MCP permissions

[artur-kozminski]

Describe the feature or problem you'd like to solve

add configuration allowence to usage of some tools from mcp servers

Proposed solution

Similar
"trustedFolders": [
".",
"C:\Users\t0155821\repos\ilbs",
"C:\Users\t0155821\.copilot",
"C:\Users\t0155821\.config\agents"
],
in config.json add "trustedTools": [ "mcp_server_name": ["tool_name1", "tool_name2"]]

in CLI tool there should be as well command /allow-tool <tool_name>

Example prompts or workflows

especially that's useful when we always know that some mcp functionality is read-only, and cannot have negative impact, or same with side effect impact is accepted

e.g. our tool reads db, gets data from webpage , why to asks each time,

Additional context

GitHub Copilot CLI 1.0.39

[artur-kozminski]

there is something like permissions-config.json, now I see it ,probably persistently kept between versions , not yet tested but maybe it's what I requested

content
"locations": {
"C:\Users\t0155821": {
"tool_approvals": [
{
"kind": "mcp",
"serverName": "mcp2",
"toolName": "mcp2_operation1"
},

[artur-kozminski]

it's working but STILL PROBLEM is with functionality, is that per session or persistence, file is persistence /reset-allowed-tools removes all entries, and what is expected to control SESSION allows from PERMANENT allows, and /reset-allowed-tools should have parameter session, and file session if is per session setting, closing agent /changing session removes all session's related configuration while permanent stays

[yionis01]

i think this is asking for the same thing i came to request. allowedTools / deniedTools to settings.json for persistent tool permissions. Currently, tool permissions (--allow-tool / --deny-tool) are session-scoped and must be passed as CLI flags on every launch. There is no way to persist tool-level allow/deny rules in settings.json, unlike allowedUrls and deniedUrls which already support this.

This makes it tedious to always auto-approve commonly used, low-risk MCP server tools (e.g., read-only lookups like m365-user(GetMultipleUsersDetails)). Users must either re-approve every session or resort to --allow-all, which is too broad.

[artur-kozminski]

intelij plugin for copilot adds patters which is even more useful for commands (similar would be nice and solves a lot of problems with read-only operations)

and specific tool of mcp (like it is in permissions-config.json (this is file)