fix(mcp): prefix mcp tool names with server name to avoid collisions #2282
salmandeniz wants to merge 2 commits into
Multiple MCP servers exposing tools with the same name (e.g., 'query' from multiple postgres servers) overwrite each other in _tool_dict. Prefix tool names with the server name so each tool remains unique and accessible.
🟡 MCP tool approval action_name not namespaced by server, causing cross-server auto-approval
The PR prefixes tool names with server_name to avoid collisions (f"{server_name}_{mcp_tool.name}"), but _action_name at line 715 is still f"mcp:{mcp_tool.name}" without the server prefix. When two MCP servers expose a tool with the same name (e.g. read_file), both MCPTool instances share the same _action_name = "mcp:read_file". If the user selects "approve for session" for one server's tool, the action is added to auto_approve_actions (src/kimi_cli/soul/approval.py:248), which then auto-approves the identically-named tool from the other server (src/kimi_cli/soul/approval.py:195). Additionally, all pending approvals with the same action are batch-resolved (src/kimi_cli/soul/approval.py:250-252). Before this PR, this couldn't happen because only one tool with a given name existed in _tool_dict (the second overwrote the first). Now that both tools coexist with distinct names, the shared _action_name creates an unintended cross-server approval bypass.
(Refers to line 715)
…erver auto-approval

When multiple MCP servers expose tools with the same name (e.g. read_file), the shared _action_name = 'mcp:read_file' caused auto-approval on one server to bypass approval on another. Prefix _action_name with the server-scoped tool name so each server's tool has a distinct approval identity.
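The approval collision described in the review comment and its fix, as an added example that is not code from this PR or from kimi_cli: a minimal model of a session approval set, plus a check that lists approval identities shared by more than one server. `ApprovalGate`, the server names, the user-choice strings and the exact scoped format are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class ApprovalGate:
    """Hypothetical stand-in for a session approval store (not kimi_cli code)."""
    auto_approve_actions: set = field(default_factory=set)
    prompts: list = field(default_factory=list)  # actions the user actually saw

    def request(self, action: str, user_choice: str) -> bool:
        if action in self.auto_approve_actions:
            return True  # approved silently, user_choice is never consulted
        self.prompts.append(action)
        if user_choice == "approve_for_session":
            self.auto_approve_actions.add(action)
            return True
        return user_choice == "approve"


def unscoped_action(server_name: str, tool_name: str) -> str:
    return f"mcp:{tool_name}"  # approval identity as flagged in the review


def scoped_action(server_name: str, tool_name: str) -> str:
    # Assumed shape of the fix: reuse the server-prefixed tool name.
    return f"mcp:{server_name}_{tool_name}"


def second_server_prompted(action_name) -> bool:
    """Approve read_file for the session on one server, then call it on another."""
    gate = ApprovalGate()
    gate.request(action_name("trusted_fs", "read_file"), "approve_for_session")
    gate.request(action_name("other_fs", "read_file"), "reject")
    return len(gate.prompts) == 2  # True only if the second call reached the user


def shared_actions(tools, action_name) -> dict:
    """Return approval identities claimed by more than one (server, tool) pair."""
    owners = {}
    for server, tool in tools:
        owners.setdefault(action_name(server, tool), []).append((server, tool))
    return {a: o for a, o in owners.items() if len(o) > 1}


# Constructed sample configuration: two servers expose the same tool name.
TOOLS = [("trusted_fs", "read_file"), ("other_fs", "read_file"), ("pg", "query")]

if __name__ == "__main__":
    for scheme in (unscoped_action, scoped_action):
        print(scheme.__name__, second_server_prompted(scheme), shared_actions(TOOLS, scheme))
```

A check like `shared_actions` can run as a unit test over the configured servers so that a later change to the naming scheme cannot quietly reintroduce a shared approval identity.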