Summary
Configure the Filesystem MCP server to block agent reads of sensitive files. This is a non-negotiable prerequisite before any self-development work where agents target the agent-dev codebase.
Context
Identified during the self-development readiness brainstorm (SEC agent, April 7 2026). When agents work on agent-dev itself, they have filesystem access to the project directory — which includes .env files containing API keys. The Filesystem MCP currently allows reading any file in the workspace. A file-level blocklist prevents accidental or intentional secret exfiltration through agent context.
Blocked File Patterns
.env
.env.local
.env.production
.env.*
*.pem
*.key
*.p12
*.pfx
Implementation Options
Option A: Filesystem MCP native support
The @modelcontextprotocol/server-filesystem server may support path-based exclusion patterns. Check the server's configuration options for an exclude or deny parameter in mcp-config.json.
Option B: MCPToolProvider filter layer
If native exclusion isn't supported, add a filter in MCPToolProvider that intercepts filesystem_read tool calls and rejects any path matching the blocked patterns before forwarding to the MCP server.
import fnmatch
from pathlib import Path

BLOCKED_PATTERNS = [".env", ".env.*", "*.pem", "*.key", "*.p12", "*.pfx"]

def _is_blocked_path(path: str) -> bool:
    # Match on the basename only, so "config/.env" is caught wherever the file sits.
    filename = Path(path).name
    return any(fnmatch.fnmatch(filename, pattern) for pattern in BLOCKED_PATTERNS)
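An added example (not code from the ticket or the agent-dev project) that carries the Option B sketch through: it normalises the requested path before matching, wraps a forwarding call so blocked reads never reach the MCP server, and records denials for audit. The tool name filesystem_read, the argument names path and paths, and the shape of the returned error are assumptions.

```python
import fnmatch
import posixpath
from typing import Any, Callable

BLOCKED_PATTERNS = [".env", ".env.*", "*.pem", "*.key", "*.p12", "*.pfx"]
# Assumed: the tools whose file-path arguments must be screened.
READ_TOOLS = {"filesystem_read"}


def is_blocked_path(path: str) -> bool:
    # Normalise separators and collapse "." / "..", so spellings such as
    # "src/../.env", "./.env" or "config\\.env" all reduce to the same basename.
    normalized = posixpath.normpath(path.replace("\\", "/"))
    filename = posixpath.basename(normalized).lower()
    # Lower-case the name so the blocklist behaves the same on case-insensitive
    # filesystems (".ENV", "SERVER.PEM") as on case-sensitive ones.
    return any(fnmatch.fnmatchcase(filename, pattern) for pattern in BLOCKED_PATTERNS)


class SensitiveFileGuard:
    """Wraps a tool-call forwarder; rejects reads of blocked files before forwarding."""

    def __init__(self, forward: Callable[[str, dict], Any]) -> None:
        self._forward = forward
        self.denied: list[tuple[str, str]] = []  # (tool_name, path) audit trail

    def _requested_paths(self, arguments: dict) -> list[str]:
        # Assumed argument shapes: a single "path" or a list under "paths".
        paths = [arguments["path"]] if "path" in arguments else []
        paths += list(arguments.get("paths", []))
        return [str(p) for p in paths]

    def __call__(self, tool_name: str, arguments: dict) -> Any:
        if tool_name in READ_TOOLS:
            for path in self._requested_paths(arguments):
                if is_blocked_path(path):
                    self.denied.append((tool_name, path))
                    return {
                        "isError": True,
                        "content": [{"type": "text",
                                     "text": f"read of {path!r} blocked by sensitive-file policy"}],
                    }
        return self._forward(tool_name, arguments)


if __name__ == "__main__":
    # Constructed forwarder standing in for the real MCP client.
    guard = SensitiveFileGuard(lambda name, args: {"ok": True, "tool": name})
    print(guard("filesystem_read", {"path": "src/../.env"}))
    print(guard("filesystem_read", {"path": "src/main.py"}))
```

Note that a multi-path request is refused as a whole if any entry is blocked, so the agent cannot smuggle one sensitive file in among harmless ones.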
Option C: Both
Native exclusion as primary defense + MCPToolProvider filter as belt-and-suspenders.
Acceptance Criteria
filesystem_read calls for .env, *.pem, *.key files are rejected
Effort
Tiny (15-30 minutes)
Dependencies
None
Source
Self-development readiness brainstorm, SEC agent recommendation — April 7, 2026