Description
Is your feature request related to a problem? Please describe.
The spec suggests "Prompt for user confirmation on sensitive operations", however, there is no way for the client to know which tools are causing sensitive operations. It's not clearly defined, and this leads to a wide range of different behavior amongst current client implementations:
Cursor IDE asks for consent on every single operation, Claude Desktop allows users to give consent once per chat and some other clients don't ask at all.
Agent workflows that issue 30+ tool calls on a task can become quite annoying to work with if the client prompts for every one of them, as Cursor IDE does, for example.
Example:
Some servers like filesystem are already configured with a certain file path, which can be assumed to be the user's intention to share as context, so listing directories or reading files could be considered safe, while writing files is probably still a "sensitive operation". This way, many tool calls don't need interaction.
Describe the solution you'd like
Servers could suggest a sensitivity or security policy. This could be a simple enum property on the tool properties, which describes security: ['sensitive', 'safe'] (naming TBD), or, simpler, sensitive: boolean, which would default to true if unspecified but gives the server the ability to define tools that can be called without interaction.
Describe alternatives you've considered
Potentially, the tool properties are the wrong place, since reading a database could be considered safe in some scenarios, while very sensitive in others. So the sensitivity is potentially not determined by the action itself (i.e. database read), but by the accessed data that is being used by the tool. It might rather define "read-only", "read-write" and "write-only" and then instead have the user define what operations they want to be prompted for on certain resources (certain URLs or domains, databases, files/paths, etc.).
Example: Some files might be fine to read and even write, but it might not be necessary for the agent to read your .secrets or .env files without prior consent.
Additional context
I'm building an MCP server plugin for a game engine. The agent frequently needs to query the scene in different ways to make a decision on how to change it. These query operations are all not sensitive and make up 90% of the tool calls.
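The following is an added example, not code from the issue, from the MCP specification, or from any MCP SDK. It sketches how a client could make the consent decision that the two proposals above imply: a server-declared `sensitive` flag that defaults to true when absent, and an access-mode classification (`read-only` / `read-write` / `write-only`) combined with user-defined resource rules for paths such as `.env` or `.secrets` files that must always prompt. The field names (`sensitive`, `access`, `path_args`), the sample tools and the sample calls are assumptions constructed for illustration.

```python
"""Client-side consent policy for MCP tool calls (constructed example).

Models two ideas from the issue:
  1. a server-declared `sensitive` flag per tool, treated as True when absent;
  2. an access-mode hint plus user-defined resource rules (protected path
     patterns) that always require a prompt, whatever the server declares.
Field names, tools and calls below are hypothetical, not from any MCP SDK.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from fnmatch import fnmatch
from typing import Any, Optional


@dataclass(frozen=True)
class ToolInfo:
    name: str
    sensitive: Optional[bool] = None      # hypothetical server hint (proposal 1)
    access: Optional[str] = None          # hypothetical "read-only" etc. (proposal 2)
    path_args: tuple[str, ...] = ()       # assumed: argument names that carry file paths


@dataclass
class ConsentPolicy:
    # User-defined: path globs that always need a prompt, regardless of tool hints.
    protected_paths: tuple[str, ...] = ("*.env", "*.secrets", "*/.ssh/*")
    # User-defined: access modes that may run without a prompt on unprotected resources.
    auto_approve_modes: frozenset[str] = frozenset({"read-only"})
    # Per-session grants, i.e. the "consent once per chat" behaviour the issue mentions.
    granted: set[str] = field(default_factory=set)


def _touches_protected(tool: ToolInfo, args: dict[str, Any], policy: ConsentPolicy) -> bool:
    """True if any path-carrying argument matches a user-protected pattern."""
    for key in tool.path_args:
        value = args.get(key)
        if isinstance(value, str) and any(fnmatch(value, pat) for pat in policy.protected_paths):
            return True
    return False


def needs_consent(tool: ToolInfo, args: dict[str, Any], policy: ConsentPolicy) -> bool:
    """Decide whether the client must prompt the user before running this call."""
    # User resource rules win over both server hints and session grants.
    if _touches_protected(tool, args, policy):
        return True
    if tool.name in policy.granted:
        return False
    # An explicit server flag is honoured as-is.
    if tool.sensitive is not None:
        return tool.sensitive
    # Otherwise fall back to the access-mode hint ...
    if tool.access in policy.auto_approve_modes:
        return False
    # ... and for unannotated tools keep the issue's "default true": prompt.
    return True


def grant_for_session(tool: ToolInfo, policy: ConsentPolicy) -> None:
    """Record a once-per-chat grant for a tool (protected paths still prompt)."""
    policy.granted.add(tool.name)


# Constructed sample tools: a filesystem server and the issue's game-engine query.
LIST_DIR = ToolInfo("list_directory", access="read-only", path_args=("path",))
READ_FILE = ToolInfo("read_file", access="read-only", path_args=("path",))
WRITE_FILE = ToolInfo("write_file", access="read-write", path_args=("path",))
QUERY_SCENE = ToolInfo("query_scene", sensitive=False)   # server marks it safe
LEGACY_TOOL = ToolInfo("legacy_tool")                     # no annotations at all


def demo() -> list[bool]:
    """Run a constructed sequence of calls and return the prompt decision for each."""
    policy = ConsentPolicy()
    calls = [
        (LIST_DIR, {"path": "/proj/src"}),            # read-only, unprotected
        (READ_FILE, {"path": "/proj/src/main.py"}),   # read-only, unprotected
        (READ_FILE, {"path": "/proj/.env"}),          # read-only but protected
        (WRITE_FILE, {"path": "/proj/src/main.py"}),  # read-write
        (QUERY_SCENE, {"query": "lights"}),           # server says not sensitive
        (LEGACY_TOOL, {}),                            # unannotated, default prompts
    ]
    return [needs_consent(tool, args, policy) for tool, args in calls]


if __name__ == "__main__":
    for decision in demo():
        print("prompt" if decision else "auto-approve")
```

The ordering inside `needs_consent` is the security-relevant design choice: a user's own resource rule is checked first, so a server that declares itself `sensitive: false` cannot opt a `.env` read out of the prompt, and a once-per-chat grant for `write_file` still does not silently cover writes to protected files.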