feat: autoapprove readonly mcp tools (#881)

Author: jonathanlab

apps/twig/src/main/services/agent/service.ts

@@ -11,6 +11,7 @@ import {
   type RequestPermissionResponse,
   type SessionConfigOption,
 } from "@agentclientprotocol/sdk";
+import { isMcpToolReadOnly } from "@posthog/agent";
 import { Agent } from "@posthog/agent/agent";
 import {
   fetchGatewayModels,
@@ -1055,6 +1056,22 @@ For git operations while detached:
           optionCount: params.options.length,
         });
 
+        if (toolName && isMcpToolReadOnly(toolName)) {
+          log.info("Auto-approving read-only MCP tool", {
+            taskRunId,
+            toolName,
+          });
+          const allowOption = params.options.find(
+            (o) => o.kind === "allow_once" || o.kind === "allow_always",
+          );
+          return {
+            outcome: {
+              outcome: "selected",
+              optionId: allowOption?.optionId ?? params.options[0].optionId,
+            },
+          };
+        }
+
         // If we have a toolCallId, always prompt the user for permission.
         // The claude.ts adapter only calls requestPermission when user input is needed.
         // (It handles auto-approve internally for acceptEdits/bypassPermissions modes)

packages/agent/src/adapters/claude/claude-agent.ts

@@ -44,6 +44,7 @@ import {
   handleSystemMessage,
   handleUserAssistantMessage,
 } from "./conversion/sdk-to-acp.js";
+import { fetchMcpToolMetadata } from "./mcp/tool-metadata.js";
 import { canUseTool } from "./permissions/permission-handlers.js";
 import { getAvailableSlashCommands } from "./session/commands.js";
 import { parseMcpServers } from "./session/mcp-config.js";
@@ -140,6 +141,7 @@ export class ClaudeAcpAgent extends BaseAcpAgent {
     const permissionMode: TwigExecutionMode = "default";
 
     const mcpServers = parseMcpServers(params);
+    await fetchMcpToolMetadata(mcpServers, this.logger);
 
     const options = buildSessionOptions({
       cwd: params.cwd,
@@ -199,6 +201,7 @@ export class ClaudeAcpAgent extends BaseAcpAgent {
 
     const meta = params._meta as NewSessionMeta | undefined;
     const mcpServers = parseMcpServers(params);
+    await fetchMcpToolMetadata(mcpServers, this.logger);
 
     const { query: q, session } = await this.initializeQuery({
       internalSessionId,

packages/agent/src/adapters/claude/mcp/tool-metadata.ts

@@ -0,0 +1,102 @@
+import type { McpServerConfig } from "@anthropic-ai/claude-agent-sdk";
+import { Client } from "@modelcontextprotocol/sdk/client/index.js";
+import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+import type { Tool } from "@modelcontextprotocol/sdk/types.js";
+import { Logger } from "../../../utils/logger.js";
+
+export interface McpToolMetadata {
+  readOnly: boolean;
+}
+
+const mcpToolMetadataCache: Map<string, McpToolMetadata> = new Map();
+
+function buildToolKey(serverName: string, toolName: string): string {
+  return `mcp__${serverName}__${toolName}`;
+}
+
+function isHttpMcpServer(
+  config: McpServerConfig,
+): config is McpServerConfig & { type: "http"; url: string } {
+  return config.type === "http" && typeof (config as any).url === "string";
+}
+
+async function fetchToolsFromHttpServer(
+  _serverName: string,
+  config: McpServerConfig & { type: "http"; url: string },
+): Promise<Tool[]> {
+  const transport = new StreamableHTTPClientTransport(new URL(config.url), {
+    requestInit: {
+      headers: (config as any).headers || {},
+    },
+  });
+
+  const client = new Client({
+    name: "twig-metadata-fetcher",
+    version: "1.0.0",
+  });
+
+  try {
+    await client.connect(transport);
+    const result = await client.listTools();
+    return result.tools;
+  } finally {
+    await client.close().catch(() => {});
+  }
+}
+
+function extractToolMetadata(tool: Tool): McpToolMetadata {
+  return {
+    readOnly: tool.annotations?.readOnlyHint === true,
+  };
+}
+
+export async function fetchMcpToolMetadata(
+  mcpServers: Record<string, McpServerConfig>,
+  logger: Logger = new Logger({ debug: false, prefix: "[McpToolMetadata]" }),
+): Promise<void> {
+  const fetchPromises: Promise<void>[] = [];
+
+  for (const [serverName, config] of Object.entries(mcpServers)) {
+    if (!isHttpMcpServer(config)) {
+      continue;
+    }
+
+    const fetchPromise = fetchToolsFromHttpServer(serverName, config)
+      .then((tools) => {
+        const toolCount = tools.length;
+        const readOnlyCount = tools.filter(
+          (t) => t.annotations?.readOnlyHint === true,
+        ).length;
+
+        for (const tool of tools) {
+          const toolKey = buildToolKey(serverName, tool.name);
+          mcpToolMetadataCache.set(toolKey, extractToolMetadata(tool));
+        }
+
+        logger.info("Fetched MCP tool metadata", {
+          serverName,
+          toolCount,
+          readOnlyCount,
+        });
+      })
+      .catch((error) => {
+        logger.error("Failed to fetch MCP tool metadata", {
+          serverName,
+          error: error instanceof Error ? error.message : String(error),
+        });
+      });
+
+    fetchPromises.push(fetchPromise);
+  }
+
+  await Promise.all(fetchPromises);
+}
+
+export function isMcpToolReadOnly(toolName: string): boolean {
+  const metadata = mcpToolMetadataCache.get(toolName);
+  return metadata?.readOnly === true;
+}
+
+export function clearMcpToolMetadataCache(): void {
+  mcpToolMetadataCache.clear();
+}

packages/agent/src/adapters/claude/tools.ts

@@ -6,6 +6,7 @@ export {
 } from "../../execution-mode.js";
 
 import type { TwigExecutionMode } from "../../execution-mode.js";
+import { isMcpToolReadOnly } from "./mcp/tool-metadata.js";
 
 export const READ_TOOLS: Set<string> = new Set(["Read", "NotebookRead"]);
 
@@ -44,8 +45,14 @@ export function isToolAllowedForMode(
   toolName: string,
   mode: TwigExecutionMode,
 ): boolean {
-  return (
-    mode === "bypassPermissions" ||
-    AUTO_ALLOWED_TOOLS[mode]?.has(toolName) === true
-  );
+  if (mode === "bypassPermissions") {
+    return true;
+  }
+  if (AUTO_ALLOWED_TOOLS[mode]?.has(toolName) === true) {
+    return true;
+  }
+  if (isMcpToolReadOnly(toolName)) {
+    return true;
+  }
+  return false;
 }

packages/agent/src/index.ts

@@ -23,6 +23,10 @@ export type {
   InProcessAcpConnection,
 } from "./adapters/acp-connection.js";
 export { createAcpConnection } from "./adapters/acp-connection.js";
+export {
+  fetchMcpToolMetadata,
+  isMcpToolReadOnly,
+} from "./adapters/claude/mcp/tool-metadata.js";
 export type { CodexProcessOptions } from "./adapters/codex/spawn.js";
 export { Agent } from "./agent.js";
 export {