feat(security): per-tool audience gating for MCP servers #500
Merged
Conversation
Add McpServerToolGrants to ToolAudienceProfile for per-server tool allowlists that vary by audience. When a server has an entry in the grants dictionary, only listed tools are exposed to that audience. Composes with the existing AllowedMcpServers gate.
- Add McpServerToolGrants property to ToolAudienceProfile config
- Enforce per-tool check in ToolAccessPolicy.IsToolExposed and AuthorizeInvocation with deny reason mcp_tool_not_allowed_for_audience_profile
- Add IsMcpToolAllowed to ToolAudienceProfileResolver
- Log tool drift warnings in McpClientManager when discovered tools diverge from configured grants across audience profiles
- Add doctor advisory for MCP servers with no tool grants on any audience profile
- Update JSON schema with McpServerToolGrants property
Add ToolAudienceProfiles.GetAllProfiles() to avoid brittle manual enumeration of Public/Team/Personal in multiple callsites. Replaces inline array literals in LogToolDrift and FindUngatedMcpServers so new audience tiers are not silently missed. Also removes misleading null-conditional on non-nullable profile property in LogToolDrift.
Add tests for integration paths and edge cases missed in initial coverage: FilterExposedTools session hot path with EffectiveTrustContext, load_tool denial for blocked MCP tools, Public audience with grants, multi-server grant independence, and JSON config deserialization round-trip with end-to-end policy enforcement.
Add CLI and TUI modes for viewing and managing McpServerToolGrants:
- `netclaw mcp tools <server>` — displays discovered tools with
per-audience grant status table (✓ granted, ✱ all, - blocked)
- `netclaw mcp tools <server> --snapshot` — populates McpServerToolGrants
for all audiences that allow the server from currently discovered tools
- `netclaw mcp tools` (no args) — launches interactive Termina TUI with
server selection, tool checkboxes, audience cycling, and save to config
Supporting changes:
- Add McpClientManager.GetToolNames() and /api/mcp/tools/{name} endpoint
- Add DaemonApi.GetMcpToolNamesAsync() client method
- Wire TUI mode in Program.cs for bare `netclaw mcp tools` invocation
TUI improvements:
- Replace hidden Tab cycling with [◀ personal ▶] audience selector using left/right arrows, matching the channel wizard pattern
- Add Ctrl+Q quit from any state, Esc quit from server list
- Show proper footer hints with keyboard shortcuts
CLI improvements:
- Add --audience flag to filter list/snapshot to a specific audience
- Add --grant and --revoke flags for surgical per-audience tool edits
- Validate tool names against discovered tools before writing config
- Show targeted error when audience doesn't allow the server
- Show tools as unchecked only when server has explicit grant list, not when server is simply absent from grants dictionary
- Check server-level AllowedMcpServers gate before showing tool checkboxes — display "server not allowed" message for audiences that don't permit the server
- Use manual cursor rendering (channel wizard pattern) to preserve cursor position across toggles
- Add [A] toggle-all shortcut (select all / deselect all)
- Subscribe footer hints to state changes so they display correctly
- Match ToggleTool initializer to IsToolGranted semantics
- Add [E] key to toggle server access per audience (adds/removes from AllowedMcpServers), enabling operators to expose MCP servers to Team/Public audiences directly from the TUI
- When enabling a server for a new audience, start with empty tool grants so the operator explicitly selects which tools to expose
- Check server-level AllowedMcpServers gate in IsToolGranted to prevent tools showing as granted for audiences that don't allow the server
- Show [✓]/[ ] Server enabled indicator with [E] toggle hint
- Dim all tools when server is disabled for the selected audience
- Save both AllowedMcpServers and McpServerToolGrants changes on [S]
- Add [A] toggle-all shortcut
- netclaw-mcp: add per-tool audience filtering, search_tools/load_tool enforcement, and tool change detection logging requirements
- netclaw-acl: update tool and data grants requirement with per-tool MCP grant scenarios and deny reason codes
- netclaw-cli: add MCP tool permissions CLI, TUI, and doctor advisory requirements including server access toggle and secure-by-default
Summary
Add `McpServerToolGrants` to `ToolAudienceProfile` for per-server tool allowlists that vary by audience. When a server has an entry in the grants dictionary, only listed tools are exposed to that audience. Composes with the existing `AllowedMcpServers` gate. Backward-compatible — null/omitted grants means all tools exposed (current behavior). Closes feat: per-tool audience gating for MCP servers #490.
- Enforce per-tool check in `ToolAccessPolicy.IsToolExposed` and `AuthorizeInvocation` with deny reason `mcp_tool_not_allowed_for_audience_profile`
- Log tool drift warnings in `McpClientManager` when discovered tools diverge from configured grants
- `netclaw mcp tools <server>` CLI command showing per-audience grant status table
- `netclaw mcp tools <server> --snapshot` to baseline grants from discovered tools
- `netclaw mcp tools` TUI mode for interactive tool permission management
- `ToolAudienceProfiles.GetAllProfiles()` to centralize audience tier enumeration
Test plan
- `McpToolAudienceGrantsTests` covering all enforcement paths
- `ToolAudienceProfilesDoctorCheckTests` for grant advisory
- `netclaw mcp tools memorizer` displays grant table, `--snapshot` writes config correctly
- TUI mode (`netclaw mcp tools` with no args)
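Added example, not code from the PR or the netclaw project: a self-contained C# sketch of the gating semantics the summary describes, where the `AllowedMcpServers` gate composes with `McpServerToolGrants`, a server with no grants entry exposes all of its tools, a listed server exposes only the listed tools, and a drift check flags grants that name tools the server did not advertise. The class and method names, the server-level deny reason string, and the tool names are assumptions; only `memorizer` and `mcp_tool_not_allowed_for_audience_profile` come from the PR.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
// Hypothetical minimal model of an audience profile; property names mirror the PR's
// config keys, but this is not the project's own class.
public sealed class ToolAudienceProfile
{
    public string Name { get; set; } = "";
    public List<string> AllowedMcpServers { get; set; } = new();
    // null or omitted: every tool on an allowed server is exposed (pre-PR behaviour).
    public Dictionary<string, List<string>>? McpServerToolGrants { get; set; }
}

public static class ToolGatingDemo
{
    public const string DenyToolNotGranted = "mcp_tool_not_allowed_for_audience_profile";
    // Returns null when the call is allowed, otherwise a deny reason. The server gate
    // composes with the per-tool gate: both must pass.
    public static string? Authorize(ToolAudienceProfile p, string server, string tool)
    {
        if (!p.AllowedMcpServers.Contains(server))
            return "mcp_server_not_allowed"; // hypothetical reason for the server-level gate
        if (p.McpServerToolGrants is not null && p.McpServerToolGrants.TryGetValue(server, out var granted))
            return granted.Contains(tool) ? null : DenyToolNotGranted;
        return null; // no entry for this server: the allowlist is not in effect
    }

    // Drift check: grants naming tools the server no longer advertises are stale.
    public static IEnumerable<string> FindDrift(ToolAudienceProfile p, string server, ISet<string> discovered)
    {
        if (p.McpServerToolGrants is null || !p.McpServerToolGrants.TryGetValue(server, out var granted))
            return Enumerable.Empty<string>();
        return granted.Where(t => !discovered.Contains(t))
                      .Select(t => $"tool drift: profile '{p.Name}' grants '{server}/{t}' but it was not discovered");
    }

    public static void Main()
    {
        // Constructed sample config; "memorizer" is the server named in the PR, tool names are made up.
        const string json = @"{ ""Name"": ""public"", ""AllowedMcpServers"": [""memorizer""],
                                ""McpServerToolGrants"": { ""memorizer"": [""recall""] } }";
        var opts = new JsonSerializerOptions { PropertyNameCaseInsensitive = true };
        var profile = JsonSerializer.Deserialize<ToolAudienceProfile>(json, opts)!;
        Console.WriteLine(Authorize(profile, "memorizer", "recall") ?? "allowed");
        Console.WriteLine(Authorize(profile, "memorizer", "forget") ?? "allowed");
        Console.WriteLine(Authorize(profile, "shell", "run") ?? "allowed");
        foreach (var w in FindDrift(profile, "memorizer", new HashSet<string> { "remember" })) Console.WriteLine(w);
    }
}
```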