Summary
Gemini CLI supports per-MCP-server tool allowlists via includeTools / excludeTools in settings JSON. The Python SDK (google-antigravity 0.1.0) has no equivalent on McpStdioServer, McpSseServer, or McpStreamableHttpServer — McpBridge.get_mcp_tools() registers every tool returned by the server with no client-side filtering.
For automation use cases (e.g. GitHub Actions PR review), we need to restrict the MCP toolset exposed to the model in the SDK, not only at runtime via policies.
Motivation
The SDK docs in hooks/policy.py recommend config-level tool restriction (CapabilitiesConfig.enabled_tools / disabled_tools) over policy.deny() because disabled tools are removed from model context and save tokens. Policies leave denied tools visible; the model may still attempt them.
CapabilitiesConfig.enabled_tools only applies to builtin harness tools (BuiltinTools enum), not MCP tool names.
Current workarounds:
- Server-side allowlist — e.g. GitHub remote MCP X-MCP-Tools header. Works but couples SDK config to server-specific headers; not portable across MCP servers.
- policies=[deny_all(), allow("tool_name"), ...] — runtime enforcement only; MCP tools remain in context.
- Manual McpBridge + filter + pass via LocalAgentConfig.tools — bypasses mcp_servers; awkward lifecycle.
Requested API
Parity with Gemini CLI MCP server config:
    McpStreamableHttpServer(
        url="https://api.githubcopilot.com/mcp/x/pull_requests",
        headers={"Authorization": f"Bearer {token}"},
        include_tools=[
            "pull_request_read",
            "pull_request_review_write",
        ],
        # exclude_tools=[...],  # optional; exclude takes precedence
    )
Same fields on McpStdioServer and McpSseServer.
Behavior:
- After MCP tools/list, McpBridge only registers tools matching include_tools (if set).
- exclude_tools removes tools even if listed in include_tools (match Gemini CLI semantics).
- When neither is set, current behavior (all server tools) unchanged.
Optional: document that server-side filtering (e.g. X-MCP-Tools) and SDK include_tools can be combined; SDK filter is the portable contract.
Use case
Headless PR review agent in CI:
- Zero builtin tools: CapabilitiesConfig(enabled_tools=[])
- MCP-only GitHub tools: strict allowlist of 2–4 review tools
- Deny-by-default policies as defense in depth
Today we must rely on GitHub MCP server headers for context-level MCP filtering; SDK-native include_tools would match Gemini CLI / agy plugin configs and simplify secure automation.
Environment
- google-antigravity==0.1.0
- Python 3.14 (also tested via local spike)
References
- Gemini CLI: includeTools / excludeTools on mcpServers.*
- SDK: google/antigravity/mcp/bridge.py — no filtering in get_mcp_tools()
- SDK: google/antigravity/types.py — McpStreamableHttpServer fields limited to transport config
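The filter semantics listed under "Behavior", as an added sketch that is not part of the original issue and is not SDK code. The names filter_mcp_tools and require_exact, the sample tool entries, and the treatment of an empty include list as "expose nothing" are assumptions.

```python
# Constructed sample shaped like the "tools" array of an MCP tools/list result.
# The two hypothetical_* names are made up for illustration.
SAMPLE_TOOLS = [
    {"name": "pull_request_read"},
    {"name": "pull_request_review_write"},
    {"name": "hypothetical_merge"},
    {"name": "hypothetical_delete_branch"},
]


def filter_mcp_tools(tools, include_tools=None, exclude_tools=None):
    """Return (kept_tools, missing_names).

    include_tools=None -> no allowlist, every server tool is kept.
    include_tools=[]   -> assumption: an empty allowlist exposes nothing.
    exclude_tools takes precedence over include_tools.
    missing_names lists allowlisted names the server did not offer,
    which usually means a typo or a server-side rename.
    """
    exclude = set(exclude_tools or ())
    include = None if include_tools is None else set(include_tools)
    kept = [
        t for t in tools
        if t["name"] not in exclude
        and (include is None or t["name"] in include)
    ]
    offered = {t["name"] for t in tools}
    missing = sorted((include or set()) - offered - exclude)
    return kept, missing


def names(tools):
    """Tool names in server order, for logging or assertions."""
    return [t["name"] for t in tools]


def require_exact(tools, include_tools, exclude_tools=None):
    """Fail-closed variant for CI: raise if an allowlisted tool is absent."""
    kept, missing = filter_mcp_tools(tools, include_tools, exclude_tools)
    if missing:
        raise RuntimeError(f"allowlisted MCP tools not offered: {missing}")
    return kept
```
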