QwenLM
diff --git a/‎integration-tests/cli/qwen-serve-routes.test.ts‎
Lines changed: 1 addition & 0 deletions b/‎integration-tests/cli/qwen-serve-routes.test.ts‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎packages/cli/src/serve/capabilities.ts‎
Lines changed: 8 additions & 0 deletions b/‎packages/cli/src/serve/capabilities.ts‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎packages/cli/src/serve/httpAcpBridge.test.ts‎
Lines changed: 121 additions & 0 deletions b/‎packages/cli/src/serve/httpAcpBridge.test.ts‎
Lines changed: 121 additions & 0 deletions
diff --git a/‎packages/cli/src/serve/httpAcpBridge.ts‎
Lines changed: 92 additions & 6 deletions b/‎packages/cli/src/serve/httpAcpBridge.ts‎
Lines changed: 92 additions & 6 deletions
diff --git a/‎packages/cli/src/serve/runQwenServe.ts‎
Lines changed: 20 additions & 0 deletions b/‎packages/cli/src/serve/runQwenServe.ts‎
Lines changed: 20 additions & 0 deletions
@@ -225,6 +225,7 @@ describe('qwen serve — capabilities envelope', () => {
       'workspace_file_read',
       // #4175 Wave 4 PR 17.
       'session_approval_mode_control',
+      'workspace_tool_toggle',
     ]);
   });
 });
 
@@ -115,6 +115,14 @@ export const SERVE_CAPABILITY_REGISTRY = {
   // settings via the daemon's `loadedSettings` handle. SDK helper:
   // `DaemonClient.setSessionApprovalMode`.
   session_approval_mode_control: { since: 'v1' },
+  // #4175 Wave 4 PR 17. `POST /workspace/tools/:name/enable` toggles a
+  // tool name in the workspace's `tools.disabled` settings list. The
+  // bridge writes the settings file directly (no ACP roundtrip) and
+  // fan-outs a `tool_toggled` event to all live session SSE buses.
+  // Already-registered tools in active sessions are NOT retroactively
+  // unregistered — the toggle takes effect on the next ACP child spawn
+  // (`tools.disabled` is consulted at `Config` construction time).
+  workspace_tool_toggle: { since: 'v1' },
   // Issue #4175 PR 15. Daemon was booted with `--require-auth` (or
   // `requireAuth: true`), so even loopback callers must carry a bearer
   // token. Advertised CONDITIONALLY — only when the flag is on — so
 
@@ -4278,6 +4278,127 @@ describe('createHttpAcpBridge', () => {
     });
   });
 
+  describe('setWorkspaceToolEnabled (#4175 Wave 4 PR 17)', () => {
+    it('throws when no persistDisabledTools callback is wired', async () => {
+      const bridge = makeBridge();
+      await expect(
+        bridge.setWorkspaceToolEnabled('Bash', false, undefined),
+      ).rejects.toThrow(/persistDisabledTools/);
+    });
+
+    it('invokes the persist callback with the workspace + name + enabled flag', async () => {
+      const calls: Array<{
+        workspace: string;
+        toolName: string;
+        enabled: boolean;
+      }> = [];
+      const bridge = makeBridge({
+        persistDisabledTools: async (workspace, toolName, enabled) => {
+          calls.push({ workspace, toolName, enabled });
+        },
+      });
+      const result = await bridge.setWorkspaceToolEnabled(
+        'Bash',
+        false,
+        undefined,
+      );
+      expect(result).toEqual({ toolName: 'Bash', enabled: false });
+      expect(calls).toEqual([
+        { workspace: WS_A, toolName: 'Bash', enabled: false },
+      ]);
+    });
+
+    it('does NOT spawn an ACP child even when called repeatedly', async () => {
+      let factoryCalls = 0;
+      const bridge = makeBridge({
+        channelFactory: async () => {
+          factoryCalls += 1;
+          throw new Error('channel factory should not be invoked');
+        },
+        persistDisabledTools: async () => {},
+      });
+      await bridge.setWorkspaceToolEnabled('Bash', false, undefined);
+      await bridge.setWorkspaceToolEnabled('Read', true, undefined);
+      expect(factoryCalls).toBe(0);
+    });
+
+    it('fan-outs tool_toggled events to every live session bus', async () => {
+      const factory: ChannelFactory = async () => {
+        const { clientStream, agentStream } = createInMemoryChannel();
+        new AgentSideConnection(() => new FakeAgent() as Agent, agentStream);
+        return {
+          stream: clientStream,
+          exited: new Promise<
+            | { exitCode: number | null; signalCode: NodeJS.Signals | null }
+            | undefined
+          >(() => {}),
+          kill: async () => {},
+          killSync: () => {},
+        };
+      };
+      const bridge = makeBridge({
+        channelFactory: factory,
+        persistDisabledTools: async () => {},
+      });
+      // Two thread-scope sessions on the same workspace, so both
+      // entries live in the byId map and both should observe the
+      // workspace-scoped fan-out.
+      const a = await bridge.spawnOrAttach({
+        workspaceCwd: WS_A,
+        sessionScope: 'thread',
+      });
+      const b = await bridge.spawnOrAttach({
+        workspaceCwd: WS_A,
+        sessionScope: 'thread',
+      });
+      const aborts = [new AbortController(), new AbortController()];
+      const itA = bridge
+        .subscribeEvents(a.sessionId, { signal: aborts[0]!.signal })
+        [Symbol.asyncIterator]();
+      const itB = bridge
+        .subscribeEvents(b.sessionId, { signal: aborts[1]!.signal })
+        [Symbol.asyncIterator]();
+      await bridge.setWorkspaceToolEnabled('Bash', false, undefined);
+      const [evA, evB] = await Promise.all([itA.next(), itB.next()]);
+      expect(evA.value?.type).toBe('tool_toggled');
+      expect(evB.value?.type).toBe('tool_toggled');
+      expect(evA.value?.data).toEqual({ toolName: 'Bash', enabled: false });
+      expect(evB.value?.data).toEqual({ toolName: 'Bash', enabled: false });
+      aborts.forEach((a) => a.abort());
+      await bridge.shutdown();
+    });
+
+    it('stamps tool_toggled with the originator clientId when supplied', async () => {
+      const factory: ChannelFactory = async () => {
+        const { clientStream, agentStream } = createInMemoryChannel();
+        new AgentSideConnection(() => new FakeAgent() as Agent, agentStream);
+        return {
+          stream: clientStream,
+          exited: new Promise<
+            | { exitCode: number | null; signalCode: NodeJS.Signals | null }
+            | undefined
+          >(() => {}),
+          kill: async () => {},
+          killSync: () => {},
+        };
+      };
+      const bridge = makeBridge({
+        channelFactory: factory,
+        persistDisabledTools: async () => {},
+      });
+      const session = await bridge.spawnOrAttach({ workspaceCwd: WS_A });
+      const abort = new AbortController();
+      const it = bridge
+        .subscribeEvents(session.sessionId, { signal: abort.signal })
+        [Symbol.asyncIterator]();
+      await bridge.setWorkspaceToolEnabled('Bash', false, session.clientId);
+      const next = await it.next();
+      expect(next.value?.originatorClientId).toBe(session.clientId);
+      abort.abort();
+      await bridge.shutdown();
+    });
+  });
+
   describe('subscribeEvents', () => {
     it('throws SessionNotFoundError for unknown session ids', () => {
       const bridge = makeBridge({
 
@@ -44,12 +44,8 @@ import {
   type ServeWorkspaceSkillsStatus,
 } from './status.js';
 import { buildEnvStatusFromProcess } from './envSnapshot.js';
-import type {
-  ApprovalMode} from '@qwen-code/qwen-code-core';
-import {
-  TrustGateError,
-  canUseRipgrep,
-} from '@qwen-code/qwen-code-core';
+import type { ApprovalMode } from '@qwen-code/qwen-code-core';
+import { TrustGateError, canUseRipgrep } from '@qwen-code/qwen-code-core';
 import { getGitVersion, getNpmVersion } from '../utils/systemInfo.js';
 import type {
   CancelNotification,
@@ -462,6 +458,30 @@ export interface HttpAcpBridge {
     persisted: boolean;
   }>;
 
+  /**
+   * Add or remove a tool name from the workspace's `tools.disabled`
+   * settings list and fan-out a `tool_toggled` event to every live
+   * session SSE bus. Does NOT consult the ACP child — settings are
+   * file IO the daemon owns directly. Already-registered tools in
+   * active sessions stay registered until the next ACP child spawn
+   * (`tools.disabled` is consulted at `Config` construction time, so
+   * the toggle takes effect on the next workspace-wide refresh).
+   *
+   * Unknown tool names are accepted: the daemon has no authoritative
+   * tool registry to validate against (built-ins live inside the ACP
+   * child, MCP tools are discovered post-spawn). Pre-disabling a
+   * not-yet-installed MCP tool is a legitimate use case.
+   *
+   * Throws when the daemon was constructed without a
+   * `persistDisabledTools` callback — direct embeds / tests must opt
+   * in to write semantics.
+   */
+  setWorkspaceToolEnabled(
+    toolName: string,
+    enabled: boolean,
+    originatorClientId: string | undefined,
+  ): Promise<{ toolName: string; enabled: boolean }>;
+
   /**
    * Kill the agent process for the session and remove it from the maps.
    * Used by the HTTP route layer to reap orphans created when a client
@@ -848,6 +868,23 @@ export interface BridgeOptions {
     boundWorkspace: string,
     mode: ApprovalMode,
   ) => Promise<void>;
+  /**
+   * #4175 Wave 4 PR 17 — optional callback for mutating
+   * `tools.disabled` in workspace settings. Invoked by
+   * `setWorkspaceToolEnabled` to add (`enabled: false`) or remove
+   * (`enabled: true`) `toolName` from the persisted disabled set.
+   * The default `runQwenServe` wires this to a fresh
+   * `loadSettings(boundWorkspace)` per call so concurrent edits from
+   * other writers (CLI, another daemon, an editor) are picked up.
+   * Bridge tests / embedded callers may omit it; without the hook
+   * `setWorkspaceToolEnabled` throws a clear error rather than
+   * silently dropping the write.
+   */
+  persistDisabledTools?: (
+    boundWorkspace: string,
+    toolName: string,
+    enabled: boolean,
+  ) => Promise<void>;
 }
 
 /**
@@ -1639,6 +1676,7 @@ export function createHttpAcpBridge(opts: BridgeOptions): HttpAcpBridge {
   }
   const boundWorkspace = opts.boundWorkspace;
   const persistApprovalMode = opts.persistApprovalMode;
+  const persistDisabledTools = opts.persistDisabledTools;
 
   // #3803 §02 single-workspace model: the bridge hosts AT MOST one
   // ATTACH-AVAILABLE channel and one default attach-target entry.
@@ -2421,6 +2459,32 @@ export function createHttpAcpBridge(opts: BridgeOptions): HttpAcpBridge {
     return response as unknown as T;
   };
 
+  /**
+   * Fan-out an event to every live session bus in the daemon. Used by
+   * workspace-scoped mutation routes (#4175 Wave 4 PR 17) — the
+   * `tool_toggled` and `mcp_server_restarted` events are not session-
+   * scoped, but every active SSE subscriber should still see them so
+   * cross-client UIs stay in sync. Errors from individual buses (e.g.
+   * already-closed) are swallowed — a single torn-down session must
+   * not block the broadcast to its peers.
+   *
+   * Named `broadcastWorkspaceEvent` to leave room for PR 16's
+   * forthcoming `publishWorkspaceEvent` — the post-merge fold-in
+   * collapses the two helpers (PR 21 #4255 follows the same naming
+   * convention to ease that consolidation).
+   */
+  const broadcastWorkspaceEvent = (
+    envelope: Omit<BridgeEvent, 'id' | 'v'>,
+  ): void => {
+    for (const entry of byId.values()) {
+      try {
+        entry.events.publish(envelope);
+      } catch {
+        /* bus closed for this session; skip */
+      }
+    }
+  };
+
   const createSessionEntry = (
     ci: ChannelInfo,
     sessionId: string,
@@ -3629,6 +3693,28 @@ export function createHttpAcpBridge(opts: BridgeOptions): HttpAcpBridge {
       };
     },
 
+    async setWorkspaceToolEnabled(toolName, enabled, originatorClientId) {
+      // #4175 Wave 4 PR 17. Pure file IO + event fan-out — no ACP
+      // roundtrip. The settings file is the source of truth; live
+      // sessions retain their already-registered tools until the next
+      // ACP child spawn (when `tools.disabled` is consulted at Config
+      // construction time).
+      if (!persistDisabledTools) {
+        throw new Error(
+          'setWorkspaceToolEnabled requires `persistDisabledTools` in ' +
+            'BridgeOptions; runQwenServe wires the production callback. ' +
+            'Direct embeds and tests must opt in.',
+        );
+      }
+      await persistDisabledTools(boundWorkspace, toolName, enabled);
+      broadcastWorkspaceEvent({
+        type: 'tool_toggled',
+        data: { toolName, enabled },
+        ...(originatorClientId ? { originatorClientId } : {}),
+      });
+      return { toolName, enabled };
+    },
+
     async killSession(sessionId, opts) {
       const entry = byId.get(sessionId);
       if (!entry) return;
 
@@ -288,6 +288,26 @@ export async function runQwenServe(
         const fresh = loadSettings(workspace);
         fresh.setValue(SettingScope.Workspace, 'tools.approvalMode', mode);
       },
+      // #4175 Wave 4 PR 17: `POST /workspace/tools/:name/enable` writes
+      // through this callback. Re-reads settings on each call (same
+      // freshness rationale as `persistApprovalMode`) and merges into
+      // the existing `tools.disabled` array — concurrent toggles from
+      // other writers stay safe across the read/modify/write window.
+      persistDisabledTools: async (workspace, toolName, enabled) => {
+        const fresh = loadSettings(workspace);
+        const merged = fresh.merged.tools?.disabled;
+        const current = Array.isArray(merged)
+          ? merged.filter((v): v is string => typeof v === 'string')
+          : [];
+        const next = new Set(current);
+        if (enabled) next.delete(toolName);
+        else next.add(toolName);
+        fresh.setValue(
+          SettingScope.Workspace,
+          'tools.disabled',
+          [...next].sort(),
+        );
+      },
     });
   let actualPort = opts.port;
   // Pass the already-canonical `boundWorkspace` into `createServeApp`