Feature Request: Add per-tool auto-approval for MCP servers #861
Description
What would you like to be added?
I would like to request a new feature that allows users to configure per-tool auto-approval rules for MCP (Model Context Protocol) servers. Currently, the trust: true setting applies to an entire MCP server, which can be a security risk if the server exposes both safe (e.g., read_*) and dangerous (e.g., write_*) tools.
A more granular configuration would allow users to specify patterns for tools that should be auto-approved, while requiring confirmation for others.
Why is this needed?
This feature is crucial for a secure and efficient workflow, especially when using MCP servers like the GitHub MCP server. A typical use case is:
- Auto-approve all read-only operations (e.g., read_file, list_branches, get_issue).
- Require confirmation for all write operations (e.g., create_pull_request, write_file, merge_branch).
This provides a balance between convenience and security, allowing users to streamline safe operations while maintaining control over potentially destructive actions.
Proposed Configuration
The new configuration could be added to the mcpServers section in settings.json:
```json
{
  "mcpServers": {
    "github": {
      "httpUrl": "http://localhost:8080/mcp",
      "autoApproveTools": ["read_*", "get_*", "list_*"],
      "requireConfirmationForTools": ["write_*", "delete_*", "create_*"]
    }
  }
}
```
Additional context
This feature would complement the existing trust and includeTools/excludeTools settings, providing a more nuanced layer of control over tool execution. It would be a significant quality-of-life improvement for users who rely heavily on MCP servers for their daily development tasks.
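
One way the proposed per-tool rules could be evaluated, as an added example that is not part of the original issue or the project's code. The precedence (confirmation patterns win over auto-approve patterns), the fallback to confirmation for unmatched tools, and the helper names `globToRegExp`, `matchesAny` and `decide` are assumptions; the issue does not define them.

```javascript
// Added illustration of the proposed settings, not the project's implementation.
// Assumptions: "*" is the only wildcard, requireConfirmationForTools takes
// precedence over autoApproveTools, and unmatched tools require confirmation.

// Constructed sample mirroring the settings.json entry proposed in the issue.
const settings = {
  mcpServers: {
    github: {
      httpUrl: "http://localhost:8080/mcp",
      autoApproveTools: ["read_*", "get_*", "list_*"],
      requireConfirmationForTools: ["write_*", "delete_*", "create_*"],
    },
  },
};

// Compile a glob into an anchored regex. All regex metacharacters are escaped
// first, so a pattern can never match more than its literal text plus "*".
function globToRegExp(glob) {
  const escaped = glob.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\\\*/g, ".*") + "$");
}

// True when the tool name matches at least one pattern in the list.
function matchesAny(patterns, toolName) {
  return (patterns ?? []).some((p) => globToRegExp(p).test(toolName));
}

// Returns "auto-approve" or "confirm" for a single tool call.
function decide(serverConfig, toolName) {
  // Malformed names never get auto-approved.
  if (typeof toolName !== "string" || toolName.length === 0) return "confirm";
  // Check the confirmation list first so an overlap resolves to the safer result.
  if (matchesAny(serverConfig.requireConfirmationForTools, toolName)) return "confirm";
  if (matchesAny(serverConfig.autoApproveTools, toolName)) return "auto-approve";
  // Fail closed: a tool the user never classified still prompts.
  return "confirm";
}

// Tool names taken from the issue's use case, plus one constructed near-miss.
const github = settings.mcpServers.github;
for (const tool of ["read_file", "create_pull_request", "merge_branch", "unread_file"]) {
  console.log(tool.padEnd(22), decide(github, tool));
}
```

With the proposed patterns, `merge_branch` matches neither list even though the issue names it as a write operation, so the outcome depends entirely on the fallback, which here is confirmation.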