rename to --exclude-tools

Author: tommaso-moro

cmd/github-mcp-server/main.go

@@ -61,11 +61,11 @@ var (
 				}
 			}
 
-			// Parse disallowed tools (similar to tools)
-			var disallowedTools []string
-			if viper.IsSet("disallowed_tools") {
-				if err := viper.UnmarshalKey("disallowed_tools", &disallowedTools); err != nil {
-					return fmt.Errorf("failed to unmarshal disallowed-tools: %w", err)
+			// Parse excluded tools (similar to tools)
+			var excludeTools []string
+			if viper.IsSet("exclude_tools") {
+				if err := viper.UnmarshalKey("exclude_tools", &excludeTools); err != nil {
+					return fmt.Errorf("failed to unmarshal exclude-tools: %w", err)
 				}
 			}
 
@@ -93,7 +93,7 @@ var (
 				ContentWindowSize:    viper.GetInt("content-window-size"),
 				LockdownMode:         viper.GetBool("lockdown-mode"),
 				InsidersMode:         viper.GetBool("insiders"),
-				DisallowedTools:      disallowedTools,
+				ExcludeTools:         excludeTools,
 				RepoAccessCacheTTL:   &ttl,
 			}
 			return ghmcp.RunStdioServer(stdioServerConfig)
@@ -135,7 +135,7 @@ func init() {
 	// Add global flags that will be shared by all commands
 	rootCmd.PersistentFlags().StringSlice("toolsets", nil, github.GenerateToolsetsHelp())
 	rootCmd.PersistentFlags().StringSlice("tools", nil, "Comma-separated list of specific tools to enable")
-	rootCmd.PersistentFlags().StringSlice("disallowed-tools", nil, "Comma-separated list of tool names to disable regardless of other settings")
+	rootCmd.PersistentFlags().StringSlice("exclude-tools", nil, "Comma-separated list of tool names to disable regardless of other settings")
 	rootCmd.PersistentFlags().StringSlice("features", nil, "Comma-separated list of feature flags to enable")
 	rootCmd.PersistentFlags().Bool("dynamic-toolsets", false, "Enable dynamic toolsets")
 	rootCmd.PersistentFlags().Bool("read-only", false, "Restrict the server to read-only operations")
@@ -157,7 +157,7 @@ func init() {
 	// Bind flag to viper
 	_ = viper.BindPFlag("toolsets", rootCmd.PersistentFlags().Lookup("toolsets"))
 	_ = viper.BindPFlag("tools", rootCmd.PersistentFlags().Lookup("tools"))
-	_ = viper.BindPFlag("disallowed_tools", rootCmd.PersistentFlags().Lookup("disallowed-tools"))
+	_ = viper.BindPFlag("exclude_tools", rootCmd.PersistentFlags().Lookup("exclude-tools"))
 	_ = viper.BindPFlag("features", rootCmd.PersistentFlags().Lookup("features"))
 	_ = viper.BindPFlag("dynamic_toolsets", rootCmd.PersistentFlags().Lookup("dynamic-toolsets"))
 	_ = viper.BindPFlag("read-only", rootCmd.PersistentFlags().Lookup("read-only"))

docs/server-configuration.md

@@ -9,7 +9,7 @@ We currently support the following ways in which the GitHub MCP Server can be co
 |---------------|---------------|--------------|
 | Toolsets | `X-MCP-Toolsets` header or `/x/{toolset}` URL | `--toolsets` flag or `GITHUB_TOOLSETS` env var |
 | Individual Tools | `X-MCP-Tools` header | `--tools` flag or `GITHUB_TOOLS` env var |
-| Disallowed Tools | `X-MCP-Disallowed-Tools` header | `--disallowed-tools` flag or `GITHUB_DISALLOWED_TOOLS` env var |
+| Exclude Tools | `X-MCP-Exclude-Tools` header | `--exclude-tools` flag or `GITHUB_EXCLUDE_TOOLS` env var |
 | Read-Only Mode | `X-MCP-Readonly` header or `/readonly` URL | `--read-only` flag or `GITHUB_READ_ONLY` env var |
 | Dynamic Mode | Not available | `--dynamic-toolsets` flag or `GITHUB_DYNAMIC_TOOLSETS` env var |
 | Lockdown Mode | `X-MCP-Lockdown` header | `--lockdown-mode` flag or `GITHUB_LOCKDOWN_MODE` env var |
@@ -21,11 +21,11 @@ We currently support the following ways in which the GitHub MCP Server can be co
 
 ## How Configuration Works
 
-All configuration options are **composable**: you can combine toolsets, individual tools, disallowed tools, dynamic discovery, read-only mode and lockdown mode in any way that suits your workflow.
+All configuration options are **composable**: you can combine toolsets, individual tools, excluded tools, dynamic discovery, read-only mode and lockdown mode in any way that suits your workflow.
 
 Note: **read-only** mode acts as a strict security filter that takes precedence over any other configuration, by disabling write tools even when explicitly requested.
 
-Note: **disallowed tools** takes precedence over toolsets and individual tools — listed tools are always excluded, even if their toolset is enabled or they are explicitly added via `--tools` / `X-MCP-Tools`.
+Note: **excluded tools** takes precedence over toolsets and individual tools — listed tools are always excluded, even if their toolset is enabled or they are explicitly added via `--tools` / `X-MCP-Tools`.
 
 ---
 
@@ -173,7 +173,7 @@ Enable entire toolsets, then add individual tools from toolsets you don't want f
 
 ---
 
-### Disallowing Specific Tools
+### Excluding Specific Tools
 
 **Best for:** Users who want to enable a broad toolset but need to exclude specific tools for security, compliance, or to prevent undesired behavior.
 
@@ -190,7 +190,7 @@ Listed tools are removed regardless of any other configuration — even if their
   "url": "https://api.githubcopilot.com/mcp/",
   "headers": {
     "X-MCP-Toolsets": "pull_requests",
-    "X-MCP-Disallowed-Tools": "create_pull_request,merge_pull_request"
+    "X-MCP-Exclude-Tools": "create_pull_request,merge_pull_request"
   }
 }
 ```
@@ -207,7 +207,7 @@ Listed tools are removed regardless of any other configuration — even if their
     "./cmd/github-mcp-server",
     "stdio",
     "--toolsets=pull_requests",
-    "--disallowed-tools=create_pull_request,merge_pull_request"
+    "--exclude-tools=create_pull_request,merge_pull_request"
   ],
   "env": {
     "GITHUB_PERSONAL_ACCESS_TOKEN": "${input:github_token}"

internal/ghmcp/server.go

@@ -135,7 +135,7 @@ func NewStdioMCPServer(ctx context.Context, cfg github.MCPServerConfig) (*mcp.Se
 		WithReadOnly(cfg.ReadOnly).
 		WithToolsets(github.ResolvedEnabledToolsets(cfg.DynamicToolsets, cfg.EnabledToolsets, cfg.EnabledTools)).
 		WithTools(github.CleanTools(cfg.EnabledTools)).
-		WithDisallowedTools(cfg.DisallowedTools).
+		WithExcludeTools(cfg.ExcludeTools).
 		WithServerInstructions().
 		WithFeatureChecker(featureChecker).
 		WithInsidersMode(cfg.InsidersMode)
@@ -215,10 +215,10 @@ type StdioServerConfig struct {
 	// InsidersMode indicates if we should enable experimental features
 	InsidersMode bool
 
-	// DisallowedTools is a list of tool names to disable regardless of other settings.
+	// ExcludeTools is a list of tool names to disable regardless of other settings.
 	// These tools will be excluded even if their toolset is enabled or they are
 	// explicitly listed in EnabledTools.
-	DisallowedTools []string
+	ExcludeTools []string
 
 	// RepoAccessCacheTTL overrides the default TTL for repository access cache entries.
 	RepoAccessCacheTTL *time.Duration
@@ -277,7 +277,7 @@ func RunStdioServer(cfg StdioServerConfig) error {
 		ContentWindowSize: cfg.ContentWindowSize,
 		LockdownMode:      cfg.LockdownMode,
 		InsidersMode:      cfg.InsidersMode,
-		DisallowedTools:   cfg.DisallowedTools,
+		ExcludeTools:      cfg.ExcludeTools,
 		Logger:            logger,
 		RepoAccessTTL:     cfg.RepoAccessCacheTTL,
 		TokenScopes:       tokenScopes,

pkg/context/request.go

@@ -82,17 +82,17 @@ func IsInsidersMode(ctx context.Context) bool {
 	return false
 }
 
-// disallowedToolsCtxKey is a context key for disallowed tools
-type disallowedToolsCtxKey struct{}
+// excludeToolsCtxKey is a context key for excluded tools
+type excludeToolsCtxKey struct{}
 
-// WithDisallowedTools adds the disallowed tools to the context
-func WithDisallowedTools(ctx context.Context, tools []string) context.Context {
-	return context.WithValue(ctx, disallowedToolsCtxKey{}, tools)
+// WithExcludeTools adds the excluded tools to the context
+func WithExcludeTools(ctx context.Context, tools []string) context.Context {
+	return context.WithValue(ctx, excludeToolsCtxKey{}, tools)
 }
 
-// GetDisallowedTools retrieves the disallowed tools from the context
-func GetDisallowedTools(ctx context.Context) []string {
-	if tools, ok := ctx.Value(disallowedToolsCtxKey{}).([]string); ok {
+// GetExcludeTools retrieves the excluded tools from the context
+func GetExcludeTools(ctx context.Context) []string {
+	if tools, ok := ctx.Value(excludeToolsCtxKey{}).([]string); ok {
 		return tools
 	}
 	return nil

pkg/github/server.go

@@ -62,10 +62,10 @@ type MCPServerConfig struct {
 	// RepoAccessTTL overrides the default TTL for repository access cache entries.
 	RepoAccessTTL *time.Duration
 
-	// DisallowedTools is a list of tool names that should be disabled regardless of
+	// ExcludeTools is a list of tool names that should be disabled regardless of
 	// other configuration. These tools will be excluded even if their toolset is enabled
 	// or they are explicitly listed in EnabledTools.
-	DisallowedTools []string
+	ExcludeTools []string
 
 	// TokenScopes contains the OAuth scopes available to the token.
 	// When non-nil, tools requiring scopes not in this list will be hidden.

pkg/http/handler.go

@@ -275,8 +275,8 @@ func InventoryFiltersForRequest(r *http.Request, builder *inventory.Builder) *in
 		builder = builder.WithTools(github.CleanTools(tools))
 	}
 
-	if disallowed := ghcontext.GetDisallowedTools(ctx); len(disallowed) > 0 {
-		builder = builder.WithDisallowedTools(disallowed)
+	if excluded := ghcontext.GetExcludeTools(ctx); len(excluded) > 0 {
+		builder = builder.WithExcludeTools(excluded)
 	}
 
 	return builder

pkg/http/handler_test.go

@@ -105,26 +105,26 @@ func TestInventoryFiltersForRequest(t *testing.T) {
 			expectedTools: []string{"get_file_contents", "create_repository", "list_issues"},
 		},
 		{
-			name: "disallowed tools removes specific tools",
+			name: "excluded tools removes specific tools",
 			contextSetup: func(ctx context.Context) context.Context {
-				return ghcontext.WithDisallowedTools(ctx, []string{"create_repository", "issue_write"})
+				return ghcontext.WithExcludeTools(ctx, []string{"create_repository", "issue_write"})
 			},
 			expectedTools: []string{"get_file_contents", "list_issues"},
 		},
 		{
-			name: "disallowed tools overrides explicit tools",
+			name: "excluded tools overrides explicit tools",
 			contextSetup: func(ctx context.Context) context.Context {
 				ctx = ghcontext.WithTools(ctx, []string{"list_issues", "create_repository"})
-				ctx = ghcontext.WithDisallowedTools(ctx, []string{"create_repository"})
+				ctx = ghcontext.WithExcludeTools(ctx, []string{"create_repository"})
 				return ctx
 			},
 			expectedTools: []string{"list_issues"},
 		},
 		{
-			name: "disallowed tools combines with readonly",
+			name: "excluded tools combines with readonly",
 			contextSetup: func(ctx context.Context) context.Context {
 				ctx = ghcontext.WithReadonly(ctx, true)
-				ctx = ghcontext.WithDisallowedTools(ctx, []string{"list_issues"})
+				ctx = ghcontext.WithExcludeTools(ctx, []string{"list_issues"})
 				return ctx
 			},
 			expectedTools: []string{"get_file_contents"},
@@ -293,36 +293,36 @@ func TestHTTPHandlerRoutes(t *testing.T) {
 			expectedTools: []string{"get_file_contents", "create_repository", "list_issues", "create_issue", "list_pull_requests", "create_pull_request", "hidden_by_holdback"},
 		},
 		{
-			name: "X-MCP-Disallowed-Tools header removes specific tools",
+			name: "X-MCP-Exclude-Tools header removes specific tools",
 			path: "/",
 			headers: map[string]string{
-				headers.MCPDisallowedToolsHeader: "create_issue,create_pull_request",
+				headers.MCPExcludeToolsHeader: "create_issue,create_pull_request",
 			},
 			expectedTools: []string{"get_file_contents", "create_repository", "list_issues", "list_pull_requests", "hidden_by_holdback"},
 		},
 		{
-			name: "X-MCP-Disallowed-Tools with toolset header",
+			name: "X-MCP-Exclude-Tools with toolset header",
 			path: "/",
 			headers: map[string]string{
-				headers.MCPToolsetsHeader:        "issues",
-				headers.MCPDisallowedToolsHeader: "create_issue",
+				headers.MCPToolsetsHeader:     "issues",
+				headers.MCPExcludeToolsHeader: "create_issue",
 			},
 			expectedTools: []string{"list_issues"},
 		},
 		{
-			name: "X-MCP-Disallowed-Tools overrides X-MCP-Tools",
+			name: "X-MCP-Exclude-Tools overrides X-MCP-Tools",
 			path: "/",
 			headers: map[string]string{
-				headers.MCPToolsHeader:           "list_issues,create_issue",
-				headers.MCPDisallowedToolsHeader: "create_issue",
+				headers.MCPToolsHeader:        "list_issues,create_issue",
+				headers.MCPExcludeToolsHeader: "create_issue",
 			},
 			expectedTools: []string{"list_issues"},
 		},
 		{
-			name: "X-MCP-Disallowed-Tools with readonly path",
+			name: "X-MCP-Exclude-Tools with readonly path",
 			path: "/readonly",
 			headers: map[string]string{
-				headers.MCPDisallowedToolsHeader: "list_issues",
+				headers.MCPExcludeToolsHeader: "list_issues",
 			},
 			expectedTools: []string{"get_file_contents", "list_pull_requests", "hidden_by_holdback"},
 		},

pkg/http/headers/headers.go

@@ -41,9 +41,9 @@ const (
 	MCPLockdownHeader = "X-MCP-Lockdown"
 	// MCPInsidersHeader indicates whether insiders mode is enabled for early access features.
 	MCPInsidersHeader = "X-MCP-Insiders"
-	// MCPDisallowedToolsHeader is a comma-separated list of MCP tools that should be
+	// MCPExcludeToolsHeader is a comma-separated list of MCP tools that should be
 	// disabled regardless of other settings or header values.
-	MCPDisallowedToolsHeader = "X-MCP-Disallowed-Tools"
+	MCPExcludeToolsHeader = "X-MCP-Exclude-Tools"
 	// MCPFeaturesHeader is a comma-separated list of feature flags to enable.
 	MCPFeaturesHeader = "X-MCP-Features"
 

pkg/http/middleware/request_config.go

@@ -35,9 +35,9 @@ func WithRequestConfig(next http.Handler) http.Handler {
 			ctx = ghcontext.WithLockdownMode(ctx, true)
 		}
 
-		// Disallowed tools
-		if disallowedTools := headers.ParseCommaSeparated(r.Header.Get(headers.MCPDisallowedToolsHeader)); len(disallowedTools) > 0 {
-			ctx = ghcontext.WithDisallowedTools(ctx, disallowedTools)
+		// Excluded tools
+		if excludeTools := headers.ParseCommaSeparated(r.Header.Get(headers.MCPExcludeToolsHeader)); len(excludeTools) > 0 {
+			ctx = ghcontext.WithExcludeTools(ctx, excludeTools)
 		}
 
 		// Insiders mode

pkg/inventory/builder.go

@@ -141,15 +141,15 @@ func (b *Builder) WithFilter(filter ToolFilter) *Builder {
 	return b
 }
 
-// WithDisallowedTools specifies tools that should be disabled regardless of other settings.
+// WithExcludeTools specifies tools that should be disabled regardless of other settings.
 // These tools will be excluded even if their toolset is enabled or they are in the
 // additional tools list. This takes precedence over all other tool enablement settings.
 // Input is cleaned (trimmed, deduplicated) before applying.
 // Returns self for chaining.
-func (b *Builder) WithDisallowedTools(toolNames []string) *Builder {
+func (b *Builder) WithExcludeTools(toolNames []string) *Builder {
 	cleaned := cleanTools(toolNames)
 	if len(cleaned) > 0 {
-		b.filters = append(b.filters, CreateDisallowedToolsFilter(cleaned))
+		b.filters = append(b.filters, CreateExcludeToolsFilter(cleaned))
 	}
 	return b
 }
@@ -163,12 +163,12 @@ func (b *Builder) WithInsidersMode(enabled bool) *Builder {
 	return b
 }
 
-// CreateDisallowedToolsFilter creates a ToolFilter that excludes tools by name.
-// Any tool whose name appears in the disallowed list will be filtered out.
+// CreateExcludeToolsFilter creates a ToolFilter that excludes tools by name.
+// Any tool whose name appears in the excluded list will be filtered out.
 // The input slice should already be cleaned (trimmed, deduplicated).
-func CreateDisallowedToolsFilter(disallowed []string) ToolFilter {
-	set := make(map[string]struct{}, len(disallowed))
-	for _, name := range disallowed {
+func CreateExcludeToolsFilter(excluded []string) ToolFilter {
+	set := make(map[string]struct{}, len(excluded))
+	for _, name := range excluded {
 		set[name] = struct{}{}
 	}
 	return func(_ context.Context, tool *ServerTool) (bool, error) {