fix: CLI --list-tools must honor BRAINCTL_ALLOWED_TOOLS (red-team)#139
Merged
Conversation
Red-team of v2.8.0 surfaced two related bugs in the inspection path:
1. `BRAINCTL_ALLOWED_TOOLS=memory_add brainctl-mcp --list-tools`
printed all 100 visible tools, not just `memory_add`. The
allowlist was applied in the async `list_tools()` handler
(used by MCP clients) but not in the CLI inspection path.
Result: an operator could think their server was locked down
while clients saw a different (broader) surface.
2. `--list-tools --all` was meant to bypass only the v2
visibility filter (so debuggers can see the full v1+v2
surface), but it also silently bypassed the operator's
allowlist. An admin using `--all` to inspect would see tools
that the server would actually refuse to call.
The fix applies _ALLOWED_TOOLS in the CLI branch as well, with
`--all` only bypassing _VISIBLE_TOOL_NAMES (the v2 filter), never
the operator's explicit allowlist.
Regression coverage added in TestCLIListToolsConsistency with four
cases: allowlist+no-flag, allowlist+--all, no-allowlist+no-flag,
no-allowlist+--all.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Red-team of the freshly merged v2.8.0 surfaced two related bugs in the inspection path:
brainctl-mcp --list-toolsignoredBRAINCTL_ALLOWED_TOOLS. The allowlist was applied only in the asynclist_tools()handler (used by MCP clients), not in the CLI branch. An operator inspecting their config could think the server was locked down while clients saw a broader surface.--list-tools --allalso bypassed the allowlist, not just the v2 visibility filter.--allis meant to show the full v1+v2 registered surface for debugging, but the operator's explicit security allowlist should never be silently dropped.Repro (before fix)
After: both return
1.Verification
pytest tests/test_mcp_allowed_tools.py -q→ 20 passed (4 new tests inTestCLIListToolsConsistency)Test plan
--all→ still only allowlisted tools--all→ full registered surface