Python: [Generated by SRE Agent] Fix MCP allowed_tools empty list handling (#6296)

* Fix MCP allowed_tools empty list handling

When allowed_tools is set to an empty list [], the falsy check
'if not self.allowed_tools' incorrectly treats it as unconfigured
(same as None), causing all tools to be exposed. Change to an
explicit 'is None' check so that an empty list correctly results
in no tools being allowed.

Co-authored-by: Azure SRE Agent <noreply@microsoft.com>

* Clarify allowed_tools docstring: None vs [] semantics

Per Eduard's review on PR #6296: explicitly document that None exposes all tools and [] exposes none, across all four MCPTool / MCPStdioTool / MCPStreamableHTTPTool / MCPWebsocketTool docstrings.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* allowed_tools docstring: recommend load_tools=False for full disable

Per Eduard's follow-up on PR #6296: `load_tools=False` is the cleaner idiom when you don't want to expose any tools. Reframe `allowed_tools=[]` in the docstring as a runtime guard / inspection-only path and cross-reference `load_tools`.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Azure SRE Agent <noreply@microsoft.com>
Co-authored-by: Giles Odigwe <79032838+giles17@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
chetantoshniwal
2026-06-10 23:46:46 -07:00
committed by GitHub
Unverified
parent 3753d938f5
commit 4149f24791
2 changed files with 30 additions and 5 deletions
+29 -5
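The fail-open behaviour the commit message describes, as an added example that is not part of the commit or the project's code: a stand-in for MCPTool's `functions` property with the pre-fix truthiness check beside the post-fix `is None` check, both run over a constructed list of advertised tool names. `FakeFunctionTool`, `ADVERTISED`, `functions_buggy`, `functions_fixed`, `exposed_names` and `fails_open` are illustrative names, not the framework's.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Collection, Iterable, Optional


@dataclass(frozen=True)
class FakeFunctionTool:
    """Constructed stand-in for the framework's FunctionTool; only the name matters here."""

    name: str


# Constructed sample of what an MCP server might advertise (not real server output).
ADVERTISED = [
    FakeFunctionTool("read_file"),
    FakeFunctionTool("write_file"),
    FakeFunctionTool("run_shell"),
]


def functions_buggy(
    loaded: Iterable[FakeFunctionTool], allowed_tools: Optional[Collection[str]]
) -> list[FakeFunctionTool]:
    """Pre-fix logic: a truthiness test cannot tell [] from None, so [] exposes everything."""
    if not allowed_tools:
        return list(loaded)
    allowed = set(allowed_tools)
    return [f for f in loaded if f.name in allowed]


def functions_fixed(
    loaded: Iterable[FakeFunctionTool], allowed_tools: Optional[Collection[str]]
) -> list[FakeFunctionTool]:
    """Post-fix logic: only None means 'not configured'; an empty collection exposes nothing."""
    if allowed_tools is None:
        return list(loaded)
    allowed = set(allowed_tools)
    return [f for f in loaded if f.name in allowed]


def exposed_names(
    impl: Callable[..., list[FakeFunctionTool]], allowed_tools: Optional[Collection[str]]
) -> list[str]:
    """Run one of the two implementations over the constructed server tool list."""
    return [f.name for f in impl(ADVERTISED, allowed_tools)]


def fails_open(allowed_tools: Optional[Collection[str]]) -> bool:
    """True when the buggy implementation exposes more tools than the fixed one for this setting."""
    return len(exposed_names(functions_buggy, allowed_tools)) > len(
        exposed_names(functions_fixed, allowed_tools)
    )


if __name__ == "__main__":
    # Every falsy collection, not just the list literal, trips the buggy check.
    for setting in (None, [], set(), (), ["read_file"], ["not_advertised"]):
        print(
            repr(setting),
            "buggy:", exposed_names(functions_buggy, setting),
            "fixed:", exposed_names(functions_fixed, setting),
        )
```

The `set()` and `()` cases matter because the docstring promises "collection" semantics: any empty collection is falsy, so the old check failed open for all of them, and the new check fails closed for all of them.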
@@ -379,7 +379,13 @@ class MCPTool:
name: The name of the MCP tool.
description: A description of the MCP tool.
approval_mode: Whether approval is required to run tools.
allowed_tools: A collection of tool names to allow.
allowed_tools: Optional allow-list of MCP tool names to expose as functions.
``None`` (the default) exposes every tool advertised by the MCP server.
A non-empty collection exposes only the tools whose names appear in it.
An empty collection (``[]``) exposes no tools — if you simply want to
disable tool execution, prefer ``load_tools=False`` instead. ``[]`` is
useful as a runtime guard or when you want to load tool metadata for
inspection without exposing the tools for invocation.
tool_name_prefix: Optional prefix to prepend to exposed MCP function names.
load_tools: Whether to load tools from the MCP server.
parse_tool_results: An optional callable with signature
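Review bot: the new docstring says the allow-list holds "MCP tool names", but `tool_name_prefix` two lines below says exposed function names get a prefix; state explicitly which name the filter matches (the server-advertised name or the prefixed function name), because a caller who lists prefixed names would otherwise get an empty match and, under the new semantics, no tools at all. It would also help to say what happens to a listed name the server does not advertise (silently ignored or an error), since that is the other way an allow-list can end up exposing nothing.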
@@ -739,7 +745,7 @@ class MCPTool:
@property
def functions(self) -> list[FunctionTool]:
"""Get the list of functions that are allowed."""
if not self.allowed_tools:
if self.allowed_tools is None:
return self._functions
allowed_names = set(self.allowed_tools)
filtered_functions: list[FunctionTool] = []
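Review bot: the `is None` check closes the fail-open path, but `allowed_names = set(self.allowed_tools)` is still rebuilt on every access of `functions`, and if a caller passes a one-shot iterable (a generator) the first access exhausts it and every later access silently filters everything out. Normalise once at construction, e.g. `self.allowed_tools = None if allowed_tools is None else frozenset(allowed_tools)`, and have the property use that; it also makes the None-versus-empty distinction explicit at the point the value enters the object. Worth grepping the rest of the class for other truthiness tests on `allowed_tools` so the same regression is not left elsewhere.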
@@ -2391,7 +2397,13 @@ class MCPStdioTool(MCPTool):
- A dict with keys `always_require_approval` or `never_require_approval`,
followed by a sequence of strings with the names of the relevant tools.
A tool should not be listed in both, if so, it will require approval.
allowed_tools: A list of tools that are allowed to use this tool.
allowed_tools: Optional allow-list of MCP tool names to expose as functions.
``None`` (the default) exposes every tool advertised by the MCP server.
A non-empty collection exposes only the tools whose names appear in it.
An empty collection (``[]``) exposes no tools — if you simply want to
disable tool execution, prefer ``load_tools=False`` instead. ``[]`` is
useful as a runtime guard or when you want to load tool metadata for
inspection without exposing the tools for invocation.
additional_properties: Additional properties.
args: The arguments to pass to the command.
env: The environment variables to set for the command.
@@ -2566,7 +2578,13 @@ class MCPStreamableHTTPTool(MCPTool):
- A dict with keys `always_require_approval` or `never_require_approval`,
followed by a sequence of strings with the names of the relevant tools.
A tool should not be listed in both, if so, it will require approval.
allowed_tools: A list of tools that are allowed to use this tool.
allowed_tools: Optional allow-list of MCP tool names to expose as functions.
``None`` (the default) exposes every tool advertised by the MCP server.
A non-empty collection exposes only the tools whose names appear in it.
An empty collection (``[]``) exposes no tools — if you simply want to
disable tool execution, prefer ``load_tools=False`` instead. ``[]`` is
useful as a runtime guard or when you want to load tool metadata for
inspection without exposing the tools for invocation.
additional_properties: Additional properties.
terminate_on_close: Close the transport when the MCP client is terminated.
client: The chat client to use for sampling.
@@ -2795,7 +2813,13 @@ class MCPWebsocketTool(MCPTool):
- A dict with keys `always_require_approval` or `never_require_approval`,
followed by a sequence of strings with the names of the relevant tools.
A tool should not be listed in both, if so, it will require approval.
allowed_tools: A list of tools that are allowed to use this tool.
allowed_tools: Optional allow-list of MCP tool names to expose as functions.
``None`` (the default) exposes every tool advertised by the MCP server.
A non-empty collection exposes only the tools whose names appear in it.
An empty collection (``[]``) exposes no tools — if you simply want to
disable tool execution, prefer ``load_tools=False`` instead. ``[]`` is
useful as a runtime guard or when you want to load tool metadata for
inspection without exposing the tools for invocation.
additional_properties: Additional properties.
client: The chat client to use for sampling.
sampling_approval_callback: Optional gate run before each server-initiated
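Review bot: this is the fourth verbatim copy of the same seven-line `allowed_tools` paragraph (MCPTool, MCPStdioTool, MCPStreamableHTTPTool, MCPWebsocketTool). Keep the full text on MCPTool and have the three subclasses point at it ("See MCPTool.allowed_tools"), or build the docstrings from one shared constant; otherwise the next wording change has to be made in four places and the copies drift.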
@@ -1530,6 +1530,7 @@ def test_mcp_tool_approval_mode_returns_none_for_unmatched_names() -> None:
3,
["tool_one", "tool_two", "tool_three"],
), # None means all tools are allowed
([], 0, []), # Empty list means no tools are allowed
(["tool_one"], 1, ["tool_one"]), # Only tool_one is allowed
(
["tool_one", "tool_three"],
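Review bot: `([], 0, [])` pins the regression for the list literal, but the docstring promises "collection" semantics, so add an empty non-list case (`set()` or `()`) and a case where a listed name is not advertised by the server (for example `(["missing"], 0, [])`), so that fail-closed behaviour is asserted for every falsy collection and for an allow-list that matches nothing.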