Add per-server and per-tool allowlists to the generic MCP bridge

[vaddisrinivas]

Problem

The generic MCP bridge exposes mcp_list_servers, mcp_list_tools, and mcp_call_tool. That is useful, but too broad for locked-down profile/runtime deployments because a model can potentially call any tool exposed by a configured server.

Generic use case

Profiles and managed deployments can expose a remote MCP server while allowing only specific tools, argument shapes, or risk classes. This supports safer MCP adoption without requiring one bespoke Rust wrapper per MCP tool.

Managed-runtime use case

A compiled runtime contract can declare exactly which MCP server/tool pairs are allowed. The runtime rejects undeclared MCP calls before network dispatch and can prove no raw write-capable MCP surface is visible.

Proposed shape

• Extend MCP server config with include/exclude lists or a policy callback.
• Enforce allowlists in mcp_list_tools and mcp_call_tool.
• Add denial messages that tell the model which server/tool pair was blocked.
• Include allowlist state in diagnostics.

Acceptance criteria

• Tests show hidden MCP tools are not listed.
• Tests show blocked MCP calls do not reach the remote client.
• Existing configs behave the same by default.
• Related to Feature Request : Global MCP tool registry - centralised discovery, versioning, and routing for all MCP tools across the swarm #1848 and Feature Request : Native context-mode MCP integration - context window protection, session continuity, and sandbox execution for all OpenHuman agents #1857, but scoped to enforcement/allowlisting for the current bridge.

Alignment

This helps OpenHuman MCP generally. It also keeps Composio and MCP complementary: Composio handles managed OAuth/provider breadth; MCP allowlists handle precise external tool exposure.

[CodeGhost21]

Looks like every acceptance criterion in this issue is already implemented on main via the merged PR #2139 (same author). Quick audit:

Item	Status	Where
Per-server allowed_tools / disallowed_tools config	✅	McpServerConfig (src/openhuman/config/schema/tools.rs)
mcp_list_tools filters hidden tools	✅	McpServerRegistry::list_tools → filter_allowed_tools (src/openhuman/mcp_client/registry.rs:118-123)
mcp_call_tool rejects before remote transport dispatch	✅	McpServerRegistry::call_tool checks is_tool_allowed before client.call_tool (registry.rs:126-143)
Denial message names server + tool	✅	"MCP tool \{tool}` is not allowed for server `{name}`"`
Allowlist state in mcp_list_servers diagnostics	✅	McpListServersTool::execute exposes allowed_tools / disallowed_tools in both the JSON payload and markdown (src/openhuman/tools/impl/network/mcp.rs:50-99)
Default behavior unchanged	✅	both lists default to Vec::new(); is_tool_allowed returns true when both are empty
Test: hidden tools not listed	✅	server_definition_filters_allowed_tools (registry.rs)
Test: blocked calls don't reach the remote client	✅	blocked before transport (registry.rs)

PR #2139 used Refs #2134 instead of Closes #2134, so GitHub didn't auto-close this on merge — but the work itself is in. Safe to close.

If a follow-up is wanted later, the natural extensions are argument-shape policies (mentioned in the original "Proposed shape") and a policy-callback hook — both would be new scope and probably belong in a fresh issue.