fix(orchestrator): scope Claude MCP tool pre-approval#3862
Conversation
|
Important Review skippedAuto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
ApprovabilityVerdict: Needs human review This PR modifies security-relevant tool authorization logic, gating which MCP tools are pre-approved based on sandbox read-only status. Changes that affect authorization behavior and restrict capabilities in security contexts warrant human review despite good test coverage. You can customize Macroscope's approvability policy. Learn more. |
The Claude Agent SDK's allowedTools option only pre-approves tool calls; tool availability is controlled by the separate tools option. Attaching the t3-code MCP server therefore always pre-approves its tools so headless permission modes (dontAsk) do not deny the orchestrator's own MCP calls. Read-only sandboxes now pre-approve only the orchestrator tools annotated read-only, so a read-only session can no longer silently spawn child threads or scheduled tasks.
3ffc8e1 to
744c7b7
Compare
Dismissing prior approval to re-evaluate 744c7b7
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes using high effort and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 744c7b7. Configure here.
Reused live queries were keyed only by the runtime policy, so policies sharing a policy key could reuse a query opened with different MCP pre-approvals (wildcard vs read-only list) or without the MCP server attached. Key reuse on the effective allowlist instead.

Summary
allowedToolsonly pre-approves tool calls (availability is the separatetoolsoption), so without this entry headless modes likedontAskdeny the orchestrator's ownmcp__t3-code__*callsTool.Readonlyinstead of the wildcard, so a read-only session cannot silently spawn child threads or scheduled tasksNotes
An earlier revision of this PR instead dropped the wildcard when no explicit allowlist was set, on the premise that it blocked Claude's built-in tools. Per the SDK typings,
allowedToolscannot block built-in tools ("To restrict which tools are available, use thetoolsoption instead"), and dropping it would have auto-denied or prompt-gated the t3-code MCP tools in every mode that does not bypass permissions.Validation
vp checkvp run typecheckvp test apps/server/src/orchestration-v2/Adapters/ClaudeAdapterV2.test.tsAddresses review feedback on #2829.
Note
Scope Claude MCP tool pre-approval to read-only tools in read-only sandboxes
claudeMcpQueryOverridesnow pre-approves only the fixed set of tools inCLAUDE_READ_ONLY_T3_MCP_ALLOWED_TOOLSinstead of themcp__t3-code__*wildcard.claudeEffectiveQueryPolicyKeyto incorporate MCP-derivedallowedToolsinto live-query reuse keys, so read-only and non-read-only queries are not incorrectly shared.claudeMcpQueryOverridesnow requires areadOnlySandboxboolean; callers inopenQueryderive it fromsandboxPolicyKindForClaudeRuntimePolicy.Tool.ReadonlyinOrchestratorToolkit.Macroscope summarized 4eafde4.
Note
Medium Risk
Changes permission pre-approval for orchestrator MCP tools in read-only sandboxes; behavior is narrow and covered by focused adapter tests, but it affects what agents can do without prompts in constrained runtimes.
Overview
When a thread-scoped t3-code MCP server is attached, Claude query setup still pre-approves orchestrator MCP tools via
allowedTools, but read-only sandboxes now get onlyCLAUDE_READ_ONLY_T3_MCP_ALLOWED_TOOLSinstead of themcp__t3-code__*wildcard, so headless modes cannot auto-approve thread spawn or scheduled-task mutations.claudeMcpQueryOverridestakes areadOnlySandboxflag (derived from the runtime sandbox policy at query open). Live-query reuse usesclaudeEffectiveQueryPolicyKeyso differing MCP pre-approvals do not share a cached query. Tests cover MCP/no-MCP and allowlist combinations, plus a check that the read-only list stays aligned withTool.ReadonlyonOrchestratorToolkit.Reviewed by Cursor Bugbot for commit 4eafde4. Bugbot is set up for automated code reviews on this repo. Configure here.