RooCodeInc
diff --git a/‎packages/types/src/mode.ts‎
Lines changed: 45 additions & 0 deletions b/‎packages/types/src/mode.ts‎
Lines changed: 45 additions & 0 deletions
diff --git a/‎src/core/prompts/sections/mcp-servers.ts‎
Lines changed: 104 additions & 13 deletions b/‎src/core/prompts/sections/mcp-servers.ts‎
Lines changed: 104 additions & 13 deletions
diff --git a/‎src/core/prompts/system.ts‎
Lines changed: 1 addition & 1 deletion b/‎src/core/prompts/system.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/core/prompts/tools/access-mcp-resource.ts‎
Lines changed: 47 additions & 0 deletions b/‎src/core/prompts/tools/access-mcp-resource.ts‎
Lines changed: 47 additions & 0 deletions
diff --git a/‎src/core/prompts/tools/index.ts‎
Lines changed: 2 additions & 0 deletions b/‎src/core/prompts/tools/index.ts‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/core/prompts/tools/types.ts‎
Lines changed: 3 additions & 0 deletions b/‎src/core/prompts/tools/types.ts‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/core/prompts/tools/use-mcp-tool.ts‎
Lines changed: 68 additions & 0 deletions b/‎src/core/prompts/tools/use-mcp-tool.ts‎
Lines changed: 68 additions & 0 deletions
@@ -38,6 +38,50 @@ export const groupEntrySchema = z.union([toolGroupsSchema, z.tuple([toolGroupsSc
 
 export type GroupEntry = z.infer<typeof groupEntrySchema>
 
+/**
+ * McpRestrictions
+ */
+
+export const mcpToolRestrictionSchema = z.object({
+	serverName: z.string(),
+	toolName: z.string(),
+})
+
+export type McpToolRestriction = z.infer<typeof mcpToolRestrictionSchema>
+
+export const mcpRestrictionsSchema = z
+	.object({
+		allowedServers: z.array(z.string()).optional(),
+		disallowedServers: z.array(z.string()).optional(),
+		allowedTools: z.array(mcpToolRestrictionSchema).optional(),
+		disallowedTools: z.array(mcpToolRestrictionSchema).optional(),
+	})
+	.refine(
+		(data) => {
+			// Cannot have both allowedServers and disallowedServers
+			if (data.allowedServers && data.disallowedServers) {
+				return false
+			}
+			// Cannot have both allowedTools and disallowedTools for same server/tool combination
+			if (data.allowedTools && data.disallowedTools) {
+				// Filter out empty entries before checking for conflicts
+				const allowedFiltered = data.allowedTools.filter((t) => t.serverName.trim() && t.toolName.trim())
+				const disallowedFiltered = data.disallowedTools.filter((t) => t.serverName.trim() && t.toolName.trim())
+
+				const allowedSet = new Set(allowedFiltered.map((t) => `${t.serverName}:${t.toolName}`))
+				const disallowedSet = new Set(disallowedFiltered.map((t) => `${t.serverName}:${t.toolName}`))
+				const intersection = Array.from(allowedSet).filter((x) => disallowedSet.has(x))
+				return intersection.length === 0
+			}
+			return true
+		},
+		{
+			message: "Cannot have conflicting allowed/disallowed server or tool restrictions",
+		},
+	)
+
+export type McpRestrictions = z.infer<typeof mcpRestrictionsSchema>
+
 /**
  * ModeConfig
  */
@@ -70,6 +114,7 @@ export const modeConfigSchema = z.object({
 	customInstructions: z.string().optional(),
 	groups: groupEntryArraySchema,
 	source: z.enum(["global", "project"]).optional(),
+	mcpRestrictions: mcpRestrictionsSchema.optional(),
 })
 
 export type ModeConfig = z.infer<typeof modeConfigSchema>
 
@@ -1,32 +1,121 @@
 import { DiffStrategy } from "../../../shared/tools"
 import { McpHub } from "../../../services/mcp/McpHub"
+import { ModeConfig } from "@roo-code/types"
+import { getModeBySlug } from "../../../shared/modes"
+
+// Helper functions for MCP restriction checking (copied from use-mcp-tool.ts)
+function isServerAllowedForMode(serverName: string, restrictions: any, serverDefaultEnabled?: boolean): boolean {
+	// Handle defaultEnabled logic first
+	// If server has defaultEnabled: false, it must be explicitly allowed
+	if (serverDefaultEnabled === false) {
+		// Only allowed if explicitly in allowedServers list
+		return restrictions.allowedServers ? restrictions.allowedServers.includes(serverName) : false
+	}
+
+	// For defaultEnabled: true (default behavior)
+	// If allowedServers is defined, server must be in the list
+	if (restrictions.allowedServers && !restrictions.allowedServers.includes(serverName)) {
+		return false
+	}
+
+	// If disallowedServers is defined, server must not be in the list
+	if (restrictions.disallowedServers && restrictions.disallowedServers.includes(serverName)) {
+		return false
+	}
+
+	return true
+}
+
+function isToolAllowedForModeAndServer(serverName: string, toolName: string, restrictions: any): boolean {
+	// If allowedTools is defined, tool must be in the list
+	if (restrictions.allowedTools) {
+		// Filter out empty entries before checking
+		const validAllowedTools = restrictions.allowedTools.filter(
+			(t: any) => t.serverName?.trim() && t.toolName?.trim(),
+		)
+		if (validAllowedTools.length > 0) {
+			const isAllowed = validAllowedTools.some((t: any) => t.serverName === serverName && t.toolName === toolName)
+			if (!isAllowed) return false
+		}
+	}
+
+	// If disallowedTools is defined, tool must not be in the list
+	if (restrictions.disallowedTools) {
+		// Filter out empty entries before checking
+		const validDisallowedTools = restrictions.disallowedTools.filter(
+			(t: any) => t.serverName?.trim() && t.toolName?.trim(),
+		)
+		const isDisallowed = validDisallowedTools.some(
+			(t: any) => t.serverName === serverName && t.toolName === toolName,
+		)
+		if (isDisallowed) return false
+	}
+
+	return true
+}
 
 export async function getMcpServersSection(
 	mcpHub?: McpHub,
 	diffStrategy?: DiffStrategy,
 	enableMcpServerCreation?: boolean,
+	currentMode?: string,
+	customModes?: ModeConfig[],
 ): Promise<string> {
 	if (!mcpHub) {
 		return ""
 	}
 
+	let availableServers = mcpHub.getServers()
+
+	// Filter servers based on mode restrictions
+	if (currentMode && customModes) {
+		const mode = getModeBySlug(currentMode, customModes)
+		const restrictions = mode?.mcpRestrictions
+
+		if (restrictions || mode) {
+			// Always filter based on defaultEnabled, even if no explicit restrictions
+			availableServers = availableServers.filter((server) => {
+				// Get server configuration to check defaultEnabled setting
+				const serverConfig = mcpHub.getServerConfig(server.name)
+				const defaultEnabled = serverConfig?.defaultEnabled ?? true // Default to true if not specified
+
+				return isServerAllowedForMode(server.name, restrictions || {}, defaultEnabled)
+			})
+		}
+	}
+
 	const connectedServers =
-		mcpHub.getServers().length > 0
-			? `${mcpHub
-					.getServers()
+		availableServers.length > 0
+			? `${availableServers
 					.filter((server) => server.status === "connected")
 					.map((server) => {
-						const tools = server.tools
-							?.filter((tool) => tool.enabledForPrompt !== false)
-							?.map((tool) => {
-								const schemaStr = tool.inputSchema
-									? `    Input Schema:
+						let availableTools = server.tools?.filter((tool) => tool.enabledForPrompt !== false) || []
+
+						// Filter tools based on mode restrictions
+						if (currentMode && customModes) {
+							const mode = getModeBySlug(currentMode, customModes)
+							const restrictions = mode?.mcpRestrictions
+
+							if (restrictions) {
+								availableTools = availableTools.filter((tool) =>
+									isToolAllowedForModeAndServer(server.name, tool.name, restrictions),
+								)
+							}
+						}
+
+						const tools =
+							availableTools.length > 0
+								? availableTools
+										.map((tool) => {
+											const schemaStr = tool.inputSchema
+												? `    Input Schema:
 		${JSON.stringify(tool.inputSchema, null, 2).split("\n").join("\n    ")}`
-									: ""
+												: ""
 
-								return `- ${tool.name}: ${tool.description}\n${schemaStr}`
-							})
-							.join("\n\n")
+											return `- ${tool.name}: ${tool.description}\n${schemaStr}`
+										})
+										.join("\n\n")
+								: null
 
 						const templates = server.resourceTemplates
 							?.map((template) => `- ${template.uriTemplate} (${template.name}): ${template.description}`)
@@ -47,7 +136,9 @@ export async function getMcpServersSection(
 						)
 					})
 					.join("\n\n")}`
-			: "(No MCP servers currently connected)"
+			: currentMode && customModes && getModeBySlug(currentMode, customModes)?.mcpRestrictions
+				? "(No MCP servers are available for the current mode due to restrictions)"
+				: "(No MCP servers currently connected)"
 
 	const baseSection = `MCP SERVERS
 
 
@@ -59,7 +59,7 @@ async function generatePrompt(
 	const [modesSection, mcpServersSection] = await Promise.all([
 		getModesSection(context),
 		modeConfig.groups.some((groupEntry) => getGroupName(groupEntry) === "mcp")
-			? getMcpServersSection(mcpHub, effectiveDiffStrategy, enableMcpServerCreation)
+			? getMcpServersSection(mcpHub, effectiveDiffStrategy, enableMcpServerCreation, mode, customModeConfigs)
 			: Promise.resolve(""),
 	])
 
 
@@ -1,14 +1,61 @@
 import { ToolArgs } from "./types"
+import { getModeBySlug, isServerAllowedForMode } from "../../../shared/modes"
 
 export function getAccessMcpResourceDescription(args: ToolArgs): string | undefined {
 	if (!args.mcpHub) {
 		return undefined
 	}
+
+	let availableServers = args.mcpHub.getServers()
+
+	// Filter servers based on mode restrictions
+	if (args.currentMode && args.customModes) {
+		const mode = getModeBySlug(args.currentMode, args.customModes)
+		const restrictions = mode?.mcpRestrictions || {} // Use empty object if no restrictions defined
+
+		// Always filter based on defaultEnabled, even if no explicit restrictions
+		availableServers = availableServers.filter((server) => {
+			// Get server configuration to check defaultEnabled setting
+			const serverConfig = args.mcpHub?.getServerConfig(server.name)
+			const defaultEnabled = serverConfig?.defaultEnabled ?? true // Default to true if not specified
+
+			return isServerAllowedForMode(server.name, restrictions, defaultEnabled)
+		})
+	}
+
+	// Generate description with filtered servers and their available resources
+	if (availableServers.length === 0) {
+		return `## access_mcp_resource
+Description: Request to access a resource provided by a connected MCP server. Resources represent data sources that can be used as context, such as files, API responses, or system information.
+**Note: No MCP servers are available for the current mode.**
+
+This tool allows you to access resources provided by Model Context Protocol (MCP) servers, but the current mode has restrictions that prevent access to all configured MCP servers.
+
+Parameters:
+- server_name: (required) The name of the MCP server providing the resource
+- uri: (required) The URI identifying the specific resource to access`
+	}
+
+	const serverDescriptions = availableServers
+		.map((server) => {
+			const resourceCount = (server.resources || []).length
+			const resourceTemplateCount = (server.resourceTemplates || []).length
+			const totalResources = resourceCount + resourceTemplateCount
+
+			return `**${server.name}**: ${totalResources} resource${totalResources !== 1 ? "s" : ""} available`
+		})
+		.join("\n")
+
 	return `## access_mcp_resource
 Description: Request to access a resource provided by a connected MCP server. Resources represent data sources that can be used as context, such as files, API responses, or system information.
+
+**Available servers for current mode:**
+${serverDescriptions}
+
 Parameters:
 - server_name: (required) The name of the MCP server providing the resource
 - uri: (required) The URI identifying the specific resource to access
+
 Usage:
 <access_mcp_resource>
 <server_name>server name here</server_name>
 
@@ -70,6 +70,8 @@ export function getToolDescriptionsForMode(
 		partialReadsEnabled,
 		settings,
 		experiments,
+		currentMode: mode, // Pass current mode for MCP restriction checking
+		customModes, // Pass custom modes for restriction lookup
 	}
 
 	const tools = new Set<string>()
 
@@ -1,5 +1,6 @@
 import { DiffStrategy } from "../../../shared/tools"
 import { McpHub } from "../../../services/mcp/McpHub"
+import type { ModeConfig } from "@roo-code/types"
 
 export type ToolArgs = {
 	cwd: string
@@ -11,4 +12,6 @@ export type ToolArgs = {
 	partialReadsEnabled?: boolean
 	settings?: Record<string, any>
 	experiments?: Record<string, boolean>
+	currentMode?: string // NEW: Current mode for restriction checking
+	customModes?: ModeConfig[] // NEW: Custom modes for restriction lookup
 }
@@ -1,15 +1,83 @@
 import { ToolArgs } from "./types"
+import { getModeBySlug, isServerAllowedForMode, isToolAllowedForModeAndServer } from "../../../shared/modes"
 
 export function getUseMcpToolDescription(args: ToolArgs): string | undefined {
 	if (!args.mcpHub) {
 		return undefined
 	}
+
+	let availableServers = args.mcpHub.getServers()
+
+	// NEW: Filter servers based on mode restrictions
+	if (args.currentMode && args.customModes) {
+		const mode = getModeBySlug(args.currentMode, args.customModes)
+		const restrictions = mode?.mcpRestrictions || {} // Use empty object if no restrictions defined
+
+		// Always filter based on defaultEnabled, even if no explicit restrictions
+		availableServers = availableServers.filter((server) => {
+			// Get server configuration to check defaultEnabled setting
+			const serverConfig = args.mcpHub?.getServerConfig(server.name)
+			const defaultEnabled = serverConfig?.defaultEnabled ?? true // Default to true if not specified
+
+			return isServerAllowedForMode(server.name, restrictions, defaultEnabled)
+		})
+	}
+
+	// Generate description with filtered servers and their available tools
+	if (availableServers.length === 0) {
+		return `## use_mcp_tool
+Description: Request to use a tool provided by a connected MCP server. 
+**Note: No MCP servers are available for the current mode.**
+
+This tool allows you to execute tools provided by Model Context Protocol (MCP) servers, but the current mode has restrictions that prevent access to all configured MCP servers.
+
+Parameters:
+- server_name: (required) The name of the MCP server providing the tool
+- tool_name: (required) The name of the tool to execute  
+- arguments: (required) A JSON object containing the tool's input parameters`
+	}
+
+	const serverDescriptions = availableServers
+		.map((server) => {
+			let availableTools = server.tools || []
+
+			// Filter tools based on mode restrictions (only if explicit restrictions exist)
+			if (args.currentMode && args.customModes) {
+				const mode = getModeBySlug(args.currentMode, args.customModes)
+				const restrictions = mode?.mcpRestrictions
+
+				if (restrictions) {
+					availableTools = availableTools.filter((tool) =>
+						isToolAllowedForModeAndServer(server.name, tool.name, restrictions),
+					)
+				}
+			}
+
+			const toolList =
+				availableTools.length > 0
+					? availableTools
+							.map((tool) => {
+								const desc = tool.description ? ` - ${tool.description}` : ""
+								return `  • ${tool.name}${desc}`
+							})
+							.join("\n")
+					: "  (No tools available for current mode)"
+
+			return `**${server.name}**:\n${toolList}`
+		})
+		.join("\n\n")
+
 	return `## use_mcp_tool
 Description: Request to use a tool provided by a connected MCP server. Each MCP server can provide multiple tools with different capabilities. Tools have defined input schemas that specify required and optional parameters.
+
+**Available servers and tools for current mode:**
+${serverDescriptions}
+
 Parameters:
 - server_name: (required) The name of the MCP server providing the tool
 - tool_name: (required) The name of the tool to execute
 - arguments: (required) A JSON object containing the tool's input parameters, following the tool's input schema
+
 Usage:
 <use_mcp_tool>
 <server_name>server name here</server_name>
Original file line number	Diff line number	Diff line change
`@@ -70,6 +70,8 @@ export function getToolDescriptionsForMode(`
`70`	`70`	`partialReadsEnabled,`
`71`	`71`	`settings,`
`72`	`72`	`experiments,`
	`73`	`+ currentMode: mode, // Pass current mode for MCP restriction checking`
	`74`	`+ customModes, // Pass custom modes for restriction lookup`
`73`	`75`	`}`
`74`	`76`
`75`	`77`	`const tools = new Set<string>()`