fix(mcp): restore trust+isTrustedFolder permission check in getDefaultPermission#2642
Merged
Merged
Conversation
…tPermission The trust/isTrustedFolder logic was accidentally dropped during the permission system refactor in feat/support-permission (PR QwenLM#2283). Previously, shouldConfirmExecute() returned false (no confirmation) when both conditions were met: - MCP server config has trust: true - The workspace folder is trusted (isTrustedFolder()) The refactor replaced shouldConfirmExecute() with getDefaultPermission() but left out the trust check entirely, adding a comment claiming 'trust logic is now handled by PM rules' — however no PM rules were ever generated from the trust setting, making trust: true completely non-functional. This fix restores the original behavior: MCP tools from a trusted server (trust: true) auto-approve only when the workspace is also trusted, preserving the security gate that prevents trust settings from bypassing confirmation in untrusted folders.
huww98
requested review from
DennisYu07,
DragonnZhang,
LaZzyMan,
Mingholy,
gwinthis,
pomelo-nwu and
tanzhenxin
as code owners
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
TLDR
The
trust: truesetting on MCP servers stopped working in v0.13.0 after the permission system refactor (PR #2283). This PR restores the original behavior.Screenshots / Video Demo
Dive Deeper
Root Cause
PR #2283 (
feat/support-permission) refactored MCP tool confirmation from the oldshouldConfirmExecute()API to the newgetDefaultPermission()+getConfirmationDetails()split.The original
shouldConfirmExecute()had an explicit trust check:The refactored
getDefaultPermission()omitted this check entirely, leaving only a comment: "Note: trust/isTrustedFolder logic is now handled by PM rules". However, no PM rules were ever generated from thetrustsetting, makingtrust: truecompletely non-functional — the field is stored, passed through the entire config → mcp-client → DiscoveredMCPTool → Invocation chain, but never consulted during permission evaluation.Fix
Restore the original two-condition check in
getDefaultPermission():trust === trueon the MCP server configisTrustedFolder()on the workspace (security gate)Both conditions must be true, preserving the security invariant that
trustsettings (including user-level~/.qwen/settings.json) cannot bypass confirmation in untrusted workspaces.Reviewer Test Plan
Add to your project's
.qwen/settings.json(trusted workspace):{ "mcpServers": { "my-server": { "command": "...", "trust": true } } }MCP tools from
my-servershould now execute without a confirmation dialog. Before this fix they always prompted regardless of thetrustsetting.Testing Matrix
Linked issues / bugs
Related to #861
🤖 Generated with Qoder