feat: VK MCP config now works as an AllowList

[Pratham-Mishra04]

Summary

This PR implements MCP tool governance by enforcing virtual key MCP configurations as an execution-time allow-list. When virtual keys have empty MCPConfigs, all MCP tools are denied. When non-empty, each tool is validated against the configured allow-list at both inference time and MCP tool execution.

Changes

• Context parameter updates: Changed MCP-related functions to use *schemas.BifrostContext instead of context.Context to enable tool tracking
• Tool tracking: Added BifrostContextKeyMCPAddedTools context key to track which MCP tools are added to requests
• Governance enforcement: Virtual key MCP configurations now act as execution-time allow-lists with validation in both PreMCPHook and evaluateGovernanceRequest
• Auto-injection control: Added DisableAutoToolInject configuration option that respects the toggle and skips auto-injection when headers are already set by callers
• Decision type: Added DecisionMCPToolBlocked for MCP tool governance violations
• UI improvements: Updated MCP view description and sidebar item naming for better clarity

Type of change

• Feature
• Bug fix
• Refactor
• Documentation
• Chore/CI

Affected areas

• Core (Go)
• Transports (HTTP)
• Providers/Integrations
• Plugins
• UI (Next.js)
• Docs

How to test

Test MCP tool governance with virtual keys:

# Core/Transports
go version
go test ./...

# Test with virtual key having empty MCPConfigs (should deny all MCP tools)
curl -X POST /v1/chat/completions \
  -H "x-bf-virtual-key: test-vk-empty-mcp" \
  -d '{"model": "gpt-4", "messages": [{"role": "user", "content": "test"}]}'

# Test with virtual key having specific MCP tool allowlist
curl -X POST /v1/chat/completions \
  -H "x-bf-virtual-key: test-vk-with-mcp" \
  -d '{"model": "gpt-4", "messages": [{"role": "user", "content": "test"}]}'

# Test disable auto tool inject configuration
curl -X PUT /v1/config/mcp/disable-auto-tool-inject \
  -d '{"disable": true}'

# UI
cd ui
pnpm i || npm i
pnpm test || npm test
pnpm build || npm run build

New configuration options:

• disable_auto_tool_inject: Boolean flag to disable automatic MCP tool injection
• Virtual key MCPConfigs: Array of MCP client configurations that act as allow-lists

Screenshots/Recordings

UI changes include updated MCP configuration view with clearer descriptions for the disable auto tool injection toggle and improved sidebar navigation labels.

Breaking changes

• Yes
• No

Impact: MCP-related function signatures now require *schemas.BifrostContext instead of context.Context. Virtual keys with empty MCPConfigs will now deny all MCP tools by default.

Migration: Update any custom MCP integrations to use the new context parameter type. Configure MCPConfigs on virtual keys that need MCP tool access.

Related issues

Implements MCP tool governance and execution-time validation for virtual key configurations.

Security considerations

• Access control: Virtual key MCP configurations now enforce strict allow-lists for tool execution
• Context isolation: Tool tracking is isolated per request context to prevent cross-request leakage
• Validation: Both pre-execution and execution-time validation prevent unauthorized tool access

Checklist

• I read docs/contributing/README.md and followed the guidelines
• I added/updated tests where appropriate
• I updated documentation where needed
• I verified builds succeed (Go and UI)
• I verified the CI pipeline passes locally if applicable

[Pratham-Mishra04]

• refactor: standardize empty array conventions for VK Provider Config Allowed Keys #2006 : 2 dependent PRs (#2008 , #2113 )
• feat: VK MCP config now works as an AllowList #1940 👈 (View in Graphite)
• feat: add MCP auto tool injection toggle #1933
• refactor: standardize empty array conventions for VK Provider & MCP Configs, and makes Provider Config weight optional for routing #1932
• v1.5.0

This stack of pull requests is managed by Graphite. Learn more about stacking.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: de969a47-e677-4eca-8e80-6428abaa1d94

📥 Commits

Reviewing files that changed from the base of the PR and between a736638 and 1569c8c.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

---

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • Virtual key MCP configurations now enforce tool access as an execution-time allow-list—tools not permitted by VK settings are blocked at inference and execution.
  • Added option to disable automatic MCP tool injection per request.

• Documentation

  • Updated MCP filtering guidance with clearer configuration and auto-injection behavior details.

• Chores

  • Updated sidebar navigation labels and added testing identifiers.

Walkthrough

Switch MCP APIs from context.Context to *schemas.BifrostContext, record MCP-added tool names in the Bifrost context, and add governance controls: virtual‑key MCP configs enforced as execution‑time allow‑lists plus a DisableAutoToolInject toggle that conditions auto‑injection.

Changes

Cohort / File(s)	Summary
Core: Bifrost caller core/bifrost.go	GetAvailableMCPTools signature changed to accept *schemas.BifrostContext and forwards it to MCP manager.
Core: MCP interface & manager core/mcp/interface.go, core/mcp/mcp.go	Interface and MCPManager methods updated to use *schemas.BifrostContext for AddToolsToRequest, GetAvailableTools, ExecuteToolCall; forwarding logic preserved.
Core: Tools manager core/mcp/toolmanager.go	GetAvailableTools and ParseAndAddToolsToRequest now take *schemas.BifrostContext; dedupe and code‑mode merging adjusted; non‑code tools appended and MCP‑added tool names appended into BifrostContext.
Core: Context keys core/schemas/bifrost.go	Added exported BifrostContextKeyMCPAddedTools to track MCP‑added tool names in the Bifrost context.
Governance plugin plugins/governance/main.go, plugins/governance/resolver.go, plugins/governance/changelog.md	Added DisableAutoToolInject config/state and wiring; enforce VK MCP configs as execution‑time allow‑lists via isMCPToolAllowedByVK; added DecisionMCPToolBlocked and integrated checks in PreMCPHook/evaluate paths.
Transport: server & plugin wiring transports/bifrost-http/server/server.go, transports/bifrost-http/server/plugins.go	Server constructs a NoDeadline *schemas.BifrostContext before calling GetAvailableMCPTools; governance config receives DisableAutoToolInject from transport wiring.
Docs, changelogs & UI docs/features/governance/mcp-tools.mdx, core/changelog.md, transports/changelog.md, plugins/governance/changelog.md, ui/.../mcpView.tsx, ui/components/sidebar.tsx	Docs, changelogs, and UI copy updated to reflect VK allow‑list enforcement, auto‑inject behavior, and minor UI label/test‑id changes.

Sequence Diagram(s)

sequenceDiagram
  participant Client as Client
  participant Transport as Transport
  participant Governance as Governance
  participant MCP as MCPManager
  participant ToolRuntime as ToolRuntime

  Client->>Transport: send request (headers/body)
  Transport->>Transport: build *schemas.BifrostContext (NoDeadline)
  Transport->>Governance: HTTPTransportPreHook (check headers, DisableAutoToolInject)
  Governance-->>Transport: pre-hook decision (allow or skip auto-inject)
  Transport->>MCP: GetAvailableMCPTools(*schemas.BifrostContext)
  MCP->>MCP: enumerate clients, dedupe, mark MCP-added tool names in BifrostContext
  Transport->>MCP: ParseAndAddToolsToRequest(*schemas.BifrostContext, req)
  MCP->>ToolRuntime: ExecuteToolCall(*schemas.BifrostContext, tool)
  ToolRuntime-->>MCP: tool result
  MCP-->>Transport: aggregated tools/results or DecisionMCPToolBlocked
  Transport-->>Client: response

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I hopped through Bifrost, counting tools in tow,

Context tucked with names where quiet markers grow,
Governance listened, gates opened or stayed,
Auto‑inject paused until rules were obeyed,
The rabbit smiled — tidy trails in a row.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 60.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately captures the main feature: VK (virtual key) MCP config functioning as an allow-list, which is the primary objective of this PR.
Description check	✅ Passed	The PR description is comprehensive and well-structured, covering all major template sections including summary, changes, type, affected areas, testing instructions, breaking changes, and security considerations.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch 03-05-feat_virtual_key_mcp_configs_now_act_as_an_execution-time_allow-list

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@core/mcp/toolmanager.go`:
- Around line 197-203: In GetAvailableTools, avoid dereferencing
tool.Function.Name before nil checks and make tool suppression deterministic:
first check tool.Function != nil && tool.Function.Name != "" and only then call
schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools,
tool.Function.Name); next, replace the current global gating on
includeCodeModeTools with a per-tool check (e.g., skip adding the tool only if
!includeCodeModeTools && tool.IsCodeMode or equivalent flag on the tool) and
then use seenToolNames[tool.Function.Name] to deduplicate and append to
availableTools; update references to clientTools, includeCodeModeTools,
seenToolNames, availableTools, and schemas.AppendToContextList accordingly.

In `@plugins/governance/main.go`:
- Around line 1202-1228: The current blind single-tool check using
p.store.GetVirtualKey(virtualKeyValue) lets execution proceed (return req, nil,
nil) if the virtual key is missing/inactive even though
evaluateGovernanceRequest already ran, which creates a race that can allow
unauthorized tool execution; change this to fail-closed: when GetVirtualKey
returns !ok || vk == nil || !vk.IsActive, return an MCPPluginShortCircuit
BifrostError (DecisionMCPToolBlocked, 403) denying execution, and keep the
existing handling for len(vk.MCPConfigs) == 0 and isMCPToolAllowedByVK(vk,
toolName) as-is so empty configs or disallowed tools also return the same
short-circuit error.

In `@transports/changelog.md`:
- Around line 7-8: Remove the duplicated changelog entries by keeping only one
instance of the "feat: add option to disable automatic MCP tool injection per
request" entry and one instance of the "fix: preserve original audio filename in
transcription requests" entry; locate the duplicate lines in
transports/changelog.md (the exact strings above) and delete the repeated
occurrences so each change appears only once in the file.

In `@ui/app/workspace/config/views/mcpView.tsx`:
- Line 185: Update the explanatory sentence in the MCP view text (the JSX string
in mcpView.tsx where the paragraph about header-based tool inclusion is
rendered) to explicitly state that using the x-bf-mcp-include-tools header does
not bypass Virtual Key (VK) MCP execution-time allow-lists; tool injection via
the header is still subject to VK MCP allow-list checks and may be blocked by
them. Locate the paragraph around the existing wording "When enabled, MCP tools
are not automatically included..." and replace it with a clarified sentence that
mentions both the header and the VK MCP allow-lists (keep the existing header
code element <code className="text-xs">x-bf-mcp-include-tools</code> intact).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e14b7c87-859a-40e2-95da-57c4be9301a8

📥 Commits

Reviewing files that changed from the base of the PR and between dae2e01 and df4061c.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

core/mcp/toolmanager.go (1)

193-203: ⚠️ Potential issue | 🟠 Major

Fix nondeterministic tool availability and incorrect MCPAddedTools tracking in GetAvailableTools.

At Line 200, regular tool append is globally gated by includeCodeModeTools, so once any code-mode client is encountered, regular tools may be dropped depending on map iteration order.
At Line 199, BifrostContextKeyMCPAddedTools is updated before confirming the tool was actually added. Also, code-mode tools appended at Lines 212-217 are not tracked.

💡 Proposed fix

 	for clientName, clientTools := range availableToolsPerClient {
 		client := m.clientManager.GetClientByName(clientName)
 		if client == nil {
 			m.logger.Warn("%s Client %s not found, skipping", MCPLogPrefix, clientName)
 			continue
 		}
-		if client.ExecutionConfig.IsCodeModeClient {
+		isCodeModeClient := client.ExecutionConfig.IsCodeModeClient
+		if isCodeModeClient {
 			includeCodeModeTools = true
+			// Code mode tools are injected from m.codeMode.GetTools() below.
+			continue
 		}
 		// Add tools from this client, checking for duplicates
 		for _, tool := range clientTools {
-			if tool.Function != nil && tool.Function.Name != "" && !seenToolNames[tool.Function.Name] {
-				schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
-				if !includeCodeModeTools {
-					availableTools = append(availableTools, tool)
-					seenToolNames[tool.Function.Name] = true
-				}
-			}
+			if tool.Function == nil || tool.Function.Name == "" {
+				continue
+			}
+			if seenToolNames[tool.Function.Name] {
+				continue
+			}
+			availableTools = append(availableTools, tool)
+			seenToolNames[tool.Function.Name] = true
+			schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
 		}
 	}
@@
 	if includeCodeModeTools && m.codeMode != nil {
 		codeModeTools := m.codeMode.GetTools()
 		// Add code mode tools, checking for duplicates
 		for _, tool := range codeModeTools {
 			if tool.Function != nil && tool.Function.Name != "" {
 				if !seenToolNames[tool.Function.Name] {
 					availableTools = append(availableTools, tool)
 					seenToolNames[tool.Function.Name] = true
+					schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
 				}
 			}
 		}
 	}

As per coding guidelines: core/mcp/*.go: “MCP tool access filtering follows a 4-level hierarchy: Global filter → Client-level filter → Tool-level filter → Per-request filter (HTTP headers). All four levels must agree for a tool to be available.”

Also applies to: 212-217

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/mcp/toolmanager.go` around lines 193 - 203, The GetAvailableTools loop
currently gates adding regular tools via a global includeCodeModeTools flag and
updates schemas.BifrostContextKeyMCPAddedTools before confirming addition, which
causes nondeterministic drops and missed tracking; update the logic inside the
clientTools iteration (referencing client.ExecutionConfig.IsCodeModeClient,
includeCodeModeTools, seenToolNames, availableTools, and
schemas.AppendToContextList) so that: evaluate per-tool whether code-mode allows
adding it (do not let a single client set includeCodeModeTools globally to veto
other tools), only call schemas.AppendToContextList when the tool is actually
appended to availableTools or otherwise accepted, mark seenToolNames only upon
successful addition, and ensure the same tracking is applied for code-mode tool
additions (the code-path that appends code-mode tools must also update
seenToolNames and MCPAddedTools).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/governance/main.go`:
- Around line 405-407: The header presence check currently uses a case-sensitive
map lookup on req.Headers (e.g., _, headerPresent :=
req.Headers["x-bf-mcp-include-tools"]) which can miss differently-cased incoming
headers and cause unintended injection; change the logic in the handler that
decides whether to call p.addMCPIncludeTools (and the similar check around lines
412-415) to perform a case-insensitive lookup — either normalize keys with
http.CanonicalHeaderKey or iterate req.Headers and use strings.EqualFold to
detect "x-bf-mcp-include-tools" — and only call addMCPIncludeTools(nil,
virtualKey) when no matching header is found ignoring case.

---

Duplicate comments:
In `@core/mcp/toolmanager.go`:
- Around line 193-203: The GetAvailableTools loop currently gates adding regular
tools via a global includeCodeModeTools flag and updates
schemas.BifrostContextKeyMCPAddedTools before confirming addition, which causes
nondeterministic drops and missed tracking; update the logic inside the
clientTools iteration (referencing client.ExecutionConfig.IsCodeModeClient,
includeCodeModeTools, seenToolNames, availableTools, and
schemas.AppendToContextList) so that: evaluate per-tool whether code-mode allows
adding it (do not let a single client set includeCodeModeTools globally to veto
other tools), only call schemas.AppendToContextList when the tool is actually
appended to availableTools or otherwise accepted, mark seenToolNames only upon
successful addition, and ensure the same tracking is applied for code-mode tool
additions (the code-path that appends code-mode tools must also update
seenToolNames and MCPAddedTools).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5847046b-32f7-41bf-a6ab-c734e9f6a6a4

📥 Commits

Reviewing files that changed from the base of the PR and between df4061c and 9255034.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

🚧 Files skipped from review as they are similar to previous changes (6)

• ui/app/workspace/config/views/mcpView.tsx
• core/mcp/mcp.go
• plugins/governance/resolver.go
• core/bifrost.go
• core/changelog.md
• plugins/governance/changelog.md

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[coderabbitai]

Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

core/bifrost.go (1)

3257-3261: ⚠️ Potential issue | 🟠 Major

Normalize nil context before delegating to the MCP manager.

Public APIs in this file consistently normalize nil contexts to bifrost.ctx (e.g., lines 387–389, 409–411, 683–685). GetAvailableMCPTools breaks that pattern by forwarding nil directly to the MCP manager. While downstream code is safe from panics due to defensive nil checks on ctx.Value(), a nil context will silently skip all request-scoped MCP filtering and tracking—defeating the governance purpose of the new *schemas.BifrostContext contract.

Suggested fix

 func (bifrost *Bifrost) GetAvailableMCPTools(ctx *schemas.BifrostContext) []schemas.ChatTool {
 	if bifrost.MCPManager == nil {
 		return nil
 	}
+	if ctx == nil {
+		ctx = bifrost.ctx
+	}
 	return bifrost.MCPManager.GetAvailableTools(ctx)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/bifrost.go` around lines 3257 - 3261, GetAvailableMCPTools currently
forwards a nil *schemas.BifrostContext to MCPManager.GetAvailableTools which
bypasses request-scoped filtering; update GetAvailableMCPTools to normalize a
nil ctx to bifrost.ctx before delegating (i.e., if ctx == nil { ctx =
bifrost.ctx }) so that MCPManager.GetAvailableTools always receives a valid
context and request-scoped MCP filtering/tracking is enforced; locate this logic
inside the GetAvailableMCPTools method and adjust the variable passed to
MCPManager.GetAvailableTools accordingly.

plugins/governance/main.go (1)

467-479: ⚠️ Potential issue | 🟠 Major

Mirror the auto-inject guard in large-payload mode.

This path still always calls addMCPIncludeTools, so streamed/large-body requests ignore both disable_auto_tool_inject and a caller-supplied x-bf-mcp-include-tools header. That makes governance behavior depend on which request path handled the body.

Proposed fix

-		// MCP tool headers — header-only, no body needed
-		req.Headers, err = p.addMCPIncludeTools(req.Headers, virtualKey)
-		if err != nil {
-			p.logger.Error("failed to add MCP include tools: %v", err)
-			return nil, nil
-		}
+		// MCP tool headers — header-only, no body needed
+		p.cfgMutex.RLock()
+		autoInjectDisabled := p.disableAutoToolInject != nil && *p.disableAutoToolInject
+		p.cfgMutex.RUnlock()
+		headerPresent := false
+		for h := range req.Headers {
+			if strings.EqualFold(h, "x-bf-mcp-include-tools") {
+				headerPresent = true
+				break
+			}
+		}
+		if !autoInjectDisabled && !headerPresent {
+			req.Headers, err = p.addMCPIncludeTools(req.Headers, virtualKey)
+			if err != nil {
+				p.logger.Error("failed to add MCP include tools: %v", err)
+				return nil, nil
+			}
+		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/governance/main.go` around lines 467 - 479, The code path handling
virtualKey calls addMCPIncludeTools unconditionally, which bypasses the same
auto-inject guard used for large/streamed payloads; update the block around
loadBalanceProvider and addMCPIncludeTools to first check the auto-inject guard
(the disable_auto_tool_inject flag and presence of the x-bf-mcp-include-tools
header on req.Headers) and only call p.addMCPIncludeTools when auto-injection is
allowed, mirroring the existing logic used elsewhere so that addMCPIncludeTools,
req.Headers modifications, and logging respect the same conditions; use the same
variables/functions (virtualKey, loadBalanceProvider, addMCPIncludeTools,
req.Headers, disable_auto_tool_inject, x-bf-mcp-include-tools) to locate and
apply the change.

♻️ Duplicate comments (1)

core/mcp/toolmanager.go (1)

193-202: ⚠️ Potential issue | 🔴 Critical

Don't let code-mode clients suppress unrelated MCP tools.

Once any code-mode client flips includeCodeModeTools to true, every later regular tool hits if !includeCodeModeTools and gets dropped, so the returned tool set depends on map iteration order. AppendToContextList also runs before the append, so the context can record tools that were never actually exposed, which can falsely trigger the new governance check.

Proposed fix

 		if client.ExecutionConfig.IsCodeModeClient {
 			includeCodeModeTools = true
+			continue // code mode tools are added below from m.codeMode.GetTools()
 		}
-		// Add tools from this client, checking for duplicates
 		for _, tool := range clientTools {
-			if tool.Function != nil && tool.Function.Name != "" && !seenToolNames[tool.Function.Name] {
-				schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
-				if !includeCodeModeTools {
-					availableTools = append(availableTools, tool)
-					seenToolNames[tool.Function.Name] = true
-				}
-			}
+			if tool.Function == nil || tool.Function.Name == "" || seenToolNames[tool.Function.Name] {
+				continue
+			}
+			availableTools = append(availableTools, tool)
+			seenToolNames[tool.Function.Name] = true
+			schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/mcp/toolmanager.go` around lines 193 - 202, The current logic uses a
global includeCodeModeTools flag so once any client sets
client.ExecutionConfig.IsCodeModeClient true all subsequent non-code tools are
skipped and AppendToContextList runs for tools that may not be added; fix by
treating tools per-client: for each tool from clientTools, check if this client
is a code-mode client (client.ExecutionConfig.IsCodeModeClient) and only allow
adding code-mode tools when includeCodeModeTools is true, otherwise always allow
non-code tools; move the schemas.AppendToContextList call to run only when you
actually append to availableTools and set seenToolNames[tool.Function.Name] only
upon successful append; reference functions/vars:
client.ExecutionConfig.IsCodeModeClient, includeCodeModeTools, clientTools loop,
availableTools, seenToolNames, and
schemas.AppendToContextList/BifrostContextKeyMCPAddedTools.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/features/governance/mcp-tools.mdx`:
- Around line 23-24: The docs incorrectly refer to the config key as
"mcp_disable_auto_tool_inject"; update the text and any notes to use the correct
key "disable_auto_tool_inject" (replace occurrences of
mcp_disable_auto_tool_inject with disable_auto_tool_inject) so the documentation
matches the actual config/json tag used by the plugin and update any surrounding
explanatory text as needed (references: the lines mentioning
x-bf-mcp-include-tools and the note that discusses auto-injection).

In `@plugins/governance/main.go`:
- Around line 405-410: The current check uses
req.CaseInsensitiveHeaderLookup("x-bf-mcp-include-tools") != "" which treats an
explicitly-present empty header as missing; change the logic to detect header
presence (key exists) rather than non-empty value so an explicit empty header
blocks injection. Locate the block around p.cfgMutex, p.disableAutoToolInject
and replace the headerPresent calculation to test for the header key’s existence
(e.g., check the request header map for "x-bf-mcp-include-tools") so that an
explicit header with an empty value is considered present and prevents
reinjection.
- Around line 1089-1110: The function isMCPToolAllowedByVK currently uses
strings.HasPrefix to match client prefixes which allows shorter client names to
incorrectly match longer client names; change the matching logic in
isMCPToolAllowedByVK to first parse the toolPattern into a client segment and an
optional tool suffix (e.g., split on the first '-' or find the first '-') and
then compare that parsed client segment for exact equality with
mcpConfig.MCPClient.Name; for the wildcard case treat pattern client+"-*" by
checking the parsed client equals mcpConfig.MCPClient.Name and then verifying
ToolsToExecute is non-empty, and for specific tools check ToolsToExecute for "*"
or the parsed suffix instead of using strings.HasPrefix.

---

Outside diff comments:
In `@core/bifrost.go`:
- Around line 3257-3261: GetAvailableMCPTools currently forwards a nil
*schemas.BifrostContext to MCPManager.GetAvailableTools which bypasses
request-scoped filtering; update GetAvailableMCPTools to normalize a nil ctx to
bifrost.ctx before delegating (i.e., if ctx == nil { ctx = bifrost.ctx }) so
that MCPManager.GetAvailableTools always receives a valid context and
request-scoped MCP filtering/tracking is enforced; locate this logic inside the
GetAvailableMCPTools method and adjust the variable passed to
MCPManager.GetAvailableTools accordingly.

In `@plugins/governance/main.go`:
- Around line 467-479: The code path handling virtualKey calls
addMCPIncludeTools unconditionally, which bypasses the same auto-inject guard
used for large/streamed payloads; update the block around loadBalanceProvider
and addMCPIncludeTools to first check the auto-inject guard (the
disable_auto_tool_inject flag and presence of the x-bf-mcp-include-tools header
on req.Headers) and only call p.addMCPIncludeTools when auto-injection is
allowed, mirroring the existing logic used elsewhere so that addMCPIncludeTools,
req.Headers modifications, and logging respect the same conditions; use the same
variables/functions (virtualKey, loadBalanceProvider, addMCPIncludeTools,
req.Headers, disable_auto_tool_inject, x-bf-mcp-include-tools) to locate and
apply the change.

---

Duplicate comments:
In `@core/mcp/toolmanager.go`:
- Around line 193-202: The current logic uses a global includeCodeModeTools flag
so once any client sets client.ExecutionConfig.IsCodeModeClient true all
subsequent non-code tools are skipped and AppendToContextList runs for tools
that may not be added; fix by treating tools per-client: for each tool from
clientTools, check if this client is a code-mode client
(client.ExecutionConfig.IsCodeModeClient) and only allow adding code-mode tools
when includeCodeModeTools is true, otherwise always allow non-code tools; move
the schemas.AppendToContextList call to run only when you actually append to
availableTools and set seenToolNames[tool.Function.Name] only upon successful
append; reference functions/vars: client.ExecutionConfig.IsCodeModeClient,
includeCodeModeTools, clientTools loop, availableTools, seenToolNames, and
schemas.AppendToContextList/BifrostContextKeyMCPAddedTools.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: dec13942-8e2e-4d68-9ad7-ee5b4265daab

📥 Commits

Reviewing files that changed from the base of the PR and between 9255034 and 0c1f9ca.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

🚧 Files skipped from review as they are similar to previous changes (7)

• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx
• plugins/governance/changelog.md
• transports/changelog.md
• transports/bifrost-http/server/plugins.go
• core/changelog.md
• transports/bifrost-http/server/server.go

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

core/mcp/toolmanager.go (1)

193-202: ⚠️ Potential issue | 🔴 Critical

Do not let a code-mode client suppress later regular tools.

Line 194 flips a global flag, so after iteration hits any code-mode client, every later regular client is skipped. Because this loop ranges over a map, that makes availableTools nondeterministic. Line 199 also records those skipped tools in BifrostContextKeyMCPAddedTools, so plugins/governance/main.go can reject requests for tools that were never actually injected.

💡 Proposed fix

 	for clientName, clientTools := range availableToolsPerClient {
 		client := m.clientManager.GetClientByName(clientName)
 		if client == nil {
 			m.logger.Warn("%s Client %s not found, skipping", MCPLogPrefix, clientName)
 			continue
 		}
 		if client.ExecutionConfig.IsCodeModeClient {
 			includeCodeModeTools = true
+			// Code mode tools are sourced from m.codeMode.GetTools() below.
+			continue
 		}
 		// Add tools from this client, checking for duplicates
 		for _, tool := range clientTools {
-			if tool.Function != nil && tool.Function.Name != "" && !seenToolNames[tool.Function.Name] {
-				schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
-				if !includeCodeModeTools {
-					availableTools = append(availableTools, tool)
-					seenToolNames[tool.Function.Name] = true
-				}
-			}
+			if tool.Function == nil || tool.Function.Name == "" || seenToolNames[tool.Function.Name] {
+				continue
+			}
+			availableTools = append(availableTools, tool)
+			seenToolNames[tool.Function.Name] = true
+			schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/mcp/toolmanager.go` around lines 193 - 202, The loop currently flips a
global includeCodeModeTools when it sees a code-mode client, causing later
regular clients to be skipped and their names still appended to
BifrostContextKeyMCPAddedTools; change the logic so the "code-mode" decision is
local to the current client iteration (e.g., compute a local bool like
isThisClientCodeMode := client.ExecutionConfig.IsCodeModeClient) and use that to
decide whether to append to availableTools, set
seenToolNames[tool.Function.Name], and call schemas.AppendToContextList(ctx,
schemas.BifrostContextKeyMCPAddedTools, ...); do not mutate a global
includeCodeModeTools that affects subsequent clients and only record a tool in
BifrostContextKeyMCPAddedTools when it is actually added to availableTools.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/governance/main.go`:
- Around line 490-492: The large-payload path is always rewriting the
x-bf-mcp-include-tools header by calling p.addMCPIncludeTools(req.Headers,
virtualKey) even when auto-inject should be disabled; update that path to first
check the same guard used elsewhere (DisableAutoToolInject and whether the
caller provided a specific x-bf-mcp-include-tools value) and only call
p.addMCPIncludeTools when auto-inject is enabled and the header is not already
explicitly set, or alternatively make addMCPIncludeTools respect the
DisableAutoToolInject flag; ensure you reference and preserve req.Headers,
virtualKey, the DisableAutoToolInject flag, and the x-bf-mcp-include-tools
header when implementing the guard.

---

Duplicate comments:
In `@core/mcp/toolmanager.go`:
- Around line 193-202: The loop currently flips a global includeCodeModeTools
when it sees a code-mode client, causing later regular clients to be skipped and
their names still appended to BifrostContextKeyMCPAddedTools; change the logic
so the "code-mode" decision is local to the current client iteration (e.g.,
compute a local bool like isThisClientCodeMode :=
client.ExecutionConfig.IsCodeModeClient) and use that to decide whether to
append to availableTools, set seenToolNames[tool.Function.Name], and call
schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, ...);
do not mutate a global includeCodeModeTools that affects subsequent clients and
only record a tool in BifrostContextKeyMCPAddedTools when it is actually added
to availableTools.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c1964731-1f4b-4e47-ae7e-c43558fee220

📥 Commits

Reviewing files that changed from the base of the PR and between 0c1f9ca and a7173c4.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

🚧 Files skipped from review as they are similar to previous changes (9)

• transports/bifrost-http/server/plugins.go
• plugins/governance/changelog.md
• core/changelog.md
• ui/components/sidebar.tsx
• docs/features/governance/mcp-tools.mdx
• core/bifrost.go
• core/mcp/mcp.go
• core/schemas/bifrost.go
• transports/changelog.md

[coderabbitai]

Actionable comments posted: 2

♻️ Duplicate comments (1)

core/mcp/toolmanager.go (1)

193-203: ⚠️ Potential issue | 🟠 Major

Keep MCP discovery deterministic and only record tools that are actually injected.

Because availableToolsPerClient is a map, setting includeCodeModeTools here makes later regular tools disappear based on iteration order. Also, BifrostContextKeyMCPAddedTools is updated during discovery, so a read-only availability call marks tools as “added”, duplicates skipped by duplicateCheckMap are still recorded, and code-mode tools appended in the later block are never tracked. In this stack that context key feeds MCP governance, so the bookkeeping can drift from the final request payload.

💡 Suggested direction

@@
-		if client.ExecutionConfig.IsCodeModeClient {
-			includeCodeModeTools = true
-		}
-		// Add tools from this client, checking for duplicates
-		for _, tool := range clientTools {
-			if tool.Function != nil && tool.Function.Name != "" && !seenToolNames[tool.Function.Name] {
-				schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
-				if !includeCodeModeTools {
-					availableTools = append(availableTools, tool)
-					seenToolNames[tool.Function.Name] = true
-				}
-			}
-		}
+		if client.ExecutionConfig.IsCodeModeClient {
+			includeCodeModeTools = true
+			continue
+		}
+		for _, tool := range clientTools {
+			if tool.Function == nil || tool.Function.Name == "" || seenToolNames[tool.Function.Name] {
+				continue
+			}
+			availableTools = append(availableTools, tool)
+			seenToolNames[tool.Function.Name] = true
+		}
@@
-				if !duplicateCheckMap[toolName] {
-					tools = append(tools, mcpTool)
-					// Update the map to prevent duplicates within MCP tools as well
-					duplicateCheckMap[toolName] = true
-				}
+				if !duplicateCheckMap[toolName] {
+					tools = append(tools, mcpTool)
+					duplicateCheckMap[toolName] = true
+					schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, toolName)
+				}
@@
-				if !duplicateCheckMap[toolName] {
+				if !duplicateCheckMap[toolName] {
 					responsesTool := mcpTool.ToResponsesTool()
 					// Skip if the converted tool has nil Name
 					if responsesTool.Name == nil {
 						continue
 					}
 
 					tools = append(tools, *responsesTool)
-					// Update the map to prevent duplicates within MCP tools as well
 					duplicateCheckMap[toolName] = true
+					schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, toolName)
 				}

Also applies to: 208-218, 337-349, 387-396

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/mcp/toolmanager.go` around lines 193 - 203, The discovery mutates
includeCodeModeTools and updates BifrostContextKeyMCPAddedTools during iteration
over the map availableToolsPerClient which makes discovery order-dependent and
records tools that may never be injected; fix by iterating clients in a
deterministic order (e.g., sort the map keys), compute per-client
includeCodeModeTools without changing global state for other clients (use a
local variable scoped to each client loop), only call
schemas.AppendToContextList(BifrostContextKeyMCPAddedTools, ...) at the moment
you actually append the tool to availableTools (and when duplicateCheckMap
indicates it's newly injected), and ensure code-mode tools are recorded the same
way when they are finally injected (so duplicateCheckMap/seenToolNames logic and
the code-mode branch both update the context consistently).

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@plugins/governance/changelog.md`:
- Line 1: Changelog uses the transport/client config key
mcp_disable_auto_tool_inject but the governance plugin exposes it as
disable_auto_tool_inject; update the changelog entry in
plugins/governance/changelog.md to reference the plugin config key
disable_auto_tool_inject (and optionally note the transport mapping
mcp_disable_auto_tool_inject) so readers are pointed at the correct public
surface; look for the summary line mentioning mcp_disable_auto_tool_inject and
replace it with disable_auto_tool_inject while keeping the rest of the
description intact.

In `@plugins/governance/main.go`:
- Around line 155-159: The plugin must stop holding a live *bool pointer from
external config; instead snapshot the value into a plugin-owned boolean and
update it only via the plugin's reload/setter path. Replace uses of the shared
pointer (e.g. disableAutoToolInject stored on GovernancePlugin and any similar
fields at lines 267-271) with a plain bool field on GovernancePlugin, initialize
it by copying the dereferenced value under p.cfgMutex (or from the config
snapshot), and provide a dedicated update method invoked by
ReloadClientConfigFromConfigStore (or the config reload flow) to change that
bool under the plugin's mutex; remove any code that directly dereferences
s.Config.ClientConfig.DisableAutoToolInject at request time so concurrent
rewrites cannot race.

---

Duplicate comments:
In `@core/mcp/toolmanager.go`:
- Around line 193-203: The discovery mutates includeCodeModeTools and updates
BifrostContextKeyMCPAddedTools during iteration over the map
availableToolsPerClient which makes discovery order-dependent and records tools
that may never be injected; fix by iterating clients in a deterministic order
(e.g., sort the map keys), compute per-client includeCodeModeTools without
changing global state for other clients (use a local variable scoped to each
client loop), only call
schemas.AppendToContextList(BifrostContextKeyMCPAddedTools, ...) at the moment
you actually append the tool to availableTools (and when duplicateCheckMap
indicates it's newly injected), and ensure code-mode tools are recorded the same
way when they are finally injected (so duplicateCheckMap/seenToolNames logic and
the code-mode branch both update the context consistently).

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f09783bc-41c4-4073-b060-4853a2109e47

📥 Commits

Reviewing files that changed from the base of the PR and between a7173c4 and 237dc14.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

🚧 Files skipped from review as they are similar to previous changes (6)

• plugins/governance/resolver.go
• core/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• core/schemas/bifrost.go
• ui/components/sidebar.tsx
• transports/changelog.md

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

core/bifrost.go (1)

3257-3261: ⚠️ Potential issue | 🟠 Major

Default nil to bifrost.ctx before delegating.

Unlike the other public APIs in this file, this method now passes ctx straight through after the *schemas.BifrostContext migration. That makes GetAvailableMCPTools(nil) a breaking edge case and can crash once the MCP manager touches request-scoped context state for tool tracking/governance.

🛠️ Minimal fix

 func (bifrost *Bifrost) GetAvailableMCPTools(ctx *schemas.BifrostContext) []schemas.ChatTool {
+	if ctx == nil {
+		ctx = bifrost.ctx
+	}
 	if bifrost.MCPManager == nil {
 		return nil
 	}
 	return bifrost.MCPManager.GetAvailableTools(ctx)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/bifrost.go` around lines 3257 - 3261, The GetAvailableMCPTools method
currently forwards the incoming *schemas.BifrostContext directly and can crash
if ctx is nil; update Bifrost.GetAvailableMCPTools to default the parameter to
bifrost.ctx when ctx == nil before calling
bifrost.MCPManager.GetAvailableTools(ctx), preserving the existing nil-check for
bifrost.MCPManager and using the internal bifrost.ctx (of type
*schemas.BifrostContext) as the fallback context for request-scoped state.

♻️ Duplicate comments (1)

core/mcp/toolmanager.go (1)

193-203: ⚠️ Potential issue | 🟠 Major

BifrostContextKeyMCPAddedTools is recording the wrong tool set.

This loop still mixes “discovered” with “actually injected”. Once any code-mode client is seen, if !includeCodeModeTools stops appending later regular MCP tools based on map iteration order, but Line 199 still records those skipped tools in the context. Then plugins/governance/main.go uses that context list as the exact allow-list input, so requests can be rejected for phantom tools while actual code-mode tools appended later are never validated at inference time.

💡 Suggested direction

 	for clientName, clientTools := range availableToolsPerClient {
 		client := m.clientManager.GetClientByName(clientName)
 		if client == nil {
 			m.logger.Warn("%s Client %s not found, skipping", MCPLogPrefix, clientName)
 			continue
 		}
 		if client.ExecutionConfig.IsCodeModeClient {
 			includeCodeModeTools = true
+			continue // code-mode tools come from m.codeMode.GetTools() below
 		}
 		// Add tools from this client, checking for duplicates
 		for _, tool := range clientTools {
-			if tool.Function != nil && tool.Function.Name != "" && !seenToolNames[tool.Function.Name] {
-				schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
-				if !includeCodeModeTools {
-					availableTools = append(availableTools, tool)
-					seenToolNames[tool.Function.Name] = true
-				}
-			}
+			if tool.Function == nil || tool.Function.Name == "" || seenToolNames[tool.Function.Name] {
+				continue
+			}
+			availableTools = append(availableTools, tool)
+			seenToolNames[tool.Function.Name] = true
 		}
 	}

Then move schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, ...) to the two places in ParseAndAddToolsToRequest where a tool is actually appended to the outgoing request, and do the same for appended code-mode tools.

As per coding guidelines, MCP tool access filtering follows a 4-level hierarchy: Global filter → Client-level filter → Tool-level filter → Per-request filter (HTTP headers). All four levels must agree for a tool to be available.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/mcp/toolmanager.go` around lines 193 - 203, The context list
BifrostContextKeyMCPAddedTools is being populated too early for every discovered
tool regardless of whether it is actually appended to the outgoing request;
update ParseAndAddToolsToRequest so schemas.AppendToContextList(ctx,
schemas.BifrostContextKeyMCPAddedTools, ...) is only called at the exact points
where a tool is appended to availableTools (and similarly when code-mode tools
are appended), instead of inside the discovery loop that iterates clientTools
using seenToolNames and includeCodeModeTools; move the AppendToContextList calls
into the two branches that push to availableTools (and the branch that appends
code-mode tools when client.ExecutionConfig.IsCodeModeClient is true) so the
context reflects the true injected tool set used for request validation.

🧹 Nitpick comments (1)

core/mcp/interface.go (1)

23-26: Avoid making callers preserve DisableAutoToolInject by convention.

This comment documents a brittle contract: any partial UpdateToolManagerConfig call can silently flip auto-injection back to false because ToolsManager.UpdateConfig stores the bool unconditionally. Prefer a dedicated setter or an optional field here so “unchanged” is representable and unrelated runtime updates can’t widen tool exposure accidentally.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/mcp/interface.go` around lines 23 - 26, The current
UpdateToolManagerConfig(config *schemas.MCPToolManagerConfig) API forces callers
to preserve DisableAutoToolInject by convention, which is brittle; change the
contract so “unchanged” is representable and unrelated updates cannot flip the
flag. Modify the config type or API so DisableAutoToolInject is optional (e.g.,
make DisableAutoToolInject *bool on schemas.MCPToolManagerConfig or add a
separate SetDisableAutoToolInject(bool) method) and update
ToolsManager.UpdateConfig to only overwrite the existing setting when the
incoming optional value is non-nil; alternatively add a dedicated
ToolsManager.SetDisableAutoToolInject setter and document using it for toggles
while UpdateConfig only updates other fields.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/features/governance/mcp-tools.mdx`:
- Line 24: The sentence about skipping auto-injection when the caller supplies
the x-bf-mcp-include-tools header is ambiguous about when the VK allow-list is
enforced; update the bullet so it explicitly states that the VK allow-list is
enforced both at inference time (when deciding whether to allow tool inclusion)
and again at MCP tool execution time, e.g., rephrase to: "If the caller already
includes an `x-bf-mcp-include-tools` header, auto-injection is skipped — but the
VK allow-list is enforced at inference time and still enforced again at MCP tool
execution time." Include the terms `x-bf-mcp-include-tools` and "VK allow-list"
exactly to match other docs.

---

Outside diff comments:
In `@core/bifrost.go`:
- Around line 3257-3261: The GetAvailableMCPTools method currently forwards the
incoming *schemas.BifrostContext directly and can crash if ctx is nil; update
Bifrost.GetAvailableMCPTools to default the parameter to bifrost.ctx when ctx ==
nil before calling bifrost.MCPManager.GetAvailableTools(ctx), preserving the
existing nil-check for bifrost.MCPManager and using the internal bifrost.ctx (of
type *schemas.BifrostContext) as the fallback context for request-scoped state.

---

Duplicate comments:
In `@core/mcp/toolmanager.go`:
- Around line 193-203: The context list BifrostContextKeyMCPAddedTools is being
populated too early for every discovered tool regardless of whether it is
actually appended to the outgoing request; update ParseAndAddToolsToRequest so
schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, ...) is
only called at the exact points where a tool is appended to availableTools (and
similarly when code-mode tools are appended), instead of inside the discovery
loop that iterates clientTools using seenToolNames and includeCodeModeTools;
move the AppendToContextList calls into the two branches that push to
availableTools (and the branch that appends code-mode tools when
client.ExecutionConfig.IsCodeModeClient is true) so the context reflects the
true injected tool set used for request validation.

---

Nitpick comments:
In `@core/mcp/interface.go`:
- Around line 23-26: The current UpdateToolManagerConfig(config
*schemas.MCPToolManagerConfig) API forces callers to preserve
DisableAutoToolInject by convention, which is brittle; change the contract so
“unchanged” is representable and unrelated updates cannot flip the flag. Modify
the config type or API so DisableAutoToolInject is optional (e.g., make
DisableAutoToolInject *bool on schemas.MCPToolManagerConfig or add a separate
SetDisableAutoToolInject(bool) method) and update ToolsManager.UpdateConfig to
only overwrite the existing setting when the incoming optional value is non-nil;
alternatively add a dedicated ToolsManager.SetDisableAutoToolInject setter and
document using it for toggles while UpdateConfig only updates other fields.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7be51428-8abc-46cb-a6f2-436c15fc4c81

📥 Commits

Reviewing files that changed from the base of the PR and between 237dc14 and 266c534.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

✅ Files skipped from review due to trivial changes (2)

• ui/app/workspace/config/views/mcpView.tsx
• core/changelog.md

🚧 Files skipped from review as they are similar to previous changes (4)

• core/schemas/bifrost.go
• plugins/governance/resolver.go
• ui/components/sidebar.tsx
• core/mcp/mcp.go

[coderabbitai]

♻️ Duplicate comments (1)

core/mcp/toolmanager.go (1)

194-204: ⚠️ Potential issue | 🟠 Major

Order-dependent tool suppression in GetAvailableTools can drop valid tools and overpopulate governance context.

includeCodeModeTools is toggled inside the same client loop and immediately used to gate availableTools appends. That makes regular MCP tool inclusion depend on client iteration order, while BifrostContextKeyMCPAddedTools is still populated for skipped tools. This can cause inconsistent tool injection and false governance denials downstream.

💡 Suggested fix

 func (m *ToolsManager) GetAvailableTools(ctx *schemas.BifrostContext) []schemas.ChatTool {
 	availableToolsPerClient := m.clientManager.GetToolPerClient(ctx)
 	// Flatten tools from all clients into a single slice, avoiding duplicates
 	var availableTools []schemas.ChatTool
 	var includeCodeModeTools bool
 	// Track tool names to prevent duplicates
 	seenToolNames := make(map[string]bool)

+	// Pass 1: detect if any client enables code mode.
+	for clientName := range availableToolsPerClient {
+		client := m.clientManager.GetClientByName(clientName)
+		if client != nil && client.ExecutionConfig.IsCodeModeClient {
+			includeCodeModeTools = true
+			break
+		}
+	}
+
+	// Pass 2: collect regular MCP tools deterministically.
 	for clientName, clientTools := range availableToolsPerClient {
 		client := m.clientManager.GetClientByName(clientName)
 		if client == nil {
 			m.logger.Warn("%s Client %s not found, skipping", MCPLogPrefix, clientName)
 			continue
 		}
 		if client.ExecutionConfig.IsCodeModeClient {
-			includeCodeModeTools = true
+			continue
 		}
 		// Add tools from this client, checking for duplicates
 		for _, tool := range clientTools {
 			if tool.Function != nil && tool.Function.Name != "" && !seenToolNames[tool.Function.Name] {
 				seenToolNames[tool.Function.Name] = true
 				schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
-				if !includeCodeModeTools {
-					availableTools = append(availableTools, tool)
-				}
+				availableTools = append(availableTools, tool)
 			}
 		}
 	}

#!/bin/bash
# Verify the order-sensitive gating and downstream context consumption.
rg -nC3 --type go 'for clientName, clientTools := range availableToolsPerClient|includeCodeModeTools|AppendToContextList\(ctx, schemas\.BifrostContextKeyMCPAddedTools|if !includeCodeModeTools' core/mcp/toolmanager.go
rg -nC3 --type go 'BifrostContextKeyMCPAddedTools' core/mcp/toolmanager.go plugins/governance/main.go

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/mcp/toolmanager.go` around lines 194 - 204, GetAvailableTools currently
toggles includeCodeModeTools inside the client loop and immediately uses it to
decide whether to append to availableTools while always calling
schemas.AppendToContextList with schemas.BifrostContextKeyMCPAddedTools, causing
order-dependent suppression and stale governance context; fix by determining
includeCodeModeTools for all clients before the per-client tool loop (e.g., a
preliminary pass over availableToolsPerClient or using ExecutionConfig flags),
then in the second pass only call schemas.AppendToContextList and append to
availableTools based on that fully-resolved includeCodeModeTools value so that
tool inclusion and BifrostContextKeyMCPAddedTools stay consistent regardless of
client iteration order.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@core/mcp/toolmanager.go`:
- Around line 194-204: GetAvailableTools currently toggles includeCodeModeTools
inside the client loop and immediately uses it to decide whether to append to
availableTools while always calling schemas.AppendToContextList with
schemas.BifrostContextKeyMCPAddedTools, causing order-dependent suppression and
stale governance context; fix by determining includeCodeModeTools for all
clients before the per-client tool loop (e.g., a preliminary pass over
availableToolsPerClient or using ExecutionConfig flags), then in the second pass
only call schemas.AppendToContextList and append to availableTools based on that
fully-resolved includeCodeModeTools value so that tool inclusion and
BifrostContextKeyMCPAddedTools stay consistent regardless of client iteration
order.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8f34d1ef-915a-4114-845f-689001f786fd

📥 Commits

Reviewing files that changed from the base of the PR and between 1124ac4 and 3d47165.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

🚧 Files skipped from review as they are similar to previous changes (10)

• ui/app/workspace/config/views/mcpView.tsx
• docs/features/governance/mcp-tools.mdx
• plugins/governance/resolver.go
• core/bifrost.go
• core/mcp/interface.go
• transports/bifrost-http/server/plugins.go
• plugins/governance/changelog.md
• ui/components/sidebar.tsx
• core/changelog.md
• transports/changelog.md

[coderabbitai]

♻️ Duplicate comments (1)

core/mcp/toolmanager.go (1)

194-204: ⚠️ Potential issue | 🟠 Major

Code-mode detection is still suppressing regular MCP tools nondeterministically.

Line 194 flips a global flag, and Line 202 uses it to skip appending non-code tools. Because map iteration order is undefined, regular tools may disappear depending on which client is visited first.

💡 Proposed fix

 	for clientName, clientTools := range availableToolsPerClient {
 		client := m.clientManager.GetClientByName(clientName)
 		if client == nil {
 			m.logger.Warn("%s Client %s not found, skipping", MCPLogPrefix, clientName)
 			continue
 		}
-		if client.ExecutionConfig.IsCodeModeClient {
+		isCodeModeClient := client.ExecutionConfig.IsCodeModeClient
+		if isCodeModeClient {
 			includeCodeModeTools = true
+			// Code-mode tools are sourced from m.codeMode.GetTools() below.
+			continue
 		}
 		// Add tools from this client, checking for duplicates
 		for _, tool := range clientTools {
 			if tool.Function != nil && tool.Function.Name != "" && !seenToolNames[tool.Function.Name] {
 				seenToolNames[tool.Function.Name] = true
 				schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
-				if !includeCodeModeTools {
-					availableTools = append(availableTools, tool)
-				}
+				availableTools = append(availableTools, tool)
 			}
 		}
 	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/mcp/toolmanager.go` around lines 194 - 204, The code flips the global
includeCodeModeTools flag using client.ExecutionConfig.IsCodeModeClient and then
uses it while iterating clientTools, which makes omission of non-code tools
nondeterministic due to map iteration order; change the logic to compute a
per-client boolean (e.g., perClientIsCodeMode :=
client.ExecutionConfig.IsCodeModeClient) inside the client loop and use that
local flag when deciding whether to append to availableTools, leaving
seenToolNames and schemas.AppendToContextList behavior unchanged so tools from
non-code clients are never suppressed by a prior code-mode client.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@core/mcp/toolmanager.go`:
- Around line 194-204: The code flips the global includeCodeModeTools flag using
client.ExecutionConfig.IsCodeModeClient and then uses it while iterating
clientTools, which makes omission of non-code tools nondeterministic due to map
iteration order; change the logic to compute a per-client boolean (e.g.,
perClientIsCodeMode := client.ExecutionConfig.IsCodeModeClient) inside the
client loop and use that local flag when deciding whether to append to
availableTools, leaving seenToolNames and schemas.AppendToContextList behavior
unchanged so tools from non-code clients are never suppressed by a prior
code-mode client.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 33940a4d-0f82-4952-b77f-159f0a72719c

📥 Commits

Reviewing files that changed from the base of the PR and between 3d47165 and 10fab26.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

✅ Files skipped from review due to trivial changes (1)

• plugins/governance/changelog.md

🚧 Files skipped from review as they are similar to previous changes (10)

• core/changelog.md
• transports/bifrost-http/server/server.go
• ui/app/workspace/config/views/mcpView.tsx
• docs/features/governance/mcp-tools.mdx
• core/schemas/bifrost.go
• ui/components/sidebar.tsx
• plugins/governance/resolver.go
• core/bifrost.go
• transports/changelog.md
• core/mcp/interface.go

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@ui/components/sidebar.tsx`:
- Around line 243-255: Add stable data-testid attributes to the interactive
SidebarMenuButton instances so UI tests can target them reliably: update the
SidebarMenuButton at the first block (the button rendering that uses
hasSubItems, onClick={hasSubItems ? handleClick : item.hasAccess ? (e) =>
handleNavigation(item.url, e) : undefined}) to include a data-testid following
the pattern "data-testid=\"nav-button-<qualifier>\"" (use a stable qualifier
derived from the item, e.g., item.id or a slugified item.title); do the same for
the other interactive control in the later block (the submenu toggle / link
around lines 290-301) using a complementary testid like
"nav-submenu-toggle-<qualifier>" so both top-level buttons and submenu toggles
have predictable testids.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8385c914-aec6-43fb-bb9d-02c3a58b5cf9

📥 Commits

Reviewing files that changed from the base of the PR and between 10fab26 and 3148afc.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

🚧 Files skipped from review as they are similar to previous changes (10)

• ui/app/workspace/config/views/mcpView.tsx
• transports/bifrost-http/server/server.go
• docs/features/governance/mcp-tools.mdx
• core/bifrost.go
• transports/changelog.md
• plugins/governance/changelog.md
• core/schemas/bifrost.go
• core/mcp/mcp.go
• transports/bifrost-http/server/plugins.go
• core/changelog.md

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

core/bifrost.go (1)

3408-3413: ⚠️ Potential issue | 🟡 Minor

Don't forward a nil BifrostContext here.

This public MCP entrypoint is now the only one in core/bifrost.go that delegates a possibly-nil context downstream instead of normalizing it first. That makes the context.Context → *schemas.BifrostContext migration easy to regress at runtime and leaves the behavior up to MCPManager.GetAvailableTools.

💡 Proposed fix

 func (bifrost *Bifrost) GetAvailableMCPTools(ctx *schemas.BifrostContext) []schemas.ChatTool {
 	if bifrost.MCPManager == nil {
 		return nil
 	}
+	if ctx == nil {
+		ctx = bifrost.ctx
+	}
 	return bifrost.MCPManager.GetAvailableTools(ctx)
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/bifrost.go` around lines 3408 - 3413, GetAvailableMCPTools currently
forwards a potentially nil *schemas.BifrostContext to
MCPManager.GetAvailableTools; ensure the context is normalized first by guarding
for nil in Bifrost.GetAvailableMCPTools (check ctx == nil) and creating a
default &schemas.BifrostContext{} (or using the package's existing
context-normalization helper if one exists) before calling
bifrost.MCPManager.GetAvailableTools(ctx) so downstream code never receives a
nil context.

♻️ Duplicate comments (2)

core/mcp/toolmanager.go (1)

194-203: ⚠️ Potential issue | 🟠 Major

Code-mode dedupe order can suppress code-mode tool injection and misreport MCP-added tools.

Line 200 marks code-mode client tools as seen and Line 201 records them in BifrostContextKeyMCPAddedTools, but Line 202 skips adding them to availableTools. Then Line 215 skips the same names from m.codeMode.GetTools(). This can drop code-mode tools entirely while still reporting them as “added.”

♻️ Proposed fix

 		if client.ExecutionConfig.IsCodeModeClient {
 			includeCodeModeTools = true
+			// Code mode tools are sourced from m.codeMode.GetTools() below.
+			continue
 		}
 		// Add tools from this client, checking for duplicates
 		for _, tool := range clientTools {
 			if tool.Function != nil && tool.Function.Name != "" && !seenToolNames[tool.Function.Name] {
 				seenToolNames[tool.Function.Name] = true
 				schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools, tool.Function.Name)
-				if !client.ExecutionConfig.IsCodeModeClient {
-					availableTools = append(availableTools, tool)
-				}
+				availableTools = append(availableTools, tool)
 			}
 		}

Also applies to: 210-217

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@core/mcp/toolmanager.go` around lines 194 - 203, The current loop marks
code-mode client tool names as seen and logs them to
BifrostContextKeyMCPAddedTools before adding them to availableTools, then skips
adding code-mode tools and later skips m.codeMode.GetTools() by name, which can
drop code-mode tools while still reporting them as added; fix by changing the
logic in the clientTools loop (where client.ExecutionConfig.IsCodeModeClient is
checked) so that you only mark seenToolNames[tool.Function.Name] = true and call
schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools,
tool.Function.Name) after you actually append the tool to availableTools (i.e.,
do not skip appending for code-mode tools or alternatively append them first
when client.ExecutionConfig.IsCodeModeClient), and keep the
m.codeMode.GetTools() filter using seenToolNames to avoid duplicates—this
ensures availableTools and the MCP-added context list remain consistent with
m.codeMode.GetTools() deduping.

plugins/governance/main.go (1)

1022-1050: ⚠️ Potential issue | 🟠 Major

Inference-time MCP validation still ignores caller-supplied request tools.

At Line 1027, the check only inspects BifrostContextKeyMCPAddedTools (auto-added tools). Tools provided directly on the incoming request can bypass this inference-time check and only get blocked later in PreMCPHook, which weakens the stated inference-time + execution-time enforcement behavior.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@plugins/governance/main.go` around lines 1022 - 1050, The inference-time MCP
validation only checks BifrostContextKeyMCPAddedTools and ignores
caller-supplied tools; update the block that builds and checks addedTools to
also retrieve the caller-supplied request tools (e.g., from the incoming request
object or a context key such as a request-tools key) and merge them into a
single slice (e.g., toolsToValidate), then run the same validation loop using
isMCPToolAllowedByVK against result.VirtualKey.MCPConfigs and produce
DecisionMCPToolBlocked/Reason using result.VirtualKey when any tool in
toolsToValidate is disallowed; ensure empty/missing combined lists are treated
the same as the current logic.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@core/bifrost.go`:
- Around line 3408-3413: GetAvailableMCPTools currently forwards a potentially
nil *schemas.BifrostContext to MCPManager.GetAvailableTools; ensure the context
is normalized first by guarding for nil in Bifrost.GetAvailableMCPTools (check
ctx == nil) and creating a default &schemas.BifrostContext{} (or using the
package's existing context-normalization helper if one exists) before calling
bifrost.MCPManager.GetAvailableTools(ctx) so downstream code never receives a
nil context.

---

Duplicate comments:
In `@core/mcp/toolmanager.go`:
- Around line 194-203: The current loop marks code-mode client tool names as
seen and logs them to BifrostContextKeyMCPAddedTools before adding them to
availableTools, then skips adding code-mode tools and later skips
m.codeMode.GetTools() by name, which can drop code-mode tools while still
reporting them as added; fix by changing the logic in the clientTools loop
(where client.ExecutionConfig.IsCodeModeClient is checked) so that you only mark
seenToolNames[tool.Function.Name] = true and call
schemas.AppendToContextList(ctx, schemas.BifrostContextKeyMCPAddedTools,
tool.Function.Name) after you actually append the tool to availableTools (i.e.,
do not skip appending for code-mode tools or alternatively append them first
when client.ExecutionConfig.IsCodeModeClient), and keep the
m.codeMode.GetTools() filter using seenToolNames to avoid duplicates—this
ensures availableTools and the MCP-added context list remain consistent with
m.codeMode.GetTools() deduping.

In `@plugins/governance/main.go`:
- Around line 1022-1050: The inference-time MCP validation only checks
BifrostContextKeyMCPAddedTools and ignores caller-supplied tools; update the
block that builds and checks addedTools to also retrieve the caller-supplied
request tools (e.g., from the incoming request object or a context key such as a
request-tools key) and merge them into a single slice (e.g., toolsToValidate),
then run the same validation loop using isMCPToolAllowedByVK against
result.VirtualKey.MCPConfigs and produce DecisionMCPToolBlocked/Reason using
result.VirtualKey when any tool in toolsToValidate is disallowed; ensure
empty/missing combined lists are treated the same as the current logic.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6f7d35dc-ff13-4f8a-945c-97116de5ced7

📥 Commits

Reviewing files that changed from the base of the PR and between 3148afc and a736638.

📒 Files selected for processing (15)

• core/bifrost.go
• core/changelog.md
• core/mcp/interface.go
• core/mcp/mcp.go
• core/mcp/toolmanager.go
• core/schemas/bifrost.go
• docs/features/governance/mcp-tools.mdx
• plugins/governance/changelog.md
• plugins/governance/main.go
• plugins/governance/resolver.go
• transports/bifrost-http/server/plugins.go
• transports/bifrost-http/server/server.go
• transports/changelog.md
• ui/app/workspace/config/views/mcpView.tsx
• ui/components/sidebar.tsx

🚧 Files skipped from review as they are similar to previous changes (6)

• core/changelog.md
• plugins/governance/resolver.go
• ui/app/workspace/config/views/mcpView.tsx
• plugins/governance/changelog.md
• transports/bifrost-http/server/server.go
• ui/components/sidebar.tsx

[Pratham-Mishra04]

Merge activity

• Mar 18, 11:57 AM UTC: A user started a stack merge that includes this pull request via Graphite.
• Mar 18, 12:04 PM UTC: Graphite rebased this pull request as part of a merge.
• Mar 18, 12:05 PM UTC: @Pratham-Mishra04 merged this pull request with Graphite.