
feat: add allow/block-list of servers to the mcp_catalog tool #2928

Merged. dgageot merged 8 commits into docker:main from dgageot:board/389ebaa46c454e0b, May 29, 2026

@dgageot dgageot commented May 29, 2026

The mcp_catalog builtin tool now supports allow-listing and block-listing of MCP servers. This lets agents enforce a curated set of available integrations and prevent access to specific servers—useful for compliance, security policies, or ensuring a focused set of tools in multi-agent deployments.

Configuration is straightforward: set allowed_servers (optional) to whitelist specific catalog server IDs, and blocked_servers (optional) to exclude them. Block-list takes precedence if a server appears in both. Filtering applies to all catalog operations: search, enable, and reset_auth. Empty or whitespace-only entries are rejected at validation time, and a warning is logged if a configuration references unknown server IDs, helping catch typos early.

An example configuration can be found in examples/mcp_catalog_filtered.yaml. All changes are backward compatible—existing configurations without these fields work unchanged.

@dgageot dgageot requested a review from a team as a code owner May 29, 2026 11:04

@docker-agent docker-agent left a comment

Assessment: 🟢 APPROVE

The allow/block-list filtering implementation for mcp_catalog is correct and well-structured. Core logic is sound: block-list takes precedence over allow-list, filtering runs at construction time (no shared-state mutation), unknown server IDs emit a warning at startup, and config validation rejects empty/whitespace entries. Wiring through registry.go and the schema update are both correct. All changes are backward compatible.

Low-severity observations (no action required, noted for awareness):

  • toIDSet nil-vs-empty-map contract (mcpcatalog.go:237): toIDSet(nil) returns nil while toIDSet([]string{" "}) returns a non-nil empty map. Callers gate on len(set) > 0 so observable behavior is identical today. Validation already rejects whitespace entries upstream, making this path unreachable in production—safe but subtly inconsistent.
  • TestSearchRespectsAllowList substring risk (mcpcatalog_test.go:324): The test verifies that searching for the dropped server's ID returns an error. If that ID becomes a substring of an allowed server's title or description as the embedded catalog evolves, the test could produce a false pass. Low risk given the test's controlled server IDs, but worth watching.
  • Noisy warnings for future-proofed block-lists (mcpcatalog.go:175): IDs in blocked_servers that don't exist in today's catalog generate a slog.Warn—intentional for catching typos, but could be noisy for operators who proactively block anticipated-future server IDs.
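
The precedence rules described in the PR description and review above, as an added Go example that is not the project's code. `filterCatalog` and the `server-*` IDs are hypothetical, and treating an empty allow-list as "no filter" is an assumption drawn from the review's `len(set) > 0` remark.

```go
package main

import (
	"fmt"
	"strings"
)

// filterCatalog (hypothetical helper) returns the catalog IDs left visible and
// the configured IDs that match nothing in the catalog (typo candidates).
func filterCatalog(catalog, allowed, blocked []string) (visible, unknown []string, err error) {
	known, seen := map[string]bool{}, map[string]bool{}
	for _, id := range catalog {
		known[id] = true
	}
	toSet := func(field string, ids []string) (map[string]bool, error) {
		set := map[string]bool{}
		for _, id := range ids {
			if strings.TrimSpace(id) == "" {
				return nil, fmt.Errorf("%s: empty or whitespace-only entry", field)
			}
			if !known[id] && !seen[id] {
				seen[id] = true
				unknown = append(unknown, id)
			}
			set[id] = true
		}
		return set, nil
	}
	allow, err := toSet("allowed_servers", allowed)
	if err != nil {
		return nil, nil, err
	}
	block, err := toSet("blocked_servers", blocked)
	if err != nil {
		return nil, nil, err
	}
	for _, id := range catalog {
		if block[id] || (len(allow) > 0 && !allow[id]) {
			continue // blocked IDs are dropped even when allow-listed
		}
		visible = append(visible, id)
	}
	return visible, unknown, nil
}

func main() {
	catalog := []string{"server-a", "server-b", "server-c"} // constructed IDs
	fmt.Println(filterCatalog(catalog, []string{"server-a", "server-b"}, []string{"server-b", "server-x"}))
}
```

With a non-empty allow-list, a blocked ID changes the result only when that ID is also allow-listed.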

@aheritier aheritier added area/mcp MCP protocol, MCP tool servers, integration kind/feat PR adds a new feature (maps to feat: commit prefix) labels May 29, 2026
- hugging-face
- gitmcp
# ...minus any explicitly blocked one (block wins over allow).
blocked_servers:

This is a bad example because blocked_servers doesn't do anything here since only the allowed ones are allowed

@dgageot dgageot merged commit c117fcc into docker:main May 29, 2026
9 checks passed