feat: Add an optional confirmation / risk level marker for individual tool actions

[leblancfg]

Related to #114, but at a different grain.

Is your feature request related to a problem? Please describe.
Let's imagine I have an API with two endpoints:

1. GET /users/: lists users
2. PUT /users/<id>: edits a user's attributes

I want my users to install a single MCP server to handle connections to my API, with multiple tools.

As a user, when I install this MCP server, my agent/chatbot app might ask for initial confirmation. This is all fine and good for the GET endpoint, but as a user I also want to manually be able to audit and approve any changes the agent decides to make to the PUT one.

Describe the solution you'd like
Add an optional per-action flag or marker, to indicate risk level of the action performed.

It would then be up to client implementations to handle what to do with this information.

For risky actions, the docs can prescribe that use in a chatbot setting would be to let the user confirm any actions taken.

Describe alternatives you've considered
I believe having a server-grain risk level is too high, as I imagine the standard will be to have multiple tool actions available within a single MCP server connection.

[tadasant]

I had a bit of a back and forth with @baxen in a Discord on a similar topic (also related to #114). Adds some color to what I think regarding your request here and may be useful for others so I'll transcribe the chat:

[baxen] Another topic i'm curious if anyone has discussed (i may have missed a github issue on this and would be happy to raise one) - how can we add tagging/annotations to tools and should there be any standards? The primiary one we are looking at right now is for "trust" - marking the difference between read only vs write (or maybe degrees of safety) to make it easier for users to configure preferences about what agents do with or without approval

[tadasant] At least somewhat relevant is this issue on "risk level" #114

My general thought would be that between server instructions + tool-by-tool nams/descriptions, the nature of LLM's being able to process free form input is such that it's not clear that we would need more structure, curious to see if that breaks down somewhere though

[baxen] yeah its a good point that the client may be able to assess risk
and also there is no security role of a feature like this, as you have to trust the agent implementation to decide to surface or not any confirmations
but in practice adding a risk assessment on each tool call is a major latency hit, and servers may have a fully algorithmic way to make those decisions

[tadasant] Leaving it to the client doesn't necessarily mean latency is inevitable -- the client can remember one time user decisions (mapped to a specific mcp server + tool combination) or even perform inference on some prompt from a user (e.g. "auto approve all read only actions") and then store the inference result (e.g. "all calls to mcp server X + tool Y will be read only, so we can automatically approve them). You could go so far as to run that inference at the time the server connection is instantiated and the tools are listed (and so never incur any latency at the time of the tool call)

[baxen] yup yup that makes sense. One of my favorite tools is also the scariest - running bash commands - where a regex or similar can make it easy to catch a whole class of problems that depend on the tool input and not just the tool itself
what you said is more or less exactly what we are building right now, but we don't currently have a solution that will let us auto approve "ls" while prompting for confirmation on "rm" unless we hard code some treatment for that tool into the agent

...

[tadasant] Ok circling back: are we still talking about adding annotations to tools here? Or some different solution? My impression is that tool annotations denoting read-only vs. write, etc, wouldn't actually solve your problem, because they would be annotations at the tool definition level and not something that gets annotated at tool runtime. So if the server is responsible for annotating rm xyz as a write operation in the context of an execute_command tool call, there's still no way to know that categorization without first doing a roundtrip to the server (so it can do its regex logic) - an extra trip before executing the tool call that doesn't really fit in the working model of MCP

To solve this case, I would propose that the shell server expose two tools: execute_read_only_command and execute_write_command. This way, the LLM managed by the client can make the judgment call as to whether the command argument it is passing in should be passed into the read_only or the write tool call. And then the server can do its own check in the read_only tool to verify that the command is actually read_only (to guard against the possibility that the LLM made a mistake), but it doesn't have to report back to the client (thus dodging that extra roundtrip) in the happy path case that the LLM didn't make a mistake.

I feel like this would be a generally useful feature (not specific to Goose as a client) that the implementer of the shell MCP server should consider exposing. They could of course make it configurable if they wanted to -- i.e. leave it up to the user setting up the MCP server whether to expose 1 tool to execute_command or 2 tools to execute_read_only_command and execute_write_command.

tl;dr I think it is on the server implementer to segregate out dangerous vs. non-dangerous tools so that the client can build its auto-approval UX at the well-defined scope of an entire tool definition

[baxen] nice I like that! I was indeed thinking about an extra round trip client to server but i like what you're suggesting here better, it doesn't complicate the tool calling

---

All to say, my suggestion for your case is that it is the client app's responsibility to process user approvals on a tool-definition-by-tool-definition basis. I don't think we should trust servers to approve themselves, either directly or indirectly.

Clients could implement something in their MCP server configs like:

{
  "mcpServers": {
    "gdrive": {
      "command": "node",
      "args": [
        "/Users/admin/github-projects/mcp-gdrive/dist/index.js"
      ],
      "alwaysApprove": ["readDocument"],
      "alwaysAsk": ["createNewDocument"]
    }
  }
}

It wouldn't have to be static -- the client could update that "config" at runtime as the user clicks UI buttons that indicate their level of approval for a server's tool definitions.

It is already in-bounds with the MCP spec to implement something like this. In theory it could be standardized as a best practice, but I think we should wait and see how apps do some implementations before trying to standardize.

[leblancfg]

It wouldn't have to be static -- the client could update that "config" at runtime

Yes 100% aligned with that.

standardized as a best practice

That's generally my goal here. If I install an MCP server from a trusted source, it would be handy for it to come with its own suggestions of what should be alwaysAsk, etc. But yes, ultimately it will always be up to client apps to implement as they so wish.

The idea is also to reduce toil. The use cases I have in mind are multi-tennant, likely pointing to dozens of MCP servers in the future. In the suggestion above, I could easily see it become a part-time job to keep up and decide what global defaults for the alwaysApprove and alwaysAsk sections – which IMO could be mostly avoided.

---

Furthermore, I can imagine a future where many API-driven services have the MCP server implementation simply being dynamically generated from an OpenAPI spec (with risk level e.g. inferred from HTTP verb and/or encoded as an endpoint tag).

This could make single edit updates possible:

1. the service team updates their API definition in a single location, e.g. adding a new DELETE route. It's tagged as alwaysAsk.
2. The OpenAPI spec updates on deploy
3. The MCP server dynamically generates a new tool action for it
4. The chatbot client automatically sets the new tool action default to alwaysAsk

No need for the service team to ALSO update the MCP server code, or go meddle with the chatbot's MCP server configs.

[tadasant]

I think the concept of a "hint" from the server in this context is a reasonable ask. Just a question of whether it's worth introducing that surface area into the spec and whether we have enough of a sense as to the final use cases to properly spec out the possibilities here.

A workaround idea in the meanwhile (which might be the preferable approach in many cases): have the client run inference on every newly available tool call's name/description. If you can trust the server, then an LLM should be able to tell you whether the new tool should be alwaysAsk, alwaysAllow, etc based on some preconfigured user preferences and store that result. So the end-user never has to be prompted with approval screens unnecessarily.