MCP tool blocking not working - agents can still see and access disabled tools

[SuperSonnix71]

MCP tool blocking not working - agents can still see and access disabled tools

Hey! I'm trying to disable specific MCP tools for an agent, but the agent can still see and try to use those tools even though they're disabled in the config.

What I tried

Agent configuration with MCP tool blocking:

{
  "agent": {
    "my-agent": {
      "model": "ollama/my-model",
      "tools": {
        "write": true,
        "edit": true,
        "bash": true,
        "mcp__my-server__*": false  // ← Trying to block all tools from an MCP server
      }
    }
  }
}

Expected behavior

The agent should NOT be able to see or access any MCP tools that are set to false.

Actual behavior

1. The model can still see all the MCP tools in its function list
2. The model tries to call these disabled tools
3. The model gets confused because it sees the tools but they're supposed to be disabled

Example output from model:

The only functions provided are the mcp__* ones. 
The instructions say they are disabled.
Given restrictions, we cannot perform the task.

The model is clearly seeing the MCP tools in its available functions list, even though they're configured as false.

Environment

• OpenCode version: Latest
• MCP servers: Multiple (both local and remote)
• Models: Ollama models via remote endpoint

Related

Found issue #1320 which mentioned disabled tools still being accessible, but it was closed. The tool blocking mechanism doesn't seem to work for MCP tools.

Expected vs Actual

Expected: Tool restrictions should completely hide the tools from the model's function list

Actual: MCP tools are visible to the model even when disabled, causing confusion and failed tool calls

Is this a known limitation? Any workaround?

Thanks!

[github-actions]

This issue might be a duplicate of existing issues. Please check:

• Bug: Disabling Tools in config is not respected #1320: Similar tool blocking issue where disabled tools were still accessible (closed but may not be fully resolved)
• [FEATURE]: Option to deny MCP tools by default #3612: Feature request about denying MCP tools by default, mentions similar MCP tool blocking pattern not working
• Ability to restrict MCP tool use to subagent only #2277: Request for ability to restrict MCP tool usage, mentions permissions don't work for MCP tools like they do for builtin tools

Feel free to ignore if none of these address your specific case.

[rekram1-node]

@SuperSonnix71 can you run: opencode debug config and show me the output?

[SuperSonnix71]

@rekram1-node Thanks for looking into this! Here's the relevant output from opencode debug config:

"agent": {
  "ollama": {
    "model": "ollama/qwen3:32b",
    "tools": {
      "write": true,
      "edit": true,
      "bash": true,
      "task": true,
      "mcp__serena__*": false
    }
  }
}

Despite setting "mcp__serena__*": false, the ollama agent still sees all the Serena MCP tools in its function list. The model tries to use them and gets confused because it sees them as available but they're supposed to be blocked.

I had to work around this by adding explicit instructions in the agent prompt telling it to ignore the Serena tools, but they're still showing up in the function list which wastes tokens.

According to the OpenCode MCP docs, the tools config should "prevent them from being available to the LLM" - meaning OpenCode itself should filter these tools out before exposing them to the model. This is an OpenCode-level filter, not something the model should handle.

The behavior is the same no matter which model is used - all models still see the disabled MCP tools in their function list.

[rekram1-node]

@SuperSonnix71 I need to see your mcp server definitions, that's why it'd be super helpful to see the entire dump.

My assumption is that the mcp server is called serena and that mcp__ prefix is causing the issue because it isn't part of the mcp server name.

All mcp tools are:

<mcp server name> + "_" + <tool name>

They don't have any special prefix

[SuperSonnix71]

@rekram1-node I tried changing it to "serena_*": false ... seems to be working. even though, the MCP shows as connected. it cannot see it...
But then again, you never know with Qwen3. it's so noisy and dumb in the quantized version. Its talking about Minecraft mcp ?
Don't ask me why..

[rekram1-node]

@SuperSonnix71 so there are 2 different things:

the sidebar showing you connected means opencode has a connection to that mcp server

the tools wildcard is saying which tools will be presented to the agent

[SuperSonnix71]

@rekram1-node Thanks for all your help! quick and detailed as an old developer likes it!

[rekram1-node]

Of course!