
Correct tools field documentation to match runtime allowlist enforcement #3965

Merged
lpcox merged 3 commits into main from copilot/fix-tools-field-documentation-discrepancy
Apr 16, 2026


Copilot AI commented Apr 16, 2026

Nightly docs reconciliation found a mismatch: docs/CONFIGURATION.md said the server tools field is not enforced, but runtime already enforces it for both discovery and execution paths. This PR updates the configuration reference to reflect actual behavior and remove misleading security guidance.

  • Documentation correction (docs/CONFIGURATION.md)

    • Reworded tools from “intended to be exposed” to “list of tool names to allow”.
    • Replaced the stale “not enforced at runtime” note with explicit enforcement semantics:
      • non-allowed tools are hidden from tools/list
      • non-allowed tools are rejected with 403 on tools/call
    • Added wildcard/default behavior clarification:
      • ["*"] allows all tools
      • omitting tools preserves allow-all behavior
    • Clarified example meaning: listed tools are the only accessible tools.
- **`tools`** (optional): List of tool names to allow for this server
  - Enforced at runtime: tools not in this list are hidden from `tools/list` responses and rejected with a 403 error on `tools/call`
  - Use `["*"]` (wildcard) to allow all tools (default behavior when field is omitted)
  - Example: `["get_file_contents", "search_code"]` (only these tools are accessible)

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • example.com
  • invalid-host-that-does-not-exist-12345.com
  • nonexistent.local
  • slow.example.com
  • this-host-does-not-exist-12345.com

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title [WIP] Fix tools field documentation discrepancy identified in report Correct tools field documentation to match runtime allowlist enforcement Apr 16, 2026
Copilot AI requested a review from lpcox April 16, 2026 18:29
@lpcox lpcox marked this pull request as ready for review April 16, 2026 18:45
Copilot AI review requested due to automatic review settings April 16, 2026 18:45

Copilot AI left a comment

Pull request overview

Updates the configuration reference to correctly describe how the per-server tools allowlist behaves at runtime, aligning docs/CONFIGURATION.md with the gateway’s current tool filtering/enforcement logic.

Changes:

  • Rewords tools as an allowlist (not just “intended exposure”).
  • Documents runtime enforcement on discovery (tools/list) and execution (tools/call).
  • Clarifies allow-all defaults and wildcard behavior (["*"] / omitted field).

| File | Description |
| --- | --- |
| docs/CONFIGURATION.md | Corrects tools field documentation to describe runtime allowlist semantics and defaults. |

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 1
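
The allowlist semantics this PR documents, as an added Go example that is not the gateway's own code: `parseServer`, `filterList` and `callStatus` are hypothetical names, and the JSON config shape and the `delete_repo` tool name are constructed. Treating an explicit empty list as deny-all is an assumption; the page only covers the omitted field and `["*"]`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ServerConfig models only the tools field; this JSON shape is an assumption.
type ServerConfig struct{ Tools []string `json:"tools"` }

// parseServer: an omitted field leaves Tools nil, an explicit [] gives an empty non-nil slice.
func parseServer(raw string) (c ServerConfig, err error) {
	err = json.Unmarshal([]byte(raw), &c)
	return
}

// allowed: "*" or an exact name match passes. Assumption: explicit [] denies all.
func allowed(allowlist []string, tool string) bool {
	for _, name := range allowlist {
		if name == "*" || name == tool {
			return true
		}
	}
	return allowlist == nil // field omitted: allow-all default
}

// filterList is the discovery path: non-allowed tools are hidden from tools/list.
func filterList(allowlist, upstream []string) []string {
	visible := []string{}
	for _, t := range upstream {
		if allowed(allowlist, t) {
			visible = append(visible, t)
		}
	}
	return visible
}

// callStatus is the execution path: a non-allowed tools/call is rejected with 403.
func callStatus(allowlist []string, tool string) int {
	if allowed(allowlist, tool) {
		return 200
	}
	return 403
}

func main() {
	cfg, _ := parseServer(`{"tools": ["get_file_contents", "search_code"]}`)
	up := []string{"get_file_contents", "search_code", "delete_repo"} // constructed names
	fmt.Println(filterList(cfg.Tools, up), callStatus(cfg.Tools, "delete_repo"))
}
```

Checking both paths matters because hiding a tool from `tools/list` alone does not stop a client that already knows the tool name from calling it.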

Comment thread docs/CONFIGURATION.md Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@lpcox lpcox merged commit 9445b9a into main Apr 16, 2026
3 checks passed
@lpcox lpcox deleted the copilot/fix-tools-field-documentation-discrepancy branch April 16, 2026 19:13

Development

Successfully merging this pull request may close these issues.

📚 Documentation Reconciliation Report - 2026-04-16

3 participants