docs(site): document two-level MCP permission model #742

Merged
jamesadevine merged 1 commit into main from docs-writer/mcp-two-level-permissions-3090df25f1bd7989
May 25, 2026

Conversation

@github-actions

Contributor

Summary

  • Users authoring MCP servers now understand the two-level permission model: --allow-tool <server> (Copilot CLI grants server access) + allowed: [tools] (MCPG grants tool access).
  • The new "Two-Level Permission Model" section clarifies defense-in-depth: both layers must grant permission for a tool call to succeed.
  • Updated the allowed: field description to cross-reference the new section.
  • Rewrote Security Notes to lead with the two-level model instead of burying it in generic bullets.

Changes

  • site/src/content/docs/reference/mcp.mdx:
    • Add ## Two-Level Permission Model section explaining:
      • Layer 1: Copilot CLI server access via --allow-tool <server-name> (auto-generated by compiler from extensions + user-defined MCPs)
      • Layer 2: MCPG tool-level filtering via allowed: [...] (user-configured per server)
      • When --allow-tool is automatic (restricted bash vs wildcard bash modes)
      • Why both layers exist (coarse-grained vs fine-grained control)
    • Update allowed: field description to reference the new section
    • Rewrite Security Notes to emphasize two-level allow-listing as the primary security model

Accuracy checks

  • --allow-tool generation logic verified in src/engine.rs collect_allowed_tools():
    • Extensions contribute via allowed_copilot_tools() trait method (github, safeoutputs, azure-devops)
    • User-defined MCPs with container: or url: get --allow-tool entries (sorted alphabetically)
    • Only emitted when bash is restricted (not wildcard mode)
  • allowed: enforcement confirmed via PR feat(mcp): filter SafeOutputs tools based on front matter config #156 (SafeOutputs tool filtering) and MCPG spec references in codebase
  • Wildcard bash behavior confirmed: bash: [":*"] or omitted bash → --allow-all-tools instead of individual flags

Validation

  • cd site && npm ci && npm run build — 29 pages built, all internal links valid

Created by the docs-writer workflow.

Generated by Docs Writer · ● 1.4M ·

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
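
A simplified model of the two-level check described in the summary above, added here as an example; it is not code from src/engine.rs or from MCPG. The struct, the function names and the sample server and tool names are hypothetical, and the model assumes MCPG still applies `allowed:` when the CLI runs with --allow-all-tools.

```rust
use std::collections::BTreeSet;

// Simplified model of one user-defined MCP server entry (hypothetical struct).
struct McpServer {
    name: &'static str,
    has_endpoint: bool,         // true when `container:` or `url:` is set
    allowed: Vec<&'static str>, // the `allowed: [...]` tool list
}

// Layer 1: flags passed to Copilot CLI. `bash_wildcard` stands for
// `bash: [":*"]` or an omitted `bash`. Sorting the extension names together
// with the user-defined servers is an assumption of this model.
fn cli_flags(bash_wildcard: bool, extensions: &[&str], servers: &[McpServer]) -> Vec<String> {
    if bash_wildcard {
        return vec!["--allow-all-tools".to_string()];
    }
    let mut names: BTreeSet<String> = extensions.iter().map(|e| e.to_string()).collect();
    names.extend(servers.iter().filter(|s| s.has_endpoint).map(|s| s.name.to_string()));
    names.into_iter().map(|n| format!("--allow-tool {n}")).collect()
}

// A tool call succeeds only if layer 1 (server) and layer 2 (tool) both grant it.
fn call_permitted(flags: &[String], servers: &[McpServer], server: &str, tool: &str) -> bool {
    let wanted = format!("--allow-tool {server}");
    let layer1 = flags.iter().any(|f| f.as_str() == "--allow-all-tools" || *f == wanted);
    let layer2 = servers.iter().any(|s| s.name == server && s.allowed.iter().any(|t| *t == tool));
    layer1 && layer2
}

// Constructed sample configuration; server and tool names are made up.
fn sample_servers() -> Vec<McpServer> {
    vec![
        McpServer { name: "zeta-docs", has_endpoint: true, allowed: vec!["search"] },
        McpServer { name: "acme-tickets", has_endpoint: true, allowed: vec!["get_ticket"] },
        McpServer { name: "local-notes", has_endpoint: false, allowed: vec!["read"] },
    ]
}

fn main() {
    let servers = sample_servers();
    let flags = cli_flags(false, &["github", "safeoutputs"], &servers);
    println!("{}", flags.join(" "));
    for (srv, tool) in [("acme-tickets", "get_ticket"), ("acme-tickets", "delete_ticket"), ("local-notes", "read")] {
        println!("{srv}/{tool}: {}", call_permitted(&flags, &servers, srv, tool));
    }
}
```

In the wildcard bash case the server layer grants everything, so the per-server `allowed:` list is the only remaining filter in this model.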
@jamesadevine jamesadevine marked this pull request as ready for review May 25, 2026 06:03
@jamesadevine jamesadevine merged commit fb83787 into main May 25, 2026
@jamesadevine jamesadevine deleted the docs-writer/mcp-two-level-permissions-3090df25f1bd7989 branch May 25, 2026 06:06