[BUG] tool_blocklist in agent.toml not filtering MCP tools from LLM context

[Abhishek21k]

Bug

tool_blocklist in agent.toml does not prevent MCP tools from being presented to the LLM or executed. The agent can still call blocked tools successfully.

Steps to Reproduce

1. Configure the ops agent with a tool_blocklist for Notion write tools:

# agents/ops/agent.toml
tool_blocklist = [
  "mcp_notion_api_patch_block_children",
  "mcp_notion_api_patch_page",
  "mcp_notion_api_post_page",
  "mcp_notion_api_delete_block",
]

[capabilities]
tools = ["*"]

2. Restart the daemon
3. Ask the ops agent to write to a Notion page
4. The agent successfully calls mcp_notion_api_patch_block_children — the blocklist is ignored

Expected Behavior

• Blocked tools should be removed from the tool definitions sent to the LLM (so it doesn't even know they exist)
• If somehow called, blocked tools should return a permission denied error

Actual Behavior

• The LLM still sees all Notion tools including write tools
• The agent successfully executes mcp_notion_api_patch_block_children

Investigation

The filtering logic in kernel.rs available_tools() (line ~4891) looks correct:

if !tool_blocklist.is_empty() {
    all_tools.retain(|t| !tool_blocklist.iter().any(|b| b == &t.name));
}

Possible causes:

1. TOML parsing issue: tool_blocklist placed after [capabilities] gets parsed as capabilities.tool_blocklist (swallowed by serde #[serde(default)]). Moving it before [capabilities] didn't help either — the field may not be loading from agent.toml at all.
2. Agent manifest loading: The tool_blocklist field may not be deserialized from the on-disk agent.toml during agent registration/spawn. Need to verify the manifest loading path actually reads this field.
3. MCP tool name mismatch: The actual MCP tool names at runtime may differ from what's in the blocklist. Need a way to inspect the exact tool names the MCP server registers.

Suggested Fix

• Add debug logging in available_tools() to log the blocklist and which tools get filtered
• Verify tool_blocklist round-trips through agent.toml → manifest deserialization
• Consider adding GET /api/agents/{id}/available-tools endpoint that returns the post-filtered tool list (not just the config)

Environment

• Branch: fix/all-tools-integration
• Notion MCP: @notionhq/notion-mcp-server@2.2.1

[Abhishek21k]

ops/agent.toml

name = "ops"
version = "0.1.0"
description = "DevOps agent. Monitors systems, runs diagnostics, manages deployments."
author = "openfang"
module = "builtin:chat"

[model]
provider = "default"
model = "default"
max_tokens = 2048
temperature = 0.2
system_prompt = """You are Ops, a DevOps and systems operations agent running inside the OpenFang Agent OS.

METHODOLOGY:
1. OBSERVE — Check current state before making changes. Read configs, check logs, verify status.
2. DIAGNOSE — Identify the issue using structured analysis. Check metrics, error patterns, resource usage.
3. PLAN — Explain what you intend to do and why before running any mutating command.
4. EXECUTE — Make changes incrementally. Verify each step before proceeding.
5. VERIFY — Confirm the change had the expected effect.

CHANGE MANAGEMENT:
- Prefer read-only operations unless explicitly asked to make changes.
- For destructive operations (restart, delete, deploy), state what will happen and confirm first.
- Always have a rollback plan for production changes.

REPORTING:
- Status: OK / WARNING / CRITICAL
- Details: What was checked and what was found
- Action: What should be done next (if anything)
You also have the 'image_generate' tool. Use it to create diagrams, system architecture visualizations, or any creative requests using the 'nano-banana-2' model.
"""

[routing]
simple_model = "gpt-4.1-nano" # was gpt-5-nano
medium_model = "gpt-4.1"      # was gpt-5.2
complex_model = "gpt-4.1"     # was gpt-5.2-pro
simple_threshold = 100
complex_threshold = 500

[schedule]
periodic = { cron = "every 5m" }


# Block Notion write tools — ops agent gets read-only Notion access.
# This MUST be before [capabilities] — TOML nests keys under the last [section].
tool_blocklist = [
  "mcp_notion_api_patch_block_children",
  "mcp_notion_api_update_a_block",
  "mcp_notion_api_delete_a_block",
  "mcp_notion_api_patch_page",
  "mcp_notion_api_patch_database",
  "mcp_notion_api_post_page",
  "mcp_notion_api_post_database",
  "mcp_notion_api_delete_block",
]

[capabilities]
tools = ["*"]
memory_read = ["*"]
memory_write = ["self.*"]
shell = [
  "docker *",
  "git *",
  "cargo *",
  "systemctl *",
  "ps *",
  "df *",
  "free *",
]

it still runned the "mcp_notion_api_update_a_block" function even though it is in blocklist

[Abhishek21k]

also here is the tools it has access as per the logs:

2026-03-16T10:28:01.415367Z  INFO openfang_kernel::kernel: Tools selected for LLM request agent=ops agent_id=4e6b4802-bb71-43f9-a996-13f498fcc270 tool_count=83 tool_names=["file_read", "file_write", "file_list", "apply_patch", "web_fetch", "web_search", "shell_exec", "agent_send", "agent_spawn", "agent_list", "agent_kill", "memory_store", "memory_recall", "agent_find", "task_post", "task_claim", "task_complete", "task_list", "event_publish", "schedule_create", "schedule_list", "schedule_delete", "knowledge_add_entity", "knowledge_add_relation", "knowledge_query", "image_analyze", "location_get", "browser_navigate", "browser_click", "browser_type", "browser_screenshot", "browser_read_page", "browser_close", "browser_scroll", "browser_wait", "browser_run_js", "browser_back", "media_describe", "media_transcribe", "image_generate", "video_generate", "cron_create", "cron_list", "cron_cancel", "channel_send", "hand_list", "hand_activate", "hand_status", "hand_deactivate", "a2a_discover", "a2a_send", "text_to_speech", "speech_to_text", "docker_exec", "process_start", "process_poll", "process_write", "process_kill", "process_list", "system_time", "canvas_present", "mcp_notion_api_get_user", "mcp_notion_api_get_users", "mcp_notion_api_get_self", "mcp_notion_api_post_search", "mcp_notion_api_get_block_children", "mcp_notion_api_patch_block_children", "mcp_notion_api_retrieve_a_block", "mcp_notion_api_update_a_block", "mcp_notion_api_delete_a_block", "mcp_notion_api_retrieve_a_page", "mcp_notion_api_patch_page", "mcp_notion_api_post_page", "mcp_notion_api_retrieve_a_page_property", "mcp_notion_api_retrieve_a_comment", "mcp_notion_api_create_a_comment", "mcp_notion_api_query_data_source", "mcp_notion_api_retrieve_a_data_source", "mcp_notion_api_update_a_data_source", "mcp_notion_api_create_a_data_source", "mcp_notion_api_list_data_source_templates", "mcp_notion_api_retrieve_a_database", "mcp_notion_api_move_page"]

[jaberjaber23]

Fixed. The change detection on daemon restart now includes tool_allowlist and tool_blocklist fields. Previously these were not compared, so editing them in agent.toml had no effect until the agent was re-created.