Member

@irfan-ahmed irfan-ahmed commented Dec 12, 2025

Description

The PR adds guardrails to some of the commands that can change the configuration of the OCI system. The changes include:

  • Updated the delete/terminate/update tools to add a warning and destructiveHint. Also updated the description to make sure that the AI client asks for a confirmation before proceeding with the tool execution
  • Generated new denylist from oci-cli version 3.71.1
  • Bumped up the versions of servers that have this change

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

  1. Check out this PR and build it. You can refer to https://github.com/oracle/mcp?tab=readme-ov-file#local-development to learn how to build the MCP servers
  2. Use https://github.com/oracle/mcp?tab=readme-ov-file#cline to configure Cline to use the locally built MCP servers
  3. Try to issue a prompt that deletes a configuration object. For example, if you are using the oci-api-mcp-server, you can use the following prompts:

       List instances in the compartment xyz
       Delete instance abc in compartment xyz

You should verify that Cline will not execute the command even when you approve it, as it will hit the denylist.

  1. You can set up another MCP server similarly, such as compute. Disable the oci-api-mcp-server and issue a prompt to delete the instance. It should ask for confirmation.

  2. Alternatively, you can also install and start Ollama with gpt-oss and use mcphost to issue prompts. Follow the steps listed at https://github.com/oracle/mcp?tab=readme-ov-file#mcphost
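
The two layers this description tests, as an added example that is not the project's code: a server-side denylist that blocks a command even after the user approves it, and a client-side confirmation decision driven by tool annotations. The denylist format, the sample entries, the tool table and all function names are assumptions made for illustration.

```python
import shlex

# Constructed sample data (assumed format), not the project's generated denylist.
SAMPLE_DENYLIST = {
    "cli_version": "3.71.1",  # CLI version the list was generated from
    "commands": ["compute instance terminate", "network vcn delete"],
}
# Hypothetical tool table; readOnlyHint/destructiveHint are MCP tool annotations.
SAMPLE_TOOLS = {
    "list_instances": {"readOnlyHint": True},
    "terminate_instance": {"destructiveHint": True},
    "unannotated_tool": {},
}


def command_words(command_line):
    """Lower-cased tokens of a CLI line with option tokens (-x, --x, --x=y) removed."""
    return [t.lower() for t in shlex.split(command_line) if not t.startswith("-")]


def is_denied(command_line, denylist=SAMPLE_DENYLIST):
    """True if a denied command appears as a contiguous word run anywhere in the line.

    Matching anywhere, not only at the start, fails closed when global options
    precede the sub-command (for example `oci --profile X compute instance terminate`).
    """
    words = command_words(command_line)
    for entry in denylist["commands"]:
        denied = entry.split()
        for i in range(len(words) - len(denied) + 1):
            if words[i:i + len(denied)] == denied:
                return True
    return False


def run_cli_tool(command_line, user_approved):
    """Server-side gate: the denylist is checked first, so approval cannot override it."""
    if is_denied(command_line):
        return "blocked: denylist"
    if not user_approved:
        return "blocked: not approved"
    return "allowed"


def needs_confirmation(tool_name, tools=SAMPLE_TOOLS):
    """Client-side policy using the MCP defaults: readOnlyHint=False, destructiveHint=True."""
    annotations = tools[tool_name]
    if annotations.get("readOnlyHint", False):
        return False
    return annotations.get("destructiveHint", True)
```

The annotation check only works if the client honours it, while the denylist check runs in the server regardless of what the model or user decides.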

@oracle-contributor-agreement oracle-contributor-agreement bot added the "OCA Verified" label (All contributors have signed the Oracle Contributor Agreement.) Dec 12, 2025
@irfan-ahmed irfan-ahmed force-pushed the irfan/guard-rails branch 5 times, most recently from 8067b77 to e58ba1f Compare December 15, 2025 15:52
"Deletes the specified instance. WARNING: This action is destructive and cannot be undone. It will "
"permanently delete the instance and all associated data. The AI client must inform the user of this "
"destructive nature and ask for explicit confirmation before executing this tool. Do not attempt "
"this operation without getting a confirmations from the user."
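Review bot: The last line of this description string reads "a confirmations from the user" and should read "a confirmation from the user"; because the string is sent to the model as the tool description, the typo ships in the prompt. The confirmation requirement is also carried only by this wording, which depends on the model following it, so the tool's documentation should say that the text is advisory and name the destructiveHint annotation and the denylist as the other safeguards in this change.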
Member

@shopewf shopewf Dec 22, 2025


So do we have a standard annotation for this type of destructive behavior? Is adding destructiveHint not enough? Should we add this to the best practices doc? If this is left off, is there no explicit confirmation from the user to perform this action?

Member Author


In my testing, I was seeing that without this, the GPT-oss model would be inconsistent in showing a warning. Once I added this, it always shows a confirmation before executing the task.

- Updated the delete/terminate/update tools to add a warning and destructiveHint. Also updated the description to make sure that the AI client asks for a confirmation before proceeding with the tool execution
- Generated new denylist from oci-cli version 3.71.1
- Bumped up the versions of servers that have this change
- Updated the denylist generator to store the version in the created commands and denylist of the CLI it is generated from
Member


Couple questions:

  • Can this list be overwritten? If so, how?
  • We should add a section in the readme of this server for this functionality

@gebhardtr gebhardtr self-requested a review January 9, 2026 20:15