
    tools:
      allow: # this would be the easiest thing, just type allowed tools
        - get_issue
        - get_commit
        - get_tag
        - search_code
        - search_issues
      # to keep things simple, you can have either allow or deny in configuration
      deny: # and on the opposite side, exclude those potentially risky ones
        - update_issue
        - update_pull_request
        - mark_all_notifications_read
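One way the proposed allow/deny semantics could be enforced, as an added example in Go that is not part of mods: `ToolPolicy` and `FilterTools` are hypothetical names, the sample tool list is constructed from the github listing above, and the filter also reports policy entries that match no advertised tool, since a misspelled deny entry would otherwise silently leave a risky tool enabled.

```go
package main

import (
	"fmt"
	"sort"
)

// ToolPolicy mirrors the proposed `tools:` block (hypothetical type, not mods' own).
type ToolPolicy struct {
	Allow []string `yaml:"allow"`
	Deny  []string `yaml:"deny"`
}
// FilterTools returns the advertised tools the policy permits, plus policy entries
// that matched nothing: a typo in a deny list silently leaves a risky tool enabled,
// so callers should surface them. Allow and deny are mutually exclusive, per the proposal.
func FilterTools(advertised []string, p ToolPolicy) (kept, unmatched []string, err error) {
	if len(p.Allow) > 0 && len(p.Deny) > 0 {
		return nil, nil, fmt.Errorf("tools: specify either allow or deny, not both")
	}
	names, allowMode := p.Deny, false
	if len(p.Allow) > 0 {
		names, allowMode = p.Allow, true
	}
	listed := make(map[string]bool, len(names)) // value: seen among advertised tools
	for _, n := range names {
		listed[n] = false
	}
	for _, t := range advertised {
		_, inList := listed[t]
		if inList {
			listed[t] = true
		}
		if inList == allowMode { // allow keeps listed tools; deny keeps unlisted ones
			kept = append(kept, t)
		}
	}
	for n, seen := range listed {
		if !seen {
			unmatched = append(unmatched, n)
		}
	}
	sort.Strings(unmatched)
	return kept, unmatched, nil
}

func main() {
	adv := []string{"get_issue", "update_issue", "merge_pull_request", "search_code"} // constructed sample
	kept, missing, err := FilterTools(adv, ToolPolicy{Deny: []string{"update_issue", "merge_pul_request"}})
	fmt.Println(kept, missing, err) // [get_issue merge_pull_request search_code] [merge_pul_request] <nil>
}
```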
