Integrate MCP tools with Tool Confirmation Message Bus

[allenhutchison]

Summary

This issue tracks the integration of MCP (Model Context Protocol) tools with the Tool Confirmation Message Bus infrastructure being implemented in #7231. This represents an additional phase of work beyond the initial 3 PRs outlined in the parent issue.

Context

MCP tools currently have their own confirmation logic with static allowlists and callback-based confirmation handling. This needs to be migrated to use the new MessageBus/PolicyEngine infrastructure for consistency across all tool types.

Implementation Plan

1. Extend PolicyEngine for MCP-Specific Rules

• Add mcpServerName and mcpToolName fields to PolicyRule interface
• Support matching rules by MCP server and/or specific tools within a server
• Enable server-level and tool-level "always allow" policies

2. Enhance Message Types for MCP Metadata

• Add optional mcpMetadata field to ToolConfirmationRequest:

  mcpMetadata?: {
    serverName: string;
    serverToolName: string;
    displayName: string;
    trust?: boolean;
  }

3. Migrate MCP Tool Confirmation

• Modify DiscoveredMCPToolInvocation.shouldConfirmExecute() to use MessageBus
• Convert static allowlist to dynamic PolicyEngine rules
• Bridge async messaging with existing synchronous interface using Promise/correlation pattern

4. Implement "Always Allow" as Policy Rules

• "Always Allow Server" → Add rule: { mcpServerName: 'server-name', decision: ALLOW }
• "Always Allow Tool" → Add rule: { mcpServerName: 'server', mcpToolName: 'tool', decision: ALLOW }
• Persist rules appropriately for user preferences

5. Handle Trust Contexts

• Integrate trusted folder checks into PolicyEngine evaluation
• Pass trust context through message metadata or PolicyEngineConfig

Dependencies

• Requires completion of PR 2 (Core Tool Integration) from Epic: Tool Confirmation Message Bus #7231
• Should be done before or alongside PR 3 (TUI Integration) to ensure UI handles MCP-specific confirmations

Acceptance Criteria

• MCP tools use MessageBus for all confirmation requests
• Static allowlist is replaced with PolicyEngine rules
• Server-level and tool-level "always allow" functionality preserved
• Trusted folder behavior maintained
• All existing MCP tool tests pass
• New tests added for MCP-specific message bus integration

Related Issues

• Parent issue: Epic: Tool Confirmation Message Bus #7231 (Tracker: Implement Tool Confirmation Message Bus)
• Related PR 1: feat(core): Tool Confirmation Message Bus foundation (PR 1 of 3) #7835 (Foundation & Scaffolding)

/cc @allenhutchison