diff --git a/python/packages/core/agent_framework/_mcp.py b/python/packages/core/agent_framework/_mcp.py
index 2fc79e85a5..f25a44c38c 100644
--- a/python/packages/core/agent_framework/_mcp.py
+++ b/python/packages/core/agent_framework/_mcp.py
@@ -379,7 +379,13 @@ class MCPTool:
 name: The name of the MCP tool.
 description: A description of the MCP tool.
 approval_mode: Whether approval is required to run tools.
- allowed_tools: A collection of tool names to allow.
+ allowed_tools: Optional allow-list of MCP tool names to expose as functions.
+ ``None`` (the default) exposes every tool advertised by the MCP server.
+ A non-empty collection exposes only the tools whose names appear in it.
+ An empty collection (``[]``) exposes no tools — if you simply want to
+ disable tool execution, prefer ``load_tools=False`` instead. ``[]`` is
+ useful as a runtime guard or when you want to load tool metadata for
+ inspection without exposing the tools for invocation.
 tool_name_prefix: Optional prefix to prepend to exposed MCP function names.
 load_tools: Whether to load tools from the MCP server.
 parse_tool_results: An optional callable with signature
@@ -739,7 +745,7 @@ class MCPTool:
 @property
 def functions(self) -> list[FunctionTool]:
 """Get the list of functions that are allowed."""
- if not self.allowed_tools:
+ if self.allowed_tools is None:
 return self._functions
 allowed_names = set(self.allowed_tools)
 filtered_functions: list[FunctionTool] = []
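Review bot: The new `allowed_tools` paragraph in the MCPTool docstring does not say which name an entry is compared with when `tool_name_prefix` is set: the name the MCP server advertises or the prefixed function name. The filter body lies outside this diff, so I cannot tell which it is, and a mismatch would silently filter the tool out. I would add one sentence such as `Entries are matched against the tool names advertised by the server, before tool_name_prefix is applied.` (or "after", whichever the filter actually does). The same paragraph is repeated in the MCPStdioTool, MCPStreamableHTTPTool and MCPWebsocketTool hunks and needs the same sentence. It would also help to state that ``None`` trusts whatever the server advertises, so an explicit list is the safer setting for servers the caller does not control.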
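Review bot: The docstring of `functions` still reads `"""Get the list of functions that are allowed."""` and does not record the distinction this hunk introduces between `None` and an empty collection. I would change it to `"""Return the exposed functions: all of them when allowed_tools is None, otherwise only those named in it (an empty collection yields none)."""` and put `# None means no allow-list; an empty collection is an explicit deny-all` above the `is None` test, so a later cleanup does not restore the truthiness check. Any other site that tests `allowed_tools` by truthiness, or stores it as `allowed_tools or None`, would still treat `[]` as unrestricted; none is visible in this diff, so a search of the file is worth doing. The filtering loop continues past the end of the hunk.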
@@ -2391,7 +2397,13 @@ class MCPStdioTool(MCPTool):
 - A dict with keys `always_require_approval` or `never_require_approval`,
 followed by a sequence of strings with the names of the relevant tools.
 A tool should not be listed in both, if so, it will require approval.
- allowed_tools: A list of tools that are allowed to use this tool.
+ allowed_tools: Optional allow-list of MCP tool names to expose as functions.
+ ``None`` (the default) exposes every tool advertised by the MCP server.
+ A non-empty collection exposes only the tools whose names appear in it.
+ An empty collection (``[]``) exposes no tools — if you simply want to
+ disable tool execution, prefer ``load_tools=False`` instead. ``[]`` is
+ useful as a runtime guard or when you want to load tool metadata for
+ inspection without exposing the tools for invocation.
 additional_properties: Additional properties.
 args: The arguments to pass to the command.
 env: The environment variables to set for the command.
@@ -2566,7 +2578,13 @@ class MCPStreamableHTTPTool(MCPTool):
 - A dict with keys `always_require_approval` or `never_require_approval`,
 followed by a sequence of strings with the names of the relevant tools.
 A tool should not be listed in both, if so, it will require approval.
- allowed_tools: A list of tools that are allowed to use this tool.
+ allowed_tools: Optional allow-list of MCP tool names to expose as functions.
+ ``None`` (the default) exposes every tool advertised by the MCP server.
+ A non-empty collection exposes only the tools whose names appear in it.
+ An empty collection (``[]``) exposes no tools — if you simply want to
+ disable tool execution, prefer ``load_tools=False`` instead. ``[]`` is
+ useful as a runtime guard or when you want to load tool metadata for
+ inspection without exposing the tools for invocation.
 additional_properties: Additional properties.
 terminate_on_close: Close the transport when the MCP client is terminated.
 client: The chat client to use for sampling.
@@ -2795,7 +2813,13 @@ class MCPWebsocketTool(MCPTool):
 - A dict with keys `always_require_approval` or `never_require_approval`,
 followed by a sequence of strings with the names of the relevant tools.
 A tool should not be listed in both, if so, it will require approval.
- allowed_tools: A list of tools that are allowed to use this tool.
+ allowed_tools: Optional allow-list of MCP tool names to expose as functions.
+ ``None`` (the default) exposes every tool advertised by the MCP server.
+ A non-empty collection exposes only the tools whose names appear in it.
+ An empty collection (``[]``) exposes no tools — if you simply want to
+ disable tool execution, prefer ``load_tools=False`` instead. ``[]`` is
+ useful as a runtime guard or when you want to load tool metadata for
+ inspection without exposing the tools for invocation.
 additional_properties: Additional properties.
 client: The chat client to use for sampling.
 sampling_approval_callback: Optional gate run before each server-initiated
diff --git a/python/packages/core/tests/core/test_mcp.py b/python/packages/core/tests/core/test_mcp.py
index a40c1c9b54..3eaf60785d 100644
--- a/python/packages/core/tests/core/test_mcp.py
+++ b/python/packages/core/tests/core/test_mcp.py
@@ -1530,6 +1530,7 @@ def test_mcp_tool_approval_mode_returns_none_for_unmatched_names() -> None:
 3,
 ["tool_one", "tool_two", "tool_three"],
 ), # None means all tools are allowed
+ ([], 0, []), # Empty list means no tools are allowed
 (["tool_one"], 1, ["tool_one"]), # Only tool_one is allowed
 (
 ["tool_one", "tool_three"],
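Review bot: The added case `([], 0, [])` pins the deny-all behaviour only for a list, while the updated docstrings promise it for any empty collection. A second case such as `((), 0, []),  # Empty tuple is also deny-all` would catch a regression to a check that special-cases `[]`. If the cases outside this hunk do not already have one, an entry naming a tool the server does not advertise, expected to yield zero functions, would pin the fail-closed path for unknown names as well. The parametrised list starts before and continues after the hunk, so I cannot see which cases already exist.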