Skip to content

fix(cli): hide mutating tools in read-only MCP mode#4248

Open
carderne wants to merge 1 commit into
mainfrom
chore/update-mcp-readonly
Open

fix(cli): hide mutating tools in read-only MCP mode#4248
carderne wants to merge 1 commit into
mainfrom
chore/update-mcp-readonly

Conversation

@carderne

Copy link
Copy Markdown
Collaborator

Hide profile switching and local dev-server process controls when the MCP server runs in read-only mode.

@changeset-bot

changeset-bot Bot commented Jul 13, 2026

Copy link
Copy Markdown

🦋 Changeset detected

Latest commit: 9d256a1

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 26 packages
Name Type
trigger.dev Patch
@internal/dashboard-agent Patch
@trigger.dev/build Patch
@trigger.dev/core Patch
@trigger.dev/python Patch
@trigger.dev/react-hooks Patch
@trigger.dev/redis-worker Patch
@trigger.dev/rsc Patch
@trigger.dev/schema-to-json Patch
@trigger.dev/sdk Patch
@trigger.dev/database Patch
@trigger.dev/otlp-importer Patch
@trigger.dev/rbac Patch
@trigger.dev/sso Patch
@internal/cache Patch
@internal/clickhouse Patch
@internal/llm-model-catalog Patch
@internal/redis Patch
@internal/replication Patch
@internal/run-engine Patch
@internal/run-store Patch
@internal/schedule-engine Patch
@internal/testcontainers Patch
@internal/tracing Patch
@internal/tsql Patch
@internal/sdk-compat-tests Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@carderne carderne marked this pull request as ready for review July 13, 2026 15:44
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Walkthrough

The MCP write-tool set now includes profile switching and local development server start/stop tools. Read-only mode therefore omits these tools from LLM registration and applies write-oriented annotations. A Changeset documents the patch release and the associated hidden UI controls.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description is only a one-line summary and omits the required template sections, issue reference, checklist, testing, changelog, and screenshots. Expand the PR description to include Closes #issue, checklist items, testing steps, a short changelog, and screenshots if applicable.
✅ Passed checks (4 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly summarizes the main change: hiding mutating MCP tools in read-only mode.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/update-mcp-readonly

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@devin-ai-integration devin-ai-integration Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 potential issue.

Open in Devin Review

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔍 Pre-existing: async handler errors silently escape the try/catch

The registered tool callback at packages/cli-v3/src/mcp/tools.ts:116-121 does return tool.handler(...) without await. Since tool.handler is async (returns a Promise), any rejection from that promise will NOT be caught by the surrounding try/catch block — it will propagate as an unhandled rejection to the MCP framework instead of returning a structured error via respondWithError. Adding await before tool.handler(...) would fix this. This is pre-existing (not introduced by this PR) but affects all tools including the three newly classified as write tools.

(Refers to lines 116-121)

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.

@carderne carderne enabled auto-merge (squash) July 13, 2026 15:46
@pkg-pr-new

pkg-pr-new Bot commented Jul 13, 2026

Copy link
Copy Markdown

Open in StackBlitz

@trigger.dev/build

npm i https://pkg.pr.new/@trigger.dev/build@9d256a1

trigger.dev

npm i https://pkg.pr.new/trigger.dev@9d256a1

@trigger.dev/core

npm i https://pkg.pr.new/@trigger.dev/core@9d256a1

@trigger.dev/python

npm i https://pkg.pr.new/@trigger.dev/python@9d256a1

@trigger.dev/react-hooks

npm i https://pkg.pr.new/@trigger.dev/react-hooks@9d256a1

@trigger.dev/redis-worker

npm i https://pkg.pr.new/@trigger.dev/redis-worker@9d256a1

@trigger.dev/rsc

npm i https://pkg.pr.new/@trigger.dev/rsc@9d256a1

@trigger.dev/schema-to-json

npm i https://pkg.pr.new/@trigger.dev/schema-to-json@9d256a1

@trigger.dev/sdk

npm i https://pkg.pr.new/@trigger.dev/sdk@9d256a1

commit: 9d256a1

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1


ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 104df9d0-57e5-4c02-9c8f-7bc65064c4f1

📥 Commits

Reviewing files that changed from the base of the PR and between 6e943f2 and 9d256a1.

📒 Files selected for processing (2)
  • .changeset/readonly-mcp-mutations.md
  • packages/cli-v3/src/mcp/tools.ts
📜 Review details
⏰ Context from checks skipped due to timeout. (25)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (7, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (8, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (10, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (3, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (4, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (5, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (6, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (11, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (1, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (2, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (9, 12)
  • GitHub Check: webapp / 🧪 Unit Tests: Webapp (12, 12)
  • GitHub Check: e2e / 🧪 CLI v3 tests (warp-windows-latest-x64-8x - npm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (warp-ubuntu-latest-x64-4x - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (warp-windows-latest-x64-8x - pnpm)
  • GitHub Check: e2e / 🧪 CLI v3 tests (warp-ubuntu-latest-x64-4x - npm)
  • GitHub Check: internal / 🧪 Unit Tests: Internal
  • GitHub Check: typecheck / typecheck
  • GitHub Check: packages / 🧪 Unit Tests: Packages (2, 3)
  • GitHub Check: packages / 🧪 Unit Tests: Packages (3, 3)
  • GitHub Check: e2e-webapp / 🧪 E2E Tests: Webapp
  • GitHub Check: packages / 🧪 Unit Tests: Packages (1, 3)
  • GitHub Check: code-quality / code-quality
  • GitHub Check: Build and publish previews
  • GitHub Check: Analyze (javascript-typescript)
🧰 Additional context used
📓 Path-based instructions (5)
**/*.{ts,tsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

**/*.{ts,tsx}: Use types over interfaces for TypeScript
Avoid using enums; prefer string unions or const objects instead

**/*.{ts,tsx}: Prefer static imports over dynamic import(); use dynamic imports only for unresolvable circular dependencies, genuine performance code splitting, or conditional runtime loading.
Import Trigger.dev tasks from @trigger.dev/sdk; never use @trigger.dev/sdk/v3 or deprecated client.defineJob.
Add agentcrumbs while writing code using approved namespaces; mark lines with // @Crumbs or blocks with `// `#region` `@crumbs, and strip them before merging.

Files:

  • packages/cli-v3/src/mcp/tools.ts
**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Use function declarations instead of default exports

Files:

  • packages/cli-v3/src/mcp/tools.ts
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/otel-metrics.mdc)

**/*.ts: When creating or editing OTEL metrics (counters, histograms, gauges), ensure metric attributes have low cardinality by using only enums, booleans, bounded error codes, or bounded shard IDs
Do not use high-cardinality attributes in OTEL metrics such as UUIDs/IDs (envId, userId, runId, projectId, organizationId), unbounded integers (itemCount, batchSize, retryCount), timestamps (createdAt, startTime), or free-form strings (errorMessage, taskName, queueName)
When exporting OTEL metrics via OTLP to Prometheus, be aware that the exporter automatically adds unit suffixes to metric names (e.g., 'my_duration_ms' becomes 'my_duration_ms_milliseconds', 'my_counter' becomes 'my_counter_total'). Account for these transformations when writing Grafana dashboards or Prometheus queries

Files:

  • packages/cli-v3/src/mcp/tools.ts
packages/cli-v3/src/mcp/**/*

📄 CodeRabbit inference engine (packages/cli-v3/CLAUDE.md)

Provide an MCP server implementation in src/mcp/ for AI-assisted task development

Files:

  • packages/cli-v3/src/mcp/tools.ts
packages/**/*.{ts,tsx}

📄 CodeRabbit inference engine (AGENTS.md)

For public packages, use build for verification.

Files:

  • packages/cli-v3/src/mcp/tools.ts
🧠 Learnings (9)
📚 Learning: 2026-03-22T13:26:12.060Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3244
File: apps/webapp/app/components/code/TextEditor.tsx:81-86
Timestamp: 2026-03-22T13:26:12.060Z
Learning: In the triggerdotdev/trigger.dev codebase, do not flag `navigator.clipboard.writeText(...)` calls for `missing-await`/`unhandled-promise` issues. These clipboard writes are intentionally invoked without `await` and without `catch` handlers across the project; keep that behavior consistent when reviewing TypeScript/TSX files (e.g., usages like in `apps/webapp/app/components/code/TextEditor.tsx`).

Applied to files:

  • packages/cli-v3/src/mcp/tools.ts
📚 Learning: 2026-03-22T19:24:14.403Z
Learnt from: matt-aitken
Repo: triggerdotdev/trigger.dev PR: 3187
File: apps/webapp/app/v3/services/alerts/deliverErrorGroupAlert.server.ts:200-204
Timestamp: 2026-03-22T19:24:14.403Z
Learning: In the triggerdotdev/trigger.dev codebase, webhook URLs are not expected to contain embedded credentials/secrets (e.g., fields like `ProjectAlertWebhookProperties` should only hold credential-free webhook endpoints). During code review, if you see logging or inclusion of raw webhook URLs in error messages, do not automatically treat it as a credential-leak/secrets-in-logs issue by default—first verify the URL does not contain embedded credentials (for example, no username/password in the URL, no obvious secret/token query params or fragments). If the URL is credential-free per this project’s conventions, allow the logging.

Applied to files:

  • packages/cli-v3/src/mcp/tools.ts
📚 Learning: 2026-05-18T08:21:27.694Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3632
File: apps/webapp/sentry.server.ts:4-21
Timestamp: 2026-05-18T08:21:27.694Z
Learning: When handling Prisma error P1001 ("Can't reach database server") in TypeScript, don’t assume a single error shape. Prisma can surface P1001 via two different error classes/fields: `PrismaClientKnownRequestError` exposes it as `err.code === "P1001"` (common during mid-query connection drops), while `PrismaClientInitializationError` exposes it as `err.errorCode === "P1001"` (common on client startup failure). Therefore, predicates should use `err.code === "P1001" || err.errorCode === "P1001"`. Do not flag `err.code === "P1001"` as “unreachable/never matches,” as it is expected in production.

Applied to files:

  • packages/cli-v3/src/mcp/tools.ts
📚 Learning: 2026-05-18T08:21:27.694Z
Learnt from: d-cs
Repo: triggerdotdev/trigger.dev PR: 3632
File: apps/webapp/sentry.server.ts:4-21
Timestamp: 2026-05-18T08:21:27.694Z
Learning: When handling Prisma errors for P1001 ("Can't reach database server"), do not assume it only appears under a single property name. Prisma may surface P1001 via either `PrismaClientKnownRequestError` (`err.code === "P1001"`, e.g., mid-query connection drops) or `PrismaClientInitializationError` (`err.errorCode === "P1001"`, e.g., client startup connection failure). To reliably detect the condition, check `err.code === "P1001" || err.errorCode === "P1001"`, and avoid review rules that would incorrectly flag `err.code === "P1001"` as unreachable/never-matching.

Applied to files:

  • packages/cli-v3/src/mcp/tools.ts
📚 Learning: 2026-06-13T19:53:13.759Z
Learnt from: ericallam
Repo: triggerdotdev/trigger.dev PR: 3937
File: packages/trigger-sdk/skills/realtime-and-frontend/SKILL.md:258-260
Timestamp: 2026-06-13T19:53:13.759Z
Learning: When reviewing code that uses `trigger.dev/react-hooks`’s `useRealtimeRun`, preserve the call signature where the first argument is the full realtime handle object (not `handle.id`). This is intentional to maintain type-safety and is consistent with the official docs; do not suggest changing the first argument from the handle object to `handle.id`.

Applied to files:

  • packages/cli-v3/src/mcp/tools.ts
📚 Learning: 2026-06-17T17:13:49.929Z
Learnt from: matt-aitken
Repo: triggerdotdev/trigger.dev PR: 3948
File: apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.bulk-actions.$bulkActionParam/route.tsx:48-62
Timestamp: 2026-06-17T17:13:49.929Z
Learning: In triggerdotdev/trigger.dev, within `dashboardLoader`/`dashboardAction` (or similar context resolver code) whenever you resolve an organization ID from an organization slug for RBAC/enterprise authorization scope, always read from the primary Prisma client (`prisma`), not `$replica`. Using `$replica` can hit replica-lag and cause the RBAC lookup/authorization to run without the correct org scope (bypassing intended role enforcement). Implement the slug→org lookup with `prisma.organization.findFirst(...)` (or equivalent primary-client query) and add an inline comment documenting why the primary client is required (replica lag could lead to unscoped RBAC checks).

Applied to files:

  • packages/cli-v3/src/mcp/tools.ts
📚 Learning: 2026-06-23T13:04:21.413Z
Learnt from: carderne
Repo: triggerdotdev/trigger.dev PR: 4023
File: apps/webapp/app/services/upsertBranch.server.ts:14-18
Timestamp: 2026-06-23T13:04:21.413Z
Learning: In TypeScript, it’s valid to `import { type X }` and then use `typeof X` in a type-only position, e.g. `type Alias = z.infer<typeof X>`. The `type` modifier suppresses the runtime import, but the type checker still has the full exported type so `z.infer<typeof X>` can resolve correctly. In code reviews, don’t flag this as a TypeScript compile error as long as `typeof X` is used in a type context (e.g., with `z.infer`, `type` aliases, generics), not as a runtime value.

Applied to files:

  • packages/cli-v3/src/mcp/tools.ts
📚 Learning: 2026-06-04T18:16:35.386Z
Learnt from: nicktrn
Repo: triggerdotdev/trigger.dev PR: 3836
File: apps/supervisor/src/backpressure/backpressureMonitor.ts:3-5
Timestamp: 2026-06-04T18:16:35.386Z
Learning: When reviewing TypeScript in this repo, apply the rule “prefer type aliases over interfaces” only to data/object shapes and union/intersection type modeling. If an interface is being used as a behavioral contract for collaborators to implement (e.g., method-shape interfaces that define required behavior, such as `BackpressureLogger` / `BackpressureSignalSource` in `apps/supervisor/src/backpressure/backpressureMonitor.ts`), keep it as an `interface` and do not flag it as a type-alias-vs-interface violation.

Applied to files:

  • packages/cli-v3/src/mcp/tools.ts
📚 Learning: 2026-06-09T17:58:04.699Z
Learnt from: 0ski
Repo: triggerdotdev/trigger.dev PR: 3879
File: apps/webapp/app/models/vercelIntegration.server.ts:619-630
Timestamp: 2026-06-09T17:58:04.699Z
Learning: In this codebase, outbound raw `fetch` calls should typically rely on Node/undici’s default request timeout (about ~300s) rather than adding a per-call `AbortController` + `setTimeout` wrapper inside individual functions (e.g. in files like `apps/webapp/app/models/vercelIntegration.server.ts`). During code review, do not flag the absence of a per-call timeout on a single `fetch` as an issue; if per-call timeouts are needed, they should be implemented via a codebase-wide convention (e.g., a shared fetch wrapper or documented pattern) rather than ad-hoc per-function changes.

Applied to files:

  • packages/cli-v3/src/mcp/tools.ts
🔇 Additional comments (1)
.changeset/readonly-mcp-mutations.md (1)

1-5: LGTM!

Comment on lines +51 to +53
switchProfileTool.name,
startDevServerTool.name,
stopDevServerTool.name,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

rg -n 'destructiveHint|readOnlyHint|WRITE_TOOLS' packages/cli-v3/src/mcp
fd -a -t f 'package.json|pnpm-lock.yaml|yarn.lock|package-lock.json' . \
  -x rg -n '`@modelcontextprotocol/sdk`'

Repository: triggerdotdev/trigger.dev

Length of output: 945


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

sed -n '1,180p' packages/cli-v3/src/mcp/tools.ts

Repository: triggerdotdev/trigger.dev

Length of output: 3751


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path
p = Path('packages/cli-v3/src/mcp/tools.ts')
for i, line in enumerate(p.read_text().splitlines(), 1):
    if 1 <= i <= 180:
        print(f"{i:4d}: {line}")
PY

Repository: triggerdotdev/trigger.dev

Length of output: 4501


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

rg -n 'switchProfileTool|startDevServerTool|stopDevServerTool|WRITE_TOOLS|destructiveHint|readOnlyHint' packages/cli-v3/src/mcp -A4 -B4

Repository: triggerdotdev/trigger.dev

Length of output: 6490


🌐 Web query:

MCP schema destructiveHint readOnlyHint definition non-destructive additive updates

💡 Result:

In the Model Context Protocol (MCP), readOnlyHint and destructiveHint are properties within the ToolAnnotations schema used to describe tool behavior to clients [1][2]. These properties are designated as hints, meaning they provide guidance rather than guaranteed behavior, and clients should not rely on them when interacting with untrusted servers [2][3]. readOnlyHint The readOnlyHint property indicates whether a tool modifies its environment [4][2]. If set to true, the tool is considered read-only and does not modify the environment [4][1]. The default value is false [2]. destructiveHint The destructiveHint property indicates the nature of modifications performed by a tool when it is not read-only [1][2]. It is only meaningful when readOnlyHint is set to false [4][2]. If set to true, the tool may perform destructive updates to its environment, such as deleting or overwriting data [4][1][5]. If set to false, the tool performs only additive updates, such as creating or appending data [4][1][2]. The default value is true [1][2]. By distinguishing between destructive and additive updates, these hints allow clients to implement risk-aware interfaces, such as requiring human confirmation for tools marked with destructiveHint: true [1][5]. Other related annotations include idempotentHint (indicating if repeated calls have the same effect) and openWorldHint (indicating interaction with external entities) [1][5][2].

Citations:


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path

for file in [
    "packages/cli-v3/src/mcp/tools/profiles.ts",
    "packages/cli-v3/src/mcp/tools/devServer.ts",
]:
    print(f"\n=== {file} ===")
    text = Path(file).read_text().splitlines()
    for i, line in enumerate(text, 1):
        if any(key in line for key in ["export const switchProfileTool", "export const startDevServerTool", "export const stopDevServerTool", "handler:", "respondWithError", "process", "profile", "server", "stop", "start"]):
            start = max(1, i - 8)
            end = min(len(text), i + 20)
            for j in range(start, end + 1):
                print(f"{j:4d}: {text[j-1]}")
            print()
            break
PY

Repository: triggerdotdev/trigger.dev

Length of output: 1934


🏁 Script executed:

#!/usr/bin/env bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path

targets = {
    "packages/cli-v3/src/mcp/tools/profiles.ts": ["export const switchProfileTool", "handler:"],
    "packages/cli-v3/src/mcp/tools/devServer.ts": ["export const startDevServerTool", "export const stopDevServerTool", "handler:"],
}

for file, markers in targets.items():
    print(f"\n=== {file} ===")
    lines = Path(file).read_text().splitlines()
    for marker in markers:
        for i, line in enumerate(lines, 1):
            if marker in line:
                start = max(1, i - 20)
                end = min(len(lines), i + 80)
                for j in range(start, end + 1):
                    print(f"{j:4d}: {lines[j-1]}")
                print()
                break
PY

Repository: triggerdotdev/trigger.dev

Length of output: 15717


Separate destructive hints from readonly filtering
WRITE_TOOLS is fine for hiding these tools in readonly mode, but it also marks switch_profile and start_dev_server as destructive. Classify destructiveHint separately so only truly destructive tools like stop_dev_server get that hint.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant